Add: Documentation for CoMID templates #20
Conversation
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
deeglaze
left a comment
deeglaze
left a comment
There was a problem hiding this comment.
Thank you, this is a great start.
|
|
||
| Each measurement has two crucial subfields: | ||
|
|
||
| - **key**: Identifies the measurement, including possible fields like `label`, `version`, and `signer-id`. |
There was a problem hiding this comment.
These don’t match the CoMID spec.
There was a problem hiding this comment.
@deeglaze could you be more specfic as i got it in most of the templates like
"key": {
"type": "psa.refval-id",
"value": {
"label": "PRoT",
"version": "1.3.5",
"signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
}
}
data/comid/README.md
Outdated
| ### 2.2 Triples | ||
|
|
||
| - **reference-values**: One or more **reference-value** objects, each containing an **environment** and one or more **measurements**. | ||
| - **attester-verification-keys**: One or more **attester-verification-key** objects, each containing an **environment** and an array of **verification-keys**. |
There was a problem hiding this comment.
This doesn’t match the common attestation terminology. An attestation private key signs an attestation, and the attestation public key is used to verify attestation signatures, but I wouldn’t call that a verification key.
There was a problem hiding this comment.
In comid-psa-iakpub.json template file term used is verification keys for array, like could you provide some reference for this
"attester-verification-keys": [
{
"environment": {
"class": {
"id": {
"type": "psa.impl-id",
"value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
},
"vendor": "ACME",
"model": "RoadRunner"
},
"instance": {
"type": "ueid",
"value": "Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI"
}
},
"verification-keys": [
{
"type": "pkix-base64-key",
"value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----"
}
]
}
There was a problem hiding this comment.
@ravjot07, you could use "attestation public key" rather than "verification-keys" in L34.
Note: the way we encode verification keys for CCA and PSA will likely change to use the CoTS (i.e., trusted anchors) format instead. So, it's not something worth much sweating at this point.
| ### 4.2 Reference-Value Fields | ||
| | Field | Type | Description | Example | | ||
| |:------------------:|:------:|:----------------------------------------------------------------------------------:|:---------------------------------------------------------------------------------------------:| | ||
| | environment | Object | Contains class and optionally instance, layer, index. | See 3.1 Environment. | |
There was a problem hiding this comment.
This enumeration confuses what is optional and required, as well as what is where. The layer and index are optional fields of class, whereas instance is at the same level as class.
There was a problem hiding this comment.
@ravjot07 take a look at these here:- https://github.com/ravjot07/cocli/tree/docs/data/comid#42-reference-value-fields
actually i had simply used excel file for these tables and then later converted it into md format using online tools like table converter
| | Field | Type | Description | Example | | ||
| |:-----------------:|:------:|:---------------------------------------:|:---------------------------------------------------------------------------:| | ||
| | environment | Object | Defines the environment for these keys. | See 3.1 Environment. | | ||
| | verification-keys | Array | Holds one or more public keys. | [ { "type": "pkix-base64-key", "value": "-----BEGIN PUBLIC KEY-----..." } ] | |
There was a problem hiding this comment.
Still would rename these
data/comid/README.md
Outdated
|
|
||
| ## 1 Introduction | ||
|
|
||
| **CoMID (Concise Model Identifier)**, is a data model and serialization format (in JSON) for capturing **reference values** and **verification keys** that can be used in remote attestation and other trust-verification scenarios. By standardizing how measurements are captured and shared, CoMID facilitates **interoperability**, **integrity**, and **traceability** across various systems and vendors. |
There was a problem hiding this comment.
Please keep separate sentences on separate lines. I don’t know what is meant by traceability here.
There was a problem hiding this comment.
this is what i get form https://datatracker.ietf.org/doc/draft-ietf-rats-corim/ page no 15 and from here i meant by tracebility is that we could extract information about hardware, firmware
A CoMID tag contains information about hardware, firmware, or module
composition.
Each CoMID has a unique ID that is used to unambiguously identify
CoMID instances when cross referencing CoMID tags, for example in
typed link relations, or in a CoBOM tag.
A CoMID defines several types of Claims, using "triples" semantics.
There was a problem hiding this comment.
sure i will keep separate sentences on separate lines.
There was a problem hiding this comment.
I wouldn't say traceability when you really just mean the integrity of the measurements. There's a whole other form of supply chain security that tracks the links in the chain from source to binary that isn't captured by the CoRIM specification.
Co-authored-by: Dionna Amalie Glaze <drdeeglaze@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
|
@deeglaze i have documented example templates and added some flowcharts for more clarity. pl review them |
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
data/comid/README.md
Outdated
| ### 2.2 Triples | ||
|
|
||
| - **reference-values**: One or more **reference-value** objects, each containing an **environment** and one or more **measurements**. | ||
| - **attester-verification-keys**: One or more **attester-verification-key** objects, each containing an **environment** and an array of **verification-keys**. |
There was a problem hiding this comment.
@ravjot07, you could use "attestation public key" rather than "verification-keys" in L34.
Note: the way we encode verification keys for CCA and PSA will likely change to use the CoTS (i.e., trusted anchors) format instead. So, it's not something worth much sweating at this point.
thomas-fossati
left a comment
thomas-fossati
left a comment
There was a problem hiding this comment.
Leftover comment/suggestion.
data/corim/README.md
Outdated
|
|
||
| ### 2.2 CoRIM in the RATS Architecture | ||
|
|
||
| In the **IETF RATS architecture** ([RFC9334]), a **Verifier** appraises **Evidence** (the Attester’s state claims) against **Reference Values** or **Endorsements** (often created or authorized by an Endorser). CoRIM can be used: |
There was a problem hiding this comment.
| In the **IETF RATS architecture** ([RFC9334]), a **Verifier** appraises **Evidence** (the Attester’s state claims) against **Reference Values** or **Endorsements** (often created or authorized by an Endorser). CoRIM can be used: | |
| In the **IETF RATS architecture** ([RFC9334](https://rfc-editor.org/rfc/rfc9334)), a **Verifier** appraises **Evidence** (the Attester’s state claims) against **Reference Values** or **Endorsements** (often created or authorized by an Endorser). CoRIM can be used: |
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
… environment paths Signed-off-by: Priyanshu Thapliyal <priyanshuthapliyal2005@gmail.com>
Signed-off-by: Priyanshu Thapliyal <priyanshuthapliyal2005@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Co-authored-by: Dionna Amalie Glaze <drdeeglaze@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
|
@thomas-fossati i have updated docs can you review them.. |
There was a problem hiding this comment.
since we have the mermaid equivalent, this can be safely removed now
|
|
||
| Below are the **seven** template files, each highlighting different aspects of CoMID usage. | ||
|
|
||
| ### comid-cca-mult-refval.json |
There was a problem hiding this comment.
(I thought I had made this comment in the previous review cycle, but I cannot find it here, so...)
Rather than making verbatim copies of the files (which will eventually go out of sync), it's better to reference the originals here.
GitHub has a "code snippet" functionality that comes in handy: by copying the permalink to the JSON file (and adding the wanted lines range), the file is embedded in the rendered markdown -- which is pretty cool.
There was a problem hiding this comment.
To be a bit more concrete: using the permalink to comid-cca-mult-refval.json (including explicit line range) https://github.com/veraison/cocli/blob/0d8fae8210ae527589792de2fba54442302380f7/data/comid/templates/comid-cca-mult-refval.json#L1-L93 will render as:
cocli/data/comid/templates/comid-cca-mult-refval.json
Lines 1 to 93 in 0d8fae8
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
| } | ||
| ``` | ||
|
|
||
| [comid-cca-mult-refval.json](https://github.com/veraison/cocli/blob/0d8fae8210ae527589792de2fba54442302380f7/data/comid/templates/comid-cca-mult-refval.json#L1-L93) |
There was a problem hiding this comment.
Does this work as intended? I understand from the GitHub docs you just need to slap the bare permalink URI on a separate line, without any wrapping.
There was a problem hiding this comment.
Yaa this does not works as intended, i will add bare permalink
There was a problem hiding this comment.
@thomas-fossati sir a also tried bare link but it does not work as intended
There was a problem hiding this comment.
It's because you are working on a fork (I think). To work, the permalink must refer to the local repo. Try and test it with a permalink to the same files but in the ravjot07/cocli repo. If that works (it should), just replace them with the permalinks to the veraison/cocli copies. Leap of faith! :-)
There was a problem hiding this comment.
sure @thomas-fossati i will give it a try
Signed-off-by: Ravjot Singh <ravu2004@gmail.com>
4 participants
@deeglaze I have created a basic documentation for CoMID templates..
I was working on this PR and thought that it might be useful to add a high level structure to format of these templates so can you take and look add this and decide whether we should put this is in docs or not ??
And one more suggestion i need was does should we add description for all the 7 provided templates in CoMID or not?
Contributes towards #18