Remote Attestation
The remote attestation feature of the Kunpeng BoostKit for Confidential Computing TEE Kit proves that cVMs and the confidential computing platform are trustworthy. Specifically, it lets a remote party verify:
- Whether cVMs are running in a real confidential computing environment
- Whether cVM parameters or code has been tampered with
The remote attestation feature of the TEE Kit leverages trusted boot and the remote authentication protocol.
- Trusted boot of the confidential computing platform and cVMs follows the "measurement before execution" principle. An unforgeable measurement report is generated to verify that the initial system status is secure.
- The authentication protocol verifies the identities of cVMs and the confidential computing platform as well as the initial system status.
The remote attestation framework provides measurement reports for the confidential computing platform and for cVMs so that their identities can be verified. A cVM is attested in either of the following scenarios:
- A cVM connects to the remote attestation client while it is starting up. You can decide whether to let the startup complete based on the attestation result.
- A cVM connects to the remote attestation client while it is running. You can decide whether to establish a secure communication channel based on the attestation result.
The following figure illustrates the remote attestation process when cVMs are starting up:
During measurement initiation:
- The user sends a cVM creation request to the host Linux, together with the cVM configuration information, kernel image, temporary file system, and device tree information.
- The cVM Management Service sends the creation command through the QEMU/KVM.
- The TMM creates the cVM and measures the creation process.
- After the cVM is started, it runs the RATS-TLS Server from the temporary file system and waits for a connection.
- When the RATS-TLS Server is initializing, the Attester requests a measurement report from the TMM through the TSI.
- The host Linux returns the cVM IP address to the user's local machine.
During TLS communication establishment:
- The user sends a hello message to the RATS-TLS Server through the RATS-TLS Client, and the Server and Client perform the key exchange.
- The RATS-TLS Server returns a certificate, which contains the cVM token and platform token.
- The Verifier sends the IAK public key hash in the platform token to the remote attestation server. After that, the remote attestation server returns the IAK certificate chain (including the IAK public key) and the platform measurement reference value.
- Based on the files and configuration information sent to the host Linux, the user uses the cVM Reference Generator to generate the virtCCA cVM measurement reference value, that is, the Realm Initial Measurement (RIM) reference value.
- The Verifier verifies the cVM token and platform token, checks whether the RIM in the cVM token is the same as the reference value, and checks whether the measurement value in the platform token is the same as the reference value.
If every check passes, the secure communication channel is established. The user can then send the key for the primary file system over that channel; the cVM decrypts the primary file system and completes its startup. If any check fails, the channel is not established and the key is never released, so a cVM whose image or parameters were tampered with, or one not running on a genuine platform, cannot boot into the primary file system.
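The Verifier-side decision described in the steps above (look up the IAK by its public key hash, verify the platform token and the cVM token, compare the RIM and the platform measurement with their reference values, and only then release the primary file system key) is shown below as an added, self-contained example. It is not the TEE Kit's code: signatures are modelled with HMAC-SHA256 over a canonical JSON encoding as a stand-in for the real asymmetric IAK and cVM attestation keys, `compute_rim` is a simplified stand-in for the cVM Reference Generator (the page does not describe the real measurement algorithm), the nonce freshness check is an assumption about how RATS-TLS binds tokens to the handshake, and every key, image and measurement value is constructed inline.

```python
"""Added example: model of the Verifier checks in the cVM startup attestation
flow. Not the TEE Kit's code; all keys, images and reference values are
constructed, and HMAC stands in for asymmetric signatures."""
import hashlib
import hmac
import json


def _canon(obj) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, claims: dict) -> dict:
    # Stand-in for an asymmetric signature over the token claims.
    return {"claims": claims, "sig": hmac.new(key, _canon(claims), "sha256").hexdigest()}


def _verify(key: bytes, token: dict) -> bool:
    expected = hmac.new(key, _canon(token["claims"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, token["sig"])


# ---- reference side (user's local machine) --------------------------------
def compute_rim(config: dict, kernel: bytes, initrd: bytes, dtb: bytes) -> str:
    """Simplified stand-in for the cVM Reference Generator: a running hash over
    the canonical cVM configuration and each image in load order. The real RIM
    algorithm is not described on this page."""
    h = hashlib.sha256(_canon(config))
    for blob in (kernel, initrd, dtb):
        h.update(hashlib.sha256(blob).digest())
    return h.hexdigest()


# ---- remote attestation server (constructed registry) ---------------------
IAK_KEY = b"demo-IAK"                                   # stand-in for the IAK private key
IAK_PUB_HASH = hashlib.sha256(b"demo-IAK-public").hexdigest()
PLATFORM_REF = hashlib.sha256(b"platform-fw-v1").hexdigest()   # platform measurement reference
ATTESTATION_SERVER = {IAK_PUB_HASH: {"iak_key": IAK_KEY, "platform_ref": PLATFORM_REF}}

# ---- attester side (measurement report from the TMM via the TSI) ----------
CVM_KEY = b"demo-cVM-attestation-key"   # stand-in for the cVM attestation key (verifier holds the verify half)


def make_certificate(rim: str, nonce: str, platform_meas: str = PLATFORM_REF) -> dict:
    """What the RATS-TLS Server returns: a certificate carrying the cVM token
    (RIM + handshake nonce) and the platform token (IAK hash + platform measurement)."""
    cvm_token = _sign(CVM_KEY, {"rim": rim, "nonce": nonce})
    platform_token = _sign(IAK_KEY, {"iak_pub_hash": IAK_PUB_HASH, "measurement": platform_meas})
    return {"cvm_token": cvm_token, "platform_token": platform_token}


# ---- verifier side --------------------------------------------------------
def verify_certificate(cert: dict, rim_ref: str, nonce: str, server=ATTESTATION_SERVER) -> tuple:
    """Return (accepted, reason). Order matters: the platform must be genuine
    before the cVM token it vouches for is worth examining."""
    plat = cert["platform_token"]
    entry = server.get(plat["claims"].get("iak_pub_hash"))
    if entry is None:
        return False, "unknown IAK: platform is not a registered confidential computing platform"
    if not _verify(entry["iak_key"], plat):
        return False, "platform token signature invalid"
    if not hmac.compare_digest(plat["claims"].get("measurement", ""), entry["platform_ref"]):
        return False, "platform measurement mismatch"
    cvm = cert["cvm_token"]
    if not _verify(CVM_KEY, cvm):
        return False, "cVM token signature invalid"
    if cvm["claims"].get("nonce") != nonce:          # assumed freshness binding to this handshake
        return False, "stale or replayed cVM token"
    if not hmac.compare_digest(cvm["claims"].get("rim", ""), rim_ref):
        return False, "RIM mismatch: cVM image or parameters differ from reference"
    return True, "ok"


def release_fs_key(cert: dict, rim_ref: str, nonce: str, fs_key: bytes):
    """Primary file system key is only handed over after a successful attestation."""
    ok, _ = verify_certificate(cert, rim_ref, nonce)
    return fs_key if ok else None


def demo() -> dict:
    config = {"vcpus": 2, "mem_mib": 1024}                          # constructed cVM configuration
    kernel, initrd, dtb = b"Image-6.6", b"initramfs.cpio", b"cvm.dtb"   # constructed images
    rim_ref = compute_rim(config, kernel, initrd, dtb)
    nonce = "c0ffee"
    good = make_certificate(rim_ref, nonce)
    tampered = make_certificate(compute_rim(config, kernel + b"\x90", initrd, dtb), nonce)
    forged = make_certificate(compute_rim(config, kernel + b"\x90", initrd, dtb), nonce)
    forged["cvm_token"]["claims"]["rim"] = rim_ref       # patch the claim without the signing key
    old_plat = make_certificate(rim_ref, nonce, platform_meas=hashlib.sha256(b"platform-fw-v0").hexdigest())
    return {
        "good": verify_certificate(good, rim_ref, nonce),
        "tampered_kernel": verify_certificate(tampered, rim_ref, nonce),
        "forged_rim": verify_certificate(forged, rim_ref, nonce),
        "old_platform": verify_certificate(old_plat, rim_ref, nonce),
        "replayed": verify_certificate(good, rim_ref, "other-nonce"),
        "key_released": release_fs_key(good, rim_ref, nonce, b"fs-key") is not None,
        "key_withheld": release_fs_key(tampered, rim_ref, nonce, b"fs-key") is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points carry over to a real deployment: the RIM is compared with `hmac.compare_digest` rather than `==` so the comparison does not leak through timing, and the file system key is released only by a function that re-runs the full verification, so no code path can hand over the key on a partially checked certificate.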
For details, see "Remote Attestation" in Confidential Computing TEE Kit Feature Guide.