diff --git a/docs/docs/architecture/attestation.md b/docs/docs/architecture/attestation.md index 60a571e900..4ef3c1e8b7 100644 --- a/docs/docs/architecture/attestation.md +++ b/docs/docs/architecture/attestation.md @@ -58,7 +58,7 @@ columns 4 - **Attester**: Assigned to entities that are responsible for creating *Evidence* which is then sent to a *Verifier*. - **Verifier**: These entities utilize the *Evidence*, *Reference Values*, and *Endorsements*. They assess the trustworthiness of the *Attester* by applying an *Appraisal Policy* for *Evidence*, a process known as "appraisal of Evidence." Following this assessment, *Verifiers* generate *Attestation Results* for use by *Relying Parties*. The *Appraisal Policy* for *Evidence* may be provided by the *Verifier Owner*, configured by the owner, programmed into the *Verifier*, or acquired through other means. -- **Relying Party**: Assigned to entities that utilize *Attestation Results*, applying their own appraisal policies to make specific decisions, such as authorization decisions. This process is referred to as the "appraisal of Attestation Results". The *Appraisal Policy* for *Attestation Results* might be sourced from the *Relying Party Owner*, configured by the owner, embedded in the *Relying Party*, or obtained through other protocols or mechanisms. +- **Relying Party**: Assigned to entities that utilize *Attestation Results*, applying their own appraisal policies to make specific decisions, such as authorization decisions. This process is referred to as the "appraisal of Attestation Results." The *Appraisal Policy* for *Attestation Results* might be sourced from the *Relying Party Owner*, configured by the owner, embedded in the *Relying Party*, or obtained through other protocols or mechanisms. ## Components of Contrast's Attestation The key components involved in the attestation process of Contrast are detailed below: 
@@ -129,7 +129,7 @@ During the [deployment](../deployment.md#generate-policy-annotations-and-manifes On AMD SEV-SNP system's the policy's hash is then added to the CPU's attestation report via the `HOSTDATA` field by the hypervisor. When provided with the policy from the Kata host, the guest agent verifies that the policy's hash matches the one in the `HOSTDATA` field. -In summary the Pod's evidence consists of the CPU report, the pod-VM image's measurments, and the runtime policy. +In summary the Pod's evidence consists of the CPU report, the pod-VM image's measurements, and the runtime policy. All of this layered evidence is combined into one statement and passed to the verifier. ### Verifier: Coordinator and CLI @@ -183,7 +183,7 @@ All connections between components such as the CLI, the Coordinator, and the Pod ### Evidence Types and Formats Several types of attestation evidence exist in Contrast: - **The hardware attestation report**: For AMD SEV-SNP, this includes information such as chip identifier, platform info, microcode versions, and guest measurements. The report also contains the runtime policy hash and is signed by the CPU's private key. -- **The guest measurements**: A launch digest generated by the CPU, which is the hash of all initial guest memory pages, containing the kernel, initramfs, and kernel commandline including the root filesystem's dm-verity root hash. +- **The guest measurements**: A launch digest generated by the CPU, which is the hash of all initial guest memory pages, containing the kernel, initramfs, and kernel command line including the root filesystem's dm-verity root hash. - **The runtime policy hash**: The hash of the Rego policy that defines all expected API commands and their values from the host to the Kata guest agent, including the dm-verity hashes for the container image layers, environment variables, and mount points. ### Appraisal Policies for Evidence 
diff --git a/tools/vale/styles/config/vocabularies/edgeless/accept.txt b/tools/vale/styles/config/vocabularies/edgeless/accept.txt index 63f3633df1..3917072b07 100644 --- a/tools/vale/styles/config/vocabularies/edgeless/accept.txt +++ b/tools/vale/styles/config/vocabularies/edgeless/accept.txt @@ -4,6 +4,7 @@ Ansys API Asciinema ASG +attesters auditable autoscaler autoscaling @@ -16,6 +17,7 @@ Bootstrapper cachable cachix changeset +CLI cloud cmdline config @@ -94,6 +96,7 @@ unencrypted unspoofable untrusted updatable +userland UUID vCPU virsh
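Review bot: In the attestation.md hunk at -129, the unchanged context line "On AMD SEV-SNP system's the policy's hash is then added ..." still has a stray apostrophe ("system's" should be "systems"), and the corrected line is missing a comma after "In summary". Both sit within two lines of the "measurements" typo fixed here, so fold them into this change.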
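Review bot: In the attestation.md hunk at -183, the rewritten guest measurements bullet leaves it unclear what "including the root filesystem's dm-verity root hash" attaches to: the kernel command line or the list of initial guest memory pages. If the intent is that the command line carries the hash, consider "and the kernel command line, which includes the root filesystem's dm-verity root hash" while this line is being touched.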
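Review bot: The three accept.txt hunks add `attesters`, `CLI` and `userland` to the Vale vocabulary, but none of the attestation.md hunks introduces these words, and `userland` doesn't appear in any doc line shown in this patch. State in the commit message which pages need the new entries, or move them into the change that introduces the words, so the accepted vocabulary doesn't grow without a visible reason. The visible doc text also uses the capitalised singular *Attester*, so confirm that the lowercase plural `attesters` is the form the linter actually flags.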