This is a C library for getting and verifying attestations from Confidential ACI. It is written in C for maximum portability and has language specific bindings. Current ways to use this library are:
- Standalone C executables
- Docker image
- Python package
To build the core c library as well as all bindings from source, checkout the code and run
make
pip install git+https://github.com/microsoft/[email protected]#subdirectory=src/bindings/python
docker pull ghcr.io/microsoft/confidential-aci-attestation:0.2.0
The C executables live under build/ to run, simply execute the binary.
./build/get_snp_version
./build/get_attestation_ccf
The get_attestation_* binaries will fetch genuine attestation reports if running on genuine SEV-SNP machines, otherwise they will return attestations based on the files under examples.
These sample values were captured on an C-ACI instance running a version of the container defined in compose.yml with the allow_all.rego security policy.
You can also run the verification code against a generated report, just ensure the format of the attestation (which follows the get_attestation_ part of the binary name) matches between get_ and verify_. For example:
attestation=$(./build/get_attestation_ccf <(printf "example-report-data"))
./build/verify_attestation_ccf \
--report-data <(printf "example-report-data") \
--security-policy-b64 "$(cat examples/security_policies/allow_all.rego | base64 -w 0)" \
"$attestation"
attestation=$(python -m attestation.get_attestation_ccf <(printf "example-report-data"))
python -m attestation.verify_attestation_ccf \
--report-data <(printf "example-report-data") \
--security-policy-b64 "$(cat examples/security_policies/allow_all.rego | base64 -w 0)" \
"$attestation"
image="ghcr.io/microsoft/confidential-aci-attestation:0.2.0"
attestation=$(printf "example-report-data" | docker run $image get_attestation_ccf)
printf "example-report-data" | docker run -i $image verify_attestation_ccf \
--report-data /dev/stdin \
--security-policy-b64 "$(cat examples/security_policies/allow_all.rego | base64 -w 0)" \
"$attestation"
Sometimes you want to deploy this code as a container alongside your main logic container so that you can provide your report data at a later time.
image="ghcr.io/microsoft/confidential-aci-attestation:0.2.0"
docker run -d --network=host $image server
attestation=$(printf "example-report-data" | curl localhost:5000/get_attestation_ccf --data-binary @-)
printf "example-report-data" | docker run -i $image verify_attestation_ccf \
--report-data /dev/stdin \
--security-policy-b64 "$(cat examples/security_policies/allow_all.rego | base64 -w 0)" \
"$attestation"
When making changes, you can verify them with:
make lint
make test
This will lint the C code, and run unit tests, test the roundtrip of getting a virtual attestation and verifying it (similar to the example above).
You can also run this roundtrip test in real C-ACI, with:
make test-aci
This will take slightly longer than the other tests, which is why it isn't run implicitly.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.