CCA Evidence Verification
Thomas Fossati edited this page Jul 13, 2023 · 5 revisions
Based on the evidence format described in Appendix A7.2.3 of the Realm Management Monitor Specification.
- CPAK public key (pCPAK)
- Reference values for CCA platform software components
- Reference value for CCA platform configuration
- Reference value for CCA realm Initial measurement configuration
- CCA realm personalisation value
- CCA realm extensible measurements
1. Cryptographic Validation
   i. Check signature on the platform token according to §4.4 of RFC 9052, using pCPAK.
   ii. Extract RAK public key (pRAK) from realm token. (Note: The pRAK is encoded in the uncompressed form specified in SEC 1, Version 2.0, Section 2.3.3. In order to be used for verification, it typically needs to be converted into an x, y pair.)
   iii. Check signature on the realm token according to §4.4 of RFC 9052, using pRAK.
   iv. Check the cryptographic binding between the platform and realm tokens:
      a. Extract pRAK from realm token
      b. Extract pRAK's hash algorithm identifier from the realm token
      c. Hash pRAK using said hash algorithm
      d. Extract nonce from the platform token
      e. Check that the nonce is the same as the value computed in step 1.iv.c
2. CCA RoT Lifecycle Check
   i. Extract the CCA lifecycle claim from the platform token and ensure that it is "SECURED"
3. Mandatory Reference Values Checks
   i. Match software component measurements claims from the platform token against the corresponding reference values
   ii. Match configuration claim from the platform token against the corresponding reference value
   iii. Match initial measurement from the realm token against the corresponding reference value
4. Optional Reference Values Checks
   i. Match personalisation value claim in the realm token against the corresponding reference value
   ii. Match extensible measurements claim in the realm token against the corresponding reference value
NOTE: Steps 4.1 and 4.2 depend on the realm author's choice to use these optional features.
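
The platform/realm token binding check and the SEC 1 point conversion from the list above, as an added Python example (not code from this wiki or its project). It assumes both tokens are already decoded and signature-checked, that the hash is taken over pRAK exactly as encoded in the realm token, and that the algorithm identifier is a string such as "sha-256"; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# Assumed mapping from the realm token's hash algorithm identifier to a
# hashlib constructor. The identifier strings are an assumption of this example.
HASH_ALGS = {
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}


def sec1_uncompressed_to_xy(prak: bytes) -> tuple[int, int]:
    """Split an uncompressed SEC 1 point (0x04 || X || Y) into an (x, y) pair."""
    if len(prak) < 3 or prak[0] != 0x04:
        raise ValueError("pRAK is not an uncompressed SEC 1 point")
    if (len(prak) - 1) % 2:
        raise ValueError("X and Y coordinates must have the same length")
    n = (len(prak) - 1) // 2
    x = int.from_bytes(prak[1:1 + n], "big")
    y = int.from_bytes(prak[1 + n:], "big")
    return x, y


def check_binding(prak: bytes, hash_alg_id: str, platform_nonce: bytes) -> bool:
    """Hash pRAK with the realm token's algorithm and compare it with the
    nonce carried in the platform token. Fails closed on unknown algorithms."""
    constructor = HASH_ALGS.get(hash_alg_id)
    if constructor is None:
        return False
    digest = constructor(prak).digest()
    # Constant-time comparison; a length mismatch also returns False.
    return hmac.compare_digest(digest, platform_nonce)


# Constructed sample input: a 97-byte buffer shaped like a P-384 point
# (not a real key) and the nonce a well-formed platform token would carry.
SAMPLE_PRAK = b"\x04" + bytes(range(1, 49)) + bytes(range(49, 97))
SAMPLE_NONCE = hashlib.sha256(SAMPLE_PRAK).digest()

if __name__ == "__main__":
    print("binding ok:", check_binding(SAMPLE_PRAK, "sha-256", SAMPLE_NONCE))
    print("x, y:", sec1_uncompressed_to_xy(SAMPLE_PRAK))
```

The split into x and y does not prove the point lies on the curve; that check is left to the crypto library that consumes the pair for signature verification.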