Skip to content

Lead verifier: VTS composite-appraisal business logic #369

New issue
New issue
Open
Open
Lead verifier: VTS composite-appraisal business logic#369
Labels
multi-verifiermulti-verifier support
@thomas-fossati

Description

@thomas-fossati
thomas-fossati
opened on Jan 19, 2026

The composite appraisal business logic is implemented in a new VTS gRPC service handler GetCompositeAttestation that takes a proto.AttestationToken as input and returns a proto.AppraisalContext.

The CE handler is tasked with the following actions:

  1. Look up a suitable composite evidence parser depending on the composite evidence (base) media type.
  2. Break down the composite evidence using the parser to obtain its component elements.
  3. For each element in the collection:
    3.1. Look up a suitable client plugin using the configured dispatch table
    3.2. Invoke the client, passing the component evidence and the nonce to obtain the EAR appraisal. If no client can be identified, populate an EAR appraisal with a status of “unknown”.
  4. Collect all the appraisals in an EAR claims-set.
  5. Pass the EAR claims-set to the dynamic policy engine for any additions or overwrites.
  6. Sign the EAR claims-set and return it.

Configuration

VTS configuration is extended with an optional new key, dispatch-table.

dispatch-table: ./dispatch-table.json

This variable points to a local JSON file containing one object for each client type.

{
  "vrsn-local": {
    "type": "veraison-client",
    "url": "https://localhost:8443",
    "insecure": true,
    "ca-certs": [ "../../../deployments/docker/src/certs/rootCA.crt" ],
    "hints": [ "application/vnd.veraison.tsm-report+cbor; provider=arm_cca" ]
  }
}

In this iteration, support is limited to the veraison client.
Other verifiers (e.g., Intel-TA, NV, Trustee) will be incorporated in future work.
The optional "hints" contain a list of evidence formats (as media types) that the downstream verifier should know how to handle.
If the downstream verifier exposes a discovery interface, the discovered evidence formats (as media types) will be integrated with the hints.
In the event of a conflict between clients, an evidence format introduced via "hints" takes precedence over a discovered evidence format.

The configuration stanza is passed down to the composite evidence client plugin with the same name as the "type” value.

Metadata

Metadata

Assignees

No one assigned

    Labels

    multi-verifiermulti-verifier support

    Type

    No type

    Projects

    Lead Verifier Implementation

    Status

    Ready

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions