Add GET_EAT Support to OCP Profile #60
Conversation
Signed-off-by: Fabrizio Damato <[email protected]>
- Updated Contributors list Signed-off-by: Fabrizio Damato <[email protected]>
| +=====================+=====================+=====================+==============================================+ | ||
| | 0 | CommandCode | 1 | Shall be 02h to indicate GET_EAT. | | ||
| +---------------------+---------------------+---------------------+----------------------------------------------+ | ||
| | 1 | CommandVersion | 1 | The version of this request structure. | |
There was a problem hiding this comment.
Generally better to put the CommandVersion first in case the command is parsed and we need to key off-of that.
There was a problem hiding this comment.
I dont disagree w/ the comment in general, but I dont have strong opinion as well for this specific case. Followed same convention of GET_ENVELOPE_SIGNED_CSR (https://github.com/opencomputeproject/Security/blob/main/specifications/device-identity-provisioning/spec.ocp).
There was a problem hiding this comment.
might be worth changing there too. Generally version and size being the first two fields of the structure helps with maximum versioning compatiblity, and easier to write code for.
There was a problem hiding this comment.
Ack, @bluegate010 any thoughts on this ?
There was a problem hiding this comment.
Shuffling thusly sounds good to me.
| +---------------------+---------------------+---------------------+----------------------------------------------+ | ||
| | 8 | EATToken | EATLength | Shall be the Entity Attestation Token | | ||
| | | | | conforming to this OCP Profile. This | | ||
| | | | | field shall be CBOR-encoded | |
There was a problem hiding this comment.
Nit: is the encoding necessary to be specified as a shall? can be a stream of bytes i nthe response and specify elsewhere what the format of the EATToken is, which we already specify ?
There was a problem hiding this comment.
Why not being prescriptive ? I have no issue to remove SHALLL if you feel strong about it
There was a problem hiding this comment.
no strong opinion either way. being prescriptive in a single place generally means you only need to change one place. i think CBOR encoding is implied for EAT token in other parts of the spec, so didnt think it was needed.
| - Certificate chain validation **MUST** be performed according to the requester's trust policy | ||
| - The x5-chain in the unprotected header **MUST** be validated before trusting the EAT contents | ||
|
|
||
| ### Replay Protection |
There was a problem hiding this comment.
hmmm not sure i follow this section. i realize all of this is should, but i'm not sure this is necessary since "requesters" may implement something unnecessary. If the nonce requirements are met, this shouldnt be required at all right? this feels like it leads to temptation to do something non standard.
There was a problem hiding this comment.
I agree requester is misleading, would it replacing to "verifier" sound more reasonable ?
There was a problem hiding this comment.
i was questioning the need for this section at all? If a verifier follows the nonce requirements, not sure what maintaining the cache would help with, and the SHOULD NOT makes it sound like it is okay to reuse a nonce within some time window (which should never be the case?)
There was a problem hiding this comment.
I agree, it is redundant...will strip out
|
|
||
| ## Overview | ||
|
|
||
| The GET_EAT command enables requesters to obtain attestation evidence from a device in the form of an Entity Attestation Token (EAT) that conforms to this OCP Profile. This command is designed to be transport-agnostic while providing a standardized interface for attestation requests. |
There was a problem hiding this comment.
requester is confusing, specially in the context of SPDM. SPDM has a very specific meaning for requester, here you really mean verifier?
might be good to delineate SPDM requester from this specs requester.
There was a problem hiding this comment.
I agree. I will replace with verifier
|
|
||
| 2. **Requesters** using GET_EAT: | ||
| - **SHOULD** implement appropriate timeout handling | ||
| - **MUST** be prepared to handle ERROR responses |
There was a problem hiding this comment.
SPDM is not the only supported transport layer.
There was a problem hiding this comment.
ack, might be good to clarify "error responses from the trasport". the capitalized ERROR sounds like it is referring to something specific.
- Replace Requester with Verifier - Swap Command Version and Command Code - Strip unnecessary description of Security Considerations - Add Clarification for large buffer handling Signed-off-by: Fabrizio Damato <[email protected]>
| @@ -552,6 +553,76 @@ algorithms: | |||
|
|
|||
| See <https://github.com/opencomputeproject/Security/tree/main/specifications/ietf-eat-profile>. | |||
|
|
|||
| ## OCP Command Registry {#sec:ocp-command-registry} | |||
There was a problem hiding this comment.
If this registry is at the level of OCP, not OCP Security, then it should go in (something like) https://github.com/opencomputeproject/ocp-oid-registry. Maybe @bluegate010 can rename that repository to ocp-registry and not make it specific to OIDs.
There was a problem hiding this comment.
Agreed, on reflection I think it at least needs to be in a separate document, and it's possible that other projects will want to define their own. Will ask OCP to change the registry repo name.
There was a problem hiding this comment.
It sounds good... I`ll move to https://github.com/opencomputeproject/ocp-registry. Is a markdown document the right place to include the OCP Command Registry, or are you expecting a different format ?
There was a problem hiding this comment.
Markdown is fine, yeah.
There was a problem hiding this comment.
I will create a separate commit, as it is a separate github repo
There was a problem hiding this comment.
Let's drop the changes to this spec from the PR?
fdamato
force-pushed
the
fadamato/get_eat_support
branch
2 times, most recently
from
2d07c0d to
6101b25
Compare
… from Attestation Main Spec Signed-off-by: Fabrizio Damato <[email protected]>
fdamato
force-pushed
the
fadamato/get_eat_support
branch
from
6101b25 to
65a9c1a
Compare
| @@ -552,6 +553,76 @@ algorithms: | |||
|
|
|||
| See <https://github.com/opencomputeproject/Security/tree/main/specifications/ietf-eat-profile>. | |||
|
|
|||
| ## OCP Command Registry {#sec:ocp-command-registry} | |||
There was a problem hiding this comment.
Let's drop the changes to this spec from the PR?
| | 2 | Status | 1 | Response status. | | ||
| | | | | 0x00 = SUCCESS | | ||
| | | | | 0x01 = ERROR | |
There was a problem hiding this comment.
The transport protocol should have an error reporting mechanism that we can use?
There was a problem hiding this comment.
I`m not really convinced on this one... because we would lose control on ERROR type, if we want to expand more.
There was a problem hiding this comment.
We should be able to use SPDM's ExtendedErrorData field for vendor-defined errors.
There was a problem hiding this comment.
I see this is a heavy requirement to bring for NON SPDM adopters... don`t you agree?
There was a problem hiding this comment.
As discussed offline, we can define in the transport binding how error codes should be returned. For SPDM we can avail ourselves of their existing machinery, and for other transports we can do something else.
| 2. The EAT Profile claim (265) **MUST** be present and contain the OCP Profile OID | ||
| 3. The Nonce claim (10) **MUST** be present and contain the nonce value from the request | ||
| 4. The Measurements claim (273) **MUST** be present and contain concise evidence | ||
| 5. The issuer claim (1) **SHALL** be present if binding to a certificate chain |
There was a problem hiding this comment.
Any reason this line uses SHALL instead of MUST?
There was a problem hiding this comment.
I would prefer consistency and move everything to MUST
| - The Responder **MUST** use the SPDM VENDOR_DEFINED_RESPONSE format | ||
| - The StandardID field **MUST** contain 4 (IANA) | ||
| - The VendorID field **MUST** contain 42623 (OCP) | ||
| - The first byte of the VendorDefinedReqPayload/VendorDefinedRespPayload is the Command Code, and must contain the value 02h to indicate GET_EAT |
There was a problem hiding this comment.
| - The first byte of the VendorDefinedReqPayload/VendorDefinedRespPayload is the Command Code, and must contain the value 02h to indicate GET_EAT | |
| - The first byte of the VendorDefinedReqPayload/VendorDefinedRespPayload is the Command Code, and **MUST** contain the value 02h to indicate GET_EAT |
| TSM engines and other transport mechanisms **MAY** define their own bindings for the GET_EAT command, provided they: | ||
| - Maintain semantic equivalence of request and response structures |
There was a problem hiding this comment.
Will need a blank line between these two in order for the bullet points to render properly. Here and above.
There was a problem hiding this comment.
GET_EAT should go in (something like) OCP Attestation. How the EAT is transported should decoupled from the EAT itself.
There was a problem hiding this comment.
I have no problem with that, but we initially discussed to keep it together with the profile. @bluegate010 you ok to move to OCP Attestation 1.1 spec ?
No description provided.