diff --git a/Makefile b/Makefile index adc7e94..9f0cf78 100644 --- a/Makefile +++ b/Makefile @@ -52,3 +52,7 @@ $(eval $(call cddl_check_template,comidx,$(COMID_X_FRAGS),$(COMID_X_EXAMPLES))) clean: ; rm -f $(CLEANFILES) clean-extra: clean ; $(MAKE) -C $(CORIM_DIR) clean + +export-ce: ce-autogen.cddl + @echo -n "copying ce.cddl to exports" + @cp $(CE_DIR)/ce-autogen.cddl exports/ce.cddl \ No newline at end of file diff --git a/exports/ce.cddl b/exports/ce.cddl new file mode 100644 index 0000000..8c8c618 --- /dev/null +++ b/exports/ce.cddl @@ -0,0 +1,733 @@ +start = tagged-concise-evidence + +tagged-spdm-toc = #6.570(spdm-toc-map) +spdm-toc = spdm-toc-map +spdm-toc-map = { + &(tagged-evidence: 0) => [ + $tagged-evidence-type-choice] + ? &(rim-locators: 1) => [ + corim-locator-map ] ;see corim + ? &(profile: 2) => $profile-type-choice ; see corim + * $$spdm-toc-map-extension +} + +$tagged-evidence-type-choice /= tagged-concise-evidence + +tagged-concise-evidence = #6.571(concise-evidence-map) +concise-evidence = concise-evidence-map +concise-evidence-map = { + &(ce.ev-triples: 0) => ev-triples-map + ? &(ce.evidence-id: 1) => $evidence-id-type-choice + * $$concise-evidence-map-extension +} +$evidence-id-type-choice /= tagged-uuid-type + +ev-triples-map = non-empty< { + ? &(ce.evidence-triples: 0) => [ + evidence-triple-record ] + ? &(ce.identity-triples: 1) => [ + ev-identity-triple-record ] + ? &(ce.dependency-triples: 2) => [ + ev-dependency-triple-record ] + ? &(ce.membership-triples: 3) => [ + ev-membership-triple-record ] + ? &(ce.coswid-triples: 4) => [ + ev-coswid-triple-record ] + ? &(ce.attest-key-triples: 5) => [ + ev-attest-key-triple-record ] + * $$ev-triples-map-extension +} > + +evidence-triple-record = [ + environment-map + [ + measurement-map ] +] + +ev-identity-triple-record = [ + environment-map + [ + $crypto-key-type-choice ] +] + +ev-attest-key-triple-record = [ + environment-map + [ + $crypto-key-type-choice ] +] + +ev-dependency-triple-record = [ + $domain-type-choice + [ + $domain-type-choice ] +] + +ev-membership-triple-record = [ + $domain-type-choice + [ + environment-map ] +] + +ev-coswid-triple-record = [ + environment-map, + [ + ev-coswid-evidence-map ] +] + +ev-coswid-evidence-map = { + ? &(ce.coswid-tag-id: 0) => concise-swid-tag-id + &(ce.coswid-evidence: 1) => evidence-entry + ? &(ce.authorized-by: 2) => [ + $crypto-key-type-choice ] ; see comid schema +} + +$$measurement-values-map-extension //= ( + &(spdm-indirect: 12) => spdm-indirect-map +) +spdm-indirect-map = { + &(index: 0) => [ + uint ] + * $$spdm-indirect-map-extension +} + +$$flags-map-extension //= ( + ? &(runtime-meas: 6) => bool + ? &(immutable: 7) => bool + ? &(tcb: 8) => bool +) + +corim = tagged-concise-rim-type-choice + +$concise-rim-type-choice /= tagged-corim-map +$concise-rim-type-choice /= tagged-signed-corim + +concise-bom-tag = { + &(tag-identity: 0) => tag-identity-map + &(tags-list: 1) => [ + tag-identity-map ], + &(bom-validity: 2) => validity-map + * $$concise-bom-tag-extension +} + +$concise-tag-type-choice /= tagged-concise-swid-tag +$concise-tag-type-choice /= tagged-concise-mid-tag +$concise-tag-type-choice /= tagged-concise-bom-tag + +corim-entity-map = + entity-map<$corim-role-type-choice, $$corim-entity-map-extension> + +$corim-id-type-choice /= tstr +$corim-id-type-choice /= uuid-type + +corim-locator-map = { + &(href: 0) => uri + ? &(thumbprint: 1) => digest +} + +corim-map = { + &(id: 0) => $corim-id-type-choice + &(tags: 1) => [ + $concise-tag-type-choice ] + ? &(dependent-rims: 2) => [ + corim-locator-map ] + ? &(profile: 3) => $profile-type-choice + ? &(rim-validity: 4) => validity-map + ? &(entities: 5) => [ + corim-entity-map ] + * $$corim-map-extension +} + +corim-meta-map = { + &(signer: 0) => corim-signer-map + ? &(signature-validity: 1) => validity-map +} + +$corim-role-type-choice /= &(manifest-creator: 1) + +corim-signer-map = { + &(signer-name: 0) => $entity-name-type-choice + ? &(signer-uri: 1) => uri + * $$corim-signer-map-extension +} + +COSE-Sign1-corim = [ + protected: bstr .cbor protected-corim-header-map + unprotected: unprotected-corim-header-map + payload: bstr .cbor tagged-corim-map + signature: bstr +] + +$profile-type-choice /= uri +$profile-type-choice /= tagged-oid-type + +protected-corim-header-map = { + &(alg: 1) => int + &(content-type: 3) => "application/corim-unsigned+cbor" + &(kid: 4) => bstr + &(corim-meta: 8) => bstr .cbor corim-meta-map + * cose-label => cose-value +} + +signed-corim = #6.18(COSE-Sign1-corim) + +tagged-corim-map = #6.501(corim-map) + + +tagged-concise-rim-type-choice = #6.500($concise-rim-type-choice) + +tagged-signed-corim = #6.502(signed-corim) + +tagged-concise-swid-tag = #6.505(bytes .cbor concise-swid-tag) + +tagged-concise-mid-tag = #6.506(bytes .cbor concise-mid-tag) + +tagged-concise-bom-tag = #6.508(bytes .cbor concise-bom-tag) + +unprotected-corim-header-map = { + * cose-label => cose-value +} + +validity-map = { + ? &(not-before: 0) => time + &(not-after: 1) => time +} + +concise-mid-tag = { + ? &(language: 0) => text + &(tag-identity: 1) => tag-identity-map + ? &(entities: 2) => [ + comid-entity-map ] + ? &(linked-tags: 3) => [ + linked-tag-map ] + &(triples: 4) => triples-map + * $$concise-mid-tag-extension +} + +accepted-claims-set = { + &(state-triples: 0) => [ + endorsed-triple-record ] + ? &(identity-triples: 1) => [ + identity-triple-record ] + ? &(coswid-triples: 2) => [ + ev-coswid-triple-record ] + * $$accepted-claims-set-extension +} + +attest-key-triple-record = [ + environment-map + [ + $crypto-key-type-choice ] +] + +$class-id-type-choice /= tagged-oid-type +$class-id-type-choice /= tagged-uuid-type +$class-id-type-choice /= tagged-bytes + +class-map = non-empty<{ + ? &(class-id: 0) => $class-id-type-choice + ? &(vendor: 1) => tstr + ? &(model: 2) => tstr + ? &(layer: 3) => uint + ? &(index: 4) => uint +}> + +comid-entity-map = + entity-map<$comid-role-type-choice, $$comid-entity-map-extension> + +$comid-role-type-choice /= &(tag-creator: 0) +$comid-role-type-choice /= &(creator: 1) +$comid-role-type-choice /= &(maintainer: 2) + +conditional-endorsement-series-triple-record = [ + condition: stateful-environment-record + series: [ + conditional-series-record ] +] + +conditional-series-record = [ + selection: [ + measurement-map] + ; endorsed values that apply in case revf matches + addition: [ + measurement-map ] +] + +COSE_KeySet = [ + COSE_Key ] + +COSE_Key = { + 1 => tstr / int + ? 2 => bstr + ? 3 => tstr / int + ? 4 => [+ (tstr / int) ] + ? 5 => bstr + * cose-label => cose-value +} + +cose-label = int / tstr +cose-value = any + +coswid-triple-record = [ + environment-map + [ + concise-swid-tag-id ] +] + +concise-swid-tag-id = text / bstr .size 16 + +$crypto-key-type-choice /= tagged-pkix-base64-key-type +$crypto-key-type-choice /= tagged-pkix-base64-cert-type +$crypto-key-type-choice /= tagged-pkix-base64-cert-path-type +$crypto-key-type-choice /= tagged-cose-key-type +$crypto-key-type-choice /= tagged-thumbprint-type +$crypto-key-type-choice /= tagged-cert-thumbprint-type +$crypto-key-type-choice /= tagged-cert-path-thumbprint-type + +tagged-pkix-base64-key-type = #6.554(tstr) +tagged-pkix-base64-cert-type = #6.555(tstr) +tagged-pkix-base64-cert-path-type = #6.556(tstr) +tagged-thumbprint-type = #6.557(digest) +tagged-cose-key-type = #6.558(COSE_KeySet / COSE_Key) +tagged-cert-thumbprint-type = #6.559(digest) +tagged-cert-path-thumbprint-type = #6.561(digest) + +domain-dependency-triple-record = [ + $domain-type-choice + [ + $domain-type-choice ] +] + +domain-membership-triple-record = [ + $domain-type-choice + [ + environment-map ] +] + +conditional-endorsement-triple-record = [ + conditions: [ + stateful-environment-record ] + endorsements: [ + endorsed-triple-record ] +] + +$domain-type-choice /= uint +$domain-type-choice /= text +$domain-type-choice /= tagged-uuid-type +$domain-type-choice /= tagged-oid-type + +endorsed-triple-record = [ + environment-map + [ + measurement-map ] +] + +entity-map = { + &(entity-name: 0) => $entity-name-type-choice + ? &(reg-id: 1) => uri + &(role: 2) => [ + role-type-choice ] + * extension-socket +} + +$entity-name-type-choice /= text + +environment-map = non-empty<{ + ? &(class: 0) => class-map + ? &(instance: 1) => $instance-id-type-choice + ? &(group: 2) => $group-id-type-choice +}> + +flags-map = { + ? &(is-configured: 0) => bool + ? &(is-secure: 1) => bool + ? &(is-recovery: 2) => bool + ? &(is-debug: 3) => bool + ? &(is-replay-protected: 4) => bool + ? &(is-integrity-protected: 5) => bool + ? &(is-runtime-meas: 6) => bool + ? &(is-immutable: 7) => bool + ? &(is-tcb: 8) => bool + ? &(is-confidentiality-protected: 9) => bool + * $$flags-map-extension +} + +$group-id-type-choice /= tagged-uuid-type +$group-id-type-choice /= tagged-bytes + +identity-triple-record = [ + environment-map + [ + $crypto-key-type-choice ] +] + +$instance-id-type-choice /= tagged-ueid-type +$instance-id-type-choice /= tagged-uuid-type +$instance-id-type-choice /= $crypto-key-type-choice +$instance-id-type-choice /= tagged-bytes + +ip-addr-type-choice = ip4-addr-type / ip6-addr-type +ip4-addr-type = bytes .size 4 +ip6-addr-type = bytes .size 16 + +linked-tag-map = { + &(linked-tag-id: 0) => $tag-id-type-choice + &(tag-rel: 1) => $tag-rel-type-choice +} + +mac-addr-type-choice = eui48-addr-type / eui64-addr-type +eui48-addr-type = bytes .size 6 +eui64-addr-type = bytes .size 8 + +$measured-element-type-choice /= tagged-oid-type +$measured-element-type-choice /= tagged-uuid-type +$measured-element-type-choice /= uint + +measurement-map = { + ? &(mkey: 0) => $measured-element-type-choice + &(mval: 1) => measurement-values-map + ? &(authorized-by: 2) => [ + $crypto-key-type-choice ] +} + +measurement-values-map = non-empty<{ + ? &(version: 0) => version-map + ? &(svn: 1) => svn-type-choice + ? &(digests: 2) => digests-type + ? &(flags: 3) => flags-map + ? ( + &(raw-value: 4) => $raw-value-type-choice, + ? &(raw-value-mask: 5) => raw-value-mask-type + ) + ? &(mac-addr: 6) => mac-addr-type-choice + ? &(ip-addr: 7) => ip-addr-type-choice + ? &(serial-number: 8) => text + ? &(ueid: 9) => ueid-type + ? &(uuid: 10) => uuid-type + ? &(name: 11) => text + ? &(cryptokeys: 13) => [ + $crypto-key-type-choice ] + ? &(integrity-registers: 14) => integrity-registers + * $$measurement-values-map-extension +}> + +non-empty = (M) .and ({ + any => any }) + +oid-type = bytes +tagged-oid-type = #6.111(oid-type) + +$raw-value-type-choice /= tagged-bytes + +raw-value-mask-type = bytes + +reference-triple-record = [ + environment-map + [ + measurement-map ] +] + +stateful-environment-record = [ + environment-map, + [ + measurement-map ] +] + +svn-type = uint +svn = svn-type +min-svn = svn-type +tagged-svn = #6.552(svn) +tagged-min-svn = #6.553(min-svn) +svn-type-choice = tagged-svn / tagged-min-svn + +$tag-id-type-choice /= tstr +$tag-id-type-choice /= uuid-type + +tag-identity-map = { + &(tag-id: 0) => $tag-id-type-choice + ? &(tag-version: 1) => tag-version-type +} + +$tag-rel-type-choice /= &(supplements: 0) +$tag-rel-type-choice /= &(replaces: 1) + +tag-version-type = uint .default 0 + +tagged-bytes = #6.560(bytes) + +triples-map = non-empty<{ + ? &(reference-triples: 0) => + [ + reference-triple-record ] + ? &(endorsed-triples: 1) => + [ + endorsed-triple-record ] + ? &(identity-triples: 2) => + [ + identity-triple-record ] + ? &(attest-key-triples: 3) => + [ + attest-key-triple-record ] + ? &(dependency-triples: 4) => + [ + domain-dependency-triple-record ] + ? &(membership-triples: 5) => + [ + domain-membership-triple-record ] + ? &(coswid-triples: 6) => + [ + coswid-triple-record ] + ? &(conditional-endorsement-series-triples: 8) => + [ + conditional-endorsement-series-triple-record ] + ? &(conditional-endorsement-triples: 10) => + [ + conditional-endorsement-triple-record ] + * $$triples-map-extension +}> + +ueid-type = bytes .size 33 +tagged-ueid-type = #6.550(ueid-type) + +uuid-type = bytes .size 16 +tagged-uuid-type = #6.37(uuid-type) + +version-map = { + &(version: 0) => text + ? &(version-scheme: 1) => $version-scheme +} + +digest = [ + alg: (int / text), + val: bytes +] + +digests-type = [ + digest ] + +integrity-register-id-type-choice = uint / text + +integrity-registers = { + + integrity-register-id-type-choice => digests-type +} + +concise-swid-tag = { + tag-id => text / bstr .size 16, + tag-version => integer, + ? corpus => bool, + ? patch => bool, + ? supplemental => bool, + software-name => text, + ? software-version => text, + ? version-scheme => $version-scheme, + ? media => text, + ? software-meta => one-or-more, + entity => one-or-more, + ? link => one-or-more, + ? payload-or-evidence, + * $$coswid-extension, + global-attributes, +} + +payload-or-evidence //= ( payload => payload-entry ) +payload-or-evidence //= ( evidence => evidence-entry ) + +any-uri = uri +label = text / int + +$version-scheme /= multipartnumeric +$version-scheme /= multipartnumeric-suffix +$version-scheme /= alphanumeric +$version-scheme /= decimal +$version-scheme /= semver +$version-scheme /= int / text + +any-attribute = ( + label => one-or-more / one-or-more +) + +one-or-more = T / [ 2* T ] + +global-attributes = ( + ? lang => text, + * any-attribute, +) + +hash-entry = [ + hash-alg-id: int, + hash-value: bytes, +] + +entity-entry = { + entity-name => text, + ? reg-id => any-uri, + role => one-or-more<$role>, + ? thumbprint => hash-entry, + * $$entity-extension, + global-attributes, +} + +$role /= tag-creator +$role /= software-creator +$role /= aggregator +$role /= distributor +$role /= licensor +$role /= maintainer +$role /= int / text + +link-entry = { + ? artifact => text, + href => any-uri, + ? media => text, + ? ownership => $ownership, + rel => $rel, + ? media-type => text, + ? use => $use, + * $$link-extension, + global-attributes, +} + +$ownership /= shared +$ownership /= private +$ownership /= abandon +$ownership /= int / text + +$rel /= ancestor +$rel /= component +$rel /= feature +$rel /= installationmedia +$rel /= packageinstaller +$rel /= parent +$rel /= patches +$rel /= requires +$rel /= see-also +$rel /= supersedes +$rel /= supplemental +$rel /= -256..64436 / text + +$use /= optional +$use /= required +$use /= recommended +$use /= int / text + +software-meta-entry = { + ? activation-status => text, + ? channel-type => text, + ? colloquial-version => text, + ? description => text, + ? edition => text, + ? entitlement-data-required => bool, + ? entitlement-key => text, + ? generator => text / bstr .size 16, + ? persistent-id => text, + ? product => text, + ? product-family => text, + ? revision => text, + ? summary => text, + ? unspsc-code => text, + ? unspsc-version => text, + * $$software-meta-extension, + global-attributes, +} + +path-elements-group = ( ? directory => one-or-more, + ? file => one-or-more, + ) + +resource-collection = ( + path-elements-group, + ? process => one-or-more, + ? resource => one-or-more, + * $$resource-collection-extension, +) + +file-entry = { + filesystem-item, + ? size => uint, + ? file-version => text, + ? hash => hash-entry, + * $$file-extension, + global-attributes, +} + +directory-entry = { + filesystem-item, + ? path-elements => { path-elements-group }, + * $$directory-extension, + global-attributes, +} + +process-entry = { + process-name => text, + ? pid => integer, + * $$process-extension, + global-attributes, +} + +resource-entry = { + type => text, + * $$resource-extension, + global-attributes, +} + +filesystem-item = ( + ? key => bool, + ? location => text, + fs-name => text, + ? root => text, +) + +payload-entry = { + resource-collection, + * $$payload-extension, + global-attributes, +} + +evidence-entry = { + resource-collection, + ? date => integer-time, + ? device-id => text, + ? location => text, + * $$evidence-extension, + global-attributes, +} + +integer-time = #6.1(int) + +tag-id = 0 +software-name = 1 +entity = 2 +evidence = 3 +link = 4 +software-meta = 5 +payload = 6 +hash = 7 +corpus = 8 +patch = 9 +media = 10 +supplemental = 11 +tag-version = 12 +software-version = 13 +version-scheme = 14 +lang = 15 +directory = 16 +file = 17 +process = 18 +resource = 19 +size = 20 +file-version = 21 +key = 22 +location = 23 +fs-name = 24 +root = 25 +path-elements = 26 +process-name = 27 +pid = 28 +type = 29 +entity-name = 31 +reg-id = 32 +role = 33 +thumbprint = 34 +date = 35 +device-id = 36 +artifact = 37 +href = 38 +ownership = 39 +rel = 40 +media-type = 41 +use = 42 +activation-status = 43 +channel-type = 44 +colloquial-version = 45 +description = 46 +edition = 47 +entitlement-data-required = 48 +entitlement-key = 49 +generator = 50 +persistent-id = 51 +product = 52 +product-family = 53 +revision = 54 +summary = 55 +unspsc-code = 56 +unspsc-version = 57 + +multipartnumeric = 1 +multipartnumeric-suffix = 2 +alphanumeric = 3 +decimal = 4 +semver = 16384 + +tag-creator=1 +software-creator=2 +aggregator=3 +distributor=4 +licensor=5 +maintainer=6 + +abandon=1 +private=2 +shared=3 + +ancestor=1 +component=2 +feature=3 +installationmedia=4 +packageinstaller=5 +parent=6 +patches=7 +requires=8 +see-also=9 +supersedes=10 + +optional=1 +required=2 +recommended=3 + +