@@ -127,12 +127,12 @@ SPIRE SERVER and KEYLIME VERIFIER VERIFICATION PHASE:
127127┌──────────────┐ [8] ┌──────────────┐ [9] ┌──────────────┐ [10] ┌──────────────┐ [11] ┌──────────────┐ [12] ┌──────────────┐ [13] ┌──────────────┐ [14] ┌──────────────┐ [15] ┌──────────────┐
128128│ SPIRE Server │──────>│ Keylime │──────>│ Keylime │──────>│ Keylime │──────>│ rust-keylime │──────>│ Mobile Sensor│──────>│ rust-keylime │──────>│ Keylime │──────>│ SPIRE Server │
129129│ Extract: App │ │ Verifier │ │ Registrar │ │ Verifier │ │ Agent │ │ Microservice │ │ Agent │ │ Verifier │ │ Issue Agent │
130- │ Key, Cert, │ │ Verify App │ │ Return: IP, │ │ Verify AK │ │ Generate │ │ Verify │ │ Return Quote │ │ Verify Quote │ │ SVID with │
131- │ Nonce, UUID │ │ Key Cert │ │ Port, AK, │ │ Registration │ │ TPM Quote │ │ Device Loc │ │ + Location │ │ Verify Cert │ │ BroaderClaims│
132- └──────────────┘ │ Signature │ │ mTLS Cert │ │ (PoC Check) │ │ (with loc) │ │ (Mock MNO ) │ └──────────────┘ │ Verify Loc │ └──────────────┘
133- └──────────────┘ └──────────────┘ └──────────────┘ │ (PCR 15) │ │ Return │
134- └──────────────┘ │ BroaderClaims │
135- └──────────────┘
130+ │ Key, Cert, │ │ Verify App │ │ Return: IP, │ │ Verify AK │ │ (Sidecar) │ │ (Mock MNO) │ │ (Sidecar) │ │ Verify ZKP │ │ SVID with │
131+ │ Nonce, UUID │ │ Key Cert │ │ Port, AK, │ │ Registration │ │ Collect Loc │ │ Return Loc │ │ Generate ZKP │ │ Verify Quote │ │ BroaderClaims│
132+ └──────────────┘ │ Signature │ │ mTLS Cert │ │ (PoC Check) │ └──────┬───────┘ └──────────────┘ │ (Plonky2 ) │ └──────┬ ───────┘ └──────────────┘
133+ └──────────────┘ └──────────────┘ └──────────────┘ │ └──────────────┘ │
134+ └─────────────────── [13] ──────────────────────┘ │
135+ └──────────────┘
136136
137137SPIRE AGENT SVID ISSUANCE & WORKLOAD SVID ISSUANCE:
138138┌──────────────┐ [16] ┌──────────────┐ [17] ┌──────────────┐ [18] ┌──────────────┐ [19] ┌──────────────┐ [20] ┌──────────────┐ [21] ┌──────────────┐
@@ -157,10 +157,10 @@ SPIRE AGENT SVID ISSUANCE & WORKLOAD SVID ISSUANCE:
157157** [ 9] ** Lookup Agent: Verifier queries Registrar for agent info (IP, Port, AK, mTLS Cert)
158158** [ 10] ** Verify AK Registration: Verifier verifies TPM AK is registered with registrar/verifier (PoC security check - only registered AKs can attest)
159159** [ 11] ** Quote Request: Verifier requests fresh TPM quote with challenge nonce
160- ** [ 12] ** Location Detection: Agent detects mobile sensor, binds to PCR 15 with nonce
161- ** [ 13] ** Location Extraction: Keylime Verifier initiates fetch of location via mTLS, validates nonce and PCR index *
162- ** [ 14] ** Quote Response : Agent returns TPM quote and nonce-bound location data
163- ** [ 15] ** Verification Result : Verifier returns BroaderClaims (geolocation, TPM attestation) → SPIRE Server
160+ ** [ 12] ** Location Detection: Agent (Sidecar) detects mobile sensor / GNSS coordinates
161+ ** [ 13] ** MNO Endorsement: Verifier fetches location from MNO (Mock MNO Microservice) to bind to session
162+ ** [ 14] ** ZKP Generation : Agent (Sidecar) runs Plonky2 circuits to prove: Coordinate-in-Geofence, binding to session nonce
163+ ** [ 15] ** Stateless Verification : Verifier validates ZKP proof and TPM quote result → SPIRE Server
164164** [ 16] ** Agent SVID: Server issues agent SVID with BroaderClaims embedded → SPIRE Agent
165165** [ 17] ** Workload Request: Workload connects to Agent Workload API
166166** [ 18] ** Workload API: Workload requests SVID via Agent Workload API
@@ -1817,7 +1817,7 @@ POST http://localhost:9050/verify
18171817sequenceDiagram
18181818 participant Workload as Workload App
18191819 participant Hardware as TPM / Sensors
1820- participant KAgent as Keylime Agent
1820+ participant KAgent as Keylime Agent (Sidecar)
18211821 participant Agent as SPIRE Agent
18221822 participant MNO as Mock MNO (Carrier)
18231823 participant Verifier as Keylime Verifier
@@ -1834,17 +1834,20 @@ sequenceDiagram
18341834 Server->>Verifier: Verify Identity
18351835
18361836 Note right of Verifier: Host Integrity Check
1837- Verifier->>KAgent: Trigger: Fetch TPM Quote & Geo
1837+ Verifier->>KAgent: Trigger attestation with nonce
18381838 KAgent->>Hardware: Read PCRs
1839- Hardware->>KAgent: TPM-Signed Evidence (IMEI, IMSI)
1840- KAgent-->>Verifier: Integrity Quote + Geo
1839+ Hardware->>KAgent: TPM-Signed Evidence
18411840
1842- Verifier->>MNO: Verify Device Location (CAMARA API)
1843- MNO-->>Verifier: Signed MNO Endorsement
1844- Verifier-->>Server: Attested Claims + MNO Anchor
1841+ Note right of KAgent: Gen 4: Privacy-Preserving Gen
1842+ KAgent->>MNO: Request Geo-Endorsement
1843+ MNO-->>KAgent: Signed MNO Response (Gen 4 Dependency*)
1844+ KAgent->>KAgent: Run Plonky2 ZKP Prover (On-Device)
1845+ Note over KAgent: Prove: Location is in Category Radius
18451846
1846- Server->>Server: Run Plonky2 ZKP Prover
1847- Note right of Server: Prove: Location matches MNO Radius<br/>(Privacy-preserving)
1847+ KAgent-->>Verifier: Integrity Quote + ZKP Proof
1848+ Verifier->>Verifier: Stateless ZKP Verification
1849+
1850+ Verifier-->>Server: Attested Claims (compliant) + Proof Receipt
18481851
18491852 Server-->>Agent: Agent SVID + grc.sovereignty_receipt
18501853
@@ -1853,10 +1856,13 @@ sequenceDiagram
18531856
18541857 Note over Workload, Envoy: 4. RUNTIME VERIFICATION (Stateless)
18551858 Workload->>Envoy: mTLS Request with SVID Chain
1856- Envoy->>Envoy: Extract & Verify ZKP Receipt
1859+ Envoy->>Envoy: Extract & Verify ZKP Receipt (Plonky2)
18571860 Envoy-->>Workload: Allowed (Verified Sovereign)
18581861```
18591862
1863+ > [ !IMPORTANT]
1864+ > ** Gen 4 Implementation Status** : The ZKP Prover logic (Plonky2) and stateless verification are fully implemented. The remaining dependency for absolute zero-trust is ** MNO Local Response Signing** , which ensures the location input to the ZKP circuit is authenticated by the carrier before proof generation.
1865+
18601866### Evolution: Gen 3 → Gen 4
18611867
18621868| Aspect | Gen 3 (Current) | Gen 4 (Roadmap) |
0 commit comments