Skip to content

Add protocol specification to README #37

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Nov 25, 2025
Merged

Add protocol specification to README #37

merged 10 commits into from
Nov 25, 2025
+131 −31

Conversation

@ameba23
Copy link
Collaborator

@ameba23 ameba23 commented Nov 20, 2025
edited
Loading

This adds a description of the protocol and some extra usage information to the readme.

I've also renamed a struct and some variables to use the same terminology at the protocol description.

ameba23
ameba23 commented Nov 20, 2025
View reviewed changes
README.md

### Attestation Exchange

Immediately after the TLS handshake, an attestation exchange is made. The server first provides an attestation message (even if it has the `none` attestation type). The client verifies, if verification is successful it also provides an attestation message and otherwise closes the connection. If the server cannot verify the client's attestation, it closes the connection.
Copy link
Collaborator Author

@ameba23 ameba23 Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On a failed attestation, we could maybe have them respond with a rejection message rather than just closing the connection

Copy link
Collaborator Author

@ameba23 ameba23 Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made #43

metachris
metachris reviewed Nov 24, 2025
View reviewed changes
README.md Outdated

The remaining 32 bytes are exported key material ([RFC5705](https://www.rfc-editor.org/rfc/rfc5705)) from the TLS session. This must have the exporter label `EXPORTER-Channel-Binding` and no context data.

In the case of attestation types `dcap-tx`, `gcp-tdx`, and `qemu-tdx`, a standard DCAP attestation is generated using the `configfs-tsm` linux filesystem interface. This means that this binary must be run with access to `/sys/kernel/config/tsm/report` which on many systems requires sudo.
Copy link

@metachris metachris Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dcap-tx -> dcap-tdx

metachris
metachris reviewed Nov 24, 2025
View reviewed changes
@ameba23 ameba23 mentioned this pull request Nov 25, 2025
Open
@ameba23 ameba23 merged commit 28665f2 into main Nov 25, 2025
2 checks passed
@ameba23 ameba23 deleted the peg/readme-protocol-spec branch November 25, 2025 11:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@metachris metachris metachris left review comments

@Ruteri Ruteri Ruteri approved these changes

@MoeMahhouk MoeMahhouk Awaiting requested review from MoeMahhouk

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ameba23 @metachris @Ruteri