IETF Logo Mail Archive

Re: [Rats] [sacm] CoSWID and EAT and CWT

Thomas Fossati <Thomas.Fossati@arm.com> Wed, 27 November 2019 16:59 UTC

Return-Path: <Thomas.Fossati@arm.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A984A12093E; Wed, 27 Nov 2019 08:59:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=B47RVxLt; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=armh.onmicrosoft.com header.b=kfrF8bSM
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8a3i9uxJueHC; Wed, 27 Nov 2019 08:59:43 -0800 (PST)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20061.outbound.protection.outlook.com [40.107.2.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12437120927; Wed, 27 Nov 2019 08:59:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8KoFiQBcU0q3S8JywqfZR7j+pMO6kGwHOPF3O/Dwy84=; b=B47RVxLttBGmu3qn6Hty8jsWW3uCnrdimtgLMJyBu3qzkF+e7Y6TApvzkL+7v34c4/hXWQDn6SrKsyC8azx6krSBgnZLAiYFzmup16rGXsEivDFKtmba+RH7j19CuYftuZ8je4Jya0c25a1odMt35IPseqoHaiZ/sThOl3MkYh0=
Received: from VI1PR0802CA0011.eurprd08.prod.outlook.com (2603:10a6:800:aa::21) by VI1PR08MB3037.eurprd08.prod.outlook.com (2603:10a6:803:42::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.17; Wed, 27 Nov 2019 16:59:37 +0000
Received: from DB5EUR03FT059.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e0a::209) by VI1PR0802CA0011.outlook.office365.com (2603:10a6:800:aa::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.19 via Frontend Transport; Wed, 27 Nov 2019 16:59:37 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT059.mail.protection.outlook.com (10.152.21.175) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18 via Frontend Transport; Wed, 27 Nov 2019 16:59:37 +0000
Received: ("Tessian outbound 15590139dbb5:v37"); Wed, 27 Nov 2019 16:59:35 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 92074247f288c3da
X-CR-MTA-TID: 64aa7808
Received: from c9bf0f2719b7.2 by 64aa7808-outbound-1.mta.getcheckrecipient.com id ED551546-F403-48B2-8282-BE0F3214DB1E.1; Wed, 27 Nov 2019 16:59:30 +0000
Received: from EUR01-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id c9bf0f2719b7.2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Wed, 27 Nov 2019 16:59:30 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=flE+TNU+R2gWt5jcuMfBfEbPZ0bggWTpii+I/1gKllnp2zQySzGLPHJc9LySaDP1Zc4lfNh756rFzc68iTzlW62eB7WfV/f26YPcS4yOtJ5f4Z0lB/sy0IHTg+CeRWprICVkp+BMi/maKUrneqYnfDfcZ7OnAajDDgRQm7Rk19KLoWjgf8Mk52QLACQhZrsmNIRs8itQh+R66l79edyRoZw2HGH7c7nNnAtm8EmYnZNPOl1mYAWE8NK7DTbzc71BXM+Q8Sj2OWQI9pzGyEaSUaW1El4xJFGiYB7XZJd3HZI/pC+0GNn0PevlGZwUStWFHel/UtfJt5di1kSAQUMOhg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q3hkaEVaXm3fJFES2T2UeGzA4EwYQ/fvjEDbavwDmdc=; b=nN8qNLvkoIxGV5kWEhCmUCxBrcYgX6a5GSdIGYV0Y+nmiBGv+ItxFeR92KmNVgM6KESWFY12lonyd5TI1anHmOEn7XPiCP663zNXCIEuc/+XZ1UxzlKpG3xf1MY5tfgclK+49zorQZ5pxIZWSh5xWMaE+uRxPCHDsanEIXLBYXmkBwlInc2akMWqL+Tbg2E9PRGoVE2cA3JLiwyeaV4N92mUjH3Yjm1EdNKbUO7NisXTY4Av8ikqraqSKwXJQDM1RnSVOCdzJ2KUsXAdCTFVKERj5oyAnZam8IkmNWVF5bkhnhDDx582MN+XE1MRldzovjxosIS7m80E/OdsfIgqTQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q3hkaEVaXm3fJFES2T2UeGzA4EwYQ/fvjEDbavwDmdc=; b=kfrF8bSMNdRe1Ah3fLH9bcDovMhGlDU45ofDKzhLKzouk+cL4o/sPdHE6wAEgnKNjmBSNn+NpWoms4nXhYOVgTZE4OUJaDCJFLWYRIMFYJ6iutAcPdvAAv1MqE/Wj1f9t15j8hsWFLppFO0hM7e+jWYwDtZps6Rra3z3cgj6S3U=
Received: from AM6PR08MB4231.eurprd08.prod.outlook.com (20.179.18.151) by AM6PR08MB4039.eurprd08.prod.outlook.com (20.179.0.31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18; Wed, 27 Nov 2019 16:59:28 +0000
Received: from AM6PR08MB4231.eurprd08.prod.outlook.com ([fe80::e8f5:4b6f:34b7:47a4]) by AM6PR08MB4231.eurprd08.prod.outlook.com ([fe80::e8f5:4b6f:34b7:47a4%7]) with mapi id 15.20.2495.014; Wed, 27 Nov 2019 16:59:28 +0000
From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Laurence Lundblade <lgl@island-resort.com>, "sacm@ietf.org" <sacm@ietf.org>, "rats@ietf.org" <rats@ietf.org>
CC: Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: [sacm] [Rats] CoSWID and EAT and CWT
Thread-Index: AQHVoAOFHbeRQea3TEO+3tpXPiFPYKeWUfEAgAfW1QCAAONGgIAAO/qA
Date: Wed, 27 Nov 2019 16:59:28 +0000
Message-ID: <05D67FD7-B95E-4716-B844-2F2F3A09030F@arm.com>
References: <2A12D8A3-722A-44D1-8011-218C89C8B50B@island-resort.com> <VI1PR08MB5360236E3583EBD3A78085EDFA490@VI1PR08MB5360.eurprd08.prod.outlook.com> <60C4E362-02FD-4DDF-BFB4-D09D358282D4@arm.com> <b5bca8a7-7e7c-4432-a1be-6cf1fc21c352@sit.fraunhofer.de>
In-Reply-To: <b5bca8a7-7e7c-4432-a1be-6cf1fc21c352@sit.fraunhofer.de>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1f.0.191110
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Thomas.Fossati@arm.com;
x-originating-ip: [217.140.106.50]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 3ae72324-d335-4b3c-6432-08d7735b2f8f
X-MS-TrafficTypeDiagnostic: AM6PR08MB4039:|AM6PR08MB4039:|VI1PR08MB3037:
x-ms-exchange-transport-forked: True
X-Microsoft-Antispam-PRVS: <VI1PR08MB30379EE9A100D5F7A0FBC3AD9C440@VI1PR08MB3037.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
x-ms-oob-tlc-oobclassifiers: OLM:758;OLM:758;
x-forefront-prvs: 023495660C
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(396003)(136003)(39860400002)(366004)(376002)(346002)(51444003)(199004)(189003)(51914003)(4326008)(58126008)(256004)(186003)(2616005)(11346002)(446003)(478600001)(71200400001)(71190400001)(36756003)(2906002)(25786009)(66476007)(81156014)(66946007)(64756008)(66556008)(8676002)(66446008)(7736002)(5660300002)(305945005)(8936002)(91956017)(76116006)(86362001)(33656002)(81166006)(316002)(6512007)(53546011)(6506007)(6246003)(26005)(102836004)(229853002)(66066001)(6436002)(14454004)(2501003)(2201001)(6486002)(76176011)(99286004)(3846002)(561944003)(110136005)(6116002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR08MB4039; H:AM6PR08MB4231.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: gT3gG4wBKgCzuShrzdr7G+tPtdXmktR9b4nspFvWOYtnR0pjMUJOyL1LUUx2uAu1U1qf04rWpL3J+FEDc57CN5rc8DPwglVB5kSxmkwndjKwo7HozVgQlEzO35PUg/ZFGhI0LvWZDpohWIiEwiJB0lUrT5fOm0GLacN7txyaWwRXXgPvAHX067mJKYNr1uYwBDQg7K4Bw1ODU8eRwg6gjDxXr296+tQBoDPj64Fd4iIEVPkFlGBlYsfqUkmbXhsI+WxT3P2KhidabjqXatnMnwDW+66j0S65HYKBS0u3L+5AIe249b7Ko7892QnUXnqXC1t37Rd1zmY2CqP90mERX16Vv5Yss84CTnD2qwqfqsoQEPybbaJY05yAxzaUmU+e1q0olkVE1ufPZdlrSkL29NE1aXhogeopSAAEOlxJNCCkZqVtZgdkfxNsotZSxIjS
Content-Type: text/plain; charset="utf-8"
Content-ID: <6CA036DD64B1EC40B2EA981D4F8EB496@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4039
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Thomas.Fossati@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT059.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(346002)(39860400002)(136003)(376002)(396003)(51444003)(51914003)(199004)(189003)(40434004)(14444005)(305945005)(33656002)(110136005)(2906002)(6486002)(6512007)(58126008)(336012)(81156014)(8676002)(436003)(186003)(14454004)(25786009)(4326008)(450100002)(86362001)(478600001)(22756006)(81166006)(26005)(106002)(6246003)(561944003)(7736002)(2501003)(8936002)(356004)(229853002)(2201001)(36756003)(99286004)(102836004)(70206006)(76176011)(23676004)(316002)(2616005)(47776003)(11346002)(76130400001)(26826003)(5660300002)(5024004)(446003)(66066001)(3846002)(2486003)(6506007)(50466002)(53546011)(6116002)(70586007); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR08MB3037; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:Pass; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; A:1; MX:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: f1340cb7-a9ae-4b4e-36a4-08d7735b2a22
X-Forefront-PRVS: 023495660C
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: i4Kr+uBiLMCF9KQhxiyehc2FT09ylyZMJLZ3c/xorRsudu6pRlxvEeVseiqT8lJt9wEDwMsmHye3t+EJKvwXTD/nN1Cn9CSQkw812a+KuPRD4pGGWEVOC0ZIT/cBbrzG0v0j+LOLsM25lSwLxfyaIOoHVUDvpTy2YW7+UiqLo0hDyQN7kk6mFSIIx+OjTZmyl7UikbkFAOCcEdG7uJt7frrZEOmhlj/MiOAU3O19aNzH9pVNQ8rCZFQz/NFW/l5YdS8E3r+bKAfWpnskn5IChz5q4R82MBWSWq9V4jTkUlmg1vwVCzvL+0LnlyLEQDidEbirMaLVuYa04B03jzL30vVKxTnuCBR4jJ0uK7vVFFAXYeBdr0jZy+kj8WEEho5chReR/JzTLTRHy/YXgygwRbb95A4VPZBipOZ5XrGOLayPX2E2pAOig2qBgooDB2bi
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Nov 2019 16:59:37.2608 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3ae72324-d335-4b3c-6432-08d7735b2f8f
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB3037
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/wAnB5D5uSORgG7D44kDVMa9w-jU>
Subject: Re: [Rats] [sacm] CoSWID and EAT and CWT
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 16:59:47 -0000

Hi Henk

Thanks very much for your input.

On 27/11/2019, 13:24, "Henk Birkholz" <henk.birkholz@sit.fraunhofer.de> wrote:
> yes there are ways to deal with firmware in SWID, namely the resource
> type (index 19) in the set of SWID resource-collection [1] in
> combination with the rel type (index 40) entries.
>
> This way, you would not have to use filesystem-items, but this way is
> also a bit clunky and would require an informational guidance document
> describing how to use *SWID for that.

That's interesting because initially I also tried to use the resource
type -- which looked like the less wrong among all the available types
in the resource collection.  However it wasn't clear to me how to
associate a checksum to the component, hence I went for the
filesystem-item.  Maybe I was just looking in the wrong place or maybe,
as you say, there's a magic firmware recipe that's worth documenting
here.

> There are some quite smart ways to do that actually with
> filesystem-items, but I think it is more feasible to use a SUIT
> manifest here to describe everything relevant to the "firmware thingy"
> and then put a CoSWID into the SUIT manifest's outer wrapper [2] that
> then represents the rest of the semantics that is not covered by the
> manifest but by CoSWID. This method is fine, as the COSE envelope
> around the EAT will make tempering with the outer wrapper of the SUIT
> Manifest evident.
>
> I think that is a more elegant way to do it, actually, and the reason
> why issue #46 in the EAT repo proposes to define a Claim to include a
> SUIT Manifest in an EAT, too.

I'll look into this, thanks for the pointer.

Stepping back for a second and looking from the perspective of my
immediate requirement (i.e., "Is it possible to translate PSA's software
component claim using purely EAT constructs?"), ideally I'd like to have
something that is expressive enough to encode my semantics (i.e.: SW
component name, version, signer and measurement) without being overly
complex.

So my knee-jerk reaction is if that implies pulling a dependency on
SUIT maybe it's a bit too much?  But I confess haven't yet looked at
the details of your proposal nor I can claim enough SUIT-foo to really
grok the complexity involved.  As said, I'll have a look shortly.

cheers!

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email