
Elastic Compute Service: Remote Attestation Service

Last updated: Jun 19, 2024

Alibaba Cloud Remote Attestation Service is a unified solution for verifying the trustworthiness of a platform and the integrity of the code that is started and run on that platform. The service supports attestation of platforms based on a Trusted Platform Module (TPM) and attestation of the state of a Trusted Execution Environment (TEE). This topic describes how the remote attestation service works and how to use it.

How it works

Alibaba Cloud Remote Attestation Service is based on the background-check model and can be used to verify the security state and trustworthiness of Alibaba Cloud security-enhanced instances. The service involves the following roles:

  • Attester: a user of an Alibaba Cloud ECS instance who needs to prove the identity and trustworthiness of the ECS instance to a relying party.

  • Relying party: the entity that needs to verify the identity and trustworthiness of the attester. The relying party uses measurement information from the TPM, TEE, or similar sources as reference values to generate an appraisal policy.

  • Verifier: Alibaba Cloud Remote Attestation Service, which compares the evidence against the appraisal policy and produces a verification result.

The attestation procedure is as follows:

  1. The attester collects and generates evidence in the ECS instance.

  2. The attester sends the evidence to the relying party.

  3. The relying party forwards the evidence directly to the verifier.

  4. The verifier compares the evidence against its appraisal policy.

  5. The verifier returns the attestation result to the relying party.

  6. The relying party compares the attestation result against its own appraisal policy.

In this procedure, the attestation result is delivered from the trusted verifier to the relying party over a secure channel, which provides a high level of security. For more information about the background-check model (defined in the IETF RATS architecture, RFC 9334), see Background-Check Model.

In the background-check-based design of Alibaba Cloud Remote Attestation Service, the attester can also send evidence directly to the remote attestation service instead of relaying it through the relying party, and the relying party can query the attestation result of a specific entity from the remote attestation service at any time. This greatly reduces the load on the relying party and lets an administrator manage the state of all of their entities centrally.

Billing

Alibaba Cloud Remote Attestation Service itself is free of charge.

However, you are charged for the ECS instances that use the remote attestation service.

Remote attestation service OpenAPI examples

Alibaba Cloud Remote Attestation Service supports trusted computing instances based on a virtual TPM (vTPM) and confidential computing instances based on Intel SGX, Intel TDX, or Enclave.

  • For remote attestation of vTPM instances, you must activate Security Center with your Alibaba Cloud account.

  • For remote attestation of confidential computing instance features such as Intel SGX and TDX, you can access the service over anonymous HTTP requests.

Remote attestation of vTPM trusted instances

For more information about trusted instances, see Overview of trusted computing capabilities.

Report evidence

Sample request (this operation can only be called after authentication; see Request structure and Signature mechanism for how to call it):

access https://trusted-server.cn-hangzhou.aliyuncs.com?Action=PutMessage&PropertyUuid=0f74b5cc-ff0e-4fa6-b457-1dc58072****&FileData=******************

Sample response:

{
	"PropertyName": "instance-name",
	"SystemTrustDetail": {
		"pcr3": "d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198exxxx",
		"pcr4": "c35cef3b92c3850dc0bfa6139b25dc1c4c3d642b8587bde0fiemd847ufjxxxx",
		"pcr5": "aabd7d8c76c931dabed7ea53d1c8f96036c42a29435680ddff3f3148ff70xxxx",
		"pcr6": "d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198exxxx",
		"pcr0": "d22aa1bba22e829456f0cfda0d87690e6c252032864643da353133f161xxxx",
		"pcr1": "d9f056a703f04e4f408445752e97e92c890266d32e2ff1df3e80545aab4fxxxx",
		"pcr2": "d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198exxxx",
		"pcr7": "dd794f2d0c4cfa28dc9b5a3266e8516378ba551190d9844c38b890f7ad27xxxx",
		"pcr8": "deb301d065009d62980110d8173e350bbd43a4997ad74bf358ce5399c0ecxxxx",
		"pcr9": "ffe25e93ac7d245159184ac68c7dd5783e4cea978fafb1ad036bc861a8cdxxxx"
	},
	"RequestId": "D0E0C1D2-2937-54D4-9C52-XXXXXXXXXXXX",
	"SystemExceptionNum": 0,
	"ProgramWhiteListId": -1,
	"SystemWhiteListId": 1234,
	"ProgramTrustStatus": 4,
	"SystemTrustStatus": 1,
	"GmtModified": 1698975648000,
	"ProgramWhiteListName": "",
	"GmtRecentReport": 1698975648000,
	"OnlineStatus": 1,
	"Extensions": {
		"pcr5": "d1dac9c104c63c7e24f27962f4ad1df639a3f3224b1a968a45916207cf3xxxx"
	},
	"PropertyPrivateIp": "1.1.X.X",
	"PropertyPublicIp": "1.1.X.X",
	"GmtCreate": 1698385542000,
	"PropertyUuid": "c13fcabe-6683-4a9f-8cdd-xxxxxxxxxxxx",
	"ProgramTrustDetail": "{}",
	"ProgramExceptionNum": 0,
	"PropertyAffiliation": 1
}

Query the attestation result

Sample request:

access https://trusted-server.cn-beijing.aliyuncs.com?Action=DescribeInstance&PropertyUuid=0f74b5cc-ff0e-4fa6-b457-1dc58072****

Sample response:

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3****",
  "data": {
    "nextClientIMAIndex": 0,
    "systemVerificationResult": {
      "status": 1,
      "code": "TrustedStatus"
    },
    "programVerificationResult": {
      "status": 1,
      "code": "TrustedStatus"
    }
  }
}
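Step 6 of the procedure above is the relying party's own appraisal: the verifier's result is an input to local policy, not the final word. The following is an added example (not Alibaba Cloud's code) of that appraisal, applied to responses shaped like the PutMessage and DescribeInstance samples. It requires the verifier to report code TrustedStatus for both results (status 1 is read as "trusted" based on the sample), compares the reported PCR digests against golden values the relying party recorded for the instance, and rejects stale reports using GmtRecentReport. The golden PCR values, the shortened digests, and the freshness window are constructed placeholders.

```python
"""Relying-party appraisal of vTPM attestation responses (added example).

Assumes responses in the shape of the PutMessage and DescribeInstance samples
on this page. Golden PCR values and the freshness window are constructed.
"""
import json

# Constructed sample in the shape of the DescribeInstance response.
DESCRIBE_INSTANCE_RESPONSE = json.dumps({
    "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3****",
    "data": {
        "nextClientIMAIndex": 0,
        "systemVerificationResult": {"status": 1, "code": "TrustedStatus"},
        "programVerificationResult": {"status": 1, "code": "TrustedStatus"},
    },
})

# Constructed sample in the shape of the PutMessage response (digests shortened).
PUT_MESSAGE_RESPONSE = json.dumps({
    "PropertyUuid": "c13fcabe-6683-4a9f-8cdd-xxxxxxxxxxxx",
    "SystemTrustStatus": 1,
    "OnlineStatus": 1,
    "GmtRecentReport": 1698975648000,   # epoch milliseconds, as in the sample
    "SystemTrustDetail": {
        "pcr0": "d22aa1bb",
        "pcr4": "c35cef3b",
        "pcr7": "dd794f2d",
    },
})

# Golden values the relying party recorded for this instance (constructed).
GOLDEN_PCRS = {"pcr0": "d22aa1bb", "pcr4": "c35cef3b", "pcr7": "dd794f2d"}


def verifier_says_trusted(describe_json: str) -> bool:
    """Both verification results must carry code TrustedStatus and status 1
    (status == 1 meaning 'trusted' is an assumption taken from the sample)."""
    data = json.loads(describe_json)["data"]
    results = (data["systemVerificationResult"], data["programVerificationResult"])
    return all(r.get("code") == "TrustedStatus" and r.get("status") == 1 for r in results)


def pcr_mismatches(put_json: str, golden: dict) -> list:
    """Names of golden PCRs whose reported digest differs or is absent."""
    reported = json.loads(put_json).get("SystemTrustDetail", {})
    return sorted(name for name, want in golden.items()
                  if reported.get(name, "").lower() != want.lower())


def report_is_fresh(put_json: str, now_ms: int, max_age_ms: int) -> bool:
    """Reject reports older than max_age_ms or timestamped in the future."""
    last = json.loads(put_json).get("GmtRecentReport", 0)
    return 0 <= now_ms - last <= max_age_ms


def appraise(describe_json: str, put_json: str, golden: dict,
             now_ms: int, max_age_ms: int = 3_600_000) -> dict:
    """Combine the verifier's result with the relying party's own policy."""
    trusted = verifier_says_trusted(describe_json)
    mismatches = pcr_mismatches(put_json, golden)
    fresh = report_is_fresh(put_json, now_ms, max_age_ms)
    return {
        "verifier_trusted": trusted,
        "pcr_mismatches": mismatches,
        "fresh": fresh,
        "accept": trusted and not mismatches and fresh,
    }


if __name__ == "__main__":
    # One minute after the sample's GmtRecentReport.
    print(appraise(DESCRIBE_INSTANCE_RESPONSE, PUT_MESSAGE_RESPONSE, GOLDEN_PCRS,
                   now_ms=1698975648000 + 60_000))
```

The PCR comparison is deliberately exact: a relying party that accepts any digest the verifier marks trusted gains nothing over trusting the verifier alone, whereas pinning golden values lets it notice a firmware or boot-chain change before its own policy has been updated.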

Remote attestation of SGX/TDX confidential instances

For more information about SGX and TDX confidential instances, see Build an SGX confidential computing environment and Build a TDX confidential computing environment.

Obtain platform TCB information

Sample request:

curl https://sgx-dcap-server.cn-beijing.aliyuncs.com/sgx/certification/v3/tcb?fmspc=00606A000000

Sample response:

{
	"tcbInfo": {
		"version": 2,
		"issueDate": "2023-10-11T08:09:33Z",
		"nextUpdate": "2023-12-18T08:09:33Z",
		"fmspc": "00606A000000",
		"pceId": "0000",
		"tcbType": 0,
		"tcbEvaluationDataNumber": 12,
		"tcbLevels": [{
			"tcb": {
				"sgxtcbcomp01svn": 4,
				"sgxtcbcomp02svn": 4,
				"sgxtcbcomp03svn": 3,
				"sgxtcbcomp04svn": 3,
				"sgxtcbcomp05svn": 255,
				"sgxtcbcomp06svn": 255,
				"sgxtcbcomp07svn": 0,
				"sgxtcbcomp08svn": 0,
				"sgxtcbcomp09svn": 0,
				"sgxtcbcomp10svn": 0,
				"sgxtcbcomp11svn": 0,
				"sgxtcbcomp12svn": 0,
				"sgxtcbcomp13svn": 0,
				"sgxtcbcomp14svn": 0,
				"sgxtcbcomp15svn": 0,
				"sgxtcbcomp16svn": 0,
				"pcesvn": 11
			},
			"tcbDate": "2021-11-10T00:00:00Z",
			"tcbStatus": "UpToDate"
		}, {
			"tcb": {
				"sgxtcbcomp01svn": 4,
				"sgxtcbcomp02svn": 4,
				"sgxtcbcomp03svn": 3,
				"sgxtcbcomp04svn": 3,
				"sgxtcbcomp05svn": 255,
				"sgxtcbcomp06svn": 255,
				"sgxtcbcomp07svn": 0,
				"sgxtcbcomp08svn": 0,
				"sgxtcbcomp09svn": 0,
				"sgxtcbcomp10svn": 0,
				"sgxtcbcomp11svn": 0,
				"sgxtcbcomp12svn": 0,
				"sgxtcbcomp13svn": 0,
				"sgxtcbcomp14svn": 0,
				"sgxtcbcomp15svn": 0,
				"sgxtcbcomp16svn": 0,
				"pcesvn": 10
			},
			"tcbDate": "2020-11-11T00:00:00Z",
			"tcbStatus": "OutOfDate"
		}, {
			"tcb": {
				"sgxtcbcomp01svn": 4,
				"sgxtcbcomp02svn": 4,
				"sgxtcbcomp03svn": 3,
				"sgxtcbcomp04svn": 3,
				"sgxtcbcomp05svn": 255,
				"sgxtcbcomp06svn": 255,
				"sgxtcbcomp07svn": 0,
				"sgxtcbcomp08svn": 0,
				"sgxtcbcomp09svn": 0,
				"sgxtcbcomp10svn": 0,
				"sgxtcbcomp11svn": 0,
				"sgxtcbcomp12svn": 0,
				"sgxtcbcomp13svn": 0,
				"sgxtcbcomp14svn": 0,
				"sgxtcbcomp15svn": 0,
				"sgxtcbcomp16svn": 0,
				"pcesvn": 5
			},
			"tcbDate": "2018-01-04T00:00:00Z",
			"tcbStatus": "OutOfDate"
		}]
	},
	"signature": "21750a9a4173140379971c9eeaeee8dd27364cae4fdc45e19825bcddb0e5942941cb7cad8067aaaa98c75a0a0cfa9de329eb7d875957bd633a248bc328a0xxxx"
}
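The tcbLevels array above is what a verifier walks to decide whether a platform's firmware is current. The following is an added example (not Alibaba Cloud's or Intel's code) of that evaluation, assuming the Intel PCS v3 tcbInfo layout shown on this page: levels are listed newest first, and the first level whose sixteen component SVNs and PCESVN are all less than or equal to the platform's values determines the status. The platform values, which in practice come from the PCK certificate, are constructed here. Because the endpoint is reached over anonymous HTTP, the tcbInfo signature must be verified against the issuer certificate chain before the document is used; this example assumes that step has already been done and only checks the validity window and the FMSPC.

```python
"""TCB level evaluation against a tcbInfo document (added example).

Assumes the Intel PCS v3 tcbInfo layout shown on this page. Platform SVNs and
PCESVN are constructed; in practice they are read from the PCK certificate.
"""
from datetime import datetime, timezone


def _level(comps, pcesvn, date, status):
    """Build one tcbLevels entry in the page's layout from a list of 16 SVNs."""
    tcb = {f"sgxtcbcomp{i:02d}svn": v for i, v in enumerate(comps, start=1)}
    tcb["pcesvn"] = pcesvn
    return {"tcb": tcb, "tcbDate": date, "tcbStatus": status}


# Component SVNs shared by all three levels in the sample response above.
BASE_COMPS = [4, 4, 3, 3, 255, 255] + [0] * 10

# Constructed tcbInfo mirroring the sample (levels differ only in pcesvn).
TCB_INFO = {
    "version": 2,
    "issueDate": "2023-10-11T08:09:33Z",
    "nextUpdate": "2023-12-18T08:09:33Z",
    "fmspc": "00606A000000",
    "tcbLevels": [
        _level(BASE_COMPS, 11, "2021-11-10T00:00:00Z", "UpToDate"),
        _level(BASE_COMPS, 10, "2020-11-11T00:00:00Z", "OutOfDate"),
        _level(BASE_COMPS, 5, "2018-01-04T00:00:00Z", "OutOfDate"),
    ],
}


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def tcb_info_in_validity_window(info: dict, now_iso: str) -> bool:
    """A tcbInfo is only usable between issueDate and nextUpdate."""
    return _utc(info["issueDate"]) <= _utc(now_iso) < _utc(info["nextUpdate"])


def match_tcb_level(info: dict, platform_comps: list, platform_pcesvn: int, fmspc: str):
    """Walk tcbLevels in document order (newest first). The first level whose
    16 component SVNs and PCESVN are all <= the platform's values gives the
    status. Returns that tcbStatus, or None if the platform is below every level."""
    if fmspc.upper() != info["fmspc"].upper():
        raise ValueError("tcbInfo was issued for a different FMSPC")
    if len(platform_comps) != 16:
        raise ValueError("expected 16 component SVNs")
    for level in info["tcbLevels"]:
        tcb = level["tcb"]
        comps_ok = all(
            platform_comps[i] >= tcb[f"sgxtcbcomp{i + 1:02d}svn"] for i in range(16)
        )
        if comps_ok and platform_pcesvn >= tcb["pcesvn"]:
            return level["tcbStatus"]
    return None


if __name__ == "__main__":
    print("tcbInfo valid:", tcb_info_in_validity_window(TCB_INFO, "2023-11-01T00:00:00Z"))
    for pcesvn in (11, 10, 4):
        status = match_tcb_level(TCB_INFO, BASE_COMPS, pcesvn, "00606a000000")
        print(f"pcesvn={pcesvn}: {status}")
```

A platform that falls below every listed level gets None rather than the oldest status; treating "no match" as "OutOfDate" would silently accept firmware the document says nothing about.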

Obtain the QE identity

Sample request:

curl https://sgx-dcap-server.cn-beijing.aliyuncs.com/sgx/certification/v3/qe/identity

Sample response:

{
	"enclaveIdentity": {
		"id": "QE",
		"version": 2,
		"issueDate": "2023-11-01T14:57:38Z",
		"nextUpdate": "2023-12-01T14:57:38Z",
		"tcbEvaluationDataNumber": 16,
		"miscselect": "00000000",
		"miscselectMask": "FFFFFFFF",
		"attributes": "11000000000000000000000000000000",
		"attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
		"mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C5xxxx",
		"isvprodid": 1,
		"tcbLevels": [{
				"tcb": {
					"isvsvn": 8
				},
				"tcbDate": "2023-08-09T00:00:00Z",
				"tcbStatus": "UpToDate"
			},
			{
				"tcb": {
					"isvsvn": 6
				},
				"tcbDate": "2021-11-10T00:00:00Z",
				"tcbStatus": "OutOfDate"
			}, {
				"tcb": {
					"isvsvn": 5
				},
				"tcbDate": "2020-11-11T00:00:00Z",
				"tcbStatus": "OutOfDate"
			}, {
				"tcb": {
					"isvsvn": 4
				},
				"tcbDate": "2019-11-13T00:00:00Z",
				"tcbStatus": "OutOfDate"
			}, {
				"tcb": {
					"isvsvn": 2
				},
				"tcbDate": "2019-05-15T00:00:00Z",
				"tcbStatus": "OutOfDate"
			}, {
				"tcb": {
					"isvsvn": 1
				},
				"tcbDate": "2018-08-15T00:00:00Z",
				"tcbStatus": "OutOfDate"
			}
		]
	},
	"signature": "593f79398d6400e62d14f1066e69e4e5bb44ed7544b18713d8020354e7601481681dc812a124672bfedd0e54ab31179fac442400c011ebca6b00c44d805bxxxx"
}

Obtain the QvE identity

Sample request:

curl https://sgx-dcap-server.cn-beijing.aliyuncs.com/sgx/certification/v3/qve/identity

Sample response:

{
	"enclaveIdentity": {
		"id": "QVE",
		"version": 2,
		"issueDate": "2023-11-01T15:45:01Z",
		"nextUpdate": "2023-12-01T15:45:01Z",
		"tcbEvaluationDataNumber": 16,
		"miscselect": "00000000",
		"miscselectMask": "FFFFFFFF",
		"attributes": "01000000000000000000000000000000",
		"attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
		"mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C5xxxx",
		"isvprodid": 2,
		"tcbLevels": [{
			"tcb": {
				"isvsvn": 3
			},
			"tcbDate": "2023-08-09T00:00:00Z",
			"tcbStatus": "UpToDate"
		}]
	},
	"signature": "251bb1301cb499cb8161a9b885fad8ceeb06b497f1e4a83c8de2d0f2e9e82c3ce0f22ce2ef6c6a789dcc287bb0a1da12a822a465395b54c9046aacfee7ceaff6"
}
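The QE and QvE identity documents above share one layout, and a verifier applies the same checks to either: the enclave's MISCSELECT and ATTRIBUTES must equal the identity's values after applying the corresponding masks, MRSIGNER and ISVPRODID must match exactly, and the enclave's ISVSVN selects the first tcbLevels entry it meets. The following is an added example (not Alibaba Cloud's or Intel's code) of that matching, assuming the Intel PCS v3 enclaveIdentity layout shown on this page. The identity is constructed from the QE sample (the page masks the tail of mrsigner, so the final bytes here are placeholders), and the report fields are constructed; as with tcbInfo, the document's signature must be verified before any of this is meaningful.

```python
"""Matching an enclave report against an enclaveIdentity document (added example).

Assumes the Intel PCS v3 enclaveIdentity layout shown on this page for both the
QE and QvE identities. Identity and report values are constructed.
"""

# Constructed identity in the shape of the QE identity response above.
# The last four hex characters of mrsigner are placeholders (masked on the page).
IDENTITY = {
    "id": "QE",
    "version": 2,
    "miscselect": "00000000",
    "miscselectMask": "FFFFFFFF",
    "attributes": "11000000000000000000000000000000",
    "attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
    "mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C50000",
    "isvprodid": 1,
    "tcbLevels": [
        {"tcb": {"isvsvn": 8}, "tcbDate": "2023-08-09T00:00:00Z", "tcbStatus": "UpToDate"},
        {"tcb": {"isvsvn": 6}, "tcbDate": "2021-11-10T00:00:00Z", "tcbStatus": "OutOfDate"},
    ],
}

# Constructed fields as they would be read from the enclave's REPORT body.
SAMPLE_REPORT = {
    "miscselect": "00000000",
    "attributes": "11000000000000000000000000000000",
    "mrsigner": IDENTITY["mrsigner"],
    "isvprodid": 1,
    "isvsvn": 8,
}


def _masked_equal(value_hex: str, expected_hex: str, mask_hex: str) -> bool:
    """Compare two hex-encoded fields byte by byte under a mask: only bits set
    in the mask take part in the comparison."""
    value, expected, mask = (bytes.fromhex(h) for h in (value_hex, expected_hex, mask_hex))
    if not len(value) == len(expected) == len(mask):
        raise ValueError("field length mismatch")
    return all((v & m) == (e & m) for v, e, m in zip(value, expected, mask))


def enclave_identity_status(identity: dict, report: dict):
    """Return (True, tcbStatus) when the report matches the identity, or
    (False, reason) naming the first check that failed."""
    if not _masked_equal(report["miscselect"], identity["miscselect"], identity["miscselectMask"]):
        return False, "miscselect mismatch"
    if not _masked_equal(report["attributes"], identity["attributes"], identity["attributesMask"]):
        return False, "attributes mismatch"
    if report["mrsigner"].lower() != identity["mrsigner"].lower():
        return False, "mrsigner mismatch"
    if report["isvprodid"] != identity["isvprodid"]:
        return False, "isvprodid mismatch"
    # tcbLevels are listed newest first; the first level the ISVSVN reaches wins.
    for level in identity["tcbLevels"]:
        if report["isvsvn"] >= level["tcb"]["isvsvn"]:
            return True, level["tcbStatus"]
    return False, "isvsvn below every listed TCB level"


if __name__ == "__main__":
    print(enclave_identity_status(IDENTITY, SAMPLE_REPORT))
    debug_report = {**SAMPLE_REPORT, "attributes": "13000000000000000000000000000000"}
    print(enclave_identity_status(IDENTITY, debug_report))
```

The mask matters in both directions. In the sample, attributesMask begins with FB, which clears bit 0x04 of the first attribute byte, so an enclave differing only in that bit still matches; bit 0x02, the SGX DEBUG flag, stays in the mask, so a debug-mode build of the enclave is rejected even though everything else is identical.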