Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AR4SI mappings folder #52

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

AR4SI mappings folder #52

wants to merge 2 commits into from

Conversation

thomas-fossati
Copy link
Contributor

Starting with CCA

@thomas-fossati
Copy link
Contributor Author

@SimonFrost-Arm @setrofim @yogeshbdeshpande please review

Copy link
Contributor

@SimonFrost-Arm SimonFrost-Arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

v. useful, hopefully the start of many!

Copy link
Contributor

@setrofim setrofim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM in general.

ar4si/arm-cca.md Outdated
|Hardware (and Firmware)||CONTRAINDICATED_HARDWARE (genuine HW/FW but contraindicated)|TRUSTWORTHY_INSTANCE && some sw-component claims are known-bad|
|||UNRECOGNIZED_HARDWARE (unrecognised HW/FW)|TRUSTWORTHY_INSTANCE && some sw-component claims couldn’t be found|
|||GENUINE_HARDWARE (genuine HW/FW)|Same as (TRUSTWORTHY_INSTANCE && APPROVED_BOOT)|
||Not clear what is the difference between this and CONTRAINDICATED_HARDWARE?|UNSAFE_HARDWARE (genuine HW/SW but known sec vulns)|TBD (see note)|
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not clear what is the difference between this and CONTRAINDICATED_HARDWARE?

CONTRAINDICATED == know exploits
UNSAFE == known vulns (but no know exploits confirmed)
?

Copy link
Contributor Author

@thomas-fossati thomas-fossati Sep 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note for self: this needs corresponding signals in the x-refval.

ar4si/arm-cca.md Outdated
|||UNAVAIL_CONFIG_ELEMS|N.A.|
|||UNSAFE_CONFIG|N.A.|
|||UNSUPPORTABLE_CONFIG|N.A.|
|Executables|It looks like an “UNRECOGNIZED_BOOT” is missing… but really the problem here is that this claim conflates run-time and boot-time.|APPROVED_BOOT|if RIM and PV (if provided) match|
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the value of Executables field if RIM and PV do not match? Would the value ever be APPROVED_BOOT in paractice, if the value of the field depends on the subsequent evaluation of REM?

I agree, there should really be a spearate claim for "boot"...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the value of Executables field if RIM and PV do not match?

There is none at the moment. UNRECOGNIZED_BOOT would be it - if it existed.
OK, I will raise an issue in the AR4SI repo for that.
Until then, we have the negative codepoints space to use to define our new experimental semantics.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ar4si/arm-cca.md Outdated
|||APPROVED_RUNTIME|if REM match|
|||CONTRAINDICATED_RUNTIME|If the verifier has a notion of known-bad REM values (alongside known-good) this can be set in case REM matches known-bad values|
|||UNRECOGNIZED_RUNTIME|If no REM ref-values match evidence|
||Not clear how this differs from CONTRAINDICATED_RUNTIME|UNSAFE_RUNTIME|(could be used as an alternative to CONTRAINDICATED_RUNTIME in the warning tier)|
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As with hardware, know exploit vs know vuln?

|||CRYPTO_VALIDATION_FAILED|On failures coming from the Platform token verifier (excluding Realm binding, which is captured in the Realm part)|
|Instance identity||TRUSTWORTHY_INSTANCE|verification using CPAK is successful and Implementation ID is known (implicitly, from the fact that ref-values associated to it exist)|
|||UNTRUSTWORTHY_INSTANCE|If the verifier has a notion of known-bad CPAK, then verification using CPAK that is successful but CPAK is known-bad can assert this claim.|
|||UNRECOGNIZED_INSTANCE|No CPAK found corresponding to the Instance ID or Implementation ID is not known (i.e., there are no ref-values associated to it.)|
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add a clarification Glossary in the end to expand fully what it means to be CPAK ..?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are talking of a single acronym, adding a glossary is a tad overkill :-)

I'll expand CPAK inline.

Signed-off-by: Thomas Fossati <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants