From 7ec34138bdc4619a8ce116eefcccedc1f8ce5c7f Mon Sep 17 00:00:00 2001
From: Thomas Fossati
Date: Thu, 18 Jan 2024 21:03:59 +0100
Subject: [PATCH] matcher musings
Signed-off-by: Thomas Fossati
---
matcher-musings/Makefile | 8 ++
matcher-musings/README.md | 131 ++++++++++++++++++++++++++++++
matcher-musings/cca-platform.json | 58 +++++++++++++
matcher-musings/cca-realm.json | 84 +++++++++++++++++++
matcher-musings/manifest.cddl | 52 ++++++++++++
5 files changed, 333 insertions(+)
create mode 100644 matcher-musings/Makefile
create mode 100644 matcher-musings/README.md
create mode 100644 matcher-musings/cca-platform.json
create mode 100644 matcher-musings/cca-realm.json
create mode 100644 matcher-musings/manifest.cddl
diff --git a/matcher-musings/Makefile b/matcher-musings/Makefile
new file mode 100644
index 0000000..0865ba8
--- /dev/null
+++ b/matcher-musings/Makefile
@@ -0,0 +1,8 @@
+Examples := $(wildcard *.json)
+Manifest := manifest.cddl
+
+all: $(Manifest) $(Examples)
+ @for f in $(Examples); do \
+ echo ">> validating $$f against $<" ; \
+ cddl $< validate $$f || exit 1 ; \
+ done
diff --git a/matcher-musings/README.md b/matcher-musings/README.md
new file mode 100644
index 0000000..8203c02
--- /dev/null
+++ b/matcher-musings/README.md
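Review bot: The `all` target in the new Makefile is not declared phony, so if a file named `all` ever exists in `matcher-musings/` and is newer than the manifest and the examples, make treats the target as up to date and the `cddl $< validate` loop is skipped without any error. Adding `.PHONY: all` above the rule keeps the schema check from silently becoming a no-op. A short comment above the rule, such as `# validate every example manifest against manifest.cddl; stops at the first failure`, would also document the intent.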
@@ -0,0 +1,131 @@ +# Musings on pattern-matching Evidence + +The Verifier's main function is to find patterns in Evidence that match known-good-values or known-bad-values, or some specific "state" that can be associated with metadata related to the Attester (i.e., what CoRIM calls "endorsed values"). + +To pattern-match Evidence, the Verifier needs: + +* A way to identify which Evidence claim needs to be matched +* The comparison logic to be used in matching +* The value(s) to compare against + +It makes sense to encapsulate all that into a basic _matcher_ object that can become a building block of higher-level constructs. + +Given the variability of Evidence, such _matcher_ needs to be assisted by an "attestation scheme"-specific function that identifies the claim in the Evidence Claims-Set that this _matcher_ is describing. + +```cddl +matcher = { + cmp: $cmp + values: values +} + +$cmp /= "in-set" ; any + / "in-range" ; sortable types + / "masked" ; bytes + / "regexp" ; text + +values = [ + any ] + +claim-id = text / int +``` + +## Reference Values + +```cddl +RV = { + ? desc: text + cond: { + claim-id => matcher } +} +``` + +## x-Reference Values + +```cddl +xRV = { + ? desc: text + cond: { + claim-id => matcher } + reason: $reason +} + +$reason /= "insecure" + / "obsolete" +``` + +## Endorsed Values + +```cddl +EV = { + ? desc: text + cond: { + claim-id => matcher } + claims: named-claims +} + +named-claims = { + + claim-id => any +} +``` + +## Manifest + +```cddl +manifest = { + heading: heading + ? reference-values: [ + RV ] + ? x-reference-values: [ + xRV ] + ? 
endorsed-values: [ + EV ] +} + +heading = { + author: text + attestation-scheme: text + ; $extns +} +``` + +## Examples + +### `in-range` matching + +```json +{ + "svn": { + "cmp": "in-range", + "values": [ + { "min": 0, "max": 10 } + ] + } +} +``` + +### `masked` matching + +```json +{ + "raw-value": { + "cmp": "masked", + "values": [ + { "bytes": "AAE=", "mask": "AQE=" } + ] + } +} +``` + +### Arm CCA + +Complete examples of manifests for Arm CCA platform and realm: + +* [cca-platform.json](cca-platform.json) +* [cca-realm.json](cca-realm.json) + +--- +> **WIP** +--- + + +```python +def match(ClaimsSet, RV, CTX) + for rv in RV: + tbcClaim = CTX.profile.claim_lookup(ClaimsSet, rv.cid) + if not rv.cmp(tbcClaim, rv.vals): + return false + return true +``` \ No newline at end of file diff --git a/matcher-musings/cca-platform.json b/matcher-musings/cca-platform.json new file mode 100644 index 0000000..49d2d7c --- /dev/null +++ b/matcher-musings/cca-platform.json @@ -0,0 +1,58 @@ +{ + "heading": { + "author": "thofos", + "attestation-scheme": "arm:cca:platform" + }, + "reference-values": [ + { + "cond": { + "implementation-id": { + "cmp": "in-set", + "values": [ + "qrvM3Q==" + ] + }, + "sw-components": { + "cmp": "in-set", + "values": [ + [ + { + "measurement-value": "//8=", + "signer-id": "7u4=" + }, + { + "measurement-value": "qrs=", + "signer-id": "7u4=" + } + ] + ] + }, + "platform-configuration": { + "cmp": "masked", + "values": [ + { + "bytes": "AAE=", + "mask": "AQE=" + } + ] + } + } + } + ], + "endorsed-values": [ + { + "cond": { + "implementation-id": { + "cmp": "in-set", + "values": [ + "qrvM3Q==" + ] + } + }, + "claims": { + "vendor": "ACME Inc", + "model": "very confidential" + } + } + ] +} \ No newline at end of file diff --git a/matcher-musings/cca-realm.json b/matcher-musings/cca-realm.json new file mode 100644 index 0000000..acaf33b --- /dev/null +++ b/matcher-musings/cca-realm.json 
@@ -0,0 +1,84 @@ +{ + "heading": { + "author": "thofos", + "attestation-scheme": "arm:cca:realm" + }, + "reference-values": [ + { + "cond": { + "rim": { + "cmp": "in-set", + "values": [ + "3q0=", + "vq8=" + ] + }, + "rem": { + "cmp": "in-set", + "values": [ + [ + "3q0=", + "vq8=", + "AAA=", + "AAA=" + ], + [ + "AAA=", + "AAA=", + "AAA=", + "AAA=" + ] + ] + } + } + } + ], + "x-reference-values": [ + { + "cond": { + "rim": { + "cmp": "in-set", + "values": [ + "+v8=" + ] + } + }, + "reason": "insecure" + } + ], + "endorsed-values": [ + { + "cond": { + "rim": { + "cmp": "in-set", + "values": [ + "3q0=" + ] + } + }, + "claims": { + "version": "1.2.9rc1", + "features": [ + "A", + "B" + ] + } + }, + { + "cond": { + "rim": { + "cmp": "in-set", + "values": [ + "vq8=" + ] + } + }, + "claims": { + "version": "1.0.0", + "features": [ + "A" + ] + } + } + ] +} \ No newline at end of file diff --git a/matcher-musings/manifest.cddl b/matcher-musings/manifest.cddl new file mode 100644 index 0000000..91a3883 --- /dev/null +++ b/matcher-musings/manifest.cddl @@ -0,0 +1,52 @@ +start = manifest + +manifest = { + heading: heading + ? reference-values: [ + RV ] + ? x-reference-values: [ + xRV ] + ? endorsed-values: [ + EV ] +} + +heading = { + author: text + attestation-scheme: text + ; $extns +} + +matcher = { + cmp: $cmp + values: values +} + +claim-id = text / int + +$cmp /= "in-set" ; any + / "in-range" ; sortable types + / "masked" ; bytes + / "regexp" ; text + +values = [ + any ] + +named-claims = { + + claim-id => any +} + +RV = { + ? desc: text + cond: { + claim-id => matcher } +} + +EV = { + ? desc: text + cond: { + claim-id => matcher } + claims: named-claims +} + +xRV = { + ? desc: text + cond: { + claim-id => matcher } + reason: $reason +} + +$reason /= "insecure" + / "obsolete"
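Review bot: In manifest.cddl, `matcher` accepts `values = [ + any ]` for every `$cmp`, so a manifest whose comparator and operands disagree (an `in-range` entry without `min`/`max`, a `masked` entry with no `mask`) still passes the Makefile's `cddl ... validate` step, and the mismatch is left for each Verifier to handle at appraisal time. Tying the operand shape to the comparator in the schema, as sketched below, lets such manifests be rejected up front; the operand types are inferred from the README and JSON examples and need confirming. The `regexp` comparator also deserves a schema comment stating whether patterns are implicitly anchored and which regexp dialect is expected, because an unanchored or backtracking-heavy pattern changes both what matches and how much appraisal costs.

```cddl
; replaces the single `matcher` / `values` rules; `$matcher` remains an extension point
matcher = $matcher

$matcher /= { cmp: "in-set",   values: [ + any ] }
$matcher /= { cmp: "in-range", values: [ + { min: int, max: int } ] }      ; operand type assumed from the svn example
$matcher /= { cmp: "masked",   values: [ + { bytes: text, mask: text } ] } ; base64 text, as in the JSON examples
$matcher /= { cmp: "regexp",   values: [ + text ] }

; … unchanged: claim-id, named-claims, RV, EV, xRV, $reason …
```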