Platform Configuration Registers (PCR)

A secure running environment include several platform configuration registers that are unique to that environment. With this values we can ensure that the information we recieve comes from the source we expect.

Obtain PCR values for your build

Once you build your vFunction you want to obtain its PCR values to add them to the secrets provider. For this you will use the verifiably API and provide your build-id.

curl --request GET -H "x-api-key: <api-key>" -H "x-api-key-id: <api-key-id>" 
"https://vbuild.us-east-2.verifiably.com/pcr/<build_id>?values=true"

Once you call the API you will recieve a link to download a zip file which contains a text file with the PCR values of your vFunction. If you set the parameter "values=true" then you will also recieve the explicit values of the PCRs.

{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "455a4208741947799dd28a4ed38632cf31039cbba9ec45f2f658a1a75bdc52464d22f224f5d060b5c4975742c4f37723",
    "PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
    "PCR2": "f86f8f184e0ec4905f56eae44cc288391db56fd5a3599da5cc40ff89cbf52a77680904711ba1e2425a4be3d089968e0d"
  }
}

Add PCR to secrets provider

In your secrets provider you need to add the pcr values that you want to accept. For this just create a dictionary with the PCR number and its value.

expected_pcrs = {
    "0":"455a4208741947799dd28a4ed38632cf31039cbba9ec45f2f658a1a75bdc52464d22f224f5d060b5c4975742c4f37723",
    "1":"bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
    "2":"f86f8f184e0ec4905f56eae44cc288391db56fd5a3599da5cc40ff89cbf52a77680904711ba1e2425a4be3d089968e0d"
}

Use this dictionary to set up the secrets provider as explained in the Mercury Bank Example.