Network Working Group S. Frost Internet-Draft Arm Limited Intended status: Informational T. Fossati Expires: 5 January 2025 Linaro G. Mandyam Mediatek Inc 4 July 2024 Arm's Confidential Compute Architecture Reference Attestation Token draft-ffm-rats-cca-token-00 Abstract The Arm Confidential Compute Architecture (CCA) is series of hardware and software innovations that enhance Arm’s support for Confidential Computing for large, compute-intensive workloads. Devices that implement CCA can produce attestation tokens as described in this memo, which are the basis for trustworthiness assessment of the Confidential Compute environment. This document specifies the CCA attestation token structure and semantics. The CCA attestation token is a profile of the Entity Attestation Token (EAT). This specification describes what claims are used in an attestation token generated by CCA compliant systems, how these claims get serialized to the wire, and how they are cryptographically protected. This informational document is published as an independent submission to improve interoperability with Arm's architecture. It is not a standard nor a product of the IETF. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 5 January 2025. Frost, et al. Expires 5 January 2025 [Page 1] Internet-Draft CCA Reference Attestation Token July 2024 Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 3. CCA Attester Model . . . . . . . . . . . . . . . . . . . . . 5 4. CCA Claims . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.1. CCA Attestation Token top level wrapper . . . . . . . . . 9 4.2. CCA Platform token Claims . . . . . . . . . . . . . . . . 10 4.3. Caller Claims . . . . . . . . . . . . . . . . . . . . . . 10 4.3.1. CCA Platform Nonce . . . . . . . . . . . . . . . . . 10 4.4. Target Identification Claims . . . . . . . . . . . . . . 11 4.4.1. CCA Platform Instance ID . . . . . . . . . . . . . . 11 4.4.2. CCA Platform Implementation ID . . . . . . . . . . . 11 4.5. Target State Claims . . . . . . . . . . . . . . . . . . . 12 4.5.1. CCA Platform Profile Definition . . . . . . . . . . . 12 4.5.2. Security Lifecycle . . . . . . . . . . . . . . . . . 12 4.5.3. Platform Config . . . . . . . . . . . . . . . . . . . 15 4.6. Software Inventory Claims . . . . . . . . . . . . . . . . 16 4.6.1. Software Components . . . . . . . . . . . . . . . . . 16 4.7. Verification Claims . . . . . . . . . . . . . . . . . . . 18 4.7.1. Verification Service Indicator . . . . . . . . . . . 18 4.7.2. CCA Platform Hash Algorithm ID . . . . . . . . . . . 18 4.8. CCA Realm state token Claims . . . . . . . . . . . . . . 19 4.8.1. Realm Nonce . . . . . . . . . . . . . . . . . . . . . 19 4.8.2. CCA Platform Profile Definition . . . . . . . . . . . 19 4.8.3. Realm Personalisation Value . . . . . . . . . . . . . 20 4.8.4. Realm Initial Measurement . . . . . . . . . . . . . . 20 4.8.5. Realm Extensible Measurements . . . . . . . . . . . . 20 4.8.6. Realm Hash Algorithm Measurements . . . . . . . . . . 21 4.8.7. Realm Public Key . . . . . . . . . . . . . . . . . . 21 4.8.8. Realm Public Key Hash Algorithm ID . . . . . . . . . 21 4.9. Backwards Compatibility Considerations . . . . . . . . . 22 4.10. Token Binding . . . . . . . . . . . . . . . . . . . . . . 22 4.11. Reference Profile . . . . . . . . . . . . . . . . . . . . 23 4.11.1. Token Encoding and Signing . . . . . . . . . . . . . 23 4.11.2. Freshness Model . . . . . . . . . . . . . . . . . . 23 4.11.3. Synopsis . . . . . . . . . . . . . . . . . . . . . . 24 Frost, et al. Expires 5 January 2025 [Page 2] Internet-Draft CCA Reference Attestation Token July 2024 5. Collated CDDL . . . . . . . . . . . . . . . . . . . . . . . . 24 6. Signing key implementation alternatives . . . . . . . . . . . 25 7. CCA Attestation Token Verification . . . . . . . . . . . . . 26 7.1. AR4SI Trustworthiness Claims Mappings . . . . . . . . . . 27 7.2. Endorsements, Reference Values and Verification Key Material . . . . . . . . . . . . . . . . . . . . . . . . 28 8. Implementation Status . . . . . . . . . . . . . . . . . . . . 28 9. Security and Privacy Considerations . . . . . . . . . . . . . 29 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 10.1. CBOR Web Token Claims Registration . . . . . . . . . . . 29 10.1.1. Security Lifecycle Claim . . . . . . . . . . . . . . 29 10.1.2. Implementation ID Claim . . . . . . . . . . . . . . 30 10.1.3. Software Components Claim . . . . . . . . . . . . . 30 10.1.4. Verification Service Indicator Claim . . . . . . . . 30 10.1.5. Platform Config Claim . . . . . . . . . . . . . . . 31 10.1.6. Platform Hash Algorithm ID Clain . . . . . . . . . . 31 10.1.7. CCA Token Platform Token Label . . . . . . . . . . . 31 10.1.8. Realm Personalization Value Claim . . . . . . . . . 32 10.1.9. Realm Hash Algorithm ID Claim . . . . . . . . . . . 32 10.1.10. Realm Public Key Claim . . . . . . . . . . . . . . . 32 10.1.11. Realm Initial Measurement Claim . . . . . . . . . . 33 10.1.12. Realm Extensible Measurements Claim . . . . . . . . 33 10.1.13. Realm Public Key Hash Algorithm ID Claim . . . . . . 33 10.1.14. CCA Token Delegated Realm Token Label . . . . . . . 34 10.2. Media Types . . . . . . . . . . . . . . . . . . . . . . 34 10.3. CoAP Content-Formats Registration . . . . . . . . . . . 34 10.3.1. Registry Contents . . . . . . . . . . . . . . . . . 34 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 35 11.1. Normative References . . . . . . . . . . . . . . . . . . 35 11.2. Informative References . . . . . . . . . . . . . . . . . 36 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 38 A.1. COSE Sign1 Token . . . . . . . . . . . . . . . . . . . . 38 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 38 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 1. Introduction The Arm Confidential Compute Architecture (CCA) [CCA-ARCH] is a set of hardware [RME] and firmware [RMM] specifications, backed by a reference implementation [TF-RMM] . Frost, et al. Expires 5 January 2025 [Page 3] Internet-Draft CCA Reference Attestation Token July 2024 CCA provides confidential compute environments, called Realms, that can be dynamically allocated by the Normal world host. The initial state of a Realm, and of the platform on which it executes, can be attested. Attestation allows the Realm owner to establish trust in the Realm, before provisioning any secrets to it. The Realm does not have to inherit the trust from the Non-secure hypervisor which controls it. As outlined in the RATS Architecture [RFC9334], an Attester produces a signed collection of Claims that constitutes Evidence about its target environment. This document focuses on the output provided by requests from the Realm to the Realm Management Monitor (RMM) management component for an attestation token that covers the state of that Realm and the CCA Platform. This output corresponds to Evidence in [RFC9334] and, as a design decision, the CCA attestation token is a profile of the Entity Attestation Token (EAT) [EAT]. Note that there are other profiles of EAT available, such as [I-D.kdyxy-rats-tdx-eat-profile] and [I-D.mandyam-rats-qwestoken], for use with different use cases and by different attestation technologies. Since the CCA tokens are consumed by services outside the device, there is an actual need to ensure interoperability. Interoperability needs are addressed here by describing the exact syntax and semantics of the attestation claims, and defining the way these claims are encoded and cryptographically protected. Further details on concepts expressed below can be found in the Realm Management Monitor specification 1.0 [RMM]. As mentioned in the abstract, this memo documents a vendor extension to the RATS architecture, and is not a standard. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. The terms Attester, Relying Party, Verifier, Attestation Result, Target Environment, Attesting Environment and Evidence are defined in [RFC9334]. We use the term "receiver" to refer to Relying Parties and Verifiers. Frost, et al. Expires 5 January 2025 [Page 4] Internet-Draft CCA Reference Attestation Token July 2024 We use the terms Evidence, "CCA attestation token", and "CCA token" interchangeably. The terms "sender" and Attester are used interchangeably. Likewise, we use the terms Verifier and "verification service" interchangeably. RoT: Root of Trust, the minimal set of software, hardware and data that has to be implicitly trusted in the platform - there is no software or hardware at a deeper level that can verify that the Root of Trust is authentic and unmodified. An example of a RoT suitable for CCA would be an isolated Trusted subsystem responsible for initial measurements, lifecycle state management, identity and attestation services. The services that the RoT provides for securitization of the CCA environment are descibed as Hardware-Enforced Security (HES) - see Section B4.1.5 of [RME]. Realm-World: Realm World, provides a security state and physical address range that provides an execution environment for VMs that is isolated from the Normal and Secure worlds. The controlling firmware running in the Realm world can access memory in the Normal world to allow shared buffers. (This is similar to Trusted Execution Environment (TEE), "secure world", or "secure enclave".) Realm: the Realm execution environment, is an Arm CCA environment that can be dynamically allocated by the Normal world Host. NW-Host: Normal world host, refers to the security domain outside of the restricted Root, Secure and Realm worlds. This typically contains the host hypervisor and supervisory services. The NW-Host can allocate and manage resource allocation and can manage the scheduling for other worlds. In this document, the structure of data is specified in Concise Data Definition Language (CDDL) [RFC8610]. 3. CCA Attester Model Figure 1 outlines the structure of the CCA Attester according to the conceptual model described in Section 3.1 of [RFC9334]. Frost, et al. Expires 5 January 2025 [Page 5] Internet-Draft CCA Reference Attestation Token July 2024 .----------. | Verifier | '----------' ^ | CCA Token | | .-------------------------------------------|----------. | .-----------------------------------------|--------. | | | Attesting Environment .<------R-----. | | | | | | | | | | | | .------------. .--+--. .----+-+------. | | | | | Main | | HES | | Realm | | | | | | Bootloader +--->| RoT |<----+ Management | | | | | | | W | | R | Monitor | | | | | '-----+------' '-----' '------+------' | | | '----------|------------------------------|--------' | | | | | | .----------|------------------------------|--------. | | | | | | | | | .-----o-------. .-----o------. | | | | | Realm World | | Realm | | | | | | TCB | | State | | | | | '-------------' '------------' | | | | Target Environment | | | '--------------------------------------------------' | '------------------------------------------------------' Legend: ---> read ---> write ---o measure R W Figure 1: CCA Attester The CCA Attester is a relatively straightforward embodiment of the RATS Attester with exactly one Attesting Environment and one or more Target Environments. The Attesting Environment is responsible for collecting the information to be represented in CCA claims and to assemble them into Evidence. It is made of three cooperating components: * The Main Bootloader, executing at boot-time, measures the trusted computing base (TCB) of the Realm World * i.e., loaded firmware components and sends them to the HES RoT to be stored isolated. (CCA Platform Boot State). See Figure 2. Frost, et al. Expires 5 January 2025 [Page 6] Internet-Draft CCA Reference Attestation Token July 2024 i-th Target Main Boot HES Environment Loader RoT | | | .--------|-------------|-------------|----. | loop i | | | | | | measure | | | | |o------------+ | | | | | write | | | | | measurement | | | | +------------>| | '--------|-------------|-------------|----' | | | Figure 2: CCA Attester Boot Phase * The Realm Management Monitor (RMM), executing at run-time, maintains measurements for the state of a Realm. It can respond to requests issued from a Realm for an attestation token relevant for that Realm by obtaining a CCA Platform attestation token from the HES RoT and combining that with an attestation token containing Evidence reflecting Realm state. * The HES RoT, executing at run-time, maintains measurements for the state of the CCA platform TCB, including the lifecycle state of the CCA platform. It can answer requests coming from the RMM to collect and format claims corresponding to that state and use a CCA Platform Attestation Key (CPAK) to sign them. How the CPAK is derived is implementation-specific. See Figure 3. Frost, et al. Expires 5 January 2025 [Page 7] Internet-Draft CCA Reference Attestation Token July 2024 HES Realm RoT Manager Verifier | | | -----------+---------------+-----------+---- | | | Platform | | | Boot | | | State | Req. Platform | | | | Token (#RAK) | | | |<--------------+ | v | | | Platform <-| | | Token ->| | | | | | <---| | | sign | | | --->| Plat Token | | +-------------->| | | | | | Realm | | | State | | | | | | | | | | | v | | | Realm | | | Token | | | .---+ | | sign | | | | '-->| | | | | | | | | | CCA Token | | +---------->| | | | Figure 3: CCA Attester Run-time Phase The Target Environment consists of two elements: * Realm World TCB - hardware, firmware and configuration contributions. * Individual state of a Realm - measurements of the initial state of the Realm and dynamic measurements provided by Realm guest code. A reference implementation of the CCA Attester is provided by [TF-RMM]. Frost, et al. Expires 5 January 2025 [Page 8] Internet-Draft CCA Reference Attestation Token July 2024 4. CCA Claims This section describes the claims to be used in a CCA reference attestation token. There are two logical sections within the CCA attestation token, relating to the two Target Environment elements: * The CCA Platform token * The Realm state token The two sections use inter-related claims to bind together into a single logical unit. See Section 9 for more details. The above tokens are presented to the requester within a top level Conceptual Message WWrapper (CMW) collection [CMW]. CDDL [RFC8610] along with text descriptions is used to define each claim independent of encoding. The following CDDL type(s) are reused by different claims: arm-platform-hash-type = bytes .size 32 / bytes .size 48 / bytes .size 64 Two conventions are used to encode the Right-Hand-Side (RHS) of a claim: the postfix -label is used for EAT-defined claims, and the postfix -key for PSA-originated claims. 4.1. CCA Attestation Token top level wrapper The above tokens are presented to the requester within a top level CMW collection [CMW]. The collection map has two entries, one for a bstr encoding of the CCA Platform token and the other for a bstr encoding of the Realm state token/ Frost, et al. Expires 5 January 2025 [Page 9] Internet-Draft CCA Reference Attestation Token July 2024 cca-token = #6.399(cca-token-collection) ; CMW (draft-ietf-rats-msg-wrap) Collection cca-platform-token = bstr .cbor COSE_Sign1_Tagged cca-realm-delegated-token = bstr .cbor COSE_Sign1_Tagged cca-token-collection = { 44234 => cca-platform-token ; 44234 = 0xACCA 44241 => cca-realm-delegated-token } ; EAT standard definitions COSE_Sign1_Tagged = #6.18(COSE_Sign1) ; Deliberately shortcut these definitions until EAT is finalised and able to ; pull in the full set of definitions COSE_Sign1 = "COSE-Sign1 placeholder" 4.2. CCA Platform token Claims 4.3. Caller Claims 4.3.1. CCA Platform Nonce The Nonce claim is used to carry a challenge provided by the caller to demonstrate freshness of the generated token. The EAT [EAT] nonce (claim key 10) is used. Since the EAT nonce claim offers flexiblity for different attestation technologies, this specifications applies the following constraints to the nonce-type: * The length MUST be either 32, 48, or 64 bytes. * Only a single nonce value is conveyed. The array notation MUST NOT be used for encoding the nonce value. Where the CCA Platform implementation uses the Delegated Token signing model Section 4.10, the value of the Nonce claim will be a hash of the Realm Public Key claim of the CCA Realm State token Section 4.8.7. This claim MUST be present in a CCA Platform attestation token. arm-platform-challenge-label = 10 arm-platform-challenge = ( arm-platform-challenge-label => arm-platform-hash-type ) Frost, et al. Expires 5 January 2025 [Page 10] Internet-Draft CCA Reference Attestation Token July 2024 4.4. Target Identification Claims 4.4.1. CCA Platform Instance ID The Instance ID claim represents the unique identifier of the Platform Attestation Key (PAK). The EAT ueid (claim key 256) of type RAND is used. The following constraints apply to the ueid-type: * The length MUST be 33 bytes. * The first byte MUST be 0x01 (RAND) followed by the 32-byte unique identifier of the PAK. This claim MUST be present in a CCA Platform attestation token. arm-platform-instance-id-label = 256 ; EAT ueid ; TODO: require that the first byte of arm-platform-instance-id-type is 0x01 ; EAT UEIDs need to be 7 - 33 bytes arm-platform-instance-id-type = bytes .size 33 arm-platform-instance-id = ( arm-platform-instance-id-label => arm-platform-instance-id-type ) 4.4.2. CCA Platform Implementation ID The Implementation ID claim uniquely identifies the implementation of the CCA Platform. A verification service uses this claim to locate the details of the CCA Platform implementation from an Endorser or manufacturer. Such details are used by a verification service to determine the security properties or certification status of the CCA Platform implementation. The value and format of the ID is decided by the manufacturer or a particular certification scheme. For example, the ID could take the form of a product serial number, database ID, or other appropriate identifier. This claim MUST be present in a CCA Platform attestation token. Note that this identifies the CCA Platform implementation, not a particular instance. To uniquely identify an instance, see the Instance ID claim Section 4.4.1. Frost, et al. Expires 5 January 2025 [Page 11] Internet-Draft CCA Reference Attestation Token July 2024 arm-platform-implementation-id-label = 2396 ; PSA implementation ID arm-platform-implementation-id-type = bytes .size 32 arm-platform-implementation-id = ( arm-platform-implementation-id-label => arm-platform-implementation-id-type ) 4.5. Target State Claims 4.5.1. CCA Platform Profile Definition The CCA platform profile claim identifies the EAT profile to which the CCA platform token conforms. This allows a receiver to assign the intended semantics to the rest of the claims found in the token. The EAT eat_profile (claim key 265) is used. The format of the CCA platform profile claim is defined as a text string of value "tag:arm.com,2023:cca#1.0.0". This claim MUST be present in a CCA Platform attestation token. See Section 4.9, for considerations about backwards compatibility with previous versions of the CCA Platform attestation token format. cca-platform-profile-label = 265 ; EAT profile cca-platform-profile-type = "tag:arm.com,2023:cca_platform#1.0.0" cca-platform-profile = ( cca-platform-profile-label => cca-platform-profile-type ) 4.5.2. Security Lifecycle The Security Lifecycle claim represents the current lifecycle state of the CCA Platform. The state is represented by an integer that is divided as follows: * major[15:8] - CCA Platform security lifecycle state, and * minor[7:0] - IMPLEMENTATION DEFINED state. The CCA Platform lifecycle states are illustrated in Figure 4. A non debugged CCA platform will be in psa-lifecycle-secured state. Realm Management Security Domain debug is always recoverable, and would therefore be represented by psa-lifecycle-non-psa-rot-debug state. Frost, et al. Expires 5 January 2025 [Page 12] Internet-Draft CCA Reference Attestation Token July 2024 Root world debug is recoverable on a HES system and would be represented by psa-lifecycle-recoverable-psa-rot state. On a non-HES system Root world debug is usually non-recoverable, and would be represented by psa-lifecycle-lifecycle-decommissioned state This claim MUST be present in a CCA Platform attestation token. .--------------------------. | Device Assembly and Test | '------------+-------------' | Device | Lockdown v .----------------------------. | CCA Security Provisioning | '-----------+----------------' | Provisioning | .---------------------. Lockdown | | | v v | .----------------. |Recoverable .--------------+ Secured +--------. | | '-+--------------' | | Non | ^ Recoverable | Recoverable RM Debug | Root Debug | Root Debug Enable | | | | | | | | | v | v | | .---------- -+--. .-------+-. | | Realm Manager | | Root | | | Debug | | Debug | | '---------------' '--+------' | | | .---------------. | '----------->+ Terminate +<----------' '---------------' | | v .----------------. | Decommissioned | '----------------' Figure 4: CCA Platform Lifecycle States The CDDL representation is shown below. Table 1 provides the mappings between Figure 4 and the data model. Frost, et al. Expires 5 January 2025 [Page 13] Internet-Draft CCA Reference Attestation Token July 2024 arm-platform-lifecycle-label = 2395 ; PSA lifecycle arm-platform-lifecycle-unknown-type = 0x0000..0x00ff arm-platform-lifecycle-assembly-and-test-type = 0x1000..0x10ff arm-platform-lifecycle-arm-platform-rot-provisioning-type = 0x2000..0x20ff arm-platform-lifecycle-secured-type = 0x3000..0x30ff arm-platform-lifecycle-non-arm-platform-rot-debug-type = 0x4000..0x40ff arm-platform-lifecycle-recoverable-arm-platform-rot-debug-type = 0x5000..0x50ff arm-platform-lifecycle-decommissioned-type = 0x6000..0x60ff arm-platform-lifecycle-type = arm-platform-lifecycle-unknown-type / arm-platform-lifecycle-assembly-and-test-type / arm-platform-lifecycle-arm-platform-rot-provisioning-type / arm-platform-lifecycle-secured-type / arm-platform-lifecycle-non-arm-platform-rot-debug-type / arm-platform-lifecycle-recoverable-arm-platform-rot-debug-type / arm-platform-lifecycle-decommissioned-type arm-platform-lifecycle = ( arm-platform-lifecycle-label => arm-platform-lifecycle-type ) psa-lifecycle-unknown-type is not shown in Figure 4; it represents an invalid state that must not occur in a system. Frost, et al. Expires 5 January 2025 [Page 14] Internet-Draft CCA Reference Attestation Token July 2024 +==============================================+====================+ | CDDL | Lifecycle | | | States | +==============================================+====================+ | psa-lifecycle-unknown-type | | +----------------------------------------------+--------------------+ | psa-lifecycle-assembly-and-test-type | Assembly and | | | Test | +----------------------------------------------+--------------------+ | psa-lifecycle-psa-rot-provisioning-type | CCA Platform | | | Provisioning | +----------------------------------------------+--------------------+ | psa-lifecycle-secured-type | Secured | +----------------------------------------------+--------------------+ | psa-lifecycle-non-psa-rot-debug-type | Non-Recoverable | | | CCA Platform | | | Debug | +----------------------------------------------+--------------------+ | psa-lifecycle-recoverable-psa-rot-debug-type | Recoverable CCA | | | Platform Debug | +----------------------------------------------+--------------------+ | psa-lifecycle-decommissioned-type | Decommissioned | +----------------------------------------------+--------------------+ Table 1: Lifecycle States Mappings 4.5.3. Platform Config The CCA platform config claim describes the set of chosen implementation options of the CCA platform. As an example, these may include a description of the level of physical memory protection which is provided. The CCA platform config claim is expected to contain the System Properties field which is present in the Root Non-volatile Storage (RNVS) public parameters. This claim MUST be present in a CCA Platform attestation token. arm-platform-config-label = 2401 ; PSA platform range ; TBD: add to IANA registration arm-platform-config-type = bytes arm-platform-config = ( arm-platform-config-label => arm-platform-config-type ) Frost, et al. Expires 5 January 2025 [Page 15] Internet-Draft CCA Reference Attestation Token July 2024 4.6. Software Inventory Claims 4.6.1. Software Components The Software Components claim is a list of software components which can affect the behavior of the CCA platform. This claim MUST be present in a CCA Platform attestation token. Each entry in the Software Components list describes one software component using the attributes described in the following subsections. Unless explicitly stated, the presence of an attribute is OPTIONAL. Note that, as described in [RFC9334], a relying party will typically see the result of the appraisal process from the Verifier in form of an Attestation Result, rather than the CCA Platform token from the attesting endpoint. Therefore, a relying party is not expected to understand the Software Components claim. Instead, it is for the Verifier to check this claim against the available Reference Values and provide an answer in form of an "high level" Attestation Result, which may or may not include the original Software Components claim. arm-platform-sw-components-label = 2399 ; PSA software components arm-platform-sw-component = { ? 1 => text, ; component type 2 => arm-platform-hash-type, ; measurement value ? 4 => text, ; version 5 => arm-platform-hash-type, ; signer id ? 6 => text, ; hash algorithm identifier } arm-platform-sw-components = ( arm-platform-sw-components-label => [ + arm-platform-sw-component ] ) 4.6.1.1. Component Type The Component Type attribute (key=1) is a short string representing the role of this software component. This attribute is intended for use as a hint to help the verifier understand how to evaluate the CCA platform software component measurement value. This attribute is optional in a CCA Platform software component. Frost, et al. Expires 5 January 2025 [Page 16] Internet-Draft CCA Reference Attestation Token July 2024 4.6.1.2. Measurement Value The Measurement Value attribute (key=2) represents a hash of the invariant software component in memory at the time it was initialized. The value MUST be a cryptographic hash of 256 bits or stronger. This attribute MUST be present in a PSA software component. 4.6.1.3. Version The Version attribute (key=4) is the issued software version in the form of a text string. The meaning of this string is defined by the software component vendor. This attribute is optional in a CCA Platform software component. 4.6.1.4. Signer ID The Signer ID attribute (key=5) uniquely identifies the signer of the software component. The identification is typically accomplished by hashing the signer's public key. The value of this attribute will correspond to the entry in the original manifest for the component. This can be used by a Verifier to ensure the components were signed by an expected trusted source. This attribute MUST be present in a CCA Platform software component. 4.6.1.5. Measurement Description The Measurement Description attribute (key=6) contains a string identifying the hash algorithm used to compute the corresponding Measurement Value. The string SHOULD be encoded according to "Hash Name String" in the "Named Information Hash Algorithm Registry" [IANA.named-information]. 4.6.1.6. Measurement Description The Measurement Description attribute (key=6) contains a string identifying the hash algorithm used to compute the corresponding Measurement Value. The string SHOULD be encoded according to "Hash Name String" in the "Named Information Hash Algorithm Registry" [IANA.named-information]. Frost, et al. Expires 5 January 2025 [Page 17] Internet-Draft CCA Reference Attestation Token July 2024 4.7. Verification Claims The following claims are part of the CCA Platform token (and therefore still Evidence) but aim to help receivers, including relying parties, with the processing of the received attestation Evidence. 4.7.1. Verification Service Indicator The Verification Service Indicator claim is a hint used by a relying party to locate a verification service for the token. The value is a text string that can be used to locate the service (typically, a URL specifying the address of the verification service API). A Relying Party may choose to ignore this claim in favor of other information. arm-platform-verification-service-label = 2400 ; PSA verification service arm-platform-verification-service-type = text arm-platform-verification-service = ( arm-platform-verification-service-label => arm-platform-verification-service-type ) It is assumed that the relying party is pre-configured with a list of trusted verification services and that the contents of this hint can be used to look up the correct one. Under no circumstances must the relying party be tricked into contacting an unknown and untrusted verification service since the returned Attestation Result cannot be relied on. Note: This hint requires the relying party to parse the content of the CCA Platform token. Since the relying party may not be in possession of a trust anchor to verify the digital signature, it uses the hint in the same way as it would treat any other information provided by an external party, which includes attacker-provided data. 4.7.2. CCA Platform Hash Algorithm ID The CCA platform hash algorithm ID claim is a text string that identifies the algorithm used to calculate the extended measurements in the CCA platform token. The string SHOULD be encoded according to "Hash Name String" in the "Named Information Hash Algorithm Registry" [IANA.named-information]. The CCA platform hash algorithm ID claim MUST be present in a CCA platform token. Frost, et al. Expires 5 January 2025 [Page 18] Internet-Draft CCA Reference Attestation Token July 2024 arm-platform-hash-algo-id-label = 2402 ; PSA platform range ; TBD: add to IANA registration arm-platform-hash-algo-id = ( arm-platform-hash-algo-id-label => text ) 4.8. CCA Realm state token Claims The CCA Realm state token contains claims that represent the Target Environment that is the Realm that requested the attestation report. 4.8.1. Realm Nonce The Nonce claim is used to carry a challenge provided by the caller to demonstrate freshness of the generated token. The EAT [EAT] nonce (claim key 10) is used. Since the EAT nonce claim offers flexiblity for different attestation technologies, this specification applies the following constraints to the nonce-type: * The length MUST be either 32, 48, or 64 bytes. * Only a single nonce value is conveyed. The array notation MUST NOT be used for encoding the nonce value. This claim MUST be present in a CCA Realm state attestation token. cca-realm-challenge-label = 10 cca-realm-challenge-type = bytes .size 64 cca-realm-challenge = ( cca-realm-challenge-label => cca-realm-challenge-type ) 4.8.2. CCA Platform Profile Definition The Realm profile claim identifies the EAT profile to which the Realm token conforms. This allows a receiver to assign the intended semantics to the rest of the claims found in the token. The EAT eat_profile (claim key 265) is used. The format of the CCA platform profile claim is defined as a text string of value "tag:arm.com,2023:realm#1.0.0". Frost, et al. Expires 5 January 2025 [Page 19] Internet-Draft CCA Reference Attestation Token July 2024 This claim is OPTIONAL in a CCA Realm attestation token. If the Realm profile is not included in a CCA Realm token then the profile value used in the CCA Platform token should refer to a profile that describes both Platform and Realm claims. cca-realm-profile-label = 265 ; EAT profile cca-realm-profile-type = "tag:arm.com,2023:realm#1.0.0" cca-realm-profile = ( cca-realm-profile-label => cca-realm-profile-type ) 4.8.3. Realm Personalisation Value The Realm Personalization Value (RPV) claim contains the RPV which was provided at Realm creation. This claim MUST be present in a CCA Realm state attestation token. cca-realm-personalization-value-label = 44235 cca-realm-personalization-value-type = bytes .size 64 cca-realm-personalization-value = ( cca-realm-personalization-value-label => cca-realm-personalization-value-type ) 4.8.4. Realm Initial Measurement The Realm Initial Measurement claim contains the measurements taken of Realm state before the Realm is activated. This claim MUST be present in a CCA Realm state attestation token. cca-realm-initial-measurement-label = 44238 cca-realm-initial-measurement = ( cca-realm-initial-measurement-label => cca-realm-measurement-type ) 4.8.5. Realm Extensible Measurements The Realm Extensible Measurements claim contains measurements provided by Realm guest software and extended to the set of Realm Extensible Measurements maintained by the RMM. This claim MUST be present in a CCA Realm state attestation token. Frost, et al. Expires 5 January 2025 [Page 20] Internet-Draft CCA Reference Attestation Token July 2024 cca-realm-extensible-measurements-label = 44239 cca-realm-extensible-measurements = ( cca-realm-extensible-measurements-label => [ 4*4 cca-realm-measurement-type ] ) 4.8.6. Realm Hash Algorithm Measurements The Realm hash algorithm ID claim identifies the algorithm used to calculate all hash values which are present in the Realm token. The string value of the claim SHOULD be encoded according to "Hash Name String" in the "Named Information Hash Algorithm Registry" [IANA.named-information]. This claim MUST be present in a CCA Realm state attestation token. cca-realm-hash-algo-id-label = 44236 cca-realm-hash-algo-id = ( cca-realm-hash-algo-id-label => text ) 4.8.7. Realm Public Key The Realm public key claim identifies the attestation key which is used to sign the Realm token The value of the Realm public key claim is a byte string representation of a COSE_Key. This claim MUST be present in a CCA Realm state attestation token. cca-realm-public-key-label = 44237 ; See RFC8152 for definition of COSE_Key cca-realm-public-key-type = bstr .cbor COSE_Key cca-realm-public-key = ( cca-realm-public-key-label => cca-realm-public-key-type ) 4.8.8. Realm Public Key Hash Algorithm ID The Realm public key hash algorithm identifier claim identifies the algorithm used to hash the value of the Realm Public Key claim Section 4.8.7 such that it can be presented as a Challenge for the bound CCA Platform token Section 4.10. Frost, et al. Expires 5 January 2025 [Page 21] Internet-Draft CCA Reference Attestation Token July 2024 This claim MUST be present in a CCA Realm state attestation token. cca-realm-public-key-hash-algo-id-label = 44240 cca-realm-public-key-hash-algo-id = ( cca-realm-public-key-hash-algo-id-label => text ) 4.9. Backwards Compatibility Considerations This profile conforms to the claims in the Beta2 release of the 1.0 release of the Realm Management Monitor specification. [RMM]. There has not been a prior release of this specification to the 1.0 release. Hence this section is a place holder for claim changes introduced in future releases. 4.10. Token Binding The reference implementation uses a 'Delegated Model' for token signing. In this model, the completion of signing operations for the CCA token is delegated from the CCA Platform RoT to the RMM. When the RMM initialises, it obtains a 'Realm Attestation Token' (RAK) signing key pair from the CCA Platform RoT. The public part of that key pair is hashed and used as a challenge to obtain a CCA Platform token (signed by the CCA Platform RoT). When guest code in a Realm requests a CCA Attestation token, the RMM prepares a Realm state token, signed by the RAK private key, then wraps both tokens in a CMW Collection. The two tokens are bound together by the Nonce claim in the CCA Platform token having the same value as a hash of the Realm Public key claim in the Realm state token (using the hash algorithm identified by the Realm Public Key Hash Algorithm ID claim). A verifier MUST check this binding is valid when verifying a CCA Attestation token. An implementation may choose instead a 'Direct Model'. In this model, when guest code in a Realm requests a CCA Attestation token, the RMM prepares a Realm state claim set, but does not wrap it in a CMW. Instead, the claim set is hashed and this value is used as a Challenge to obtain a CCA Platform token, signed by the CCA Platform RoT. The CCA Platform and Realm state claim set are presented within a CMW Collection as in the Delegated model. The two parts of the collection are bound together by the Nonce claim in the CCA Platform token having the same value as the hash of the Realm state claim set. If the Direct Model is used, the CCA Platform profile claim Section 4.5.1 MUST have a different value from the reference profile. The map value within the CCA Attestation token CMW Collection for the Realm state claim set MUST also have a different value to that used Frost, et al. Expires 5 January 2025 [Page 22] Internet-Draft CCA Reference Attestation Token July 2024 for a Realm state CMW token. In such a profile, the Realm Public Key Section 4.8.7 and Realm Public Key Hash Algorithm ID Section 4.8.8 claims will not be used. 4.11. Reference Profile 4.11.1. Token Encoding and Signing The CCA attestation token is encoded in CBOR [STD94] format. The CBOR representation of a CCA attestation token MUST be "valid" according to the definition in Section 1.2 of [STD94]. Besides, only definite-length string, arrays, and maps are allowed. Given that a PSA Attester is typically found in a constrained device, it MAY NOT emit CBOR preferred serializations (Section 4.1 of [STD94]). Therefore, the Verifier MUST be a variation-tolerant CBOR decoder. TODO.... need different narrative from IoT reasons... Cryptographic protection is obtained by wrapping the CCA Platform and Realm state claims-set in a COSE Web Token (CWT) [RFC8392]. The signature structure MUST be a tagged (18) COSE_Sign1. Acknowledging the variety of markets, regulations and use cases in which the CCA attestation token can be used, the baseline profile does not impose any strong requirement on the cryptographic algorithms that need to be supported by Attesters and Verifiers. The flexibility provided by the COSE format should be sufficient to deal with the level of cryptographic agility needed to adapt to specific use cases. It is RECOMMENDED that commonly adopted algorithms are used, such as those discussed in [COSE-ALGS]. It is expected that receivers will accept a wider range of algorithms, while Attesters would produce CCA tokens using only one such algorithm. The CCA Platform token is always directly signed by the CCA Platform RoT. Therefore, the CCA claims-set is never carried in a Detached EAT bundle (Section 5 of [EAT]). 4.11.2. Freshness Model The CCA token supports the freshness models for attestation Evidence based on nonces and epoch handles (Section 10.2 and Section 10.3 of [RFC9334]) using the nonce claim to convey the nonce or epoch handle supplied by the Verifier. No further assumption on the specific remote attestation protocol is made. Frost, et al. Expires 5 January 2025 [Page 23] Internet-Draft CCA Reference Attestation Token July 2024 Note that use of epoch handles is constrained by the type restrictions imposed by the eat_nonce syntax. For use in CCA tokens, it must be possible to encode the epoch handle as an opaque binary string between 8 and 64 octets. 4.11.3. Synopsis Table 2 presents a concise view of the requirements described in the preceding sections. +==================+=============================================+ | Issue | Profile Definition | +==================+=============================================+ | CBOR/JSON | CBOR MUST be used | +------------------+---------------------------------------------+ | CBOR Encoding | Definite length maps and arrays MUST be | | | used | +------------------+---------------------------------------------+ | CBOR Encoding | Definite length strings MUST be used | +------------------+---------------------------------------------+ | CBOR | Variant serialization MAY be used | | Serialization | | +------------------+---------------------------------------------+ | COSE Protection | COSE_Sign1 MUST be used | +------------------+---------------------------------------------+ | Algorithms | [COSE-ALGS] SHOULD be used | +------------------+---------------------------------------------+ | Detached EAT | Detached EAT bundles MUST NOT be sent | | Bundle Usage | | +------------------+---------------------------------------------+ | Verification Key | Any identification method listed in | | Identification | Appendix F.1 of [EAT] | +------------------+---------------------------------------------+ | Endorsements | See Section 7.2 | +------------------+---------------------------------------------+ | Freshness | nonce or epoch ID based | +------------------+---------------------------------------------+ | Claims | Those defined in Section 4. As per general | | | EAT rules, the receiver MUST NOT error out | | | on claims it does not understand. | +------------------+---------------------------------------------+ Table 2: Baseline Profile 5. Collated CDDL TODO...include cddl/cca-attestation.cddl Frost, et al. Expires 5 January 2025 [Page 24] Internet-Draft CCA Reference Attestation Token July 2024 6. Signing key implementation alternatives In the CCA Platform reference design, PAKs (Section 3, Paragraph 8) are raw public keys. Some implementations may choose to use an PAK that is a certified public key. If this option is taken, the value of the CCA Platform Profile Definition claim Section 4.5.1 MUST be altered from the reference implementation value. TODO... perhaps lose this justification section as... Certified public keys require the manufacturer to run the certification authority (CA) that issues X.509 certs for the PAKs. (Note that operating a CA is a complex and expensive task that may be unaffordable to certain manufacturers.) Using certified public keys offers better scalability properties when compared to using raw public keys, namely: * storage requirements for the Verifier are minimised - the same manufacturer's trust anchor is used for any number of devices, * the provisioning model is simpler and more robust since there is no need to notify the Verifier about each newly manufactured device, Furthermore, existing and well-understood revocation mechanisms can be readily used. TODO... ...to here The PAK's X.509 cert can be inlined in the CCA Platform token using the x5chain COSE header parameter [COSE-X509] at the cost of an increase in the CCA Platform token size. Note that the exact split between pre-provisioned and inlined certs may vary depending on the specific deployment. In that respect, x5chain is quite flexible: it can contain the end-entity (EE) cert only, the EE and a partial chain, or the EE and the full chain up to the trust anchor (see Section 2 of [COSE-X509] for the details). TODO...lose following as IoT centric?? :: Constraints around network bandwidth and computing resources available to endpoints, such as network buffers, may dictate a reasonable split point. Frost, et al. Expires 5 January 2025 [Page 25] Internet-Draft CCA Reference Attestation Token July 2024 7. CCA Attestation Token Verification To verify the token for the reference profile, the initial need is to check correct encoding for the token. Primary trust is established by checking the signing of the CCA Platform token CWT. The key used for verification is supplied to the Verifier by an authorized Endorser along with the corresponding Attester's Instance ID. For the verifier, the CCA Platform Instance ID Section 4.4.1 claim is used to assist locating the key used to verify the signature covering the CCA Platform CWT token. The verifier can also be supplied with the information that the key instance has been revoked and is no longer valid. Additional validation checks on the token are: * Checking that the binding between the CCA Platform token and the Realm state token is valid Section 4.10}. This has the side effect of establishing the trustworthiness of the RAK public key. * Validating that the Realm state token is correctly signed by the RAK. * Checking that the value of the lll claim is psa-lifecycle-secured state. Note that some other values of this claim (psa-lifecycle- non-psa-rot-debug and psa-lifecycle-recoverable-psa-rot states) may indicate that the attester is only temporarily unsuitable and the verifier may choose the to indicate this as a contraindication rather than a full verification failure. See discussion of the CCA platform lifecycle in [RMM]. The Verifier will typically operate a policy where values of some of the claims in this profile can be compared to reference values, registered with the Verifier for a given deployment, in order to confirm that the device is endorsed by the manufacturer supply chain. The policy may require that the relevant claims must have a match to a registered reference value. All claims may be worthy of additional appraisal. It is likely that most deployments would include a policy with appraisal for the following claims: * Implementation ID - the value of the Implementation ID can be used to identify the verification requirements of the deployment. Frost, et al. Expires 5 January 2025 [Page 26] Internet-Draft CCA Reference Attestation Token July 2024 * Software Component, Measurement Value - this value can uniquely identify a firmware release from the supply chain. In some cases, a Verifier may maintain a record for a series of firmware releases, being patches to an original baseline release. A verification policy may then allow this value to match any point on that release sequence or expect some minimum level of maturity related to the sequence. * Software Component, Signer ID - where present in a deployment, this could allow a Verifier to operate a more general policy than that for Measurement Value as above, by allowing a token to contain any firmware entries signed by a known Signer ID, without checking for a uniquely registered version. 7.1. AR4SI Trustworthiness Claims Mappings [RATS-AR4SI] defines an information model that Verifiers can employ to produce Attestation Results. AR4SI provides a set of standardized appraisal categories and tiers that greatly simplifies the task of writing Relying Party policies in multi-attester environments. The contents of Table 3 are intended as guidance for implementing a PSA Verifier that computes its results using AR4SI. The table describes which PSA Evidence claims (if any) are related to which AR4SI trustworthiness claim, and therefore what the Verifier must consider when deciding if and how to appraise a certain feature associated with the PSA Attester. Frost, et al. Expires 5 January 2025 [Page 27] Internet-Draft CCA Reference Attestation Token July 2024 +===================+=============================================+ | Trustworthiness | Related PSA claims | | Vector claims | | +===================+=============================================+ | configuration | Software Components (Section 4.6.1) | +-------------------+---------------------------------------------+ | executables | ditto | +-------------------+---------------------------------------------+ | file-system | N/A | +-------------------+---------------------------------------------+ | hardware | Implementation ID (Section 4.4.2) and CCA | | | Platform config (TODO) | +-------------------+---------------------------------------------+ | instance-identity | Instance ID (Section 4.4.1). The Security | | | Lifecycle (Section 4.5.2) can also impact | | | the derived identity. | +-------------------+---------------------------------------------+ | runtime-opaque | Indirectly derived from executables, | | | hardware, and instance-identity. The | | | Security Lifecycle (Section 4.5.2) can also | | | be relevant: for example, any debug state | | | will expose otherwise protected memory. | +-------------------+---------------------------------------------+ | sourced-data | N/A | +-------------------+---------------------------------------------+ | storage-opaque | Indirectly derived from executables, | | | hardware, and instance-identity. | +-------------------+---------------------------------------------+ Table 3: AR4SI Claims mappings This document does not prescribe what value must be chosen based on each possible situation: when assigning specific Trustworthiness Claim values, an implementation is expected to follow the algorithm described in Section 2.3.3 of [RATS-AR4SI]. 7.2. Endorsements, Reference Values and Verification Key Material The *TODO* ref-to-CCA-Endorsements defines a protocol based on the [RATS-CoRIM] data model that can be used to convey CCA Endorsements, Reference Values and verification key material to the Verifier. TODO... perhaps redact this section until a cca-endorsements draft is available? 8. Implementation Status // RFC Editor: please remove this section before pubblication. Frost, et al. Expires 5 January 2025 [Page 28] Internet-Draft CCA Reference Attestation Token July 2024 Implementations of this specification are provided by the Trusted Firmware-RMM project [TF-RMM] and the Veraison project [Veraison]. These implementations are released as open-source software. 9. Security and Privacy Considerations This specification re-uses the EAT specification and therefore the CWT specification. Hence, the security and privacy considerations of those specifications apply here as well. TODO... questionable ability to execute on this as anyone can call RSI?? A PSA Attester MUST NOT provide Evidence to an untrusted challenger, as it may allow attackers to interpose and trick the Verifier into believing the attacker is a legitimate Attester. This is especially relevant to protocols that use PSA attestation tokens to authenticate the attester to a relying party. Attestation tokens contain information that may be unique to a device and therefore they may allow singling out an individual device for tracking purposes. Deployments that have privacy requirements must take appropriate measures to ensure that the token is only used to provision anonymous/pseudonym keys. 10. IANA Considerations 10.1. CBOR Web Token Claims Registration IANA is requested to make permanent the following claims that have been assigned via early allocation in the "CBOR Web Token (CWT) Claims" registry [IANA-CWT]. 10.1.1. Security Lifecycle Claim * Claim Name: arm-platform-security-lifecycle * Claim Description: Arm Platform Security Lifecycle * JWT Claim Name: N/A * Claim Key: 2395 * Claim Value Type(s): unsigned integer * Change Controller: Hannes Tschofenig TODO... find document centric change controller... * Specification Document(s): Section 4.5.2 of RFCthis Frost, et al. Expires 5 January 2025 [Page 29] Internet-Draft CCA Reference Attestation Token July 2024 10.1.2. Implementation ID Claim * Claim Name: arm-platform-implementation-id * Claim Description: Arm Platform Implementation ID * JWT Claim Name: N/A * Claim Key: 2396 * Claim Value Type(s): byte string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.4.2 of RFCthis 10.1.3. Software Components Claim * Claim Name: arm-platform-software-components * Claim Description: Arm Platform Software Components * JWT Claim Name: N/A * Claim Key: 2399 * Claim Value Type(s): array * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.6.1 of RFCthis 10.1.4. Verification Service Indicator Claim * Claim Name: arm-platform-verification-service-indicator * Claim Description: Arm Platform Verification Service Indicator * JWT Claim Name: N/A * Claim Key: 2400 * Claim Value Type(s): text string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.7.1 of RFCthis Frost, et al. Expires 5 January 2025 [Page 30] Internet-Draft CCA Reference Attestation Token July 2024 10.1.5. Platform Config Claim * Claim Name: arm-platform-config * Claim Description: Arm Platform Configuration * JWT Claim Name: N/A * Claim Key: 2401 * Claim Value Type(s): byte string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.5.3 of RFCthis 10.1.6. Platform Hash Algorithm ID Clain * Claim Name: arm-platform-hash-algm-id * Claim Description: Arm Platform Hash Algorithm ID * JWT Claim Name: N/A * Claim Key: 2402 * Claim Value Type(s): text string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.7.2 of RFCthis 10.1.7. CCA Token Platform Token Label * Claim Name: cca-platform-token-label * Claim Description: CCA Token Platform Token Label * JWT Claim Name: N/A * Claim Key: 44234 * Claim Value Type(s): byte string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.1 of RFCthis Frost, et al. Expires 5 January 2025 [Page 31] Internet-Draft CCA Reference Attestation Token July 2024 10.1.8. Realm Personalization Value Claim * Claim Name: cca-realm-personalization-value * Claim Description: CCA Realm Personalisation Value * JWT Claim Name: N/A * Claim Key: 44235 * Claim Value Type(s): byte string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.8.3 of RFCthis 10.1.9. Realm Hash Algorithm ID Claim * Claim Name: cca-realm-hash-algm-id * Claim Description: CCA Realm Hash Algorithm ID * JWT Claim Name: N/A * Claim Key: 44236 * Claim Value Type(s): text string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.8.6 of RFCthis 10.1.10. Realm Public Key Claim * Claim Name: cca-realm-public-key * Claim Description: CCA Realm Public Key * JWT Claim Name: N/A * Claim Key: 44237 * Claim Value Type(s): byte string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.8.7 of RFCthis Frost, et al. Expires 5 January 2025 [Page 32] Internet-Draft CCA Reference Attestation Token July 2024 10.1.11. Realm Initial Measurement Claim * Claim Name: cca-realm-initial-measurement * Claim Description: CCA Realm Initial Measurement * JWT Claim Name: N/A * Claim Key: 44238 * Claim Value Type(s): byte string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.8.4 of RFCthis 10.1.12. Realm Extensible Measurements Claim * Claim Name: cca-realm-extensible-measurements * Claim Description: CCA Realm Extensible Measurements * JWT Claim Name: N/A * Claim Key: 44239 * Claim Value Type(s): array * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.8.4 of RFCthis 10.1.13. Realm Public Key Hash Algorithm ID Claim * Claim Name: cca-realm-public-key-hash-algm-id * Claim Description: Realm Public Key Hash Algorithm ID Claim * JWT Claim Name: N/A * Claim Key: 44240 * Claim Value Type(s): text string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.8.8 of RFCthis Frost, et al. Expires 5 January 2025 [Page 33] Internet-Draft CCA Reference Attestation Token July 2024 10.1.14. CCA Token Delegated Realm Token Label * Claim Name: cca-platform-delegated-realm-label * Claim Description: CCA Token Platform Token Label * JWT Claim Name: N/A * Claim Key: 44241 * Claim Value Type(s): byte string * Change Controller: Hannes Tschofenig * Specification Document(s): Section 4.1 of RFCthis 10.2. Media Types No new media type registration is requested. To indicate that the transmitted content is a CCA attestation token, applications can use the application/eat+cwt media type defined in [EAT-MEDIATYPES] with the eat_profile parameter set to tag:arm.com,2023:cca#1.0.0. 10.3. CoAP Content-Formats Registration IANA is requested to register a CoAP Content-Format ID in the "CoAP Content-Formats" registry [IANA-CoAP-Content-Formats]: * A registration for the application/eat+cwt media type with the eat_profile parameter equal to "tag:arm.com,2023:cca#1.0.0" The Content-Formats should be allocated from the Expert review range (0-255). 10.3.1. Registry Contents * Media Type: `application/eat+cwt; eat_profile="tag:arm.com,2023:cca#1.0.0" * Encoding: - * Id: To-be-assigned by IANA * Reference: RFCthis * Media Type: `application/eat+cwt; eat_profile="tag:arm.com,2023:realm#1.0.0" Frost, et al. Expires 5 January 2025 [Page 34] Internet-Draft CCA Reference Attestation Token July 2024 * Encoding: - * Id: To-be-assigned by IANA * Reference: RFCthis 11. References 11.1. Normative References [CCA-ARCH] Arm, "Learn the architecture - Introducing Arm Confidential Compute Architecture", May 2023, . [CMW] Birkholz, H., Smith, N., Fossati, T., and H. Tschofenig, "RATS Conceptual Messages Wrapper (CMW)", Work in Progress, Internet-Draft, draft-ietf-rats-msg-wrap-06, 1 July 2024, . [COSE-ALGS] Schaad, J., "CBOR Object Signing and Encryption (COSE): Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, August 2022, . [EAT] Lundblade, L., Mandyam, G., O'Donoghue, J., and C. Wallace, "The Entity Attestation Token (EAT)", Work in Progress, Internet-Draft, draft-ietf-rats-eat-28, 25 June 2024, . [EAT-MEDIATYPES] Lundblade, L., Birkholz, H., and T. Fossati, "EAT Media Types", Work in Progress, Internet-Draft, draft-ietf-rats- eat-media-type-07, 2 April 2024, . [IANA-CWT] IANA, "CBOR Web Token (CWT) Claims", 2022, . [IANA.named-information] IANA, "Named Information", . Frost, et al. Expires 5 January 2025 [Page 35] Internet-Draft CCA Reference Attestation Token July 2024 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, May 2018, . [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, June 2019, . [RME] Arm, "Learn the architecture - Realm Management Extension", June 2021, . [RMM] Arm, "Realm Management Monitor specification 1.0", December 2022, . [STD94] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, December 2020, . [STD96] Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, . [X509] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, . 11.2. Informative References Frost, et al. Expires 5 January 2025 [Page 36] Internet-Draft CCA Reference Attestation Token July 2024 [COSE-X509] Schaad, J., "CBOR Object Signing and Encryption (COSE): Header Parameters for Carrying and Referencing X.509 Certificates", RFC 9360, DOI 10.17487/RFC9360, February 2023, . [I-D.kdyxy-rats-tdx-eat-profile] Kostal, G., Dittakavi, S., Yeluri, R., Xia, H., and J. Yu, "EAT profile for Intel® Trust Domain Extensions (TDX) attestation result", Work in Progress, Internet-Draft, draft-kdyxy-rats-tdx-eat-profile-01, 23 April 2024, . [I-D.mandyam-rats-qwestoken] Mandyam, G., Sekhar, V., and S. Mohammed, "The Qualcomm Wireless Edge Services (QWES) Attestation Token", Work in Progress, Internet-Draft, draft-mandyam-rats-qwestoken-00, 1 November 2019, . [IANA-CoAP-Content-Formats] IANA, "CoAP Content-Formats", 2022, . [RATS-AR4SI] Voit, E., Birkholz, H., Hardjono, T., Fossati, T., and V. Scarlata, "Attestation Results for Secure Interactions", Work in Progress, Internet-Draft, draft-ietf-rats-ar4si- 06, 4 March 2024, . [RATS-CoRIM] Birkholz, H., Fossati, T., Deshpande, Y., Smith, N., and W. Pan, "Concise Reference Integrity Manifest", Work in Progress, Internet-Draft, draft-ietf-rats-corim-04, 4 March 2024, . [RFC9334] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote ATtestation procedureS (RATS) Architecture", RFC 9334, DOI 10.17487/RFC9334, January 2023, . [TF-RMM] Trusted Firmware Project, "Trusted Firmware-RMM", 2022, . Frost, et al. Expires 5 January 2025 [Page 37] Internet-Draft CCA Reference Attestation Token July 2024 [TLS12-IoT] Tschofenig, H., Ed. and T. Fossati, "Transport Layer Security (TLS) / Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things", RFC 7925, DOI 10.17487/RFC7925, July 2016, . [TLS13-IoT] Tschofenig, H., Fossati, T., and M. Richardson, "TLS/DTLS 1.3 Profiles for the Internet of Things", Work in Progress, Internet-Draft, draft-ietf-uta-tls13-iot- profile-09, 3 March 2024, . [Veraison] The Veraison Project, "Veraison ccatoken package", 2022, . Appendix A. Examples The following examples show CCA attestation tokens for an hypothetical system comprising a single measured software component. The attesting device is in a lifecycle state (Section 4.5.2) of SECURED. A.1. COSE Sign1 Token TODO...include cddl/example/sign1-claims.diag The JWK representation of the PAK used for creating the COSE Sign1 signature over the PSA token is: TODO...include cddl/example/tfm-es-iak.json The resulting COSE object is: TODO...include cddl/example/psa-sign1.diag which has the following base16 encoding: TODO...include cddl/example/psa-sign1.hex Acknowledgments TODO Contributors Frost, et al. Expires 5 January 2025 [Page 38] Internet-Draft CCA Reference Attestation Token July 2024 Yogesh Deshpande Arm Limited Email: Yogesh.Deshpande@arm.com Sergei Trofimov Arm Limited Email: Sergei.Trofimov@arm.com Authors' Addresses Simon Frost Arm Limited Email: Simon.Frost@arm.com Thomas Fossati Linaro Email: thomas.fossati@linaro.org Giri Mandyam Mediatek Inc Email: giridhar.mandyam@gmail.com Frost, et al. Expires 5 January 2025 [Page 39]