From a55bb1ee937a042afc1efcb9c17cb885f4a9dcda Mon Sep 17 00:00:00 2001
From: Laurence Lundblade
Date: Fri, 25 Nov 2022 13:22:11 -0800
Subject: [PATCH] secboot --> oemboot

---
 cddl/CDDL-FRAGS.mk | 2 +-
 cddl/Example-Payloads/minimal.diag | 2 +-
 cddl/Example-Payloads/simple.diag | 2 +-
 cddl/Example-Payloads/submods.diag | 2 +-
 cddl/Example-Payloads/valid_hw_block.diag | 2 +-
 cddl/Example-Payloads/valid_hw_block2.diag | 2 +-
 cddl/Example-Payloads/valid_iot.diag | 4 ++--
 cddl/Example-Payloads/valid_key_store.diag | 4 ++--
 cddl/Example-Payloads/valid_results.json | 4 ++--
 cddl/Example-Payloads/valid_submods.diag | 2 +-
 cddl/Example-Payloads/valid_tee.diag | 2 +-
 cddl/claim-labels.cddl | 2 +-
 cddl/oem-boot.cddl | 1 +
 cddl/secure-boot.cddl | 1 -
 draft-ietf-rats-eat.md | 17 ++++++++++-------
 15 files changed, 26 insertions(+), 23 deletions(-)
 create mode 100644 cddl/oem-boot.cddl
 delete mode 100644 cddl/secure-boot.cddl

diff --git a/cddl/CDDL-FRAGS.mk b/cddl/CDDL-FRAGS.mk
index 09e763da..d9493b7f 100644
--- a/cddl/CDDL-FRAGS.mk
+++ b/cddl/CDDL-FRAGS.mk
@@ -17,7 +17,7 @@ COMMON_CDDL_FRAGS += hardware-version.cddl
 COMMON_CDDL_FRAGS += hardware-model.cddl
 COMMON_CDDL_FRAGS += software-name.cddl
 COMMON_CDDL_FRAGS += software-version.cddl
-COMMON_CDDL_FRAGS += secure-boot.cddl
+COMMON_CDDL_FRAGS += oem-boot.cddl
 COMMON_CDDL_FRAGS += debug-status.cddl
 COMMON_CDDL_FRAGS += location.cddl
 COMMON_CDDL_FRAGS += uptime.cddl
diff --git a/cddl/Example-Payloads/minimal.diag b/cddl/Example-Payloads/minimal.diag
index 2d9a3b10..5388a3cf 100644
--- a/cddl/Example-Payloads/minimal.diag
+++ b/cddl/Example-Payloads/minimal.diag
@@ -1,4 +1,4 @@
 {
 / eat_nonce / 10: h'948f8860d13a463e8e',
- / secboot / 262: true
+ / oemboot / 262: true
 }
diff --git a/cddl/Example-Payloads/simple.diag b/cddl/Example-Payloads/simple.diag
index e8f68c70..8d935d3b 100644
--- a/cddl/Example-Payloads/simple.diag
+++ b/cddl/Example-Payloads/simple.diag
@@ -4,7 +4,7 @@
 / ueid / 256: h'0198f50a4ff6c05861c8860d13a638ea',
 / oemid / 258: h'88124e',
 / hwmodel / 259: h'881cf5f243fbef3336bbd22547dddefc',
- / secboot / 262: true,
+ / oemboot / 262: true,
 / dbgstat / 263: 3, / permanent-disable /
 / timestamp (iat) / 6: 1526542894
 }
diff --git a/cddl/Example-Payloads/submods.diag b/cddl/Example-Payloads/submods.diag
index 2c0b80ee..07fb856f 100644
--- a/cddl/Example-Payloads/submods.diag
+++ b/cddl/Example-Payloads/submods.diag
@@ -1,7 +1,7 @@
 {
 / eat_nonce / 10: h'948f8860d13a463e8e',
 / ueid / 256: h'0198f50a4ff6c05861c8860d13a638ea',
- / secboot / 262: true,
+ / oemboot / 262: true,
 / dbgstat / 263: 3, / permanent-disable /
 / timestamp (iat) / 6: 1526542894,
 / submods / 266: {
diff --git a/cddl/Example-Payloads/valid_hw_block.diag b/cddl/Example-Payloads/valid_hw_block.diag
index a3fc5488..2b910eb0 100644
--- a/cddl/Example-Payloads/valid_hw_block.diag
+++ b/cddl/Example-Payloads/valid_hw_block.diag
@@ -9,7 +9,7 @@
 / eat_nonce / 10: h'948f8860d13a463e',
 / ueid / 256: h'0198f50a4ff6c05861c8860d13a638ea',
 / oemid / 258: 64242, / Private Enterprise Number /
- / secboot / 262: true,
+ / oemboot / 262: true,
 / dbgstat / 263: 3, / disabled-permanently /
 / hwversion / 260: [ "3.1", 1 ] / Type is multipartnumeric /
 }
diff --git a/cddl/Example-Payloads/valid_hw_block2.diag b/cddl/Example-Payloads/valid_hw_block2.diag
index 2f1fd156..ca66ccfb 100644
--- a/cddl/Example-Payloads/valid_hw_block2.diag
+++ b/cddl/Example-Payloads/valid_hw_block2.diag
@@ -7,7 +7,7 @@
 / eat_nonce / 10: h'948f8860d13a463e',
 / ueid / 256: h'0198f50a4ff6c05861c8860d13a638ea',
 / oemid / 258: 64242, / Private Enterprise Number /
- / secboot / 262: true,
+ / oemboot / 262: true,
 / dbgstat / 263: 3, / disabled-permanently /
 / hwversion / 260: [ "3.1", 1 ], / multipartnumeric /
 / submods/ 266: {
diff --git a/cddl/Example-Payloads/valid_iot.diag b/cddl/Example-Payloads/valid_iot.diag
index b70670c6..5227c2a3 100644
--- a/cddl/Example-Payloads/valid_iot.diag
+++ b/cddl/Example-Payloads/valid_iot.diag @@ -6,13 +6,13 @@ { / eat_nonce / 10: h'948f8860d13a463e', - / secboot / 262: true, + / oemboot / 262: true, / dbgstat / 263: 2, / disabled-since-boot / / oemid / 258: h'8945ad', / IEEE CID based / / ueid / 256: h'0198f50a4ff6c05861c8860d13a638ea', / submods / 266: { "OS" : { - / secboot / 262: true, + / oemboot / 262: true, / dbgstat / 263: 2, / disabled-since-boot / / measurements / 274: [ [ diff --git a/cddl/Example-Payloads/valid_key_store.diag b/cddl/Example-Payloads/valid_key_store.diag index c0b5c0b7..02074729 100644 --- a/cddl/Example-Payloads/valid_key_store.diag +++ b/cddl/Example-Payloads/valid_key_store.diag @@ -20,7 +20,7 @@ { / eat_nonce / 10: h'948f8860d13a463e', - / secboot / 262: true, + / oemboot / 262: true, / dbgstat / 263: 2, / disabled-since-boot / / manifests / 273: [ [ 121, / CoAP Content ID. A / @@ -55,7 +55,7 @@ / submods / 266 : { "HLOS" : { / submod for high-level OS / / eat_nonce / 10: h'948f8860d13a463e', - / secboot / 262: true, + / oemboot / 262: true, / manifests / 273: [ [ 121, / CoAP Content ID. A / / made up one until one / diff --git a/cddl/Example-Payloads/valid_results.json b/cddl/Example-Payloads/valid_results.json index d1b4f339..2584bf89 100644 --- a/cddl/Example-Payloads/valid_results.json +++ b/cddl/Example-Payloads/valid_results.json @@ -1,6 +1,6 @@ { "eat_nonce": "jkd8KL-8=Qlzg4", - "secboot": true, + "oemboot": true, "dbgstat": "disabled-since-boot", "oemid": "iUWt", "ueid": "AZj1Ck_2wFhhyIYNE6Y4", @@ -19,4 +19,4 @@ ] ] ] -} \ No newline at end of file +} diff --git a/cddl/Example-Payloads/valid_submods.diag b/cddl/Example-Payloads/valid_submods.diag index 08e7f219..728a355e 100644 --- a/cddl/Example-Payloads/valid_submods.diag +++ b/cddl/Example-Payloads/valid_submods.diag 
@@ -24,7 +24,7 @@ / hwversion / 260: ["1.3.4", 1], / Multipartnumeric / / swname / 271: "Acme OS", / swversion / 272: ["3.5.5", 1], - / secboot / 262: true, + / oemboot / 262: true, / dbgstat / 263: 3, / permanent-disable / / timestamp (iat) / 6: 1526542894, / submods / 266: { diff --git a/cddl/Example-Payloads/valid_tee.diag b/cddl/Example-Payloads/valid_tee.diag index 1f43776d..2b8a3bb4 100644 --- a/cddl/Example-Payloads/valid_tee.diag +++ b/cddl/Example-Payloads/valid_tee.diag @@ -2,7 +2,7 @@ { / eat_nonce / 10: h'948f8860d13a463e', - / secboot / 262: true, + / oemboot / 262: true, / dbgstat / 263: 2, / disabled-since-boot / / manifests / 273: [ [ diff --git a/cddl/claim-labels.cddl b/cddl/claim-labels.cddl index d326dd12..5abd1d42 100644 --- a/cddl/claim-labels.cddl +++ b/cddl/claim-labels.cddl @@ -7,7 +7,7 @@ sueids-label = JC< "sueids", 257 > oemid-label = JC< "oemid", 258 > hardware-model-label = JC< "hwmodel", 259 > hardware-version-label = JC< "hwversion", 260 > -secure-boot-label = JC< "secboot", 262 > +oem-boot-label = JC< "oemboot", 262 > debug-status-label = JC< "dbgstat", 263 > location-label = JC< "location", 264 > profile-label = JC< "eat_profile",265 > diff --git a/cddl/oem-boot.cddl b/cddl/oem-boot.cddl new file mode 100644 index 00000000..d944ab5a --- /dev/null +++ b/cddl/oem-boot.cddl @@ -0,0 +1 @@ +$$Claims-Set-Claims //= (oem-boot-label => bool) diff --git a/cddl/secure-boot.cddl b/cddl/secure-boot.cddl deleted file mode 100644 index eba9342f..00000000 --- a/cddl/secure-boot.cddl +++ /dev/null @@ -1 +0,0 @@ -$$Claims-Set-Claims //= (secure-boot-label => bool) diff --git a/draft-ietf-rats-eat.md b/draft-ietf-rats-eat.md index 5602087b..96be0d3e 100644 --- a/draft-ietf-rats-eat.md +++ b/draft-ietf-rats-eat.md 
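Review bot: In the cddl/claim-labels.cddl hunk, the JSON label text changes from "secboot" to "oemboot" while the CBOR key stays 262, and nothing on the new line records that. A verifier or appraisal policy written against an earlier draft that looks the claim up by its JSON name would no longer find it, whereas CBOR-encoded tokens are unaffected, so the two encodings behave differently across this rename. A CDDL comment above the new line would make that visible, for example `; JSON name was "secboot" before this change; CBOR key 262 is unchanged`. The new cddl/oem-boot.cddl fragment could carry the same one-line pointer.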
@@ -732,18 +732,18 @@ A full CoSWID manifest or other type of manifest can be instead if this is too s ~~~~ -### secboot (Secure Boot) Claim +### oemboot (OEM Authorized Boot) Claim -A "secboot" claim with value of true indicates secure boot is enabled. Secure boot is -considered enabled when the firmware and operating -system, are under control of the manufacturer of the entity identified in the -"oemid" claim described in {{oemid}}. -Control by the manufacturer of the firmware and the operating system may be by it being in ROM, being cryptographically authenticated, a combination of the two or similar. +An "oemboot" claim with value of true indicates the entity booted with software authorized by the manufacturer of the entity as indicated by the "oemid" claim described in {{oemid}}. +It indicates the firmware and operating system are fully under control of the OEM and may not be replaced by the end user or even the enterprise that owns the device. +The means of control may be by cryptographic authentication of the software, by the software being in ROM, a combination of the two or other. +If this claim is present the "oemid" claim SHOULD always also be present. ~~~~CDDL -{::include nc-cddl/secure-boot.cddl} +{::include nc-cddl/oem-boot.cddl} ~~~~ + ### dbgstat (Debug Status) Claim The "dbgstat" claim applies to entity-wide or submodule-wide debug facilities of the @@ -2526,6 +2526,9 @@ differences. A comprehensive history is available via the IETF Datatracker's rec - General edits to the submodules section - Change the way detached digests are identified in JSON-encoded tokens +## From draft-ietf-rats-eat-17 +- Rename secboot to oemboot and describe it as OEM Authorized Boot + --- contributor Many thanks to the following contributors to draft versions of this
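Review bot: The new sentence in the first draft-ietf-rats-eat.md hunk, `If this claim is present the "oemid" claim SHOULD always also be present`, is not met by cddl/Example-Payloads/minimal.diag, which this commit touches and which contains only eat_nonce and oemboot. Several other examples edited here (submods.diag, valid_tee.diag, the "OS" submodule in valid_iot.diag) also show oemboot with no oemid in the visible context, though their full contents lie outside the hunks. Without oemid a relying party cannot tell which manufacturer the boot authorization refers to, so either the examples should gain an oemid or the text should say when omitting it is acceptable, e.g. `An "oemboot" claim in a submodule is interpreted against the "oemid" of the enclosing token` if that is the intent. The phrase `may not be replaced` can also be read as permission rather than prohibition; `cannot be replaced` would be unambiguous.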