From 8d9f55e18ed2de5daee0b28617de7c801dba29aa Mon Sep 17 00:00:00 2001
From: Thomas Fossati
Date: Thu, 15 Feb 2024 18:04:55 +0100
Subject: [PATCH] rework based on Hannes suggestion to extend EAT measurements
Signed-off-by: Thomas Fossati
---
 cddl/Makefile | 30 +++-
 cddl/eat-ex1.diag | 29 ++++
 cddl/eat-plug.cddl | 1 +
 cddl/ex1.diag | 8 +-
 cddl/minimal-eat.cddlc | 39 ++++++
 draft-fft-rats-eat-measured-component.md | 170 ++++++++++++++++++++---
 6 files changed, 248 insertions(+), 29 deletions(-)
 create mode 100644 cddl/eat-ex1.diag
 create mode 100644 cddl/eat-plug.cddl
 create mode 100644 cddl/minimal-eat.cddlc
diff --git a/cddl/Makefile b/cddl/Makefile
index 5422dae..5f3cae8 100644
--- a/cddl/Makefile
+++ b/cddl/Makefile
@@ -1,16 +1,24 @@
+SHELL := /bin/bash
+
 %.cbor: %.diag ; diag2cbor.rb $< > $@
 %.cddl: %.cddlc ; cddlc -2tcddl $< > $@
 CDDL := measured-component.cddl
-DIAG_EXAMPLES := $(wildcard *.diag)
+DIAG_EXAMPLES := $(wildcard ex*.diag)
 CBOR_EXAMPLES := $(DIAG_EXAMPLES:.diag=.cbor)
-all: check-schema check-examples
+all: check-schema check-examples mceat-check-examples
 check-schema: $(CDDL) ; cddl $< g 10
 .PHONY: check-schema
-clean: ; -rm -f $(CDDL) $(wildcard *.pretty) $(CBOR_EXAMPLES)
+CLEANFILES += $(CDDL)
+CLEANFILES += $(CBOR_EXAMPLES)
+CLEANFILES += $(wildcard *.pretty)
+CLEANFILES += $(MCEAT_CDDL)
+CLEANFILES += $(MCEAT_CBOR_EXAMPLES)
+
+clean: ; -rm -f $(CLEANFILES)
 .PHONY: clean
 check-examples: $(CBOR_EXAMPLES) $(CDDL)
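Review bot: The new `CLEANFILES += $(MCEAT_CDDL)` and `CLEANFILES += $(MCEAT_CBOR_EXAMPLES)` lines in cddl/Makefile name variables that are only assigned further down, in the second hunk of this file. This works because a variable first created with `+=` is recursively expanded, so the names resolve when the `clean` recipe runs. If someone later changes the first assignment to `CLEANFILES :=`, both entries expand to nothing and `make clean` quietly leaves mc+eat.cddl and the EAT example outputs behind. I would either move the `MCEAT_*` definitions above this block or add a comment such as `# CLEANFILES is deliberately recursive: MCEAT_* are defined below`.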
@@ -21,3 +29,19 @@ check-examples: $(CBOR_EXAMPLES) $(CDDL)
 cbor2pretty.rb $$f > $${f%.cbor}.pretty ; \
 done
 .PHONY: check-examples
+
+MCEAT_CDDL := mc+eat.cddl
+MCEAT_DIAG_EXAMPLES := eat-ex1.diag
+MCEAT_CBOR_EXAMPLES := $(MCEAT_DIAG_EXAMPLES:.diag=.cbor)
+
+$(MCEAT_CDDL): minimal-eat.cddlc eat-plug.cddl $(CDDL)
+ cddlc -2 -sClaims-Set -tcddl -Imeasured-component $< > $@
+
+mceat-check-examples: $(MCEAT_CBOR_EXAMPLES) $(MCEAT_CDDL)
+ @for f in $(MCEAT_CBOR_EXAMPLES); do \
+ echo ">> validating $$f against $(MCEAT_CDDL)" ; \
+ cddl $(MCEAT_CDDL) validate $$f &>/dev/null || exit 1 ; \
+ echo ">> saving prettified CBOR to $${f%.cbor}.pretty" ; \
+ cbor2pretty.rb $$f > $${f%.cbor}.pretty ; \
+ done
+.PHONY: mceat-check-examples
diff --git a/cddl/eat-ex1.diag b/cddl/eat-ex1.diag
new file mode 100644
index 0000000..3692ace
--- /dev/null
+++ b/cddl/eat-ex1.diag
@@ -0,0 +1,29 @@
+{
+ 273: [
+ [
+ 65000, / using a CoAP C-F from the experimental range /
+ <<
+ [
+ / id / [
+ / name / "boot loader X",
+ / version / [
+ "1.2.3rc2",
+ 16384 / semver /
+ ]
+ ],
+ / measurement / [
+ / alg / "sha-256",
+ / val / h'3996003d486fb91ffb056f7d03f2b2992b215b31db
+ e7af4b373431fc7d319da3'
+ ],
+ / signer / h'492e9b676c21f6012b1ceeb9032feb4141a880797
+ 355f6675015ec59c51ca1ec',
+ / countersigners / [
+ h'4277bb97ba7b51577a0d38151d3e08b40bdf946753f5b5bdeb
+ 814d6ff57a8a5e'
+ ]
+ ]
+ >>
+ ]
+ ]
+}
diff --git a/cddl/eat-plug.cddl b/cddl/eat-plug.cddl
new file mode 100644
index 0000000..8caa6d5
--- /dev/null
+++ b/cddl/eat-plug.cddl
@@ -0,0 +1 @@
+$measurements-body-cbor /= bytes .cbor measured-component
diff --git a/cddl/ex1.diag b/cddl/ex1.diag
index c839c1d..d8bfe4e 100644
--- a/cddl/ex1.diag
+++ b/cddl/ex1.diag
@@ -1,6 +1,6 @@
 [
 / id / [
- / name / "boot loader X",
+ / name / "boot loader X",
 / version / [
 "1.2.3rc2",
 16384 / semver /
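Review bot: In the `mceat-check-examples` recipe of cddl/Makefile, `cddl $(MCEAT_CDDL) validate $$f &>/dev/null || exit 1` throws away everything the validator prints, so a failing example stops the build without saying which rule it violated. Redirecting only stdout, `cddl $(MCEAT_CDDL) validate $$f >/dev/null || exit 1`, would keep any diagnostics written to stderr (worth confirming where the tool writes them) and would not depend on the bash-only `&>`. The loop also checks only the `cddl` step: a `cbor2pretty.rb` failure on any file but the last does not fail the target, so `|| exit 1` belongs on that line too. The existing `check-examples` recipe lies mostly outside this hunk, so I cannot tell whether it has the same pattern.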
@@ -9,12 +9,12 @@
 / measurement / [
 / alg / "sha-256",
 / val / h'3996003d486fb91ffb056f7d03f2b2992b215b31dbe7af4b37
-3431fc7d319da3'
+ 3431fc7d319da3'
 ],
 / signer / h'492e9b676c21f6012b1ceeb9032feb4141a880797355f6675
-015ec59c51ca1ec',
+ 015ec59c51ca1ec',
 / countersigners / [
 h'4277bb97ba7b51577a0d38151d3e08b40bdf946753f5b5bdeb814d6ff5
-7a8a5e'
+ 7a8a5e'
 ]
 ]
diff --git a/cddl/minimal-eat.cddlc b/cddl/minimal-eat.cddlc
new file mode 100644
index 0000000..6a1963a
--- /dev/null
+++ b/cddl/minimal-eat.cddlc
@@ -0,0 +1,39 @@
+$$Claims-Set-Claims //= (
+ measurements-label => measurements-type
+)
+
+measurements-label = JC< "measurements", 273 >
+
+measurements-type = [+ measurements-format]
+
+measurements-format = [
+ content-type: coap-content-format,
+ content-format: JC< $measurements-body-json, $measurements-body-cbor >
+]
+
+; $measurements-body-cbor /= bytes .cbor untagged-coswid
+$measurements-body-cbor /= bytes .cbor measured-component
+$measurements-body-json /= base64-url-text
+
+Claims-Set = {
+ $$Claims-Set-Claims
+}
+
+untagged-coswid = ~coswid.concise-swid-tag
+
+; common data types ยง7.2.1
+
+base64-url-text = tstr .regexp "[A-Za-z0-9_-]+"
+
+coap-content-format = uint .le 65535
+
+JSON-ONLY = J .feature "json"
+CBOR-ONLY = C .feature "cbor"
+
+JC = JSON-ONLY / CBOR-ONLY
+
+; import
+
+;# import rfc9393 as coswid
+
+coswid.one-or-more = T / [ 2* T ]
diff --git a/draft-fft-rats-eat-measured-component.md b/draft-fft-rats-eat-measured-component.md
index 2f21f1f..bd01dc8 100644
--- a/draft-fft-rats-eat-measured-component.md
+++ b/draft-fft-rats-eat-measured-component.md
@@ -1,7 +1,7 @@
 ---
 v: 3
-title: A Measured Component Claim for EAT
+title: EAT Measured Component
 abbrev: "EAT Measured Component"
 docname: draft-fft-rats-eat-measured-component-latest
 category: std
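Review bot: cddl/minimal-eat.cddlc repeats `$measurements-body-cbor /= bytes .cbor measured-component`, the same line that is the whole of the new cddl/eat-plug.cddl. The draft includes eat-plug.cddl, but the Makefile rule for mc+eat.cddl passes only `$<` (minimal-eat.cddlc) to cddlc, so as far as the visible recipe shows, the examples are validated against this copy rather than against the text that is published. If the two ever drift, `mceat-check-examples` keeps passing while the draft shows a different plug. Keeping a single definition would be best; failing that, a comment here such as `; keep identical to eat-plug.cddl (the copy included in the draft)` would make the coupling visible.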
@@ -11,7 +11,7 @@ submissionType: IETF
 ipr: trust200902
 area: "Security"
 workgroup: "Remote ATtestation ProcedureS"
-keyword: [ EAT, claim, measured, component ]
+keyword: [ EAT, measurements, claim, measured, component ]
 stand_alone: yes
 smart_quotes: no
@@ -29,12 +29,11 @@ author:
 email: Hannes.Tschofenig@siemens.com
 normative:
+ RFC7252: coap
 RFC8610: cddl
 RFC9165: cddlplus
 I-D.ietf-cbor-cddl-modules: cddlmod
 RFC9393: coswid
- IANA.cwt:
- IANA.jwt:
 I-D.ietf-rats-eat: rats-eat
 I-D.ietf-cose-key-thumbprint: cose-key-thumbprint
 I-D.ietf-rats-corim: corim
@@ -48,13 +47,20 @@ entity:
 --- abstract
-This document defines a EAT claim to carry information about measured components.
+This document defines a "measured components" format that can be used with the EAT Measurements claim.
 --- middle
 # Introduction
-This document defines a EAT {{-rats-eat}} claim to carry information about measured components.
+{{Section 4.2.6 of -rats-eat}} defines a Measurements claim that:
+
+> "[c]ontains descriptions, lists, evidence or measurements of the software that exists on the entity or any other measurable subsystem of the entity."
+
+This claim allows for different measurement formats, each identified by a different CoAP Content-Format ({{Section 12.3 of -coap}}).
+Initially, the only specified format is CoSWID of type "evidence", as per {{Section 2.9.4 of -coswid}}.
+
+This document introduces the "measured components" format that can be used with the EAT Measurements claim in addition or as an alternative to CoSWID.
 # Conventions and Definitions
@@ -92,42 +98,162 @@ The following types and semantics have been reused:
 ## CDDL
+The `measured-component` data item:
+
 ~~~ cddl
 {::include cddl/measured-component.cddlc}
 ~~~
+The CDDL extending the EAT Measurements format:
+
+~~~ cddl
+{::include cddl/eat-plug.cddl}
+~~~
+
+The associated `content-type` MUST contain the CoAP Content-Format assigned by IANA for the `application/measured-component+cbor`.
+When the `content-type` is instead the Content-Format for `application/measured-component+json`, the `content-format` contains the base64url-encoded value of TBD.
+
 # Examples
+The examples are CBOR only.
+JSON examples will be added in a future version of this document.
+
+The example in {{ex-1}} is a measured component with all the fields populated.
+
 ~~~ cbor-edn
 {::include cddl/ex1.diag}
 ~~~
+{: #ex-1 title="Complete Measured Component"}
+
+The example in {{ex-eat-1}} is the same measured component as above but used as the format of a `measurements` claim in a EAT claims-set.
+Note that the example uses a CoAP Content-Format value from the experimental range (65000), which will change to the value assigned by IANA for the `application/measured-component+cbor` Content-Format.
+
+~~~ cbor-edn
+{::include cddl/eat-ex1.diag}
+~~~
+{: #ex-eat-1 title="EAT Measurements Claim using a Measured Component"}
+
+# Security Considerations {#seccons}
+
+TODO
 # IANA Considerations
 [^rfced] replace "{{&SELF}}" with the RFC number assigned to this document.
-## CWT `measured-component` Claim Registration
+## Media Types Registrations
+
+IANA is requested to add the following media types to the "Media Types" registry {{!IANA.media-types}}.
+
+| Name | Template | Reference |
+|-----------------|-------------------------|-----------|
+| `mc+cbor` | `application/measured-component+cbor` | {{&SELF}} |
+| `mc+json` | `application/measured-component+json` | {{&SELF}} |
+{: #tab-mc-regs title="Measured Component Media Types"}
+
+### `application/measured-component+cbor`
+
+{:compact}
+Type name:
+: application
+
+Subtype name:
+: measured-component+cbor
+
+Required parameters:
+: n/a
+
+Optional parameters:
+: n/a
+
+Encoding considerations:
+: binary (CBOR)
+
+Security considerations:
+: {{seccons}} of {{&SELF}}
+
+Interoperability considerations:
+: n/a
+
+Published specification:
+: {{&SELF}}
+
+Applications that use this media type:
+: Attesters, Verifiers and Relying Parties
+
+Fragment identifier considerations:
+: The syntax and semantics of fragment identifiers are as specified for "application/cbor". (No fragment identification syntax is currently defined for "application/cbor".)
+
+Person & email address to contact for further information:
+: RATS WG mailing list (rats@ietf.org)
+
+Intended usage:
+: COMMON
+
+Restrictions on usage:
+: none
+
+Author/Change controller:
+: IETF
+
+Provisional registration:
+: no
+
+### `application/measured-component+json`
+
+{:compact}
+Type name:
+: application
+
+Subtype name:
+: measured-component+json
+
+Required parameters:
+: n/a
+
+Optional parameters:
+: n/a
+
+Encoding considerations:
+: binary (JSON is UTF-8-encoded text)
+
+Security considerations:
+: {{seccons}} of {{&SELF}}
+
+Interoperability considerations:
+: n/a
+
+Published specification:
+: {{&SELF}}
+
+Applications that use this media type:
+: Attesters, Verifiers and Relying Parties
+
+Fragment identifier considerations:
+: The syntax and semantics of fragment identifiers are as specified for "application/json". (No fragment identification syntax is currently defined for "application/json".)
+
+Person & email address to contact for further information:
+: RATS WG mailing list (rats@ietf.org)
+
+Intended usage:
+: COMMON
-IANA is requested to add a new `measured-component` claim to the "CBOR Web Token (CWT) Claims" registry {{IANA.cwt}} as follows:
+Restrictions on usage:
+: none
-* Claim Name: measured-component
-* Claim Description: Measured Component
-* Claim Key: TBD
-* Claim Value Type(s): CBOR Map
-* Change Controller: IETF
-* Specification Document(s): {{measured-component}} of {{&SELF}}
+Author/Change controller:
+: IETF
-The suggested value for the Claim Key is TBD
+Provisional registration:
+: no
-## JWT `measured-component` Claim Registration
+## Measured Component Content-Format Registrations
-IANA is requested to add a new `measured-component` claim to the "JSON Web Token Claims" sub-registry of the "JSON Web Token (JWT)" registry {{IANA.jwt}} as follows:
+IANA is requested to register two Content-Format numbers in the "CoAP Content-Formats" sub-registry, within the "Constrained RESTful Environments (CoRE) Parameters" Registry {{!IANA.core-parameters}}, as follows:
-* Claim Name: measured-component
-* Claim Description: Measured Component
-* Claim Value Type(s): JSON object
-* Change Controller: IETF
-* Specification Document(s): {{measured-component}} of {{&SELF}}
+| Content-Type | Content Coding | ID | Reference |
+| application/measured-component+cbor | - | TBD1 | {{&SELF}} |
+| application/measured-component+json | - | TBD2 | {{&SELF}} |
 --- back