
Commit 70d567e

yogeshbdeshpandethomas-fossati
authored andcommitted
feat(scheme)!: implement CCA realm provisioning and verification
1. add "composite" Arm CCA scheme 2. add CCA Realm provisioning and verification 3. refactor common CCA components for use by other CCA-based schemes 4. modify integration tests to take care of composite attesters BREAKING CHANGE: the EAR for CCA appraisal has a new “CCA_REALM” submod with details about Realm appraisal Signed-off-by: Yogesh Deshpande <[email protected]>
1 parent 68a72eb commit 70d567e

131 files changed

+2896
-1205
lines changed


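--- a/builtin/schemes.gen.go
+++ b/builtin/schemes.gen.go
@@ -3,7 +3,7 @@ package builtin
 import (
 "github.com/veraison/services/plugin"
 
-scheme1 "github.com/veraison/services/scheme/cca-ssd-platform"
+scheme1 "github.com/veraison/services/scheme/arm-cca"
 scheme4 "github.com/veraison/services/scheme/psa-iot"
 scheme2 "github.com/veraison/services/scheme/riot"
 scheme3 "github.com/veraison/services/scheme/tpm-enacttrust"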

end-to-end/corimCcaRealm.cbor

763 Bytes
Binary file not shown.
@@ -0,0 +1,79 @@
1+
{
2+
"lang": "en-GB",
3+
"tag-identity": {
4+
"id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16",
5+
"version": 0
6+
},
7+
"entities": [
8+
{
9+
"name": "Workload Client Ltd.",
10+
"regid": "https://workloadclient.example",
11+
"roles": [
12+
"tagCreator",
13+
"creator",
14+
"maintainer"
15+
]
16+
}
17+
],
18+
"triples": {
19+
"reference-values": [
20+
{
21+
"environment": {
22+
"class": {
23+
"id": {
24+
"type": "uuid",
25+
"value": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C"
26+
},
27+
"vendor": "Workload Client Ltd"
28+
},
29+
"instance": {
30+
"type": "bytes",
31+
"value": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
32+
}
33+
},
34+
"measurements": [
35+
{
36+
"value": {
37+
"raw-value": {
38+
"type": "bytes",
39+
"value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA=="
40+
},
41+
"integrity-registers": {
42+
"rim": {
43+
"key-type": "text",
44+
"value": [
45+
"sha-512;Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
46+
]
47+
},
48+
"rem0": {
49+
"key-type": "text",
50+
"value": [
51+
"sha-512;Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
52+
]
53+
},
54+
"rem1": {
55+
"key-type": "text",
56+
"value": [
57+
"sha-512;Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
58+
]
59+
},
60+
"rem2": {
61+
"key-type": "text",
62+
"value": [
63+
"sha-512;Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
64+
]
65+
},
66+
"rem3": {
67+
"key-type": "text",
68+
"value": [
69+
"sha-512;Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
70+
]
71+
}
72+
}
73+
}
74+
}
75+
]
76+
}
77+
]
78+
}
79+
}

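--- a/scheme/psa-iot/test/corimCcaNoProfile.json
+++ b/end-to-end/input/corim-src/corim-cca-realm.json
@@ -1,10 +1,7 @@
 {
 "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc",
-"dependent-rims": [
-{
-"href": "https://parent.example/rims/ccb3aa85-61b4-40f1-848e-02ad6e8a254b",
-"thumbprint": "sha-256:5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXU="
-}
+"profiles": [
+"http://arm.com/cca/realm/1"
 ],
 "validity": {
 "not-before": "2021-12-31T00:00:00Z",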
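Review bot: This fixture is moved out of `scheme/psa-iot/test/` into the end-to-end inputs while its content also changes (the `dependent-rims` block is replaced by a `profiles` entry naming `http://arm.com/cca/realm/1`), so any psa-iot unit test that still loads `corimCcaNoProfile.json` would no longer find it. I cannot see that test directory in the part of the commit shown here, so please confirm the test was removed or repointed. A CoRIM that deliberately carries no profile and one that declares the realm profile serve different test purposes, so leaving a copy of the old fixture in place and adding the new one separately may be the cleaner option.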

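--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/hashicorp/go-hclog v1.2.0
 github.com/hashicorp/go-plugin v1.4.4
 github.com/jellydator/ttlcache/v3 v3.0.0
-github.com/json-iterator/go v1.1.12
+github.com/json-iterator/go v1.1.12 // indirect
 github.com/lestrrat-go/jwx/v2 v2.0.11
 github.com/mattn/go-sqlite3 v1.14.14
 github.com/mitchellh/mapstructure v1.5.0
@@ -29,7 +29,7 @@ require (
 github.com/tbaehler/gin-keycloak v1.5.0
 github.com/veraison/ccatoken v1.1.0
 github.com/veraison/cmw v0.1.0
-github.com/veraison/corim v1.1.2
+github.com/veraison/corim v1.1.3-0.20240615102753-72283bb916a0
 github.com/veraison/dice v0.0.1
 github.com/veraison/ear v1.1.2
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53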
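Review bot: The `github.com/veraison/corim` requirement in the second hunk is pinned to the pseudo-version `v1.1.3-0.20240615102753-72283bb916a0`, i.e. an untagged commit rather than a release. The realm profile handling added elsewhere in this commit presumably depends on that commit, so it is worth either waiting for a tagged corim release before merging or stating in the commit message which corim change is needed, since a pseudo-version makes it harder to audit what is pulled in and to pick up fixes through a normal version bump. The `// indirect` marker added to json-iterator in the first hunk looks like ordinary `go mod tidy` output and needs no action.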

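--- a/go.sum
+++ b/go.sum
@@ -1064,8 +1064,8 @@ github.com/veraison/ccatoken v1.1.0 h1:U0Z5fOQRsdz3ksvvxVzTITczo+kfRxIlkWahJNP6I
 github.com/veraison/ccatoken v1.1.0/go.mod h1:qh/KBwsrhPyGJqttlh8PU56wt1rPkUCX9A3ZAA/53Nc=
 github.com/veraison/cmw v0.1.0 h1:vD6tBlGPROCW/HlDcG1jh+XUJi5ihrjXatKZBjrv8mU=
 github.com/veraison/cmw v0.1.0/go.mod h1:WoBrlgByc6C1FeHhdze1/bQx1kv5d1sWKO5ezEf4Hs4=
-github.com/veraison/corim v1.1.2 h1:JIk6ZK/OzKEb0FJUFHSnmkn67yyGy+5NChYax0bwttA=
-github.com/veraison/corim v1.1.2/go.mod h1:yoN6+vVQJgzS926nheCbJi68SvOlN0CpiPuTxYSe5FU=
+github.com/veraison/corim v1.1.3-0.20240615102753-72283bb916a0 h1:FgWzsb/wUxeeKZ3Dd3NOTnwHBJ397EPNiF3o3ZJ/64o=
+github.com/veraison/corim v1.1.3-0.20240615102753-72283bb916a0/go.mod h1:KB6TVcLcz1QppfzoyIesUMfdYodI/ndg7bqBdtqgc90=
 github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4=
 github.com/veraison/dice v0.0.1/go.mod h1:QPMLc5LVMj08VZ+HNMYk4XxWoVYGAUBVm8Rd5V1hzxs=
 github.com/veraison/ear v1.1.2 h1:Xs41FqAG8IyJaceqNFcX2+nf51Et1uyhmCJV8SZqw/8=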

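--- a/integration-tests/data/results/cca.freshness-fail.json
+++ b/integration-tests/data/results/cca.freshness-fail.json
@@ -1,18 +1,19 @@
 {
-"ear.appraisal-policy-id": "policy:CCA_SSD_PLATFORM",
-"ear.status": "contraindicated",
-"ear.trustworthiness-vector": {
-"configuration": 99,
-"executables": 99,
-"file-system": 99,
-"hardware": 99,
-"instance-identity": 99,
-"runtime-opaque": 99,
-"sourced-data": 99,
-"storage-opaque": 99
-},
-"ear.veraison.policy-claims": {
-"problem": "integrity validation failed"
-}
+"ARM_CCA": {
+"ear.appraisal-policy-id": "policy:ARM_CCA",
+"ear.status": "contraindicated",
+"ear.trustworthiness-vector": {
+"configuration": 99,
+"executables": 99,
+"file-system": 99,
+"hardware": 99,
+"instance-identity": 99,
+"runtime-opaque": 99,
+"sourced-data": 99,
+"storage-opaque": 99
+},
+"ear.veraison.policy-claims": {
+"problem": "integrity validation failed"
+}
+}
 }
-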
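Review bot: The expected failure result nests the appraisal under a single `ARM_CCA` submod, while the success-case result in the +77-63 section further down this page nests it under `CCA_SSD_PLATFORM` and `CCA_REALM`, so the EAR shape a relying party sees differs depending on whether appraisal succeeded. If that is intentional (for example because a freshness failure is detected before the composite appraisal splits into per-attester submods), a sentence in the scheme documentation next to these fixtures stating that failures are reported under the composite scheme name would save the next reader from treating it as a bug; otherwise the failure path should emit the same two submod keys, each with `contraindicated` status. The BREAKING CHANGE note in the description only mentions the new `CCA_REALM` submod, so the move of the failure result from a flat object to an `ARM_CCA` submod is worth calling out there as well.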
+77-63
@@ -1,66 +1,80 @@
11
{
2-
"ear.status": "affirming",
3-
"ear.trustworthiness-vector": {
4-
"configuration": 2,
5-
"executables": 2,
6-
"file-system": 0,
7-
"hardware": 2,
8-
"instance-identity": 2,
9-
"runtime-opaque": 2,
10-
"sourced-data": 0,
11-
"storage-opaque": 2
2+
"CCA_SSD_PLATFORM": {
3+
"ear.status": "affirming",
4+
"ear.trustworthiness-vector": {
5+
"configuration": 2,
6+
"executables": 2,
7+
"file-system": 0,
8+
"hardware": 2,
9+
"instance-identity": 2,
10+
"runtime-opaque": 2,
11+
"sourced-data": 0,
12+
"storage-opaque": 2
13+
},
14+
"ear.appraisal-policy-id": "policy:ARM_CCA",
15+
"ear.veraison.annotated-evidence": {
16+
"cca-platform-challenge": "Bea1iETGoM0ZOCBpuv2w5JRmKjrc+P3hFHjpM5Ua8XkP9d5ceOPbESPaCiB6i2ZVbgoi8Z7mS9wviZU7azJVXw==",
17+
"cca-platform-config": "AQID",
18+
"cca-platform-hash-algo-id": "sha-256",
19+
"cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
20+
"cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
21+
"cca-platform-lifecycle": 12288,
22+
"cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
23+
"cca-platform-service-indicator": "https://veraison.example/v1/challenge-response",
24+
"cca-platform-sw-components": [
25+
{
26+
"measurement-type": "BL",
27+
"measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
28+
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
29+
"version": "3.4.2"
1230
},
13-
"ear.appraisal-policy-id": "policy:CCA_SSD_PLATFORM",
14-
"ear.veraison.annotated-evidence": {
15-
"platform": {
16-
"cca-platform-challenge": "Bea1iETGoM0ZOCBpuv2w5JRmKjrc+P3hFHjpM5Ua8XkP9d5ceOPbESPaCiB6i2ZVbgoi8Z7mS9wviZU7azJVXw==",
17-
"cca-platform-config": "AQID",
18-
"cca-platform-hash-algo-id": "sha-256",
19-
"cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
20-
"cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
21-
"cca-platform-lifecycle": 12288,
22-
"cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
23-
"cca-platform-service-indicator": "https://veraison.example/v1/challenge-response",
24-
"cca-platform-sw-components": [
25-
{
26-
"measurement-type": "BL",
27-
"measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
28-
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
29-
"version": "3.4.2"
30-
},
31-
{
32-
"measurement-type": "M1",
33-
"measurement-value": "CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
34-
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
35-
"version": "1.2.0"
36-
},
37-
{
38-
"measurement-type": "M2",
39-
"measurement-value": "DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
40-
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
41-
"version": "1.2.3"
42-
},
43-
{
44-
"measurement-type": "M3",
45-
"measurement-value": "EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
46-
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
47-
"version": "1.0.0"
48-
}
49-
]
50-
},
51-
"realm": {
52-
"cca-realm-challenge": "byTWuWNaLIu/WOkIuU4Ewb+zroDN6+gyQkV4SZ/jF2Hn9eHYvOASGET1Sr36UobaiPU6ZXsVM1yTlrQyklS8XA==",
53-
"cca-realm-extensible-measurements": [
54-
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
55-
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
56-
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
57-
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
58-
],
59-
"cca-realm-hash-algo-id": "sha-256",
60-
"cca-realm-initial-measurement": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
61-
"cca-realm-personalization-value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==",
62-
"cca-realm-public-key": "BIL70TKptcOWh5+7FTQNkFCXjlXHnVJ5oroOlYVPN+IM0vZPO3K1cLvXc+7iznaEJe31Re2+if+v4OlrvUbicPIHlsRIuY2vRqdk0nRC5ubthPjOyBfm7ManHTo959Z+zQ==",
63-
"cca-realm-public-key-hash-algo-id": "sha-512"
64-
}
65-
}
31+
{
32+
"measurement-type": "M1",
33+
"measurement-value": "CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
34+
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
35+
"version": "1.2.0"
36+
},
37+
{
38+
"measurement-type": "M2",
39+
"measurement-value": "DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
40+
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
41+
"version": "1.2.3"
42+
},
43+
{
44+
"measurement-type": "M3",
45+
"measurement-value": "EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
46+
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
47+
"version": "1.0.0"
48+
}
49+
]
50+
}
51+
},
52+
"CCA_REALM": {
53+
"ear.appraisal-policy-id": "policy:ARM_CCA",
54+
"ear.status": "warning",
55+
"ear.trustworthiness-vector": {
56+
"configuration": 0,
57+
"executables": 33,
58+
"file-system": 0,
59+
"hardware": 0,
60+
"instance-identity": 2,
61+
"runtime-opaque": 0,
62+
"sourced-data": 0,
63+
"storage-opaque": 0
64+
},
65+
"ear.veraison.annotated-evidence": {
66+
"cca-realm-challenge": "byTWuWNaLIu/WOkIuU4Ewb+zroDN6+gyQkV4SZ/jF2Hn9eHYvOASGET1Sr36UobaiPU6ZXsVM1yTlrQyklS8XA==",
67+
"cca-realm-extensible-measurements": [
68+
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
69+
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
70+
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
71+
"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
72+
],
73+
"cca-realm-hash-algo-id": "sha-256",
74+
"cca-realm-initial-measurement": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
75+
"cca-realm-personalization-value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==",
76+
"cca-realm-public-key": "BIL70TKptcOWh5+7FTQNkFCXjlXHnVJ5oroOlYVPN+IM0vZPO3K1cLvXc+7iznaEJe31Re2+if+v4OlrvUbicPIHlsRIuY2vRqdk0nRC5ubthPjOyBfm7ManHTo959Z+zQ==",
77+
"cca-realm-public-key-hash-algo-id": "sha-512"
78+
}
79+
}
6680
}
