-
Notifications
You must be signed in to change notification settings - Fork 7
Layered Conditional Endorsements
This proposal builds on top of the "Composite device description using domain membership triples".
There are cases where Endorsed Values are applicable to an Environment only if Evidence matches certain Reference Values.
One example is that of a security certification granted to an Attester (or sub-Attester) running a combination of certain software component(s) at a specific version. In this case, the Verifier must make sure that the current "accepted state" matches the expected, "certified" measurements before letting the certificate data into the accepted state.
Another example is that of high-level controls or benchmarks that can be cleared by a complex, composite Attester only if a given combination of Target Environments are running a specific software revision and configuration.
To model these use cases we reuse CoRIM's "Stateful Environment" primitive.
Endorser want to provision a Security Certificate that belongs to PSA sub-attester
a. Stateful Environment for boot-loader (BL) component
[
/ environment-map / {
/ comid.class / 0 : {
/ comid.class-id / 0 : 37(h'57057d658db1403b9e387f9f0fa604cf'),
/ comid.vendor / 1 : "FW Manufacturer X",
/ comid.model / 2 : "BL"
}
},
/ measurement-map / {
/ comid.mval / 1 : {
/ comid.version / 0 : {
/ version / 0: "1.0.0"
},
/ comid.digests / 2 : [
[
/ hash-alg-id / 1, / sha256 /
/ hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
]
]
}
},
],
Visually
flowchart TD
subgraph Attester1["Stateful Environment- BL"]
TEx["BL"]
TEy["comid.version-1.0.0 \ncomid.digests=(44aa336a4...)"]
TEx -.- TEy
end
b. Define a Stateful Environment for TF-M component
[
/ environment-map / {
/ comid.class / 0 : {
/ comid.class-id / 0 : 37(h'993a383a41134c999c333a13414a546d'),
/ comid.vendor / 1 : "FW Manufacturer X",
/ comid.model / 2 : "TF-M"
}
},
/ measurement-map / {
/ comid.mval / 1 : {
/ comid.version / 0 : {
/version / 0: "1.0.0"
},
/ comid.digests / 2 : [
[
/ hash-alg-id / 1, / sha256 /
/ hash-value / h'9c49c3f7b15f62db77deb9a5fa5a21e516edb15bb7b2214654695a59ac492d9e'
]
]
}
}
]
Visually
flowchart TD
subgraph Attester1["Stateful Environment- TF-M"]
TEx["TF-M"]
TEy["comid.version-1.0.0 \ncomid.digests=(9c49c3f7b1...)"]
TEx -.- TEy
end
$stateful-domain-type-choice /= environment-map
$stateful-domain-type-choice /= stateful-environment-record
- A stateful domain composition triple is defined with a
stateful-domainset tostateful-environment-recordas a subject and is composed of multiple stateful evironments
stateful-domain-triple-record = [
; associates a stateful domain name to a series of stateful environments
subject: $stateful-environment-record ; the stateful environment record identifying the name of the stateful environment
object: [stateful-environment-record] ; a list of stateful environments associated to the stateful domain
]
For the PSA sub-attester the example CDDL for the stateful-domain-record which is identified with a specific
revision of PSA implementation-id as the stateful environment which comprises a set of specific revisions of
"BL" and "TF-M" components, as given below.
[
[
/ environment-map / {
/ comid.class / 0 : {
/ comid.class-id / 0 : / tagged-impl-id-type / 600(
h'61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031'
),
/ comid.vendor / 1 : "ACME Ltd.",
/ comid.model / 2 : "PSA RoT"
}
},
/ measurement-map / {
/ comid.mval / 1 : {
/ comid.version / 0 : {
/ version / 0: "1.0.0"
},
}
},
],
[
[
/ environment-map / {
/ comid.class / 0 : {
/ comid.class-id / 0 : 37(h'57057d658db1403b9e387f9f0fa604cf'),
/ comid.vendor / 1 : "FW Manufacturer X",
/ comid.model / 2 : "BL"
}
},
/ measurement-map / {
/ comid.mval / 1 : {
/ comid.version / 0 : {
/ version / 0: "1.0.0"
},
/ comid.digests / 2 : [
[
/ hash-alg-id / 1, / sha256 /
/ hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
]
]
}
},
],
[
/ environment-map / {
/ comid.class / 0 : {
/ comid.class-id / 0 : 37(h'993a383a41134c999c333a13414a546d'),
/ comid.vendor / 1 : "FW Manufacturer X",
/ comid.model / 2 : "TF-M"
}
},
/ measurement-map / {
/ comid.mval / 1 : {
/ comid.version / 0 : {
/version / 0: "1.0.0"
},
/ comid.digests / 2 : [
[
/ hash-alg-id / 1, / sha256 /
/ hash-value / h'9c49c3f7b15f62db77deb9a5fa5a21e516edb15bb7b2214654695a59ac492d9e'
]
]
}
}
]
]
]
Visually
flowchart TD
PSA["class-id=600(61636d652...)\n model= PSA RoT"]
PSA-VER["version=1.0.0"]
BL["class-id=57057D65-...\nmodel=BL"]
BL_M1["version=1.0.0\ndigest=44aa336a..."]
TF-M["class-id=993A383A-...\nmodel=TF-M"]
TF-M_M1["version=1.0.0\ndigest=9c49c3f7..."]
subgraph PSA-name["PSA Stateful Domain"]
PSA
PSA-VER
PSA -.- PSA-VER
end
subgraph PSA-target1["BL"]
BL
BL_M1
BL -.- BL_M1
end
subgraph PSA-target2["TF-M"]
TF-M
TF-M_M1
TF-M -.- TF-M_M1
end
PSA-name --- PSA-target1
PSA-name --- PSA-target2
[
[
/ environment-map / {
/ comid.class / 0 : {
/ comid.class-id / 0 : / tagged-impl-id-type / 600(
h'61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031'
),
/ comid.vendor / 1 : "ACME Ltd.",
/ comid.model / 2 : "PSA RoT"
}
},
/ measurement-map / {
/ comid.mval / 1 : {
/ comid.version / 0 : {
/ version / 0: "1.0.0"
},
}
},
],
/ measurement-map / {
/ comid.mval / 1 : {
/ comid.name / 11 : {
/ name / 0: "Tester-X PSA security certificate" ; certificate version
},
/ comid.serial-number / 8 : {
/ serial-number / 0: "4567893241" ; certificate number
},
/ comid.version / 0 : {
/ version / 0: "1.0.0" ; certificate version
},
}
},
],
Visually
flowchart TD
PSA["class-id=600(61636d652...)\n model= PSA RoT"]
PSA-VER["version=1.0.0"]
BL_M1["name =Tester-X PSA security certificate\nserial-number=4567893241\nversion=1.0.0"]
subgraph PSA-name["PSA Stateful Domain"]
PSA
PSA-VER
PSA -.- PSA-VER
end
subgraph PSA-target1["PSA-Certification"]
BL_M1
end
PSA-name --- PSA-target1
The Security Certificate for the same Stateful Domain can be updated using the Endorsed Triple semantics specifying
the Stateful Domain as the subject and new revision of the certificate in the object
Example CDDL as below
[
[
/ environment-map / {
/ comid.class / 0 : {
/ comid.class-id / 0 : / tagged-impl-id-type / 600(
h'61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031'
),
/ comid.vendor / 1 : "ACME Ltd.",
/ comid.model / 2 : "PSA RoT"
}
},
/ measurement-map / {
/ comid.mval / 1 : {
/ comid.version / 0 : {
/ version / 0: "1.0.0"
},
}
},
],
/ measurement-map / {
/ comid.mval / 1 : {
/ comid.name / 11 : {
/ name / 0: "Tester-X PSA security certificate" ; certificate version
},
/ comid.serial-number / 8 : {
/ serial-number / 0: "12345678456" ; certificate number
},
/ comid.version / 0 : {
/ version / 0: "1.0.1" ; certificate version
},
}
},
],
Visually
flowchart TD
PSA["class-id=600(61636d652...)\n model= PSA RoT"]
PSA-VER["version=1.0.0"]
BL_M1["name =Tester-X PSA security certificate\nserial-number=12345678456\nversion=1.0.1"]
subgraph PSA-name["PSA Stateful Domain"]
PSA
PSA-VER
PSA -.- PSA-VER
end
subgraph PSA-target1["PSA-Certification"]
BL_M1
end
PSA-name --- PSA-target1