diff --git a/dev-docs/security-overview.md b/dev-docs/security-overview.md index a2b03ab0ef..f91d6cb71e 100644 --- a/dev-docs/security-overview.md +++ b/dev-docs/security-overview.md @@ -79,12 +79,16 @@ Abstractly, a remote-attestation statement `R` from a CVM looks as follows: R = Sig-CPU(, , ) ``` -The `payload` is controlled by the software running inside the CVM. +The field `payload` is controlled by the software running inside the CVM. In the case of a Constellation node, the `payload` is always the public key of the respective Bootstrapper running inside the CVM. Thus, `R` can be seen as a certificate for that public key issued by the CPU. Based on this, nodes establish attested TLS (aTLS) connections. aTLS is used during [cluster creation](#cluster-creation) and when [growing a cluster](#cluster-growth). +The field `auxiliary data` is populated automatically by the CVM platform and, among others, includes information like CPU firmware versions. + +Note that this description of `R` is highly abstract. + ### Measurements In the ideal case, the underlying CVM platform does not inject any of its own software into a CVM. @@ -101,7 +105,7 @@ In measured boot, in general, the software components involved in the boot proce The values of these registers are also called "runtime measurements". All supported CVM platforms provide TPMs to CVMs. Constellation nodes use these to measure their boot process. -They include the 16 runtime measurements as `auxiliary data` in `R`. +They include the 16 runtime measurements as part of `payload` in `R`. Thus, abstractly, `payload` here has the following format: `payload = | `. On each CVM platform, runtime measurements are taken differently. Details on this are given in the [Constellation documentation](https://docs.edgeless.systems/constellation/architecture/attestation#runtime-measurements).