Add VBS-Protected Key Attestation Sample.#16
Add VBS-Protected Key Attestation Sample.#16carolinecreamer wants to merge 12 commits intomicrosoft:mainfrom
Conversation
attestation/utils.cpp
Outdated
| { | ||
| cout << "Creating VBS NCrypt (Key Guard) key..."; | ||
|
|
||
| wil::unique_ncrypt_key key_guard_key = create_key(MS_KEY_STORAGE_PROVIDER, nullptr, NCRYPT_OVERWRITE_KEY_FLAG | NCRYPT_USE_VIRTUAL_ISOLATION_FLAG); |
There was a problem hiding this comment.
NCRYPT_OVERWRITE_KEY_FLAG should not be required as the key is ephemeral (name = nullptr).
There was a problem hiding this comment.
Keeping NCRYPT_OVERWRITE_KEY_FLAG because key is no longer ephemeral.
| } | ||
|
|
||
| return 0; | ||
| } |
There was a problem hiding this comment.
This should have a comment explaining what the report will contain, similar to the comment on sample_tpm_key_att.cpp.
carolinecreamer
changed the title
| // These properties are described in the NCrypt library documentation (https://learn.microsoft.com/en-us/windows/win32/api/ncrypt/nf-ncrypt-ncryptverifyclaim#protectingattesting-private-keys-using-virtualization-based-security-vbs). | ||
| // A relying party (RP) should validate several important fields inside "vbs_ncrypt.vbs_trustlet_report" to ensure the key was generated and protected inside a trusted VBS-protected environment: | ||
| // | ||
| // trustlet_identity - Identifies the VBS trustlet that created or protects the key. The RP should compare this value against an expected trustlet identity to ensure the key originates from a trusted environment. |
There was a problem hiding this comment.
If I should remove descriptions, like for enclave descriptions, let me know. Added descriptions since documentation is limited right now, but I'm assuming that these values will all be properly documented once VBS-protected keys GA
| try | ||
| { | ||
| auto tpm_aik = load_tpm_key(AIK_NAME, true); | ||
| auto vbs_protected_key = create_vbs_protected_key(L"att_sample_vbs_key", false); |
There was a problem hiding this comment.
I used "att_sample_vbs_key" to distinguish from the key in the tpm key attestation sample, but I wanted to not make the name such a mouthful ("att_sample_vbs_protected_key"). If I should change the name for correctness, let me know.
2 participants
Add VBS-Protected Key Attestation Sample.