Exemplos de um token de atestado
A política de atestado é usada para processar a evidência de atestado e determina se o Atestado do Azure emite um token de atestado. A geração de tokens de atestado pode ser controlada com políticas personalizadas. Aqui estão alguns exemplos de um token de atestado.
Exemplo de JWT (Token Web JSON) gerado para o atestado SGX (Software Guard Extensions)
{
"alg": "RS256",
"jku": "https://tradewinds.us.attest.azure.net/certs",
"kid": <self signed certificate reference to perform signature verification of attestation token>,
"typ": "JWT"
}.{
"aas-ehd": <input enclave held data>,
"exp": 1568187398,
"iat": 1568158598,
"is-debuggable": false,
"iss": "https://tradewinds.us.attest.azure.net",
"maa-attestationcollateral":
{
"qeidcertshash": <SHA256 value of QE Identity issuing certs>,
"qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,
"qeidhash": <SHA256 value of the QE Identity collateral>,
"quotehash": <SHA256 value of the evaluated quote>,
"tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>,
"tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>,
"tcbinfohash": <SHA256 value of the TCB Info collateral>
},
"maa-ehd": <input enclave held data>,
"nbf": 1568158598,
"product-id": 4639,
"sgx-mrenclave": <SGX enclave mrenclave value>,
"sgx-mrsigner": <SGX enclave mrsigner value>,
"svn": 0,
"tee": "sgx"
"x-ms-attestation-type": "sgx",
"x-ms-policy-hash": <>,
"x-ms-sgx-collateral":
{
"qeidcertshash": <SHA256 value of QE Identity issuing certs>,
"qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,
"qeidhash": <SHA256 value of the QE Identity collateral>,
"quotehash": <SHA256 value of the evaluated quote>,
"tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>,
"tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>,
"tcbinfohash": <SHA256 value of the TCB Info collateral>
},
"x-ms-sgx-ehd": <>,
"x-ms-sgx-is-debuggable": true,
"x-ms-sgx-mrenclave": <SGX enclave mrenclave value>,
"x-ms-sgx-mrsigner": <SGX enclave mrsigner value>,
"x-ms-sgx-product-id": 1,
"x-ms-sgx-svn": 1,
"x-ms-ver": "1.0",
"x-ms-sgx-config-id": "000102030405060708090a0b0c0d8f99000102030405060708090a0b0c860e9a000102030405060708090a0b7d0d0e9b000102030405060708090a740c0d0e9c",
"x-ms-sgx-config-svn": 3451,
"x-ms-sgx-isv-extended-product-id": "8765432143211234abcdabcdef123456",
"x-ms-sgx-isv-family-id": "1234567812344321abcd1234567890ab"
}.[Signature]
Algumas das declarações usadas aqui são consideradas preteridas, mas têm suporte total. É recomendável que todos os códigos e ferramentas futuros usem os nomes de declaração não preteridos; quando uma declaração preterida e a sua equivalente não preterida aparecem no mesmo token (por exemplo, is-debuggable e x-ms-sgx-is-debuggable), a lógica de verificação deve basear-se na versão não preterida. Para obter mais informações, confira as declarações emitidas pelo Atestado do Azure.
As declarações abaixo aparecem apenas no token de atestado gerado para plataformas de servidor baseadas em processadores escaláveis Intel® Xeon®. As declarações não aparecerão se o enclave SGX não estiver configurado com Suporte à separação e compartilhamento de chaves.
x-ms-sgx-config-id
x-ms-sgx-config-svn
x-ms-sgx-isv-extended-product-id
x-ms-sgx-isv-family-id
Exemplo de JWT gerado para o atestado SEV-SNP
{
"exp": 1649970020,
"iat": 1649941220,
"iss": "https://maasandbox0001.wus.attest.azure.net",
"jti": "b65da1dcfbb4698b0bb2323cac664b745a2ff1cffbba55641fd65784aa9474d5",
"nbf": 1649941220,
"x-ms-attestation-type": "sevsnpvm",
"x-ms-compliance-status": "azure-compliant-cvm",
"x-ms-policy-hash": "LTPRQQju-FejAwdYihF8YV_c2XWebG9joKvrHKc3bxs",
"x-ms-runtime": {
"keys": [
{
"e": "AQAB",
"key_ops": ["encrypt"],
"kid": "HCLTransferKey",
"kty": "RSA",
"n": "ur08DccjGGzRo3OIq445n00Q3OthMIbR3SWIzCcicIM_7nPiVF5NBIknk2zdHZN1iiNhIzJezrXSqVT7Ty1Dl4AB5xiAAqxo7xGjFqlL47NA8WbZRMxQtwlsOjZgFxosDNXIt6dMq7ODh4nj6nV2JMScNfRKyr1XFIUK0XkOWvVlSlNZjaAxj8H4pS0yNfNwr1Q94VdSn3LPRuZBHE7VrofHRGSHJraDllfKT0-8oKW8EjpMwv1ME_OgPqPwLyiRzr99moB7uxzjEVDe55D2i2mPrcmT7kSsHwp5O2xKhM68rda6F-IT21JgdhQ6n4HWCicslBmx4oqkI-x5lVsRkQ"
}
],
"vm-configuration": {
"secure-boot": true,
"secure-boot-template-id": "1734c6e8-3154-4dda-ba5f-a874cc483422",
"tpm-enabled": true,
"vmUniqueId": "AE5CBB2A-DC95-4870-A74A-EE4FB33B1A9C"
}
},
"x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"x-ms-sevsnpvm-bootloader-svn": 0,
"x-ms-sevsnpvm-familyId": "01000000000000000000000000000000",
"x-ms-sevsnpvm-guestsvn": 1,
"x-ms-sevsnpvm-hostdata": "0000000000000000000000000000000000000000000000000000000000000000",
"x-ms-sevsnpvm-idkeydigest": "38ed94f9aab20bc5eb40e89c7cbb03aa1b9efb435892656ade789ccaa0ded82ff18bae0e849c3166351ba1fa7ff620a2",
"x-ms-sevsnpvm-imageId": "02000000000000000000000000000000",
"x-ms-sevsnpvm-is-debuggable": false,
"x-ms-sevsnpvm-launchmeasurement": "04a170f39a3f702472ed0c7ecbda9babfc530e3caac475fdd607ff499177d14c278c5a15ad07ceacd5230ae63d507e9d",
"x-ms-sevsnpvm-microcode-svn": 40,
"x-ms-sevsnpvm-migration-allowed": false,
"x-ms-sevsnpvm-reportdata": "99dd4593a43f4b0f5f10f1856c7326eba309b943251fededc15592e3250ca9e90000000000000000000000000000000000000000000000000000000000000000",
"x-ms-sevsnpvm-reportid": "d1d5c2c71596fae601433ecdfb62799de2a785cc08be3b1c8a4e26a381494787",
"x-ms-sevsnpvm-smt-allowed": true,
"x-ms-sevsnpvm-snpfw-svn": 0,
"x-ms-sevsnpvm-tee-svn": 0,
"x-ms-sevsnpvm-vmpl": 0,
"x-ms-ver": "1.0"
}
Exemplo de JWT gerado para atestado TDX
As definições de declarações abaixo estão disponíveis no Perfil EAT do Atestado do Azure TDX.
{
"attester_tcb_status": "UpToDate",
"dbgstat": "disabled",
"eat_profile": "https://aka.ms/maa-eat-profile-tdxvm",
"exp": 1697706287,
"iat": 1697677487,
"intuse": "generic",
"iss": "https://maasand001.eus.attest.azure.net",
"jti": "5f65006d573bc1c04f67820348c20f5d8da72ddbbd4d6c03da8de9f11b5cf29b",
"nbf": 1697677487,
"tdx_mrconfigid": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_mrowner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_mrownerconfig": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_mrseam": "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656",
"tdx_mrsignerseam": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_mrtd": "5be56d418d33661a6c21da77c9503a07e430b35eb92a0bd042a6b3c4e79b3c82bb1c594e770d0d129a0724669f1e953f",
"tdx_report_data": "93c6db49f2318387bcebdad0275e206725d948f9000d900344aa44abaef145960000000000000000000000000000000000000000000000000000000000000000",
"tdx_rtmr0": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_rtmr1": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_rtmr2": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_rtmr3": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_seam_attributes": "0000000000000000",
"tdx_seamsvn": 3,
"tdx_td_attributes": "0000000000000000",
"tdx_td_attributes_debug": false,
"tdx_td_attributes_key_locker": false,
"tdx_td_attributes_perfmon": false,
"tdx_td_attributes_protection_keys": false,
"tdx_td_attributes_septve_disable": false,
"tdx_tee_tcb_svn": "03000600000000000000000000000000",
"tdx_xfam": "e718060000000000",
"x-ms-attestation-type": "tdxvm",
"x-ms-compliance-status": "azure-compliant-cvm",
"x-ms-policy-hash": "B56nbp5slhw66peoRYkpdq1WykMkEworvdol08hnMXE",
"x-ms-runtime": {
"test-claim-name": "test-claim-value"
},
"x-ms-ver": "1.0"
}