Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Appendix B.1 and B.2 need some TLC #155

Open
thomas-fossati opened this issue Sep 10, 2024 · 4 comments
Open

Appendix B.1 and B.2 need some TLC #155

thomas-fossati opened this issue Sep 10, 2024 · 4 comments
Assignees
@nedmsmith

Comments

@thomas-fossati
Copy link
Contributor

@henkbirkholz asked me to look at B.1 and B.2.

Two observations:

  • The title is the same and a good percentage of the prose portion is repeated. It is not clear why both sections are needed. (My guess is you wanted to have CMW and TCBInfo examples one alongside the other, but for some reason, you ended in this garbled situation.)
  • The example in B.2 is not a CMW, it's a DICE TCBInfo. To be a CMW it should use OID id-pe-cmw, and the encoding defined in Section 5 of CMW.

In conclusion:

  1. The title of B.2 should be "TCG DiceTCBInfo in CSR", and
  2. B.1 still needs some tender love and care.

This may be related to #144
@henkbirkholz
Copy link
Collaborator

6.4.2. Initial Registry Contents references I-D.ietf-rats-msg-wrap (oid 1.3.6.1.5.5.7.1.35) and then lists DiceConceptualMessageWrapper (oid 2.23.133.5.4.9) as the item to register.

1.3.6.1.5.5.7.1.35 represents a superset of 2.23.133.5.4.9, I think. Should we consider using that oid instead?

@thomas-fossati
Copy link
Contributor Author

1.3.6.1.5.5.7.1.35 represents a superset of 2.23.133.5.4.9, I think. Should we consider using that oid instead?

Yes, two reasons:

  1. As you also noted, IETF CMW is a superset of TCG CMW;
  2. It makes sense for an IETF spec to eat its own dog food :-)

@hannestschofenig hannestschofenig mentioned this issue Sep 23, 2024
Open
@nedmsmith
Copy link
Collaborator

nedmsmith commented Sep 24, 2024
edited
Loading

Here's proposed ASN.1 for Section B.1
I noted there was no name given to the DEFINITIONS section that defined EvidenceStatementSet. Was there a reason?
I found it helpful to give it a name so I can write the IMPORTS section, namely: EvidenceStatementSet FROM CsrAttestation

Should I give it a name in a PR to add the other ASN.1?

Note also the TcgDice block defines the other DICE OIDs that show up in the OID registry in the IANA section.

I also noticed the B.2 section is mislabeled as it is showing a DiceTcbInfo example. The updated ASN.1 shows construction of an EvidenceStatementSet containing both Dice CMW and Dice TcbInfo structures.

CsrAttestationDiceExample DEFINITIONS IMPLICIT TAGS ::= BEGIN

IMPORTS 

tcg-dice-conceptual-message-wrapper FROM TcgDice
DiceConceptualMessageWrapper FROM TcgDice

EvidenceStatementSet FROM CsrAttestation 
;

tcgDiceCmwEvidenceStatementES EVIDENCE-STATEMENT ::=
  { DiceConceptualMessageWrapper IDENTIFIED BY tcg-dice-conceptual-message-wrapper }

tcgDiceTcbInfoEvidenceStatementES EVIDENCE-STATEMENT ::=
  { DiceTcbInfo IDENTIFIED BY tcg-dice-TcbInfo }
-- where ConceptualMessageWrapper, tcg-dice-conceptual-message-wrapper, DiceTcbInfo, and tcg-dice-TcbInfo
-- are defined in DICE-Attestation-Architecture-Version-1.1-Revision-17_1August2023.pdf

EvidenceStatementSet EVIDENCE-STATEMENT ::= {
  tcgDiceEvidenceStatementES, 
  tcgDiceTcbInfoEvidenceStatementES, 
  ...
}
END

TcgDice DEFINITIONS IMPLICIT TAGS ::= BEGIN

EXPORTS ALL;

tcg OBJECT IDENTIFIER ::= { 2 23 133 }
tcg-dice OBJECT IDENTIFIER ::= { tcg platformClass(5) dice(4) }
tcg-dice-TcbInfo OBJECT IDENTIFIER ::= { tcg-dice tcbinfo(1) }
tcg-dice-MultiTcbInfo OBJECT IDENTIFIER ::= {tcg-dice multitcbinfo(5) }
tcg-dice-UCCS-evidence OBJECT IDENTIFIER ::= {tcg-dice uccs-evidence(6) }
tcg-dice-manifest-evidence OBJECT IDENTIFIER ::= {tcg-dice manifest-evidience(7) }
tcg-dice-MultiTcbInfoComp OBJECT IDENTIFIER ::= {tcg-dice multitcbinfocomp(8) }
tcg-dice-conceptual-message-wrapper OBJECT IDENTIFIER ::= { tcg-dice cmw(9) }

DiceConceptualMessageWrapper ::= SEQUENCE {
    cmw OCTECT STRING
}

DiceTcbInfo ::== SEQUENCE {
    vendor [0] IMPLICIT UTF8String OPTIONAL,
    model [1] IMPLICIT UTF8String OPTIONAL,
    version [2] IMPLICIT UTF8String OPTIONAL,
    svn [3] IMPLICIT INTEGER OPTIONAL,
    layer [4] IMPLICIT INTEGER OPTIONAL,
    index [5] IMPLICIT INTEGER OPTIONAL,
    fwids [6] IMPLICIT FWIDLIST OPTIONAL,
    flags [7] IMPLICIT OperationalFlags OPTIONAL,
    vendorInfo [8] IMPLICIT OCTET STRING OPTIONAL,
    type [9] IMPLICIT OCTET STRING OPTIONAL,
    flagsMask [10]IMPLICIT OperationalFlagsMask OPTIONAL
}

FWIDLIST ::== SEQUENCE SIZE (1..MAX) OF FWID
    FWID ::== SEQUENCE {
    hashAlg OBJECT IDENTIFIER,
    digest OCTET STRING
}

OperationalFlags ::= BIT STRING {
    notConfigured (0),
    notSecure (1),
    recovery (2),
    debug (3),
    notReplayProtected (4),
    notIntegrityProtected (5),
    notRuntimeMeasured (6),
    notImmutable (7),
    notTcb (8),
    fixedWidth (31)
}

OperationalFlagsMask ::= BIT STRING {
    notConfigured (0),
    notSecure (1),
    recovery (2),
    debug (3),
    notReplayProtected (4),
    notIntegrityProtected (5),
    notRuntimeMeasured (6),
    notImmutable (7),
    notTcb (8),
    fixedWidth (31)
}
    
END

@nedmsmith
Copy link
Collaborator

Fixed in PR #160

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nedmsmith nedmsmith

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hannestschofenig @nedmsmith @thomas-fossati @henkbirkholz