Skip to content

Layered Conditional Endorsements

Yogesh Deshpande edited this page Oct 3, 2023 · 24 revisions

(Layered) Conditional Endorsements

This proposal builds on top of the "Composite device description using domain membership triples".

Introduction

There are cases where Endorsed Values are applicable to an Environment only if Evidence matches certain Reference Values.

One example is that of a security certification granted to an Attester (or sub-Attester) running a combination of certain software component(s) at a specific version. In this case, the Verifier must make sure that the current "accepted state" matches the expected, "certified" measurements before letting the certificate data into the accepted state.

Another example is that of high-level controls or benchmarks that can be cleared by a complex, composite Attester only if a given combination of Target Environments are running a specific software revision and configuration.

To model these use cases we reuse CoRIM's "Stateful Environment" primitive.

Example Attester Description

The example reuses the composite device arrangement from Composite device modelling using (extended) domain-membership-triples:

flowchart TD
    Domain1["PSA sub-attester"]
    subgraph Attester1[" "]
        TEx["BL"]
        TEy["TF-M"]
    end
    Domain2["GPU sub-attester"]
    subgraph Attester2[" "]
        TE2["GPU FW"]
    end
    Domain1 --> Attester1
    Domain2 --> Attester2
    Domain0["Lead Attester"]
    subgraph DomainComp[" "]
        Domain1
        Domain2
    end
    Domain0 --> DomainComp
Loading

Endorsement addition to PSA sub-attester

Endorser want to provision a Security Certificate that belongs to PSA sub-attester

Modelling PSA Sub-Attester

Define a Stateful Environment for each component of PSA sub-attester as under

a. Stateful Environment for boot-loader (BL) component

Visually

flowchart TD
  subgraph Attester1["Stateful Environment- BL"]
        TEx["BL"]
        TEy["comid.version-1.0.0 \ncomid.digests=(44aa336a4...)"]
        TEx -.- TEy
    end
Loading
[
    / environment-map / {
        / comid.class / 0 : {
            / comid.class-id / 0 : 37(h'57057d658db1403b9e387f9f0fa604cf'),
            / comid.vendor /   1 : "FW Manufacturer X",
            / comid.model /    2 : "BL"
        }
    },

    / measurement-map / {
        / comid.mval / 1 : {
            / comid.version / 0 : {
                / version / 0: "1.0.0"
            },
            / comid.digests / 2 : [
                [
                    / hash-alg-id / 1, / sha256 /
                    / hash-value /  h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
                ]
            ]
        }
    },
],

b. Define a Stateful Environment for TF-M component

Visually

flowchart TD

  subgraph Attester1["Stateful Environment- TF-M"]
        TEx["TF-M"]
        TEy["comid.version-1.0.0 \ncomid.digests=(9c49c3f7b1...)"]
        TEx -.- TEy
    end
Loading
[
    / environment-map / {
        / comid.class / 0 : {
            / comid.class-id / 0 : 37(h'993a383a41134c999c333a13414a546d'),
            / comid.vendor /   1 : "FW Manufacturer X",
            / comid.model /    2 : "TF-M"
        }
    },
    / measurement-map / {
        / comid.mval / 1 : {
            / comid.version / 0 : {
                /version / 0: "1.0.0"
            },
            / comid.digests / 2 : [
                [
                    / hash-alg-id / 1, / sha256 /
                    / hash-value /  h'9c49c3f7b15f62db77deb9a5fa5a21e516edb15bb7b2214654695a59ac492d9e'
                ]
            ]
        }
    }
]

Define Stateful Domain

$stateful-domain-type-choice /= environment-map
$stateful-domain-type-choice /= stateful-environment-record

Need for a Stateful Domain

A Stateful Domain defines a particular Sub-Attester Product and its revision associated together.

The benefit of a Stateful Domain:

  1. Uniquely identify a particular Sub-Attester Composition (with specific revision) and links it to the Sub-Attester Elements (see below).

  2. A Stateful Domain is published by an OEM which is used by different Suuply Chain Endorsers (like Common Criterion and FIPS) to run Certification Programs and issue multiple Endorsements pertaining to Stateful Domain at different points in time.

  3. The Endorsers (Certification Bodies) need not care about the composition as this is described by the stateful-domain-triple-record (see below), under control of OEM

Stateful Domain Composition Triple

  • A stateful domain composition triple is defined with a stateful-domain set to stateful-environment-record as a subject and is composed of multiple stateful evironments
stateful-domain-triple-record = [
; associates a stateful domain name to a series of stateful environments
subject: $stateful-environment-record ; the stateful environment record identifying the name of the stateful environment 
object: [stateful-environment-record] ; a list of stateful environments associated to the stateful domain
]

Visually

flowchart TD
PSA["class-id=600(61636d652...)\n model= PSA RoT"]
  PSA-VER["version=1.0.0"]
  BL["class-id=57057D65-...\nmodel=BL"]
  BL_M1["version=1.0.0\ndigest=44aa336a..."]
  TF-M["class-id=993A383A-...\nmodel=TF-M"]
  TF-M_M1["version=1.0.0\ndigest=9c49c3f7..."]
  subgraph PSA-name["PSA Stateful Domain"]
    PSA
    PSA-VER
    PSA -.- PSA-VER
  end
  subgraph PSA-target1["BL"]
    BL
    BL_M1
    BL -.- BL_M1
  end

  subgraph PSA-target2["TF-M"]
    TF-M
    TF-M_M1
     TF-M -.- TF-M_M1
  end
 

  PSA-name --- PSA-target1
  PSA-name --- PSA-target2
Loading

For the PSA sub-attester the example CDDL for the stateful-domain-record which is identified with a specific revision of PSA implementation-id as the environment with a specific revision (making it stateful) and is associated to specific revision of "BL" and "TF-M" components, as given below.

[
    [
     / environment-map / {
            / comid.class / 0 : {
                / comid.class-id / 0 : / tagged-impl-id-type / 600(
                    h'61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031'
                ),
                / comid.vendor / 1 : "ACME Ltd.",
                / comid.model /  2 : "PSA RoT"
            }
        },

     / measurement-map / {
            / comid.mval / 1 : {
                / comid.version / 0 : {
                    / version / 0: "1.0.0"
                },
            }
        },
    ],
    [
        [
            / environment-map / {
                / comid.class / 0 : {
                    / comid.class-id / 0 : 37(h'57057d658db1403b9e387f9f0fa604cf'),
                    / comid.vendor /   1 : "FW Manufacturer X",
                    / comid.model /    2 : "BL"
                }
            },

            / measurement-map / {
                / comid.mval / 1 : {
                    / comid.version / 0 : {
                        / version / 0: "1.0.0"
                    },
                    / comid.digests / 2 : [
                        [
                            / hash-alg-id / 1, / sha256 /
                            / hash-value /  h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
                        ]
                    ]
                }
            },
        ],
        [
            / environment-map / {
                / comid.class / 0 : {
                    / comid.class-id / 0 : 37(h'993a383a41134c999c333a13414a546d'),
                    / comid.vendor /   1 : "FW Manufacturer X",
                    / comid.model /    2 : "TF-M"
                }
            },
            / measurement-map / {
                / comid.mval / 1 : {
                    / comid.version / 0 : {
                        /version / 0: "1.0.0"
                    },
                    / comid.digests / 2 : [
                        [
                            / hash-alg-id / 1, / sha256 /
                            / hash-value /  h'9c49c3f7b15f62db77deb9a5fa5a21e516edb15bb7b2214654695a59ac492d9e'
                        ]
                    ]
                }
            }
        ]
    ]
]

Modelling PSA Certification

PSA Certification from an Independent Certification Body can be modelled using the following Triple.

Stateful-Environment Endorsements Triple

The semantics of the new triple is as follows:

"The $stateful-env has endorsed value $val"

stateful-env-endorsement-triple-record = [
env: stateful-environment-record ; The stateful environment to which the endorsed value belongs to
val: measurement-values-map    ; the endorsed value
]

The Verifier accepts the Endorsements identified by measurement-values-map, when it can find a stateful environment matching stateful-environment-record, in its database

Visually

flowchart TD
PSA["class-id=600(61636d652...)\n model= PSA RoT"]
  PSA-VER["version=1.0.0"]
  BL_M1["name =Tester-X PSA security certificate\nserial-number=4567893241\nversion=1.0.0"]

  subgraph PSA-name["PSA Stateful Domain"]
    PSA
    PSA-VER
    PSA -.- PSA-VER
  end
  subgraph PSA-target1["PSA-Certification"]
    BL_M1
  end

  PSA-name --- PSA-target1
Loading
[
   [
     / environment-map / {
            / comid.class / 0 : {
                / comid.class-id / 0 : / tagged-impl-id-type / 600(
                    h'61636d652d696d706c656d656e746174696f6e2d69642d303030303030303031'
                ),
                / comid.vendor / 1 : "ACME Ltd.",
                / comid.model /  2 : "PSA RoT"
            }
        },

     / measurement-map / {
            / comid.mval / 1 : {
                / comid.version / 0 : {
                    / version / 0: "1.0.0"
                },
            }
        },
    ],
/ measurement-map / {
        / comid.mval / 1 : {
            / comid.name / 11 : {
                / name / 0: "Tester-X PSA security certificate"  ; certificate version 
            },
            / comid.serial-number / 8 : {
                / serial-number / 0: "4567893241"  ; certificate number 
            },
            / comid.version / 0 : {
                / version / 0: "1.0.0"  ; certificate version 
            },
        }
    },
],

Modelling GPU Sub-Attester

Stateful Environment Record for GPU-FW

a. Stateful Environment for `GPU-FW component

Visually

flowchart TD
  subgraph Attester1["Stateful Environment- GPU-FW"]
        TEx["GPU-FW"]
        TEy["comid.version-1.0.0 \ncomid.digests=(44aa336a4...)"]
        TEx -.- TEy
    end
Loading
[
    / environment-map / {
        / comid.class / 0 : {
            / comid.class-id / 0 : 37(h'67057d658db1403b9e387f9f0fa604cf'),
            / comid.vendor /   1 : "GPU Manufacturer X",
            / comid.model /    2 : "GPU-FW"
        }
    },

    / measurement-map / {
        / comid.mval / 1 : {
            / comid.version / 0 : {
                / version / 0: "1.0.0"
            },
            / comid.digests / 2 : [
                [
                    / hash-alg-id / 1, / sha256 /
                    / hash-value /  h'34b03909f183581749721835ea2473e9377647da3cf7c7169b9b78e77ec260a2'
                ]
            ]
        }
    },
],

GPU Stateful Domain Composition Triple

For the GPU sub-attester the example CDDL for the stateful-domain-record which is identified with a specific revision of GPU uu-id as the environment with a specific revision (making it stateful) and is associated to specific revision of "GPU-FW" component, as given below.

For the GPU sub-attester the example CDDL for the stateful-domain-record which is identified with a specific revision of GPU uu-id as the environment with a specific revision (making it stateful) and is associated to specific revision of "GPU-FW" component, as given below.

Visually

flowchart TD
GPU["class-id=600(61636d652...)\n model= GPU RoT"]
  GPU-VER["version=1.0.0"]
  FW["class-id=57057D65-...\nmodel=GPU"]
  GPU_M1["version=1.0.0\ndigest=44aa336a..."]

  subgraph GPU-name["GPU Stateful Domain"]
    GPU
    GPU-VER
    GPU -.- GPU-VER
  end
  subgraph GPU-target1["GPU-FW"]
    FW
    GPU_M1
    FW -.- GPU_M1
  end

 

  GPU-name --- GPU-target1
Loading

[
    [
     / environment-map / {
            / comid.class / 0 : {
                / comid.class-id / 0 : 37(h'c77b8c870b4a44058b024e5388ffd8e6'),
				/ comid.vendor / 1 : "GPUs Inc.",
				/ comid.model /  2 : "Fancy 2.0"
            }
        },

     / measurement-map / {
            / comid.mval / 1 : {
                / comid.version / 0 : {
                    / version / 0: "1.0.0"
                },
            }
        },
    ],
	
    [
	  / environment-map / {
        / comid.class / 0 : {
            / comid.class-id / 0 : 37(h'67057d658db1403b9e387f9f0fa604cf'),
            / comid.vendor /   1 : "GPU Manufacturer X",
            / comid.model /    2 : "GPU-FW"
		  }	
		},
		/ measurement-map / {
			/ comid.mval / 1 : {
				/ comid.version / 0 : {
					/ version / 0: "1.0.0"
				},
				/ comid.digests / 2 : [
					[
						/ hash-alg-id / 1, / sha256 /
						/ hash-value /  h'34b03909f183581749721835ea2473e9377647da3cf7c7169b9b78e77ec260a2'
					]
				]
			}
		},
    ]
]

Modelling GPU Endorsements

GPU Certification from an Independent Certification Body can be modelled using the following Triple. using Stateful-Environment Endorsements Triple

The Verifier accepts the Endorsements identified by measurement-values-map, when it can find a stateful environment matching stateful-environment-record, in its database

Visually

flowchart TD
GPU["class-id=600(c77b8c870...)\n model= GPU RoT"]
  GPU-VER["version=1.0.0"]
  GPU-FW["name =Tester-Y GPU system certificate\nserial-number=4567893241\nversion=1.0.0"]

  subgraph GPU-name["GPU Stateful Domain"]
    GPU
    GPU-VER
    GPU -.- GPU-VER
  end
  subgraph GPU-target1["GPU-Certification"]
    GPU-FW
  end

  GPU-name --- GPU-target1
Loading
[
   [
     / environment-map / {
            / comid.class / 0 : {
                / comid.class-id / 0 : 37(h'c77b8c870b4a44058b024e5388ffd8e6'),
 				/ comid.vendor / 1 : "GPUs Inc.",
				/ comid.model /  2 : "Fancy 2.0"
            }
        },

     / measurement-map / {
            / comid.mval / 1 : {
                / comid.version / 0 : {
                    / version / 0: "1.0.0"
                },
            }
        },
    ],
/ measurement-map / {
        / comid.mval / 1 : {
            / comid.name / 11 : {
                / name / 0: "Tester-Y GPU system certificate"  ; certificate version 
            },
            / comid.serial-number / 8 : {
                / serial-number / 0: "876543"  ; certificate number 
            },
            / comid.version / 0 : {
                / version / 0: "1.0.0"  ; certificate version 
            },
        }
    },
],