secboot --> oemboot

ietf-rats-wg · Nov 25, 2022 · a55bb1e · a55bb1e
1 parent 002b980
commit a55bb1e
Show file tree

Hide file tree

Showing 15 changed files with 26 additions and 23 deletions.
diff --git a/cddl/CDDL-FRAGS.mk b/cddl/CDDL-FRAGS.mk
@@ -17,7 +17,7 @@ COMMON_CDDL_FRAGS += hardware-version.cddl
 COMMON_CDDL_FRAGS += hardware-model.cddl
 COMMON_CDDL_FRAGS += software-name.cddl
 COMMON_CDDL_FRAGS += software-version.cddl
-COMMON_CDDL_FRAGS += secure-boot.cddl
+COMMON_CDDL_FRAGS += oem-boot.cddl
 COMMON_CDDL_FRAGS += debug-status.cddl
 COMMON_CDDL_FRAGS += location.cddl
 COMMON_CDDL_FRAGS += uptime.cddl

diff --git a/cddl/Example-Payloads/minimal.diag b/cddl/Example-Payloads/minimal.diag
@@ -1,4 +1,4 @@
 {
     / eat_nonce /        10: h'948f8860d13a463e8e',
-    / secboot /         262: true
+    / oemboot /         262: true
 }
diff --git a/cddl/Example-Payloads/simple.diag b/cddl/Example-Payloads/simple.diag
@@ -4,7 +4,7 @@
     / ueid /           256: h'0198f50a4ff6c05861c8860d13a638ea',
     / oemid /          258: h'88124e',
     / hwmodel /       259: h'881cf5f243fbef3336bbd22547dddefc',
-    / secboot /        262: true,
+    / oemboot /        262: true,
     / dbgstat /        263: 3, / permanent-disable /
     / timestamp (iat) /  6: 1526542894
 }
diff --git a/cddl/Example-Payloads/submods.diag b/cddl/Example-Payloads/submods.diag
@@ -1,7 +1,7 @@
 {
     / eat_nonce /             10: h'948f8860d13a463e8e',
     / ueid /                 256: h'0198f50a4ff6c05861c8860d13a638ea',
-    / secboot /              262: true,
+    / oemboot /              262: true,
     / dbgstat /              263: 3, / permanent-disable  /
     / timestamp (iat) /        6: 1526542894,
     / submods / 266: {

diff --git a/cddl/Example-Payloads/valid_hw_block.diag b/cddl/Example-Payloads/valid_hw_block.diag
@@ -9,7 +9,7 @@
     / eat_nonce /       10: h'948f8860d13a463e',
     / ueid /           256: h'0198f50a4ff6c05861c8860d13a638ea',
     / oemid /          258: 64242, / Private Enterprise Number /
-    / secboot /        262: true,
+    / oemboot /        262: true,
     / dbgstat /        263: 3, / disabled-permanently /
     / hwversion /      260: [ "3.1", 1 ] / Type is multipartnumeric /
 }

diff --git a/cddl/Example-Payloads/valid_hw_block2.diag b/cddl/Example-Payloads/valid_hw_block2.diag
@@ -7,7 +7,7 @@
     / eat_nonce /       10: h'948f8860d13a463e',
     / ueid /           256: h'0198f50a4ff6c05861c8860d13a638ea',
     / oemid /          258: 64242, / Private Enterprise Number /
-    / secboot /        262: true,
+    / oemboot /        262: true,
     / dbgstat /        263: 3, / disabled-permanently /
     / hwversion /      260: [ "3.1", 1 ], / multipartnumeric /
     / submods/         266: {

diff --git a/cddl/Example-Payloads/valid_iot.diag b/cddl/Example-Payloads/valid_iot.diag
@@ -6,13 +6,13 @@
 
 {
     / eat_nonce / 10: h'948f8860d13a463e',
-    / secboot /  262: true,
+    / oemboot /  262: true,
     / dbgstat /  263: 2, / disabled-since-boot /
     / oemid /    258: h'8945ad', / IEEE CID based /
     / ueid /     256: h'0198f50a4ff6c05861c8860d13a638ea', 
     / submods /  266: {
                         "OS" : {
-        / secboot /         262: true,
+        / oemboot /         262: true,
         / dbgstat /         263: 2, / disabled-since-boot /
         / measurements /    274: [
                                    [

diff --git a/cddl/Example-Payloads/valid_key_store.diag b/cddl/Example-Payloads/valid_key_store.diag
@@ -20,7 +20,7 @@
 
 {
     / eat_nonce /       10: h'948f8860d13a463e',
-    / secboot /        262: true,
+    / oemboot /        262: true,
     / dbgstat /        263: 2, / disabled-since-boot /
     / manifests /      273: [
                                 [ 121, / CoAP Content ID. A      /
@@ -55,7 +55,7 @@
     / submods /        266 : { 
                            "HLOS" : { / submod for high-level OS /
          / eat_nonce /         10: h'948f8860d13a463e',
-           / secboot /        262: true,
+           / oemboot /        262: true,
            / manifests /      273: [ 
                                 [ 121, / CoAP Content ID. A      /
                                        / made up one until one   /

diff --git a/cddl/Example-Payloads/valid_results.json b/cddl/Example-Payloads/valid_results.json
@@ -1,6 +1,6 @@
 {
    "eat_nonce": "jkd8KL-8=Qlzg4",
-   "secboot": true,
+   "oemboot": true,
    "dbgstat": "disabled-since-boot",
    "oemid": "iUWt",
    "ueid": "AZj1Ck_2wFhhyIYNE6Y4",
@@ -19,4 +19,4 @@
          ]
       ]
    ]
-}
+}
diff --git a/cddl/Example-Payloads/valid_submods.diag b/cddl/Example-Payloads/valid_submods.diag
@@ -24,7 +24,7 @@
     / hwversion /      260: ["1.3.4", 1], / Multipartnumeric  /
     / swname /         271: "Acme OS",
     / swversion /      272: ["3.5.5", 1],
-    / secboot /        262: true,
+    / oemboot /        262: true,
     / dbgstat /        263: 3, / permanent-disable  /
     / timestamp (iat) /  6: 1526542894,
     / submods / 266: {

diff --git a/cddl/Example-Payloads/valid_tee.diag b/cddl/Example-Payloads/valid_tee.diag
@@ -2,7 +2,7 @@
 
 {
     / eat_nonce /       10: h'948f8860d13a463e',
-    / secboot /        262: true,
+    / oemboot /        262: true,
     / dbgstat /        263: 2, / disabled-since-boot /
     / manifests /      273: [
                               [

diff --git a/cddl/claim-labels.cddl b/cddl/claim-labels.cddl
@@ -7,7 +7,7 @@ sueids-label           = JC< "sueids",     257 >
 oemid-label            = JC< "oemid",      258 >
 hardware-model-label   = JC< "hwmodel",    259 >
 hardware-version-label = JC< "hwversion",  260 >
-secure-boot-label      = JC< "secboot",    262 >
+oem-boot-label         = JC< "oemboot",    262 >
 debug-status-label     = JC< "dbgstat",    263 >
 location-label         = JC< "location",   264 >
 profile-label          = JC< "eat_profile",265 >

diff --git a/cddl/oem-boot.cddl b/cddl/oem-boot.cddl
@@ -0,0 +1 @@
+$$Claims-Set-Claims //= (oem-boot-label => bool)
diff --git a/cddl/secure-boot.cddl b/cddl/secure-boot.cddl
diff --git a/draft-ietf-rats-eat.md b/draft-ietf-rats-eat.md
@@ -732,18 +732,18 @@ A full CoSWID manifest or other type of manifest can be instead if this is too s
 ~~~~
 
 
-### secboot (Secure Boot) Claim
+### oemboot (OEM Authorized Boot) Claim
 
-A "secboot" claim with value of true indicates secure boot is enabled. Secure boot is
-considered enabled when the firmware and operating
-system, are under control of the manufacturer of the entity identified in the
-"oemid" claim described in {{oemid}}.
-Control by the manufacturer of the firmware and the operating system may be by it being in ROM, being cryptographically authenticated, a combination of the two or similar.
+An "oemboot" claim with value of true indicates the entity booted with software authorized by the manufacturer of the entity as indicated by the "oemid" claim described in {{oemid}}.
+It indicates the firmware and operating system are fully under control of the OEM and may not be replaced by the end user or even the enterprise that owns the device.
+The means of control may be by cryptographic authentication of the software, by the software being in ROM, a combination of the two or other.
+If this claim is present the "oemid" claim SHOULD always also be present.
 
 ~~~~CDDL
-{::include nc-cddl/secure-boot.cddl}
+{::include nc-cddl/oem-boot.cddl}
 ~~~~
 
+
 ### dbgstat (Debug Status) Claim
 
 The "dbgstat" claim applies to entity-wide or submodule-wide debug facilities of the
@@ -2526,6 +2526,9 @@ differences. A comprehensive history is available via the IETF Datatracker's rec
 - General edits to the submodules section
 - Change the way detached digests are identified in JSON-encoded tokens
 
+## From draft-ietf-rats-eat-17
+- Rename secboot to oemboot and describe it as OEM Authorized Boot
+
 --- contributor
 
 Many thanks to the following contributors to draft versions of this
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		$$Claims-Set-Claims //= (oem-boot-label => bool)