Attestation assertions

assertion.dbgstat

Interacts with:

• Workload operator: The --image-family value.

Verifies that the Confidential Space image is the debug or production version.

The valid values are the following:

• enable: Check that the debug image is being used.
• disabled-since-boot: Check that the production image is being used.

Examples

The following code verifies that the debug version of the Confidential Space image is being used:

assertion.dbgstat == "enable"

The following code verifies that the production version of the Confidential Space image is being used:

assertion.dbgstat == "disabled-since-boot"

Verifies the security version of the production Confidential Space image that's running on the Confidential VM instance, using its support attributes. Debug Confidential Space images have no support attribute set.

The following are valid support attributes:

• LATEST: This is the latest version of the image, and is supported. The LATEST image is also STABLE and USABLE.
• STABLE: This version of the image is supported and monitored for vulnerabilities. A STABLE image is also USABLE.
• USABLE: An image with only this attribute is out of support and no longer monitored for vulnerabilities. Use at your own risk.
• EXPERIMENTAL: An image with only this attribute makes use of preview features. It is for testing purposes only, and should never be used in production. An EXPERIMENTAL image never has the attributes LATEST, STABLE, or USABLE.

Example

The following code verifies that a stable version of the Confidential Space image is being used:

"STABLE" in assertion.submods.confidential_space.support_attributes

Verifies the software running on the attesting entity. The value is always CONFIDENTIAL_SPACE.

Example

assertion.swname == "CONFIDENTIAL_SPACE"

Verifies the software version of the Confidential Space image. We recommend using assertion.submods.confidential_space.support_attributes instead to target the latest version of an image.

Example

int(assertion.swversion[0]) == 230103

assertion.submods.container.cmd_override

Interacts with:

• Workload author: The allow_cmd_override launch policy.
• Workload operator: The tee-cmd metadata variable.

Verifies the CMD commands and parameters used in the workload image.

Examples

The following code verifies the CMD of the workload image hasn't been overwritten:

size(assertion.submods.container.cmd_override) == 0

The following code verifies that program is the only content in the CMD overrides:

assertion.submods.container.cmd_override == ['program']

assertion.submods.container.env

Interacts with:

• Workload author: The allow_env_override launch policy.
• Workload operator: The tee-env-ENVIRONMENT_VARIABLE_NAME metadata variable.

Verifies that environment variables and their values have been explicitly passed to the container.

Example

The following code verifies that the environment variable example-env-1 is set to value-1, and example-env-2 is set to value-2.

assertion.submods.container.env == {"example-env-1": "value-1", "example-env-2": "value-2"}

assertion.submods.container.env_override

Interacts with:

• Workload author: The allow_env_override launch policy.
• Workload operator: The tee-env-ENVIRONMENT_VARIABLE_NAME metadata variable.

Verifies if the workload operator has overwritten environment variables in the container.

Examples

The following code verifies that the workload operator has not overridden the example environment variable:

!has(assertion.submods.container.env_override.example)

The following code verifies that the workload operator hasn't overwritten any environment variables:

size(assertion.submods.container.env_override) == 0

Verifies the image digest of the workload container. Specifying this condition lets multiple parties agree on an authorized workload that is allowed to access their data.

Example

assertion.submods.container.image_digest == "sha256:837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b"

Verifies the image ID of the workload container.

Example

assertion.submods.container.image_id == "sha256:652a44b0e911271ba07cf2915cd700fdfa50abd62a98f87a57fdebc59843d93f"

assertion.submods.container.image_reference

Interacts with:

• Workload operator: The tee-image-reference metadata variable.

Verifies the location of the workload container running on top of the Confidential Space image.

Example

assertion.submods.container.image_reference == "us-docker.pkg.dev/PROJECT_ID/WORKLOAD_CONTAINER:latest"

assertion.submods.container.image_signatures

Interacts with:

• Workload operator: The tee-signed-image-repos metadata variable.

Verifies that the image has a certain signature or is signed by a public key and signing algorithm. Specifying this condition lets multiple parties agree on an authorized workload that is allowed to access their data.

The assertion can include the following elements:

• key_id: The hexadecimal fingerprint of the public key. To get the fingerprint, you can run the following command:

  openssl pkey -pubin -in public_key.pem -outform DER | openssl sha256

  Where public_key.pem is your public key in PEM format.

• signature: The signature over a payload that's associated with the signed container and that follows the Simple Signing format.

• signature_algorithm: The algorithm used to sign the key. One of the following:

  • RSASSA_PSS_SHA256 (RSASSA-PSS with a SHA-256 digest)
  • RSASSA_PKCS1V15_SHA256 (RSASSA-PKCS1 v1_5 with a SHA-256 digest)
  • ECDSA_P256_SHA256 (ECDSA on the P-256 Curve with a SHA-256 digest)

Example

['ECDSA_P256_SHA256:PUBLIC_KEY_FINGERPRINT'].exists(fingerprint, fingerprint in assertion.submods.container.image_signatures.map(sig, sig.signature_algorithm+':'+sig.key_id))

assertion.submods.container.restart_policy

Interacts with:

• Workload operator: The tee-restart-policy metadata variable.

Verifies the restart policy of the container launcher for when the workload stops.

The valid values are the following:

• Never (default)
• Always
• OnFailure

Example

assertion.submods.container.restart_policy == "Never"

assertion.google_service_accounts

Interacts with:

• Workload operator: The tee-impersonate-service-accounts metadata variable, and the --service-account value.

Verifies that a specified service account is connected to the VM running the workload, or has been listed using tee-impersonate-service-accounts in the VM metadata.

Example

workload-service-account@my-project.iam.gserviceaccount.com in assertion.google_service_accounts

Verifies the underlying Confidential Computing technology. The supported platforms are as follows:

• GCP_AMD_SEV
• INTEL_TDX

Example

assertion.hwmodel == "GCP_AMD_SEV"

assertion.submods.confidential_space.monitoring_enabled

Interacts with:

• Workload author: The monitoring_memory_allow launch policy.
• Workload operator: The tee-monitoring-memory-enable metadata variable.

Verifies the monitoring state on the attesting entity.

Example

assertion.submods.confidential_space.monitoring_enabled.memory == true

Verifies the VM instance ID.

Example

assertion.submods.gce.instance_id == "0000000000000000000"

Verifies the name of the VM instance.

Example

assertion.submods.gce.instance_name == "workload-vm"

Verifies that the VM is running a Google Cloud project with the specified project ID.

Example

assertion.submods.gce.project_id == "project-id"

Verifies that the VM is running in a Google Cloud project with the specified project number.

Example

assertion.submods.gce.project_number == "00000000000"

assertion.submods.gce.zone

Interacts with:

• Workload operator: The --zone value.

Verifies that the VM is running in the specified zone.

Example

assertion.submods.gce.zone == "us-central1-a"

assertion.submods.nvidia_gpu.cc_feature

Interacts with:

• Workload operator: The tee-install-gpu-driver metadata variable.

Verifies the Confidential Computing features supported by an NVIDIA GPU. Only single GPU passthrough (SPT) mode is supported in Confidential Space, so the value is always SPT.

For more information about NVIDIA Confidential Computing support, see NVIDIA Trusted Computing Solutions (PDF).

Example

assertion.submods.nvidia_gpu.cc_feature == "SPT"

assertion.submods.nvidia_gpu.cc_mode

Interacts with:

• Workload operator: The tee-install-gpu-driver metadata variable.

Verifies the status of NVIDIA's Confidential Computing driver. The valid values are the following:

• OFF: none of the NVIDIA Confidential Computing features are active.
• ON: the NVIDIA H100 hardware, firmware, and software have fully activated the confidential computing features.
• DEVTOOLS: the GPU is in a partial confidential computing mode that matches the workflows of ON mode, but disables security protections.

Example

assertion.submods.nvidia_gpu.cc_mode == "ON"

assertion.submods.nvidia_gpu.gpus

Interacts with:

• Workload operator: The tee-install-gpu-driver metadata variable.

Verifies claims for each attested NVIDIA GPU. Confidential Space only supports a single GPU claim.

A gpus object is similar to the following:

{
  "hwmodel": "GCP_NVIDIA_H100",
  "ueid": "490457405999046854973671575630853621547794591064",
  "l4_serial_number": "1216669666319372030078",
  "driver_version": "570.00",
  "vbios_version": "96.00.9F.00.01"
}

Examples

The following code verifies that the first GPU hardware model is an NVIDIA H100 running on Google Cloud:

assertion.submods.nvidia_gpu.gpus[0].hwmodel == "GCP_NVIDIA_H100"

The following code verifies that the attestation claim has GPU-related claims:

has(assertion.submods.nvidia_gpu.gpus)