diff --git a/.github/workflows/archive.yml b/.github/workflows/archive.yml index 19d125f..dd9429a 100644 --- a/.github/workflows/archive.yml +++ b/.github/workflows/archive.yml @@ -37,6 +37,6 @@ jobs: token: ${{ github.token }} - name: "Save Archive" - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: path: archive.json diff --git a/.github/workflows/ghpages.yml b/.github/workflows/ghpages.yml index ed9b441..a1bf36e 100644 --- a/.github/workflows/ghpages.yml +++ b/.github/workflows/ghpages.yml @@ -51,7 +51,7 @@ jobs: token: ${{ github.token }} - name: "Archive Built Drafts" - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: path: | draft-*.html diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 264812f..8981ed4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -50,6 +50,6 @@ jobs: make: upload "UPLOAD_EMAIL=${{ inputs.email }}" - name: "Archive Submitted Drafts" - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: path: "versioned/draft-*-[0-9][0-9].*" diff --git a/cddl/Makefile b/cddl/Makefile index 868cae1..1b911dd 100644 --- a/cddl/Makefile +++ b/cddl/Makefile @@ -1,4 +1,4 @@ -.DEFAULT_GOAL := all +.DEFAULT_GOAL := check MAKECMDGOALS ?= $(.DEFAULT_GOAL) SUBDIRS := platform diff --git a/cddl/check.mk b/cddl/check.mk index 9c5ca87..e8af886 100644 --- a/cddl/check.mk +++ b/cddl/check.mk @@ -21,11 +21,14 @@ check-$(1)-examples: $(1)-autogen.cddl $(3:.diag=.cbor) $$(cddl) $$< validate $$$$f &>/dev/null || exit 1 ; \ echo ">> saving prettified CBOR to $$$${f%.cbor}.pretty" ; \ $$(cbor2pretty) $$$$f > $$$${f%.cbor}.pretty ; \ + echo ">> saving hexified CBOR to $$$${f%.cbor}.hex" ; \ + $$(xxd) -p $$$$f > $$$${f%.cbor}.hex ; \ done .PHONY: check-$(1)-examples CLEANFILES += $(3:.diag=.cbor) CLEANFILES += $(3:.diag=.pretty) +CLEANFILES += $(3:.diag=.hex) endef # cddl_check_template 
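Review bot: The added `xxd` step in cddl/check.mk does not check its exit status, so a failed conversion leaves an empty or partial `.hex` file while the loop still reports success. The validate line earlier in the same loop ends in `|| exit 1`, and the new line should do the same: `$$(xxd) -p $$$$f > $$$${f%.cbor}.hex || exit 1 ; \`. This matters because the draft now includes `cddl/top/examples/1.hex` in the published text, so a truncated file would go out unnoticed. The `cddl_check_template` definition starts above this hunk, so the rest of the recipe is not visible here.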
diff --git a/cddl/misc/pak.diag b/cddl/misc/pak.diag new file mode 100644 index 0000000..bfd67c6 --- /dev/null +++ b/cddl/misc/pak.diag @@ -0,0 +1,7 @@ +{ + / kty / 1: 2, / EC2 / + / crv / -1: 2, / P-384 / + / x-coordinate / -2: h'212867C52E2B9508B0A420A90560F394D2DFAA21BDD7514FF1A901AFE7E1F78BB11D4E66F8A8A38AFA76AF6A31C4DE8C', + / y-coordinate / -3: h'84CE2DAFC9964258B53FAD718774F45620D111B176E8318E1187DB0235A318D37BA597FEE80E0E4C762A12BCB3EA6ED4', + / private key / -4: h'8AC090C995869F61AC1358F02B021A26AB6EB386203AC735D7CE9855538B91F74C44B0D580243EFB799A293DCBAA0899' +} diff --git a/cddl/misc/rak.diag b/cddl/misc/rak.diag new file mode 100644 index 0000000..9fc2e8b --- /dev/null +++ b/cddl/misc/rak.diag @@ -0,0 +1,7 @@ +{ + / kty / 1: 2, / EC2 / + / crv / -1: 2, / P-384 / + / x-coordinate / -2: h'76F988091BE585ED41801AECFAB858548C63057E16B0E676120BBD0D2F9C29E056C5D41A0130EB9C21517899DC23146B', + / y-coordinate / -3: h'28E1B062BD3EA4B315FD219F1CBB528CB6E74CA49BE16773734F61A1CA61031B2BBF3D918F2F94FFC4228E50919544AE', + / private key / -4: h'2011C7F03CEE4325176E524F033C0CE1E21A76E6C1A4F0B839AA1DF61E0E8A5C8A05740F9B69EFA7EB1A4185BD117F68' +} diff --git a/cddl/platform/arm-platform-hash-types.cddl b/cddl/platform/arm-platform-hash-types.cddl index 7bf3f35..0de1930 100644 --- a/cddl/platform/arm-platform-hash-types.cddl +++ b/cddl/platform/arm-platform-hash-types.cddl @@ -1,2 +1,3 @@ -arm-platform-hash-type = bytes .size 32 / bytes .size 48 / bytes .size 64 - +arm-platform-hash-type = bytes .size 32 / + bytes .size 48 / + bytes .size 64 diff --git a/cddl/platform/arm-platform-implementation-id.cddl b/cddl/platform/arm-platform-implementation-id.cddl index 12a27f1..a4ce59c 100644 --- a/cddl/platform/arm-platform-implementation-id.cddl +++ b/cddl/platform/arm-platform-implementation-id.cddl 
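Review bot: pak.diag and rak.diag both commit the private scalar (label `-4`) of a P-384 key, and nothing in either file says these are published sample keys. Add a diagnostic-notation comment at the top of each, for example `/ Sample key for the examples in this draft only; it is public and must never be provisioned on a device /`. An explicit marker also gives maintainers something to point to when a secret scanner flags these files. The draft subsections that include them would benefit from the same sentence.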
@@ -2,6 +2,7 @@ arm-platform-implementation-id-label = 2396 ; PSA implementation ID arm-platform-implementation-id-type = bytes .size 32 arm-platform-implementation-id = ( - arm-platform-implementation-id-label => arm-platform-implementation-id-type + arm-platform-implementation-id-label => + arm-platform-implementation-id-type ) diff --git a/cddl/platform/arm-platform-instance-id.cddl b/cddl/platform/arm-platform-instance-id.cddl index 381b9f1..201cef8 100644 --- a/cddl/platform/arm-platform-instance-id.cddl +++ b/cddl/platform/arm-platform-instance-id.cddl @@ -1,8 +1,6 @@ arm-platform-instance-id-label = 256 ; EAT ueid -; TODO: require that the first byte of arm-platform-instance-id-type is 0x01 -; EAT UEIDs need to be 7 - 33 bytes -arm-platform-instance-id-type = bytes .size 33 +arm-platform-instance-id-type = eat-ueid-rand-type arm-platform-instance-id = ( arm-platform-instance-id-label => arm-platform-instance-id-type diff --git a/cddl/platform/arm-platform-verification-service-indicator.cddl b/cddl/platform/arm-platform-verification-service-indicator.cddl index a174de0..6881408 100644 --- a/cddl/platform/arm-platform-verification-service-indicator.cddl +++ b/cddl/platform/arm-platform-verification-service-indicator.cddl @@ -1,4 +1,5 @@ -arm-platform-verification-service-label = 2400 ; PSA verification service +; PSA verification service +arm-platform-verification-service-label = 2400 arm-platform-verification-service-type = text arm-platform-verification-service = ( diff --git a/cddl/platform/eat-ueid-rand.cddl b/cddl/platform/eat-ueid-rand.cddl new file mode 100644 index 0000000..eb30767 --- /dev/null +++ b/cddl/platform/eat-ueid-rand.cddl @@ -0,0 +1,9 @@ +eat-ueid-rand-type = bytes .join eat-ueid-rand-fmt + +eat-ueid-rand-fmt = [ + ; the type byte is 0x01 + ueid-rand-typ + bytes .size 32 +] + +ueid-rand-typ = h'01' diff --git a/cddl/platform/examples/3.diag b/cddl/platform/examples/3.diag index a26f62d..ffd6297 100644 --- a/cddl/platform/examples/3.diag 
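Review bot: `eat-ueid-rand-type` in the new eat-ueid-rand.cddl relies on the `.join` control operator, so `make check` now depends on a cddl tool release that implements it. The tools.mk hunk in this commit only adds a presence test for xxd, and whether the existing cddl test checks a version is not visible here. If it does not, an older tool will presumably reject the schema with a parse error rather than a clear message. A header comment stating the resulting shape would also help, e.g. `; EAT UEID, RAND type: 0x01 followed by 32 bytes (33 bytes in total)`, which ties the rule to the length requirement in the draft text.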
+++ b/cddl/platform/examples/3.diag 
@@ -1,25 +1,90 @@ { - 265: "tag:arm.com,2023:cca_platform#1.0.0", - 10: h'0D22E08A98469058486318283489BDB36F09DBEFEB1864DF433FA6E54EA2D711', - 2396: h'7F454C4602010100000000000000000003003E00010000005058000000000000', - 256: h'0107060504030201000F0E0D0C0B0A090817161514131211101F1E1D1C1B1A1918', - 2401: h'CFCFCFCF', - 2395: 12291, - 2402: "sha-256", - 2400: "https://veraison.example/.well-known/veraison/verification", - 2399: [ - { 1: "RSE_BL1_2", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'9A271F2A916B0B6EE6CECB2426F0B3206EF074578BE55D9BC94F6F3FE3AB86AA', 6: "sha-256" }, - { 1: "RSE_BL2", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'53C234E5E8472B6AC51C1AE1CAB3FE06FAD053BEB8EBFD8977B010655BFDD3C3', 6: "sha-256" }, - { 1: "RSE_S", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'1121CFCCD5913F0A63FEC40A6FFD44EA64F9DC135C66634BA001D10BCF4302A2', 6: "sha-256" }, - { 1: "AP_BL1", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'1571B5EC78BD68512BF7830BB6A2A44B2047C7DF57BCE79EB8A1C0E5BEA0A501', 6: "sha-256" }, - { 1: "AP_BL2", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'10159BAF262B43A92D95DB59DAE1F72C645127301661E0A3CE4E38B295A97C58', 6: "sha-256" }, - { 1: "SCP_BL1", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'10122E856B3FCD49F063636317476149CB730A1AA1CFAAD818552B72F56D6F68', 6: "sha-256" }, - { 1: "SCP_BL2", 5: h'F14B4987904BCB5814E4459A057ED4D20F58A633152288A761214DCD28780B56', 2: h'AA67A169B0BBA217AA0AA88A65346920C84C42447C36BA5F7EA65F422C1FE5D8', 6: "sha-256" }, - { 1: "AP_BL31", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'2E6D31A5983A91251BFAE5AEFA1C0A19D8BA3CF601D0E8A706B4CFA9661A6B8A', 6: "sha-256" }, - { 1: "RMM", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: 
h'A1FB50E6C86FAE1679EF3351296FD6713411A08CF8DD1790A4FD05FAE8688164', 6: "sha-256" }, - { 1: "HW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'1A252402972F6057FA53CC172B52B9FFCA698E18311FACD0F3B06ECAAEF79E17', 6: "sha-256" }, - { 1: "FW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'9A92ADBC0CEE38EF658C71CE1B1BF8C65668F166BFB213644C895CCB1AD07A25', 6: "sha-256" }, - { 1: "TB_FW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'238903180CC104EC2C5D8B3F20C5BC61B389EC0A967DF8CC208CDC7CD454174F', 6: "sha-256" }, - { 1: "SOC_FW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'E6C21E8D260FE71882DEBDB339D2402A2CA7648529BC2303F48649BCE0380017', 6: "sha-256" } - ] + 265:"tag:arm.com,2023:cca_platform#1.0.0", + 10:h'0D22E08A98469058486318283489BDB36F09DBEFEB1864DF433FA6E54EA2D711', + 2396:h'7F454C4602010100000000000000000003003E00010000005058000000000000', + 256:h'0107060504030201000F0E0D0C0B0A090817161514131211101F1E1D1C1B1A1918', + 2401:h'CFCFCFCF', + 2395:12291, + 2402:"sha-256", + 2400:"https://veraison.example/.well-known/veraison/verification", + 2399:[ + { + 1:"RSE_BL1_2", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'9A271F2A916B0B6EE6CECB2426F0B3206EF074578BE55D9BC94F6F3FE3AB86AA', + 6:"sha-256" + }, + { + 1:"RSE_BL2", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'53C234E5E8472B6AC51C1AE1CAB3FE06FAD053BEB8EBFD8977B010655BFDD3C3', + 6:"sha-256" + }, + { + 1:"RSE_S", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'1121CFCCD5913F0A63FEC40A6FFD44EA64F9DC135C66634BA001D10BCF4302A2', + 6:"sha-256" + }, + { + 1:"AP_BL1", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'1571B5EC78BD68512BF7830BB6A2A44B2047C7DF57BCE79EB8A1C0E5BEA0A501', + 6:"sha-256" + }, + { + 1:"AP_BL2", + 
5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'10159BAF262B43A92D95DB59DAE1F72C645127301661E0A3CE4E38B295A97C58', + 6:"sha-256" + }, + { + 1:"SCP_BL1", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'10122E856B3FCD49F063636317476149CB730A1AA1CFAAD818552B72F56D6F68', + 6:"sha-256" + }, + { + 1:"SCP_BL2", + 5:h'F14B4987904BCB5814E4459A057ED4D20F58A633152288A761214DCD28780B56', + 2:h'AA67A169B0BBA217AA0AA88A65346920C84C42447C36BA5F7EA65F422C1FE5D8', + 6:"sha-256" + }, + { + 1:"AP_BL31", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'2E6D31A5983A91251BFAE5AEFA1C0A19D8BA3CF601D0E8A706B4CFA9661A6B8A', + 6:"sha-256" + }, + { + 1:"RMM", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'A1FB50E6C86FAE1679EF3351296FD6713411A08CF8DD1790A4FD05FAE8688164', + 6:"sha-256" + }, + { + 1:"HW_CONFIG", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'1A252402972F6057FA53CC172B52B9FFCA698E18311FACD0F3B06ECAAEF79E17', + 6:"sha-256" + }, + { + 1:"FW_CONFIG", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'9A92ADBC0CEE38EF658C71CE1B1BF8C65668F166BFB213644C895CCB1AD07A25', + 6:"sha-256" + }, + { + 1:"TB_FW_CONFIG", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'238903180CC104EC2C5D8B3F20C5BC61B389EC0A967DF8CC208CDC7CD454174F', + 6:"sha-256" + }, + { + 1:"SOC_FW_CONFIG", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'E6C21E8D260FE71882DEBDB339D2402A2CA7648529BC2303F48649BCE0380017', + 6:"sha-256" + } + ] } diff --git a/cddl/platform/frags.mk b/cddl/platform/frags.mk index b85737e..6745cbc 100644 --- a/cddl/platform/frags.mk +++ b/cddl/platform/frags.mk 
@@ -9,5 +9,6 @@ PLATFORM_FRAGS += arm-platform-profile.cddl PLATFORM_FRAGS += arm-platform-security-lifecycle.cddl PLATFORM_FRAGS += arm-platform-software-components.cddl PLATFORM_FRAGS += arm-platform-verification-service-indicator.cddl +PLATFORM_FRAGS += eat-ueid-rand.cddl PLATFORM_EXAMPLES := $(wildcard examples/*.diag) diff --git a/cddl/realm/cca-realm-claims.cddl b/cddl/realm/cca-realm-claims.cddl index 9bf95a1..6f67942 100644 --- a/cddl/realm/cca-realm-claims.cddl +++ b/cddl/realm/cca-realm-claims.cddl @@ -9,5 +9,4 @@ cca-realm-claim-map = { cca-realm-hash-algo-id cca-realm-public-key cca-realm-public-key-hash-algo-id - cca-realm-mec-policy } diff --git a/cddl/realm/cca-realm-extensible-measurements.cddl b/cddl/realm/cca-realm-extensible-measurements.cddl index 998bd66..789c8f9 100644 --- a/cddl/realm/cca-realm-extensible-measurements.cddl +++ b/cddl/realm/cca-realm-extensible-measurements.cddl @@ -1,5 +1,6 @@ cca-realm-extensible-measurements-label = 44239 cca-realm-extensible-measurements = ( - cca-realm-extensible-measurements-label => [ 4*4 cca-realm-measurement-type ] + cca-realm-extensible-measurements-label => + [ 4*4 cca-realm-measurement-type ] ) diff --git a/cddl/realm/cca-realm-personalization-value.cddl b/cddl/realm/cca-realm-personalization-value.cddl index 66559c9..09e0294 100644 --- a/cddl/realm/cca-realm-personalization-value.cddl +++ b/cddl/realm/cca-realm-personalization-value.cddl @@ -2,5 +2,6 @@ cca-realm-personalization-value-label = 44235 cca-realm-personalization-value-type = bytes .size 64 cca-realm-personalization-value = ( - cca-realm-personalization-value-label => cca-realm-personalization-value-type + cca-realm-personalization-value-label => + cca-realm-personalization-value-type ) diff --git a/cddl/realm/frags.mk b/cddl/realm/frags.mk index 8b6c1ba..4ab4f2d 100644 --- a/cddl/realm/frags.mk +++ b/cddl/realm/frags.mk 
@@ -4,7 +4,7 @@ REALM_FRAGS += cca-realm-extensible-measurements.cddl REALM_FRAGS += cca-realm-hash-algo-id.cddl REALM_FRAGS += cca-realm-initial-measurement.cddl REALM_FRAGS += cca-realm-measurement.cddl -REALM_FRAGS += cca-realm-mec-policy.cddl +#REALM_FRAGS += cca-realm-mec-policy.cddl REALM_FRAGS += cca-realm-personalization-value.cddl REALM_FRAGS += cca-realm-profile.cddl REALM_FRAGS += cca-realm-public-key-hash-algo-id.cddl diff --git a/cddl/tools.mk b/cddl/tools.mk index 1524367..4d24e7f 100644 --- a/cddl/tools.mk +++ b/cddl/tools.mk @@ -25,3 +25,7 @@ ifeq ($(strip $(cbor2pretty)),) $(error cbor2pretty tool not found. To install cbor2pretty, run: 'gem install cbor-diag') endif +xxd ?= $(shell command -v xxd) +ifeq ($(strip $(xxd)),) + $(error xxd tool not found. Make sure it is installed and in PATH) +endif diff --git a/cddl/top/Makefile b/cddl/top/Makefile index 6f46f84..ae16e8e 100644 --- a/cddl/top/Makefile +++ b/cddl/top/Makefile @@ -16,4 +16,6 @@ check: check-top check-top-examples clean: ; rm -f $(CLEANFILES) .PHONY: clean +EXAMPLES := $(wildcard examples/*.diag) + $(eval $(call cddl_check_template,top,$(FRAGS),$(EXAMPLES))) diff --git a/cddl/top/cca-top-claims.cddl b/cddl/top/cca-top-claims.cddl index 3eac054..f6f6fb0 100644 --- a/cddl/top/cca-top-claims.cddl +++ b/cddl/top/cca-top-claims.cddl @@ -1,6 +1,7 @@ -cca-token = #6.399(cca-token-collection) ; CMW (draft-ietf-rats-msg-wrap) Collection +; CMW (draft-ietf-rats-msg-wrap) Collection +cca-token = #6.399(cca-token-collection) cca-token-collection = { - 44234 => COSE_Sign1 ; 44234 = 0xACCA - 44241 => COSE_Sign1 + 44234 => bytes .cbor COSE_Sign1 ; 44234=0xACCA + 44241 => bytes .cbor COSE_Sign1 } diff --git a/cddl/top/examples/1.diag b/cddl/top/examples/1.diag new file mode 100644 index 0000000..be5aa10 --- /dev/null +++ b/cddl/top/examples/1.diag 
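Review bot: In cddl/realm/frags.mk the line `#REALM_FRAGS += cca-realm-mec-policy.cddl` disables the fragment without giving a reason, while the cca-realm-claims.cddl hunk removes the claim from the map outright. If cca-realm-mec-policy.cddl stays in the tree, it is no longer covered by the schema check and can drift. Either delete the line along with the fragment file, or keep it with a reason above it, e.g. `# MEC policy claim disabled: <reason / tracking issue>`.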
@@ -0,0 +1,118 @@ +399({ + 44234: << 18([ + h'A1013822', + {}, + << { + 265:"tag:arm.com,2023:cca_platform#1.0.0", + 10:h'0D22E08A98469058486318283489BDB36F09DBEFEB1864DF433FA6E54EA2D711', + 2396:h'7F454C4602010100000000000000000003003E00010000005058000000000000', + 256:h'0107060504030201000F0E0D0C0B0A090817161514131211101F1E1D1C1B1A1918', + 2401:h'CFCFCFCF', + 2395:12291, + 2402:"sha-256", + 2400:"https://veraison.example/.well-known/veraison/verification", + 2399:[ + { + 1:"RSE_BL1_2", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'9A271F2A916B0B6EE6CECB2426F0B3206EF074578BE55D9BC94F6F3FE3AB86AA', + 6:"sha-256" + }, + { + 1:"RSE_BL2", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'53C234E5E8472B6AC51C1AE1CAB3FE06FAD053BEB8EBFD8977B010655BFDD3C3', + 6:"sha-256" + }, + { + 1:"RSE_S", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'1121CFCCD5913F0A63FEC40A6FFD44EA64F9DC135C66634BA001D10BCF4302A2', + 6:"sha-256" + }, + { + 1:"AP_BL1", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'1571B5EC78BD68512BF7830BB6A2A44B2047C7DF57BCE79EB8A1C0E5BEA0A501', + 6:"sha-256" + }, + { + 1:"AP_BL2", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'10159BAF262B43A92D95DB59DAE1F72C645127301661E0A3CE4E38B295A97C58', + 6:"sha-256" + }, + { + 1:"SCP_BL1", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'10122E856B3FCD49F063636317476149CB730A1AA1CFAAD818552B72F56D6F68', + 6:"sha-256" + }, + { + 1:"SCP_BL2", + 5:h'F14B4987904BCB5814E4459A057ED4D20F58A633152288A761214DCD28780B56', + 2:h'AA67A169B0BBA217AA0AA88A65346920C84C42447C36BA5F7EA65F422C1FE5D8', + 6:"sha-256" + }, + { + 1:"AP_BL31", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'2E6D31A5983A91251BFAE5AEFA1C0A19D8BA3CF601D0E8A706B4CFA9661A6B8A', + 6:"sha-256" + }, + { + 1:"RMM", + 
5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'A1FB50E6C86FAE1679EF3351296FD6713411A08CF8DD1790A4FD05FAE8688164', + 6:"sha-256" + }, + { + 1:"HW_CONFIG", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'1A252402972F6057FA53CC172B52B9FFCA698E18311FACD0F3B06ECAAEF79E17', + 6:"sha-256" + }, + { + 1:"FW_CONFIG", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'9A92ADBC0CEE38EF658C71CE1B1BF8C65668F166BFB213644C895CCB1AD07A25', + 6:"sha-256" + }, + { + 1:"TB_FW_CONFIG", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'238903180CC104EC2C5D8B3F20C5BC61B389EC0A967DF8CC208CDC7CD454174F', + 6:"sha-256" + }, + { + 1:"SOC_FW_CONFIG", + 5:h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', + 2:h'E6C21E8D260FE71882DEBDB339D2402A2CA7648529BC2303F48649BCE0380017', + 6:"sha-256" + } + ] + } >>, + h'31D04D52CCDE952C1E32CBA181885A40B8CC38E0528C1E89589807642AA5E3F2BC37F95374506BFF4D2E4BE7063C4D72419270C722E8D4D93EE8B6C9FACE3B43C9761A49941AB6F38FFDFF496AD463B4CBFA11D83E23E31F7F62329DE30C1CC8' + ]) >>, + + 44241: << 18([ + h'A1013822', + {}, + << { + 265:"tag:arm.com,2023:realm#1.0.0", + 10:h'6E86D6D97CC713BC6DD43DBCE491A6B40311C027A8BF85A39DA63E9CE44C132A8A119D296FAE6A6999E9BF3E4471B0CE01245D889424C31E89793B3B1D6B1504', + 44236:"sha-256", + 44240:"sha-256", + 44235:h'54686520717569636B2062726F776E20666F78206A756D7073206F766572203133206C617A7920646F67732E54686520717569636B2062726F776E20666F7820', + 44237:h'A40102200221583076F988091BE585ED41801AECFAB858548C63057E16B0E676120BBD0D2F9C29E056C5D41A0130EB9C21517899DC23146B22583028E1B062BD3EA4B315FD219F1CBB528CB6E74CA49BE16773734F61A1CA61031B2BBF3D918F2F94FFC4228E50919544AE', + 44238:h'311314AB73620350CF758834AE5C65D9E8C2DC7FEBE6E7D9654BBE864E300D49', + 44239:[ + h'24D5B0A296CC05CBD8068C5067C5BD473B770DDA6AE082FE3BA30ABE3F9A6AB1', + h'788FC090BFC6B8ED903152BA8414E73DAF5B8C7BB1E79AD502AB0699B659ED16', + 
h'DAC46A58415DC3A00D7A741852008E9CAE64F52D03B9F76D76F4B3644FEFC416', + h'32C6AFC627E55585C03155359F331A0E225F6840DB947DD96EFAB81BE2671939' + ] + } >>, + h'580B1DEA32D30AC6884C86B39CBE0FCB03BD00DF5103F9BAB01386A46A3BA8143E27ED6D4EB0D0A2724ABDF9640C09462FACE6DF186909DFA6EB131E3A7918276077ACDAB8A8BDECA6B0EAAFAB66E1439C1371F4FB1D6AAC047481B5DC75DD46' + ]) >> +}) diff --git a/cddl/top/generic-sign1.cddl b/cddl/top/generic-sign1.cddl index 929fd4d..6dda226 100644 --- a/cddl/top/generic-sign1.cddl +++ b/cddl/top/generic-sign1.cddl @@ -1,7 +1,7 @@ ;# import rfc9052 -COSE_Sign1 = [ +COSE_Sign1 = #6.18([ Headers payload: bytes .cbor C signature: bytes -] +]) diff --git a/draft-ffm-rats-cca-token.md b/draft-ffm-rats-cca-token.md index 3e93c82..f0dc72b 100644 --- a/draft-ffm-rats-cca-token.md +++ b/draft-ffm-rats-cca-token.md @@ -350,6 +350,10 @@ apply to the `ueid-type`: * The length MUST be 33 bytes. * The first byte MUST be 0x01 (RAND) followed by the 32-byte unique identifier of the PAK. +~~~ cbor-diag +{::include cddl/platform/eat-ueid-rand.cddl} +~~~ + This claim MUST be present in a CCA Platform attestation token. ~~~ 
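Review bot: cddl/top/examples/1.diag is only shape-checked. As far as the check.mk hunk shows, each example goes through `cddl validate`, which verifies neither of the two COSE_Sign1 signatures nor the delegated-mode binding the draft describes (platform claim `10` being a hash of the realm public key claim `44237`). Since pak.diag and rak.diag are committed alongside, a check step that verifies both signatures and recomputes that hash would stop the published vector from going stale when a claim is edited. The platform claims set here is also a hand copy of cddl/platform/examples/3.diag, so the two can drift apart.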
@@ -1166,45 +1170,70 @@ The Content-Formats should be allocated from the Expert review range (0-255). # Examples The following examples show CCA attestation tokens for an hypothetical system -comprising a single measured software component. +comprising a single number of software component. The attesting device is in a lifecycle state ({{sec-security-lifecycle}}) of SECURED. -## Sample Platform Token in CWT/COSE Sign1 Format +## Delegated Mode -The following sample claim set and token are representative of a CCA Platform Token. -The eat-nonce may be set to a hash of the RAK public key if the delegated model is assumed. If not, -then the eat-nonce is a hash of the realm claims set, which includes verifier-provided challenge data. +The following sample claim set and token are representative of a CCA Token using "delegated mode" described in {{delegated}}. -~~~ -{::include-fold cddl/sample_tokens/platform.diag} -~~~ +In this model, the `eat_nonce` claim in the Platform token contains a hash of the RAK public key claim in the Realm token. 
+ +### Platform Claims Set -## COSE Sign1 Token {#ex-sign1} +The CCA Platform claims set is +~~~ cbor-diag +{::include-fold cddl/platform/examples/3.diag} ~~~ -TODO...include cddl/example/sign1-claims.diag + +### Realm Claims Set + +The CCA Realm claims set is + +~~~ cbor-diag +{::include-fold cddl/realm/examples/1.diag} ~~~ -The JWK representation of the PAK used for creating the COSE Sign1 signature -over the PSA token is: +### Platform Attestation Key + +The COSE Key representation of the Platform Attestation Key (PAK) used for creating the COSE Sign1 signature over the CCA Platform token is +~~~ cbor-diag +{::include-fold cddl/misc/pak.diag} ~~~ -TODO...include cddl/example/tfm-es-iak.json + +### Realm Attestation Key + +The COSE Key representation of the Realm Attestation Key (RAK) used for creating the COSE Sign1 signature over the CCA Realm token is + +~~~ cbor-diag +{::include-fold cddl/misc/rak.diag} ~~~ -The resulting COSE object is: +### Signed and Bound Assembly + +The resulting CMW collection is ~~~ -TODO...include cddl/example/psa-sign1.diag +{::include-fold cddl/top/examples/1.diag} ~~~ which has the following base16 encoding: ~~~ -TODO...include cddl/example/psa-sign1.hex +{::include-fold cddl/top/examples/1.hex} ~~~ +## Direct Mode + +The following sample claim sets and the resulting CCA Token are representative of a CCA Token using "direct mode" ({{direct}}). + +In "direct mode" the `eat_nonce` claim in the Platform token contains a hash of the Realm claims set, which includes verifier-provided challenge data. + +TODO + # Acknowledgments {:numbered="false"}