Optimized the logic for token issuance and verification.

[jialez0]

1. Move the token issuance process down to Attestation Service completion, which is in line with the responsibility division and RATS model. Related to: Change the Attestation Results from a custom JSON structure to a JWT standard format. attestation-service#121
2. Add some new compiling features to support the functional division of KBS in two deployment forms: background checking model and passport model.
3. Add an optional feature: fine-grained validation of the Claims of Attention Results Token using a policy engine to determine whether the requester has access rights to specific resource.
4. Update scripts and documents, add a quick start guide.
5. Update client tool to support get resource with token. (Rely on the new kbs_protocol in Refactor kbs client guest-components#304)

@Xynnn007 @sameo @bpradipt @mkulke @mythi If you have any comments on these modifications, please let me know.

[fitzthum]

Haven't had time to look at the code yet. Just a few comments.

One thing overall is that I would like us to settle on some more formal definitions of background check vs passport and how it relates to our project specifically.

I think we've been making a slightly different distinction between two modes. Currently we have one mode where the HW evidence is only the initial launch measurement. This is the 2-stage attestation. MSFT have proposed another mode where we measure the policy and bind the hw measurement to the workload. In some ways these two modes map onto background check vs passport, but not quite.

When we use a two-stage attestation, the hw evidence alone does not define the workload. Currently we use the RATS background check model for this. The KBS asks the AS to validate the hw evidence, and then the KBS injects secrets into the guest that define the workload identity.

What we've noticed lately is that it would be useful to be able to provide a workload with some kind of "passport" that reflects the workload claims. In the two-stage approach we can't use the HW evidence as a passport, because it only includes the launch measurement. Instead, this passport would have to come from the KBS, which knows the full set of workload claims. Even though we've referred to this as a passport, it wouldn't work with the RATS passport model, because we need to get it from the KBS, not from the AS (assuming the launch measurement is truly generic).

On the other hand, if we use the policy-based approach with the host data, the launch measurement would now reflect the entire workload. Here we would already have a "passport" even if we never connect to a verifier. This evidence could be sent to an enlightened KMS directly to retrieve secrets. Maybe we shouldn't refer to this as a passport, but as a workload certificate (or something).

So we have different meanings of the passport/background check idea. In the RATS model one of the crucial differences is whether or not you connect directly to the AS. For CoCo we probably care more about what exactly the evidence measures. We've also just introduced a distinction between tokens and evidence. I think we need to make it much more clear what the relationship between all these things is.

Does this make any sense? cc: @Xynnn007 @mkulke

[fitzthum]

nit: Mode -> Model

[jialez0]

Here we use "mode" to distinguish from "model". "mode" are a specific usage of KBS, and "model" are abstract architectures defined by RATS.

[fitzthum]

@jialez0 Yes, I understand the model and I think that it will work. I think it's also a fine place to start, but I'm not sure it's going to be optimal in the long term.

One thing to think about is that this model requires resource policy to be platform specific. I'm not sure this is ideal.

I suggested an alternate model where the output of the AS policy validation would be the input to the KBS policy validation. In this model the AS could evaluate the claims and return not just true/false, but a wide range out outputs. For instance the AS could return level1, level2, level3 etc. to reflect different levels of strictness. Then the KBS policy could require a certain level for a certain secret. In this approach the resource policy is decoupled from the platform. The AS could define level2 for many several different platforms. I think this would really simplify coming up with resource policies, especially for resources that are deployed on multiple platforms.

That said, I think the use case you mention is valid and should be supported. I think we could easily allow both if we just include the output of the AS validation as part of the token along with the claims. Then if people want to write a KBS policy that parses all the claims again they can, but they can also just use the output from the AS. Does that seem reasonable?

[jialez0]

I suggested an alternate model where the output of the AS policy validation would be the input to the KBS policy validation. In this model the AS could evaluate the claims and return not just true/false, but a wide range out outputs. For instance the AS could return level1, level2, level3 etc. to reflect different levels of strictness. Then the KBS policy could require a certain level for a certain secret. In this approach the resource policy is decoupled from the platform. The AS could define level2 for many several different platforms. I think this would really simplify coming up with resource policies, especially for resources that are deployed on multiple platforms.

@fitzthum Okay, I think this is reasonable, and I will implement it in this PR and AS PR.