Expose nonce to policies

The session nonce is intended to ensure freshness. It is intended to be used as a challenge to the attester to ensure a fresh attestation report is generated. It is also included in the attestation result. Thus far, however, do not process it. The assumption is that this is done by the RP. However, given that this is fairly generic, the RP may wish to rely on the verifier for this. Given that a scheme may not be doing this (none of our current implementations do), the policy would be a natural place to do this on per-deployment basis. Prior to this, the nonce established during the creation of a verification session is added to the attestation result by the core verification pipeline code, and is also available to scheme handlers inside ExtractClaims(). However, the nonce was not provided to policies. As there is no obvious place for the nonce within existing policy engine inputs, this change adds a new input for this purpose. It also implements a couple of fixes to the policy code. - Amend policy agent interface to take an "appraisal context" that currently only contains the verification session's nonce. In the future, it may be used for any other items that need to be passed to the policy and do not fall within the existing categories of "evidence, "endorsements", or "results". - Fix how evidence is expected to look to the agent. Previously, due to a mistake in the unit test inputs, the evidence was expected to be under the key "evidence" (where as the entire input map should be treated as evidence). - Update github.com/veraison/ear dependency to v1.1.2. This adds updated wider limits for nonce sizes allowed inside eat (this is needed as CCA nonce exceeds the old limit when base64-encoded). - Update CCA_SSD_PLATFORM scheme handler to extract both platform and realm claims into evidence. The scheme only processes platform evidence, so realm claims were not being extracted; however the session nonce is contained within the realm claims. The scheme handler still only validates the platform claims, however the realm claims (and the nonce) are now available to policies. - Add an integration test case to show how a policy could be used to verify the nonce for the CCA_SSD_PLATFORM scheme. Signed-off-by: Sergei Trofimov <[email protected]>
veraison · Sep 26, 2023 · 2ba8481 · 2ba8481
1 parent 9c67c6d
commit 2ba8481
Show file tree

Hide file tree

Showing 24 changed files with 364 additions and 116 deletions.
diff --git a/go.mod b/go.mod
@@ -32,7 +32,7 @@ require (
 	github.com/veraison/cmw v0.1.0
 	github.com/veraison/corim v1.1.2-0.20230912171018-eeb7bd486d3c
 	github.com/veraison/dice v0.0.1
-	github.com/veraison/ear v1.1.0
+	github.com/veraison/ear v1.1.2
 	github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53
 	github.com/veraison/parsec v0.1.1-0.20230915122508-f31e6c9be40e
 	github.com/veraison/psatoken v1.2.0

diff --git a/go.sum b/go.sum
@@ -1070,8 +1070,8 @@ github.com/veraison/corim v1.1.2-0.20230912171018-eeb7bd486d3c h1:do1Yj0d4uq+Sd4
 github.com/veraison/corim v1.1.2-0.20230912171018-eeb7bd486d3c/go.mod h1:Vn9+tCyN2ljpQxYvM6rwu3hNqdVbWrdQ9hqMa1Jfxb0=
 github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4=
 github.com/veraison/dice v0.0.1/go.mod h1:QPMLc5LVMj08VZ+HNMYk4XxWoVYGAUBVm8Rd5V1hzxs=
-github.com/veraison/ear v1.1.0 h1:vndGaFiG/qqcoIXyTteJ8D9Tf1aGzhds8ufAaUfArgM=
-github.com/veraison/ear v1.1.0/go.mod h1:O3yKgZR04DWKHHiNxfXCMX9ky0cLVoC67TFks6JwEhI=
+github.com/veraison/ear v1.1.2 h1:Xs41FqAG8IyJaceqNFcX2+nf51Et1uyhmCJV8SZqw/8=
+github.com/veraison/ear v1.1.2/go.mod h1:O3yKgZR04DWKHHiNxfXCMX9ky0cLVoC67TFks6JwEhI=
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53 h1:5gnX2TrGd/Xz8DOp2OaLtg/jLoIubSUTrgz6iZ58pJ4=
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=

diff --git a/integration-tests/data/claims/cca.good.json b/integration-tests/data/claims/cca.good.json
@@ -35,7 +35,7 @@
     "cca-platform-hash-algo-id": "sha-256"
   },
   "cca-realm-delegated-token": {
-    "cca-realm-challenge": "QUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQg==",
+    "cca-realm-challenge": "byTWuWNaLIu/WOkIuU4Ewb+zroDN6+gyQkV4SZ/jF2Hn9eHYvOASGET1Sr36UobaiPU6ZXsVM1yTlrQyklS8XA==",
     "cca-realm-personalization-value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==",
     "cca-realm-initial-measurement": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
     "cca-realm-extensible-measurements": [

diff --git a/integration-tests/data/policies/cca-verify-challenge.rego b/integration-tests/data/policies/cca-verify-challenge.rego
@@ -0,0 +1,5 @@
+package policy
+
+status = AFFIRMING {
+  base64url.decode(session["nonce"]) == base64.decode(evidence["realm"]["cca-realm-challenge"])
+} else =  CONTRAINDICATED
diff --git a/integration-tests/data/results/cca.good.json b/integration-tests/data/results/cca.good.json
@@ -1,50 +1,66 @@
 {
-	"ear.status": "affirming",
-	"ear.trustworthiness-vector": {
-		"configuration": 2,
-		"executables": 2,
-		"file-system": 0,
-		"hardware": 2,
-		"instance-identity": 2,
-		"runtime-opaque": 2,
-		"sourced-data": 0,
-		"storage-opaque": 2
-	},
-	"ear.appraisal-policy-id": "policy:CCA_SSD_PLATFORM",
-	"ear.veraison.annotated-evidence": {
-		"cca-platform-challenge": "Bea1iETGoM0ZOCBpuv2w5JRmKjrc+P3hFHjpM5Ua8XkP9d5ceOPbESPaCiB6i2ZVbgoi8Z7mS9wviZU7azJVXw==",
-		"cca-platform-config": "AQID",
-		"cca-platform-hash-algo-id": "sha-256",
-		"cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
-		"cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
-		"cca-platform-lifecycle": 12288,
-		"cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
-		"cca-platform-service-indicator": "https://veraison.example/v1/challenge-response",
-		"cca-platform-sw-components": [
-			{
-				"measurement-type": "BL",
-				"measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
-				"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
-				"version": "3.4.2"
-			},
-			{
-				"measurement-type": "M1",
-				"measurement-value": "CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
-				"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
-				"version": "1.2.0"
-			},
-			{
-				"measurement-type": "M2",
-				"measurement-value": "DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
-				"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
-				"version": "1.2.3"
-			},
-			{
-				"measurement-type": "M3",
-				"measurement-value": "EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
-				"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
-				"version": "1.0.0"
-			}
-		]
-	}
+        "ear.status": "affirming",
+        "ear.trustworthiness-vector": {
+                "configuration": 2,
+                "executables": 2,
+                "file-system": 0,
+                "hardware": 2,
+                "instance-identity": 2,
+                "runtime-opaque": 2,
+                "sourced-data": 0,
+                "storage-opaque": 2
+        },
+        "ear.appraisal-policy-id": "policy:CCA_SSD_PLATFORM",
+            "ear.veraison.annotated-evidence": {
+                "platform": {
+                    "cca-platform-challenge": "Bea1iETGoM0ZOCBpuv2w5JRmKjrc+P3hFHjpM5Ua8XkP9d5ceOPbESPaCiB6i2ZVbgoi8Z7mS9wviZU7azJVXw==",
+                    "cca-platform-config": "AQID",
+                    "cca-platform-hash-algo-id": "sha-256",
+                    "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+                    "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
+                    "cca-platform-lifecycle": 12288,
+                    "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+                    "cca-platform-service-indicator": "https://veraison.example/v1/challenge-response",
+                    "cca-platform-sw-components": [
+                        {
+                            "measurement-type": "BL",
+                            "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "version": "3.4.2"
+                        },
+                        {
+                            "measurement-type": "M1",
+                            "measurement-value": "CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "version": "1.2.0"
+                        },
+                        {
+                            "measurement-type": "M2",
+                            "measurement-value": "DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "version": "1.2.3"
+                        },
+                        {
+                            "measurement-type": "M3",
+                            "measurement-value": "EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "version": "1.0.0"
+                        }
+                    ]
+                },
+                "realm": {
+                    "cca-realm-challenge": "byTWuWNaLIu/WOkIuU4Ewb+zroDN6+gyQkV4SZ/jF2Hn9eHYvOASGET1Sr36UobaiPU6ZXsVM1yTlrQyklS8XA==",
+                    "cca-realm-extensible-measurements": [
+                        "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+                        "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+                        "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+                        "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
+                    ],
+                    "cca-realm-hash-algo-id": "sha-256",
+                    "cca-realm-initial-measurement": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+                    "cca-realm-personalization-value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==",
+                    "cca-realm-public-key": "BIL70TKptcOWh5+7FTQNkFCXjlXHnVJ5oroOlYVPN+IM0vZPO3K1cLvXc+7iznaEJe31Re2+if+v4OlrvUbicPIHlsRIuY2vRqdk0nRC5ubthPjOyBfm7ManHTo959Z+zQ==",
+                    "cca-realm-public-key-hash-algo-id": "sha-512"
+                }
+            }
 }
diff --git a/integration-tests/data/results/cca.verify-challenge.json b/integration-tests/data/results/cca.verify-challenge.json
@@ -0,0 +1,65 @@
+{
+	"ear.status": "affirming",
+	"ear.trustworthiness-vector": {
+		"configuration": 2,
+		"executables": 2,
+		"file-system": 0,
+		"hardware": 2,
+		"instance-identity": 2,
+		"runtime-opaque": 2,
+		"sourced-data": 0,
+		"storage-opaque": 2
+	},
+            "ear.veraison.annotated-evidence": {
+                "platform": {
+                    "cca-platform-challenge": "Bea1iETGoM0ZOCBpuv2w5JRmKjrc+P3hFHjpM5Ua8XkP9d5ceOPbESPaCiB6i2ZVbgoi8Z7mS9wviZU7azJVXw==",
+                    "cca-platform-config": "AQID",
+                    "cca-platform-hash-algo-id": "sha-256",
+                    "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+                    "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
+                    "cca-platform-lifecycle": 12288,
+                    "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+                    "cca-platform-service-indicator": "https://veraison.example/v1/challenge-response",
+                    "cca-platform-sw-components": [
+                        {
+                            "measurement-type": "BL",
+                            "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "version": "3.4.2"
+                        },
+                        {
+                            "measurement-type": "M1",
+                            "measurement-value": "CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "version": "1.2.0"
+                        },
+                        {
+                            "measurement-type": "M2",
+                            "measurement-value": "DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "version": "1.2.3"
+                        },
+                        {
+                            "measurement-type": "M3",
+                            "measurement-value": "EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                            "version": "1.0.0"
+                        }
+                    ]
+                },
+                "realm": {
+                    "cca-realm-challenge": "byTWuWNaLIu/WOkIuU4Ewb+zroDN6+gyQkV4SZ/jF2Hn9eHYvOASGET1Sr36UobaiPU6ZXsVM1yTlrQyklS8XA==",
+                    "cca-realm-extensible-measurements": [
+                        "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+                        "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+                        "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+                        "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
+                    ],
+                    "cca-realm-hash-algo-id": "sha-256",
+                    "cca-realm-initial-measurement": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+                    "cca-realm-personalization-value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==",
+                    "cca-realm-public-key": "BIL70TKptcOWh5+7FTQNkFCXjlXHnVJ5oroOlYVPN+IM0vZPO3K1cLvXc+7iznaEJe31Re2+if+v4OlrvUbicPIHlsRIuY2vRqdk0nRC5ubthPjOyBfm7ManHTo959Z+zQ==",
+                    "cca-realm-public-key-hash-algo-id": "sha-512"
+                }
+            }
+}
diff --git a/integration-tests/tests/common.yaml b/integration-tests/tests/common.yaml
@@ -7,6 +7,7 @@ variables:
   management-service: '{tavern.env_vars.MANAGEMENT_HOST}.{tavern.env_vars.VERAISON_NETWORK}:{tavern.env_vars.MANAGEMENT_PORT}'
   keycloak-service: '{tavern.env_vars.KEYCLOAK_HOST}.{tavern.env_vars.VERAISON_NETWORK}:{tavern.env_vars.KEYCLOAK_PORT}'
   good-nonce: QUp8F0FBs9DpodKK8xUg8NQimf6sQAfe2J1ormzZLxk=
+  good-nonce-64: byTWuWNaLIu_WOkIuU4Ewb-zroDN6-gyQkV4SZ_jF2Hn9eHYvOASGET1Sr36UobaiPU6ZXsVM1yTlrQyklS8XA==
   bad-nonce: Ppfdfe2JzZLOk=
   endorsements-content-types:
     psa.p1: application/corim-unsigned+cbor; profile=http://arm.com/psa/iot/1

diff --git a/integration-tests/tests/test_cca_verify_challenge.tavern.yaml b/integration-tests/tests/test_cca_verify_challenge.tavern.yaml
@@ -0,0 +1,99 @@
+test_name: cca-verify-challenge
+
+marks:
+  - parametrize:
+      key:
+        #  Attestation scheme -- this is used to indicate how test cases should
+        #  be constructed (e.g. how the evidence token will be compiled.
+        - scheme
+        # Some attestation schemes (currently, only PSA) may support multiple
+        # profiles. If a scheme does not support multiple profiles, specify it
+        # as '_'.
+        - profile
+        # Which evidence description will be used to construct the evidence token.
+        - evidence
+        # The name of the endorsements spec within common.yaml
+        - endorsements
+        # Signing keys that will be used to construct the evidence. How this is
+        # used is dependent on the scheme.
+        - signing
+        # Expected structure of the returned EAR (EAT (Entity Attestation
+        # Token) Attestation Result).
+        - expected
+      vals:
+        - [cca, _, good, full, ccakeys, verify-challenge]
+
+includes:
+  - !include common.yaml
+
+stages:
+  - name: submit post request to the provisioning service successfully
+    request:
+      method: POST
+      url: http://{provisioning-service}/endorsement-provisioning/v1/submit
+      headers:
+        content-type: '{endorsements-content-type}' # set via hook
+        authorization: '{authorization}' # set via hook
+      file_body: __generated__/endorsements/corim-{scheme}-{endorsements}.cbor
+    response:
+      status_code: 200
+
+  - name: submit cca policy
+    request:
+      method: POST
+      url: http://{management-service}/management/v1/policy/CCA_SSD_PLATFORM
+      headers:
+        content-type: application/vnd.veraison.policy.opa
+        accept: application/vnd.veraison.policy+json
+        authorization: '{alt-authorization}' # set via hook
+      file_body: data/policies/cca-verify-challenge.rego
+    response:
+      status_code: 201
+      save:
+        json:
+          policy-uuid: uuid
+
+  - name: activate cca policy
+    request:
+      method: POST
+      url: http://{management-service}/management/v1/policy/CCA_SSD_PLATFORM/{policy-uuid}/activate
+      headers:
+        authorization: '{alt-authorization}' # set via hook
+    response:
+      status_code: 200
+
+  - name: verify as relying party - creation of session resource
+    request:
+      method: POST
+      url: http://{verification-service}/challenge-response/v1/newSession?nonce={good-nonce-64}
+    response:
+      status_code: 201
+      save:
+        headers:
+          relying-party-session: Location
+
+  - name: verify as relying party - submitting the evidence
+    request:
+      method: POST
+      url: http://{verification-service}/challenge-response/v1/{relying-party-session}
+      headers:
+        content-type: '{evidence-content-type}' # set via hook
+      file_body: __generated__/evidence/{scheme}.{evidence}.cbor
+    response:
+      status_code: 200
+      verify_response_with:
+        - function: checkers:save_result
+          extra_kwargs:
+            scheme: '{scheme}'
+            evidence: '{evidence}'
+        - function: checkers:compare_to_expected_result
+          extra_kwargs:
+            expected: data/results/{scheme}.{expected}.json
+            verifier_key: data/keys/verifier.jwk
+
+  - name: verify as relying party - deleting the session object
+    request:
+      method: DELETE
+      url: http://{verification-service}/challenge-response/v1/{relying-party-session}
+    response:
+      status_code: 204
diff --git a/integration-tests/utils/hooks.py b/integration-tests/utils/hooks.py
@@ -50,6 +50,14 @@ def setup_provisioning_fail_empty_body(test, variables):
     _set_authorization(test, variables, 'provisioner')
 
 
+def setup_cca_verify_challenge(test, variables):
+    _set_content_types(test, variables)
+    _set_authorization(test, variables, 'provisioner')
+    _set_alt_authorization(test, variables, 'manager')
+    generate_endorsements(test)
+    generate_evidence_from_test(test)
+
+
 def _set_content_types(test, variables):
     scheme = test.test_vars['scheme']
     profile = test.test_vars['profile']
@@ -64,3 +72,6 @@ def _set_authorization(test, variables, role):
     variables['authorization'] = f'Bearer {token}'
 
 
+def _set_alt_authorization(test, variables, role):
+    token = get_access_token(test, role)
+    variables['alt-authorization'] = f'Bearer {token}'
diff --git a/policy/agent.go b/policy/agent.go
@@ -68,6 +68,7 @@ func (o *Agent) GetBackendName() string {
 // overwrite the result status or any of the values in the result trust vector.
 func (o *Agent) Evaluate(
 	ctx context.Context,
+	sessionContext map[string]interface{},
 	scheme string,
 	policy *Policy,
 	submod string,
@@ -81,6 +82,7 @@ func (o *Agent) Evaluate(
 
 	updatedByPolicy, err := o.Backend.Evaluate(
 		ctx,
+		sessionContext,
 		scheme,
 		policy.Rules,
 		resultMap,
@@ -109,7 +111,7 @@ func (o *Agent) Evaluate(
 	}
 
 	for k, v := range updatedTV {
-		if v != "" {
+		if v != "" && v != ear.NoClaim {
 			appraisalUpdated = true
 			resultMap["ear.trustworthiness-vector"].(map[string]interface{})[k] = v
 		}
@@ -118,7 +120,7 @@ func (o *Agent) Evaluate(
 	updatedAddedClaims, ok := updatedByPolicy["ear.veraison.policy-claims"].(*map[string]interface{})
 	if ok {
 		appraisalUpdated = true
-		resultMap["ear.veraison.policy-claims"] = updatedAddedClaims
+		resultMap["ear.veraison.policy-claims"] = *updatedAddedClaims
 	}
 
 	if appraisalUpdated {

diff --git a/policy/agent_test.go b/policy/agent_test.go
@@ -164,6 +164,7 @@ func Test_Agent_Evaluate(t *testing.T) {
 		backend := mock_deps.NewMockIBackend(ctrl)
 		backend.EXPECT().
 			Evaluate(gomock.Eq(ctx),
+				gomock.Any(),
 				gomock.Any(),
 				gomock.Eq(policy.Rules),
 				gomock.Any(),
@@ -174,7 +175,7 @@ func Test_Agent_Evaluate(t *testing.T) {
 
 		agent := &Agent{Backend: backend, logger: logger}
 		submod := "test"
-		res, err := agent.Evaluate(ctx, "test", policy,
+		res, err := agent.Evaluate(ctx, map[string]interface{}{}, "test", policy,
 			submod, appraisal, evidence, endorsements)
 
 		if v.ExpectedError == "" {