From acd7e29d3cbe75e3f269662c235ef430b2ef7959 Mon Sep 17 00:00:00 2001 From: Jiewen Yao Date: Thu, 28 Nov 2024 08:40:54 +0800 Subject: [PATCH] Provide description for measurement transcript usage. Signed-off-by: Jiewen Yao --- src/08-attestation.adoc | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/src/08-attestation.adoc b/src/08-attestation.adoc index 767331c..dd4dfc7 100644 --- a/src/08-attestation.adoc +++ b/src/08-attestation.adoc 
@@ -203,6 +203,34 @@ Although the device measurement and certificate are not required to be included in the TVM report, the TVM should provide a mechanism to return the device measurement and certificate for the verifier to perform further verification. +To support remote verification, the device measurement data shall be the +signed <> measurement transcript, including `VCA` and all +`{GET_MEASUREMENTS, MEASUREMENTS}` pairs that are exchanged between the SPDM +measurement requester and the responder. Only the last `MEASUREMENTS` shall +include the digital signature of the measurement transcript. + +Providing the signed <> measurement transcript has multiple benefits: + +- Measurement record integrity protection. + The provided <> measurement transcript digital signature protects + the measurement record integrity against: + * Transport attacks between the host and the remote verifier, that should + otherwise be protected through TLS. + * Internal device attacks and vulnerabilities. The Device Security Manager + (DSM) may be composed of several pieces of firmware, and every one of them + can potentially forge the measurements before returning it to the requester. + With a digitally signed measurement transcript, they can not be modified + after the DSM RoT signs them, effectively removing all other DSM components + out of the overall TCB. +- Additional data for attestation. + * <> `MEASUREMENTS` response opaque data field. + With a signed transcript, device-specific opaque data is included into + the `MEASUREMENTS` response. This piece of data may be required by the + device verifier. + * <> connection parameter in `VCA`. The verifier can check the + negotiated SPDM version, capabilities and algorithms. + + .TVM Attestation Comparison [width=90%, align="center", options="header"] |===
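Review bot: The new normative sentence "the device measurement data shall be the signed measurement transcript" does not say what a TVM returns when the responder only supports unsigned measurements, so the requirement is either stricter than the surrounding text (which only says the TVM "should provide a mechanism" to return measurement and certificate) or incomplete; either restrict it to devices whose measurement capability includes signing, or state that unsigned transcripts are out of scope for remote verification. In the first benefit bullet, "Transport attacks between the host and the remote verifier, that should otherwise be protected through TLS" is ambiguous about whether TLS is still required; suggest "which would otherwise have to be protected by TLS alone". The same bullet should say "cannot be modified" rather than "can not", and "removing all other DSM components out of the overall TCB" reads better as "removing all other DSM components from the TCB". In the second bullet, "device-specific opaque data is included into the `MEASUREMENTS` response" should be "included in". Finally, the phrase "Only the last `MEASUREMENTS` shall include the digital signature" is a requirement on the requester's use of the signature request bit, not on the transcript format; consider stating explicitly that the requester requests a signature only on the final `GET_MEASUREMENTS` so the signed transcript covers the `VCA` and every preceding pair.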