Introduce CCA Realm provisioning plugin

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/tbaehler/gin-keycloak v1.5.0
 	github.com/veraison/ccatoken v1.1.0
 	github.com/veraison/cmw v0.1.0
-	github.com/veraison/corim v1.1.2
+	github.com/veraison/corim v1.1.3-0.20240513181923-a0e8f54e1f67
 	github.com/veraison/dice v0.0.1
 	github.com/veraison/ear v1.1.2
 	github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53

go.sum

@@ -625,6 +625,7 @@ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9
 github.com/hashicorp/go-plugin v1.4.4 h1:NVdrSdFRt3SkZtNckJ6tog7gbpRrcbOjQi/rgF7JYWQ=
 github.com/hashicorp/go-plugin v1.4.4/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
@@ -1063,8 +1064,12 @@ github.com/veraison/ccatoken v1.1.0 h1:U0Z5fOQRsdz3ksvvxVzTITczo+kfRxIlkWahJNP6I
 github.com/veraison/ccatoken v1.1.0/go.mod h1:qh/KBwsrhPyGJqttlh8PU56wt1rPkUCX9A3ZAA/53Nc=
 github.com/veraison/cmw v0.1.0 h1:vD6tBlGPROCW/HlDcG1jh+XUJi5ihrjXatKZBjrv8mU=
 github.com/veraison/cmw v0.1.0/go.mod h1:WoBrlgByc6C1FeHhdze1/bQx1kv5d1sWKO5ezEf4Hs4=
-github.com/veraison/corim v1.1.2 h1:JIk6ZK/OzKEb0FJUFHSnmkn67yyGy+5NChYax0bwttA=
-github.com/veraison/corim v1.1.2/go.mod h1:yoN6+vVQJgzS926nheCbJi68SvOlN0CpiPuTxYSe5FU=
+github.com/veraison/corim v1.1.3-0.20240423112400-92efbf346d05 h1:UDu2uBWhd17Hx+NqvvaXVjApk3PwbkDt+K7H0Xy+RKY=
+github.com/veraison/corim v1.1.3-0.20240423112400-92efbf346d05/go.mod h1:yoN6+vVQJgzS926nheCbJi68SvOlN0CpiPuTxYSe5FU=
+github.com/veraison/corim v1.1.3-0.20240429160003-7b04d8b96e76 h1:kB1KvHDnKO7YubQ0Bs3DMjZrC2r9JmaXCDfzeGJCEb0=
+github.com/veraison/corim v1.1.3-0.20240429160003-7b04d8b96e76/go.mod h1:yoN6+vVQJgzS926nheCbJi68SvOlN0CpiPuTxYSe5FU=
+github.com/veraison/corim v1.1.3-0.20240513181923-a0e8f54e1f67 h1:j67b84ttamX1ZJGlHnV/20NfBS05UdT3DonlDQ0eWnI=
+github.com/veraison/corim v1.1.3-0.20240513181923-a0e8f54e1f67/go.mod h1:mmEA2yMATiwNCGD6xo2L7Afag7z2OdZTOz8QO6IvzNY=
 github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4=
 github.com/veraison/dice v0.0.1/go.mod h1:QPMLc5LVMj08VZ+HNMYk4XxWoVYGAUBVm8Rd5V1hzxs=
 github.com/veraison/ear v1.1.2 h1:Xs41FqAG8IyJaceqNFcX2+nf51Et1uyhmCJV8SZqw/8=

scheme/Makefile

@@ -8,6 +8,7 @@ SUBDIR += psa-iot
 SUBDIR += tpm-enacttrust
 SUBDIR += parsec-tpm
 SUBDIR += parsec-cca
+SUBDIR += cca-realm-provisioning
 
 clean: ; $(RM) -rf ./bin
 

scheme/cca-realm-provisioning/Makefile

@@ -0,0 +1,15 @@
+
+# Copyright 2024 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
+.DEFAULT_GOAL := test
+
+GOPKG := github.com/veraison/services/scheme/cca-realm-provisioning
+SRCS := $(wildcard *.go)
+
+SUBDIR += plugin
+
+include ../../mk/common.mk
+include ../../mk/lint.mk
+include ../../mk/pkg.mk
+include ../../mk/subdir.mk
+include ../../mk/test.mk

scheme/cca-realm-provisioning/README.md

@@ -0,0 +1,41 @@
+# Endorsement Store Interface
+
+## Reference Value
+
+In CCA_Realm scheme the Realm instance is uniquely identified by the values of Realm initial measurements,
+used to launch a Realm.
+
+```json
+{
+    "scheme": "CCA_REALM",
+    "type": "REFERENCE_VALUE",
+    "attributes": {
+        "CCA_REALM.vendor": "Workload Client Ltd",
+        "CCA_REALM.class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C",
+        "CCA_REALM.realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1",
+        "CCA_REALM.hash-alg-id": "sha-384",
+        "CCA_REALM.realm-personalization-value":"5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==",
+        "CCA_REALM.measurements": [
+            {
+                "rim": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1"
+            },
+            {
+                "rem0": "IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4"
+            },
+            {
+                "rem1": "JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4"
+            },
+            {
+                "rem2": "MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4"
+            },
+            {
+                "rem3": "NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4"
+            }
+        ]
+    }
+}
+```
+
+## Trust Anchor
+
+CCA_Realm scheme has no explicit Trust Anchor to provision, as they are supplied inline in the Realm attestation token

scheme/cca-realm-provisioning/classattributes.go

@@ -0,0 +1,51 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package cca_realm_provisioning
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/veraison/corim/comid"
+	"github.com/veraison/services/log"
+)
+
+type ClassAttributes struct {
+	UUID   string
+	Vendor string
+}
+
+// extract class variables from environment
+func (o *ClassAttributes) FromEnvironment(e comid.Environment) error {
+	class := e.Class
+
+	if class == nil {
+		log.Debug("no class in the environment")
+		return nil
+	}
+
+	classID := class.ClassID
+
+	if classID == nil {
+		log.Debug("no classID in the environment")
+	} else {
+		UUID, err := classID.GetUUID()
+		if err != nil {
+			return fmt.Errorf("could not extract uu-id from class-id: %w", err)
+		}
+
+		if err := UUID.Valid(); err != nil {
+			return fmt.Errorf("no valid uu-id: %w", err)
+		}
+
+		o.UUID = UUID.String()
+	}
+
+	if class.Vendor != nil {
+		o.Vendor = *class.Vendor
+	} else {
+		return errors.New("class is neither UUID or Vendor Name")
+	}
+
+	return nil
+}

scheme/cca-realm-provisioning/corim_extractor.go

@@ -0,0 +1,90 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package cca_realm_provisioning
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/veraison/corim/comid"
+	"github.com/veraison/services/handler"
+)
+
+type CorimExtractor struct{}
+
+func (o CorimExtractor) RefValExtractor(
+	rv comid.ReferenceValue,
+) ([]*handler.Endorsement, error) {
+	var classAttrs ClassAttributes
+	var instAttrs InstanceAttributes
+
+	if err := classAttrs.FromEnvironment(rv.Environment); err != nil {
+		return nil, fmt.Errorf("could not extract Realm class attributes: %w", err)
+	}
+
+	if err := instAttrs.FromEnvironment(rv.Environment); err != nil {
+		return nil, fmt.Errorf("could not extract Realm instance attributes: %w", err)
+	}
+
+	// Measurements are encoded in a measurement-map of a CoMID
+	// reference-triple-record.  Since a measurement-map can encode one or more
+	// measurements, a single reference-triple-record can carry as many
+	// measurements as needed. Hence for a Realm Instance, all the measurements
+	// which comprise of both the "rim" & "rem" measurements are carried in an
+	// integrity register
+	refVals := make([]*handler.Endorsement, 0, len(rv.Measurements))
+
+	var refVal *handler.Endorsement
+	for _, m := range rv.Measurements {
+		var rAttr RealmAttributes
+		if err := rAttr.FromMeasurement(m); err != nil {
+			return nil, fmt.Errorf("unable to extract realm reference attributes from measurement: %w", err)
+		}
+		refAttrs, err := makeRefValAttrs(&classAttrs, &instAttrs, &rAttr)
+		if err != nil {
+			return nil, fmt.Errorf("unable to make reference attributes: %w", err)
+		}
+		refVal = &handler.Endorsement{
+			Scheme:     "CCA_REALM",
+			Type:       handler.EndorsementType_REFERENCE_VALUE,
+			Attributes: refAttrs,
+		}
+		refVals = append(refVals, refVal)
+	}
+
+	if len(refVals) == 0 {
+		return nil, fmt.Errorf("no measurements found")
+	}
+
+	return refVals, nil
+}
+
+func makeRefValAttrs(cAttr *ClassAttributes,
+	iAttr *InstanceAttributes,
+	rAttr *RealmAttributes) (json.RawMessage, error) {
+
+	var attrs = map[string]interface{}{
+		"CCA_REALM.vendor":                      cAttr.Vendor,
+		"CCA_REALM.class-id":                    cAttr.UUID,
+		"CCA_REALM.realm-initial-measurement":   rAttr.Rim,
+		"CCA_REALM.hash-alg-id":                 rAttr.HashAlgID,
+		"CCA_REALM.realm-personalization-value": rAttr.Rpv,
+		"CCA_REALM.rim":                         rAttr.Rim,
+		"CCA_REALM.rem0":                        rAttr.Rem[0],
+		"CCA_REALM.rem1":                        rAttr.Rem[1],
+		"CCA_REALM.rem2":                        rAttr.Rem[2],
+		"CCA_REALM.rem3":                        rAttr.Rem[3],
+	}
+
+	data, err := json.Marshal(attrs)
+	if err != nil {
+		return nil, fmt.Errorf("unable to marshal reference value attributes: %w", err)
+	}
+	return data, nil
+}
+
+func (o CorimExtractor) TaExtractor(
+	avk comid.AttestVerifKey,
+) (*handler.Endorsement, error) {
+	return nil, fmt.Errorf("cca realm endorsements does not have a Trust Anchor")
+}

scheme/cca-realm-provisioning/corim_test_vectors.go

@@ -0,0 +1,132 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package cca_realm_provisioning
+
+// automatically generated from:
+// comidCcaRealm.json and corimCcaRealm.json
+var unsignedCorimcomidCcaRealm = `
+a500505c57e8f446cd421b91c908cf93e13cfc0181590234d901faa40065
+656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074
+576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073
+3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102
+04a1008182a200a200d82550cd1f0e5526f9460db9d8f7fde171787c0173
+576f726b6c6f616420436c69656e74204c746401d9023058304284b5694c
+a6c0d2cf4789a0b95ac8025c818de52304364be7cd2981b2d2edc685b322
+277ec25819962413d8c9b2c1f581a101a204d902305840e45b72f5c0c0b5
+72db4d8d3ab7e97f368ff74e62347a824decb67a84e5224d75e45b72f5c0
+c0b572db4d8d3ab7e97f368ff74e62347a824decb67a84e5224d750ea563
+72696d81820758304284b5694ca6c0d2cf4789a0b95ac8025c818de52304
+364be7cd2981b2d2edc685b322277ec25819962413d8c9b2c1f56472656d
+3081820758302107bbe761fca52d95136a1354db7a4dd57b1b26be0d3da7
+1d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d3181
+820758302507bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9e
+b23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d32818207
+58303107bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb239
+86b34ba615abf6514cf35e5a9ea55a032d068a786472656d338182075830
+3507bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b3
+4ba615abf6514cf35e5a9ea55a032d068a780381781a687474703a2f2f61
+726d2e636f6d2f6363612f7265616c6d2f3104a200c11a61ce480001c11a
+695467800581a3006941434d45204c74642e01d8206c61636d652e657861
+6d706c65028101
+`
+
+// automatically generated from:
+// comidCcaRealmNoClass.json and corimCcaRealm.json
+var unsignedCorimcomidCcaRealmNoClass = `
+a500505c57e8f446cd421b91c908cf93e13cfc01815901c3d901faa40065
+656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074
+576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073
+3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102
+04a1008182a101d9023058304284b5694ca6c0d2cf4789a0b95ac8025c81
+8de52304364be7cd2981b2d2edc685b322277ec25819962413d8c9b2c1f5
+81a101a10ea56372696d81820758304284b5694ca6c0d2cf4789a0b95ac8
+025c818de52304364be7cd2981b2d2edc685b322277ec25819962413d8c9
+b2c1f56472656d3081820758302107bbe761fca52d95136a1354db7a4dd5
+7b1b26be0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a
+786472656d3181820758302507bbe761fca52d95136a1354db7a4dd57b1b
+26be0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a7864
+72656d3281820758303107bbe761fca52d95136a1354db7a4dd57b1b26be
+0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a78647265
+6d3381820758303507bbe761fca52d95136a1354db7a4dd57b1b26be0d3d
+a71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a780381781a68
+7474703a2f2f61726d2e636f6d2f6363612f7265616c6d2f3104a200c11a
+61ce480001c11a695467800581a3006941434d45204c74642e01d8206c61
+636d652e6578616d706c65028101
+`
+
+// automatically generated from:
+// comidCcaRealmNoInstance.json and corimCcaRealm.json
+var unsignedCorimcomidCcaRealmNoInstance = `
+a500505c57e8f446cd421b91c908cf93e13cfc01815901b8d901faa40065
+656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074
+576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073
+3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102
+04a1008182a100a200d82550cd1f0e5526f9460db9d8f7fde171787c0173
+576f726b6c6f616420436c69656e74204c746481a101a10ea56372696d81
+820758304284b5694ca6c0d2cf4789a0b95ac8025c818de52304364be7cd
+2981b2d2edc685b322277ec25819962413d8c9b2c1f56472656d30818207
+58302107bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb239
+86b34ba615abf6514cf35e5a9ea55a032d068a786472656d318182075830
+2507bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b3
+4ba615abf6514cf35e5a9ea55a032d068a786472656d3281820758303107
+bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba6
+15abf6514cf35e5a9ea55a032d068a786472656d3381820758303507bbe7
+61fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615ab
+f6514cf35e5a9ea55a032d068a780381781a687474703a2f2f61726d2e63
+6f6d2f6363612f7265616c6d2f3104a200c11a61ce480001c11a69546780
+0581a3006941434d45204c74642e01d8206c61636d652e6578616d706c65
+028101
+`
+
+// automatically generated from:
+// comidCcaRealmInvalidInstance.json and corimCcaRealm.json
+var unsignedCorimcomidCcaRealmInvalidInstance = `
+a500505c57e8f446cd421b91c908cf93e13cfc01815901dfd901faa40065
+656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074
+576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073
+3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102
+04a1008182a200a200d82550cd1f0e5526f9460db9d8f7fde171787c0173
+576f726b6c6f616420436c69656e74204c746401d90226582101ceebae7b
+8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f150881a1
+01a10ea56372696d81820758304284b5694ca6c0d2cf4789a0b95ac8025c
+818de52304364be7cd2981b2d2edc685b322277ec25819962413d8c9b2c1
+f56472656d3081820758302107bbe761fca52d95136a1354db7a4dd57b1b
+26be0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a7864
+72656d3181820758302507bbe761fca52d95136a1354db7a4dd57b1b26be
+0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a78647265
+6d3281820758303107bbe761fca52d95136a1354db7a4dd57b1b26be0d3d
+a71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d33
+81820758303507bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d
+9eb23986b34ba615abf6514cf35e5a9ea55a032d068a780381781a687474
+703a2f2f61726d2e636f6d2f6363612f7265616c6d2f3104a200c11a61ce
+480001c11a695467800581a3006941434d45204c74642e01d8206c61636d
+652e6578616d706c65028101
+`
+
+// automatically generated from:
+// comidCcaRealmInvalidClass.json and corimCcaRealm.json
+var unsignedCorimcomidCcaRealmInvalidClass = `
+a500505c57e8f446cd421b91c908cf93e13cfc0181590237d901faa40065
+656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074
+576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073
+3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102
+04a1008182a200a200d90258582061636d652d696d706c656d656e746174
+696f6e2d69642d303030303030303031016441434d4501d9023058304284
+b5694ca6c0d2cf4789a0b95ac8025c818de52304364be7cd2981b2d2edc6
+85b322277ec25819962413d8c9b2c1f581a101a204d902305840e45b72f5
+c0c0b572db4d8d3ab7e97f368ff74e62347a824decb67a84e5224d75e45b
+72f5c0c0b572db4d8d3ab7e97f368ff74e62347a824decb67a84e5224d75
+0ea56372696d81820758304284b5694ca6c0d2cf4789a0b95ac8025c818d
+e52304364be7cd2981b2d2edc685b322277ec25819962413d8c9b2c1f564
+72656d3081820758302107bbe761fca52d95136a1354db7a4dd57b1b26be
+0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a78647265
+6d3181820758302507bbe761fca52d95136a1354db7a4dd57b1b26be0d3d
+a71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d32
+81820758303107bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d
+9eb23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d338182
+0758303507bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb2
+3986b34ba615abf6514cf35e5a9ea55a032d068a780381781a687474703a
+2f2f61726d2e636f6d2f6363612f7265616c6d2f3104a200c11a61ce4800
+01c11a695467800581a3006941434d45204c74642e01d8206c61636d652e
+6578616d706c65028101
+`