-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
multi-valued measurements #67
Comments
Note that the CDDL in [1] is not an acccurate depiction of DiceTcbInfoSeq as the DiceTcbInfo contains both the 'name fields' (aka The CDDL in [1] is similar to an as yet unpublished variation of DiceTcbInfoSeq that compresses common fields where the name fields are common. But this variation instructs the Verifier to uncompress them resulting in a DiceTcbInfoSeq. [1] ; ENV --1:m--> MEAS [2] |
Note also that (ENV --1:m--> MEAS) can be achieved by The interesting case for (ENV --1:m--> MEAS) and [1] above is when there are multiple instances of measurements that have the same code point. In such a scenario, the only way to disambiguate 'm1' from 'm2' is by array position. However, this seems dubious as tooling might swap entries and more importantly, array position doesn't add semantic context for which component in the system was the original source of the measurement. Using |
Thanks for the clarification, wiki page updated. |
yes, that's the case that we want to support natively.
yes, let's not do that.
Interesting idea, I hadn't thought about using class's |
[ environment-map, measurement-map ] should also be listed as a form of ENV --1:m--> MEAS |
you mean in case the measurement values are different, right? (I reckon a more precise headline for my musing is "multi-valued same-type measurements".) |
If we are expecting to rely on CBOR compaction [3], then CDDL that aims to only optimize for size can result in semantic expressiveness gaps. [3] https://datatracker.ietf.org/doc/html/draft-ietf-cbor-packed |
Yes, if 'same-type' means same code point. |
ok, so I'm reading the description of
and I am a bit concerned that the idea of "clone" doesn't really fit the use case I'm trying to model. Those multiple measurements associated with the PSA "mutable" RoT (PRoT) are not "clones" of the PRoT, they are measurements of PRoT sub-components. It's partitioning rather than cloning. |
This was the use case justification that we were aware of at the time. If there is additional justification then it seems OK to add that also. The question is what will a Verifier do with the information? We've defined However, if they match, then each field in The verifier may not care if CoMID expects the module designer will make these decisions as part of tag creation. |
Hmm, right. If |
Can you say more about what doesn't work? |
The PSA software components claim is an unordered set of measurements:
There is no defined order that could be associated with an Therefore, if Basically, the primitive I need for matching is an "equality among unordered sets". |
This seems to have similar semantics as
Are the matching semantics that all instances of |
yes. |
Is this issue resolved? Maybe as "do not fix"? |
@nedmsmith @thomas-fossati I want to resurrect the discussion on There are other use cases apart from PSA, where we have a set of Measurements (Digests to be precise). The set belongs to an Environment. Currently we do not have an adequate and elegant We do not want Supply chain to use As far as concern about Evidence Matching Policy, we can make a careful assessment of the situation as: A Verifier matches all the Measurements belonging to the Environment with the set of Reference Values. |
I was looking for text (both in I-D.corim and TCG Endorsement arch) that clarifies whether an array of reference triples mean OR or AND matching logic. That is to say, given an array of reference triples in the same tag / same triples-map statement. Do all of the EMT statements have to match (aka AND logic) or is it OR logic where if any triples in the array match, then the evidence matches? The examples seem to suggest OR logic, but the prose sections don't seem very clear to me. E.g.: given a reference-triple array as follows:
and given Evidence as:
Is there a match on (ENV2, MEAS2) because (ENV2, MEAS2) appears in the list of RV triples or is it not a match because all of the RV triples are not matched? AND logic therefore uses inner arrays. There are several examples that follow.
If evidence matching algorithms allow for: ~[ (env=ENV2, meas=MEAS2) ] matching. Then evidence can omit the inner array brackets: (ENV2, MEAS2). If the reference values expression was:
AND matching logic implies: Yogesh may be suggesting AND logic where only the measurement component of an EMT has multiplicity.
The current schema supports measurement multiplicity by defining code points that have values expressed as arrays.
|
Note the TCG Endorsement arch spec suggests there are use cases for multi-valued measurement sets for a given environment and it implies AND matching logic: If we allow an arbitrary set of measurement values with the same key (Example 2 above), I think that presents ambiguity as it isn't clear if value2 appearing at array position 0 is different from value2 appearing at array position 1. |
If matching multiple different digests in one go is the goal, defining a multi-digest measurement is an "elegant" (and more compact) solution. We made the measurement map extensible to allow use cases that do not fit the DICE model. |
I think this issue is tied to the environment scoping issue #176 because scope may determine whether a collection of measurements is grouped by EMT structure or by the scope of the chosen EMT name. |
This is Example 3 above. |
I think, we are over-complicating the discussion here: For Example 1: (stated by Ned above) Example 2: Ned got the use case right, the ENV has Multiple Measurements: @nedmsmith To your point: If we allow an arbitrary set of measurement values with the same key (Example 2 above), I think that presents ambiguity as it isn't clear if value2 appearing at array position 0 is different from value2 appearing at array position 1. We have sufficient semantics in the schema today to define what each Measurement at a specific position (say 0 or 1) implies, that should be clarified by the Supply Chain, when provisioning reference values. The Verifier will match the corresponding one received in the Evidence. Example 3: My view point: b. The extension point does not exist at the correct place to express the multiplicity I am referring to |
@thomas-fossati : |
That's what I meant.
why not, extensibility is a feature not a bug ;-) |
I meant the Hence the proposal! |
|
Now I am confused. I understood this was about changing ref-val and end-val triples to allow 1 or more |
Yes I do NOT propose extending the map. You are correct! I propose we add multiplicity! |
Example 4:
|
I am all for Example 4: |
... and document the verifier behavior for matching reference values to evidence / ACS and for conditional endorsement condition matching. |
100% Agree! |
... and make sure that this all works with existing conditional triples using naked |
...and not forgetting the ability to include authority as part of the condition. |
I have started a Draft [WIP] PR. I admit I will need your help in completing this neatly 🥇 I will update examples, once we limit and evaluate the impact! |
Can we close this? Yogesh's PR #181 was closed with reason: "we have an alternative called integrity registers". |
Sure let's close this! |
+1 |
see https://github.com/ietf-rats-wg/draft-ietf-rats-corim/wiki/Multiple--vs-Single-measurements-Environments
The text was updated successfully, but these errors were encountered: