matcher musings
Signed-off-by: Thomas Fossati <[email protected]>
thomas-fossati committed Jan 18, 2024
1 parent b797d2d commit 7ec3413
Showing 5 changed files with 333 additions and 0 deletions.
8 changes: 8 additions & 0 deletions matcher-musings/Makefile
@@ -0,0 +1,8 @@
Examples := $(wildcard *.json)
Manifest := manifest.cddl

all: $(Manifest) $(Examples)
@for f in $(Examples); do \
echo ">> validating $$f against $<" ; \
cddl $< validate $$f || exit 1 ; \
done
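Review bot: `all` is not declared phony, so a file or directory named `all` in matcher-musings/ would make the target look up to date and the validation loop would be skipped without any message; add `.PHONY: all`. Note also that `$(wildcard *.json)` only picks up the standalone manifests, so the inline `in-range` and `masked` snippets in README.md are never checked against manifest.cddl.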
131 changes: 131 additions & 0 deletions matcher-musings/README.md
@@ -0,0 +1,131 @@
# Musings on pattern-matching Evidence

The Verifier's main function is to find patterns in Evidence that match known-good-values or known-bad-values, or some specific "state" that can be associated with metadata related to the Attester (i.e., what CoRIM calls "endorsed values").

To pattern-match Evidence, the Verifier needs:

* A way to identify which Evidence claim needs to be matched
* The comparison logic to be used in matching
* The value(s) to compare against

It makes sense to encapsulate all that into a basic _matcher_ object that can become a building block of higher-level constructs.

Given the variability of Evidence, such _matcher_ needs to be assisted by an "attestation scheme"-specific function that identifies the claim in the Evidence Claims-Set that this _matcher_ is describing.

```cddl
matcher = {
cmp: $cmp
values: values
}
$cmp /= "in-set" ; any
/ "in-range" ; sortable types
/ "masked" ; bytes
/ "regexp" ; text
values = [ + any ]
claim-id = text / int
```

## Reference Values

```cddl
RV = {
? desc: text
cond: { + claim-id => matcher }
}
```

## x-Reference Values

```cddl
xRV = {
? desc: text
cond: { + claim-id => matcher }
reason: $reason
}
$reason /= "insecure"
/ "obsolete"
```

## Endorsed Values

```cddl
EV = {
? desc: text
cond: { + claim-id => matcher }
claims: named-claims
}
named-claims = {
+ claim-id => any
}
```

## Manifest

```cddl
manifest = {
heading: heading
? reference-values: [ + RV ]
? x-reference-values: [ + xRV ]
? endorsed-values: [ + EV ]
}
heading = {
author: text
attestation-scheme: text
; $extns
}
```

## Examples

### `in-range` matching

```json
{
"svn": {
"cmp": "in-range",
"values": [
{ "min": 0, "max": 10 }
]
}
}
```

### `masked` matching

```json
{
"raw-value": {
"cmp": "masked",
"values": [
{ "bytes": "AAE=", "mask": "AQE=" }
]
}
}
```

### Arm CCA

Complete examples of manifests for Arm CCA platform and realm:

* [cca-platform.json](cca-platform.json)
* [cca-realm.json](cca-realm.json)

---
> **WIP**
---


```python
def match(ClaimsSet, RV, CTX)
for rv in RV:
tbcClaim = CTX.profile.claim_lookup(ClaimsSet, rv.cid)
if not rv.cmp(tbcClaim, rv.vals):
return false
return true
```
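Review bot: In the WIP `match` sketch at the end, the result of `CTX.profile.claim_lookup(ClaimsSet, rv.cid)` goes straight into `rv.cmp` with no handling for a claim that is absent from the Claims-Set. State explicitly that a missing claim makes the match fail; otherwise each comparator has to decide what an empty value means, and a reference value could end up matching Evidence that simply omits the claim. The sketch also uses `rv.cid` and `rv.vals` where the CDDL above has `cond: { + claim-id => matcher }` with `cmp` and `values`, and it is fenced as python but lacks the colon after the signature and returns `false`/`true`. Aligning the names with the schema and labelling the block as pseudocode would avoid confusion.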
58 changes: 58 additions & 0 deletions matcher-musings/cca-platform.json
@@ -0,0 +1,58 @@
{
"heading": {
"author": "thofos",
"attestation-scheme": "arm:cca:platform"
},
"reference-values": [
{
"cond": {
"implementation-id": {
"cmp": "in-set",
"values": [
"qrvM3Q=="
]
},
"sw-components": {
"cmp": "in-set",
"values": [
[
{
"measurement-value": "//8=",
"signer-id": "7u4="
},
{
"measurement-value": "qrs=",
"signer-id": "7u4="
}
]
]
},
"platform-configuration": {
"cmp": "masked",
"values": [
{
"bytes": "AAE=",
"mask": "AQE="
}
]
}
}
}
],
"endorsed-values": [
{
"cond": {
"implementation-id": {
"cmp": "in-set",
"values": [
"qrvM3Q=="
]
}
},
"claims": {
"vendor": "ACME Inc",
"model": "very confidential"
}
}
]
}
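Review bot: Under `platform-configuration` the `masked` comparator, which the schema comments as applying to bytes, is given `"bytes": "AAE="` and `"mask": "AQE="` as JSON text, and nothing in the matcher says these are base64. Document the encoding and that comparison happens on the decoded bytes; the same applies to the `in-set` values such as `"qrvM3Q=="`, which would otherwise be compared as text. It would also help to spell out the mask semantics next to this example, since the README does not define how `bytes` and `mask` combine with the claim value.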
84 changes: 84 additions & 0 deletions matcher-musings/cca-realm.json
@@ -0,0 +1,84 @@
{
"heading": {
"author": "thofos",
"attestation-scheme": "arm:cca:realm"
},
"reference-values": [
{
"cond": {
"rim": {
"cmp": "in-set",
"values": [
"3q0=",
"vq8="
]
},
"rem": {
"cmp": "in-set",
"values": [
[
"3q0=",
"vq8=",
"AAA=",
"AAA="
],
[
"AAA=",
"AAA=",
"AAA=",
"AAA="
]
]
}
}
}
],
"x-reference-values": [
{
"cond": {
"rim": {
"cmp": "in-set",
"values": [
"+v8="
]
}
},
"reason": "insecure"
}
],
"endorsed-values": [
{
"cond": {
"rim": {
"cmp": "in-set",
"values": [
"3q0="
]
}
},
"claims": {
"version": "1.2.9rc1",
"features": [
"A",
"B"
]
}
},
{
"cond": {
"rim": {
"cmp": "in-set",
"values": [
"vq8="
]
}
},
"claims": {
"version": "1.0.0",
"features": [
"A"
]
}
}
]
}
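Review bot: The second entry in the `rem` value list is four `"AAA="` values, so this reference value also accepts a realm whose `rem` slots are all zero bytes. If that is intended, say so in the optional `desc` field of the RV, because the file gives no hint why two such different `rem` sets are both known-good. A short `desc` on the `x-reference-values` entry for `"+v8="` would likewise make the `"insecure"` reason easier to audit.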
52 changes: 52 additions & 0 deletions matcher-musings/manifest.cddl
@@ -0,0 +1,52 @@
start = manifest

manifest = {
heading: heading
? reference-values: [ + RV ]
? x-reference-values: [ + xRV ]
? endorsed-values: [ + EV ]
}

heading = {
author: text
attestation-scheme: text
; $extns
}

matcher = {
cmp: $cmp
values: values
}

claim-id = text / int

$cmp /= "in-set" ; any
/ "in-range" ; sortable types
/ "masked" ; bytes
/ "regexp" ; text

values = [ + any ]

named-claims = {
+ claim-id => any
}

RV = {
? desc: text
cond: { + claim-id => matcher }
}

EV = {
? desc: text
cond: { + claim-id => matcher }
claims: named-claims
}

xRV = {
? desc: text
cond: { + claim-id => matcher }
reason: $reason
}

$reason /= "insecure"
/ "obsolete"
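Review bot: `values = [ + any ]` leaves the element shape independent of `cmp`, so a matcher with `cmp: "masked"` and plain text values, or `"in-range"` without `min`/`max`, passes `cddl validate` and the mistake only surfaces in the Verifier. Consider one matcher type per comparator, each with its own value type, using the `{ min, max }` and `{ bytes, mask }` maps that README.md already shows. These rules also duplicate the CDDL blocks in README.md, so the two copies can drift unless the README points at this file as the single source.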
