Concepts

Learn about the basic concepts around creating, attesting, verifying and updating workload identities, identifying not only a machine but also its code.

A workload identity is the specific software running in an enclaved virtual machine you want to check. That is, you need to ensure it's running on a machine precisely as intended, including (a) data and code are concealed from the underlying infrastructure operator, and (b) data and code are free from unauthorized modifications.

The checklist covers different aspects, or identities, of the setup. This could include checks about:

  • physical machine ("platform")

  • basic software that starts the computer ("firmware")

  • specific programs, modules, or drivers ("workload")

  • any extra details about the environment ("metadata")

The policy is like a checklist you create beforehand for the workload identity. It lists all the claims you expect to be true about the workload running on for it to be considered safe and trustworthy. The policy is compound of the 4 identities — platform, firmware, workload, metadata — and policies describing how to verify an identity claim.

Object
Description

Identity

Claims related to the hardware platform and software computing base, which can be compound to form the workload identity

Policy

Rules determining what identity claims need to be fulflilled in the identification of workload

Attestation

Process of proving a workload fullfills the identity claims

TOTP

Time-based one-time token to update the attestation

Logs

Audit logs to trace attestation requests

Last updated

Was this helpful?