Signed-off-by: Thomas Fossati <[email protected]>
1 parent
b797d2d
commit 7ec3413
Showing
5 changed files
with
333 additions
and
0 deletions.
@@ -0,0 +1,8 @@ | ||
Examples := $(wildcard *.json) | ||
Manifest := manifest.cddl | ||
|
||
all: $(Manifest) $(Examples) | ||
@for f in $(Examples); do \ | ||
echo ">> validating $$f against $<" ; \ | ||
cddl $< validate $$f || exit 1 ; \ | ||
done |
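Review bot: `all` is not declared phony, so a file or directory named `all` next to this Makefile that is newer than the prerequisites makes `make` report the target as up to date and skip the validation loop entirely; add `.PHONY: all` above the rule. Separately, when `$(wildcard *.json)` matches nothing the loop body never runs and the target still succeeds, so a CI job built on it would pass without having validated any manifest. If that matters, a guard such as `@test -n "$(Examples)" || { echo "no examples found"; exit 1; }` before the loop makes the empty case visible.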
@@ -0,0 +1,131 @@ | ||
# Musings on pattern-matching Evidence | ||
|
||
The Verifier's main function is to find patterns in Evidence that match known-good-values or known-bad-values, or some specific "state" that can be associated with metadata related to the Attester (i.e., what CoRIM calls "endorsed values"). | ||
|
||
To pattern-match Evidence, the Verifier needs: | ||
|
||
* A way to identify which Evidence claim needs to be matched | ||
* The comparison logic to be used in matching | ||
* The value(s) to compare against | ||
|
||
It makes sense to encapsulate all that into a basic _matcher_ object that can become a building block of higher-level constructs. | ||
|
||
Given the variability of Evidence, such _matcher_ needs to be assisted by an "attestation scheme"-specific function that identifies the claim in the Evidence Claims-Set that this _matcher_ is describing. | ||
|
||
```cddl | ||
matcher = { | ||
cmp: $cmp | ||
values: values | ||
} | ||
$cmp /= "in-set" ; any | ||
/ "in-range" ; sortable types | ||
/ "masked" ; bytes | ||
/ "regexp" ; text | ||
values = [ + any ] | ||
claim-id = text / int | ||
``` | ||
|
||
## Reference Values | ||
|
||
```cddl | ||
RV = { | ||
? desc: text | ||
cond: { + claim-id => matcher } | ||
} | ||
``` | ||
|
||
## x-Reference Values | ||
|
||
```cddl | ||
xRV = { | ||
? desc: text | ||
cond: { + claim-id => matcher } | ||
reason: $reason | ||
} | ||
$reason /= "insecure" | ||
/ "obsolete" | ||
``` | ||
|
||
## Endorsed Values | ||
|
||
```cddl | ||
EV = { | ||
? desc: text | ||
cond: { + claim-id => matcher } | ||
claims: named-claims | ||
} | ||
named-claims = { | ||
+ claim-id => any | ||
} | ||
``` | ||
|
||
## Manifest | ||
|
||
```cddl | ||
manifest = { | ||
heading: heading | ||
? reference-values: [ + RV ] | ||
? x-reference-values: [ + xRV ] | ||
? endorsed-values: [ + EV ] | ||
} | ||
heading = { | ||
author: text | ||
attestation-scheme: text | ||
; $extns | ||
} | ||
``` | ||
|
||
## Examples | ||
|
||
### `in-range` matching | ||
|
||
```json | ||
{ | ||
"svn": { | ||
"cmp": "in-range", | ||
"values": [ | ||
{ "min": 0, "max": 10 } | ||
] | ||
} | ||
} | ||
``` | ||
|
||
### `masked` matching | ||
|
||
```json | ||
{ | ||
"raw-value": { | ||
"cmp": "masked", | ||
"values": [ | ||
{ "bytes": "AAE=", "mask": "AQE=" } | ||
] | ||
} | ||
} | ||
``` | ||
|
||
### Arm CCA | ||
|
||
Complete examples of manifests for Arm CCA platform and realm: | ||
|
||
* [cca-platform.json](cca-platform.json) | ||
* [cca-realm.json](cca-realm.json) | ||
|
||
--- | ||
> **WIP** | ||
--- | ||
|
||
|
||
```python | ||
def match(ClaimsSet, RV, CTX) | ||
for rv in RV: | ||
tbcClaim = CTX.profile.claim_lookup(ClaimsSet, rv.cid) | ||
if not rv.cmp(tbcClaim, rv.vals): | ||
return false | ||
return true | ||
``` |
@@ -0,0 +1,58 @@ | ||
{ | ||
"heading": { | ||
"author": "thofos", | ||
"attestation-scheme": "arm:cca:platform" | ||
}, | ||
"reference-values": [ | ||
{ | ||
"cond": { | ||
"implementation-id": { | ||
"cmp": "in-set", | ||
"values": [ | ||
"qrvM3Q==" | ||
] | ||
}, | ||
"sw-components": { | ||
"cmp": "in-set", | ||
"values": [ | ||
[ | ||
{ | ||
"measurement-value": "//8=", | ||
"signer-id": "7u4=" | ||
}, | ||
{ | ||
"measurement-value": "qrs=", | ||
"signer-id": "7u4=" | ||
} | ||
] | ||
] | ||
}, | ||
"platform-configuration": { | ||
"cmp": "masked", | ||
"values": [ | ||
{ | ||
"bytes": "AAE=", | ||
"mask": "AQE=" | ||
} | ||
] | ||
} | ||
} | ||
} | ||
], | ||
"endorsed-values": [ | ||
{ | ||
"cond": { | ||
"implementation-id": { | ||
"cmp": "in-set", | ||
"values": [ | ||
"qrvM3Q==" | ||
] | ||
} | ||
}, | ||
"claims": { | ||
"vendor": "ACME Inc", | ||
"model": "very confidential" | ||
} | ||
} | ||
] | ||
} |
@@ -0,0 +1,84 @@ | ||
{ | ||
"heading": { | ||
"author": "thofos", | ||
"attestation-scheme": "arm:cca:realm" | ||
}, | ||
"reference-values": [ | ||
{ | ||
"cond": { | ||
"rim": { | ||
"cmp": "in-set", | ||
"values": [ | ||
"3q0=", | ||
"vq8=" | ||
] | ||
}, | ||
"rem": { | ||
"cmp": "in-set", | ||
"values": [ | ||
[ | ||
"3q0=", | ||
"vq8=", | ||
"AAA=", | ||
"AAA=" | ||
], | ||
[ | ||
"AAA=", | ||
"AAA=", | ||
"AAA=", | ||
"AAA=" | ||
] | ||
] | ||
} | ||
} | ||
} | ||
], | ||
"x-reference-values": [ | ||
{ | ||
"cond": { | ||
"rim": { | ||
"cmp": "in-set", | ||
"values": [ | ||
"+v8=" | ||
] | ||
} | ||
}, | ||
"reason": "insecure" | ||
} | ||
], | ||
"endorsed-values": [ | ||
{ | ||
"cond": { | ||
"rim": { | ||
"cmp": "in-set", | ||
"values": [ | ||
"3q0=" | ||
] | ||
} | ||
}, | ||
"claims": { | ||
"version": "1.2.9rc1", | ||
"features": [ | ||
"A", | ||
"B" | ||
] | ||
} | ||
}, | ||
{ | ||
"cond": { | ||
"rim": { | ||
"cmp": "in-set", | ||
"values": [ | ||
"vq8=" | ||
] | ||
} | ||
}, | ||
"claims": { | ||
"version": "1.0.0", | ||
"features": [ | ||
"A" | ||
] | ||
} | ||
} | ||
] | ||
} |
@@ -0,0 +1,52 @@ | ||
start = manifest | ||
|
||
manifest = { | ||
heading: heading | ||
? reference-values: [ + RV ] | ||
? x-reference-values: [ + xRV ] | ||
? endorsed-values: [ + EV ] | ||
} | ||
|
||
heading = { | ||
author: text | ||
attestation-scheme: text | ||
; $extns | ||
} | ||
|
||
matcher = { | ||
cmp: $cmp | ||
values: values | ||
} | ||
|
||
claim-id = text / int | ||
|
||
$cmp /= "in-set" ; any | ||
/ "in-range" ; sortable types | ||
/ "masked" ; bytes | ||
/ "regexp" ; text | ||
|
||
values = [ + any ] | ||
|
||
named-claims = { | ||
+ claim-id => any | ||
} | ||
|
||
RV = { | ||
? desc: text | ||
cond: { + claim-id => matcher } | ||
} | ||
|
||
EV = { | ||
? desc: text | ||
cond: { + claim-id => matcher } | ||
claims: named-claims | ||
} | ||
|
||
xRV = { | ||
? desc: text | ||
cond: { + claim-id => matcher } | ||
reason: $reason | ||
} | ||
|
||
$reason /= "insecure" | ||
/ "obsolete" |
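Review bot: `matcher` accepts `values: [ + any ]` for every comparator, so the schema never ties the shape of the operands to `cmp`; a manifest with `"cmp": "masked"` and no `mask`, or `"in-range"` with a bare string, passes validation and its meaning is left to each verifier implementation. For data that decides whether Evidence is accepted, that ambiguity is better rejected at schema-validation time than interpreted at appraisal time. One option is to make `matcher` a choice of per-comparator maps behind a type socket, which keeps it extensible while making the `$cmp` and `values` rules unnecessary; the operand shapes below are taken from the `in-range` and `masked` examples in this commit, and the set of sortable types is an assumption to confirm. The `regexp` comparator also leaves the regular-expression dialect and anchoring unspecified, which is worth stating in a comment next to it.

```cddl
; … unchanged: start, manifest, heading …

matcher = $matcher

$matcher /= { cmp: "in-set",   values: [ + any ] }
$matcher /= { cmp: "in-range", values: [ + range ] }
$matcher /= { cmp: "masked",   values: [ + masked-bytes ] }
$matcher /= { cmp: "regexp",   values: [ + text ] }

range = { min: sortable, max: sortable }
sortable = int / float / text   ; assumption: confirm the intended sortable types
masked-bytes = { bytes: text, mask: text }   ; base64 text, as in the JSON examples

; … unchanged: claim-id, named-claims, RV, EV, xRV, $reason …
```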