Include OCP EAT Profile Diagnostic Example, and few minor editorial f… (#76)

* Include OCP EAT Profile Diagnostic Example, and few minor editorial fixes

Signed-off-by: Fabrizio Damato <fabrizio.damato@amd.com>

* EAT: Address few issues with the OCP Profile Example and add SUEID as optional claim

Signed-off-by: Fabrizio Damato <fabrizio.damato@amd.com>

* Update specifications/ietf-eat-profile/spec.ocp

* Update specifications/ietf-eat-profile/spec.ocp

Signed-off-by: Fabrizio Damato <fabrizio.damato@amd.com>

---------

Signed-off-by: Fabrizio Damato <fabrizio.damato@amd.com>

Author: fdamato

specifications/ietf-eat-profile/bibliography.yaml

@@ -68,4 +68,11 @@ references:
     issued:
       year: 2024
       month: 8
-    url: "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf"
+    url: "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf"
+  - id: "ietf-rfc9052"
+    title: "CBOR Object Signing and Encryption (COSE): Structures and Process"
+    publisher: "IETF"
+    issued:
+      year: 2022
+      month: 8
+    url: "https://datatracker.ietf.org/doc/html/rfc9052"

specifications/ietf-eat-profile/cddl/ietf_eat_ocp_profile.cddl

@@ -30,6 +30,9 @@ cwt-eat = {
   ; UEID claim (Optional)
   ? &(ueid : 256) => bstr .size (7..33)
 
+  ; SUEID claim (Optional)
+  ? &(sueid : 257) => bstr .size (7..33)
+
   ; OEM ID claim (Optional) // oemid-type is defined in https://datatracker.ietf.org/doc/rfc9711/
   ? &(oemid : 258) => oemid-type
 

specifications/ietf-eat-profile/diag/ocp-profile-eat-example.diag

@@ -0,0 +1,186 @@
+/ Self-described CBOR tag /
+55799(
+  / CWT tag 61 /
+  61(
+    / COSE_Sign1 tag 18 /
+    18([
+      / Protected header /
+      << {
+        / alg: ECDSA P-384 /
+        1: -51,
+        / content-type: application/eat+cwt
+        3: 263
+      } >>,
+      
+      / Unprotected header /
+      {
+        / x5chain: single certificate /
+        33: << h'308202a4...certificate_bytes...' >>
+      },
+      
+      / Payload: CWT claims /
+      << {
+        / Mandatory claims in deterministic order /
+        
+        / 1 (0x01): issuer /
+        1: "Attester-AK-2024",
+        
+        / 7 (0x07): cti /
+        7: h'0123456789abcdef0123456789abcdef',
+        
+        / 10 (0x0a): nonce /
+        10: h'fedcba9876543210fedcba9876543210',
+        
+        / 263 (0x190107): dbgstat - disabled /
+        263: 2,
+        
+        / 265 (0x190109): EAT Profile - OCP Security Attestation EAT Profile /
+        265: 111(h'2b0601040182e42b0103'),
+        
+        / 273 (0x190111): measurements /
+        273: [
+          [
+            / CoAP content-format for concise-evidence /
+            10571,
+            
+            / Concise evidence as CBOR bytestring /
+            <<({
+              / ce.ev-triples /
+              0: {
+                / ce.evidence-triples /
+                0: [
+                  / Triple 1: Firmware Component /
+                  [
+                    / environment-map /
+                    {
+                      / class /
+                      0: {
+                        / class-id: tagged-bytes #6.560 with 4-byte identifier /
+                        0: 560(h'01020304'),
+                        / vendor /
+                        1: "ACME Inc.",
+                        / model /
+                        2: "ACME RoadRunner Trap"
+                      }
+                    },
+                    / measurement-map array /
+                    [
+                      {
+                        / mkey /
+                        0: {
+                          / index /
+                          0: 1
+                        },
+                        / mval /
+                        1: {
+                          / version /
+                          0: {
+                            0: "1.2.3.45"
+                          },
+                          / svn /
+                          1: 45,
+                          / digests /
+                          2: [
+                            [
+                              / sha-384 /
+                              "sha-384",
+                              h'38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b'
+                            ]
+                          ],
+                          / integrity-registers: journey digest /
+                          5: [
+                            [
+                              "sha-384",
+                              h'c7ade88fc7a21498a6a5e5c385e1f68bed822b72aa63c4a9a48a3c9c8c8c8c8c8c8c8c8c8c8c8c8c8c8c8c8c8c8c8c8c'
+                            ]
+                          ]
+                        }
+                      }
+                    ]
+                  ],
+                  
+                  / Triple 2: Hardware Configuration /
+                  [
+                    / environment-map /
+                    {
+                      / class /
+                      0: {
+                        / class-id: tagged-bytes #6.560 with 4-byte identifier /
+                        0: 560(h'05060708'),
+                        / vendor /
+                        1: "ACME Inc.",
+                        / model /
+                        2: "ACME RoadRunner Trap"
+                      }
+                    },
+                    / measurement-map array /
+                    [
+                      {
+                        / mkey /
+                        0: {
+                          / index /
+                          0: 2
+                        },
+                        / mval /
+                        1: {
+                          / digests: hash of HW configuration /
+                          2: [
+                            [
+                              / sha-384 /
+                              "sha-384",
+                              h'1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef'
+                            ]
+                          ],
+                          / raw-value: fuse settings /
+                          4: h'00000001',
+                          / raw-value-mask /
+                          6: h'ffffffff'
+                        }
+                      }
+                    ]
+                  ],
+                  
+                  / Triple 3: Software Configuration /
+                  [
+                    / environment-map /
+                    {
+                      / class /
+                      0: {
+                        / class-id: tagged-bytes #6.560 with 4-byte identifier /
+                        0: 560(h'090a0b0c'),
+                        / vendor /
+                        1: "ACME Inc.",
+                        / model /
+                        2: "ACME RoadRunner Trap"
+                      }
+                    },
+                    / measurement-map array /
+                    [
+                      {
+                        / mkey /
+                        0: {
+                          / index /
+                          0: 3
+                        },
+                        / mval /
+                        1: {
+                          / raw-value: security configuration /
+                          4: h'00000003',
+                          / raw-value-mask /
+                          6: h'000000ff'
+                        }
+                      }
+                    ]
+                  ]
+                ]
+              }
+            }) >>
+          ]
+        ]
+      } >>,
+      
+      / Signature: ES384 signature bytes (96 bytes) /
+      h'3045022100ab3c8d9e7f1234567890abcdef1234567890abcdef1234567890abcdef123456022100fedcba0987654321fedcba0987654321fedcba0987654321fedcba0987654321'
+    ])
+  )
+)

specifications/ietf-eat-profile/spec.ocp

@@ -191,25 +191,28 @@ serve informational purposes:
 7. **ueid** (claim key: 256, encoded as 0x190100)
     * This claim is used by the attester to identify the attester. If present, refer to [@{ietf-rfc9711}] for acceptable values for this claim
 
-8. **oemid** (claim key: 258, encoded as 0x190102)
+8. **sueid** (claim key: 257, encoded as 0x190101)
+    * This claim is used by the attester to identify the attester at the different lifecycle stages. If present, refer to [@{ietf-rfc9711}] for acceptable values for this claim
+
+9. **oemid** (claim key: 258, encoded as 0x190102)
     * This claim is used by the attester to identify the Original Equipment Manufacturer (OEM) of the hardware. If present, refer to [@{ietf-rfc9711}] for acceptable values for this claim
 
-9. **hwmodel** (claim key: 259, encoded as 0x190103)
+10. **hwmodel** (claim key: 259, encoded as 0x190103)
     * This claim is used by the attester to differentiate hardware models, products, and variants manufactured by a particular OEM. If present, refer to [@{ietf-rfc9711}] for acceptable values for this claim
 
-10. **uptime** (claim key: 261, encoded as 0x190105)
+11. **uptime** (claim key: 261, encoded as 0x190105)
     * This claim is used by the attester to indicate the number of seconds elapsed since boot. If present, refer to [@{ietf-rfc9711}] for acceptable values for this claim
 
-11. **bootcount** (claim key: 267, encoded as 0x19010b)
+12. **bootcount** (claim key: 267, encoded as 0x19010b)
     * This claim is used by the attester to indicate the number of times the attester has booted. If present, refer to [@{ietf-rfc9711}] for acceptable values for this claim
 
-12. **bootseed** (claim key: 268, encoded as 0x19010c)
+13. **bootseed** (claim key: 268, encoded as 0x19010c)
     * This claim is used by the attester to differentiate boot sessions. If present, refer to [@{ietf-rfc9711}] for acceptable values for this claim
 
-13. **dloas** (claim key: 269, encoded as 0x19010d)
+14. **dloas** (claim key: 269, encoded as 0x19010d)
     * This claim is used by the attester to point the verifier to the endorsement repository (one example, OCP SAFE). If present, refer to [@{ietf-rfc9711}] for the claim structure.
 
-14. **rim-locators** (claim key: -70001, encoded as 0x3a00011170)
+15. **rim-locators** (claim key: -70001, encoded as 0x3a00011170)
     * This claim is used by the attester to point the verifier to the rim repository. If present, **SHALL** be an array of corim-locator-map (refer to [@{ietf-rats-corim}]).
 
 
@@ -407,5 +410,5 @@ The following example illustrates a CWT containing claims for three target envir
 * **Software (SW) Configuration**: RAW Value (e.g., Debug State)
 
 ```include {.small}
-TODO: fill in with a diag
-```
+!include diag/ocp-profile-eat-example.diag
+```