Add linear privilege level measurement value type #354
Conversation
As a means of representing a CPL or VMPL, this provides some extra semantic understanding. Leaving condition-matching to a later PR.
@deeglaze Instead of directly making a change request, can we please have an issue which describes a requirement? What is a Privilege level of an Environment? Why is it needed? What use cases are relevant when this feature gains relevance?
- Add matching rules to the PR
- Add examples to the PR, in CDDL
Please continue good work on the PR
@deeglaze I assume there is still work to be done on this PR, so we would not take this up during the CoRIM Meeting on 29th Jan 2025?
This adds tags 564 and 565 (563 proposed by PR ietf-rats-wg#297). The -Infinity is valid diagnostic notation, but our tooling does not recognize it.
See inline comments
Co-authored-by: Ned Smith <ned.smith@intel.com>
LGTM
LGTM
@@ -1118,6 +1118,21 @@ are acceptable states. | |||
Integrity Registers can be used to model the PCRs in a TPM or vTPM, in which case the identifier is the register index, or other kinds of vendor-specific measured objects. | |||
|
|||
|
|||
##### Linear Privilege Level {#sec-comid-linear-privlevel} | |||
|
|||
A Linear Privilege Level describes an operating privilege for the target environment. |
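Review bot: the new definition sentence does not say what values a linear privilege level takes or how they are ordered, and the thread already establishes that values are integers, that 0 is legal and that ranges may span negative and positive numbers. State the value type (an `int`, including 0 and negative values) next to the definition, and only then the ordering convention, so a reader does not have to infer it from the comparison rules.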
I would swap the bottom sentence to state that:
Please clarify.
A Linear Privilege Level describes an operating privilege for the target environment. | |
A Linear Privilege Level describes an operating privilege for the target environment. The privilege can be expressed in either positive integer ranges or in negative integer ranges. |
0 is also legal though.
I added to the example showing that a range can include both negative and positive integers. Maybe just document that the values are integers?
draft-ietf-rats-corim.md
Outdated
##### Linear Privilege Level {#sec-comid-linear-privlevel} | ||
|
||
A Linear Privilege Level describes an operating privilege for the target environment. | ||
The convention is that 0 is the highest privilege, and higher numbers correspond to fewer privileges. |
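Review bot: the convention sentence does not hold once negative values are admitted, as this PR's example and the discussion above allow: if 0 is the highest privilege and higher numbers mean fewer privileges, a negative level is either more privileged than the stated maximum or undefined. Either restrict the convention to non-negative values, or phrase it relatively ("lower values correspond to more privilege") without naming 0 as the top, and say explicitly how negative levels are to be read.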
The convention is that 0 is the highest privilege, and higher numbers correspond to fewer privileges. | |
When expressed in positive integer ranges the convention is that 0 is the highest privilege, and higher numbers correspond to fewer privileges. No negative number representation is allowed, in this setting. |
What setting? This is convention.
> What setting? This is convention.
Yes, I mean that you can replace it with convention or something similar!
I don't understand this comment. Replace what with convention? I'm trying to encode a range comparison that requires an internalized notion of order.
The text related to positive range should follow the cddl section as the rest of the discussion on ranges is following the cddl section.
draft-ietf-rats-corim.md
Outdated
|
||
The ACS entry value stored under `measurement-values-map` codepoint 15 is a linear privilege level, which must have type `linear-privlevel-type-choice`. | ||
|
||
If the entry `linear-privlevel-type-choice` is an `int` or an `int` tagged with #6.564, then comparison with the `int` named as PRIV is as follows. |
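Review bot: PRIV is used in "comparison with the `int` named as PRIV" before it is introduced; define it in this sentence as the `int` carried in the ACS entry under codepoint 15, following the wording the SVN text uses. Also, "must have type `linear-privlevel-type-choice`" should be the RFC 2119 keyword MUST if this section uses those keywords, as the range-inclusion bullet later in the PR does.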
I am not clear on when PRIV was introduced and what its context is. Can you please clarify?
PRIV is referenced below when describing the comparison. PRIV here represents an exact privilege level in the ACS that will be compared against a CoRIM. I'm following the same wording form as for SVN.
draft-ietf-rats-corim.md
Outdated
|
||
If the entry `linear-privlevel-type-choice` is an `int` or an `int` tagged with #6.564, then comparison with the `int` named as PRIV is as follows. | ||
|
||
* If the condition ECT value for `measurement-values-map` codepoint 15 is an untagged `int` or an `int` tagged with #6.564 then an equality comparison is performed on the `int` components. |
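Review bot: this bullet treats an untagged `int` and an `int` tagged with #6.564 identically (equality on the `int` components), so the tag carries no information in the comparison. Either state what distinguishes the tagged form and when an implementation should emit it, or drop one of the two alternatives; otherwise readers will ask, as has already happened in this thread, when each form is expected.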
When would one use `int` and when would one use `tagged-int`? Can you please explain, as this is the base spec!
Fixed.
cddl/linear-privilege-level.cddl
Outdated
linear-privlevel-type-choice /= signed-integer-range-type-choice | ||
signed-integer-range-type-choice = int-eq / int-range / tagged-int-eq / tagged-int-range | ||
int-eq = int | ||
int-range = [min: inf-int, max: inf-int] |
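Review bot: `inf-int` in `int-range = [min: inf-int, max: inf-int]` is not defined in this snippet and, as noted later in the thread, nowhere else; define it (the description mentions -Infinity in diagnostic notation, so presumably `int` or an infinity) and add a statement that `min` is less than or equal to `max`, since the CDDL alone admits an empty range. `tagged-int-eq` and `tagged-int-range` are referenced in the choice but their tag numbers (564 and 565 per the description) are not shown here; confirm they are defined with the tags the prose refers to.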
This looks like a policy construct, which I am a little nervous about absorbing here. Is there a way to express it more clearly using base types?
It's a weak form of comparison for use in conditional endorsements. We have SVN range comparisons. This is just slightly broader.
Made some comments!
Added example to test negative and positive ranges.
Added cbor-tags.txt to git ignore list.
draft-ietf-rats-corim.md
Outdated
* If the condition ECT value for `measurement-values-map` codepoint 15 is an `int-range` tagged with #6.564 then a range inclusion comparison is performed. | ||
The comparison MUST return true if the value of PRIV is greater than or equal to the `min` value in the condition ECT AND the value of PRIV is less than or equal to than the `max` value in the condition ECT | ||
|
||
If the entry `linear-privilege-type-choice` is an `int-range` or `int-range` tagged with #6.564, then comparison with the pair of `inf-int` values MINPRIV and MAXPRIV is as follows. |
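Review bot: typo in the range-inclusion sentence: "less than or equal to than the `max` value" should read "less than or equal to the `max` value", and the sentence lacks a terminating period. The following paragraph names the type `linear-privilege-type-choice`, while the CDDL and the earlier paragraph use `linear-privlevel-type-choice`; use one name throughout. The comparison for a range-valued entry (MINPRIV, MAXPRIV) is announced here but its rules are not in this hunk; make sure the bullets that follow define it for both the tagged and untagged forms, as was done for the exact-int case.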
`inf-int` doesn't appear to be defined anywhere.
Fixed.
General feedback: The value of an integer measurement type that is strictly used for privilege levels doesn't allow the flexibility to be used for other measurement types (as in the type mechanism isn't extensible) means it isn't as generally useful. I thought we were going to give it semantics that were similar to raw-value where the mkey tag can be used to distinguish semantic richness while the appraisal comparison doesn't care as it's simple checking whether a singleton value falls within the range of integers.
Agreed, which is why the tagged value is a tagged-int-range, and not a tagged-linear-privilege-range. The added semantic context of linear privilege comes from codepoint 15. An mkey can add further context that it's for a specific notion of privilege like CPL or VMPL.
The comparison only cares so much as it provides the semantics of range inclusion.
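The equality and range-inclusion rules discussed in this thread, carried through as an added Python example; it is not code from the draft, the PR, or the CoRIM tooling. Assumptions are marked in comments: `Tagged` stands in for a CBOR decoder's tagged value, `inf-int` is modelled as an int or ±infinity, only the exact-int ACS entry case the text defines is implemented, and a missing codepoint 15 on either side counts as no match.

```python
import math
from dataclasses import dataclass

LINEAR_PRIVLEVEL_CODEPOINT = 15   # measurement-values-map codepoint from the PR text
TAGGED_INT_TAG = 564              # tag proposed in the PR for tagged-int-eq / tagged-int-range

@dataclass(frozen=True)
class Tagged:
    """A CBOR tagged value, as a decoder would present it (assumed shape)."""
    tag: int
    value: object

def _untag(v):
    """Strip tag 564; any other tag is not a linear privilege level."""
    if isinstance(v, Tagged):
        if v.tag != TAGGED_INT_TAG:
            raise TypeError(f"unexpected tag {v.tag} on codepoint 15 value")
        return v.value
    return v

def _is_int(x):
    return isinstance(x, int) and not isinstance(x, bool)

def _is_inf_int(x):
    """inf-int modelled (assumption) as an int or +/-infinity (-Infinity in diagnostic notation)."""
    return _is_int(x) or (isinstance(x, float) and math.isinf(x))

def is_valid_range(x):
    """int-range = [min: inf-int, max: inf-int]; min <= max is an added sanity check."""
    return isinstance(x, list) and len(x) == 2 and all(map(_is_inf_int, x)) and x[0] <= x[1]

def matches(acs_value, condition):
    """True if PRIV (exact int in the ACS, optionally tagged 564) satisfies the condition ECT
    value: equality against an int, inclusion (min <= PRIV <= max) against an int-range."""
    priv = _untag(acs_value)
    cond = _untag(condition)
    if not _is_int(priv):
        raise TypeError("only exact-int ACS entries are handled; range entries are left to the draft")
    if _is_int(cond):
        return priv == cond
    if is_valid_range(cond):
        return cond[0] <= priv <= cond[1]
    raise ValueError("condition is neither an int nor a well-formed int-range")

def condition_matches(acs_mvm, cond_mvm):
    """Apply the check to codepoint 15 of two measurement-values-maps (assumption: absent codepoint -> no match)."""
    if LINEAR_PRIVLEVEL_CODEPOINT not in acs_mvm or LINEAR_PRIVLEVEL_CODEPOINT not in cond_mvm:
        return False
    return matches(acs_mvm[LINEAR_PRIVLEVEL_CODEPOINT], cond_mvm[LINEAR_PRIVLEVEL_CODEPOINT])
```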