[Rats] EAT implementation (hackathon report)

Thomas Fossati <tho.ietf@gmail.com> Thu, 12 November 2020 17:17 UTC

To: rats@ietf.org
Cc: sergei.trofimov@arm.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/AhxQOzIIq3foAWpvcC0EgtC3AGI>

Hi all,

Sergei and I have been busy implementing the latest EAT spec at the hackathon.

We started from scratch and in three days we managed to produce a full
implementation [1] that is about 2.5KLOC, including 50+ accompanying
tests.

Overall, the impression is that the document is in pretty good shape
and can be implemented without too much ambiguity.

Here are a few random things we noticed in the process and that we
wanted to share with the EAT editors as well as the wider group:

1. It's not clear what is the story around the extensibility of single
claims?  E.g., if I wanted to expand the semantics of "Debug Disable"
or "Security Level" with my own local semantics, how would I do that?
This question popped up when discussing whether the decoder should accept
values not currently listed and make them available to the user?

2. Typo: The "nonce" JSON label is missing from Section 4.3.1

3. The JSON story is nearly OK, except for two things: the Submods
claim where the JSON:CBOR equivalency is broken by allowing unbounded
int keys in CBOR that can't have an equivalent in JSON; the
StringOrURI type whose semantics can be preserved when transcoding.
The former could be solved by only allowing string labels.  The latter
by declaring we only deal in strings.

4. The CDDL for CWT claims is currently wrong: it’d allow only one CWT
claim at a time in the EAT map.  Scaling up a bit, we should probably
have a CDDL socket for EAT extensions in the top-level map (maybe
starting from CWT claims).

5. The CBOR interoperability section should have normative language
where needed and double check that there are no copy-pasted
requirements from other documents without an explicit ref -- e.g., the
stray "Duplicate map keys are not allowed." should have a ref to 7049.

6. Some typographic thoughts about Debug Disable claim.  The "disable"
in "Debug disable" is redundant; it'd be better renaming it as just
"Debug" or "Debug status". A bit more consistent wording wouldn't hurt
either, e.g.:
* "Not disabled" => "enabled" -- this, combined with the above
suggestion, would move us from "debug disable not disabled" to a
simpler to digest "debug enabled" :-)
* "Permanent disable" => "disabled permanently"
* "Full permanent disable" => "disabled fully and permanently"

I think that's it; Sergei might have something more.

I can make Issues and PRs for all of the above if needed.

Thanks!

[1] https://github.com/veraison/eat

-- 
Thomas
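
Added example (not part of the original message and not code from veraison/eat): a minimal Python check for points 3 and 5 above, listing the labels of a CBOR map that have no JSON object-key equivalent, that collide once stringified, or that are repeated. The function names and the sample byte strings are constructed for illustration; the decoder handles only definite-length ints, strings, arrays and maps.

```python
def _head(b, i):
    """Decode one CBOR initial byte and its argument (definite lengths only)."""
    if i >= len(b):
        raise ValueError("truncated CBOR")
    major, ai = b[i] >> 5, b[i] & 0x1F
    if ai < 24:
        return major, ai, i + 1
    n = 1 << (ai - 24)
    if ai > 27 or i + 1 + n > len(b):
        raise ValueError("truncated or unsupported CBOR length")
    return major, int.from_bytes(b[i + 1:i + 1 + n], "big"), i + 1 + n

def decode(b, i=0):
    """Decode ints, strings, arrays and maps. Maps are returned as a list of
    (key, value) tuples so that int keys and repeated keys stay visible."""
    major, arg, i = _head(b, i)
    if major in (0, 1):
        return (arg if major == 0 else -1 - arg), i
    if major in (2, 3):
        if i + arg > len(b):
            raise ValueError("truncated CBOR")
        raw = bytes(b[i:i + arg])
        return (raw.decode("utf-8") if major == 3 else raw), i + arg
    if major in (4, 5):
        items = []
        for _ in range(arg * (major - 3)):  # a map holds 2 items per entry
            item, i = decode(b, i)
            items.append(item)
        return (list(zip(items[::2], items[1::2])) if major == 5 else items), i
    raise ValueError(f"CBOR major type {major} not handled in this example")

def check_submod_labels(cbor_map):
    """List the labels of a CBOR map that cannot survive transcoding to JSON."""
    pairs, end = decode(cbor_map)
    if cbor_map[0] >> 5 != 5 or end != len(cbor_map):
        raise ValueError("expected exactly one CBOR map")
    problems, seen = [], {}
    for label, _ in pairs:
        json_key = label if isinstance(label, str) else repr(label)
        if not isinstance(label, str):
            problems.append(("non-text-label", label))
        if json_key in seen:  # JSON object keys are always strings
            same = type(seen[json_key]) is type(label) and seen[json_key] == label
            problems.append(("duplicate" if same else "collision", label))
        seen.setdefault(json_key, label)
    return problems

# Constructed samples: {"wifi": 1, 7: 2, "7": 3}, {"a": 1, "a": 2}, {"wifi": 1, "ble": 2}
MIXED = bytes.fromhex("a36477696669010702613703")
DUPLICATE = bytes.fromhex("a2616101616102")
TEXT_ONLY = bytes.fromhex("a2647769666901" "63626c6502")
```
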