GitHubContribute in GitHub: Edit online

Attestation

Attestation is a process that starts by default at virtual instance creation, ensures that the virtual server instance image is indeed built by IBM, and that it was not modified. This process also provides information and allows validation of any data that is provided to the instance at the time of deployment.

When you create a virtual server instance by using the IBM Hyper Protect Container Runtime (HPCR) image, the image uses an initial file system that is protected by encryption and signed by IBM Secure Execution (SE). For more information, see Confidential computing with LinuxONE. To know more about the attestation process, see this video.

The boot process creates a unique root disk encryption key to ensure protection of the root disk. To perform attestation, the virtual server instance image contains an attestation-signing key and the hash of the root partition at build time. The boot process validates the root partition. If the hash of the root partition does not match, the boot process does not continue because it assumes that the image was modified before boot. The attestation signing key is a random RSA 4 K key that is signed by an IBM root key that is maintained in Hyper Protect Crypto Services. The IBM root key is signed by Digicert.

During deployment of the virtual server instance, an attestation record is created. It contains hashes of the following items:

  • The original base image
  • The root partition at the moment of the first boot
  • The root partition at build time
  • The cloud initialization options

The attestation record is signed by the attestation key. As an extra protection layer, you can provide a public key during deployment, against which the attestation record is encrypted. The hash of this public key is added to the attestation record to ensure that the record can be viewed only by the compliance authority, and the expected authority can be easily identified through that hash.

Before you upload any workload to your instance, you need to validate the attestation record. After an instance is created, you can validate the attestation record within the created instance. Your instance must have access to the /var/hyperprotect directory. If so, follow these procedures:

  • The attestation record is signed by the attestation signing key.
  • The attestation signing key can be confirmed by the IBM intermediate certificate. The IBM intermediate certificate is signed by DigiCert, which is proven by the root certificate of DigiCert, thus completing the chain of trust.

The encryption and attestation certificates are signed by the IBM intermediate certificate and this has been signed by the IBM Digicert intermediate cert (which in turn is signed by DigiCert Trusted Root G4). For more information about the certificates, see DigiCert Trusted Root Authority Certificates.

Use the following procedure to validate the attestation record and hashes:

  • Obtain the attestation record se-checksums.txt and the signature file se-signature.bin from your IBM Hyper Protect Virtual Servers instance. To do so, you can implement your container to provide the attestation record and the signature file. The attestation record and the signature file are made available to your container in the /var/hyperprotect directory.

  • Get the IBM attestation certificate that is a part of the image TAR file.

  • Validate the attestation certificate by following the instructions here.

  • Extract the encryption public key from the encryption certificate by using the following command:

     openssl x509 -pubkey -noout -in ibm-hyper-protect-container-runtime-24.9.1-attestation.crt > contract-public-key.pub
    
  • Verify the signature of the attestation record:

    openssl sha256 -verify contract-public-key.pub -signature se-signature.bin se-checksums.txt
    

    Note: Signature verification must be done on a decrypted attestation file.

  • You can now use the hashes from the attestation record for validation.

In case you provided a public key for encrypting the attestation record, the following script might help in decrypting the record.

#!/bin/bash
#
# Example script to decrypt attestation document.
#
# Usage:
#   ./decrypt-attestation.sh <rsa-priv-key.pem> [file]
#
# Token Format:
#   hyper-protect-basic.<ENC_AES_KEY_BASE64>.<ENC_MESSAGE_BASE64>


RSA_PRIV_KEY="$1"
if [ -z "$RSA_PRIV_KEY" ]; then
    echo "Usage: $0 <rsa-priv-key.pem>"
    exit 1
fi
INPUT_FILE="${2:-se-checksums.txt.enc}"
TMP_DIR="$(mktemp -d)"
#trap 'rm -r $TMP_DIR' EXIT


PASSWORD_ENC="${TMP_DIR}/password_enc"
MESSAGE_ENC="${TMP_DIR}/message_enc"


# extract encrypted AES key and encrypted message
cut -d. -f 2 "$INPUT_FILE"| base64 -d > "$PASSWORD_ENC"
cut -d. -f 3 "$INPUT_FILE"| base64 -d > "$MESSAGE_ENC"

# decrypt password
PASSWORD=$(openssl pkeyutl -decrypt -inkey "$RSA_PRIV_KEY" -in "$PASSWORD_ENC")


# decrypt message
echo -n "$PASSWORD" | openssl aes-256-cbc -d -pbkdf2 -in "$MESSAGE_ENC" -pass stdin --out se-checksums.txt

In the case of a docker container, the decrypt-attestation.sh file can be accessed by mounting /var/hyperprotect in the docker container. For example,

 volumes:
      - "/var/hyperprotect/:/var/hyperprotect/:ro"

In the case of a Podman container, the decrypt-attestation.sh file can be accessed by mounting /var/hyperprotect in the Podman container. For example,

 volumeMounts:
     - name: attestation
       readOnly: true
       mountPath: /var/hyperprotect:Z,U

The attestation document

When VSI is running on Z16 or higher, the boot process attempts to perform Ultravisor attestation to verify that the image is running on the correct host. The Ultravisor attestation produces evidence that is revealed through the Attestation Document; For more information, see Attestation.

The attestation document is available as the /var/hyperprotect/se-checksums.txt file, within the IBM Hyper Protect Virtual Servers instance. You can find the other related files under the same directory of the attestation document.

  • If user-data contains any other sections apart from workload, env, envworkloadsignature, and attestationpublickey, the SHA256 for the respective sections are generated.
  • If user-data is encrypted, the SHA256sum format for the encrypted part of the user data sections such as workload, env, and so on are also generated.
  • If any other keys apart from env, workload, envWorkloadSignature, and attestationPublicKey are present, the sha256 format of the each value is generated under the attestation records with the format sha256ofthevaluecontract: contract: otherkey.

The following information is available at the /var/hyperprotect/ directory:

/var/hyperprotect
/var/hyperprotect/
|-- cidata
|   |-- meta-data
|   |-- vendor-data
|-- se-checksums.txt
|-- se-signature.bin
|-- se-version
|-- user-data.decrypted

Checksums are the SHA256 of the message digest and can be calculated by using the following Linux command-line utility:

sha256sum <file>

The following snippet is an example of an attestation document:

24.11.0
Machine Type/Plant/Serial: 8562/02/4C588
Image age: 7 days since creation.
Ultravisor CUID: 0x1735c76d5a3d3b3e1bb7cb9f0c9ebe75
Host HKD: HKD-3931-0271A28.crt
HKD is valid until: Dec 26 17:35:32 2024 GMT
AP device present: true
Number of configured APs: 2
d58c9f54ed661428a43ecfc73a0496ccffa3bd11bc67d91527eeb6d88801134b AP(1):secret 
e0ee64acef428031783ba31387c6803a620290a9172defcdc19e49a33d831505 AP(2):secret
080f817231fe4bc40021d24e20af9f1135a36711047212f9374664b86ab406ac baseimage
ad65a3820d4a233c84e6d201ce537b8020435ccefe26682809da5ef9b176b8ae root.tar.gz
50330413a1f80e0abb51116ea4861527f4444b7ba27de975f167a60955a8963f /dev/disk/by-label/cidata
e033c938bf6bd79f50b50d54d577c2909b4304c633501e3d67c5eb6b49570be2 cidata/meta-data
1ca7ac0518344d5e7646d41fa768dad0deaf402576e44e2a0f9c298538ade3da cidata/user-data
cb0535727a27ffe986bce98de8eb1b2c1fafb8033e19b783eefe107b7cc61f65 cidata/vendor-data
a344bd0107382a6e019a0789dc2c43c75ea21342489a8800aa2e5ba140e5d820 attestationPublicKey
3ec698881c8f79cfd8b911516e3a7c008cc6923767e46481479a88934e9bb932 contract:env
1e8afc52b452b7439a8fe9d7d4950fbed2457bc091a4d83136c6a795b4d28c03 contract:workload

For more information on AP, see Crypto Passthrough

The following table describes each entry in the example attestation document:

Table 1. Entries in an attestation document

Entry Description
Machine Type/Plant/Serial Machine Type/Plant/Serial is the information required to obtain a Host Key Document for the secure execution VM. It reflects on which machine the secure execution VM is currently running.
Image age Image age is the age of the VSI image since its creation.
Ultravisor CUID Ultravisor CUID is provided through ultravisor attestation. This is only present on Z16 machines and requires an HKD to be available.
Host HKD Host HKD is the name of the Host Key Document file used for Ultravisor attestation. (Z16 only). If supplied, the Host HKD field will include the description field.
HKD is valid until HKD is valid untilis valid until the expiration date of the HKD that was used for attestation.
AP device present AP device presentis an indicator for available crypto devices (crypto-pt) in passthrough mode. (Z16 only) Number of configured APs is the number of APs that have been successfully configured.
AP(X):secret AP(X):secret is the number of AP devices that have been configured through a crypto-pt section in the contract data. AP(X):secret is the checksum of the association secrets supplied in crypto-passthrough configuration. The AP(X):secret are only present if there is a crypto-pt section in the contract, and require a Z16
baseimage The baseimage is the IBM internal QEMU Copy On Write Version 2 (QCOW2) file, which is used as the source for most of the operating system files of the Hyper Protect Container Runtime image. It is used only at image build time by the enabler process. The enabler uses this source together with other Debian packages to create the root.tar.gz and the encrypted secure execution kernel or 'initrd' image.
root.tar.gz The root.tar.gz is part of the final secure execution enabled IBM Hyper Protect Container Runtime image and contains all operating system files. It is stored on the image's first partition (boot partition) as /boot/root.tar.gz.
/dev/disk/by-label/cidata The /dev/disk/by-label/cidata is a block device that is attached to the running instance that contains the cloud-init files. For more information about Cloud-Init, see cloud-init documentation.
cidata All the files in cidata copied are from the /dev/disk/by-label/cidata block device.
attestationPublicKey The attestationPublicKey is the public key that you provide which is used to encrypt the attestation document. The attestationPublicKey is part of the user-data file. Encrypting the attestation document is optional.
workload Workload is a mandatory section. The workload persona provides information about the container (or workload) that needs to be brought up on the IBM Hyper Protect Virtual Servers instance.
env env is a mandatory section. The deployer persona works closely with IBM Cloud. The deployer then creates the env section of the contract. The env section has information that is specific to the IBM Cloud environment.
envWorkloadSignature envWorkloadSignature is an optional section and contains the signature of the other sections of the contract.
contract: sections contract: sections are the checksums of top level keys in the contract document.

The following is the shasum of the ibm-hyper-protect-container-runtime-24.11.0.qcow2 (2.1.11) baseimage:

080f817231fe4bc40021d24e20af9f1135a36711047212f9374664b86ab406ac baseimage

The following is the shasum of the ibm-hyper-protect-container-runtime-24.11.0.qcow2 (2.1.11) root.tar.gz:

ad65a3820d4a233c84e6d201ce537b8020435ccefe26682809da5ef9b176b8ae root.tar.gz

Calculating sha of different subsection of contract

To calculate contract subsection of sha, the input should be similar to the one provided in the contract. If publicKey is provided in the contract, for example with attestationPublicKey, sha should be calculated on the publicKey file only, even though the input is provided in one line with \n or \r.

Decrypting the attestation document

If user data contains a public RSA key (attribute: attestationPublicKey), then the attestation document (se-checksums.txt) is encrypted with the given key. The encryption is done by the same process as that of contract encryption. For more information, see Contract encryption. The public RSA key itself can also be encrypted like the contract.

The encrypted attestation document is then named se-checksums.txt.enc.

In the case of a docker container, the decrypt-attestation.sh file can be accessed by mounting /var/hyperprotect in the docker container. For example,

 volumes:
      - "/var/hyperprotect/:/var/hyperprotect/:ro"

In the case of a Podman container, the decrypt-attestation.sh file can be accessed by mounting /var/hyperprotect in the Podman container. For example,

 volumeMounts:
     - name: attestation
       readOnly: true
       mountPath: /var/hyperprotect:Z,U

Understanding attestation flows

The following diagram shows two scenarios for attestation from the point of view of the auditor to validate that the deployment is the expected one. The left side of the diagram shows the establishment of trust by the auditor who is rooted on a third-party certificate authority. Any key used is kept in a Hyper Protect Crypto Service and signed in a certificate chain based on the third-party authority. The Build environment that is used by Hyper Protect is running in a trusted execution environment by using IBM Secure Execution Technology.

The result is a secure execution image that is seen at the end of the diagram, which is an encrypted secure execution image. To the right of the diagram, the validation of the deployment is outlined. For this, the auditor includes into the encrypted workload contract of the IBM Hyper Protect instance, the public key of a secret, which only the auditor has control over. Such secrets might be protected by appropriate means, like a Hyper Protect Crypto Service, HSM or just a random key. Only the Hyper Protect bootloader that is executed in the trusted execution environment provided through IBM Secure Execution for Linux on IBM LinuxONE, can run the secure execution image of IBM Hyper Protect Virtual Servers. The bootloader contains the secret to decrypt the contract.

During boot several hashes of components and measures of code are taken and added to the attestation record. To further protect this attestation record, the record is encrypted with the public key that the auditor provided. By doing so, only the auditor is in the position to decrypt the attestation record and can validate that the workload that is deployed in the enclave is the expected and untampered version of the workload that is expected to be deployed into the IBM Hyper Protect Virtual Servers instance.

Figure showing the attestation process

Figure 1. Attestation process