
Second attempt at early allocation of CWT Labels #152

Merged
merged 9 commits into from Feb 17, 2022
18 changes: 10 additions & 8 deletions cddl/eat-assigned-labels.cddl
@@ -3,11 +3,13 @@
; They are not expected to change in the final publication as an RFC.

nonce-label = 10
ueid-label = 11
oemid-label = 13
security-level-label = 14
secure-boot-label = 15
debug-status-label = 16
location-label = 17
profile-label = 18
submods-label = 20
ueid-label = 256
sueids-label = 257
oemid-label = 258
hardware-model-label = 259
hardware-version-label = 260
secure-boot-label = 262
debug-status-label = 263
location-label = 264
profile-label = 265
submods-label = 266
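Review bot: `security-level-label = 14` is dropped from this file without a replacement in the new 256..266 block, while its new value 261 appears only in eat-tbd-labels-validate.cddl; since the header comment says these values "are not expected to change in the final publication", either add `security-level-label = 261` here or say why security-level is excluded from the early allocation. The header should also record why every new label is at or above 256: CBOR encodes 256..65535 as a 3-byte unsigned integer (`19 01 xx` for this block), versus 2 bytes for 24..255 and 1 byte for the old values below 24, so each relabelled claim costs two extra bytes per token, and a reader will want to know that the range was dictated by the registry rather than chosen arbitrarily.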
21 changes: 12 additions & 9 deletions cddl/eat-json-labels.cddl
@@ -1,26 +1,29 @@
; The following are claim names for JSON encoded tokens.

nonce-label /= "nonce"


ueid-label /= "ueid"
sueids-label /= "sueids"
nonce-label /= "nonce"
oemid-label /= "oemid"
hardware-model-label /= "hwmodel"
hardware-version-label /= "hwversion"
security-level-label /= "seclevel"
secure-boot-label /= "secboot"
debug-status-label /= "dbgstat"
location-label /= "location"
uptime-label /= "uptime"
profile-label /= "eat-profile"
intended-use-label /= "intuse"
uptime-label /= "uptime"
boot-seed-label /= "bootseed"
submods-label /= "submods"
timestamp /= "timestamp"
manifests-label /= "manifests"
swevidence-label /= "swevidence"
intended-use-label /= "intuse"
dloas-label /= "dloas"
swresults-label /= "swresults"
sw-name-label /= "swname"
sw-version-label /= "swversion"
hardware-model-label /= "hwmodel"
manifests-label /= "manifests"
swevidence-label /= "swevidence"
swresults-label /= "swresults"
submods-label /= "submods"


latitude /= "lat"
longitude /= "long"
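Review bot: `timestamp /= "timestamp"` is the one entry without the `-label` suffix that every other identifier in this file carries (`nonce-label`, `submods-label`, `profile-label`, ...); rename it to `timestamp-label`, or confirm that the bare name is what the claims-set rules reference, so the JSON names stay aligned with the CBOR label files. The new `hardware-version-label /= "hwversion"` does match the rename in hardware-version.cddl.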
22 changes: 10 additions & 12 deletions cddl/eat-tbd-labels-validate.cddl
@@ -5,15 +5,13 @@
; This file is used for cddl validation. It is not included
; in the document. The file eat-tbd-labels.cddl is for the document.

sueids-label = 25
hw-version-label = 26
sw-name-label = 29
sw-version-label = 30
uptime-label = 31
boot-seed-label = 32
intended-use-label = 33
dloas-label = 34
manifests-label = 35
swevidence-label = 36
swresults-label = 37
hardware-model-label = 39
security-level-label = 261
uptime-label = 267
boot-seed-label = 268
intended-use-label = 269
dloas-label = 270
sw-name-label = 271
sw-version-label = 272
manifests-label = 273
swevidence-label = 274
swresults-label = 275
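Review bot: `security-level-label = 261` lives in this validation-only TBD file yet sits numerically inside the 256..266 range that eat-assigned-labels.cddl presents as early-allocated, so the assigned block has a hole at 261 and the document side (eat-tbd-labels.cddl) will print security-level as `<TBD>` while every example encodes it as 261. Decide which file owns 261 and keep the two consistent; the labels removed here (`sueids-label`, `hw-version-label`, `hardware-model-label`) now exist only in the assigned file, which is the right place for them if they really were part of the early-allocation request.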
29 changes: 14 additions & 15 deletions cddl/eat-tbd-labels.cddl
@@ -1,16 +1,15 @@
; These are not yet assigned in any way and may change.
; These are intentionally above 24 so as to not use up
; single-byte labels.
; These are not yet assigned numbers
This comment is placed as the top comment of a batch review and serves as a kind of introduction to the review.

In general, I am under the impression that a significant source for debate is the undifferentiated use of the defined sets of Claims in both EATs that reflect Evidence and EATs that reflect Attestation Results.

Additionally, I am not clear about how an EAT shall express that its content is either Evidence or Attestation Results. Adding to that, I am not clear about how an EAT shall express the identity of the responsible Attesting Environment of an Attester or the responsible Verifier that produces the Claims and puts them into the corresponding RATS Conceptual Message (except implicitly due to the key material used for signing, which might not apply if UCCS or UJCS are used and nested EATs are conveyed).

To reiterate, the more I try to compose RATS Conceptual Messages via the current Claim definitions provided by this document, the more my doubts concerning the feasibility of the entire approach increase. I am not clear on how to compose useful and unambiguous EATs with the current definitions, tbh. To illustrate my confusion, I selected the very first issue that came to mind for each Claim definition that is covered by this PR.

Analogously, each following comment of this review batch is targeted towards a single Claim in the set for early allocation, specifically. The Claim-specific comments are associated with draft-ietf-rats-eat.md.


security-level-label = <TBD>
uptime-label = <TBD>
boot-seed-label = <TB>
intended-use-label = <TBD>
dloas-label = <TBD>
sw-name-label = <TBD>
sw-version-label = <TBD>
manifests-label = <TBD>
swevidence-label = <TBD>
swresults-label = <TBD>



sueids-label = <TBD25>
hw-version-label = <TBD26>
sw-name-label = <TBD29>
sw-version-label = <TBD30>
uptime-label = <TBD31>
boot-seed-label = <TBD32>
intended-use-label = <TBD33>
dloas-label = <TBD34>
manifests-label = <TBD35>
swevidence-label = <TBD36>
swresults-label = <TBD37>
hardware-model-label = <TBD39>
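Review bot: `boot-seed-label = <TB>` is a typo for `<TBD>`, and because this file is the one that goes into the document (per the comment in eat-tbd-labels-validate.cddl) the typo would reach the draft text. Dropping the numeric hints (`<TBD25>` becoming `<TBD>`) also means the document no longer shows which provisional values eat-tbd-labels-validate.cddl uses; if that is intended, the header comment could point readers to that file, and the removed sentence explaining why the provisional values stay above 24 is still useful context worth keeping in some form.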
10 changes: 5 additions & 5 deletions cddl/examples/simple.diag
@@ -1,10 +1,10 @@
{
/ issuer / 1: "joe",
/ nonce / 10: h'948f8860d13a463e8e',
/ UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea',
/ OEM ID / 13: h'88124e',
/ HW Class / 39: h'881cf5f243fbef3336bbd22547dddefc',
/ secure-boot / 15: true,
/ debug-disable / 16: 3, / permanent-disable /
/ UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea',
/ OEM ID / 258: h'88124e',
/ HW Model / 259: h'881cf5f243fbef3336bbd22547dddefc',
/ secure-boot / 262: true,
/ debug-status / 263: 3, / permanent-disable /
/ timestamp (iat) / 6: 1526542894
}
16 changes: 8 additions & 8 deletions cddl/examples/submods.diag
@@ -1,24 +1,24 @@
{
/ nonce / 10: h'948f8860d13a463e8e',
/ UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea',
/ secure-boot / 15: true,
/ debug-disable / 16: 3, / permanent-disable /
/ UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea',
/ secure-boot / 262: true,
/ debug-status / 263: 3, / permanent-disable /
/ timestamp (iat) / 6: 1526542894,
/ security-level / 14: 3, / secure restricted OS /
/ submods / 20: {
/ security-level / 261: 3, / secure restricted OS /
/ submods / 266: {
/ first submod, an Android Application /
"Android App Foo" : {
/ security-level / 14: 1 / unrestricted /
/ security-level / 261: 1 / unrestricted /
},

/ 2nd submod, A nested EAT from a secure element /
"Secure Element Eat" :
/ an embedded EAT, bytes of which are not shown /
h'420123',
h'420123', / TODO: make this real /

/ 3rd submod, information about Linux Android /
"Linux Android": {
/ security-level / 14: 1 / unrestricted /
/ security-level / 261: 1 / unrestricted /
}
}
}
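Review bot: the nested-EAT placeholder `h'420123'` now carries a `/ TODO: make this real /` comment, but CDDL validation will keep accepting it: as CBOR the bytes `42 01 23` decode to a two-byte byte string, not to an EAT, so the example demonstrates a nested token whose content no verifier could process. Either generate a real nested token or tie the TODO to a tracking issue so the placeholder does not ship in the RFC examples.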
24 changes: 13 additions & 11 deletions cddl/examples/valid_deb.diag
@@ -9,20 +9,22 @@
/ /
/ This token here is in UCCS format (unsigned). In a more /
/ realistic example, it would be a signed CWT. /
h'd90259a80a48948f8860d13a463e0b500198f50a4ff6c058
61c8860d13a638ea0d19faf20e040ff51003181a8263332e
310114a163544545822f5820e5cf95fd24fab71446742dd5
8d43dae178e55fe2b94291a9291082ffc2635a0b',

h'd90259a80a48948f8860d13a463e190100500198
f50a4ff6c05861c8860d13a638ea19010219faf2
19010504190106f5190107031901048263332e31
0119010aa163544545822f5820e5cf95fd24fab7
1446742dd58d43dae178e55fe2b94291a9291082
ffc2635a0b',
{
/ A CBOR-encoded byte-string wrapped EAT claims-set. It /
/ contains claims suitable for a TEE /
"TEE" : h'a50a48948f8860d13a463e0e030ff51002182381
585dda53574944a60064336132340c01016b4163
6d6520544545204f530d65332e312e340282a218
1f6b41636d6520544545204f53182101a2181f6b
41636d6520544545204f5318210206a111a11818
6e61636d655f7465655f332e657865'
"TEE" : h'a50a48948f8860d13a463e19010503190106f519
01070219011181585dda53574944a60064336132
340c01016b41636d6520544545204f530d65332e
312e340282a2181f6b41636d6520544545204f53
182101a2181f6b41636d6520544545204f531821
0206a111a118186e61636d655f7465655f332e65
7865'
}
])
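Review bot: the re-encoded UCCS hex does decode to the new labels (`19 0100` = 256 UEID, `19 0102` = 258 OEMID, `19 0105` = 261 security-level, `19 0106` = 262, `19 0107` = 263, `19 0104` = 260 HW version, `19 010a` = 266 submods, and `19 0111` = 273 manifests inside the "TEE" claims-set), so it is consistent with the .diag examples in this PR. These blobs are hand-maintained, though, and are exactly what the next relabelling will silently break; consider generating the byte strings from the diagnostic-notation sources as part of the validation step instead of editing hex by hand.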

12 changes: 6 additions & 6 deletions cddl/examples/valid_hw_block.diag
@@ -7,11 +7,11 @@

601({
/ nonce / 10: h'948f8860d13a463e',
/ UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea',
/ OEMID / 13: 64242, / Private Enterprise Number /
/ security-level / 14: 4, / hardware level security /
/ secure-boot / 15: true,
/ debug-status / 16: 3, / disabled-permanently /
/ chip-version / 26: [ "3.1", 1 ] / Type is multipartnumeric /
/ UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea',
/ OEMID / 258: 64242, / Private Enterprise Number /
/ security-level / 261: 4, / hardware level security /
/ secure-boot / 262: true,
/ debug-status / 263: 3, / disabled-permanently /
/ HW version / 260: [ "3.1", 1 ] / Type is multipartnumeric /
})

14 changes: 7 additions & 7 deletions cddl/examples/valid_hw_block2.diag
@@ -5,13 +5,13 @@

601({
/ nonce / 10: h'948f8860d13a463e',
/ UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea',
/ OEMID / 13: 64242, / Private Enterprise Number /
/ security-level / 14: 4, / hardware level security /
/ secure-boot / 15: true,
/ debug-status / 16: 3, / disabled-permanently /
/ chip-version / 26: [ "3.1", 1 ], / multipartnumeric /
/ submods/ 20: {
/ UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea',
/ OEMID / 258: 64242, / Private Enterprise Number /
/ security-level / 261: 4, / hardware level security /
/ secure-boot / 262: true,
/ debug-status / 263: 3, / disabled-permanently /
/ hw version / 260: [ "3.1", 1 ], / multipartnumeric /
/ submods/ 266: {
"TEE": [ / detached digest submod /
-16, / SHA-256 /
h'e5cf95fd24fab7144674
20 changes: 10 additions & 10 deletions cddl/examples/valid_iot.diag
@@ -6,17 +6,17 @@

601({
/ nonce / 10: h'948f8860d13a463e',
/ security-level / 14: 3, / secure-restricted /
/ secure-boot / 15: true,
/ debug-status / 16: 2, / disabled-since-boot /
/ OEMID / 13: h'8945ad', / IEEE CID based /
/ UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea',
/ sumods / 20: {
/ security-level / 261: 3, / secure-restricted /
/ secure-boot / 262: true,
/ debug-status / 263: 2, / disabled-since-boot /
/ OEMID / 258: h'8945ad', / IEEE CID based /
/ UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea',
/ sumods / 266: {
"OS" : {
/ security-level / 14: 2, / restricted /
/ secure-boot / 15: true,
/ debug-status / 16: 2, / disabled-since-boot /
/ swevidence / 36: [
/ security-level / 261: 2, / restricted /
/ secure-boot / 262: true,
/ debug-status / 263: 2, / disabled-since-boot /
/ swevidence / 274: [
/ This is a byte-string wrapped /
/ evidence CoSWID. It has /
/ hashes of the main files of /
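Review bot: `/ sumods / 266: {` keeps the pre-existing typo for `submods`; since the comments are what readers use to map the numeric labels back to claim names, fix it while this line is being touched anyway.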
16 changes: 8 additions & 8 deletions cddl/examples/valid_key_store.diag
@@ -20,10 +20,10 @@

601({
/ nonce / 10: h'948f8860d13a463e',
/ security-level / 14: 3, / secure-restricted /
/ debug-status / 16: 2, / disabled-since-boot /
/ secure-boot / 15: true,
/ manifests / 35: [
/ security-level / 261: 3, / secure-restricted /
/ secure-boot / 262: true,
/ debug-status / 263: 2, / disabled-since-boot /
/ manifests / 273: [
h'da53574944a600683762623334383766
0c000169436172626f6e6974650d6331
2e320e0102a2181f75496e6475737472
@@ -49,12 +49,12 @@
c9ba860af7e0ca7ca7e9eecd0084d19c'
},

/ submods / 20 : {
/ submods / 266 : {
"HLOS" : { / submod for high-level OS /
/ nonce / 10: h'948f8860d13a463e',
/ security-level / 14: 1, / unrestricted /
/ secure-boot / 15: true,
/ manifests / 35: [
/ security-level / 261: 1, / unrestricted /
/ secure-boot / 262: true,
/ manifests / 273: [
h'da53574944a600687337
6537346b78380c000168
44726f6964204f530d65
30 changes: 15 additions & 15 deletions cddl/examples/valid_submods.diag
@@ -17,30 +17,30 @@

{
/ nonce / 10: h'948f8860d13a463e8e',
/ UEID / 11: h'0198f50a4ff6c05861c8860d13a638ea',
/ HW OEM ID / 13: h'894823', / IEEE OUI format OEM ID /
/ HW Model ID / 39: h'549dcecc8b987c737b44e40f7c635ce8'
/ UEID / 256: h'0198f50a4ff6c05861c8860d13a638ea',
/ HW OEM ID / 258: h'894823', / IEEE OUI format OEM ID /
/ HW Model ID / 259: h'549dcecc8b987c737b44e40f7c635ce8'
/ Hash of chip model name /,
/ HW Version / 26: ["1.3.4", 1], / Multipartnumeric version /
/ SW Name / 29: "Acme OS",
/ SW Version / 30: ["3.5.5", 1],
/ secure-boot / 15: true,
/ debug-disable / 16: 3, / permanent-disable /
/ HW Version / 260: ["1.3.4", 1], / Multipartnumeric version /
/ SW Name / 271: "Acme OS",
/ SW Version / 272: ["3.5.5", 1],
/ secure-boot / 262: true,
/ debug-status / 263: 3, / permanent-disable /
/ timestamp (iat) / 6: 1526542894,
/ security-level / 14: 3, / secure restricted OS /
/ submods / 20: {
/ security-level / 261: 3, / secure restricted OS /
/ submods / 266: {
/ A submodule to hold some claims about the circuit board /
"board" : {
/ HW OEM ID / 13: h'9bef8787eba13e2c8f6e7cb4b1f4619a',
/ HW Model ID / 39: h'ee80f5a66c1fb9742999a8fdab930893'
/ HW OEM ID / 258: h'9bef8787eba13e2c8f6e7cb4b1f4619a',
/ HW Model ID / 259: h'ee80f5a66c1fb9742999a8fdab930893'
/ Hash of board module name /,
/ HW Version / 26: ["2.0a", 2] / multipartnumeric+suffix /
/ HW Version / 260: ["2.0a", 2] / multipartnumeric+suffix /
},

/ A submodule to hold claims about the overall device /
"device" : {
/ HW OEM ID / 13: 61234, / PEN Format OEM ID /
/ HW Version / 26: ["4012345123456", 5] / EAN-13 format (barcode) /
/ HW OEM ID / 258: 61234, / PEN Format OEM ID /
/ HW Version / 260: ["4012345123456", 5] / EAN-13 format (barcode) /
}
}
}
8 changes: 4 additions & 4 deletions cddl/examples/valid_tee.diag
@@ -2,10 +2,10 @@

601({
/ nonce / 10: h'948f8860d13a463e',
/ security-level / 14: 3, / secure-restricted /
/ secure-boot / 15: true,
/ debug-status / 16: 2, / disabled-since-boot /
/ manfests / 35: [
/ security-level / 261: 3, / secure-restricted /
/ secure-boot / 262: true,
/ debug-status / 263: 2, / disabled-since-boot /
/ manfests / 273: [
/ This is byte-string wrapped /
/ payload CoSWID. It gives the TEE /
/ software name, the version and /
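Review bot: `/ manfests / 273` is a typo for `manifests` (the same spelling appears in valid_tee_not_tag.diag); worth fixing while the label is being renumbered so the comment matches `manifests-label` in the CDDL.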
8 changes: 4 additions & 4 deletions cddl/examples/valid_tee_not_tag.diag
@@ -2,10 +2,10 @@

{
/ nonce / 10: h'948f8860d13a463e',
/ security-level / 14: 3, / secure-restricted /
/ secure-boot / 15: true,
/ debug-status / 16: 2, / disabled-since-boot /
/ manfests / 43: [
/ security-level / 261: 3, / secure-restricted /
/ secure-boot / 262: true,
/ debug-status / 263: 2, / disabled-since-boot /
/ manfests / 273: [
/ This is byte-string wrapped payload CoSWID. It /
/ gives the TEE software name, the version and the /
/ name of the file it is in./
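Review bot: this example previously used 43 for manifests while valid_tee.diag and valid_key_store.diag used 35, so moving all of them to 273 incidentally fixes a long-standing mismatch between the examples; that is worth a sentence in the commit message, since it changes the encoded bytes for a reason unrelated to the early allocation. The `/ manfests /` spelling remains to be fixed here as well.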
4 changes: 2 additions & 2 deletions cddl/hardware-version.cddl
@@ -1,8 +1,8 @@
$$claims-set-claims //= (
hw-version-label => hw-version-type
hardware-version-label => hardware-version-type
)

hw-version-type = [
hardware-version-type = [
version: tstr,
scheme: $version-scheme
]
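Review bot: with `hw-version-label` renamed to `hardware-version-label` and `hw-version-type` to `hardware-version-type`, check that no other file still references the old names; the eat-tbd-labels.cddl and eat-tbd-labels-validate.cddl hunks in this PR show their `hw-version-label` lines going away, and any surviving reference to the old rule name would leave the CDDL with an undefined rule. The new names are consistent with `hardware-model-label`, which is a good reason to finish the rename everywhere in the same PR.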