Skip to content

Pin enclave measurement (MRTD/TCB) — attestation that proves our code [L1]#269

Merged
posix4e merged 4 commits into
mainfrom
feature/measurement-pinning
May 30, 2026
Merged

Pin enclave measurement (MRTD/TCB) — attestation that proves our code [L1]#269
posix4e merged 4 commits into
mainfrom
feature/measurement-pinning

Conversation

@posix4e
Copy link
Copy Markdown
Member

@posix4e posix4e commented May 29, 2026

Why

Attestation today proves "a genuine, TCB-up-to-date TDX VM bound to this Noise key" but never checks which code runs — mrtd was logged (cp.rs:512) and never compared. So any genuine TDX enclave (incl. different/malicious code) with a valid token + bound key passes. (confer-proxy had the same gap.)

What (Layer 1 — warn-then-enforce)

ita::ExpectedMeasurements (MRTD allowlist + tcb_status + enforce) from env:

  • DD_EXPECTED_MRTD (comma/space-sep hex; unset = observe-only)
  • DD_EXPECTED_TCB (default UpToDate once pinned)
  • DD_MEASUREMENT_ENFORCE=0 → warn instead of reject (canary)

Checked after verifier.verify in cp.rs::register (reject → 401) and the collector scrape (drop from store). The blessed MRTD is sourced from a committed pin (PR review = trust anchor) or, later, the ee-mini signed manifest.

Client-side counterpart: devopsdefender/dd-client#4 (--expected-mrtd).

Scope / honesty

This pins the firmware + kernel + initrd baseline. It does not yet cover:

  • the root filesystem — ee-mini's DD targets are ext4-label with no dm-verity, so the rootfs is unmeasured/mutable (Layer 0, ee-mini: enable dm-verity → roothash in cmdline → RTMR);
  • the workload binarydevopsdefender/cloudflared are fetched at boot, not measured (Layer 2: pin digests).

Land this in warn mode (don't set DD_EXPECTED_MRTD) for visibility; bless the captured MRTD in a follow-up, then enforce. Tests cover match/mismatch/bad-TCB/unpinned.

🤖 Generated with Claude Code

@posix4e @claude
Pin enclave measurement: expected-MRTD check (Layer 1, warn-then-enfo…
be78b6b 
…rce)

Attestation proved "a genuine TDX VM bound to this key" but never checked the
measurement, so any genuine enclave (incl. different/malicious code) with a valid
token + bound key passed. mrtd was logged and never compared.

Add ita::ExpectedMeasurements (mrtd allowlist + tcb_status + enforce flag) from
env (DD_EXPECTED_MRTD / DD_EXPECTED_TCB / DD_MEASUREMENT_ENFORCE). Check after
verifier.verify in cp.rs::register and the collector scrape: unset = observe-only
(current behavior), pinned+enforce = reject mismatch (401 / drop from store),
pinned+!enforce = warn (canary). Default tcb = UpToDate once pinned.

Source of the pinned value is a committed/blessed measurement (PR review =
trust anchor), or the ee-mini signed manifest once it exists. Note: this pins the
firmware+kernel+initrd baseline; covering the rootfs needs dm-verity (ee-mini,
Layer 0) and workloads need digest pinning (Layer 2).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 29, 2026
edited
Loading

DD preview ready

URL: https://pr-269.devopsdefender.com

Browser login: visit https://pr-269.devopsdefender.com — DD redirects you to
the GitHub App auth broker. A DD session cookie scoped
to .devopsdefender.com lets the preview, fleet, and
shell hosts share the same login.

Machine-to-machine: GitHub Actions workflows in the
DD_OWNER org pass their per-job OIDC JWT as
Authorization: Bearer … (audience dd-agent).

Register endpoint for a local agent: https://pr-269.devopsdefender.com/register
(authenticated by ITA attestation).

@posix4e
Also read tdx_report_data on the server for consistency
75462bc 
Mirror the client fix: Intel TDX tokens expose the quote report_data as
tdx_report_data, not attester_held_data. Harmless today (CP reads only mrtd/tcb)
but keeps Claims correct as measurement/binding checks expand.
posix4e added 2 commits May 30, 2026 13:40
@posix4e
Read tdx_report_data directly (drop needless attester_held_data fallb…
01a568c 
…ack)
@posix4e
Fix: report_data is dual-mode, not a stray fallback
363b037 
Intel tokens use tdx_report_data; the local dev issuer (mint_local) uses
attester_held_data. Read tdx_report_data first, attester_held_data as the
local-mode source. (Reverts the over-eager removal that broke local-mode tests.)
@posix4e posix4e merged commit eb6d91e into main May 30, 2026
2 of 3 checks passed
@posix4e posix4e deleted the feature/measurement-pinning branch May 30, 2026 13:45
@posix4e posix4e mentioned this pull request May 30, 2026
Merged
posix4e added a commit that referenced this pull request May 30, 2026
@posix4e
Merge pull request #270 from devopsdefender/revert/back-to-may10
c152a9e 
Revert to May-10 working state (back out #267, #269, #268)
posix4e added a commit that referenced this pull request May 30, 2026
@posix4e
Merge pull request #272 from devopsdefender/reland/features-no-stonith
04bf6ca 
Re-land #267 + #269 + #268 (now that STONITH is gone)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@posix4e