
CoRIM ramblings...

Thomas Fossati edited this page Oct 16, 2023 · 21 revisions

Goal

The purpose of CoRIM is to provide verifiers with complete information about attesters, enabling verifiers to conduct secure evaluations of evidence produced by attesters.

Device modelling

CoRIM breaks down a device under appraisal into a set of hierarchically arranged components called environments.

Environments represent either an attesting or a target environment.

Triples

Each environment is described by one or more triples, i.e., stereotyped statements of the form:

"subject verb object"

where:

  • subject is an environment
  • verb is one from a very limited set of predicates
  • object is an attribute associated with the subject whose type depends on the specific verb

There are two kinds of triples:

  • structure triple, describing the relationships between environments,
  • attribute triple, describing attributes associated with environments.

Example

An example system:

flowchart TD
    A --"has child"--- B
    A --"has child"--- C
    B --"has child"--- D
    subgraph " "
       A --"signs with key"--- a((a))
    end
    subgraph " "
       B --"signs with key"--- x((x))
    end
    subgraph " "
       C --"has endorsed value"--- b((b))
       C --"has reference value"--- c((c))
    end
    subgraph " "
       D --"has reference value"--- d((d))
       D --"has endorsed value"--- e((e))
    end

Tags

Triples about one or more related environments are bundled into a CoMID.

The scope of a CoMID is not fixed. Related triples can be distributed across multiple CoMIDs, while unrelated triples can be present in the same CoMID. The actual mapping is dependent on the supply chain arrangement of the device, which CoMID does not restrict in any way.

CoMID tags, in turn, are bundled into a CoRIM tag.

CoRIM tags are signed containers which bundle some CoMID (and other kinds of) tags along with metadata about the signer (i.e., a given supply chain entity), the validity of the contained tags, etc.

CoRIM assumes that the verifier's appraisal policy for evidence describes which signers are authorised to talk about which environment.
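The two points above (a CoRIM is a signed container, and the verifier's policy says which signer may speak about which environment) are worth seeing as a concrete admission step. The following is an added example, not code from this page or from any CoRIM implementation: it uses an HMAC over compact JSON as a stand-in for the COSE_Sign1-over-CBOR signature of a real CoRIM, constructed keys and secrets, and an invented `POLICY` table; the key point it demonstrates is that the signer identity is recovered from the key that actually verifies the signature, never read from an unverified field, and that only triples whose subject environment the policy assigns to that signer are admitted.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Triple:
    subject: str        # the environment the statement is about
    verb: str
    obj: str

@dataclass(frozen=True)
class CoMID:
    triples: tuple      # triples about one or more related environments

@dataclass(frozen=True)
class CoRIM:
    key_id: str         # hint for key lookup; untrusted until the signature verifies
    not_before: str     # validity window of the contained tags, "YYYY-MM-DDTHH:MM:SSZ"
    not_after: str
    comids: tuple
    signature: bytes

def _to_be_signed(key_id, not_before, not_after, comids):
    # Canonical bytes covered by the signature. A real CoRIM is CBOR inside a
    # COSE_Sign1; sorted, compact JSON is the constructed stand-in used here.
    body = {"key_id": key_id, "not_before": not_before, "not_after": not_after,
            "comids": [[[t.subject, t.verb, t.obj] for t in c.triples] for c in comids]}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_corim(key_id, not_before, not_after, comids, keyring):
    _, secret = keyring[key_id]
    mac = hmac.new(secret, _to_be_signed(key_id, not_before, not_after, comids),
                   hashlib.sha256).digest()
    return CoRIM(key_id, not_before, not_after, tuple(comids), mac)

def verified_signer(corim, keyring):
    """Return the signer's name if the signature verifies under a known key, else None."""
    if corim.key_id not in keyring:
        return None
    signer, secret = keyring[corim.key_id]
    expected = hmac.new(secret, _to_be_signed(corim.key_id, corim.not_before,
                                              corim.not_after, corim.comids),
                        hashlib.sha256).digest()
    return signer if hmac.compare_digest(expected, corim.signature) else None

def admit_triples(corims, keyring, policy, now):
    """Apply the verifier's appraisal policy: keep only triples whose verified
    signer is authorised to make statements about the triple's subject environment."""
    admitted, rejected = [], []
    for corim in corims:
        signer = verified_signer(corim, keyring)
        if signer is None:
            rejected.append(("*", corim.key_id, "signature does not verify"))
            continue
        # Fixed-width ISO-8601 strings in UTC compare correctly as strings.
        if not (corim.not_before <= now <= corim.not_after):
            rejected.append(("*", signer, "outside validity window"))
            continue
        for comid in corim.comids:
            for t in comid.triples:
                if signer in policy.get(t.subject, set()):
                    admitted.append(t)
                else:
                    rejected.append((t.subject, signer, "signer not authorised for this environment"))
    return admitted, rejected

# Constructed sample: two supply-chain entities and one appraisal policy. The
# module vendor may only speak about environment D.
KEYRING = {"oem-key": ("OEM", b"constructed-oem-secret"),
           "module-key": ("ModuleVendor", b"constructed-module-secret")}
POLICY = {"A": {"OEM"}, "B": {"OEM"}, "C": {"OEM"}, "D": {"OEM", "ModuleVendor"}}

def build_sample():
    oem = sign_corim("oem-key", "2023-01-01T00:00:00Z", "2024-01-01T00:00:00Z",
                     [CoMID((Triple("A", "has child", "B"),
                             Triple("C", "has reference value", "c")))], KEYRING)
    vendor = sign_corim("module-key", "2023-01-01T00:00:00Z", "2024-01-01T00:00:00Z",
                        [CoMID((Triple("D", "has reference value", "d"),
                                Triple("A", "has endorsed value", "vendor-says-secure")))], KEYRING)
    # Payload altered after signing: the OEM's signature no longer covers it.
    tampered = replace(oem, comids=(CoMID((Triple("C", "has reference value", "evil"),)),))
    expired = sign_corim("oem-key", "2021-01-01T00:00:00Z", "2022-01-01T00:00:00Z",
                         [CoMID((Triple("B", "has reference value", "old"),))], KEYRING)
    return [oem, vendor, tampered, expired]

def demo(now="2023-10-16T00:00:00Z"):
    return admit_triples(build_sample(), KEYRING, POLICY, now)

if __name__ == "__main__":
    admitted, rejected = demo()
    print("admitted:", [(t.subject, t.verb, t.obj) for t in admitted])
    print("rejected:", rejected)
```

The vendor's statement about A is dropped even though its signature is valid, because authorisation is decided per subject environment, not per tag; the tampered and expired CoRIMs are dropped whole before any of their triples are looked at.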

Kinds of triples

Attribute triples

Reference values

"Reference values" are claims describing the desired state of a target environment.

In appraisal, they are compared to the corresponding evidence claims.

A reference value triple is as follows:

  • subject is a target environment
  • verb is "has reference value"
  • object is the desired value of measurement of the target environment

For example, the subject could be a firmware component, and the object is the desired value for a measurement of that firmware component.

"X" reference values

"X reference values" are claims describing the undesired/unacceptable state of a target environment.

In appraisal, they are compared to the corresponding evidence claims.

An X reference value triple is as follows:

  • subject is a target environment
  • verb is "has undesired value"
  • object is the undesired value of measurement of the target environment, and the reason why it's undesirable

For example, the subject could be a firmware component, and the object is the value for a measurement of that firmware component that is unacceptable due to a security vulnerability.

Endorsed values

"Endorsed values" are claims describing some actual feature of an environment.

During an appraisal, they are added to evidence claims. They can be conditional to the successful matching of certain reference values.

An endorsed value triple is as follows:

  • subject is an attesting or a target environment
  • verb is "has endorsed value"
  • object is some non-measured attribute of the environment

For example, the subject could be an attester, and the object is a product name for that attester.

Signing keys

Raw public or secret keys that an attesting environment uses to sign evidence.

They are used for cryptographic verification of evidence.

A signing keys triple is as follows:

  • subject is an attesting environment
  • verb is "signs with"
  • object is the key material used by the attesting environment to seal evidence

For example, the subject could be an attester, and the object is the raw public key paired with the secret signing key.

Structure Triples

Grouping

Description of the hierarchical arrangement of environments.

A grouping triple is as follows:

  • subject is an environment
  • verb is "has children environments"
  • object is a list of environments

For example, the subject could be the lead attester in a composite device, and the objects would be the sub-attesters.

Subjects and objects being of the same type allows recursive application of the triple.

So, one of the sub-attesters above could become the subject of another grouping triple having the FW components of that sub-attester for objects.

Conditional triples (work in progress)

Triples can be wrapped in conditional statements of the form "IF condition THEN triple".

Syntactically, a condition is a list of tuples [(environment, attribute), ...].

There are two types of conditions:

  • AND: all tuples in the condition set must match against the ACS (Accepted Claims Set) before the triple can be added to the ACS
  • OR: at least one tuple in the condition set must match against the current ACS before the triple can be added to the ACS

TODO: topo-sorting.
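To tie the triple kinds together, here is an added example (not code from this page or from any CoRIM implementation) of a toy appraisal over the example system shown under "Example" above, exercising the sections on reference values, X reference values, endorsed values, grouping and conditional triples. Attributes are modelled as (name, value) pairs, the ACS as a dict of environment to claims, and the evidence, the X reference value and the two conditional endorsements are constructed for the example. Conditional triples are applied by iterating to a fixpoint, which is one alternative to topologically sorting them first: an endorsement that is enabled by another conditional endorsement is reached regardless of the order in which the triples were listed.

```python
from dataclasses import dataclass
from typing import Any

REF, XREF, ENDORSE, CHILD = ("has reference value", "has undesired value",
                             "has endorsed value", "has children environments")

@dataclass(frozen=True)
class Triple:
    subject: str        # environment identifier, e.g. "C"
    verb: str           # one of the predicates above
    obj: Any            # (name, value) attribute, a list of child environments,
                        # or for XREF a ((name, value), reason) pair

@dataclass(frozen=True)
class Conditional:
    mode: str           # "AND" or "OR"
    conditions: tuple   # ((environment, (name, value)), ...)
    triple: Triple      # added to the ACS once the condition holds

def subtree(env, triples):
    """Environments reachable from env through grouping triples, applied recursively."""
    out = [env]
    for t in triples:
        if isinstance(t, Triple) and t.verb == CHILD and t.subject == env:
            for child in t.obj:
                out.extend(subtree(child, triples))
    return out

def condition_met(cond, acs):
    hits = [acs.get(env, {}).get(name) == value for env, (name, value) in cond.conditions]
    return all(hits) if cond.mode == "AND" else any(hits)

def appraise(evidence, triples):
    """Return (accepted, acs, reasons). evidence: {environment: {name: value}}."""
    acs = {env: dict(claims) for env, claims in evidence.items()}  # ACS starts as the evidence
    reasons = []
    plain = [t for t in triples if isinstance(t, Triple)]
    conditional = [t for t in triples if isinstance(t, Conditional)]

    # 1. X reference values: evidence matching a known-bad measurement fails outright.
    for t in plain:
        if t.verb == XREF:
            (name, bad), why = t.obj
            if acs.get(t.subject, {}).get(name) == bad:
                reasons.append(f"{t.subject}: {name}={bad!r} is undesired ({why})")
    if reasons:
        return False, acs, reasons

    # 2. Reference values: each measured attribute must equal one of its reference values.
    acceptable = {}
    for t in plain:
        if t.verb == REF:
            name, value = t.obj
            acceptable.setdefault((t.subject, name), set()).add(value)
    for (env, name), values in acceptable.items():
        got = acs.get(env, {}).get(name)
        if got is None:
            reasons.append(f"{env}: no evidence claim for {name}")
        elif got not in values:
            reasons.append(f"{env}: {name}={got!r} matches no reference value")
    if reasons:
        return False, acs, reasons

    # 3. Endorsed values: unconditional ones go straight into the ACS; conditional
    # ones are added when their condition holds against the current ACS, repeating
    # until no further triple can be added.
    for t in plain:
        if t.verb == ENDORSE:
            name, value = t.obj
            acs.setdefault(t.subject, {})[name] = value
    pending, progress = list(conditional), True
    while pending and progress:
        progress = False
        for c in list(pending):
            if condition_met(c, acs):
                name, value = c.triple.obj
                acs.setdefault(c.triple.subject, {})[name] = value
                pending.remove(c)
                progress = True
    return True, acs, reasons

# Constructed sample, modelled on the example system above (a and x, the signing
# keys, are not needed for this step).
TRIPLES = [
    Triple("A", CHILD, ["B", "C"]),
    Triple("B", CHILD, ["D"]),
    Triple("C", REF, ("measurement", "c")),
    Triple("C", ENDORSE, ("product-name", "b")),
    Triple("D", REF, ("measurement", "d")),
    Triple("D", ENDORSE, ("revision", "e")),
    Triple("D", XREF, (("measurement", "d0"), "constructed: build with a known defect")),
    # Listed before the conditional it depends on, to exercise the fixpoint loop.
    Conditional("OR", (("A", ("security-level", "high")), ("D", ("revision", "f"))),
                Triple("A", ENDORSE, ("certified", True))),
    Conditional("AND", (("C", ("measurement", "c")), ("D", ("measurement", "d"))),
                Triple("A", ENDORSE, ("security-level", "high"))),
]
GOOD = {"C": {"measurement": "c"}, "D": {"measurement": "d"}}
ROLLED_BACK = {"C": {"measurement": "c"}, "D": {"measurement": "d0"}}
UNKNOWN = {"C": {"measurement": "c"}, "D": {"measurement": "zz"}}

if __name__ == "__main__":
    for label, ev in (("good", GOOD), ("rolled back", ROLLED_BACK), ("unknown", UNKNOWN)):
        print(label, appraise(ev, TRIPLES))
```

With the good evidence, D's reference value matches, the unconditional endorsements for C and D are added, the AND conditional then endorses A with a security level, and on the second pass the OR conditional (which depends on that endorsement) fires as well. The rolled-back evidence is refused at step 1 before any endorsement is added, and the unknown measurement at step 2.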