extend the use of tagged-bytes to identifiers #188
Changes from 6 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
$class-id-type-choice /= tagged-oid-type | ||
$class-id-type-choice /= tagged-uuid-type | ||
$class-id-type-choice /= tagged-int-type | ||
$class-id-type-choice /= tagged-bytes |
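Review bot: The added `$class-id-type-choice /= tagged-bytes` line has no matching prose change for the class identifier in the draft text shown in this diff, where only the instance and group identifier paragraphs are updated. Unlike the OID and UUID choices, an opaque byte string carries no namespace of its own, so the class identifier section should point to {{sec-common-tagged-bytes}} and say that scope and semantics come from the profile.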
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
/ concise-mid-tag / { | ||
/ comid.tag-identity / 1 : { | ||
/ comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' | ||
}, | ||
/ comid.entity / 2 : [ { | ||
/ comid.entity-name / 0 : "ACME Inc.", | ||
/ comid.reg-id / 1 : 32("https://acme.example"), | ||
/ comid.role / 2 : [ 0 ] / tag-creator / | ||
} ], | ||
/ comid.triples / 4 : { | ||
/ comid.reference-triples / 0 : [ [ | ||
/ environment-map / { | ||
/ comid.instance / 1 : / e.g., SEV-SNP CHIP_ID / 560( | ||
h'9f71ec4d223f4f899d532ed6ff6ecbbb4a62cb386ba24c204c9371ce5e3b9291713fe96b9b413d8842968ebb1fa4cf1920d0c5e9f872776a1e826f2851ecdb47') | ||
}, | ||
/ measurement-map / { | ||
/ comid.mval / 1 : { | ||
/ comid.ver / 0 : { | ||
/ comid.version / 0 : "1.0.0", | ||
/ comid.version-scheme / 1 : 16384 / semver / | ||
}, | ||
} | ||
} | ||
] ] | ||
} | ||
} |
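Review bot: The class and group uses of tag 560 have no example; this file covers only `comid.instance`. Consider adding a `560(...)` value for the class and group fields as well, either here or in sibling example files. Separately, the `},` that closes the `comid.ver` map is followed directly by `}`; drop the trailing comma unless the tool that validates the examples is known to accept it.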
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,2 @@ | ||
$group-id-type-choice /= tagged-uuid-type | ||
$group-id-type-choice /= tagged-bytes |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
$instance-id-type-choice /= tagged-ueid-type | ||
$instance-id-type-choice /= tagged-uuid-type | ||
$instance-id-type-choice /= $crypto-key-type-choice | ||
$instance-id-type-choice /= tagged-bytes |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,3 @@ | ||
tagged-bytes = #6.560(bytes) | ||
$raw-value-type-choice /= tagged-bytes | ||
|
||
raw-value-mask-type = bytes |
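Review bot: `$raw-value-type-choice /= tagged-bytes` now relies on a rule that this change also adds as a separate one-line fragment, and none of the hunks shown touch whatever list of fragments is assembled for validation. If the CDDL files are concatenated from an explicit list, check that the new fragment is added for every schema that uses this file, otherwise `tagged-bytes` is undefined (or defined twice, if the definition also stays here) at validation time.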
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
tagged-bytes = #6.560(bytes) |
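Review bot: `#6.560(bytes)` places no bound on length, so a zero-length byte string is a valid instance, class or group identifier under this rule. If an empty identifier is not meant to be accepted, constrain the identifier uses with a `.size` control or state in {{sec-common-tagged-bytes}} how a Verifier treats it. A comment line in this file pointing to that section would also help, since the rule is now shared by four type choices.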
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -303,6 +303,17 @@ convention - e.g., {{Section 4.4.1.5 of -psa-token}}). | |||||
{::include cddl/digest.cddl} | ||||||
~~~ | ||||||
|
||||||
### Tagged Bytes Type {#sec-common-tagged-bytes} | ||||||
|
||||||
An opaque, variable-length byte string. | ||||||
It can be used in different contexts: as an instance, class or group identifier in an `environment-map`; as a raw value measurement in a `measurement-values-map`. | ||||||
Its semantics are defined by the context in which it is found, and by the overarching CoRIM profile. | ||||||
When used as an identifier the responsible allocator entity SHOULD ensure uniqueness within the usage scope. | ||||||
Suggested change
I don't think global uniqueness is needed here. It is sufficient that the tagged bytes unambiguously identify an entity within a given scope. The same
The other examples of The problem is there is one section for describing the semantics of the tag 560 () but it is used in all three
Clarifying why I do not agree with Andy's suggestion: the word global to me implies across contexts, which is not what we should require from the allocator for the reason I've tried to describe above.
Do you have any suggestions? ISTM that the exact semantics will be profile-specific, i.e., out-of-scope of base CoRIM -- except if DICE has anything to say about
Discussion today resolved that 560 is to be interpreted within the CDDL context in which it occurs. This PR proposes 3 additional contexts from the current raw-value-group context. The description of the CDDL for each context should describe the expected properties. In the case, of
Yes
I don't understand this.
Yes
WFM
thomas-fossati marked this conversation as resolved.
|
||||||
|
||||||
~~~ cddl | ||||||
{::include cddl/tagged-bytes.cddl} | ||||||
~~~ | ||||||
|
||||||
# Concise Reference Integrity Manifest (CoRIM) {#sec-corim} | ||||||
|
||||||
A CoRIM is a collection of tags and related metadata as described below. | ||||||
|
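Review bot: "usage scope" in the SHOULD sentence of the new Tagged Bytes Type section is not defined, and the paragraph does not say how two values are compared. State that the scope is given by the field the value appears in together with the CoRIM profile, and say how a Verifier matches values, so that equal bytes under different fields or profiles are not treated as the same entity. The sentence also needs a comma after "When used as an identifier".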
@@ -821,7 +832,7 @@ An instance carries a unique identifier that is reliably bound to a Target Envir | |||||
that is an instance of the Attester. | ||||||
|
||||||
The types defined for an instance identifier are CBOR tagged expressions of | ||||||
UEID, UUID, or cryptographic key identifier. | ||||||
UEID, UUID, variable-length opaque byte string, or cryptographic key identifier. | ||||||
Please either add a reference to tagged bytes or describe profile specific behaviour dependency here!
done in 6fee7e3
Similar entry is needed in the class identifier as well!
see 6fee7e3
||||||
|
||||||
~~~ cddl | ||||||
{::include cddl/instance-id-type-choice.cddl} | ||||||
|
@@ -833,7 +844,7 @@ A group carries a unique identifier that is reliably bound to a group of | |||||
Attesters, for example when a number of Attester are hidden in the same | ||||||
anonymity set. | ||||||
|
||||||
The type defined for a group identified is UUID. | ||||||
The types defined for a group identified are UUID and variable-length opaque byte string. | ||||||
|
||||||
~~~ cddl | ||||||
{::include cddl/group-id-type-choice.cddl} | ||||||
|
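Review bot: "group identified" in the changed sentence should read "group identifier"; the typo is carried over from the line being replaced. The new sentence could also reference {{sec-common-tagged-bytes}}, as the raw value text does, rather than only repeating "variable-length opaque byte string".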
@@ -1045,7 +1056,7 @@ Raw value measurements are typically vendor defined values that are checked by V | |||||
for consistency only, since the security relevance is opaque to Verifiers. | ||||||
|
||||||
There are two parts to a `raw-value-group`, a measurement and an optional mask. | ||||||
The default raw value measurement is a CBOR tagged `bstr`. | ||||||
The default raw value measurement is of type `tagged-bytes` ({{sec-common-tagged-bytes}}). | ||||||
Additional raw value types can be defined, but must be CBOR tagged so that parsers can distinguish | ||||||
between the various semantics of type values. | ||||||
|
||||||
|
@@ -1962,9 +1973,9 @@ IANA is requested to allocate the following tags in the "CBOR Tags" registry {{! | |||||
| 555 | `text` | tagged-pkix-base64-cert-type, see {{sec-crypto-keys}} | {{&SELF}} | | ||||||
| 556 | `text` | tagged-pkix-base64-cert-path-type, see {{sec-crypto-keys}} | {{&SELF}} | | ||||||
| 557 | `[int/text, bytes]` | tagged-thumbprint-type, see {{sec-common-hash-entry}} | {{&SELF}} | | ||||||
| 558 | `COSE_Key/ COSE_KeySet` | tagged-cose-key-type, see {{sec-crypto-keys}} | {{&SELF}} | | ||||||
| 558 | `COSE_Key/ COSE_KeySet` | tagged-cose-key-type, see {{sec-crypto-keys}} | {{&SELF}} | | ||||||
| 559 | `digest` | tagged-cert-thumbprint-type, see {{sec-crypto-keys}} | {{&SELF}} | | ||||||
| 560 | `bytes` | tagged-bytes, see {{sec-comid-raw-value-types}} | {{&SELF}} | | ||||||
| 560 | `bytes` | tagged-bytes, see {{sec-common-tagged-bytes}} | {{&SELF}} | | ||||||
| 561 | `digest` | tagged-cert-path-thumbprint-type, see {{sec-crypto-keys}} | {{&SELF}} | | ||||||
| 562-599 | `any` | Earmarked for CoRIM | {{&SELF}} | | ||||||
|
||||||
|
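Review bot: The 558 row appears twice with identical visible text, which suggests a whitespace-only change unrelated to tag 560; drop it from this PR so the IANA table diff contains only the intended edit. The 560 row's new reference to {{sec-common-tagged-bytes}} matches the section added earlier in this change.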
Agreed to omit this suggestion.