Update verifying_attestation_records/README.md for new provenance for…

…mat. Switching from slsa-github-generator to the attest-build-provenance action results in slightly different information in Rekor. Also update the example ledger evidence to match the version used in the README. Change-Id: I835d27f3e95bfe05510ce36072bb622fb7d326ca
google-parfait · Jul 30, 2024 · a1a625a · a1a625a
1 parent defbf90
commit a1a625a
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 70 deletions.
diff --git a/inspecting_attestation_records/README.md b/inspecting_attestation_records/README.md
@@ -81,7 +81,7 @@ _____ Root Layer _____
 _____ Application Layer _____
 
 binary:
-  sha2_256: 892137def97d26c6b054093a5757919189878732ce4ab111212729007b30c0b4
+  sha2_256: 5d10d8013345814e07141c6a4c9297d37653239132749574a2a71483c413e9fe
 config: {}
 
 
@@ -154,44 +154,39 @@ the `https://search.sigstore.dev/?hash={THE_SHA256_HASH}` URL format, where
 `{THE_SHA256_HASH}` is the SHA2-256 hash of the binary in the evidence/access
 policy. These entries should show the binaries' provenance, including a link to
 the Git commit on GitHub that the binaries were built from, as well as the
-command that was used to build the binary, and which should allow you to
+workflow that was used to build the binary, and which should allow you to
 rebuild the same binary in a reproducible manner.
 
 For example, below is an excerpt of the SLSA provenance record for the ledger
 application binary listed in the example explanation output above
-(https://search.sigstore.dev/?hash=892137def97d26c6b054093a5757919189878732ce4ab111212729007b30c0b4):
+(https://search.sigstore.dev/?hash=5d10d8013345814e07141c6a4c9297d37653239132749574a2a71483c413e9fe):
 
 ```
-predicate:
-  buildDefinition:
-    buildType: https://slsa.dev/container-based-build/v0.1?draft
-    externalParameters:
-      source:
-        uri: >-
-          git+https://github.com/google-parfait/confidential-federated-compute@refs/heads/main
-        digest:
-          sha1: 20a4f3fc1f49943d03b76b264d3dc0ce90f83ade
-      builderImage:
-        uri: >-
-          rust@sha256:4013eb0e2e5c7157d5f0f11d83594d8bad62238a86957f3d57e447a6a6bdf563
-        digest:
-          sha256: 4013eb0e2e5c7157d5f0f11d83594d8bad62238a86957f3d57e447a6a6bdf563
-      configPath: buildconfigs/ledger_enclave_app.toml
-      buildConfig:
-        ArtifactPath: target/x86_64-unknown-none/release/ledger_enclave_app
-        Command:
-          - sh
-          - '-c'
-          - >-
-            GITHUB_ACTION="provenance" scripts/setup_build_env.sh && cargo build
-            --release --package ledger_enclave_app
+GitHub Workflow SHA: 0f8072c8e9dda36170f0fa466305e9664716fb56
+GitHub Workflow Name: Build and attest all
+GitHub Workflow Repository: google-parfait/confidential-federated-compute
+GitHub Workflow Ref: refs/heads/main
+OIDC Issuer (v2): https://token.actions.githubusercontent.com
+Build Signer URI: https://github.com/google-parfait/confidential-federated-compute/.github/workflows/build.yaml@refs/heads/main
+Build Signer Digest: 0f8072c8e9dda36170f0fa466305e9664716fb56
+Runner Environment: github-hosted
+Source Repository URI: https://github.com/google-parfait/confidential-federated-compute
+Source Repository Digest: 0f8072c8e9dda36170f0fa466305e9664716fb56
+Source Repository Ref: refs/heads/main
+Source Repository Identifier: '775138920'
+Source Repository Owner URI: https://github.com/google-parfait
+Source Repository Owner Identifier: '164364956'
+Build Config URI: https://github.com/google-parfait/confidential-federated-compute/.github/workflows/build.yaml@refs/heads/main
+Build Config Digest: 0f8072c8e9dda36170f0fa466305e9664716fb56
+Build Trigger: push
+Run Invocation URI: https://github.com/google-parfait/confidential-federated-compute/actions/runs/10088700871/attempts/1
 
 ... <snip> ...
 ```
 
 It describes that the ledger application binary was produced at commit
-20a4f3fc1f49943d03b76b264d3dc0ce90f83ade in the
-https://github.com/google-parfait/confidential-federated-compute repository,
-and it shows that the `GITHUB_ACTION="provenance" scripts/setup_build_env.sh &&
-cargo build --release --package ledger_enclave_app` command was used to build
-the binary.
+0f8072c8e9dda36170f0fa466305e9664716fb56 in the
+https://github.com/google-parfait/confidential-federated-compute repository
+using the "Build and attest all" workflow.
+https://github.com/google-parfait/confidential-federated-compute/actions/runs/10088700871/attempts/1
+has more information about the action that produced the binary.
diff --git a/...sts/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_file.snap b/...sts/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_file.snap
@@ -1,6 +1,5 @@
 ---
 source: tools/explain_fcp_attestation_record/tests/snapshot_tests.rs
-assertion_line: 63
 expression: "output.replace(record_file_path, \"{TMP_RECORD_FILE}\")"
 ---
 Inspecting record at {TMP_RECORD_FILE}.
@@ -16,26 +15,26 @@ _____ Root Layer _____
 The attestation is rooted in an AMD SEV-SNP TEE.
 
 Attestations identifying the firmware captured in the evidence can be found here:
-https://search.sigstore.dev/?hash=33d5453b09e16ed0d6deb7c9f076b66b92a1b472d89534034717143554f6746d
+https://search.sigstore.dev/?hash=a8c51290169976afc37e6e6d866107285b5f4711a9ce5389c05d9a5d297d68c5
 
-ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a; it is listed as the 'initial_measurement' in the evidence of this layer.
+ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704; it is listed as the 'initial_measurement' in the evidence of this layer.
 
 The evidence describing this layer is outlined below.
 
 sev_snp:
   current_tcb:
     boot_loader: 3
     microcode: 209
-    snp: 20
+    snp: 22
     tee: 0
   debug: false
-  hardware_id: d137b92d3ea7907e6829d123513c2a250acfa5c9eecfc5759f79c574eaf61792c0692af3b9caa39ab4069a329e7f8152b3fa2e2fee2717b42cd263983244198f
-  initial_measurement: 6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a
-  report_data: 8ef5ac52c6101d73903859b9b242cc1a84ca096a1fc13b15abcfd2857b6ea0450000000000000000000000000000000000000000000000000000000000000000
+  hardware_id: c1f5c58f728e2eded313ee675ac982393169c9bbffe6e250c54d81fcea2dad556d314f3c62c16cb9ae3d22f68a747261835f220d3656d0e6b646e6b2f11252cf
+  initial_measurement: 571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704
+  report_data: f75ac8ac3bfd479a0f121c384d71b4c032867895db71d91d135710083fd780a10000000000000000000000000000000000000000000000000000000000000000
   reported_tcb:
     boot_loader: 3
     microcode: 209
-    snp: 20
+    snp: 22
     tee: 0
   vmpl: 0
 
@@ -45,19 +44,19 @@ Note: binaries for this layer are generally provided by the Oak project (https:/
 _____ Kernel Layer _____
 
 Attestations identifying the binaries captured in the evidence in this layer can be found as outlined below.
-Kernel: https://search.sigstore.dev/?hash=ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8
-Initial Ramdisk: https://search.sigstore.dev/?hash=daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8
+Kernel: https://search.sigstore.dev/?hash=4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b
+Initial Ramdisk: https://search.sigstore.dev/?hash=51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8
 
 The evidence describing the kernel layer is outlined below.
 
 acpi:
   sha2_256: dbaccae7bfbf006e2b8623a82f1a5fcda2ea0392233c26b18356b3bcfac231eb
 init_ram_fs:
-  sha2_256: daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8
+  sha2_256: 51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8
 kernel_cmd_line:
   sha2_256: 2b98586d9905a605c295d77c61e8cfd2027ae5b8a04eefa9018436f6ad114297
 kernel_image:
-  sha2_256: ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8
+  sha2_256: 4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b
 kernel_raw_cmd_line: console=ttyS0
 kernel_setup_data:
   sha2_256: 4cd020820da663063f4185ca14a7e803cd7c9ca1483c64e836db840604b6fac1
@@ -72,7 +71,7 @@ _____ Application Layer _____
 The evidence describing the application is outlined below.
 
 binary:
-  sha2_256: 892137def97d26c6b054093a5757919189878732ce4ab111212729007b30c0b4
+  sha2_256: 5d10d8013345814e07141c6a4c9297d37653239132749574a2a71483c413e9fe
 config: {}
 
 

diff --git a/...ts/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_stdin.snap b/...ts/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_stdin.snap
@@ -1,6 +1,5 @@
 ---
 source: tools/explain_fcp_attestation_record/tests/snapshot_tests.rs
-assertion_line: 88
 expression: output
 ---
 Inspecting record provided via stdin.
@@ -16,26 +15,26 @@ _____ Root Layer _____
 The attestation is rooted in an AMD SEV-SNP TEE.
 
 Attestations identifying the firmware captured in the evidence can be found here:
-https://search.sigstore.dev/?hash=33d5453b09e16ed0d6deb7c9f076b66b92a1b472d89534034717143554f6746d
+https://search.sigstore.dev/?hash=a8c51290169976afc37e6e6d866107285b5f4711a9ce5389c05d9a5d297d68c5
 
-ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a; it is listed as the 'initial_measurement' in the evidence of this layer.
+ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704; it is listed as the 'initial_measurement' in the evidence of this layer.
 
 The evidence describing this layer is outlined below.
 
 sev_snp:
   current_tcb:
     boot_loader: 3
     microcode: 209
-    snp: 20
+    snp: 22
     tee: 0
   debug: false
-  hardware_id: d137b92d3ea7907e6829d123513c2a250acfa5c9eecfc5759f79c574eaf61792c0692af3b9caa39ab4069a329e7f8152b3fa2e2fee2717b42cd263983244198f
-  initial_measurement: 6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a
-  report_data: 8ef5ac52c6101d73903859b9b242cc1a84ca096a1fc13b15abcfd2857b6ea0450000000000000000000000000000000000000000000000000000000000000000
+  hardware_id: c1f5c58f728e2eded313ee675ac982393169c9bbffe6e250c54d81fcea2dad556d314f3c62c16cb9ae3d22f68a747261835f220d3656d0e6b646e6b2f11252cf
+  initial_measurement: 571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704
+  report_data: f75ac8ac3bfd479a0f121c384d71b4c032867895db71d91d135710083fd780a10000000000000000000000000000000000000000000000000000000000000000
   reported_tcb:
     boot_loader: 3
     microcode: 209
-    snp: 20
+    snp: 22
     tee: 0
   vmpl: 0
 
@@ -45,19 +44,19 @@ Note: binaries for this layer are generally provided by the Oak project (https:/
 _____ Kernel Layer _____
 
 Attestations identifying the binaries captured in the evidence in this layer can be found as outlined below.
-Kernel: https://search.sigstore.dev/?hash=ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8
-Initial Ramdisk: https://search.sigstore.dev/?hash=daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8
+Kernel: https://search.sigstore.dev/?hash=4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b
+Initial Ramdisk: https://search.sigstore.dev/?hash=51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8
 
 The evidence describing the kernel layer is outlined below.
 
 acpi:
   sha2_256: dbaccae7bfbf006e2b8623a82f1a5fcda2ea0392233c26b18356b3bcfac231eb
 init_ram_fs:
-  sha2_256: daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8
+  sha2_256: 51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8
 kernel_cmd_line:
   sha2_256: 2b98586d9905a605c295d77c61e8cfd2027ae5b8a04eefa9018436f6ad114297
 kernel_image:
-  sha2_256: ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8
+  sha2_256: 4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b
 kernel_raw_cmd_line: console=ttyS0
 kernel_setup_data:
   sha2_256: 4cd020820da663063f4185ca14a7e803cd7c9ca1483c64e836db840604b6fac1
@@ -72,7 +71,7 @@ _____ Application Layer _____
 The evidence describing the application is outlined below.
 
 binary:
-  sha2_256: 892137def97d26c6b054093a5757919189878732ce4ab111212729007b30c0b4
+  sha2_256: 5d10d8013345814e07141c6a4c9297d37653239132749574a2a71483c413e9fe
 config: {}
 
 

diff --git a/...cord/tests/snapshots/snapshot_tests__explain_record_with_nonempty_data_access_policy.snap b/...cord/tests/snapshots/snapshot_tests__explain_record_with_nonempty_data_access_policy.snap
@@ -1,6 +1,5 @@
 ---
 source: tools/explain_fcp_attestation_record/tests/snapshot_tests.rs
-assertion_line: 109
 expression: buf
 ---
 ========================================
@@ -14,26 +13,26 @@ _____ Root Layer _____
 The attestation is rooted in an AMD SEV-SNP TEE.
 
 Attestations identifying the firmware captured in the evidence can be found here:
-https://search.sigstore.dev/?hash=33d5453b09e16ed0d6deb7c9f076b66b92a1b472d89534034717143554f6746d
+https://search.sigstore.dev/?hash=a8c51290169976afc37e6e6d866107285b5f4711a9ce5389c05d9a5d297d68c5
 
-ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a; it is listed as the 'initial_measurement' in the evidence of this layer.
+ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704; it is listed as the 'initial_measurement' in the evidence of this layer.
 
 The evidence describing this layer is outlined below.
 
 sev_snp:
   current_tcb:
     boot_loader: 3
     microcode: 209
-    snp: 20
+    snp: 22
     tee: 0
   debug: false
-  hardware_id: d137b92d3ea7907e6829d123513c2a250acfa5c9eecfc5759f79c574eaf61792c0692af3b9caa39ab4069a329e7f8152b3fa2e2fee2717b42cd263983244198f
-  initial_measurement: 6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a
-  report_data: 8ef5ac52c6101d73903859b9b242cc1a84ca096a1fc13b15abcfd2857b6ea0450000000000000000000000000000000000000000000000000000000000000000
+  hardware_id: c1f5c58f728e2eded313ee675ac982393169c9bbffe6e250c54d81fcea2dad556d314f3c62c16cb9ae3d22f68a747261835f220d3656d0e6b646e6b2f11252cf
+  initial_measurement: 571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704
+  report_data: f75ac8ac3bfd479a0f121c384d71b4c032867895db71d91d135710083fd780a10000000000000000000000000000000000000000000000000000000000000000
   reported_tcb:
     boot_loader: 3
     microcode: 209
-    snp: 20
+    snp: 22
     tee: 0
   vmpl: 0
 
@@ -43,19 +42,19 @@ Note: binaries for this layer are generally provided by the Oak project (https:/
 _____ Kernel Layer _____
 
 Attestations identifying the binaries captured in the evidence in this layer can be found as outlined below.
-Kernel: https://search.sigstore.dev/?hash=ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8
-Initial Ramdisk: https://search.sigstore.dev/?hash=daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8
+Kernel: https://search.sigstore.dev/?hash=4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b
+Initial Ramdisk: https://search.sigstore.dev/?hash=51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8
 
 The evidence describing the kernel layer is outlined below.
 
 acpi:
   sha2_256: dbaccae7bfbf006e2b8623a82f1a5fcda2ea0392233c26b18356b3bcfac231eb
 init_ram_fs:
-  sha2_256: daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8
+  sha2_256: 51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8
 kernel_cmd_line:
   sha2_256: 2b98586d9905a605c295d77c61e8cfd2027ae5b8a04eefa9018436f6ad114297
 kernel_image:
-  sha2_256: ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8
+  sha2_256: 4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b
 kernel_raw_cmd_line: console=ttyS0
 kernel_setup_data:
   sha2_256: 4cd020820da663063f4185ca14a7e803cd7c9ca1483c64e836db840604b6fac1
@@ -70,7 +69,7 @@ _____ Application Layer _____
 The evidence describing the application is outlined below.
 
 binary:
-  sha2_256: 892137def97d26c6b054093a5757919189878732ce4ab111212729007b30c0b4
+  sha2_256: 5d10d8013345814e07141c6a4c9297d37653239132749574a2a71483c413e9fe
 config: {}
 
 

diff --git a/tools/explain_fcp_attestation_record/tests/testdata/ledger_evidence.pb b/tools/explain_fcp_attestation_record/tests/testdata/ledger_evidence.pb