< draft-fdb-rats-psa-endorsements-00.txt   draft-fdb-rats-psa-endorsements-01.txt >
RATS T. Fossati RATS T. Fossati
Internet-Draft Y. Deshpande Internet-Draft Y. Deshpande
Intended status: Informational Arm Ltd Intended status: Informational Arm Ltd
Expires: 12 May 2022 H. Birkholz Expires: 12 November 2022 H. Birkholz
Fraunhofer SIT Fraunhofer SIT
8 November 2021 11 May 2022
Arm's Platform Security Architecture (PSA) Attestation Verifier Arm's Platform Security Architecture (PSA) Attestation Verifier
Endorsements Endorsements
draft-fdb-rats-psa-endorsements-00 draft-fdb-rats-psa-endorsements-01
Abstract Abstract
PSA Endorsements include reference values, cryptographic key material PSA Endorsements include reference values, cryptographic key material
and certification status information that a Verifier needs in order and certification status information that a Verifier needs in order
to appraise attestation Evidence produced by a PSA device. This memo to appraise attestation Evidence produced by a PSA device. This memo
defines such PSA Endorsements as a profile of the CoRIM data model. defines such PSA Endorsements as a profile of the CoRIM data model.
Status of This Memo Status of This Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 12 May 2022. This Internet-Draft will expire on 12 November 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Revised BSD License text as
as described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 2 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 2
3. PSA Endorsements . . . . . . . . . . . . . . . . . . . . . . 3 3. PSA Endorsements . . . . . . . . . . . . . . . . . . . . . . 3
3.1. PSA Endorsement Profile . . . . . . . . . . . . . . . . . 3 3.1. PSA Endorsement Profile . . . . . . . . . . . . . . . . . 3
3.2. PSA Endorsements to PSA RoT Linkage . . . . . . . . . . . 4 3.2. PSA Endorsements to PSA RoT Linkage . . . . . . . . . . . 4
3.3. Reference Values . . . . . . . . . . . . . . . . . . . . 5 3.3. Reference Values . . . . . . . . . . . . . . . . . . . . 5
3.3.1. Software Upgrades and Patches . . . . . . . . . . . . 8 3.3.1. Software Upgrades and Patches . . . . . . . . . . . . 8
3.4. Attestation Verification Claims . . . . . . . . . . . . . 10 3.4. Attestation Verification Claims . . . . . . . . . . . . . 10
3.5. Certification Claims . . . . . . . . . . . . . . . . . . 12 3.5. Certification Claims . . . . . . . . . . . . . . . . . . 11
3.6. Endorsements Block List . . . . . . . . . . . . . . . . . 14 3.6. Endorsements Block List . . . . . . . . . . . . . . . . . 13
4. Security Considerations . . . . . . . . . . . . . . . . . . . 14 4. Security Considerations . . . . . . . . . . . . . . . . . . . 14
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
5.1. CBOR Tag Registrations . . . . . . . . . . . . . . . . . 14 5.1. CBOR Tag Registrations . . . . . . . . . . . . . . . . . 14
5.2. CoRIM Profile Registration . . . . . . . . . . . . . . . 14 5.2. CoRIM Profile Registration . . . . . . . . . . . . . . . 14
5.3. CoMID Codepoints . . . . . . . . . . . . . . . . . . . . 15 5.3. CoMID Codepoints . . . . . . . . . . . . . . . . . . . . 14
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 15 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 15
References . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Normative References . . . . . . . . . . . . . . . . . . . . . 15 Normative References . . . . . . . . . . . . . . . . . . . . . 15
Informative References . . . . . . . . . . . . . . . . . . . . 16 Informative References . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
PSA Endorsements include reference values, cryptographic key material PSA Endorsements include reference values, cryptographic key material
and certification status information that a Verifier needs in order and certification status information that a Verifier needs in order
skipping to change at page 7, line 23 skipping to change at page 7, line 23
/ comid.class / 0 : { / comid.class / 0 : {
/ comid.class-id / 0 : / comid.class-id / 0 :
/ tagged-impl-id-type / 600( / tagged-impl-id-type / 600(
h'61636d652d696d706c656d656e746174 h'61636d652d696d706c656d656e746174
696f6e2d69642d303030303030303031' 696f6e2d69642d303030303030303031'
), ),
/ comid.vendor / 1 : "ACME Ltd.", / comid.vendor / 1 : "ACME Ltd.",
/ comid.model / 2 : "Roadrunner 1.0" / comid.model / 2 : "Roadrunner 1.0"
} }
}, },
/ measurement-map / { [
/ comid.mkey / 0 : 601({ / measurement-map / {
/ psa.measurement-type / 1 : "PRoT", / comid.mkey / 0 : 601({
/ psa.version / 4 : "1.3.5", / psa.measurement-type / 1 : "PRoT",
/ psa.signer-id / 5 : h'acbb11c7e4da2172 / psa.version / 4 : "1.3.5",
05523ce4ce1a245a / psa.signer-id / 5 : h'acbb11c7e4da2172
e1a239ae3c6bfd9e 05523ce4ce1a245a
7871f7e5d8bae86b' e1a239ae3c6bfd9e
}), 7871f7e5d8bae86b'
/ comid.mval / 1 : { }),
/ comid.digests / 2 : [ / comid.mval / 1 : {
/ hash-alg-id / 1, / sha256 / / comid.digests / 2 : [
/ hash-value / h'44aa336af4cb14a8 / hash-alg-id / 1, / sha256 /
79432e53dd6571c7 / hash-value / h'44aa336af4cb14a8
fa9bccafb75f4882 79432e53dd6571c7
59262d6ea3a4d91b' fa9bccafb75f4882
] 59262d6ea3a4d91b'
]
}
} }
} ]
] ]
] ]
} }
} }
Figure 3: Example Reference Value Figure 3: Example Reference Value
3.3.1. Software Upgrades and Patches 3.3.1. Software Upgrades and Patches
In order to model software lifecycle events such as updates and In order to model software lifecycle events such as updates and
skipping to change at page 11, line 29 skipping to change at page 11, line 29
/ comid.vendor / 1 : "ACME Ltd.", / comid.vendor / 1 : "ACME Ltd.",
/ comid.model / 2 : "Roadrunner 1.0" / comid.model / 2 : "Roadrunner 1.0"
}, },
/ comid.instance / 1 : / comid.instance / 1 :
/ tagged-ueid-type / 550( / tagged-ueid-type / 550(
h'01 h'01
4ca3e4f50bf248c39787020d68ffd05c 4ca3e4f50bf248c39787020d68ffd05c
88767751bf2645ca923f57a98becd296' 88767751bf2645ca923f57a98becd296'
) )
}, },
/ verification-key-map / { [
/ comid.key / 0 : / verification-key-map / {
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgA / comid.key / 0 :
ETl4iCZ47zrRbRG0TVf0dw7VFlHtv18HInY "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgA
hnmMNybo+A1wuECyVqrDSmLt4QQzZPBECV8 ETl4iCZ47zrRbRG0TVf0dw7VFlHtv18HInY
ANHS5HgGCCSr7E/Lg==" hnmMNybo+A1wuECyVqrDSmLt4QQzZPBECV8
} ANHS5HgGCCSr7E/Lg=="
}
]
] ]
] ]
} }
} }
Figure 5: Example Attestation Verification Claim Figure 5: Example Attestation Verification Claim
3.5. Certification Claims 3.5. Certification Claims
PSA Certified [PSA-CERTIFIED] defines a certification scheme for the PSA Certified [PSA-CERTIFIED] defines a certification scheme for the
skipping to change at page 14, line 48 skipping to change at page 14, line 36
+-----+--------------+-----------------------------------+ +-----+--------------+-----------------------------------+
| 601 | tagged map | PSA Software Component Identifier | | 601 | tagged map | PSA Software Component Identifier |
| | | (Section 3.3 of RFCTHIS) | | | | (Section 3.3 of RFCTHIS) |
+-----+--------------+-----------------------------------+ +-----+--------------+-----------------------------------+
Table 1: CoRIM CBOR Tags Table 1: CoRIM CBOR Tags
5.2. CoRIM Profile Registration 5.2. CoRIM Profile Registration
IANA is requested to register the following profile value in the IANA is requested to register the following profile value in the
// TODO // TODO CoRIM registry.
+==========================+======+============================+ +==========================+======+============================+
| Profile Value | Type | Semantics | | Profile Value | Type | Semantics |
+==========================+======+============================+ +==========================+======+============================+
| http://arm.com/psa/iot/1 | uri | The CoRIM profile | | http://arm.com/psa/iot/1 | uri | The CoRIM profile |
| | | specified by this document | | | | specified by this document |
+--------------------------+------+----------------------------+ +--------------------------+------+----------------------------+
Table 2: PSA profile for CoRIM Table 2: PSA profile for CoRIM
5.3. CoMID Codepoints 5.3. CoMID Codepoints
skipping to change at page 15, line 38 skipping to change at page 15, line 25
Acknowledgements Acknowledgements
// TODO // TODO
References References
Normative References Normative References
[CoRIM] Birkholz, H., Fossati, T., Deshpande, Y., Smith, N., and [CoRIM] Birkholz, H., Fossati, T., Deshpande, Y., Smith, N., and
W. Pan, "Concise Reference Integrity Manifest", Work in W. Pan, "Concise Reference Integrity Manifest", Work in
Progress, Internet-Draft, draft-birkholz-rats-corim-01, 26 Progress, Internet-Draft, draft-birkholz-rats-corim-02, 26
July 2021, <https://www.ietf.org/archive/id/draft- January 2022, <https://www.ietf.org/archive/id/draft-
birkholz-rats-corim-01.txt>. birkholz-rats-corim-02.txt>.
[IANA.cbor-tags] [IANA.cbor-tags]
IANA, "Concise Binary Object Representation (CBOR) Tags", IANA, "Concise Binary Object Representation (CBOR) Tags",
<http://www.iana.org/assignments/cbor-tags>. <https://www.iana.org/assignments/cbor-tags>.
[PSA-TOKEN] [PSA-TOKEN]
Tschofenig, H., Frost, S., Brossard, M., Shaw, A., and T. Tschofenig, H., Frost, S., Brossard, M., Shaw, A., and T.
Fossati, "Arm's Platform Security Architecture (PSA) Fossati, "Arm's Platform Security Architecture (PSA)
Attestation Token", Work in Progress, Internet-Draft, Attestation Token", Work in Progress, Internet-Draft,
draft-tschofenig-rats-psa-token-08, 24 March 2021, draft-tschofenig-rats-psa-token-09, 7 March 2022,
<https://www.ietf.org/archive/id/draft-tschofenig-rats- <https://www.ietf.org/archive/id/draft-tschofenig-rats-
psa-token-08.txt>. psa-token-09.txt>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
skipping to change at page 16, line 37 skipping to change at page 16, line 18
Informative References Informative References
[PSA-CERTIFIED] [PSA-CERTIFIED]
"PSA Certified", 2021, <https://www.psacertified.org>. "PSA Certified", 2021, <https://www.psacertified.org>.
[RATS-ARCH] [RATS-ARCH]
Birkholz, H., Thaler, D., Richardson, M., Smith, N., and Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote Attestation Procedures Architecture", Work W. Pan, "Remote Attestation Procedures Architecture", Work
in Progress, Internet-Draft, draft-ietf-rats-architecture- in Progress, Internet-Draft, draft-ietf-rats-architecture-
12, 23 April 2021, <https://www.ietf.org/archive/id/draft- 15, 8 February 2022, <https://www.ietf.org/archive/id/
ietf-rats-architecture-12.txt>. draft-ietf-rats-architecture-15.txt>.
Authors' Addresses Authors' Addresses
Thomas Fossati Thomas Fossati
Arm Ltd Arm Ltd
Email: thomas.fossati@arm.com Email: thomas.fossati@arm.com
Yogesh Deshpande Yogesh Deshpande
Arm Ltd Arm Ltd
Email: yogesh.deshpande@arm.com Email: yogesh.deshpande@arm.com
Henk Birkholz Henk Birkholz
Fraunhofer SIT Fraunhofer SIT
Email: henk.birkholz@sit.fraunhofer.de Email: henk.birkholz@sit.fraunhofer.de
 End of changes. 21 change blocks. 
48 lines changed or deleted 51 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/