-
Notifications
You must be signed in to change notification settings - Fork 6
Home
In the following, if a MUST-level requirement is violated, the entire procedure is aborted.
The described flow is divided into two separate phases:
- Appraisal Context Initialisation
- Evidence Appraisal
The described flow is not a reference implementation, in particular it is expected that the cost of the initialisation phase can be amortised across multiple appraisals. Implementers are free to do whatever they like, as long as the stated invariants are not violated.
The goal of the initialisation phase is to load the appraisal context with all and only the reference values, endorsed values, and cryptographic validation key material that will be used in the appraisal phase.
All available Concise Reference Integrity Manifests (CoRIMs) are collected.
CoRIMs that are not within their validity period, or that cannot be associated with an authenticated and authorised source MUST be discarded.
The selection process MUST yield at least one CoRIM.
All CoBOMs are collected from the selected CoRIMs.
There MUST be at least one (non-empty) CoBOM.
CoBOMs are used to locate and collect the listed tags (i.e., CoMIDs and/or CoSWIDs and/or CoTSs) from the selected CoRIMs.
All the listed tags MUST be successfully located and be syntactically and semantically valid.
All reference values, endorsed values and cryptographic verification key material found in the listed tags are extracted and loaded into the appraisal context together with their (attesting or target) environments.
The goal of the appraisal phase is to determine the trustworthiness of the submitted Evidence and summarise it in an Attestation Result.
The Attestation Result provides a set of trust metrics associated with the Evidence together with any further information that can be derived by the Verifier about the Attester (e.g., via supply chain endorsements).
The Relying Party application will use the Attestation Result to make policy decisions.
We make no assumptions on the specific shape of the Attestation Result except for its optional ability to transport endorsed values associated with the appraised Attester.
The first step in the appraisal process is to verify Evidence cryptographic envelope.
The exact verification mechanics depends on the specific Evidence format.
In DICE, a suitable certificate chain anchored on a trusted root certificate is searched up -- e.g., based on linking information obtained from the layer 0 certificate -- in the appraisal context. If found, then usual X.509 certificate validation is performed.
In PSA, the verification public key is looked up in the appraisal context using the euid claim found in the PSA claims-set. If found, COSE Sign1 verification is performed accordingly.
Independent of the specific method, the integrity of Evidence cryptographic envelope MUST be successfully verified.
Then, the attesting and attested environment(s) associated with Evidence are identified.
Typically, this is done by inspecting the claims-set(s) and extracting the relevant claims
For example: with PSA Evidence, the Verifier will look at the euid and implementation-id claims; while with DICE Evidence the environment is found in the DiceTcbInfo extension.
The environment identifier(s) are used to lookup the relevant Reference Values from the appraisal context.
Evidence MUST match the identified Reference Values.
The environment identifier(s) are used to lookup the relevant Endorsed Values from the appraisal context.
Any matching Endorsed Value can be added to the Attestation Result.