Annotations

Introduction

Annotation is a way to associate a human-readable description or value with a specific technical attestation key. It is like adding a comment or a sticky note to a piece of data in the attestation report to make it understandable to a person. It helps turn raw, technical attestation data into something more informative and actionable for administrators or users.

In other words, an attestation report contains lots of technical, sometime cryptographically obfuscated information about the platform security processor and workload being verified. Some of these data points might be obscure codes, hashes, or measurements that aren't immediately meaningful to a human.

What are Annotations?

An annotation allows you to look at one of these technical keys and associate with a value.

Example

Consider an attestation report including a particular measurement value, like a hash of the operating system's kernel

// Some technical value from the report

key: "sha256:abcdef123456..." 

Without an annotation, you just have this string of characters, and you don't know what it represents. You could create an annotation that links this specific key to a meaningful value

Example

// Some annotated report
key: "sha256:abcdef123456..."
value: "Expected hash for Ubuntu 22.04 LTS kernel version 5.15.0-91"

Now, when you review the attestation and see that specific hash or key, you can look up its annotation and immediately understand that it corresponds to a verified version of the Ubuntu kernel or value.

Next Steps

For more information about creating annotation using vHSM CLI, see Annotations.