diff --git a/service/attestation/attestation-service/policy/src/opa/default_itrustee.rego b/service/attestation/attestation-service/policy/src/opa/default_itrustee.rego index f55449c128e89070126db90f788e070372c34777..e67cc9c5be3f288f5f233d14d37e74fdfdc03f5e 100644 --- a/service/attestation/attestation-service/policy/src/opa/default_itrustee.rego +++ b/service/attestation/attestation-service/policy/src/opa/default_itrustee.rego @@ -1,10 +1,23 @@ -# if create a new rego file, "output" should exist, # package name should be "attestation" package attestation -import rego.v1 -expect_keys := ["itrustee.ta_img", "itrustee.ta_mem"] -input_keys := object.keys(input) -output[exist] := input[exist] if { - some exist in expect_keys - exist in input_keys -} +import future.keywords.if + +allow := true if { + input["itrustee.ta_img"] != null + input["itrustee.ta_mem"] != null +} else := false + +ta_img := input["itrustee.ta_img"] if { + input["itrustee.ta_img"] != null +} else := null + +ta_mem := input["itrustee.ta_mem"] if { + input["itrustee.ta_mem"] != null +} else := null + +#output and output.allow must exist +output := { + "allow": allow, + "itrustee.ta_img": ta_img, + "itrustee.ta_mem": ta_mem +} \ No newline at end of file diff --git a/service/attestation/attestation-service/policy/src/opa/default_vcca.rego b/service/attestation/attestation-service/policy/src/opa/default_vcca.rego index 32229e43b014e7dfeb3e77b6a7c6611fac39b2ea..33803d711066f2fa0e0bbfd53b8e8fadbef12147 100644 --- a/service/attestation/attestation-service/policy/src/opa/default_vcca.rego +++ b/service/attestation/attestation-service/policy/src/opa/default_vcca.rego 
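Review bot: `allow` only asserts that a non-null value exists under `itrustee.ta_img` and `itrustee.ta_mem`; it compares nothing, so whether a TA with the wrong image or memory hash is denied depends entirely on how the caller builds `input` (the policy docs added in this same change describe `input` as the baseline set looked up from the evidence, with null for a missing baseline) — if that lookup returns the registered baseline without matching it against the measured value, this policy cannot distinguish a good TA from a bad one. That contract should be stated at the top of the file rather than left implicit, e.g. `# input is the baseline set built from the evidence (null = no baseline found).` / `# allow only asserts a non-null baseline exists for ta_img and ta_mem; it performs no value comparison.` The new shape also differs from the removed partial-object rule: both keys are now always present in `output`, with `null` standing in for a missing baseline, which consumers of the `report` string should be told.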
@@ -1,10 +1,17 @@ -# if create a new rego file, "output" should exist, # package name should be "attestation" package attestation -import rego.v1 -expect_keys := ["vcca.cvm.rim"] -input_keys := object.keys(input) -output[exist] := input[exist] if { - some exist in expect_keys - exist in input_keys -} +import future.keywords.if + +allow := true if { + input["vcca.cvm.rim"] != null +} else := false + +rim := input["vcca.cvm.rim"] if { + input["vcca.cvm.rim"] != null +} else := null + +#output and output.allow must exist +output := { + "allow": allow, + "vcca.cvm.rim": rim +} \ No newline at end of file diff --git a/service/attestation/attestation-service/service/src/lib.rs b/service/attestation/attestation-service/service/src/lib.rs index 99ae8185c67948fa8438ad860df71623b40b8172..0877611209a75039f54cb113804958f3195afc2b 100644 --- a/service/attestation/attestation-service/service/src/lib.rs +++ b/service/attestation/attestation-service/service/src/lib.rs @@ -157,7 +157,7 @@ impl AttestationService { ) .await; let mut report = serde_json::json!({}); - let mut ref_exist_null: bool = false; + let mut policy_result: bool = true; match result { Ok(eval) => { for id in eval.keys() { @@ -171,11 +171,9 @@ impl AttestationService { } Ok(ret) => ret, }; - for key in refs.keys() { - // reference value is null means not found - if refs[key].is_null() { - ref_exist_null = true; - } + // output of policy engine should include "allow" indicates evaluate result + if !refs.get("allow").and_then(Value::as_bool).unwrap_or(false) { + policy_result = false; } report .as_object_mut() @@ -202,7 +200,7 @@ impl AttestationService { .ok_or(anyhow!("tee type unknown"))?, ), result: EvlResult { - eval_result: passed & !ref_exist_null, + eval_result: passed & policy_result, policy: policy_ids, report: report, }, 
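Review bot: The default virtCCA policy gates only on `vcca.cvm.rim`; the other measurements the service exposes for this TEE (`vcca.cvm.rem.0..3`, `vcca.cvm.rpv`, `vcca.platform`, as listed in the policy docs added by this change) are never consulted, so any runtime state is accepted once an initial-measurement baseline exists. If that is the intended scope of a default policy, say so in the file header, e.g. `# default policy: requires only that a baseline exists for the initial measurement (vcca.cvm.rim);` / `# runtime measurements (vcca.cvm.rem.*) and rpv are not checked here — supply your own policy for those.` Separately, the hunk replaces `import rego.v1` with `import future.keywords.if`; `rego.v1` is the forward-compatible form and the previous revision already used it, so unless the embedded engine rejects it, keeping `import rego.v1` avoids a later migration.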
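Review bot: `policy_result` is initialised to `true` and is only ever lowered inside the `Ok(eval)` loop, so an `eval` with no entries, or the `Err` arm of `match result` (outside this hunk) if it does not return early, leaves it `true` and `eval_result` collapses to `passed` alone — the same fail-open default the removed `ref_exist_null = false` had. Consider starting closed, `let mut policy_result = false;`, and in the `Ok(eval)` arm setting `policy_result = !eval.is_empty();` before the loop, so the flag is true only when at least one policy evaluated and every one of them allowed. The `: bool` annotation is redundant either way. The enclosing method body begins before and ends after this hunk.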
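Review bot: The comment `// output of policy engine should include "allow" indicates evaluate result` understates what the code enforces: a missing or non-boolean `allow` is treated as a deny through `unwrap_or(false)`, and since `policy_result` is only ever cleared, every policy in `eval` must allow for `eval_result` to be true. Make that explicit so a later edit does not relax it by accident, e.g. `// Every policy's output must carry a boolean "allow"; a missing or non-boolean` / `// value is a deny (fail closed), and all policies must allow.` When a policy denies, its id is in scope here (`id` from the `for id in eval.keys()` loop in the previous hunk), so recording which policy denied would make a rejected token debuggable; the `report` appears to carry only the raw output string.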
diff --git a/service/attestation/oeas/docs/oeas_token.md b/service/attestation/oeas/docs/oeas_token.md new file mode 100644 index 0000000000000000000000000000000000000000..43f1fd2363b0aed455bb8fc47ccec37f37896453 --- /dev/null +++ b/service/attestation/oeas/docs/oeas_token.md @@ -0,0 +1,135 @@ +# oeas Token + +本文介绍oeas的Attestation Service返回的Token内容格式。 +Token采取Json Web Key (JWT, RFC7519)标准令牌格式,签名算法可配置,默认采用PS256. 令牌结构按以下方式组织: + +``` +
.. +``` +Header,Payload均为BASE64_URL编码的JSON结构体,Signature为BASE64_URL编码的签名数据 + +## Header + +Header的JSON结构内容字段如下: + +| 名称 | 类型 | 示例值 | 描述 | +| :-----| :---- | :-----| :---- | +| alg | 字符串 | PS256 | RFC7519标准Header字段,指明令牌所使用的签名算法,当前默认为PS256算法 | +| typ | 字符串 | JWT | RFC7519标准Header字段,指明令牌类型,固定为JWT | + +## Payload + +Payload的JSON结构字段内容如下: + +| 名称 | 类型 | 示例值 | 描述 | +| :-----| :---- | :-----| :---- | +| iss | 字符串 | oeas | RFC7519标准字段,指明令牌签发者 | +| iat | Unix时间戳 | 1700796647 | RFC7519标准字段,指明令牌签发时间 | +| nbf | Unix时间戳 | 1700796647 | RFC7519标准字段,指明令牌开始生效时间 | +| exp | Unix时间戳 | 1700796947 | RFC7519标准字段,指明令牌过期时间 | +| evaluation-reports | JSON结构数组 | / | 包含每个策略所对应的验证结果,详见下文[evaluation-reports](#evaluation-report) | +| tee | 字符串 | kunpeng | 标明TEE类型 | +| tcb-status | JSON结构 | /| 解析并序列化后的TEE证据内容,JSON结构的内容特定于TEE类型,详见下文[example](#example) | + +### evaluation-reports + +| 名称 | 类型 | 示例值 | 描述 | +| :-----| :---- | :-----| :---- | +| policy | JSON结构数组 | ["test.rego","default.rego"] | 指定的策略ID列表 | +| report | JSON结构 | 见下文示例 | 存储每个策略的输出结果 | + +## example + +kunpeng oeas Token示例: + +``` +eyJ0eXAiOiJKV1QiLCJhbGciOiJQUzI1NiJ9.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.GpbdynKkCAiJ0xDqIADmWCWDRKVcSfrgjGtXZVVF-MwAmbE-e4_WLHTnfYTVsNuuMhp8lTlZcaTEk0kUN_C3vpxYQFiuCXm9hioLR4Xnv4xC6qpsZAiuBkLO9q2c5tp_GzunS28nlS4gUHcy-oaaaIASJYdCSXrfryHRQfXjfaBQjAyza1vmXETM4_m4BhjcAVLp1-wc3Tk5ITTGoWCovUaELZxdV_IyGg8C-6c1jv4zDAG3xI9dRGv1-8lie9EVNu0m4tbz0hBFekUlK1v_JyW9k4HVAG11jDgGnMxQz91pQ18lckPqgzciH9Qtoky-y9Kd7KhwiLhtfYuj-SEXkA +``` + +各字段分别经Base64_URL解码得到如下: + +### Header + +``` +{"typ":"JWT","alg":"PS256"} +``` + +### Payload + +``` +{ + "iss": "oeas", + "iat": 1743650034, + "nbf": 1743650034, + "exp": 1743650334, + "evaluation_reports": { + "eval_result": true, + "policy": [], + "report": { + "default_itrustee.rego": "{\"allow\":true,\"itrustee.ta_img\":\"aLCORsHQsIE2o0JqkuUf_JanvNFc641M_vbzW7_SpvE\",\"itrustee.ta_mem\":\"BVCIn9OEUbIkh1k8OcLiis2HpHcRwfvlpnEit7rjGVQ\"}", + "ima": null + } + }, + "tee": 
"itrustee", + "tcb_status": { + "itrustee.hash_alg": "HS256", + "itrustee.key": { + "enc_key": "VkxU_QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABTBAAAAAAAACAAAAAAAAAADAAAAAAAAAAMAAAAAAAAABAAAAAAAAAAEAAAAAAAAAB6g2fqgf3TuxziC2adUiyr0C4M5FXa-tb-rGJBMENNYeS_SbKNCFVoF9NV5DWsV7ote3A-gaVk1aPVNvRXdy3-92f1sxGFgVHCOX6FkAYw7B-Mm1EZWltoNjElFSxKo3HQg72DDbxxfHO12WMUAlug2k6_10fR5vhHDplxu1hD8mh0jrRNSaptMZiRKo3I8ekyFfk3r4mNVEYQPfhuH1R2FqmDHaqB5vPRzNn3cvD2AnBVPjmxdmtjJneJfRHKw3Hfo5zQnfe1n1aE4RQUhe3pqT2cgNNWxytEL6ctktXLFLRh3nBmy5g2xmDbpBqW8GoYsAp0pHqhkz1Q7TTgZ9iWNmWkrZ9m8dJVKxhB87wwdTGLLEDjumbnsb4jX23uJ0chA2c51g83HTK-ptzUbsT9hIa85JPmbB667tJsuufmQeJkH4Gydgyc0AJaZTo5tdFTPCXh2eyTR9hm0qO_hrSnBQlSE4sQpuXGMxJzN1WQ0HFi-dYQuwVWWGte9ZdSOgfMB5YLrPfxalsZX8jOeZ8s4uXI00xkb-kUvBj6FACGTX9bvI-ajnd4wLxuXBMzm016rhSuvSHJ6egjoqaSql9zoCiBN0Igxtx1TSmAouTJnt9swsUpaGge7lough2fhIwXPK7OwsqwNFLQcUukdR_mYUoIhC-TKokIh54j6MEABOZAnUQOdi3n2_8tbtwynUApPR5iKQNGqBvt_D9mlEL86_jVRQMnu8kcT3bfP573D2_GabIVn4IcYPa0ogcwSS57-rlSMMpzdIW2NBrqCy67QdAg75b1J0RsmI_ou5R2BoKcgMKPske2UFFlaCr3KNolbAYnHNJcRVzzEr_tuUviD0kJpLRwqNQHf7WejS-gU4TdIAtiDLW86JGIOleWuPfsTVWJMOEAAOxjw-3qbsqeG5nuSLyHeYKcXdQP-n0OcTD4VRDVyLyokC7HCSYh8U8fCxEeo6VkUrlusedOD6Dix_uixsFOQhRmqn1aHQCP6dLjtEO0sJCSP0XkW9RrmWQPXDEzKzbabHb3pN8QQwxySGX3YXKUCaLDje-gb2dTEnp5Wz6kzfFUaQGa6rj4zPDQU0mhMVfauTCqPEUNgBwZ4wyKKZnUdwLAamyTQcnB-l3-eJmmR6ZdM8qUVt42N3-w-UOgTGJknLdw_tOiqm3KLluEaNhVevJqdR59bjG93JK24dSF4tM7Zhzuhm0puGQimRx70kXYQ26NsEIOWKLk59S76hx6u401FjmpnSydKC7fq45wHXipIqAxt3qDZ2PaSESrSFCqbtChK4o8wnhQ09sJmpc9uAN2MXzmbDb2ObpbPQ5oALPJ8kublwGJueahgkfKgxphrjk3tXSuIaSad0HGR3msK7fVM6i6k0h5M8bp2VnZ6MS9cV9QTXudzmmWMMi6ScUUlrb-MkVw9zWdDAE0jXfqwlk28Jwqb_SwsIPd8kbWh3Ohj5RctfP3YUhWMpa0slutcqSVr6cM3AjAh9zE3oNIvHgdo7LgafMXRFH0eAeMlGo3BW-3OqCR-a4cRH_pTW8h8_Tr4o97lWYMag1yg_DSQc5rG2mGn1HfBd1VVdGb11d1WoYb", + "pub_key": { + "e": "AQAB", + "kty": "RSA", + "n": 
"zbgZ5S7kicOrw0tfoLQ9YxqsgV6uhJxt2Ya6pVQtyQ3tJGlx4tcVEb04PO9EkO8kQnrDmhgS49LZMH7vGvvINoWVIVsRAp-WY2pdU2Jmk3VhWHabDifVggcE532Y-YsZFflHdPya46UVSF8drbWGnPxnhUhToTBeklZUmpd71G-tiRghPxRJS9XT5B5jPwm8uKWOWe56lqIsgRliS-KjoFpavRzxesw2J_okrKJQlMPLh4QpLWY-HAKKLBMn_4tbn0pefMtLqT3-VRYf0TLvAy0GCXO1NxRm_pOIcW5pxQMQFYI5lWyCbpdn7ogbvnRqKjgdX5w5vwonOUrrSbq0DltV7TXFri8bUO_nS_Qi72L-5AcYCwFWXH5kRr9M9W6AO7WO5-D0dhjDJVG8CZxsMXGpSjDN6hc9Bs5w8UXJu39oi-HGZgTuEJdft9EHGEVmmwvSaAjbSrsaVVBiXd8byJghJbFvkP-Hqt00n_UKi5tu5kfLg-0YL9E6MGa5Wm53MXdEvyPpR0V8HvNY_4uD1mAgcoN5B-pZUwBW_wwiT_XHFcH0AtI54ZnFJW3Pr5vnkgm5wyWZnFCEtKMHmM4iwKR9KXYry3OLNzVYpLKFhjOBrxmBx80neFIBzHEmWg706-ieea4ZIntDZSVs2Qy6fUSZsJuO-IlCGXkWmtG3NRc" + } + }, + "itrustee.nonce": "JlX9oOim8wsMObB5TN-Ofe0DtB2_zC8-Qo2H55vMnz6C9TDIE0BqMHGbUsumhnV3CXtwIuxMunN8sRxxsS-laQ", + "itrustee.ta_img": "aLCORsHQsIE2o0JqkuUf_JanvNFc641M_vbzW7_SpvE", + "itrustee.ta_mem": "BVCIn9OEUbIkh1k8OcLiis2HpHcRwfvlpnEit7rjGVQ", + "itrustee.uuid": "f68fd704-6eb1-4d14-b218-722850eb3ef0", + "itrustee.version": "TEE.RA.1.0" + } +} +``` + +virtCCA oeas Token示例: + +``` 
+eyJ0eXAiOiJKV1QiLCJhbGciOiJQUzI1NiJ9.eyJpc3MiOiJvZWFzIiwiaWF0IjoxNzQzNTYyNjk1LCJuYmYiOjE3NDM1NjI2OTUsImV4cCI6MTc0MzU2Mjk5NSwiZXZhbHVhdGlvbl9yZXBvcnRzIjp7ImV2YWxfcmVzdWx0Ijp0cnVlLCJwb2xpY3kiOltdLCJyZXBvcnQiOnsiZGVmYXVsdF92Y2NhLnJlZ28iOiJ7XCJhbGxvd1wiOnRydWUsXCJ2Y2NhLmN2bS5yaW1cIjpcImNlM2YyYTU3N2E3ZTQwZjNhMzhkMTlmZWE4MTE4NjMyNzVhNzVmNTk2ODI4ODUxYzFhNWIyZDE5MzBhMzlmNTNcIn0iLCJpbWEiOnt9fX0sInRlZSI6InZjY2EiLCJ0Y2Jfc3RhdHVzIjp7InZjY2EuY3ZtLmNoYWxsZW5nZSI6ImFlYTEzZGM4Zjg0ZDg4MTc3ZWZmNjM0Mzg1N2I5ZWM4ZDcwNDBmMGZhMDVlMmU2ZjY4MTU5ODkxOTU1NWNlOTJlNjE5NGY5NWJjMzk4MGIzNTg5NzBlZGZhYWYzYTQ1MTRkMzlhYTJmZmJiMTY3YjY3MjBiMDRmNGVjZWM1YTAwIiwidmNjYS5jdm0ucmVtLjAiOiI1ZTQ2MmM1NTk1NDZmNWI0OTNiNGJiZTQ2OTk2ZGQ0Mjk4MWNkZjBjOGFmMzJhN2QxMTM1MGU0MDg2NTAyN2RhIiwidmNjYS5jdm0ucmVtLjEiOiIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwidmNjYS5jdm0ucmVtLjIiOiIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwidmNjYS5jdm0ucmVtLjMiOiIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwidmNjYS5jdm0ucmltIjoiY2UzZjJhNTc3YTdlNDBmM2EzOGQxOWZlYTgxMTg2MzI3NWE3NWY1OTY4Mjg4NTFjMWE1YjJkMTkzMGEzOWY1MyIsInZjY2EuY3ZtLnJwdiI6IjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwidmNjYS5wbGF0Zm9ybSI6IiJ9fQ.hExX-zQj--wpqXFtLGqWBMLxtzRzh9IKGMRIvcb8qmZKCdxmUJaKcDSgxZl8K1QPEo9Hbl45eWtOkGkqBuitF8zX5lNak5tYXKHwCVZbk8U3wJiFpv-hJuyDupP0jnBVwgJ_iaoucGYChX7s0zEOQMNGNBhNS-y4FH_ua1_4h6zIcY7Tu-byBXeT1uuNiIFLAADVlChV6AHZEGywfseOcz4jc7HCAfsKftRdbcrt38Dhzt_KAZsql16RTxQNLTGmkJnqqd4XODdXQqOY8KsO6lIEE19ivxvJvsC3nyzJdEaAAw_rvXSGbBXSr_HuEYUfkNYWpQ5Kfl3BVdB0Z4BWvg +``` + +各字段分别经Base64_URL解码得到如下: + +### Header + +``` +{"typ":"JWT","ALG:"PS256"} +``` + +### Payload + +``` +{ + "iss": "oeas", + "iat": 1743562695, + "nbf": 1743562695, + "exp": 1743562995, + "evaluation_reports": { + "eval_result": true, + 
"policy": [], + "report": { + "default_vcca.rego": "{\"allow\":true,\"vcca.cvm.rim\":\"ce3f2a577a7e40f3a38d19fea811863275a75f596828851c1a5b2d1930a39f53\"}", + "ima": {} + } + }, + "tee": "vcca", + "tcb_status": { + "vcca.cvm.challenge": "aea13dc8f84d88177eff6343857b9ec8d7040f0fa05e2e6f681598919555ce92e6194f95bc3980b358970edfaaf3a4514d39aa2ffbb167b6720b04f4ecec5a00", + "vcca.cvm.rem.0": "5e462c559546f5b493b4bbe46996dd42981cdf0c8af32a7d11350e40865027da", + "vcca.cvm.rem.1": "0000000000000000000000000000000000000000000000000000000000000000", + "vcca.cvm.rem.2": "0000000000000000000000000000000000000000000000000000000000000000", + "vcca.cvm.rem.3": "0000000000000000000000000000000000000000000000000000000000000000", + "vcca.cvm.rim": "ce3f2a577a7e40f3a38d19fea811863275a75f596828851c1a5b2d1930a39f53", + "vcca.cvm.rpv": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "vcca.platform": "" + } +} +``` diff --git a/service/attestation/oeas/docs/policy.md b/service/attestation/oeas/docs/policy.md index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..3aee023581c7b3dace680ec9de6020f802bd83e8 100644 --- a/service/attestation/oeas/docs/policy.md +++ b/service/attestation/oeas/docs/policy.md 
@@ -0,0 +1,81 @@ +# oeas Policy + +本文介绍oeas Attestation Policy编写与设置。 + +## Introduction + +oeas策略引擎使用[Open Policy Agent (OPA)](https://www.openpolicyagent.org/)实现,使用Rego语法编写。 + +策略引擎的输入为度量对象集合(json格式,度量对象包含度量名、度量值,分别对应json对象key、value), 用户可以编写策略,对度量对象进行校验。不同tee环境的度量对象集合如下: +``` +virtcca +{ + "vcca.cvm.challenge": "aa00...", + "vcca.cvm.rpv": "aa11...", + "vcca.cvm.rim": "aa22...", + "vcca.cvm.rem.0": "aa33..., + "vcca.cvm.rem.1": "aa44...", + "vcca.cvm.rem.2": "aa55...", + "vcca.cvm.rem.3": "aa66...", + "vcca.platform": "" +} + +itrustee +{ + "itrustee.nonce": "aa11...", + "itrustee.hash_alg": "aa22...", + "itrustee.key": "aa33...", + "itrustee.ta_img": "aa44...", + "itrustee.ta_mem": "aa55....", + "itrustee.uuid": "aa66....", + "itrustee.version": "aa77..." +} + +```` +在进行策略规则校验前,先根据上述度量集合依次查找度量对象的基线并输出到基线集,如果基线不存在,则输出基线值为NULL,否则输出对应基线值。例如: +``` +{ + "cca.cvm.rim":"aa11...", + "vcca.cvm.rpv":NULL, + ... +} +``` +策略引擎将上述基线集和策略集作为输入,依次使用每个策略对基线集进行评估并输出对应的策略结果。每个策略结果和总的评估结果均输出到最终的报告中。 +用户可根据[Open Policy Agent](https://www.openpolicyagent.org/docs/latest/)编写策略,注意package名称必须为"attestation",输出结果必须为"output",且包含allow布尔字段,标识策略的评估结果。 +以下为一个简单示例: +该示例要求输入的基线值存在。 +``` +# package name should be "attestation" +package attestation +import future.keywords.if + +allow := true if { + input["vcca.cvm.rim"] != null +} else := false + +rim := input["vcca.cvm.rim"] if { + input["vcca.cvm.rim"] != null +} else := null + +#output and output.allow must exist +output := { + "allow": allow, + "vcca.cvm.rim": rim +} +``` +则输出的结果可能为 +``` +{"allow":true,"vcca.cvm.rim": "aa11..."} 或者 +{"allow":false,"vcca.cvm.rim": NULL} +``` + +### 设置 Policy + +首先对策略文件policy_id的内容进行Base64_url编码得到policy_base64_url,再通过policy接口的post方法设置。 +curl -H "Content-Type:application/json" -X POST -d '{"{policy_id}":"{policy_base64_url}"}' http://127.0.0.1/policy + + + + + +