ACA fails on Platform Version check #723
Comments
cyrus-dev
added a commit
that referenced
this issue
Mar 6, 2024
[#723] Update Provisioning for Version value
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem: The "Platform Version" field as described in section 2.1.5.6 of the v1.1 version of the TCG platform cert spec is listed as a MUST in the table of section 2.1.5 so a Verifier is obligated to check/process it. It does have the following note: "platform version is encoded as a string and is the manufacturer-specific implementation version of the platform", so a manufacturer could technically add whatever value it wanted. Any value, however, makes it rather difficult for Verifier to match in this case.
The Platform Version attribute within a Platform Certificate typically defaults to either "Unknown" or "Not Specified" if the platform does not track its version (many devices will typically change a model number versus tracking a version). This can lead to a mis-compare by the ACA during the provisioning process (i.e. a false negative).
Proposed solution: If the ACA finds a Platform Version field within a Platform certificate with a value of either "Unknown" or "Not Specified" (not case sensitive) it should skip the comparison with the actual value returned from the provisioner. If it is not one of the the two values it should proceed with the comparison.
The text was updated successfully, but these errors were encountered: