Skip to content

se-attester: use SHA-512 for report data in IBM SEL#1469

Open
BbolroC wants to merge 2 commits into
confidential-containers:mainfrom
BbolroC:use-sha512-report-data-ibm-sel
Open

se-attester: use SHA-512 for report data in IBM SEL#1469
BbolroC wants to merge 2 commits into
confidential-containers:mainfrom
BbolroC:use-sha512-report-data-ibm-sel

Conversation

@BbolroC
Copy link
Copy Markdown
Member

@BbolroC BbolroC commented May 13, 2026
edited
Loading

This PR uses more secure SHA-512 algorithm for report data in IBM SEL instead of the fallback algorithm SHA-384.
As small refactor, it also extracts the process_runtime_digest() helper function from the SE attester into a general-purpose utility function.

Depends-on: confidential-containers/trustee#1338

Signed-off-by: Hyounggyu Choi Hyounggyu.Choi@ibm.com

@BbolroC BbolroC requested a review from a team as a code owner May 13, 2026 04:37
@BbolroC BbolroC mentioned this pull request May 13, 2026
Merged
@BbolroC BbolroC force-pushed the use-sha512-report-data-ibm-sel branch 2 times, most recently from 271d190 to 1033788 Compare May 13, 2026 05:02
@mythi
Copy link
Copy Markdown
Contributor

mythi commented May 13, 2026

Depends-on: confidential-containers/trustee#1338

The Trustee PR is also set to depend on this one. To avoid the circular dependency, can this be mode so that se-attester uses sha384 hash algo with old Trustee that does not give you selected-hash-algorithm. Or is it like this already?

could process_runtime_digest() be made such that it can also be used in get_evidence() to deduplicate the logic.

@BbolroC
Copy link
Copy Markdown
Member Author

BbolroC commented May 13, 2026
edited
Loading

Depends-on: confidential-containers/trustee#1338

The Trustee PR is also set to depend on this one. To avoid the circular dependency, can this be mode so that se-attester uses sha384 hash algo with old Trustee that does not give you selected-hash-algorithm. Or is it like this already?

Yeah, I am aware of it, unfortunately. For this, the attestation service should keep memorizing which hash algorithm is selected for the extra_params for each attestation challenge and pass the info to a verifier for validation of the report data, which leads to non-marginal changes. I think we can deal with it separately. Or does it make sense to make a fallback for the validation in the verifier side? What do you think @Xynnn007 about this?

could process_runtime_digest() be made such that it can also be used in get_evidence() to deduplicate the logic.

Good idea! This also makes the unit tests look nice and clear. I will update the PR. Thanks!

@BbolroC BbolroC marked this pull request as draft May 13, 2026 07:31
@Xynnn007
Copy link
Copy Markdown
Member

Xynnn007 commented May 13, 2026
edited
Loading

Yeah, I am aware of it, unfortunately. For this, the attestation service should keep memorizing which hash algorithm is selected for the extra_params for each attestation challenge and pass the info to a verifier for validation of the report data, which leads to non-marginal changes. I think we can deal with it separately. Or does it make sense to make a fallback for the validation in the verifier side? What do you think @Xynnn007 about this?

Let's first distinguish a few concepts before looking at what the current PR is doing.

First, the current Attester abstracts the TEE's report retrieval capability into a black box. For architectures like TDX/SNP, there's a challenge parameter called report_data, which is a short data value, typically a few tens of bytes long. IBM SE's black box uses the UserData field for this.

As for runtime_data, it's a large JSON structure, a concept at the KBS protocol level. We bind the entire runtime_data to specific evidence when retrieving evidence. However, since report_data is short, we hash the entire runtime_data and use the hash value as report_data to call get_report. The hash algorithm can be chosen during kbs protocol handshake.

So, in this PR, the change is for low-level black box to implement IBM SE's report_data functionality - we can treat it as what the Intel CPU circuits inside is doing - changing report field from 48 bytes to 64 bytes - thus a breaking change but I think it's ok. It's not a good idea to support both modes in report_data ability level as it's low level black box, but we need to ensure that the compatibility for attester/verifier in a same version.

@BbolroC BbolroC force-pushed the use-sha512-report-data-ibm-sel branch 2 times, most recently from 3273635 to 9b8555a Compare May 13, 2026 09:18
@BbolroC BbolroC marked this pull request as ready for review May 13, 2026 15:06
Xynnn007
Xynnn007 approved these changes May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@Xynnn007 Xynnn007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks @BbolroC

Note that this is a breaking change for IBM SE architecture.
Also, with a deep diving to code, I realize now SE could now support composite attestation. The SeAttestationRequest.runtime_data_digest can be set in the kbs_protocol for IBM SE. This work can be done a separate PR.

Comment thread attestation-agent/attester/src/se/mod.rs Outdated
@Xynnn007 Xynnn007 mentioned this pull request May 18, 2026
Draft
@Xynnn007
Copy link
Copy Markdown
Member

Xynnn007 commented May 18, 2026

btw let's merge this when confidential-containers/trustee#1338 is ready also, for there are breaking changes and we need the compability for both side.

@BbolroC BbolroC force-pushed the use-sha512-report-data-ibm-sel branch from 095dbe5 to b9f82d4 Compare May 18, 2026 09:49
@mythi
Copy link
Copy Markdown
Contributor

mythi commented May 18, 2026

@BbolroC I think b9f82d4 needs to be the first commit in this PR.

@BbolroC BbolroC force-pushed the use-sha512-report-data-ibm-sel branch 3 times, most recently from ec00d6e to d8694fe Compare May 18, 2026 15:51
@Xynnn007
Copy link
Copy Markdown
Member

Xynnn007 commented May 19, 2026

Note that confidential-containers/trustee#1338 gets merged

mythi
mythi reviewed May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mythi mythi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks OK. Have you tested this with existing Trustee releases?

Comment thread attestation-agent/attester/src/utils.rs Outdated
@BbolroC
Copy link
Copy Markdown
Member Author

BbolroC commented May 19, 2026
edited
Loading

Looks OK. Have you tested this with existing Trustee releases?

Yes, I tested it with the latest push for both. It works. But not working with the current Trustee (the version before confidential-containers/trustee#1338 is merged) as @Xynnn007 explained above.

BbolroC added 2 commits May 19, 2026 10:39
@BbolroC
se-attester: extract validation logic into reusable utility function
43daace 
Extract the process_runtime_digest() helper function from the SE attester
into a general-purpose utility function.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
@BbolroC
se-attester: use SHA-512 for report data in IBM SEL
aaed09f 
Use more secure SHA-512 algorithm for report data
in IBM SEL instead of the fallback algorithm SHA-384.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
@BbolroC BbolroC force-pushed the use-sha512-report-data-ibm-sel branch from d8694fe to aaed09f Compare May 19, 2026 08:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mythi mythi mythi approved these changes

@Xynnn007 Xynnn007 Xynnn007 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BbolroC @mythi @Xynnn007