
Commit 65a9c1a

Address OCP Feedback on NONCE length, and remove OCP Command Registry from Attestation Main Spec
Signed-off-by: Fabrizio Damato <[email protected]>
1 parent 92ac383 commit 65a9c1a

2 files changed

+7
-87
lines changed

specifications/attestation-of-system-components/spec.ocp

Lines changed: 0 additions & 54 deletions
@@ -575,60 +575,6 @@ OCP commands are designed to be transport-agnostic. When transported over SPDM,
575575

576576
Other transport protocols may define their own bindings while preserving the same command codes and semantics.
577577

578-
### OCP Command Code Registry
579-
580-
The following table lists all registered OCP command codes:
581-
582-
+---------------------+------------------------------+---------------------------------------+----------------------------------------------+
583-
| Command Code | Command Name | Defining Specification | Description |
584-
+=====================+==============================+=======================================+==============================================+
585-
| 0x00 | Reserved | - | Reserved for future use |
586-
+---------------------+------------------------------+---------------------------------------+----------------------------------------------+
587-
| 0x01 | GET_ENVELOPE_SIGNED_CSR | OCP Device Identity | Requests a replay-protected CSR that is |
588-
| | | Provisioning | envelope-signed by an attestation key to |
589-
| | | | prove authenticity of the identity keypair |
590-
+---------------------+------------------------------+---------------------------------------+----------------------------------------------+
591-
| 0x02 | GET_EAT | OCP Profile for IETF Entity | Requests an Entity Attestation Token |
592-
| | | Attestation Token | conforming to OCP Profile |
593-
+---------------------+------------------------------+---------------------------------------+----------------------------------------------+
594-
| 0x03-0xFF | Reserved | - | Reserved for future assignment |
595-
+---------------------+------------------------------+---------------------------------------+----------------------------------------------+
596-
597-
### Command Code Assignment Process
598-
599-
New OCP specifications that require command codes **MUST**:
600-
601-
1. Request command code assignment from the OCP Security Working Group
602-
2. Provide command name and brief description
603-
3. Reference the defining specification
604-
4. Update this registry upon approval
605-
606-
### REQUIREMENTS - OCP Command Usage
607-
608-
*OCP specifications defining new commands **MUST**:*
609-
610-
- *Use command codes assigned in this registry*
611-
- *Not reuse or conflict with existing command codes*
612-
613-
*When transporting OCP commands over SPDM, implementations **MUST**:*
614-
615-
- *Use StandardID value of 4 (IANA)*
616-
- *Use VendorID value of 42623 (OCP)*
617-
- *Place the OCP Command Code as the first byte of VendorDefinedReqPayload/VendorDefinedRespPayload*
618-
619-
### Cross-Specification References
620-
621-
#### GET_ENVELOPE_SIGNED_CSR (0x01)
622-
- **Defined in:** OCP Device Identity Provisioning Specification
623-
- **Purpose:** Requests a freshness-protected (replay-resistant) Certificate Signing Request that is envelope-signed by an attestation key to establish trust in a device's identity keypair
624-
- **Reference:** See Device Identity Provisioning specification for full command definition
625-
626-
#### GET_EAT (0x02)
627-
- **Defined in:** OCP Profile for IETF Entity Attestation Token
628-
- **Purpose:** Retrieves attestation evidence in OCP EAT format
629-
- **Reference:** See OCP EAT Profile specification for full command definition
630-
631-
632578
# Measurement collection and storage
633579

634580
## REQUIREMENTS - What to measure and what not to measure {#sec:requirements-what-to-measure-and-what-not-to-measure}
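Review bot: The retained context line "Other transport protocols may define their own bindings while preserving the same command codes and semantics." now refers to command codes that are no longer defined anywhere in this file, because the registry and the SPDM binding rules that went with it (StandardID value of 4, VendorID value of 42623, OCP Command Code as the first byte of VendorDefinedReqPayload/VendorDefinedRespPayload) are deleted in this hunk without a visible replacement. If the registry has moved to another OCP specification, add a cross-reference here naming that document so implementers can still find the code assignments and the SPDM binding; if it has not moved yet, the surviving sentence should be reworded so it does not point at a registry that this spec no longer carries.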

specifications/ietf-eat-profile/spec.ocp

Lines changed: 7 additions & 33 deletions
@@ -288,7 +288,7 @@ TODO: fill in with a diag
288288

289289
## Overview
290290

291-
The GET_EAT command enables requesters to obtain attestation evidence from a device in the form of an Entity Attestation Token (EAT) that conforms to this OCP Profile. This command is designed to be transport-agnostic while providing a standardized interface for attestation requests.
291+
The GET_EAT command enables verifiers to obtain attestation evidence from a device in the form of an Entity Attestation Token (EAT) that conforms to this OCP Profile. This command is designed to be transport-agnostic while providing a standardized interface for attestation requests.
292292

293293
## Command Definition
294294

@@ -304,10 +304,13 @@ The GET_EAT command enables requesters to obtain attestation evidence from a dev
304304
+---------------------+---------------------+---------------------+----------------------------------------------+
305305
| 2 | Reserved | 2 | Reserved. |
306306
+---------------------+---------------------+---------------------+----------------------------------------------+
307-
| 4 | Nonce | 32 | The Requester shall choose a random |
307+
| 4 | NonceLength | 1 | Shall be the length of the Nonce field |
308+
| | | | in bytes. Shall be between 8 and 64 bytes. |
309+
+---------------------+---------------------+---------------------+----------------------------------------------+
310+
| 5 | Nonce | NonceLength | The Requester shall choose a random |
308311
| | | | value to ensure freshness. |
309312
+---------------------+---------------------+---------------------+----------------------------------------------+
310-
| 36 | SignerSlotID | 1 | Shall be the SlotID. Slot number of the |
313+
| 5 + NonceLength | SignerSlotID | 1 | Shall be the SlotID. Slot number of the |
311314
| | | | Responder certificate chain that shall |
312315
| | | | be used for signing the EAT. |
313316
+---------------------+---------------------+---------------------+----------------------------------------------+
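Review bot: The new NonceLength field says it "Shall be between 8 and 64 bytes" but does not state whether the bounds are inclusive, nor what the Responder does when a request carries a NonceLength outside that range (including 0). Since SignerSlotID now sits at offset "5 + NonceLength", a Responder that locates later fields before validating the length would read SignerSlotID from the wrong byte; specify that an out-of-range NonceLength results in an ERROR response and no EAT is generated, and that the check happens before any other field is parsed. Separately, the 8-byte minimum is well below the 32 bytes previously recommended in the Security Considerations; if 8 is meant as an interoperability floor, consider keeping a SHOULD for 32 bytes or more so the freshness guarantee is not silently weakened.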
@@ -371,33 +374,4 @@ For SPDM binding:
371374
TSM engines and other transport mechanisms **MAY** define their own bindings for the GET_EAT command, provided they:
372375
- Maintain semantic equivalence of request and response structures
373376
- Preserve all required fields and their meanings
374-
- Document any transport-specific adaptations
375-
376-
## Security Considerations
377-
378-
### Nonce Requirements
379-
- Requesters **SHOULD** use cryptographically secure random number generators for nonce generation
380-
- Nonces **SHOULD** be at least 32 bytes to prevent collision attacks
381-
- Requesters **MUST** verify that the response nonce matches the request nonce exactly
382-
383-
### Signature Verification
384-
- Requesters **MUST** validate the COSE_Sign1 signature on the returned EAT
385-
- Certificate chain validation **MUST** be performed according to the requester's trust policy
386-
- The x5-chain in the unprotected header **MUST** be validated before trusting the EAT contents
387-
388-
### Replay Protection
389-
- Requesters **SHOULD** maintain a cache of recently used nonces to detect replay attempts
390-
- Responses with duplicate nonces **MUST** be rejected
391-
- Nonce values **SHOULD NOT** be reused within a reasonable time window
392-
393-
## Implementation Notes
394-
395-
1. **Attesters** implementing GET_EAT:
396-
- **MUST** support generating EATs for all provisioned attestation keys
397-
- **SHOULD** complete GET_EAT requests within a reasonable timeout period
398-
- **MAY** implement rate limiting to prevent denial of service
399-
400-
2. **Requesters** using GET_EAT:
401-
- **SHOULD** implement appropriate timeout handling
402-
- **MUST** be prepared to handle ERROR responses
403-
- **SHOULD** validate EAT contents against expected device state
377+
- Document any transport-specific adaptations
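Review bot: The nonce-echo, COSE_Sign1 signature and x5-chain validation requirements in the removed Security Considerations section ("Requesters MUST verify that the response nonce matches the request nonce exactly", "Requesters MUST validate the COSE_Sign1 signature on the returned EAT", "The x5-chain in the unprotected header MUST be validated before trusting the EAT contents") have no visible replacement in this change, and the only net edit to the bindings text is the "Document any transport-specific adaptations" bullet moving from line 374 to 377. If these requirements have been relocated to another section or specification, the commit message should say where and a cross-reference should be added; if the goal was only to drop the "at least 32 bytes" line that now conflicts with the new 8-byte NonceLength minimum, that single bullet could be removed or reworded rather than deleting the whole section with the Replay Protection and Implementation Notes it carried.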