Group Membership, a proposal #177

Open
thomas-fossati opened this issue Dec 6, 2023 · 3 comments
Labels
mustfix This is essential requirement for CoRIM Publish

Comments

@thomas-fossati
Collaborator

see https://github.com/ietf-rats-wg/draft-ietf-rats-corim/wiki/Composite-device-description-using-domain-membership-triples

@nedmsmith
Collaborator

Issue #136 has some context regarding grouping concepts

@nedmsmith
Collaborator

It is not possible to limit the acceptable combinations: all possible cross-products are acceptable.
Suppose TF-M goes through a similar update cycle as BL. Using the semantics above it is not possible to express things like: BL "1.0.0" is acceptable only with TF-M "1.0.0" and not with TF-M "1.0.1".

Typically, updates are applied in the context of an update package that contains dependency semantics (see SUIT). If there are unacceptable combinations, the update manifest will suss them out. If there is a trustworthiness-relevant combinatoric that a RATS Verifier should process, the RVP can create a new BL version "1.0.1" that excludes the revoked TF-M image.

Alternatively, the RVP could create a domain context that includes stateful-environment-records that name only valid versions of TF-M. (Although allowing stateful-environment-record as a possible domain name wasn't part of the original proposal.)

@nedmsmith
Collaborator

nedmsmith commented Jan 19, 2024

Grouping semantics apply to Evidence as well as RV/Endorsements. A DICE alias certificate / EAT token implies a grouping of evidence claims due to the signature over the claims. The Attester implies the grouping context because it chose to bundle a set of claims before signing them.

A TPM PCR is also an implied grouping context. TCG specs specify the type of measurements that belong to a specific PCR. The intent is that a Verifier can check the integrity of individual PCRs and return a pass/fail result for each PCR. If some pass and some fail, the final result is neither pass nor fail. Hence, there isn't a presumption that appraisal necessarily must produce a binary result.

Similarly, the RVs should be grouped such that only the RVs that apply to the Evidence grouping semantic should be applied for a given grouping.
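
An added illustration of two points from this thread, not code from the CoRIM draft or from any commenter: independently matched reference values accept every cross-product of versions, while reference values grouped per domain can accept only named combinations and yield a per-group result that need not collapse to pass/fail. The dictionary model, the domain names `boot` and `app`, and the `APP` environment are assumptions made for the example.

```python
# Simplified model for illustration; this is not the CoRIM CBOR encoding.
# All data below is constructed sample data.

# Flat reference values: each environment lists acceptable versions on its own.
FLAT_RVS = {"BL": {"1.0.0", "1.0.1"}, "TF-M": {"1.0.0", "1.0.1"}}

# Grouped reference values: each domain lists whole combinations of members.
# The domain names "boot" and "app" are hypothetical.
DOMAIN_RVS = {
    "boot": [
        {"BL": "1.0.0", "TF-M": "1.0.0"},
        {"BL": "1.0.1", "TF-M": "1.0.0"},
        {"BL": "1.0.1", "TF-M": "1.0.1"},
    ],
    "app": [{"APP": "2.0.0"}],
}


def appraise_flat(claims):
    """Match every environment independently, so any cross-product passes."""
    return all(claims.get(env) in ok for env, ok in FLAT_RVS.items())


def appraise_group(claims, combos):
    """Pass only when the claims satisfy one listed combination as a whole."""
    return any(all(claims.get(e) == v for e, v in c.items()) for c in combos)


def appraise(evidence_groups):
    """Apply each domain's RVs only to the Evidence group of the same name.

    Returns per-group results and a summary that is "mixed" when some
    groups pass and others fail, rather than forcing a binary verdict.
    """
    per_group = {
        name: appraise_group(evidence_groups.get(name, {}), combos)
        for name, combos in DOMAIN_RVS.items()
    }
    outcomes = set(per_group.values())
    if len(outcomes) > 1:
        return per_group, "mixed"
    return per_group, "pass" if True in outcomes else "fail"


if __name__ == "__main__":
    evidence = {"boot": {"BL": "1.0.0", "TF-M": "1.0.1"}, "app": {"APP": "2.0.0"}}
    print(appraise_flat(evidence["boot"]))  # flat matching accepts the bad pair
    print(appraise(evidence))               # grouped matching rejects it
```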

@yogeshbdeshpande yogeshbdeshpande added the mustfix This is essential requirement for CoRIM Publish label May 7, 2024