EAT Measured Component

EAT Measured Component Arm

Simon.Frost@arm.com

Linaro

Thomas.Fossati@linaro.org

University of Applied Sciences Bonn-Rhein-Sieg

Hannes.Tschofenig@gmx.net

Fraunhofer SIT

henk.birkholz@ietf.contact

Security Remote ATtestation ProcedureS EAT measurements claim measured component The term "measured component" refers to an object within the attester's target environment whose state can be sampled and typically digested using a cryptographic hash function. Examples of measured components include firmware stored in flash memory, software loaded into memory at start time, data stored in a file system, or values in a CPU register. This document provides the information model for the "measured component" and two associated data models. This separation is intentional: the JSON and CBOR serializations, coupled with the media types and associated Constrained Application Protocol (CoAP) Content-Formats, enable the immediate use of the semantics within the Entity Attestation Token (EAT) framework. Meanwhile, the information model can be reused in future specifications to provide additional serializations, for example using ASN.1. Discussion Venues Discussion of this document takes place on the Remote ATtestation ProcedureS Working Group mailing list (rats@ietf.org), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction defines a Measurements claim that:

"[c]ontains descriptions, lists, evidence or measurements of the software that exists on the entity or any other measurable subsystem of the entity."

This claim allows for different measurement formats, each identified by a different CoAP Content-Format (). Currently, the only specified format is Concise Software Identification (CoSWID) Tags of type "evidence", as per . However, CoSWID is not suitable for measurements that cannot be anchored to a file system, such as those in early boot environments. To address this gap, this document introduces a "measured component" format that can be used with the EAT Measurements claim alongside or instead of CoSWID. The term "measured component" refers to an object within the attester's target environment whose state can be sampled and typically digested using a cryptographic hash function. This includes, for example: the invariant part of a firmware component that is loaded in memory at startup time, a run-time integrity check (RTIC), a file system object, or a CPU register. This document provides the information model for the "measured component" and two associated data models . This separation is intentional: the JSON and CBOR serializations, coupled with the media types and associated CoAP Content-Formats, enable the immediate use of the semantics within the EAT framework. Meanwhile, the information model can be reused in future specifications to provide additional serializations, for example using ASN.1.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. In this document, CDDL is used to describe the data formats.

Information Model This section presents the information model of a "measured component". A "measured component" information element includes the component's sampled state (in digested or raw form) along with metadata that helps in identifying the component. Optionally, any entities responsible for signing the installed component can also be specified. The information elements (IE) that constitute a "measured component" are described in . Measured Component Information Elements

IE	Description	Requirement Level
Component Name	The name given to the measured component. It is important that this name remains consistent across different releases to allow for better tracking of the same measured item across updates. When combined with a consistent versioning scheme, it enables better signalling from the appraisal procedure to the relying parties.	REQUIRED
Component Version	A value representing the specific release or development version of the measured component. Using Semantic Versioning is RECOMMENDED.	OPTIONAL
Digested or Raw Value	Either the raw value or the digested value of the measured component.	REQUIRED
Digest Algorithm	Hash algorithm used to compute the Digest Value.	REQUIRED only if the value is in the digested form
Authorities	One or more entities that can authoritatively identify the component being measured.	OPTIONAL

A data model implementing this information model SHOULD also allow a limited amount of extensibility to accommodate profile-specific semantics.

Data Model This section presents a JSON and CBOR data model that implements the information model outlined in . The data model is inspired by the "PSA software component" claim (), which has been refactored to take into account the recommendations about the design of new EAT claims described in . CDDL is used to express rules and constraints of the data model for both JSON and CBOR. These rules must be strictly followed when creating or validating "measured component" data items. When there is variation between CBOR and JSON, the CDDL generic JC<>, defined in , is used.

Common Types The following three basic types are used at various places within the measured component data model:

The digest Type A digest represents the result of a hashing operation together with the hash algorithm used. The type of the digest algorithm identifier can be either int or text and is interpreted according to the registry. Specifically, int values are matched against "ID" entries and text values are matched against "Hash Name String" entries. Whenever possible, using the int encoding is RECOMMENDED. ]]>

The measured-component Data Item The measured-component data item is as follows: component-id measurement ? authorities-label => [ + authority-id-type ] ? flags-label => flags-type } measurement //= ( digested-measurement-label => digest ) measurement //= ( raw-measurement-label => bytes ) authority-id-type = eat.JC flags-type = eat.JC component-id-label = eat.JC<"id", 1> digested-measurement-label = eat.JC<"digested-measurement", 2> raw-measurement-label = eat.JC<"raw-measurement", 5> authorities-label = eat.JC<"authorities", 3> flags-label = eat.JC<"flags", 4> ]]> The members of the measured-component CBOR map / JSON object are:

"id" (index 1):: The measured component identifier encoded according to the format described in .
"measurement":: Either a digest value and digest algorithm (index 2), encoded using the digest format (), or the "raw" measurement (index 5), encoded as a byte string. Note that, while the size of the digested form is constrained by the digest function, the size of the raw form can vary greatly depending on what is being measured (it could be a CPU register or an entire configuration blob, for example). Therefore, a decoder implementation may decide to limit the amount of memory it allocates to this specific field.
"authorities" (index 3):: One or more authorities, see .
"flags" (index 4):: a 64-bit field with profile-defined semantics, see .

Component Identifier The component-id data item is as follows:

name: A string that provides a human readable identifier for the component in question. Format and adopted conventions depend on the component type.
version: A compound version data item that reuses the encoding and semantics of sw-version-type, extending it to non-software components.

Authority Identifier An authority is an entity that can authoritatively identify a given component by digitally signing it. This signature is usually verified during installation, or when the measured component is executed by the boot ROM, operating system, or application launcher. For example, as in Unified Extensible Firmware Interface (UEFI) Secure Boot and Arm Trusted Board Boot . Another example may be the controlling entity in an app store. An authority is identified by its signing public key. It could be an X.509 certificate, a raw public key, a public key thumbprint, or some other identifier that can be uniquely associated with the signing entity. In some cases, multiple parties may need to sign a component to indicate their endorsement or approval. This could include roles such as a firmware update system, fleet owner, or third-party auditor. The specific purpose of each signature may depend on the deployment, and the order of authorities within the array could indicate meaning. If an EAT profile () uses measured components, it MUST specify whether the authorities field is used. If it is used, the profile MUST also specify what each of the entries in the authorities array represents, and how to interpret the corresponding authority-id-type. The authority-id-type is defined as follows: ]]>

Profile-specific Flags This optional field can contain up to 64 bits of profile-defined semantics, enabling a profile of this specification to encode additional information and extend the base type. It can be used to carry information in fixed-size chunks, such as a bit mask or a single value within a predetermined set of codepoints. Regardless of its internal structure, the size of this field is exactly 8 bytes. The flags-type is defined as follows: ]]> If an EAT profile () uses measured components, it MUST specify whether the flags field is used. If it is used, the profile MUST also specify how to interpret the 64 bits.

EAT measurements-format Extensions The CDDL in extends the $measurements-body-cbor and $measurements-body-json EAT sockets to add support for measured-components to the Measurements claim.

EAT measurements-format Extensions Each socket is extended with two new types: a "native" representation that is used when measured-component and the EAT have the same serialization (e.g., they are both CBOR), and a "tunnel" representation that is used when the serializations differ.

measurements-format for CBOR EAT The entries in are the allowed content-type / content-format pairs when the measured-component is carried in a CBOR EAT. Note the use of the "native" and "tunnel" formats from , and how the associated CoAP Content-Format is used to describe the original serialization. measurement-format for EAT CWT

content-type (CoAP C-F equivalent)	content-format
`application/measured-component+cbor`	`mc-cbor`
`application/measured-component+json`	`mc-json`

measurements-format for JSON EAT is the equivalent of for JSON-serialized EAT. measurement-format for EAT JWT

content-type (CoAP C-F equivalent)	content-format
`application/measured-component+json`	`mc-json`
`application/measured-component+cbor`	`tstr .b64u mc-cbor`

EAT Profiles and Measured Components The semantics of the authorities and profile flags fields are defined by the applicable EAT profile, i.e., the profile of the wrapping EAT. If the profile of the EAT is not known to the consumer and one or more Measured Components within that EAT include authorities and/or profile flags, the consumer MUST reject the EAT.

Examples The example in is a digested measured component with all the fields populated.

Complete Measured Component The example in is the same measured component as above but used as the format of a measurements claim in a EAT claims-set. This example uses TBD1 as the content-type value of the measurements-format entry. (This will change to the value assigned by IANA to the mc+cbor Content-Format.) Note that the array contains only one measured component, but additional entries could be added if the measured TCB is made of multiple, individually measured components.

EAT Measurements Claim using a Measured Component (CBOR) > ] ] } ]]> The example in illustrates the inclusion of a JSON measured component inside a JSON EAT. This example uses TBD2 as the content-type value of the measurements-format entry. (This will change to the value assigned by IANA to the mc+json Content-Format.)

EAT Measurements Claim using a Measured Component (JSON) The example in is a measured component representing a boot loader identified by its path name:

Digested Measured Component using File Path as Identifier The example in is a raw measured component.

Raw Measured Component

Security Considerations Please review Sections Claim Trustworthiness, Multiple EAT Consumers and Detached EAT Bundle Digest Security Considerations of ; these considerations apply to this document as well. Note that similar security considerations may apply when the Measured Component information model is serialized using different data models than the ones specified in this document. The Component Name and Component Version can give an attacker detailed information about the software running on a device and its configuration settings. This information could offer an attacker valuable insights. Any textual fields (e.g., Component Name and Component Version) that are stored in a file, inserted into a database, or displayed to humans must be properly sanitized to prevent attacks and undesirable behavior. Further discussion and references on this topic can be found in . If the component measurement is digested, the digest must be computed using a strong cryptographic hash function.

Privacy Considerations Please review Section Multiple EAT Consumers of ; the differential encryption considerations discussed there also apply to this document. The Component Name and Component Version could reveal private information about a device and its owner. Additionally, the stability requirement of the Component Name could enable tracking.

IANA Considerations RFC Editor: replace "RFCthis" with the RFC number assigned to this document.

Media Types Registrations IANA is requested to add the following media types to the "Media Types" registry . Measured Component Media Types

Name	Template	Reference
`mc+cbor`	`application/measured-component+cbor`	RFCthis
`mc+json`	`application/measured-component+json`	RFCthis

application/measured-component+cbor

Type name:: application
Subtype name:: measured-component+cbor
Required parameters:: n/a
Optional parameters:: n/a
Encoding considerations:: binary (CBOR)
Security considerations:: of RFCthis
Interoperability considerations:: n/a
Published specification:: RFCthis
Applications that use this media type:: Attesters, Verifiers and Relying Parties
Fragment identifier considerations:: The syntax and semantics of fragment identifiers are as specified for "application/cbor". (No fragment identification syntax is currently defined for "application/cbor".)
Person & email address to contact for further information:: RATS WG mailing list (rats@ietf.org)
Intended usage:: COMMON
Restrictions on usage:: none
Author/Change controller:: IETF
Provisional registration:: no

application/measured-component+json

Type name:: application
Subtype name:: measured-component+json
Required parameters:: n/a
Optional parameters:: n/a
Encoding considerations:: binary (JSON is UTF-8-encoded text)
Security considerations:: of RFCthis
Interoperability considerations:: n/a
Published specification:: RFCthis
Applications that use this media type:: Attesters, Verifiers and Relying Parties
Fragment identifier considerations:: The syntax and semantics of fragment identifiers are as specified for "application/json". (No fragment identification syntax is currently defined for "application/json".)
Person & email address to contact for further information:: RATS WG mailing list (rats@ietf.org)
Intended usage:: COMMON
Restrictions on usage:: none
Author/Change controller:: IETF
Provisional registration:: no

Measured Component Content-Format Registrations IANA is requested to register two Content-Format numbers in the "CoAP Content-Formats" sub-registry, within the "Constrained RESTful Environments (CoRE) Parameters" Registry , as follows:

Content-Type	Content Coding	ID	Reference
application/measured-component+cbor	-	TBD1	RFCthis
application/measured-component+json	-	TBD2	RFCthis

If possible, TBD1 and TBD2 should be assigned in the 256..9999 range.

References Normative References The Constrained Application Protocol (CoAP) The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. Additional Control Operators for the Concise Data Definition Language (CDDL) The Concise Data Definition Language (CDDL), standardized in RFC 8610, provides "control operators" as its main language extension point. The present document defines a number of control operators that were not yet ready at the time RFC 8610 was completed:.plus,.cat, and.det for the construction of constants;.abnf/.abnfb for including ABNF (RFC 5234 and RFC 7405) in CDDL specifications; and.feature for indicating the use of a non-basic feature in an instance. Concise Data Definition Language (CDDL): Additional Control Operators for the Conversion and Processing of Text The Concise Data Definition Language (CDDL), standardized in RFC 8610, provides "control operators" as its main language extension point. RFCs have added to this extension point in both an application-specific and a more general way. The present document defines a number of additional generally applicable control operators for text conversion (bytes, integers, printf-style formatting, and JSON) and for an operation on text. The Entity Attestation Token (EAT) An Entity Attestation Token (EAT) provides an attested claims set that describes the state and characteristics of an entity, a device such as a smartphone, an Internet of Things (IoT) device, network equipment, or such. This claims set is used by a relying party, server, or service to determine the type and degree of trust placed in the entity. An EAT is either a CBOR Web Token (CWT) or a JSON Web Token (JWT) with attestation-oriented claims. Semantic Versioning 2.0.0 Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Named Information IANA Informative References On the Difference between Information Models and Data Models There has been ongoing confusion about the differences between Information Models and Data Models for defining managed objects in network management. This document explains the differences between these terms by analyzing how existing network management model specifications (from the IETF and other bodies such as the International Telecommunication Union (ITU) or the Distributed Management Task Force (DMTF)) fit into the universe of Information Models and Data Models. This memo documents the main results of the 8th workshop of the Network Management Research Group (NMRG) of the Internet Research Task Force (IRTF) hosted by the University of Texas at Austin. This memo provides information for the Internet community. Arm's Platform Security Architecture (PSA) Attestation Token Arm's Platform Security Architecture (PSA) is a family of hardware and firmware security specifications, along with open-source reference implementations, aimed at helping device makers and chip manufacturers integrate best-practice security into their products. Devices that comply with PSA can generate attestation tokens as described in this document, which serve as the foundation for various protocols, including secure provisioning and network access control. This document specifies the structure and semantics of the PSA attestation token. The PSA attestation token is a profile of the Entity Attestation Token (EAT). This specification describes the claims used in an attestation token generated by PSA-compliant systems, how these claims are serialized for transmission, and how they are cryptographically protected. This Informational document is published as an Independent Submission to improve interoperability with Arm's architecture. It is not a standard nor a product of the IETF. Concise Software Identification Tags ISO/IEC 19770-2:2015 Software Identification (SWID) tags provide an extensible XML-based structure to identify and describe individual software components, patches, and installation bundles. SWID tag representations can be too large for devices with network and storage constraints. This document defines a concise representation of SWID tags: Concise SWID (CoSWID) tags. CoSWID supports a set of semantics and features that are similar to those for SWID tags, as well as new semantics that allow CoSWIDs to describe additional types of information, all in a more memory-efficient format. Unicode Character Repertoire Subsets This document discusses subsets of the Unicode character repertoire for use in protocols and data formats and specifies three subsets recommended for use in IETF specifications. Unified Extensible Firmware Interface (UEFI) Specification UEFI Forum, Inc. Trusted Board Boot Requirements Client (TBBR-CLIENT) Armv8-A Arm Ltd Media Types IANA Constrained RESTful Environments (CoRE) Parameters IANA

Collected CDDL This appendix contains all the CDDL definitions included in this specification. component-id, measurement, ? authorities-label => [+ authority-id-type], ? flags-label => flags-type, } measurement //= (digested-measurement-label => digest // raw-\ measurement-label => bytes) authority-id-type = eat.JC flags-type = eat.JC component-id = [ name: text, ? version: version, ] version = [ val: text, ? scheme: coswid.$version-scheme, ] digest = [ alg: int / text, val: digest-value-type, ] digest-value-type = eat.JC bytes-b64u = text .b64u bytes bytes8 = bytes .size 8 bytes8-b64u = text .b64u bytes8 component-id-label = eat.JC<"id", 1> digested-measurement-label = eat.JC<"digested-measurement", 2> raw-measurement-label = eat.JC<"raw-measurement", 5> authorities-label = eat.JC<"authorities", 3> flags-label = eat.JC<"flags", 4> mc-cbor = bytes .cbor measured-component mc-json = text .json measured-component $measurements-body-cbor /= mc-cbor / mc-json $measurements-body-json /= mc-json / text .b64u mc-cbor eat.JSON-ONLY = J .feature "json" eat.CBOR-ONLY = C .feature "cbor" eat.JC = eat.JSON-ONLY / eat.CBOR-ONLY coswid.$version-scheme /= coswid.multipartnumeric / coswid.\ multipartnumeric-suffix / coswid.alphanumeric / coswid.decimal / \ coswid.semver / int / text coswid.multipartnumeric = 1 coswid.multipartnumeric-suffix = 2 coswid.alphanumeric = 3 coswid.decimal = 4 coswid.semver = 16384 ]]>

Open Issues The list of currently open issues for this documents can be found at . Note to RFC Editor: please remove before publication.

Acknowledgments The authors would like to thank Carl Wallace, Carsten Bormann, Deb Cooley, Dionna Glaze, Giridhar Mandyam, Houda Labiod, , Jun Zhang, Laurence Lundblade, Michael Richardson, Muhammad Usama Sardar and Yogesh Deshpande for providing comments, reviews and suggestions that greatly improved this document. The authors would also like to thank Ken Takayama for providing an implementation of this specification in the veraison/eat package.