Changed file: specifications/attestation-of-system-components/spec.ocp (101 additions & 0 deletions)
@@ -65,6 +65,7 @@ The Contributors of this Specification would like to acknowledge the following:
65
65
- Wojtek Powiertowski, Facebook, Inc.
66
66
- Eric Spada, Broadcom, Inc.
67
67
- Ben Stoltz, Google
68
+
- Fabrizio D'Amato - AMD
68
69
69
70
<!---
70
71
Please describe how this Specification complies with the OCP tenets.
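Review bot: the added acknowledgement at 68 uses a different separator from its neighbours: the existing entries read `- Eric Spada, Broadcom, Inc.` and `- Ben Stoltz, Google` (comma between name and organisation), while the new line reads `- Fabrizio D'Amato - AMD`; change it to `- Fabrizio D'Amato, AMD`. The three visible neighbours are also ordered alphabetically by surname (Powiertowski, Spada, Stoltz), so if the full list is alphabetical the new entry belongs earlier in the list rather than appended at the end.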
@@ -558,6 +559,106 @@ May call these "(strongly) recommended"
558
559
559
560
See <https://github.com/opencomputeproject/Security/tree/main/specifications/ietf-eat-profile>.
560
561
562
+
# GET_EAT Command
563
+
564
+
## Overview
565
+
566
+
The GET_EAT command enables verifiers to obtain attestation evidence from a device in the form of an Entity Attestation Token (EAT) that conforms to the OCP EAT Profile. This command is allocated in the [@{ocp-command-registry}] and is designed to be transport-agnostic while providing a standardized interface for attestation requests.
567
+
568
+
## Command Definition
569
+
570
+
The GET_EAT command is assigned command code 0x02 in the [@{ocp-command-registry}].
**Note**: Error conditions are reported using transport-specific error mechanisms with error codes from [@{ocp-command-registry}].
620
+
621
+
## EAT Token Requirements
622
+
623
+
The EATToken returned in the GET_EAT response **MUST** conform to the OCP EAT Profile specification, which includes:
624
+
625
+
1. The EAT **MUST** be encoded as a signed CWT (CBOR Web Token)
626
+
2. The EAT Profile claim (265) **MUST** be present and contain the OCP Profile OID
627
+
3. The Nonce claim (10) **MUST** be present and contain the exact nonce value from the request (matching both value and length)
628
+
4. The Measurements claim (273) **MUST** be present and contain concise evidence as defined in the OCP EAT Profile
629
+
5. The issuer claim (1) **MUST** be present to bind the EAT to the certificate chain that issued it
630
+
6. The rim-locators claim (-70001) **MAY** be present to reference CoRIM locations
631
+
632
+
**Note:** The nonce claim in the EAT response must preserve both the value and length of the nonce provided in the GET_EAT request to ensure proper freshness verification.
633
+
634
+
## Transport Bindings
635
+
636
+
### SPDM Binding
637
+
638
+
When transported over SPDM, the GET_EAT command utilizes the VENDOR_DEFINED mechanism as specified in the [@{ocp-command-registry}].
639
+
640
+
For SPDM binding:
641
+
642
+
- The SignerSlotID field **MUST** correspond to SPDM certificate slot numbers
643
+
644
+
For detailed SPDM transport binding requirements including:
645
+
646
+
- VENDOR_DEFINED message structure
647
+
- Success and error case handling
648
+
- ExtendedErrorData usage
649
+
- Command framing specifications
650
+
651
+
Please refer to the [@{ocp-command-registry}] specification.
652
+
653
+
### Native Transport Bindings
654
+
655
+
TSM engines and other transport mechanisms **MAY** define their own bindings for the GET_EAT command, provided they:
656
+
657
+
- Maintain semantic equivalence of request and response structures
658
+
- Preserve all required fields and their meanings
659
+
- Implement appropriate error reporting using transport-native mechanisms
660
+
- Document any transport-specific adaptations
661
+
561
662
# Measurement collection and storage
562
663
563
664
## REQUIREMENTS - What to measure and what not to measure {#sec:requirements-what-to-measure-and-what-not-to-measure}
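Review bot: the Note at 632 restates requirement 3 of the EAT Token Requirements list with a lowercase "must", while the list itself uses the bold **MUST** keyword; either drop the note or reword it as a non-normative explanation ("Preserving both value and length is what allows the verifier to check freshness") so the nonce rule has exactly one normative statement. The list also never states a minimum nonce length or who chooses the nonce; if the request definition fixes that, cross-reference it from item 3, otherwise a verifier has nothing to check beyond echo-back. Item 5 says the issuer claim (1) binds the EAT to the certificate chain that issued it, but a CWT issuer claim is a text string or URI, so state how that value identifies a chain (or whether the binding actually comes from the COSE signing key or header), and capitalise "Issuer" to match "Nonce claim" and "Measurements claim". Smaller points: the rendered hunk jumps from 570 to 620, so the request/response structure that defines EATToken and SignerSlotID is not visible here; confirm the collapsed lines define both fields plus the request nonce. "TSM engines" (655) is not expanded anywhere in the hunk; spell it out on first use. In the SPDM Binding section the sentence "For detailed SPDM transport binding requirements including: ... Please refer to the [@{ocp-command-registry}] specification." is split across a bullet list; reorder it to "Refer to the [@{ocp-command-registry}] specification for detailed SPDM transport binding requirements, including:" followed by the list.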