
Layered Conditional Endorsements

Thomas Fossati edited this page Sep 28, 2023 · 24 revisions

Conditional Endorsements

This proposal builds on top of the "Composite device description using domain membership triples" design described here.

Introduction

There are cases where Endorsed Values are applicable to an Environment only if Evidence matches certain Reference Values.

For example:

  • A given security certification has been granted to an Attester (or sub-Attester) that runs a specific version of a certain software component. Before associating the certification data with the Attester, the Verifier must make sure that the relevant claims in Evidence match the expected "certified" measurements.

  • Given test data pertain only to a set of specific Target Environments whose measurements are at a specific revision.

To model this requirement we use the concept of a "Stateful Environment" documented in the CoRIM draft.

Endorsement addition to PSA sub-attester

The Endorser wants to provision a Security Certificate that belongs to the PSA sub-attester.

Define a Stateful Environment for each component of the PSA sub-attester as follows.

a. Define a Stateful Environment for the boot-loader (BL) component

[
    / environment-map / {
        / comid.class / 0 : {
            / comid.class-id / 0 : 37(h'57057d658db1403b9e387f9f0fa604cf'),
            / comid.vendor /   1 : "FW Manufacturer X",
            / comid.model /    2 : "BL"
        }
    },

    / measurement-map / {
        / comid.mval / 1 : {
            / comid.version / 0 : {
                / version / 0: "1.0.0"
            },
            / comid.digests / 2 : [
                [
                    / hash-alg-id / 1, / sha256 /
                    / hash-value /  h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
                ]
            ]
        }
    },
]

Visually

flowchart TD
  subgraph Attester1["Stateful Environment- BL"]
        TEx["BL"]
        TEy["comid.version-1.0.0 \ncomid.digests=(44aa336af4...)"]
        TEx -.- TEy
    end

b. Define a Stateful Environment for the TF-M component

[
    / environment-map / {
        / comid.class / 0 : {
            / comid.class-id / 0 : 37(h'993a383a41134c999c333a13414a546d'),
            / comid.vendor /   1 : "FW Manufacturer X",
            / comid.model /    2 : "TF-M"
        }
    },
    / measurement-map / {
        / comid.mval / 1 : {
            / comid.version / 0 : {
                / version / 0: "1.0.0"
            },
            / comid.digests / 2 : [
                [
                    / hash-alg-id / 1, / sha256 /
                    / hash-value /  h'9c49c3f7b15f62db77deb9a5fa5a21e516edb15bb7b2214654695a59ac492d9e'
                ]
            ]
        }
    }
]

Visually

flowchart TD

  subgraph Attester1["Stateful Environment- TF-M"]
        TEx["TF-M"]
        TEy["comid.version-1.0.0 \ncomid.digests=(9c49c3f7b1...)"]
        TEx -.- TEy
    end

Define Stateful Domain

$stateful-domain-type-choice /= uint
$stateful-domain-type-choice /= text
$stateful-domain-type-choice /= environment-map
$stateful-domain-type-choice /= stateful-environment-record
  • Note that the stateful domain name can also be a stateful-environment-record. This enables composition of richer groupings, where a lead stateful domain comprises multiple stateful domain records. A stateful domain can also be updated.

  • A stateful domain composition triple is defined with a stateful domain whose name is a stateful-environment-record as the subject, and is composed of multiple stateful environments as the object:

stateful-domain-record = [
  ; associates a stateful domain name with a series of stateful environments
  subject: $stateful-domain-type-choice   ; stateful domain name
  object: [+ stateful-environment-record] ; the stateful environments that belong to the domain
]

For the PSA sub-attester, the stateful-domain-record below (in CBOR diagnostic notation) has as its subject a stateful environment identified by a specific revision of the PSA implementation-id, and as its object the set of specific revisions of the "BL" and "TF-M" components.

[
    [
     / environment-map / {
            / comid.class / 0 : {
                / comid.class-id / 0 : / tagged-impl-id-type / 600(
                    h'61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031'
                ),
                / comid.vendor / 1 : "ACME Ltd.",
                / comid.model /  2 : "PSA RoT"
            }
        },

     / measurement-map / {
            / comid.mval / 1 : {
                / comid.version / 0 : {
                    / version / 0: "1.0.0"
                },
            }
        },
    ],
    [
        [
            / environment-map / {
                / comid.class / 0 : {
                    / comid.class-id / 0 : 37(h'57057d658db1403b9e387f9f0fa604cf'),
                    / comid.vendor /   1 : "FW Manufacturer X",
                    / comid.model /    2 : "BL"
                }
            },

            / measurement-map / {
                / comid.mval / 1 : {
                    / comid.version / 0 : {
                        / version / 0: "1.0.0"
                    },
                    / comid.digests / 2 : [
                        [
                            / hash-alg-id / 1, / sha256 /
                            / hash-value /  h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
                        ]
                    ]
                }
            },
        ],
        [
            / environment-map / {
                / comid.class / 0 : {
                    / comid.class-id / 0 : 37(h'993a383a41134c999c333a13414a546d'),
                    / comid.vendor /   1 : "FW Manufacturer X",
                    / comid.model /    2 : "TF-M"
                }
            },
            / measurement-map / {
                / comid.mval / 1 : {
                    / comid.version / 0 : {
                        / version / 0: "1.0.0"
                    },
                    / comid.digests / 2 : [
                        [
                            / hash-alg-id / 1, / sha256 /
                            / hash-value /  h'9c49c3f7b15f62db77deb9a5fa5a21e516edb15bb7b2214654695a59ac492d9e'
                        ]
                    ]
                }
            }
        ]
    ]
]

Visually

flowchart TD
PSA["class-id=600(61636d652...)\n model= PSA RoT"]
  PSA-VER["version=1.0.0"]
  BL["class-id=57057D65-...\nmodel=BL"]
  BL_M1["version=1.0.0\ndigest=44aa336a..."]
  TF-M["class-id=993A383A-...\nmodel=TF-M"]
  TF-M_M1["version=1.0.0\ndigest=9c49c3f7..."]
  subgraph PSA-name["PSA Stateful Domain"]
    PSA
    PSA-VER
    PSA -.- PSA-VER
  end
  subgraph PSA-target1["BL"]
    BL
    BL_M1
    BL -.- BL_M1
  end

  subgraph PSA-target2["TF-M"]
    TF-M
    TF-M_M1
     TF-M -.- TF-M_M1
  end
 


  PSA-name --- PSA-target1
  PSA-name --- PSA-target2

Security Certification of the PSA sub-attester

The conditional endorsement uses the PSA Stateful Domain, identified by its subject stateful environment, as the subject, and the certificate data as the endorsed measurement-map:

[
   [
     / environment-map / {
            / comid.class / 0 : {
                / comid.class-id / 0 : / tagged-impl-id-type / 600(
                    h'61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031'
                ),
                / comid.vendor / 1 : "ACME Ltd.",
                / comid.model /  2 : "PSA RoT"
            }
        },

     / measurement-map / {
            / comid.mval / 1 : {
                / comid.version / 0 : {
                    / version / 0: "1.0.0"
                },
            }
        },
    ],
    / measurement-map / {
        / comid.mval / 1 : {
            / comid.name / 11 : {
                / name / 0: "Tester-X PSA security certificate"  / certificate name /
            },
            / comid.serial-number / 8 : {
                / serial-number / 0: "4567893241"  / certificate number /
            },
            / comid.version / 0 : {
                / version / 0: "1.0.0"  / certificate version /
            },
        }
    },
],

Visually

flowchart TD
PSA["class-id=600(61636d652...)\n model= PSA RoT"]
  PSA-VER["version=1.0.0"]
  BL_M1["name =Tester-X PSA security certificate\nserial-number=4567893241\nversion=1.0.0"]

  subgraph PSA-name["PSA Stateful Domain"]
    PSA
    PSA-VER
    PSA -.- PSA-VER
  end
  subgraph PSA-target1["PSA-Certification"]
    BL_M1
  end

  PSA-name --- PSA-target1

Endorsement update to PSA sub-attester

The Security Certificate for the same Stateful Domain can be updated using the Endorsed Triple semantics, with the Stateful Domain as the subject and the new revision of the certificate as the object. The Verifier only associates the new certificate with the Attester when the domain still matches Evidence.

Example in CBOR diagnostic notation:

[
   [
     / environment-map / {
            / comid.class / 0 : {
                / comid.class-id / 0 : / tagged-impl-id-type / 600(
                    h'61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031'
                ),
                / comid.vendor / 1 : "ACME Ltd.",
                / comid.model /  2 : "PSA RoT"
            }
        },

     / measurement-map / {
            / comid.mval / 1 : {
                / comid.version / 0 : {
                    / version / 0: "1.0.0"
                },
            }
        },
    ],

    / measurement-map / {
        / comid.mval / 1 : {
            / comid.name / 11 : {
                / name / 0: "Tester-X PSA security certificate"  / certificate name /
            },
            / comid.serial-number / 8 : {
                / serial-number / 0: "12345678456"  / certificate number /
            },
            / comid.version / 0 : {
                / version / 0: "1.0.1"  / certificate version /
            },
        }
    },
],

Visually

flowchart TD
PSA["class-id=600(61636d652...)\n model= PSA RoT"]
  PSA-VER["version=1.0.0"]
  BL_M1["name =Tester-X PSA security certificate\nserial-number=12345678456\nversion=1.0.1"]

  subgraph PSA-name["PSA Stateful Domain"]
    PSA
    PSA-VER
    PSA -.- PSA-VER
  end
  subgraph PSA-target1["PSA-Certification"]
    BL_M1
  end

  PSA-name --- PSA-target1
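The check a Verifier has to perform for the PSA Stateful Domain defined above, and the way the conditional certificate endorsement and its update are applied on top of it, as an added example in Go. This is not code from this page or from the CoRIM/Veraison projects: the types, `DomainMatches` and `ApplyEndorsements` are illustrative assumptions, and the evidence inputs are constructed to mirror the diagnostic-notation examples on this page.

```go
package main

import "fmt"

// Environment carries the identifying fields of a CoMID environment-map.
// ClassTag keeps the CBOR tag (37 = UUID, 600 = tagged-impl-id-type) so a
// UUID and an impl-id with identical bytes remain different classes.
type Environment struct {
	ClassTag int
	ClassID  string // hex of the tagged class-id payload
	Vendor   string
	Model    string
}

// Measurement is the subset of measurement-values-map used on this page.
type Measurement struct {
	Version string
	Digest  string // hex SHA-256; empty when the reference records only a version
}

// StatefulEnvironment pairs an environment-map with the state it must be in.
type StatefulEnvironment struct {
	Env  Environment
	Meas Measurement
}

// StatefulDomain models the stateful-domain-record: subject plus members.
type StatefulDomain struct {
	Subject StatefulEnvironment
	Members []StatefulEnvironment
}

// Certificate is the endorsed value (name, serial-number, version).
type Certificate struct{ Name, Serial, Version string }

// ConditionalEndorsement: Cert is endorsed only while Domain matches evidence.
type ConditionalEndorsement struct {
	Domain StatefulDomain
	Cert   Certificate
}

// Evidence is what the Verifier extracted from the token, keyed by environment.
type Evidence map[Environment]Measurement

// matches requires an equal version and, when the reference carries a digest,
// an equal digest. A digest-less reference (the PSA RoT subject) constrains
// only the version.
func (ref Measurement) matches(ev Measurement) bool {
	return ref.Version == ev.Version && (ref.Digest == "" || ref.Digest == ev.Digest)
}

// DomainMatches returns nil when the subject and every member of the domain
// are present in evidence in the required state, otherwise the first mismatch.
func DomainMatches(d StatefulDomain, ev Evidence) error {
	for _, se := range append([]StatefulEnvironment{d.Subject}, d.Members...) {
		got, ok := ev[se.Env]
		if !ok {
			return fmt.Errorf("%s/%s: not present in evidence", se.Env.Vendor, se.Env.Model)
		}
		if !se.Meas.matches(got) {
			return fmt.Errorf("%s/%s: evidence %+v does not match reference %+v",
				se.Env.Vendor, se.Env.Model, got, se.Meas)
		}
	}
	return nil
}

// ApplyEndorsements evaluates endorsements in provisioning order. A later
// endorsement for the same subject replaces the earlier certificate (the
// update on this page); a domain that does not match is skipped, so the
// Attester simply does not receive that certificate claim.
func ApplyEndorsements(ends []ConditionalEndorsement, ev Evidence) map[Environment]Certificate {
	out := map[Environment]Certificate{}
	for _, e := range ends {
		if DomainMatches(e.Domain, ev) != nil {
			continue
		}
		out[e.Domain.Subject.Env] = e.Cert
	}
	return out
}

// Constructed data mirroring the diagnostic-notation examples on this page.
var (
	PSARoT    = Environment{600, "61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031", "ACME Ltd.", "PSA RoT"}
	BL        = Environment{37, "57057d658db1403b9e387f9f0fa604cf", "FW Manufacturer X", "BL"}
	TFM       = Environment{37, "993a383a41134c999c333a13414a546d", "FW Manufacturer X", "TF-M"}
	BLDigest  = "44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b"
	TFMDigest = "9c49c3f7b15f62db77deb9a5fa5a21e516edb15bb7b2214654695a59ac492d9e"

	PSADomain = StatefulDomain{
		Subject: StatefulEnvironment{PSARoT, Measurement{Version: "1.0.0"}},
		Members: []StatefulEnvironment{{BL, Measurement{"1.0.0", BLDigest}}, {TFM, Measurement{"1.0.0", TFMDigest}}},
	}
	// The original certificate followed by its update for the same domain.
	Endorsements = []ConditionalEndorsement{
		{PSADomain, Certificate{"Tester-X PSA security certificate", "4567893241", "1.0.0"}},
		{PSADomain, Certificate{"Tester-X PSA security certificate", "12345678456", "1.0.1"}},
	}
)

// GoodEvidence is constructed evidence in the certified state.
func GoodEvidence() Evidence {
	return Evidence{PSARoT: {Version: "1.0.0"}, BL: {"1.0.0", BLDigest}, TFM: {"1.0.0", TFMDigest}}
}

// TamperedEvidence keeps the certified TF-M version string but a different
// binary: the digest no longer matches the reference value.
func TamperedEvidence() Evidence {
	ev := GoodEvidence()
	ev[TFM] = Measurement{"1.0.0", "deadbeef" + TFMDigest[8:]}
	return ev
}

func main() {
	fmt.Println(ApplyEndorsements(Endorsements, GoodEvidence()))     // certificate 1.0.1 on PSA RoT
	fmt.Println(ApplyEndorsements(Endorsements, TamperedEvidence())) // map[]
}
```

The point to take from the example is that the certificate is never attached to the Attester when any member of the domain is absent from Evidence or is at a different measurement, and that the update replaces the earlier certificate only because both endorsements name the same subject and both domains match; a version string alone is not enough, the digest must match wherever the reference carries one.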