fix(scheme): align PSA/CCA with CoRIM profiles#401
fix(scheme): align PSA/CCA with CoRIM profiles#401abhiraj-ku wants to merge 1 commit intoveraison:mainfrom
Conversation
abhiraj-ku
force-pushed
the
refresh-corim-profiles
branch
from
9777357 to
68a8817
Compare
abhiraj-ku
changed the title
|
@abhiraj-ku Please check why integration tests are failing, the simple clue could be that the expected test vectors have not been modified to match the changes |
abhiraj-ku
force-pushed
the
refresh-corim-profiles
branch
from
68a8817 to
9c2ea92
Compare
setrofim
left a comment
setrofim
left a comment
There was a problem hiding this comment.
CoRIM validation in scheme/arm-cca/corim.go and scheme/psa-iot/corim.go should now be redundant, as that the updated profile code should handle that.
It should be sufficient for the scheme to import the corresponding CoRIM profile package, so that the profile gets registered, and the corim.go files here can be removed.
abhiraj-ku
force-pushed
the
refresh-corim-profiles
branch
3 times, most recently
from
b29d634 to
fd23c00
Compare
abhiraj-ku
force-pushed
the
refresh-corim-profiles
branch
2 times, most recently
from
b265db6 to
ecb1369
Compare
thomas-fossati
left a comment
thomas-fossati
left a comment
There was a problem hiding this comment.
Thanks for all the work! I have left a couple of comments inline.
| ] | ||
| "sha-256:BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" | ||
| ], | ||
| "name": "BL" |
There was a problem hiding this comment.
Please, add version too. (Here and below; also, for PSA.)
| "value": "cca.platform-config" | ||
| }, | ||
| "value": { | ||
| "raw-value": { |
There was a problem hiding this comment.
This seems to use separate codepoints to encode the raw value and the associated mask. However, https://www.ietf.org/archive/id/draft-ydb-rats-cca-endorsements-03.html#section-3.1.3.2 specifies a single codepoint for both, which is consistent with the deprecation of codepoint 5 in upstream CoRIM.
There was a problem hiding this comment.
should it be changed to match the draft’s single tagged-masked-raw-value representation?
| "raw-value": { | ||
| "type": "bytes", | ||
| "value": "AQID" | ||
| }, | ||
| "raw-value-mask": "AQID" |
|
@abhiraj-ku : I checked the scheme Please check: https://github.com/veraison/services/blob/main/scheme/parsec-cca/test/corim/src/comid-parsec-cca-refval.json We need to fix this also, either here OR via a separate PR. |
yogeshbdeshpande
left a comment
yogeshbdeshpande
left a comment
There was a problem hiding this comment.
Left some comments for you to look at!
| }, | ||
| "ear.veraison.policy-claims": { | ||
| "problem": "integrity validation failed: bad evidence: freshness: psa-nonce (414a7c174141b3d0e9a1d28af31520f0d42299feac4007ded89d68ae6cd92f19) does not match session nonce (75e69d6de79f75e69d6de79f75e69d6de79f75e69d6de79f75e69d6de79f75e6)" | ||
| "problem": "no trust anchor for evidence" |
There was a problem hiding this comment.
This does not seems correct to me, can you please double check, why this has been modified??
There was a problem hiding this comment.
The error MUST be failure of Evidence Integrity due to mis-match of PSA Nonce.
| "digests": [ | ||
| "sha-256:BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" | ||
| ], | ||
| "name": "BL" |
There was a problem hiding this comment.
Need to apply the Version comment by checking all the test files
scheme/arm-cca/scheme.go
Outdated
| return false, false, err | ||
| } | ||
|
|
||
| // Not a platform-config entry. Treat any digest-bearing measurement as |
There was a problem hiding this comment.
We should check here for MKey corresponding to CCA SW Component and fail, if there is a mis-match in MKey value
scheme/arm-cca/scheme.go
Outdated
| encoded := base64.StdEncoding.EncodeToString((*measurement.Val.Digests)[0].HashValue) | ||
| referenceValues[encoded] = [2]string{*refValID.Label, *refValID.Version} | ||
| // Extract label (mtype) and version from measurement value | ||
| label := "" |
There was a problem hiding this comment.
This and line 487, can be best written as
var label, version string
ARM CCA does the same model/thing and the same extraction and mapping pattern exists in ARM CCA and that class ID is exactly what implementation ID maps into during lookup in the json file you have referenced here |
Migrate PSA-IoT and ARM-CCA scheme handling to latest profile APIs and string measurement keys. Regenerate PSA and ARM-CCA CoRIM test vectors and update negative cases to match new profile validation behavior. Signed-off-by: Abhishek kumar <abhirajabhi312@gmail.com>
abhiraj-ku
force-pushed
the
refresh-corim-profiles
branch
from
ecb1369 to
d4c39f7
Compare
thomas-fossati
left a comment
thomas-fossati
left a comment
There was a problem hiding this comment.
LGTM, thanks!
As discussed, we will update veraison/corim to support $raw-value-type-choice and then return here with the necessary changes to ensure full alignment with the CCA profile.
🚢 it!
4 participants
Migrate PSA-IoT and ARM-CCA scheme handling to latest profile APIs and string measurement keys.
Regenerate PSA and ARM-CCA CoRIM test vectors and update negative cases to match new profile validation behavior.