Layered Conditional Endorsements
This proposal builds on top of the "Composite device description using domain membership triples" proposal.
There are cases where Endorsed Values are applicable to an Environment only if the Evidence matches certain Reference Values.
One example is that of a security certification granted to an Attester (or sub-Attester) running a combination of certain software component(s) at a specific version. In this case, the Verifier must make sure that the current "accepted state" matches the expected, "certified" measurements before letting the certificate data into the accepted state.
Another example is that of high-level controls or benchmarks that can be cleared by a complex, composite Attester only if a given combination of Target Environments is running a specific software revision and configuration.
To model these use cases we reuse CoRIM's "Stateful Environment" primitive.
The example reuses the composite device arrangement from "Composite device modelling using (extended) domain-membership-triples":
```mermaid
flowchart TD
Domain1["PSA sub-attester"]
subgraph Attester1[" "]
TEx["BL"]
TEy["TF-M"]
end
Domain2["GPU sub-attester"]
subgraph Attester2[" "]
TE2["GPU FW"]
end
Domain1 --> Attester1
Domain2 --> Attester2
Domain0["Lead Attester"]
subgraph DomainComp[" "]
Domain1
Domain2
end
Domain0 --> DomainComp
```
The Endorser wants to provision a Security Certificate that belongs to the PSA sub-attester.
a. Define a Stateful Environment for the boot-loader (BL) component
Visually:
```mermaid
flowchart TD
subgraph Attester1["Stateful Environment- BL"]
TEx["BL"]
TEy["comid.version-1.0.0 \ncomid.digests=(44aa336af4...)"]
TEx -.- TEy
end
```
```
[
  / environment-map / {
    / comid.class / 0 : {
      / comid.class-id / 0 : 37(h'57057d658db1403b9e387f9f0fa604cf'),
      / comid.vendor / 1 : "FW Manufacturer X",
      / comid.model / 2 : "BL"
    }
  },
  / measurement-map / {
    / comid.mval / 1 : {
      / comid.version / 0 : {
        / version / 0: "1.0.0"
      },
      / comid.digests / 2 : [
        [
          / hash-alg-id / 1, / sha256 /
          / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
        ]
      ]
    }
  }
]
```
b. Define a Stateful Environment for the TF-M component
Visually:
```mermaid
flowchart TD
subgraph Attester1["Stateful Environment- TF-M"]
TEx["TF-M"]
TEy["comid.version-1.0.0 \ncomid.digests=(9c49c3f7b1...)"]
TEx -.- TEy
end
```
```
[
  / environment-map / {
    / comid.class / 0 : {
      / comid.class-id / 0 : 37(h'993a383a41134c999c333a13414a546d'),
      / comid.vendor / 1 : "FW Manufacturer X",
      / comid.model / 2 : "TF-M"
    }
  },
  / measurement-map / {
    / comid.mval / 1 : {
      / comid.version / 0 : {
        / version / 0: "1.0.0"
      },
      / comid.digests / 2 : [
        [
          / hash-alg-id / 1, / sha256 /
          / hash-value / h'9c49c3f7b15f62db77deb9a5fa5a21e516edb15bb7b2214654695a59ac492d9e'
        ]
      ]
    }
  }
]
```
```
$stateful-domain-type-choice /= environment-map
$stateful-domain-type-choice /= stateful-environment-record
```
A Stateful Domain defines a particular Sub-Attester Product together with its revision.
The benefits of a Stateful Domain:
- It uniquely identifies a particular Sub-Attester Composition (with a specific revision) and links it to the Sub-Attester Elements (see below).
- A Stateful Domain is published by an OEM and is used by different Supply Chain Endorsers (such as Common Criteria and FIPS certification bodies) to run Certification Programs and issue multiple Endorsements pertaining to the Stateful Domain at different points in time.
- The Endorsers (Certification Bodies) need not care about the composition, as this is described by the stateful-domain-triple-record (see below), which is under the control of the OEM.
- A stateful domain composition triple is defined with a stateful-domain set to stateful-environment-record as its subject, and is composed of multiple stateful environments:
```
stateful-domain-triple-record = [
  ; associates a stateful domain name to a series of stateful environments
  subject: $stateful-environment-record ; the stateful environment record naming the stateful domain
  object: [ + stateful-environment-record ] ; the stateful environments composing the stateful domain
]
```
Visually:
```mermaid
flowchart TD
PSA["class-id=600(61636d652...)\n model= PSA RoT"]
PSA-VER["version=1.0.0"]
BL["class-id=57057D65-...\nmodel=BL"]
BL_M1["version=1.0.0\ndigest=44aa336a..."]
TF-M["class-id=993A383A-...\nmodel=TF-M"]
TF-M_M1["version=1.0.0\ndigest=9c49c3f7..."]
subgraph PSA-name["PSA Stateful Domain"]
PSA
PSA-VER
PSA -.- PSA-VER
end
subgraph PSA-target1["BL"]
BL
BL_M1
BL -.- BL_M1
end
subgraph PSA-target2["TF-M"]
TF-M
TF-M_M1
TF-M -.- TF-M_M1
end
PSA-name --- PSA-target1
PSA-name --- PSA-target2
```
For the PSA sub-attester, the example stateful-domain-triple-record is given below. The subject is the PSA implementation-id environment at a specific revision (which is what makes it stateful), and it is associated with specific revisions of the "BL" and "TF-M" components.
```
[
  [
    / environment-map / {
      / comid.class / 0 : {
        / comid.class-id / 0 : / tagged-impl-id-type / 600(
          h'61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031'
        ),
        / comid.vendor / 1 : "ACME Ltd.",
        / comid.model / 2 : "PSA RoT"
      }
    },
    / measurement-map / {
      / comid.mval / 1 : {
        / comid.version / 0 : {
          / version / 0: "1.0.0"
        }
      }
    }
  ],
  [
    [
      / environment-map / {
        / comid.class / 0 : {
          / comid.class-id / 0 : 37(h'57057d658db1403b9e387f9f0fa604cf'),
          / comid.vendor / 1 : "FW Manufacturer X",
          / comid.model / 2 : "BL"
        }
      },
      / measurement-map / {
        / comid.mval / 1 : {
          / comid.version / 0 : {
            / version / 0: "1.0.0"
          },
          / comid.digests / 2 : [
            [
              / hash-alg-id / 1, / sha256 /
              / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
            ]
          ]
        }
      }
    ],
    [
      / environment-map / {
        / comid.class / 0 : {
          / comid.class-id / 0 : 37(h'993a383a41134c999c333a13414a546d'),
          / comid.vendor / 1 : "FW Manufacturer X",
          / comid.model / 2 : "TF-M"
        }
      },
      / measurement-map / {
        / comid.mval / 1 : {
          / comid.version / 0 : {
            / version / 0: "1.0.0"
          },
          / comid.digests / 2 : [
            [
              / hash-alg-id / 1, / sha256 /
              / hash-value / h'9c49c3f7b15f62db77deb9a5fa5a21e516edb15bb7b2214654695a59ac492d9e'
            ]
          ]
        }
      }
    ]
  ]
]
```
PSA Certification from an Independent Certification Body can be modelled using a Conditional Endorsement Triple.
The Verifier accepts the Endorsements identified by the measurement-values-map when it can find a stateful environment matching the stateful-environment-record in its database.
Visually:
```mermaid
flowchart TD
PSA["class-id=600(61636d652...)\n model= PSA RoT"]
PSA-VER["version=1.0.0"]
BL_M1["name =Tester-X PSA security certificate\nserial-number=4567893241\nversion=1.0.0"]
subgraph PSA-name["PSA Stateful Domain"]
PSA
PSA-VER
PSA -.- PSA-VER
end
subgraph PSA-target1["PSA-Certification"]
BL_M1
end
PSA-name --- PSA-target1
```
```
[
  [
    / environment-map / {
      / comid.class / 0 : {
        / comid.class-id / 0 : / tagged-impl-id-type / 600(
          h'61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031'
        ),
        / comid.vendor / 1 : "ACME Ltd.",
        / comid.model / 2 : "PSA RoT"
      }
    },
    / measurement-map / {
      / comid.mval / 1 : {
        / comid.version / 0 : {
          / version / 0: "1.0.0"
        }
      }
    }
  ],
  / measurement-map / {
    / comid.mval / 1 : {
      / comid.name / 11 : {
        / name / 0: "Tester-X PSA security certificate" ; certificate name
      },
      / comid.serial-number / 8 : {
        / serial-number / 0: "4567893241" ; certificate number
      },
      / comid.version / 0 : {
        / version / 0: "1.0.0" ; certificate version
      }
    }
  }
]
```
a. Define a Stateful Environment for the GPU-FW component
Visually:
```mermaid
flowchart TD
subgraph Attester1["Stateful Environment- GPU-FW"]
TEx["GPU-FW"]
TEy["comid.version-1.0.0 \ncomid.digests=(34b03909f1...)"]
TEx -.- TEy
end
```
```
[
  / environment-map / {
    / comid.class / 0 : {
      / comid.class-id / 0 : 37(h'67057d658db1403b9e387f9f0fa604cf'),
      / comid.vendor / 1 : "GPU Manufacturer X",
      / comid.model / 2 : "GPU-FW"
    }
  },
  / measurement-map / {
    / comid.mval / 1 : {
      / comid.version / 0 : {
        / version / 0: "1.0.0"
      },
      / comid.digests / 2 : [
        [
          / hash-alg-id / 1, / sha256 /
          / hash-value / h'34b03909f183581749721835ea2473e9377647da3cf7c7169b9b78e77ec260a2'
        ]
      ]
    }
  }
]
```
For the GPU sub-attester, the example stateful-domain-triple-record is given below. The subject is the GPU UUID environment at a specific revision (which is what makes it stateful), and it is associated with a specific revision of the "GPU-FW" component.
Visually:
```mermaid
flowchart TD
GPU["class-id=37(c77b8c870...)\nmodel=Fancy 2.0"]
GPU-VER["version=1.0.0"]
FW["class-id=67057D65-...\nmodel=GPU-FW"]
GPU_M1["version=1.0.0\ndigest=34b03909..."]
subgraph GPU-name["GPU Stateful Domain"]
GPU
GPU-VER
GPU -.- GPU-VER
end
subgraph GPU-target1["GPU-FW"]
FW
GPU_M1
FW -.- GPU_M1
end
GPU-name --- GPU-target1
```
```
[
  [
    / environment-map / {
      / comid.class / 0 : {
        / comid.class-id / 0 : 37(h'c77b8c870b4a44058b024e5388ffd8e6'),
        / comid.vendor / 1 : "GPUs Inc.",
        / comid.model / 2 : "Fancy 2.0"
      }
    },
    / measurement-map / {
      / comid.mval / 1 : {
        / comid.version / 0 : {
          / version / 0: "1.0.0"
        }
      }
    }
  ],
  [
    [
      / environment-map / {
        / comid.class / 0 : {
          / comid.class-id / 0 : 37(h'67057d658db1403b9e387f9f0fa604cf'),
          / comid.vendor / 1 : "GPU Manufacturer X",
          / comid.model / 2 : "GPU-FW"
        }
      },
      / measurement-map / {
        / comid.mval / 1 : {
          / comid.version / 0 : {
            / version / 0: "1.0.0"
          },
          / comid.digests / 2 : [
            [
              / hash-alg-id / 1, / sha256 /
              / hash-value / h'34b03909f183581749721835ea2473e9377647da3cf7c7169b9b78e77ec260a2'
            ]
          ]
        }
      }
    ]
  ]
]
```
GPU Certification from an Independent Certification Body can be modelled using a Conditional Endorsement Triple.
The Verifier accepts the Endorsements identified by the measurement-values-map when it can find a stateful environment matching the stateful-environment-record in its database.
Visually:
```mermaid
flowchart TD
GPU["class-id=37(c77b8c870...)\nmodel=Fancy 2.0"]
GPU-VER["version=1.0.0"]
GPU-FW["name =Tester-Y GPU system certificate\nserial-number=876543\nversion=1.0.0"]
subgraph GPU-name["GPU Stateful Domain"]
GPU
GPU-VER
GPU -.- GPU-VER
end
subgraph GPU-target1["GPU-Certification"]
GPU-FW
end
GPU-name --- GPU-target1
```
```
[
  [
    / environment-map / {
      / comid.class / 0 : {
        / comid.class-id / 0 : 37(h'c77b8c870b4a44058b024e5388ffd8e6'),
        / comid.vendor / 1 : "GPUs Inc.",
        / comid.model / 2 : "Fancy 2.0"
      }
    },
    / measurement-map / {
      / comid.mval / 1 : {
        / comid.version / 0 : {
          / version / 0: "1.0.0"
        }
      }
    }
  ],
  / measurement-map / {
    / comid.mval / 1 : {
      / comid.name / 11 : {
        / name / 0: "Tester-Y GPU system certificate" ; certificate name
      },
      / comid.serial-number / 8 : {
        / serial-number / 0: "876543" ; certificate number
      },
      / comid.version / 0 : {
        / version / 0: "1.0.0" ; certificate version
      }
    }
  }
]
```
The following use case has been highlighted:
- The Lead Attester is issued an Endorsement (for example a Security Certificate) iff the Verifier has the matching Endorsements pertaining to the Sub-Attesters.
- In the example below, the Supply Chain Actor for the Lead Attester, identified by a Stateful Environment, issues an Endorsement iff the PSA sub-attester has a PSA Security Certification with the Number shown above from Tester X AND the GPU sub-attester has a GPU System Certification with the Number shown above from Tester Y.
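The Verifier-side evaluation this page describes, from the stateful-domain-triple-record through the Conditional Endorsement Triples to the layered Lead Attester endorsement of the use case above, as an added Python example that is not CoRIM project code. It models the decoded CBOR structures as Python dicts and lists with the page's integer keys; the class-ids, digests and certificate values are the page's own, while the Lead Attester's environment, the shape of the layered triple (a list of required sub-Attester stateful environments, the target environment, and the endorsed values) and the lead certificate values are assumptions made for this example. The matching rule (every Reference Value must be present in the accepted state) is also an assumption, since the page does not spell it out.

```python
from copy import deepcopy

# measurement-values-map keys as used in the page's CoMID fragments
K_VERSION, K_DIGESTS, K_SERIAL, K_NAME = 0, 2, 8, 11
SHA256 = 1  # hash-alg-id


def env(class_id, vendor, model):
    """environment-map: comid.class/0 holding class-id/0, vendor/1, model/2."""
    return {0: {0: class_id, 1: vendor, 2: model}}


def env_key(env_map):
    """Hashable identity of an environment-map: (class-id, vendor, model)."""
    cls = env_map[0]
    return (cls[0], cls.get(1), cls.get(2))


def record(env_map, mvals):
    """stateful-environment-record = [environment-map, measurement-map]."""
    return [env_map, {1: mvals}]  # comid.mval/1 holds the measurement-values-map


def matches(reference, actual):
    """Assumed matching rule: every reference value must be present in the actual
    values. For digests each reference (alg, value) pair must be among the actual
    ones; any other key must be present and equal."""
    for k, ref in reference.items():
        if k not in actual:
            return False
        if k == K_DIGESTS:
            have = {(a, v) for a, v in actual[k]}
            if not all((a, v) in have for a, v in ref):
                return False
        elif actual[k] != ref:
            return False
    return True


def record_matches(rec, state):
    """Is this stateful environment found in the accepted state?"""
    key = env_key(rec[0])
    return key in state and matches(rec[1][1], state[key])


def apply_stateful_domain(triple, state):
    """[subject, [member records]]: the subject enters the accepted state only
    when every member stateful environment is already matched by the accepted state."""
    subject, members = triple
    if not all(record_matches(m, state) for m in members):
        return False
    state.setdefault(env_key(subject[0]), {}).update(deepcopy(subject[1][1]))
    return True


def apply_conditional_endorsement(triple, state):
    """[stateful-environment-record, measurement-values-map]: the endorsed values
    are added to the environment only when its stateful environment is accepted."""
    condition, endorsed = triple
    if not record_matches(condition, state):
        return False
    state[env_key(condition[0])].update(deepcopy(endorsed))
    return True


def apply_layered_endorsement(triple, state):
    """Assumed shape for the Lead Attester case: [[required records], target
    environment-map, measurement-values-map]. Released iff every required
    sub-Attester stateful environment (carrying its certificate values) is accepted."""
    required, target, endorsed = triple
    if not all(record_matches(r, state) for r in required):
        return False
    state.setdefault(env_key(target), {}).update(deepcopy(endorsed))
    return True


# --- constructed data; class-ids, digests and certificate values are the page's own ---
def tagged(tag, hex_id):
    return (tag, bytes.fromhex(hex_id))


BL = env(tagged(37, "57057d658db1403b9e387f9f0fa604cf"), "FW Manufacturer X", "BL")
TFM = env(tagged(37, "993a383a41134c999c333a13414a546d"), "FW Manufacturer X", "TF-M")
GPUFW = env(tagged(37, "67057d658db1403b9e387f9f0fa604cf"), "GPU Manufacturer X", "GPU-FW")
PSA = env(tagged(600, "61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031"),
          "ACME Ltd.", "PSA RoT")
GPU = env(tagged(37, "c77b8c870b4a44058b024e5388ffd8e6"), "GPUs Inc.", "Fancy 2.0")
LEAD = env(tagged(37, "00" * 16), "ACME Ltd.", "Lead Attester")  # placeholder class-id (assumed)

BL_DIG = bytes.fromhex("44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b")
TFM_DIG = bytes.fromhex("9c49c3f7b15f62db77deb9a5fa5a21e516edb15bb7b2214654695a59ac492d9e")
GPUFW_DIG = bytes.fromhex("34b03909f183581749721835ea2473e9377647da3cf7c7169b9b78e77ec260a2")


def sw(digest):
    return {K_VERSION: "1.0.0", K_DIGESTS: [(SHA256, digest)]}


PSA_DOMAIN = [record(PSA, {K_VERSION: "1.0.0"}), [record(BL, sw(BL_DIG)), record(TFM, sw(TFM_DIG))]]
GPU_DOMAIN = [record(GPU, {K_VERSION: "1.0.0"}), [record(GPUFW, sw(GPUFW_DIG))]]
PSA_CERT = [record(PSA, {K_VERSION: "1.0.0"}),
            {K_NAME: "Tester-X PSA security certificate", K_SERIAL: "4567893241", K_VERSION: "1.0.0"}]
GPU_CERT = [record(GPU, {K_VERSION: "1.0.0"}),
            {K_NAME: "Tester-Y GPU system certificate", K_SERIAL: "876543", K_VERSION: "1.0.0"}]
LEAD_CERT = [[record(PSA, {K_SERIAL: "4567893241"}), record(GPU, {K_SERIAL: "876543"})],
             LEAD, {K_NAME: "System certificate", K_SERIAL: "PLACEHOLDER-0001"}]  # assumed values


def good_evidence():
    """Accepted state seeded from Evidence that matches every Reference Value (constructed)."""
    return {env_key(BL): sw(BL_DIG), env_key(TFM): sw(TFM_DIG), env_key(GPUFW): sw(GPUFW_DIG)}


def evaluate(evidence):
    """Layered evaluation: domains first, then sub-Attester endorsements, then the lead one."""
    state = deepcopy(evidence)
    for domain in (PSA_DOMAIN, GPU_DOMAIN):
        apply_stateful_domain(domain, state)
    for cert in (PSA_CERT, GPU_CERT):
        apply_conditional_endorsement(cert, state)
    apply_layered_endorsement(LEAD_CERT, state)
    return state


def has_cert(state, env_map):
    return K_SERIAL in state.get(env_key(env_map), {})


if __name__ == "__main__":
    ok = evaluate(good_evidence())
    print("all certificates released:", all(has_cert(ok, e) for e in (PSA, GPU, LEAD)))
    bad = good_evidence()
    bad[env_key(TFM)] = sw(bytes(32))  # TF-M measured with an unexpected digest
    st = evaluate(bad)
    print("PSA:", has_cert(st, PSA), "GPU:", has_cert(st, GPU), "lead:", has_cert(st, LEAD))
```

The order of evaluation is what makes the layering work: a stateful domain can only be accepted after its member environments are, a sub-Attester certificate only after its domain, and the Lead Attester certificate only after both sub-Attester certificates are in the accepted state. The second run shows the failure mode the page's first example is about: one TF-M digest that does not match the Reference Value keeps the PSA domain out of the accepted state, so neither the PSA certificate nor the lead certificate is released, while the unaffected GPU sub-attester still obtains its own.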