...
URI | Type | Request Contains | Response Contains | Functionality |
---|---|---|---|---|
/api/v2/edgeDevice/uuid | POST | Empty payload, with just AuthContainer | UUID of the device or Error 404 | Return the UUID of the device, based on the device certificate present in the AuthContainer. So far, EVE has been re-using /api/v2/edgeDevice/config to get the UUID of the device in the initial stages of starting EVE services. But with measured boot and remote attestation, configuration is sent to the device only when the device is attested for software integrity (which happens later, as part of zedAgent). Fetching the whole configuration (which now requires attestation) just to obtain the UUID would therefore be overkill, hence the need for this new lightweight URI. The proposed /uuid is a lightweight URI that responds with a single field containing the UUID of the device. If the device is not known, Error 404 is sent. |
/api/v2/edgeDevice/{uuid}/attest SubType ATTEST_REQ_CERT | POST | X.509 Certificate signed by Device Certificate | No response payload, only the standard HTTP status codes | To send the attestation certificate. This certificate is used to validate the signature of the PCR Quote. This certificate is different from the device certificate and the ECDH certificate. The cert type for this will be set to CERT_TYPE_DEVICE_RESTRICTED_SIGNING. For more details, please refer to this section of the API documentation. |
/api/v2/edgeDevice/{uuid}/attest SubType ATTEST_REQ_NONCE | POST | Empty payload, with just AuthContainer | Nonce Value | To request a nonce from the controller. This nonce will be included while generating the PCR Quote. This will trigger re-fetching of the nonce from the device. For more details, please refer to this section of the API documentation. |
/api/v2/edgeDevice/{uuid}/attest SubType ATTEST_REQ_QUOTE | POST | PCR Quote, Event Log, Integrity Token, Image Version, Firmware Version, Nonce used | SUCCESS or FAILURE. If FAILURE, a sub-code indicates whether there is a nonce mismatch. Also carries the Integrity-Token value and the encrypted Volume Storage Key | To send { PCR Quote, Event Log, Integrity Token, and Image Version } for attestation. The attestation result (PASS/FAIL) is sent back as the response. If attestation is successful, EVC will cache the Integrity Token and the encrypted Volume Storage Key in the response. The next config request should contain the same Integrity-Token. For more details, please refer to this section of the API documentation. |
/api/v2/edgeDevice/{uuid}/config | POST | Hash of the last configuration received, and Integrity Token as proof of access to the Vault | Full configuration in case of a proper Integrity Token, Error 403 if there is an Integrity-Token mismatch | The device will include the Integrity-Token and the hash of the last-received configuration in the request. The controller will run a periodic time check, and attestation has to be redone periodically at these intervals. |
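The nonce → quote → Integrity-Token → config sequence described in the table, modelled as an added Python example (not EVE or EVC code). The TPM quote is stood in for by an HMAC keyed with a constructed device secret, and the sub-codes, `expected_pcr_digest` and the volume key are constructed placeholders; only the flow (fresh nonce per quote, nonce mismatch reported as a failure sub-code, 403 on a stale or missing Integrity-Token, 404 for an unknown UUID) follows the table.

```python
import hmac, hashlib, secrets

class Controller:
    """Constructed model of the controller side of the attestation URIs."""
    def __init__(self, known_uuid, device_key, expected_pcr_digest, volume_key):
        self.known_uuid = known_uuid
        self.device_key = device_key          # stands in for the cert sent via ATTEST_REQ_CERT
        self.expected_pcr = expected_pcr_digest
        self.volume_key = volume_key          # encrypted Volume Storage Key, released only on SUCCESS
        self.nonce = None
        self.integrity_token = None

    def attest_nonce(self):
        """ATTEST_REQ_NONCE: issue a fresh nonce; any earlier nonce is no longer valid."""
        self.nonce = secrets.token_hex(16)
        return self.nonce

    def attest_quote(self, nonce_used, pcr_digest, signature):
        """ATTEST_REQ_QUOTE: nonce check first, then quote signature and measured state."""
        if self.nonce is None or nonce_used != self.nonce:
            return {"result": "FAILURE", "subcode": "NONCE_MISMATCH"}   # constructed sub-code
        expected = device_quote(self.device_key, nonce_used, pcr_digest)
        if not hmac.compare_digest(expected, signature) or pcr_digest != self.expected_pcr:
            return {"result": "FAILURE", "subcode": "QUOTE_INVALID"}    # constructed sub-code
        self.nonce = None                     # a nonce is good for exactly one quote
        self.integrity_token = secrets.token_hex(16)
        return {"result": "SUCCESS", "integrity_token": self.integrity_token,
                "encrypted_volume_key": self.volume_key}

    def config(self, uuid, integrity_token, last_config_hash):
        """/config: 404 for an unknown device, 403 unless the Integrity-Token matches."""
        if uuid != self.known_uuid:
            return 404, None
        if self.integrity_token is None or not hmac.compare_digest(integrity_token, self.integrity_token):
            return 403, None
        return 200, {"config": "<full configuration>", "last_hash_seen": last_config_hash}

def device_quote(device_key, nonce, pcr_digest):
    """Device side: simulated PCR quote over the controller's nonce (HMAC stands in for the TPM signature)."""
    return hmac.new(device_key, (nonce + pcr_digest).encode(), hashlib.sha256).hexdigest()

def run_attestation(ctrl, device_key, pcr_digest, last_config_hash="sha256:<constructed>"):
    """Drive the flow as a device would: fetch nonce, submit quote, then request config with the token."""
    nonce = ctrl.attest_nonce()
    resp = ctrl.attest_quote(nonce, pcr_digest, device_quote(device_key, nonce, pcr_digest))
    if resp["result"] != "SUCCESS":
        return resp
    status, _cfg = ctrl.config(ctrl.known_uuid, resp["integrity_token"], last_config_hash)
    return {"result": "SUCCESS", "config_status": status}
```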
...