1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- SEV-SNP attestation backend (Tier 3): `ca2a_runtime.tee.sev_snp` (report parsing, `SevSnpProvider`) and `ca2a_verify.sev_snp` (VCEK chain verification, ECDSA-P384 report-signature verification, measurement/report-data binding), all fail-closed. Chain path validated against the real AMD Milan root; report-signature path validated with synthetic vectors. Report generation requires a real SEV-SNP guest.
- Peer-call enforcement decision core (Tier 2): `ca2a_runtime.policy.LocalPolicy` and `ca2a_runtime.peer` (`effective_scope`, `enforce_peer_call`). Effective permission is the delegated leaf scope intersected with the callee's local policy; a granted call emits a linked provenance record. New error `SCOPE_NOT_PERMITTED`. Claim C3 (scope-policy intersection) is now a validated experiment. Cedar-engine binding of the local policy and live A2A transport wiring remain open.
- Sealed peer channel (Tier 2): `ca2a_runtime.channel` (`SealedChannel`, `generate_channel_keypair`, `open_sealed`). HPKE-style X25519 -> HKDF-SHA256 -> ChaCha20-Poly1305 sealing a payload to the peer's attested key; only the peer's private key opens it, and a wrong key or tampered ciphertext fails closed. Claim C4 (sealed-payload confidentiality) is now a validated experiment at the cryptographic layer. The enclave-binding of the private key (a hardware property) and live-path wiring remain open.
- Cross-operator attestation (Claim C6) validated in software: a two-operator harness composing the SEV-SNP verifier, measurement pinning, and the sealed channel demonstrates independent keys, mutual attestation, confidential cross-operator delegation, and binary-swap detection. Synthetic report vectors (a genuine report needs SEV-SNP hardware); real hardware end to end remains open. **All six claims (C1-C6) are now validated experiments.**
- Repository scaffold: governance, CI/CD, docs framework, and packaging at parity with the agentrust-io house standard

### Not yet implemented
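Review bot: the bolded sentence added at the end of the C6 bullet, "All six claims (C1-C6) are now validated experiments", is stronger than the rest of that same bullet supports, which says the harness runs on synthetic report vectors and that real hardware end to end remains open. Suggest qualifying it in place, e.g. "All six claims (C1-C6) are now validated experiments in software; C6 against synthetic SEV-SNP vectors", and listing the real-hardware end-to-end run under "### Not yet implemented" so the two sections of the changelog agree on what is still open.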
3 changes: 2 additions & 1 deletion ROADMAP.md
Expand Up @@ -31,7 +31,8 @@ Already implemented and tested elsewhere; cA2A depends on it rather than reimple
Real hardware attestation verification (SEV-SNP VCEK chain, Intel TDX quote via QVL/PCS, TPM AK cert + checkquote). This is a dependency for any cross-operator trust claim, single-agent or multi-agent, and is shared with cmcp. At least one real hardware backend must land before cA2A is marketed as attested across trust domains, so the demo matches the claim.

- **SEV-SNP verifier: landed.** Report parsing, VCEK chain verification (validated against the real AMD Milan root), ECDSA-P384 report-signature verification, and measurement/report-data binding, all fail-closed. Report generation still requires a real SEV-SNP guest. See `ca2a_verify.sev_snp` and [docs/spec/attestation.md](docs/spec/attestation.md).
- **Pending:** Intel TDX and TPM backends; end-to-end validation of the report-signature path against real hardware vectors; then unblock claim C6 (cross-operator attestation).
- **Cross-operator attestation (C6): validated in software.** A two-operator harness (SEV-SNP verifier + measurement pinning + sealed channel) shows independent keys, mutual attestation, confidential cross-operator delegation, and binary-swap detection. All six claims (C1-C6) are now validated experiments.
- **Pending:** Intel TDX and TPM backends; end-to-end validation of the report-signature path against real hardware vectors on a confidential VM; and the live A2A transport binding that drives the whole pipeline off a real inbound call.

## v1.0: Stable profile

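Review bot: the new "Cross-operator attestation (C6): validated in software" bullet sits under an intro line that still says at least one real hardware backend must land before cA2A is marketed as attested across trust domains, so the section now reads as both gated and done. Suggest keeping that gate and stating in the C6 bullet that the validation is against synthetic report vectors (which the Pending bullet's "real hardware vectors on a confidential VM" implies) and that the marketing gate holds until that run lands. The Pending bullet would also read more precisely if it said which of the four C6 properties (independent keys, mutual attestation, confidential delegation, binary-swap detection) depend on the pending real-hardware report-signature validation; binary-swap detection in particular rests on the signed measurement, so it is the one most affected.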
82 changes: 42 additions & 40 deletions docs/spec/attestation.md
@@ -1,40 +1,42 @@
# Peer Attestation

Before a peer is trusted with a delegated task, it proves it is running attested, measured code. cA2A reuses the pluggable TEE provider abstraction from [cmcp](https://github.com/agentrust-io/cmcp).

## Provider interface

A provider implements `BaseProvider`:

- `detect()` returns whether the provider is available on the current host.
- `attest(public_key, nonce)` returns an `AttestationReport` binding `public_key` to the host's hardware measurement under `nonce`.

An `AttestationReport` carries `platform`, `measurement`, the bound `public_key`, and the `nonce`.

## Providers

| Provider | Platform | Status |
|---|---|---|
| `software-only` | none | Available; for development and CI. Reports `platform: software-only`, never a hardware platform string. |
| `sev-snp` | AMD SEV-SNP | Verifier implemented (see below). Report generation requires a real SEV-SNP guest. |
| `tpm` | TPM 2.0 / vTPM | Tier 3, not yet implemented |
| `tdx` | Intel TDX | Tier 3, not yet implemented |
| `opaque` | OPAQUE Confidential Runtime | Tier 3, explicit opt-in, not auto-selected |

## SEV-SNP verification

`ca2a_verify.sev_snp.verify_sev_snp_report` appraises an AMD SEV-SNP attestation report offline, in three fail-closed steps:

1. **Certificate chain.** The VCEK is verified up to a trusted AMD root (ARK) through `ARK -> ASK -> VCEK`. Each certificate must be validly issued by the next, and the root must match a trusted anchor by fingerprint.
2. **Report signature.** The ECDSA-P384 signature (stored as little-endian `r` and `s`) is verified against the VCEK public key over the report body (`report[:0x2A0]`).
3. **Binding.** The launch `measurement` and the `report_data` (which carries the runtime key and nonce) are checked against expected values.

**What is validated.** The chain-verification path is exercised against the genuine AMD Milan ARK/ASK root chain fetched from AMD KDS (`tests/fixtures/sev_snp/`). The report-signature path is exercised end to end with a synthetic VCEK and report, because a genuine report plus VCEK pair requires real SEV-SNP hardware. Producing a report (`SevSnpProvider.attest`) fails closed off hardware (`AttestationUnsupported`).

## Fail closed

Providers without a backend `detect()` to False, so they are never selected automatically, and verification fails closed when evidence is absent or invalid. This is deliberate: cA2A must not be described as attested across trust domains until a real hardware backend verifies a quote against a golden measurement. TDX and TPM backends remain Tier 3. See [LIMITATIONS.md](../../LIMITATIONS.md).

## Why this is the critical path

Real hardware attestation verification (SEV-SNP VCEK chain from AMD KDS, Intel TDX quote via QVL/PCS, TPM AK cert plus checkquote) is a dependency for any cross-operator trust claim, single-agent or multi-agent. It is shared with cmcp and sequenced first on the roadmap so the demo matches the claim.
# Peer Attestation

Before a peer is trusted with a delegated task, it proves it is running attested, measured code. cA2A reuses the pluggable TEE provider abstraction from [cmcp](https://github.com/agentrust-io/cmcp).

## Provider interface

A provider implements `BaseProvider`:

- `detect()` returns whether the provider is available on the current host.
- `attest(public_key, nonce)` returns an `AttestationReport` binding `public_key` to the host's hardware measurement under `nonce`.

An `AttestationReport` carries `platform`, `measurement`, the bound `public_key`, and the `nonce`.

## Providers

| Provider | Platform | Status |
|---|---|---|
| `software-only` | none | Available; for development and CI. Reports `platform: software-only`, never a hardware platform string. |
| `sev-snp` | AMD SEV-SNP | Verifier implemented (see below). Report generation requires a real SEV-SNP guest. |
| `tpm` | TPM 2.0 / vTPM | Tier 3, not yet implemented |
| `tdx` | Intel TDX | Tier 3, not yet implemented |
| `opaque` | OPAQUE Confidential Runtime | Tier 3, explicit opt-in, not auto-selected |

## SEV-SNP verification

`ca2a_verify.sev_snp.verify_sev_snp_report` appraises an AMD SEV-SNP attestation report offline, in three fail-closed steps:

1. **Certificate chain.** The VCEK is verified up to a trusted AMD root (ARK) through `ARK -> ASK -> VCEK`. Each certificate must be validly issued by the next, and the root must match a trusted anchor by fingerprint.
2. **Report signature.** The ECDSA-P384 signature (stored as little-endian `r` and `s`) is verified against the VCEK public key over the report body (`report[:0x2A0]`).
3. **Binding.** The launch `measurement` and the `report_data` (which carries the runtime key and nonce) are checked against expected values.

**What is validated.** The chain-verification path is exercised against the genuine AMD Milan ARK/ASK root chain fetched from AMD KDS (`tests/fixtures/sev_snp/`). The report-signature path is exercised end to end with a synthetic VCEK and report, because a genuine report plus VCEK pair requires real SEV-SNP hardware. Producing a report (`SevSnpProvider.attest`) fails closed off hardware (`AttestationUnsupported`).

**Cross-operator use.** Two operators in separate trust domains each bind their sealed-channel public key into a report and verify the counterparty's report against a pinned golden measurement. This composes into mutual attestation, confidential cross-operator delegation (seal to the attested key), and binary-swap detection (a changed measurement is rejected), validated in software as claim C6. See the [call graph](call-graph.md) and the `claim6-cross-operator-attestation` experiment.

## Fail closed

Providers without a backend `detect()` to False, so they are never selected automatically, and verification fails closed when evidence is absent or invalid. This is deliberate: cA2A must not be described as attested across trust domains until a real hardware backend verifies a quote against a golden measurement. TDX and TPM backends remain Tier 3. See [LIMITATIONS.md](../../LIMITATIONS.md).

## Why this is the critical path

Real hardware attestation verification (SEV-SNP VCEK chain from AMD KDS, Intel TDX quote via QVL/PCS, TPM AK cert plus checkquote) is a dependency for any cross-operator trust claim, single-agent or multi-agent. It is shared with cmcp and sequenced first on the roadmap so the demo matches the claim.
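Review bot: the added "Cross-operator use" paragraph says each operator binds its sealed-channel public key into a report and verifies the counterparty's report against a pinned golden measurement, but the "Fail closed" section immediately below still says cA2A must not be described as attested across trust domains until a real hardware backend verifies a quote against a golden measurement. The paragraph should say in its own words that the C6 harness runs on synthetic reports (the "What is validated" paragraph already notes that `SevSnpProvider.attest` fails closed off hardware), so the two sections agree. Two gaps in the unchanged verification steps are worth closing in the same edit: step 3 says `report_data` "carries the runtime key and nonce", but `REPORT_DATA` is a fixed 64-byte field in the SEV-SNP report, so the spec should state the exact encoding the binding check compares against (a 32-byte key concatenated with a 32-byte nonce, or a hash over both) and that the nonce is checked for freshness rather than only against an "expected value"; and the three steps say nothing about the report's guest policy and TCB fields, so the spec should say whether those are appraised alongside the measurement pin or are explicitly out of scope.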
12 changes: 6 additions & 6 deletions experiments/README.md
Expand Up @@ -13,22 +13,22 @@ Each experiment imports directly from `ca2a_runtime`. Run from the repo root aft
| [claim3-scope-policy-intersection](claim3-scope-policy-intersection/) | C3: Delegated scope intersected with local policy | working | Effective scope = delegated INTERSECT local policy; capability granted only when delegated AND locally allowed (1/1 allowed, 3/3 denied) |
| [claim4-sealed-payload-confidentiality](claim4-sealed-payload-confidentiality/) | C4: Payload decrypts only with the peer's enclave-bound key | working | Sealed to the attested key (X25519 -> HKDF -> ChaCha20-Poly1305); only the peer's private key opens it; path sees ciphertext; tamper fails closed |
| [claim5-provenance-dag-integrity](claim5-provenance-dag-integrity/) | C5: Linked records are tamper-evident, bound to authority | working | Tamper flips ~50% of hash bits (128/256), `ProvenanceLinkBroken` raised; reparent detected; provenance bound to authority |
| [claim6-cross-operator-attestation](claim6-cross-operator-attestation/) | C6: Two domains, independent keys, mutual attestation, binary-swap detection | gated (Tier 3) | SKIPs until a real hardware attestation backend verifies a quote |
| [claim6-cross-operator-attestation](claim6-cross-operator-attestation/) | C6: Two domains, independent keys, mutual attestation, binary-swap detection | working | Mutual SEV-SNP attestation, sealed cross-operator delegation, and binary-swap detection (4/4); synthetic vectors, real hardware end-to-end pending |

Working experiments are fully reproducible on any host with no TEE. Gated experiments SKIP (exit 0) until the implementation they depend on lands, mirroring how cmcp's `claim-hw-attestation` SKIPs without a confidential VM. Each gated dependency is on the [roadmap](../ROADMAP.md).
All six claims are validated and fully reproducible on any host with no TEE. The attestation-dependent claims (C4, C6) exercise the SEV-SNP verifier against synthetic report vectors, since a genuine report requires SEV-SNP hardware; validating the report-signature path against real hardware vectors, and driving the whole pipeline off a live A2A transport, remain on the [roadmap](../ROADMAP.md).

## Running

```bash
pip install -e ".[dev]"
python experiments/claim1-attenuation-soundness/run.py
python experiments/claim2-cross-chain-replay/run.py
python experiments/claim3-scope-policy-intersection/run.py # SKIP (Tier 2)
python experiments/claim4-sealed-payload-confidentiality/run.py # fail-closed today
python experiments/claim3-scope-policy-intersection/run.py
python experiments/claim4-sealed-payload-confidentiality/run.py
python experiments/claim5-provenance-dag-integrity/run.py
python experiments/claim6-cross-operator-attestation/run.py # SKIP (Tier 3)
python experiments/claim6-cross-operator-attestation/run.py
```

## CI

Each claim has a unit test under `tests/unit/test_claim*.py`. Working claims assert their property; gated claims register a `pytest.mark.skip` so CI records them as skipped, not failed, until the dependency lands. The suite runs in the `test` job of [.github/workflows/ci.yml](../.github/workflows/ci.yml).
Each claim has a unit test under `tests/unit/test_claim*.py` that asserts its property. All six run in the `test` job of [.github/workflows/ci.yml](../.github/workflows/ci.yml).
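Review bot: the replacement sentence "The attestation-dependent claims (C4, C6) exercise the SEV-SNP verifier against synthetic report vectors" does not match the C4 row above, whose result column describes only the X25519 -> HKDF -> ChaCha20-Poly1305 sealing with no attestation step, and the changelog entry for the sealed channel says enclave-binding of the private key remains open; either name only C6 here or state which part of C4 touches the verifier. The C6 row's status column also changed from "gated (Tier 3)" to "working" while its result column says real hardware end-to-end is pending; a status such as "working (synthetic vectors)" would keep the status column self-describing without reading the result text.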