Introduce CCA Realm provisioning plugin #222
Conversation
Signed-off-by: Yogesh Deshpande <[email protected]>
yogeshbdeshpande
force-pushed
the
realm-provisioning-plugin
branch
from
344ff79 to
d2de33e
Compare
| "scheme": "CCA_REALM", | ||
| "type": "REFERENCE_VALUE", | ||
| "attributes": { | ||
| "CCA_REALM.vendor": "Worload Client Ltd", |
| "scheme": "CCA_REALM", | ||
| "type": "REFERENCE_VALUE", | ||
| "attributes": { | ||
| "CCA_REALM.vendor": "Worload Client Ltd", |
| @@ -0,0 +1,34 @@ | |||
| // Copyright 2022-2024 Contributors to the Veraison project. | |||
| var attrs = map[string]interface{}{ | ||
| "CCA_REALM.vendor": cAttr.Vendor, | ||
| "CCA_REALM-class-id": cAttr.UUID, | ||
| "CCA_REALM-instance-id": rAttr.Rim, |
There was a problem hiding this comment.
this should be "CCA_REALM-realm-initial-measurement"
There was a problem hiding this comment.
Yes, it can be expressed this way and perhaps better, hence renamed it now!
|
|
||
| var attrs = map[string]interface{}{ | ||
| "CCA_REALM.vendor": cAttr.Vendor, | ||
| "CCA_REALM-class-id": cAttr.UUID, |
There was a problem hiding this comment.
Is it the right choice? Would "model" be a better identifier for what is essentially a software product?
There was a problem hiding this comment.
the intent here was to identify a Workload provider Identity which is launching N number of Realms, each with a Unique RIM Value.
| @@ -8,6 +8,7 @@ SUBDIR += psa-iot | |||
| SUBDIR += tpm-enacttrust | |||
| SUBDIR += parsec-tpm | |||
| SUBDIR += parsec-cca | |||
| SUBDIR += cca-realm-provisioning | |||
There was a problem hiding this comment.
Even though this currently only implements the provisioning part, shouldn't the scheme be just cca-realm (and any future verification implementation would go under here as well)?
There was a problem hiding this comment.
@setrofim : As discussed only the provisioning will be a separate scheme, as it is coming from a different supply chain, the Verification will be taken care inside a combined CCA plugin, which verifies both Realm and Platform part together. Hence I chosen the name cca-realm-provisioning.
If I keep it just cca-realm then it will assume both Provisioning and Verifications are handled inside!
There was a problem hiding this comment.
Mmm ok, that would mean that the StoreHandler implementation would essentially be split/duplicated across two schemes, as the key formats need to be aligned across both schemes (which breaks the conceptual integrity of a scheme -- schems ought to be independent of each other).
Are we sure this is the right way forward? Would it not be better to implement as single cca scheme that handles everything in a single set of plugins, and then use configuration and/or policy to control whether the platform or realm parts, or both, are handled by a particular deployment?
There was a problem hiding this comment.
Sure, I thought about StoreHandler part, while implementing the provisioning scheme and came to conclusion that the internal logic will be implemented in the common set of functions and both the schemes will invoke the same internal implementation thus essentially avoiding duplication! This is the best way of approaching as the CCA Scheme StoreHandler needs to fetch in sequence the RefValues for Platform and Realm in sequence, however this scheme will only do that latter!
There was a problem hiding this comment.
Conceptually, a "scheme" is supposed to encompass the entire attestation "lifecycle", i.e. provisioning and attestion. It doesn't make sense to have a scheme with only provisioning, after all, the sole purpose of provisioning endorsements is so that they would later be used in verification.
the Verification will be taken care inside a combined CCA plugin, which verifies both Realm and Platform part together.
If that is the case, then this should be part of that combined plugin as well (going back to my intial suggestion of renaming this). When implementing the verification part of it, we can then re-use the commmon functionality between this and the cca-ssd-platform scheme.
On the other hand, if the goal is to modify cca-ssd-platfom scheme to optinally handle the realm part as well, then (it should probably be renamed, and) this should be part of that too.
Basically, it doesn't make sense for provisioning to exist in a scheme of its own, as the only purpose of provisioning is to enable verification. So if realm verification on its own is not a thing, and we can only have plaform and platform+realm, then we should have two schemes: cca-ssd-platform and cca (or cca-combined).
There was a problem hiding this comment.
Using the same media type for both is incorrect, isn't it?
It's not incorrect, as long as the same CoRIM profile takes care of both platform and realm.
Instead, if we want to have separate profiles, we will need two media types.
There was a problem hiding this comment.
Yes, they should be separate media types/profiles.
There was a problem hiding this comment.
Yes, CCA Platform and CCA Realm are two separate profiles and hence we will need two media types!
There was a problem hiding this comment.
It's not incorrect, as long as the same CoRIM profile takes care of both platform and realm.
They technically could be handled with a single profile. However, I belive the arguement is that they should be handled by separate profiles, as they're expected to be privided by different entitied within the supply chain, and that would simplify the profile that each entity needs to understand.
There was a problem hiding this comment.
there are clear practical advantages to separating the two. I was just noting that it's not "incorrect" per se.
I think we are all in agreement about "two media types for one scheme"
| if classID == nil { | ||
| log.Debug("no classID in the environment") | ||
| } | ||
| if classID != nil { |
There was a problem hiding this comment.
Should be an else clause for the if statement above, rather than a separate if statement.
| log.Debug("no classID in the environment") | ||
| } | ||
| if classID != nil { | ||
| uuID, err := classID.GetUUID() |
There was a problem hiding this comment.
nit: rename to uuid, the whole thing, "UUID" is an initialism, and it doesn't make sense to only keep the "ID" part capitalized; so either UUID or uuid.
|
|
||
| type CorimExtractor struct{} | ||
|
|
||
| func (o CorimExtractor) RefValExtractor( |
There was a problem hiding this comment.
Rename to ExtractRefVal. In general, methods should be verbs (unless constructors, factories, properties, etc). The name as-is suggests that this should return an extractor, rather than a slice of ref vals.
(note: I realise that this is meant to be implementing common.IExtractor, however there is no need for that interface -- this is only used within this code, and is never passed via the interface.)
There was a problem hiding this comment.
IExtractor is the interface which is been implemented by CorimExtractor. To your comment: however there is no need for that interface -- this is only used within this code
is not true, IExtractor interfaces are invoked from: UnsignedCorimDecoder.go
hence this is not a local function!
|
|
||
| } | ||
|
|
||
| func RefValLookupKey(schemeName, tenantID, instID string) string { |
There was a problem hiding this comment.
Can be changed to a local function (i. e. refValLookupKey)?
| for k, val := range r.M { | ||
| a, d, err := o.extractRealmDigest(val) | ||
| if err != nil { | ||
| return errors.New("unable to extract digest for ") |
| return "", nil, fmt.Errorf("invalid digest: %v", err) | ||
| } | ||
| if len(digests) != 1 { | ||
| return "", nil, fmt.Errorf("invalid number %d for digest", len(digests)) |
There was a problem hiding this comment.
| return "", nil, fmt.Errorf("invalid number %d for digest", len(digests)) | |
| return "", nil, fmt.Errorf("expecting 1 digest, got %d", len(digests)) |
| } | ||
|
|
||
| func (o *RealmAttributes) extractRealmDigest(digests comid.Digests) (algID string, hash []byte, err error) { | ||
|
|
There was a problem hiding this comment.
spurious NL
|
Follow up on this:
I think there should be a |
@thomas-fossati: I will look into this further! Basically my initial thought was REM slots will always be 4 in token, so we provide 4 to Supply Chain. They can use whatever they want to use 1,2,3, or all. The rest will be filled with |
Not really. Suppose at run-time the workload app extends the REMs but the verifier is only in the "pure" TCB (i.e., platform + RIM). If both RIM and REMs must be specified there is no way to tell the verifier to "ignore REMs". |
Signed-off-by: Yogesh Deshpande <[email protected]>
Signed-off-by: Yogesh Deshpande <[email protected]>
Signed-off-by: Yogesh Deshpande <[email protected]>
Signed-off-by: Yogesh Deshpande <[email protected]>
Signed-off-by: Yogesh Deshpande <[email protected]>
Signed-off-by: Yogesh Deshpande <[email protected]>
|
Closing this PR as the changes |
This change introduces Realm Provisioning Plugin