
Conditional endorsement series triple section reworded #326

Open. Wants to merge 21 commits into base: main.

Conversation

nedmsmith
Collaborator

@nedmsmith nedmsmith commented Oct 15, 2024

Added description to conditional series triple to address issues #310 and #321.
Updated example here to better illustrate a use case.

Added text to address issue #310 for conditional series triple and issue #321
Modified cond series example to better highlight motivating use case.
Fix white space
More realistic use case that could result in multiple entries satisfied by the condition.
fix whitespace.
Review thread on cddl/examples/comid-series.diag (resolved)
Review thread on cddl/examples/comid-series.diag (outdated, resolved)
[^issue] https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/310
The Conditional Endorsement Series Triple is used to assert endorsed values conditional on various sets of possible measurement values.
Each series entry describes a different possible set of values.
Series entries are ordered so that the set describing the most trustworthy state is evaluated first and least trustworthy state last.
Collaborator

The ordering leads to negative conditions in the head of the rule still. The possible evaluation inconsistency from Issue #321 remains.

If the conditions are mutually-exclusive, then there's no need to order them and the triple is syntactic sugar for multiple normal conditions.
If the conditions are not mutually-exclusive, then you need a way to stratify condition matching to regain logical consistency.

Given that you haven't stated any condition, I don't know what your intention is here.

nedmsmith and others added 2 commits October 16, 2024 09:54
Co-authored-by: Dionna Amalie Glaze <dionnaglaze@google.com>
@nedmsmith
Collaborator Author

Additional use case context: Some have characterized the triple as being an optimization of endorsement triples. The way to realize the same semantics using conditional-endorsement-triple is that there will be multiple valid RIMs containing statements about valid SVN ranges. A vendor may increment an SVN when a new image of security sensitive code is released, resulting in multiple valid RIMs in circulation. If at some later point one of the implementations is found to have a vulnerability, the affected RIM(s) can be revoked.

Nevertheless, there can be a range of RIMs that declare multiple valid SVN values. The RIMs could match the same component, resulting in multiple ACS entries but with different matching reference SVN values.

The question then is how should these values be processed and by whom? Ideally, the best answer should be selected, because there will be additional endorsement statements that assert additional information based on SVN state. This approach distributes state across multiple RIMs, resulting in multiple ACS entries that then need to be post-processed to find the "best" correct answer.

Comparing this to the series triple: one RIM can be used to communicate the information that would otherwise be spread across multiple RIMs, and it avoids adding, unnecessarily, multiple correct answers to the ACS that then need to be filtered in some way to find the best answer.

Any vendor that relies on SVNs to manage security change control will likely need this capability. If they don't proactively increment SVNs as part of their release process, then they will need to release / install updates that update the SVN. The alternative is they merely have to revoke an already issued RIM.

to latest cddl version
fix build error for xml target
Reworded to better characterize expected behavior.
Improved wording for how series iteration terminates.
Added "Series" to the Conditional Endorsement conceptual message.
Minor wording improvements
@nedmsmith nedmsmith requested a review from deeglaze December 11, 2024 18:40
Review thread on draft-ietf-rats-corim.md (outdated, resolved)
Co-authored-by: Dionna Amalie Glaze <dionnaglaze@google.com>
More clarification about the usage and matching order will be resolved by: [^tracked-at] https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/321
The Conditional Endorsement Series Triple is used to assert endorsed values based on an initial condition match followed by a series condition match.
Every `series-condition-record` selection MUST select the same `mkey`s.
Every selected `mkey`'s corresponding mentioned set of keys `mval`.key MUST be the same across each `series-condition-record`.
Collaborator

Tough one to parse... I am not sure I get what you mean here. Is it that "each selected mkey MUST have the same corresponding set of mvals across all series-condition-record entries"?

Collaborator

Say you have 3 measurement-map in a selection. One has no mkey with mval { 0: …}. One has mkey 1 with mval: { 1: …, 4: … } and one has mkey 2 with mval {0: …, 7: …}. That has to be the same selection structure for all selections in the series.

Collaborator

OK, surely L1188 needs unpacking. I suggest reorganising it this way:

  1. make a short normative statement, followed by
  2. an example

Added example describing selection constraints.

More clarification about the usage and matching order will be resolved by: [^tracked-at] https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/321
Then all selection statements in the series will use the same 3 matching criteria.
Collaborator

A, B and C being the same across conditions would make only the first condition match if any do. You need to check that for all n > 0, for all m in cond[n].selection, there uniquely exists some m’ in cond[0].selection such that m’.mkey = m.mkey AND keys(m.mval) = keys(m’.mval).

Collaborator

Likewise every mkey in cond[0] must appear in later conds.

Collaborator Author

@nedmsmith nedmsmith Dec 12, 2024

The existing text says that selection matching is based on the results of the condition. That means the selection conditions are not searching ACS, rather they are searching the results of the condition match. The above explanation seems to assume selection matching is over ACS no?

Collaborator

@deeglaze deeglaze Dec 13, 2024

Say your stateful environment record is [E, [mval: {1: min-svn(1)}, {mkey: 1, mval: {1: min-svn(2), 4: h'f00'}]]

You have multiple ECTs that match E and these measurement-maps. You then need to narrow down.
[[{mval: {1: 10}}, {mkey: 1, mval: {1: min-svn(3), 4: h'f00'}}, some endorsements],
[{mval: {1: 9}}, {mkey: 1, mval: {1: min-svn(2), 4: h'f00'}}, some endorsements]].

We have the same mkeys. The first selection binds your A to {1: 10} and B to {1: min-svn(3), 4: h'f00'}. That makes the second in the series invalid, since {1: 9} != {1: 10}. This is why I restricted only to the keys of the mval.
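The constraint sketched in the two earlier comments (every record selects the same mkeys as cond[0], and for each mkey the set of mval keys is identical, while the mval values may differ) as an added Python checker, run against the two records quoted in the comment above. This is example code written for this page, not the draft's text or any CoRIM implementation; the dict layout used for a measurement-map (optional "mkey", "mval" map) is an assumption.

```python
# Added checker for the structural constraint proposed in this thread: every
# conditional-series-record selection must select the same mkeys as cond[0],
# and for each mkey the set of mval keys must match. mval values (min-svn,
# digests) are deliberately not compared. Data shapes are constructed, not CDDL.
from typing import Any

def selection_shape(selection: list[dict[str, Any]]) -> dict[Any, frozenset]:
    """Map each measurement-map's mkey (None if absent) to its mval key set."""
    shape: dict[Any, frozenset] = {}
    for mm in selection:
        mkey = mm.get("mkey")
        if mkey in shape:  # one measurement-map per mkey in a list (see thread)
            raise ValueError(f"duplicate mkey {mkey!r} in selection")
        shape[mkey] = frozenset(mm["mval"].keys())
    return shape

def series_selection_errors(records: list[list[dict[str, Any]]]) -> list[str]:
    """Return violations relative to cond[0]; empty list means well-formed."""
    if not records:
        return ["series has no records"]
    errors: list[str] = []
    shapes = []
    for n, sel in enumerate(records):
        try:
            shapes.append(selection_shape(sel))
        except ValueError as e:
            return [f"record {n}: {e}"]
    ref = shapes[0]
    for n, shape in enumerate(shapes[1:], start=1):
        for mkey in ref.keys() - shape.keys():
            errors.append(f"record {n}: mkey {mkey!r} from record 0 is missing")
        for mkey in shape.keys() - ref.keys():
            errors.append(f"record {n}: mkey {mkey!r} not selected by record 0")
        for mkey in ref.keys() & shape.keys():
            if ref[mkey] != shape[mkey]:
                errors.append(f"record {n}: mkey {mkey!r} mval keys "
                              f"{sorted(shape[mkey])} != {sorted(ref[mkey])}")
    return errors

# Constructed from the two records quoted in the comment above: values differ
# ({1: 10} vs {1: 9}, min-svn(3) vs min-svn(2)) but the key sets agree.
SERIES_OK = [
    [{"mval": {1: 10}}, {"mkey": 1, "mval": {1: "min-svn(3)", 4: b"\xf0\x00"}}],
    [{"mval": {1: 9}}, {"mkey": 1, "mval": {1: "min-svn(2)", 4: b"\xf0\x00"}}],
]
# Constructed counterexample: the second record drops key 4 from mkey 1's mval.
SERIES_BAD = [SERIES_OK[0], [{"mval": {1: 9}}, {"mkey": 1, "mval": {1: "min-svn(2)"}}]]
```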

Collaborator Author

I made another editing pass. Is it OK?

Revised example text to illustrate how normative text is to be interpreted.
simplify sentence structure
@@ -1187,7 +1187,7 @@ The Conditional Endorsement Series Triple is used to assert endorsed values base
Every `conditional-series-record` selection MUST select the same `mkey`s where
every selected `mkey`'s corresponding set of keys (i.e., `mval`._key_) MUST be the same across each `conditional-series-record`.
For example, if a selection matches on 3 `measurement-map` statements; `mkey` is the same for all 3 statements
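Review bot: the first sentence of this hunk chains two MUSTs through "where", so it is unclear whether the second requirement (same `mval` key set per `mkey`) is a consequence of the first or an independent one; suggest splitting it into two normative sentences, e.g. "Every `conditional-series-record` selection MUST select the same `mkey`s." followed by "For each selected `mkey`, the set of keys of its `mval` MUST be the same across every `conditional-series-record`." In the example line that follows, the semicolon after "statements" should be a colon or comma, and "3 `measurement-map` statements" sharing one `mkey` within a single selection is not a well-formed list (a list of `measurement-map` carries at most one entry per `mkey`, as noted in the review below), so the example should describe 3 records that each select one `measurement-map` with the same `mkey`.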
Collaborator

"a selection" and "3 measurement-map statements" seem like the wrong way of describing it, since a list of measurement-map with the same mkey is ill-formed. You can only have one measurement-map with a specific mkey in a list of measurement-map.

I think you mean there are 3 conditional-series-record, and for each record, they have 1 measurement-map in their list each, and that measurement map has the same mkey, and an mval of the form you state below. That would be fine. It would also be fine for each record to have more than 1 measurement-map, such as

[[mkey: 0, mval: {A: _variable-X_, B: _variable-Y_, C: _variable-Z_ }], [mkey: 1, mval: {D: _variable-W_}]]

I don't think "mval contains" is appropriate either, since the first mval also contains "A=variable-X" without the closure. You need to state that mval contains exactly those 3 key/value pairs and no more.

added 'only' to further clarify
4 participants