Description
In the context of Workload Identity Requirement:
Operations that would preserve the Workload Credentials, such as migration within the data-center between equivalent hardware instances, need not require new Workload Credentials to be issued.
What is the meaning or interpretation of Equivalent and Non-Equivalent Hardware?
The definition should consider the following aspects:
Here are some examples of platform operations that might change the security posture of a workload but that are unknown to the workload and can result in the workload unknowingly passing an identity with stale claims.
- Workloads running on the same CPU/PSP when the CPU/PSP firmware is transparently updated to a new version.
- Workloads migrated to different hardware (a different CPU) in the same rack running the same firmware.
- Workloads migrated to hardware in a different datacenter (think "availability zone") in physically proximate geography and identical governmental jurisdiction.
- Attestation evidence can become outdated at any time.
- An attestation report can be requested at any time.
- Attestation endorsement/verification can be performed at any time.
This pattern suggests the need for leveraging identity token lifetime to allow customers to set how long they are willing to accept the risk of stale attestation evidence versus accepting the performance implications of frequent renewals to preserve freshness.
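
The trade-off described above, as an added example that is not part of the original issue: a small simulation showing how the token lifetime bounds the time a workload presents stale claims, against the number of renewals it costs. The platform timeline, the claim names and the `issue` function are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample timeline (seconds from t=0). Each event silently changes
# one attested property; the workload is not told. Claim names are hypothetical.
EVENTS = [
    (5_000, "firmware", "1.1"),      # CPU/PSP firmware updated in place
    (40_000, "chip_id", "cpu-B"),    # migrated to a different CPU, same rack
    (70_000, "datacenter", "az-2"),  # migrated to another availability zone
]
INITIAL = {"firmware": "1.0", "chip_id": "cpu-A", "datacenter": "az-1"}


@dataclass
class Token:
    issued_at: int
    expires_at: int
    claims: dict


def platform_state(t):
    """Actual platform properties at time t, obtained by replaying EVENTS."""
    state = dict(INITIAL)
    for when, key, value in EVENTS:
        if when <= t:
            state[key] = value
    return state


def issue(t, ttl):
    """Hypothetical issuer: attests at time t and embeds the evidence as claims."""
    return Token(t, t + ttl, platform_state(t))


def simulate(ttl, horizon=86_400):
    """Renew only on expiry; return (renewals, seconds presenting stale claims)."""
    renewals, stale, t = 0, 0, 0
    while t < horizon:
        tok = issue(t, ttl)
        renewals += 1
        end = min(tok.expires_at, horizon)
        # The token is stale from the first event inside its lifetime until expiry.
        first_change = min((w for w, _, _ in EVENTS if t < w < end), default=None)
        if first_change is not None:
            stale += end - first_change
        t = end
    return renewals, stale


if __name__ == "__main__":
    for ttl in (300, 3_600, 86_400):
        print(ttl, simulate(ttl))
```

Each event can leave a token stale for at most one lifetime, so the customer-chosen lifetime is the upper bound on exposure per platform change.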