diff --git a/provisioning/api/handler.go b/provisioning/api/handler.go index b62f0aa0..d4b2e811 100644 --- a/provisioning/api/handler.go +++ b/provisioning/api/handler.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package api diff --git a/provisioning/provisioner/provisioner.go b/provisioning/provisioner/provisioner.go index d8e570e0..507a710e 100644 --- a/provisioning/provisioner/provisioner.go +++ b/provisioning/provisioner/provisioner.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package provisioner diff --git a/scheme/arm-cca/evidence_handler_test.go b/scheme/arm-cca/evidence_handler_test.go index f37e4b98..570a8be1 100644 --- a/scheme/arm-cca/evidence_handler_test.go +++ b/scheme/arm-cca/evidence_handler_test.go @@ -102,10 +102,9 @@ func Test_AppraiseEvidence_Realm(t *testing.T) { // nolint: dupl { desc: "No realm endorsements", input: "test/realm/no-realm-endorsements.json", - expectedStatus: ear.TrustTierWarning, - expectedExec: ear.UnrecognizedRuntimeClaim, + expectedStatus: ear.TrustTierNone, + expectedExec: ear.NoClaim, }, - { desc: "No matching rim measurements", input: "test/realm/rim-mismatch-endorsements.json", diff --git a/scheme/arm-cca/realm.go b/scheme/arm-cca/realm.go index 5b54e228..0dfe473d 100644 --- a/scheme/arm-cca/realm.go +++ b/scheme/arm-cca/realm.go @@ -35,10 +35,16 @@ func realmAppraisal( // If crypto verification (including chaining) completes correctly, // we can safely assume the Realm instance to be trustworthy trustVector.InstanceIdentity = ear.TrustworthyInstanceClaim - trustVector.Executables = ear.UnrecognizedRuntimeClaim + // By default, make no claims with regard to realm executables (i.e., RIM, + // PV and REMs). This is to support a platform-only CCA verifier. + // If we have been provisioned with realm executable reference values, they + // will be checked in the loop below and the trust vector updated accordingly. + trustVector.Executables = ear.NoClaim + partial := true for _, endorsement := range realmEndorsements { if matchRim(claims, &endorsement) { + partial = false err := matchRpv(claims, &endorsement) switch err { // Note, If an Endorser does not use RPV it indicates, one Realm per RIM, which is a match @@ -74,6 +80,11 @@ func realmAppraisal( } appraisal.UpdateStatusFromTrustVector() + // This is a kludge to work around EAR inability to express "partial" verification semantics. + if *appraisal.Status == ear.TrustTierAffirming && partial { + noClaimStatus := ear.TrustTierNone + appraisal.Status = &noClaimStatus + } appraisal.VeraisonAnnotatedEvidence = &claimsMap return &appraisal, nil