Remote Attestation in a Container (or VM)

Since TEE OS 1.4.0, the QCA daemon, QCA lib-report, and QTA-report components are added to support remote attestation in containers (or VMs). (Remote attestation in VMs is basically the same as that in containers. The following uses containers as an example.) The source code of the QCA lib-report and QTA-report can be obtained from the iTrustee SDK repository, and that of the QCA daemon can be obtained from the KunpengSecL repository. Compared with remote attestation on a host, remote attestation in a container additionally requires deploying components in the container and adding configurations on the host.

Deploying Components on a Host

Go to 1 and clone the KunpengSecL repository, and switch to the branch supported by the container.
```
cd kunpengsecl
git checkout -b container_support origin/feature/container_support
```

Apply the patch for the container information deletion API in KunpengSecL to the QCA lib and QTA.

cd itrustee_sdk/
git apply ../kunpengsecl/attestation/tee/tverlib/simulator/0001-libqca-qta-add-delete-interface.patch

Compile the QCA lib that supports remote attestation in containers on the host and deploy it again.

cd itrustee_sdk/test/CA/libqca/
make clean; make TARGET_HOST_QCA=y
cp output/libqca.so /usr/lib64/

Grant permission to the QCA server in the QTA source code and modify the following file:
1. Open the file.
```
vim itrustee_sdk/test/TA/qta/src/tee_qta.c
```
2. Press i to enter the insert mode and add the following content:
```
ret = addcaller_ca_exec("/vendor/bin/qcaserver", "root");
if (ret != TEE_SUCCESS)
    return ret;
```
3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
Compile the QTA on the host and save the QTA configuration and private key on the host to the signed_config and TA_cert directories in itrustee_sdk/build/signtools/, and modify the manifest/manifest.txt file based on the configs.xml resource file configured when applying for the QTA certificate.
```
cd itrustee_sdk/test/TA/qta/
make clean; make TARGET_HOST_QTA=true
cp e08f7eca-e875-440e-9ab0-5f381136c600.sec /var/itrustee/ta/
```

Recompile the demo and redeploy the QCA server.

cd kunpengsecl
make clean && make build
cp attestation/tee/demo/pkg/qcaserver /vendor/bin/

Deploying Components in a Container

To implement remote attestation in a container, deploy the QCA daemon, QCA lib-report, and QTA-report components in addition to deploying and starting the container (see Confidential Containers). If the container has a different OS from the host, you are advised to recompile the three components in the container. If they are the same, you can directly reuse the source code and compilation environment downloaded from Compiling and Deploying the QCA Lib and QTA and Compiling the Demo, compile the source code, and copy the three components to the container. Perform the following operations in the container. For details about the compilation environment, see the preceding operations on the host.

Compile the QCA lib-report in the container.

cd itrustee_sdk/test/CA/libqca/
make clean; make TARGET_CONTAINER_QCA=y

Grant permission to the QCA daemon in the QTA source code and modify the following file:
1. Open the file.
```
vim itrustee_sdk/test/TA/qta/src/tee_qta.c
```
2. Press i to enter the insert mode and add the following content:
```
ret = addcaller_ca_exec("/vendor/bin/qca_daemon", "root");
if (ret != TEE_SUCCESS)
    return ret;
```
3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
Compile and deploy the QTA-report in the container. Save the QTA-report configuration and private key to the signed_config and TA_cert directories in itrustee_sdk/build/signtools/, and modify the manifest/manifest-report.txt file based on the configs.xml resource file used to apply for the QTA-report certificate.
```
cd itrustee_sdk/test/TA/qta/
make clean; make TARGET_QTA_REPORT=true
cp 4f84c0e0-4c3f-422f-97dc-14bfa2314ad1.sec /var/itrustee/ta/
```
- Similar to the QTA, the QTA-report is the privileged TA of remote attestation. The QTA-report UUID must be 4f84c0e0-4c3f-422f-97dc-14bfa2314ad1, whereas the service name can be customized.
- After the compilation is complete, you can view the QTA-report base value in the hash_4f84c0e0-4c3f-422f-97dc-14bfa2314ad1.txt directory. When verifying the TA measurement report in the container on the RA Client, you need to verify the QTA-report base value.
Compile and deploy the QCA daemon. After performing Deploying Components on a Host, the QCA daemon is generated in the kunpengsecl/attestation/tee/demo/pkg directory.
```
cd kunpengsecl
make clean && make build
cp kunpengsecl/attestation/tee/demo/pkg/qca_daemon /vendor/bin/
```
If you compile the QCA daemon on the host and copy it to the container, you need to copy the SO files of the three components to the container, including libteec_adaptor.so and libboundscheck.so.

Running the Demo

Start the Attestation Service on the host by following instructions in Window 1.
Deploy the RA Service on the host by following instructions in Window 2. To enable the RA Service to listen to QCA daemon requests and establish a connection, add a socket service for the RA Service.
1. To make the new socket service invisible to external systems and available only to the local container, you can create the socket service using a private IP address. The following method will become invalid after the host is restarted.
```
# Assign a private IP address.
ifconfig enp125s0f0:remote 10.10.10.10 netmask 255.255.255.0 up
# Enable the firewall port.
firewall-cmd --zone=public --add-port=9000/tcp
```
2. Go to the RA Service configuration file directory.
```
cd kunpengsecl/attestation/tee/demo/qca_demo/cmd
```
3. Open the file to add the socket service configuration.
```
vim config.yaml
```
4. Press i to enter the insert mode and modify the file as follows:
```
qcaconfig:
  ...
  virtual:
    server: 10.10.10.10:9000  # New TCP port for the RA Service to listen to QCA daemon connection requests in the container.
    healthcheck: 10           # Interval for checking the connection validity, in minutes. The value ranges from 0 to 7 days.
```
5. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
6. Add the -V command line parameter when starting the RA Service. This parameter indicates the support for containers and VMs.
```
/vendor/bin/qcaserver -V true -C 1
```
Start the container by following instructions in Confidential Containers and start the QCA daemon in the container. After the QCA daemon is started, the qca_daemon.log file is generated in the current directory.
```
/vendor/bin/qca_daemon -H 10.10.10.10:9000
```
Start the TA to be verified in the container.
```
/vendor/bin/rsa_demo
```
Configure TA information and the AS certificate by following instructions in Window 4. Then add the information about the container where the TA to be verified runs, and add the QTA-report base value to the measurement file.
```
cd kunpengsecl/attestation/tee/demo/attester_demo/cmd
```
1. Modify the configuration file.
```
vim config.yaml
```
2. Press i to enter the insert mode to add the container information:
```
attesterconfig:
  ...
  virtualguest:      # Information about the container where the TA to be verified runs
    id: xxxxx        # For a container, the value is a 64-bit container ID. For a VM, the value is a 36-bit VM UUID.
    type: docker     # Only Docker and KVM are supported.
```
3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
4. Add the QTA-report base value to the base value file.
```
vim basevalue.txt
```
5. Press i to enter the insert mode and add the QTA-report base value.
```
....
4f84c0e0-4c3f-422f-97dc-14bfa2314ad1 [img_hash] [mem_hash]
```
6. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
Start a measurement request from the RA Client.
```
go run main.go -M 1
```
Confidential computing does not support mem-hash measurement.

Parent topic: Remote and Local Attestation