device-identity-provisioning: add keypair discovery and rename to Att…#98
…ested CSR Signed-off-by: Fabrizio Damato <fabrizio.damato@amd.com>
| 1. The `KeyPairID` as a CBOR unsigned integer in the range `1..255`. | ||
| 2. An array of OIDs describing the derivation attributes of that keypair, drawn from the OIDs defined in @sec:defined-oids. | ||
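Review bot: the element shape of the inventory is defined here, but the claim itself never gets a CWT claim key; a private claim needs a concrete integer label (the CWT claims registry puts integer labels below -65536 in the Private Use range) stated next to the CDDL, and the list should also say whether `KeyPairID` values in the inventory must be unique and whether an empty array is permitted when a device exposes no provisionable keypair.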
Place a pointer to the CDDL definition.
| / protected / <<{ | ||
| / alg-id / 1 : 7, | ||
| / content-type / 3 : "application/eat+cbor", | ||
| ; SHA-384 digest of the Attestation Key (i.e. the SPDM Signing Key) |
Change to hash of cert chain (same as DIGEST response)
| / unprotected / {}, | ||
| / payload / <<{ | ||
| / iss / 1 : "RT Alias Key", | ||
| / nonce / 10 : h'AAAABBBBAAAABBBBAAAABBBB', |
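Review bot: in the protected header, `/ alg-id / 1 : 7` is the COSE registry value for HMAC 512/512, a MAC algorithm, so the example as written describes a MACed token rather than a CWT signed by the slot's Attestation Key; a signature algorithm carries a negative identifier, for example `-35` (ES384), which also lines up with the SHA-384 digest the `kid` comment describes. The example should also show the `kid` entry itself (label `4`) beneath that comment so the reader sees the complete protected header.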
Change to 32 bytes same as SPDM nonce
| TODO: fill in | ||
| A device may expose multiple identity keypairs (e.g., IDevID, LDevID, and other vendor- or owner-defined keys), each with its own derivation inputs. Before a PKI owner can select a suitable PKI anchor point, it must discover which keypairs the device supports and which derivation attributes are associated with each. | ||
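Review bot: a `TODO: fill in` placeholder is still in the text immediately before the motivation paragraph; either fill it in or delete it before merge.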
| This specification reuses the `GET_ATTESTED_CSR` command defined in @sec:establishing-trust-in-identity for keypair discovery, by reserving `KeyPairID = 0` as a discovery sentinel. SPDM 1.3 reserves the value 0 for the `KeyPairID` field, so it is safe to repurpose here without colliding with any valid keypair identifier. |
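Review bot: the "safe to repurpose" argument needs the failure side spelled out. A Responder that implements `GET_ATTESTED_CSR` but not discovery will receive `KeyPairID = 0` and must not answer with a CSR, so state that such a Responder SHALL return an SPDM ERROR (and which error code, e.g. `InvalidRequest`), so the Requester can distinguish "discovery unsupported" from a malformed request.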
remove "1.3". Say "value 0 is not a valid KeyPairID."
| - `Param1` (`KeyPairID`) SHALL be `0`, indicating a discovery request rather than a CSR request. | ||
| - `Param2` (Request Attributes), `RequesterInfoLength`, `OpaqueDataLength`, `RequesterInfo`, and `OpaqueData` SHALL be `0` / empty. The Responder SHALL ignore any non-zero values in these fields when `KeyPairID` is `0`. | ||
| - `SignerSlotIDParam` SHALL be interpreted identically to the CSR case. Bit [4] selects whether the response is attested by an Attestation Key, and bits [3:0] select the SPDM slot whose Attestation Key signs the CWT. Requesters SHOULD request an attested response so that the inventory is attestable. |
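Review bot: two issues in this list. First, "The Responder SHALL ignore any non-zero values" in the `Param2`/`RequesterInfo`/`OpaqueData` bullet silently accepts malformed requests; rejecting them with an error is the safer rule, since a Requester cannot otherwise tell that its fields were discarded. Second, the `SignerSlotIDParam` bullet still says Bit [4] "selects whether the response is attested" and that Requesters "SHOULD request an attested response"; with the signature made mandatory elsewhere in this change, the bullet should reduce to "bits [3:0] select the SPDM slot whose Attestation Key signs the CWT".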
| When `KeyPairID = 0` is specified in the request, the Responder SHALL return an `ATTESTED_CSR` response whose `AttestedCSRdata` is an EAT encoded as a CWT, with the following requirements: | ||
| - The EAT SHALL include the standard issuer claim and a nonce claim whose value matches the `Nonce` provided in the discovery request. | ||
| - The EAT SHALL NOT include the CSR claim or the derivation-attribute-OID claim defined in @sec:establishing-trust-in-identity. Instead, it SHALL include a single private claim, the *KeyPair Inventory* claim, containing the device's keypair inventory. | ||
| - If `SignerSlotIDParam` indicated an attested response, the CWT SHALL be signed by the Attestation Key corresponding to the specified slot, following the same `kid` and signing rules as in @sec:establishing-trust-in-identity. |
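Review bot: discovery and CSR responses share the `ATTESTED_CSR` opcode and differ only in which claims the EAT carries, so add a Requester-side rule: after the signature and nonce checks, the Requester SHALL accept the response as an inventory only if the *KeyPair Inventory* claim is present and the CSR and derivation-attribute-OID claims are absent, and SHALL reject an EAT that carries both or neither. Without that rule a Responder (or a confused implementation) can answer a discovery request with a CSR that passes every check listed here.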
remove "If SignerSlotIDParam indicated an attested response, " as it's always required.
| The *KeyPair Inventory* claim SHALL be a CBOR array. Each element SHALL be a CBOR array of two elements: | ||
| {#fig:envelope-signed-csr-non-self-signed} | ||
| {#fig:attested-csr-non-self-signed} | ||
| This specification provides a definition for a vendor-defined SPDM command, utilizing VENDOR_DEFINED_REQUEST from SPDM 1.3, which can be used to surface these attested CSRs. |
"from SPDM 1.3" -> "of SPDM 1.3 and later"
| @@ -237,12 +267,13 @@ Table: GET_ENVELOPE_SIGNED_CSR VendorDefinedReqPayload {#tbl:ecsr-req} | |||
| +---------------------+---------------------+---------------------+----------------------------------------------+ | |||
| | 12 | SignerSlotIDParam | 1 | - Bit [7:5]. Reserved. | | |||
| | | | | - Bit [4:4]. If this value is `1`, the CSR | | |||
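Review bot: once the Bit [4] definition is dropped from the `SignerSlotIDParam` row, the reserved range becomes Bit [7:4]; the row should say that Requesters SHALL set reserved bits to 0 and state what the Responder does when they are not (reject or ignore, but pick one). The hunk header context still reads `Table: GET_ENVELOPE_SIGNED_CSR VendorDefinedReqPayload {#tbl:ecsr-req}`; confirm that this caption and the `tbl:ecsr-req` anchor get the same rename as the figure labels (`envelope-signed-csr` to `attested-csr`) elsewhere in this PR.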
Signature is always required, so remove Bit [4] def.
| - E.g., Slot 0's certificate chain would extend at least to the vendor-endorsed certificate over IDevID. A separate slot's certificate chain would extend at least to the certificate issued by the slot's configured PKI owner. | ||
| - A device may report intermediate certificates for the slot's PKI owner if it is configured to do so. | ||
| - The nonce claim SHALL match the nonce value provided in the GET_ATTESTED_CSR request to ensure freshness. | ||
| - If SignerSlotIDParam indicates an attested response, the CWT SHALL be signed by an Attestation Key endorsed by the certificate chain corresponding to the specified SlotID. The Requester obtains the Attestation Key's certificate chain out-of-band via the SPDM `GET_CERTIFICATE` command for that slot. |
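Review bot: "to ensure freshness" in the nonce bullet only holds if the Requester chooses the nonce; add that the Requester SHALL generate a fresh, unpredictable nonce (32 bytes, matching SPDM, as already requested in review) for every request and SHALL NOT reuse one, otherwise a recorded attested CSR can be replayed against it. Also, `GET_CERTIFICATE` is an in-band SPDM request, so "out-of-band" in the last bullet is misleading; "beforehand" or "in a separate exchange" is what is meant.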
remove "If SignerSlotIDParam indicates an attested response, " as sig is required
| - If SignerSlotIDParam indicates an attested response, the `kid` parameter (COSE header label `4`) in the CWT's protected header SHALL be the SHA-384 digest of the DER-encoded `SubjectPublicKeyInfo` of the Attestation Key. The Requester uses this digest to confirm that the signing key matches the Attestation Key whose certificate chain it retrieved from the selected SPDM slot. |
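Review bot: whether `kid` stays the SPKI digest or becomes the certificate-chain hash as suggested, this bullet should say that `kid` only selects the key and does not authenticate it: the binding to the slot comes from verifying the CWT signature with the leaf public key of the chain fetched via `GET_CERTIFICATE`, so a `kid` match without signature verification proves nothing. If the chain-hash option is taken, specify the exact bytes hashed (the SPDM `DIGESTS` value is computed over the slot's certificate chain structure as returned by `GET_CERTIFICATE`, including its length header and root hash, not over the concatenated DER certificates alone) so both sides compute the same value.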
make it hash of cert chain to be consistent with DIGEST
"the DER-encoded SubjectPublicKeyInfo of the Attestation Key"