Concepts

Learn about the basic concepts around creating, attesting, verifying and updating workload identities, identifying not only a machine but also its code.

A workload identity is the specific software running in an enclaved virtual machine you want to check. That is, you need to ensure it's running on a machine precisely as intended, including (a) data and code are concealed from the underlying infrastructure operator, and (b) data and code are free from unauthorized modifications.

The checklist covers different aspects, or identities, of the setup. This could include checks about:

  • physical machine ("platform")

  • basic software that starts the computer ("firmware")

  • specific programs, modules, or drivers ("workload")

  • any extra details about the environment ("metadata")

The policy is like a checklist you create beforehand for the workload identity. It lists all the claims you expect to be true about the workload running on for it to be considered safe and trustworthy. The policy is compound of the 4 identities — platform, firmware, workload, metadata — and policies describing how to verify an identity claim.

Additional, objects for attestation life cycle management are introduced. They include annotation to add semantics to attestation reports, log for programatic auditing/reporting, and time-based one-time password (TOTP) allowing for fully automated registration of machine identities.

JSON Object
Description

Annotation

Key-value store to map cryptographic with human readable report data

Attestation

Process of proving a workload fullfills the identity claims

Identity

Claims related to the hardware platform and software computing base, which can be compound to form the workload identity

Logs

Audit logs to trace attestation requests

Policy

Rules determining what identity claims need to be fulfilled in the identification of workload

TOTP

Time-based one-time token to update the attestation

Last updated

Was this helpful?