Confidential Space token claims


This document describes the items that are present in Confidential Space attestation tokens, as defined in the well-known endpoint for Confidential Space. The tokens are JSON web tokens (JWT).

Default attestation tokens are located in /run/container_launcher/attestation_verifier_claims_token on a Confidential Space image, and can also be requested from the launcher's HTTP server.

For more information about tokens and retrieving them, see Use resources outside of Google Cloud.

Example token

The following is an example of an encoded attestation token. You can use https://jwt.io/ to decode it:

eyJhbGciOiJIUzI1NiIsImtpZCI6IjEyMzQ1IiwidHlwIjoiSldUIn0.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.E1hejTeIHqTXHPdwJN0meCDnghfQyd7p8SN_Fu7auK5tBGKSfDuDMHdNdOnjQzqU6KTvUAxCme4gEfkX5T8pDeV2eETFRrFkd_nOE6BhnNafm6UvLSet2y161JI2fjL7ZKHQdmSCubmJRVoKT10ZQVOSuy8NkkkKwHhMXFZ_yvTPSInGjTKMw0aFj5CB6qC-rdwr9f9ETOaCxRexKnR9y8weZbbKsMROCnviwkLv3mIQx-J4aFmtgbhI_yEb9AOein4sPjmk8n-LnFhgeAPzK7FYziD81U9p8wtRN5sDDAXpJuej1yr2aEcRhWQTyQ5DzXQ2DsSN91ZCV4-fv6wjyw0000

The following is an example of a decoded token:

{
  "alg": "HS256",
  "kid": "12345",
  "typ": "JWT"
}.
{
  "aud": "<YOURAUDIENCE>",
  "exp": 1698865165,
  "iat": 1698861565,
  "iss": "https://confidentialcomputing.googleapis.com",
  "nbf": 1698861565,
  "sub": "https://www.googleapis.com/compute/v1/projects/test-project/zones/us-east4-c/instances/on-demand-demo1",
  "eat_nonce": [
    "thisIsAcustomNonce",
    "thisIsAMuchLongerCustomNonceWithPaddingFor74Bytes0000000000000000000000000"
  ],
  "secboot": true,
  "oemid": 11129,
  "hwmodel": "GCP_AMD_SEV",
  "swname": "CONFIDENTIAL_SPACE",
  "swversion": [
    "230902"
  ],
  "dbgstat": "disabled-since-boot",
  "submods": {
    "confidential_space": {
      "support_attributes": [
        "EXPERIMENTAL"
      ]
    },
    "container": {
      "image_reference": "us-docker.pkg.dev/test-project/on-demand-attestation/workload-container:latest",
      "image_digest": "sha256:667b7cc9407f7d9949d43fd51dde2a5b66db9b695ef5bfe525cf8576d54ffaa9",
      "restart_policy": "Never",
      "image_id": "sha256:f2484d4358ebe74b0b9e1051d8852389d5f5481681a4933fd58a61817aee76da",
      "env_override": null,
      "cmd_override": null,
      "env": {
        "HOSTNAME": "on-demand-demo1",
        "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      },
      "args": [
        "/customnonce"
      ],
      "image_signatures": null
    },
    "gce": {
      "zone": "us-east4-c",
      "project_id": "test-project",
      "project_number": "7142",
      "instance_name": "on-demand-demo1",
      "instance_id": "1533296206769237868"
    }
  },
  "google_service_accounts": [
    "952117457142-compute@developer.gserviceaccount.com"
  ]
}

The items within the token are further explained in the following sections.

Token items

The following table describes the high-level items in an attestation token. These items are compliant with the OpenID Connect 1.0 specification.

| Well-known endpoint values | Description |
| --- | --- |
| claims_supported | See Supported claims. |
| id_token_signing_alg_values_supported | The signing algorithms (alg values) supported by the token. Confidential Space supports the RS256 algorithm. |
| issuer | The HTTPS scheme that Confidential Space uses as its issuer identifier. The value is https://confidentialcomputing.googleapis.com. |
| jwks_uri | The path to the public keys used to verify the token signature. You can publish these keys in a Cloud Storage bucket. You can find the jwks_uri keys in https://www.googleapis.com/service_accounts/v1/metadata/jwk/signer@confidentialspace-sign.iam.gserviceaccount.com. An example value is https://example.storage.googleapis.com/jwks.json. |
| response_types_supported | The list of supported Confidential Space response types. Confidential Space supports id_token. |
| scopes_supported | The OAuth 2.0 scope values that the Confidential VM instance supports. Confidential Space supports openid only. |
| subject_types_supported | The subject identifier types that Confidential Space supports. Confidential Space supports public. |

Supported claims

The following table describes the top-level supported claims in the attestation token.

| Claim | Type | Description |
| --- | --- | --- |
| aud | String | The audience. For the default token (which is fetched every hour by the launcher within Confidential VM), the audience is https://sts.googleapis.com. For custom tokens, the audience is echoed from the audience in the token request. The maximum length is 512 bytes. |
| dbgstat | String | The debug status for the hardware. In production images, the value is disabled-since-boot. In debug images, the value is enabled. |
| eat_nonce | String or string array | One or more nonces for the attestation token. The values are echoed from the token options sent in the custom token request. Each nonce must be between 10 and 74 bytes inclusive. A maximum of six nonces is allowed. |
| exp | Int, Unix timestamp | The expiration time on or after which the token must not be accepted for processing. The value is a JSON number that represents the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the expiry time. |
| google_service_accounts | String array | The validated service accounts that are running the Confidential Space workload. |
| hwmodel | String | The unique identifier for the hardware token. Current values are GCP_AMD_SEV, GCP_AMD_SEV_ES, and GCP_SHIELDED_VM. |
| iat | Int, Unix timestamp | The time when the JWT was issued. The value is a JSON number that represents the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the issue time. |
| iss | String | The issuer of the token, which is set to https://confidentialcomputing.googleapis.com. |
| nbf | Int, Unix timestamp | The time before which the JWT cannot be used for processing. |
| oemid | Uint64 | The Google Private Enterprise Number (PEN), which is 11129. |
| secboot | Boolean | Whether Secure Boot is enabled, which ensures that the firmware and operating system were authenticated during the VM boot process. This value is always true. |
| sub | String | The subject, which is the fully qualified virtual machine ID for the Confidential VM. For example, https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_ID. This format is known as the instance's selfLink. |
| submods | Array | An array of various claims. See Submod claims. |
| swname | String | The name of the approved operating system for the VM. Values are CONFIDENTIAL_SPACE or GCE. The CONFIDENTIAL_SPACE value is only for hardened images that passed all validation. |
| swversion | String array | The version of the operating system. The value is a string array that contains only one value. The version follows the format YYYYMM##, where ## is a counter for the number of images released before the image being used in the same month. |

Submods claims

The following table describes the submods claims in the attestation token.

| Claim | Type | Description |
| --- | --- | --- |
| confidential_space | String array | The object that contains a support_attributes field (USABLE, STABLE, and LATEST). For more information, see Confidential Space image lifecycle. |
| container | Object | See Workload container claims. |
| gce | Object | See Compute Engine claims. |

Workload container claims

The following table describes the container claims in the attestation token. For more information about these claims, see Attestation assertions.

| Claim | Type | Description |
| --- | --- | --- |
| args | String array | The full argv the container is invoked with. This claim includes the container's entrypoint path and any additional command-line arguments. |
| cmd_override | String array | The CMD commands and parameters used in the workload image. |
| env | Object array | The environment variables and their values that have been explicitly passed to the container. |
| env_override | Object array | The overwritten environment variables in the container. |
| image_digest | String | The image digest of the workload container. |
| image_id | String | The image ID of the workload container. |
| image_reference | String | The location of the workload container running in Confidential Space. |
| image_signatures | Object array | See Container image signature claims. |
| restart_policy | String | The restart policy of the container launcher when the workload stops. Valid values are Always, OnFailure, and Never. Default is Never. |
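
A relying party's acceptance check over the top-level and workload container claims described above, as an added example that is not part of the original page or of Google's code. The function name check_claims, its parameters, and the policy it enforces (production image only, RS256 pinned, exact image digest) are assumptions, and it assumes the token signature was already verified against the jwks_uri keys.

```python
import time

ISSUER = "https://confidentialcomputing.googleapis.com"
HW_MODELS = {"GCP_AMD_SEV", "GCP_AMD_SEV_ES", "GCP_SHIELDED_VM"}


def check_claims(header, claims, *, audience, nonce, image_digest, now=None):
    """Return the failed checks (empty list = accept). Assumes the signature
    was already verified against the jwks_uri keys; names are hypothetical."""
    now = time.time() if now is None else now
    errors = []
    if header.get("alg") != "RS256":  # pin the one algorithm the page lists
        errors.append("alg")
    if claims.get("iss") != ISSUER:
        errors.append("iss")
    if claims.get("aud") != audience:
        errors.append("aud")
    if not (claims.get("nbf", float("inf")) <= now < claims.get("exp", 0)):
        errors.append("time")
    # eat_nonce is a string or a string array: normalise before comparing.
    nonces = claims.get("eat_nonce", [])
    nonces = [nonces] if isinstance(nonces, str) else nonces
    if nonce not in nonces or not 10 <= len(nonce.encode()) <= 74:
        errors.append("eat_nonce")
    if claims.get("dbgstat") != "disabled-since-boot":
        errors.append("dbgstat")
    if claims.get("swname") != "CONFIDENTIAL_SPACE":
        errors.append("swname")
    if claims.get("hwmodel") not in HW_MODELS or claims.get("secboot") is not True:
        errors.append("hardware")
    container = (claims.get("submods") or {}).get("container") or {}
    if container.get("image_digest") != image_digest:
        errors.append("image_digest")
    return errors


# Constructed sample: the decoded example token above, trimmed to checked fields.
SAMPLE_HEADER = {"alg": "HS256", "kid": "12345", "typ": "JWT"}
SAMPLE_CLAIMS = {
    "aud": "<YOURAUDIENCE>", "exp": 1698865165, "iat": 1698861565,
    "iss": ISSUER, "nbf": 1698861565,
    "eat_nonce": ["thisIsAcustomNonce"], "secboot": True,
    "hwmodel": "GCP_AMD_SEV", "swname": "CONFIDENTIAL_SPACE",
    "dbgstat": "disabled-since-boot",
    "submods": {"container": {"image_digest":
        "sha256:667b7cc9407f7d9949d43fd51dde2a5b66db9b695ef5bfe525cf8576d54ffaa9"}},
}
```

Run against the constructed sample with a time inside the validity window, the check reports only alg, because the example header on this page shows HS256 while the endpoint table lists RS256 as the supported algorithm.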

Compute Engine claims

The following table describes the gce claims in the attestation token.

| Claim | Type | Description |
| --- | --- | --- |
| instance_id | String | The VM instance ID. |
| instance_name | String | The VM instance name. |
| project_id | String | The project ID for the project that the VM is running in. |
| project_number | String | The project number for the project that the VM is running in. |
| zone | String | The Compute Engine zone where the Confidential VM is running. |

Container image signature claims

The following table describes the image_signatures claims in the attestation token.

Claim Type Description
key_id String

The hexadecimal fingerprint of the public key. To get the fingerprint, you can run the following command:

$ openssl pkey -pubin -in public_key.pem -outform DER | openssl sha256

Where public_key.pem is your public key in PEM format.

signature String The base64-encoded signature for a payload that's associated with the signed container and that follows the Simple Signing format.
signature_algorithm String

The algorithm used to sign the key. One of the following:

  • RSASSA_PSS_SHA256 (RSASSA-PSS with a SHA-256 digest)
  • RSASSA_PKCS1V15_SHA256 (RSASSA-PKCS1 v1_5 with a SHA-256 digest)
  • ECDSA_P256_SHA256 (ECDSA on the P-256 Curve with a SHA-256 digest)
