fix(scheme): allow CCA plaform-only verifier

Do not return an overall warning status if no realm reference values have been provisioned. Instead, return "no claims". Fix #265 Signed-off-by: Thomas Fossati <[email protected]>
veraison · Sep 3, 2024 · 458b416 · 458b416
1 parent e8e7666
commit 458b416
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/scheme/arm-cca/evidence_handler_test.go b/scheme/arm-cca/evidence_handler_test.go
@@ -102,10 +102,9 @@ func Test_AppraiseEvidence_Realm(t *testing.T) { // nolint: dupl
 		{
 			desc:           "No realm endorsements",
 			input:          "test/realm/no-realm-endorsements.json",
-			expectedStatus: ear.TrustTierWarning,
-			expectedExec:   ear.UnrecognizedRuntimeClaim,
+			expectedStatus: ear.TrustTierNone,
+			expectedExec:   ear.NoClaim,
 		},
-
 		{
 			desc:           "No matching rim measurements",
 			input:          "test/realm/rim-mismatch-endorsements.json",

diff --git a/scheme/arm-cca/realm.go b/scheme/arm-cca/realm.go
@@ -35,10 +35,16 @@ func realmAppraisal(
 	// If crypto verification (including chaining) completes correctly,
 	// we can safely assume the Realm instance to be trustworthy
 	trustVector.InstanceIdentity = ear.TrustworthyInstanceClaim
-	trustVector.Executables = ear.UnrecognizedRuntimeClaim
+	// By default, make no claims with regard to realm executables (i.e., RIM,
+	// PV and REMs).  This is to support a platform-only CCA verifier.
+	// If we have been provisioned with realm executable reference values, they
+	// will be checked in the loop below and the trust vector updated accordingly.
+	trustVector.Executables = ear.NoClaim
 
+	partial := true
 	for _, endorsement := range realmEndorsements {
 		if matchRim(claims, &endorsement) {
+			partial = false
 			err := matchRpv(claims, &endorsement)
 			switch err {
 			// Note, If an Endorser does not use RPV it indicates, one Realm per RIM, which is a match
@@ -74,6 +80,11 @@ func realmAppraisal(
 	}
 
 	appraisal.UpdateStatusFromTrustVector()
+	// This is a kludge to work around EAR inability to express "partial" verification semantics.
+	if *appraisal.Status == ear.TrustTierAffirming && partial {
+		noClaimStatus := ear.TrustTierNone
+		appraisal.Status = &noClaimStatus
+	}
 	appraisal.VeraisonAnnotatedEvidence = &claimsMap
 
 	return &appraisal, nil