IETF Logo Mail Archive

Re: [Rats] CoSWID and EAT and CWT

Laurence Lundblade <lgl@island-resort.com> Wed, 27 November 2019 00:48 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72B2A120B32 for <rats@ietfa.amsl.com>; Tue, 26 Nov 2019 16:48:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M8-4lZ7Q-6nD for <rats@ietfa.amsl.com>; Tue, 26 Nov 2019 16:48:48 -0800 (PST)
Received: from p3plsmtpa07-04.prod.phx3.secureserver.net (p3plsmtpa07-04.prod.phx3.secureserver.net [173.201.192.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E04B1120B30 for <rats@ietf.org>; Tue, 26 Nov 2019 16:48:47 -0800 (PST)
Received: from [10.86.0.118] ([45.56.150.43]) by :SMTPAUTH: with ESMTPA id ZlVei0gP2YzYsZlVfiQUm7; Tue, 26 Nov 2019 17:48:47 -0700
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <46CBC5D5-C4AF-4FFD-A06E-5D8B1FFF2AE7@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B1B39B3D-7B29-415F-BAE8-DFD016492154"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 26 Nov 2019 16:48:46 -0800
In-Reply-To: <60C4E362-02FD-4DDF-BFB4-D09D358282D4@arm.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "sacm@ietf.org" <sacm@ietf.org>, "rats@ietf.org" <rats@ietf.org>
To: Thomas Fossati <Thomas.Fossati@arm.com>
References: <2A12D8A3-722A-44D1-8011-218C89C8B50B@island-resort.com> <VI1PR08MB5360236E3583EBD3A78085EDFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <60C4E362-02FD-4DDF-BFB4-D09D358282D4@arm.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfNLsy+E7UFr6g9DdtJI2HrTdbIh/Ans7SVSmX9d4V/qQgtY6FyozCeWsZ/Fe2jiKMP/Zj1K57xuon+6jKOLfO+GkXEdSSfFob/Fe0bktzzgtBI9Uzt69 MmxxCYciT+mCEmcqckvaoaJLHh/JXaDkz54TZ+f75pdVHALi7Ll0P076AFfEP16MtelUatEE+MM5bw8kzyAYmcmCd2oPlo76x61vWUqPLrfCMwMI3vbzJG4q PrGb5F1lr/X+IQQ6OvAlCA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/DXxsHk1ekegHp-NoSMbp-N6pjy8>
Subject: Re: [Rats] CoSWID and EAT and CWT
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 00:48:49 -0000

Looks good, Thomas

Here’s a signed EAT with the CoSWID as a claim with label 21.

In EATs with submods, there would likely be a CoSWID per submod (not shown below).

LL


18(
    [
        / protected parameters, bstr wrapped / << {
            / alg / 1: -7 / ECDSA 256 /
        } >>,

        / unprotected parameters / {
            / kid / 4: h'4173796d6d657472696345434453413
                          23536' / 'AsymmetricECDSA256' /
        },

        / COSE payload, the EAT, bstr wrapped / << {
            / nonce  /
            7:h'948f8860d13a463e8e',
    
            / UEID /
            8:h'0198f50a4ff6c05861c8860d13a638ea4fe2f',
    
            / boot_state (based on the -01 draft) /
            12:{true, true, true, true, false},
    
            / time stamp /
            6:1526542894,
    
            / The CoSWID /
            21: {
           
                / tag-id, globally unique identifier for the software component /
      0: "trustedfirmware.org/TF-M",

      / tag-version (here: 0, i.e. initial tag) /
      12: 0,

      / software component name /
      1: "TF-M",

      / version of the software component /
      13: "1.0.0-rc1+build.123",

      / (optional) version scheme (here: semver) /
      14: 16384,

      / entity, i.e. organizations responsible for producing or releasing
        the software component /
      2: {
          / entity name /
          31: "Linaro Limited",

         / entity role (here: software creator) /
         33: 2,

         / thumbprint of the entity public key (algo -- here; SHA-256 -- and value) /
         34: [
             1,
             h'5e73c2e6a96be594e56b218418a3ea03f1397934a2517d781855195fe3c5916b'
         ]
           },

           / payload /
           6: {
     
              / filesystem item (name and hash) /
              17: {
     
                  24: "tfm.bin",
                  7: [
                      1,
                      h'4a039f284d8ad68ca5b4d1592977c7c964c4abb5d08d87e4a0346b80cce5c74d'
                  ]
               }
           }
       }
   } >>,

   / signature / h'5427c1ff28d23fbad1f29c4c7c6a555e601d6fa29f
                   9179bc3d7438bacaca5acd08c8d4d4f96131680c42
                   9a01f85951ecee743a52b9b63632c57209120e1c9e
                   30'
]
)




> On Nov 26, 2019, at 3:51 PM, Thomas Fossati <Thomas.Fossati@arm.com> wrote:
> 
> Hi Hannes,
> 
> On 22/11/2019, 00:08, Hannes.Tschofenig@arm.com> wrote:
>> Hi all
>> 
>> Can someone send an example around how this would actually look like?
> 
> For something such as TF-M, it should look like this:
> 
> {
>  / tag-id, globally unique identifier for the software component /
>  0: "trustedfirmware.org/TF-M",
> 
>  / tag-version (here: 0, i.e. initial tag) /
>  12: 0,
> 
>  / software component name /
>  1: "TF-M",
> 
>  / version of the software component /
>  13: "1.0.0-rc1+build.123",
> 
>  / (optional) version scheme (here: semver) /
>  14: 16384,
> 
>  / entity, i.e. organizations responsible for producing or releasing
>    the software component /
>  2: {
>    / entity name /
>    31: "Linaro Limited",
> 
>    / entity role (here: software creator) /
>    33: 2,
> 
>    / thumbprint of the entity public key (algo -- here; SHA-256 -- and value) /
>    34: [
>      1,
>      h'5e73c2e6a96be594e56b218418a3ea03f1397934a2517d781855195fe3c5916b'
>    ]
>  },
> 
>  / payload /
>  6: {
>    / filesystem item (name and hash) /
>    17: {
>      24: "tfm.bin",
>      7: [
>        1,
>        h'4a039f284d8ad68ca5b4d1592977c7c964c4abb5d08d87e4a0346b80cce5c74d'
>      ]
>    }
>  }
> }
> 
> At least this would be my interpretation of the CoSWID draft.  I'm a bit
> unsure whether a "filesystem" item is the most appropriate payload for a
> firmware thingy.  Surely Henk can suggest something better.
> 
> Cheers!
> 
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>

v2.23.0 | Report a Bug | By Email