Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add: Documentation for CoMID templates #20

Open
wants to merge 25 commits into
base: main
Choose a base branch
from
Open

Add: Documentation for CoMID templates #20

Changes from 2 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
b7bbcae
Add: Docs for CoMID Template Format
ravjot07 Dec 24, 2024
b995937
minor changes
ravjot07 Dec 24, 2024
d5f6ccc
Update data/comid/README.md
ravjot07 Dec 25, 2024
9a70845
Update Readme: add examples and diagrams
ravjot07 Dec 27, 2024
d2e7ffd
Merge branch 'docs' of https://github.com/ravjot07/cocli into docs
ravjot07 Dec 27, 2024
41453a0
minor changes
ravjot07 Dec 27, 2024
b4038e1
Docs: CoRIM template Format
ravjot07 Dec 30, 2024
b60c154
Update: diagrams to mermaid format and some minor changes
ravjot07 Jan 4, 2025
1a28a31
fix(docs): Update README for Windows Bash auto-completion and correct…
Priyanshuthapliyal2005 Dec 22, 2024
a05f8fb
update window bash to git bash
Priyanshuthapliyal2005 Dec 23, 2024
f44bd62
Update: corim display Command to Support Unsigned CoRIMs
ravjot07 Dec 20, 2024
9cfeed7
Refractor code into more modeluar function
ravjot07 Dec 22, 2024
d4963e7
minor changes
ravjot07 Dec 22, 2024
7427ebf
Fixes: ci issue
ravjot07 Dec 23, 2024
5a9919d
Add: Docs for CoMID Template Format
ravjot07 Dec 24, 2024
9e820d9
minor changes
ravjot07 Dec 24, 2024
1447a59
Update Readme: add examples and diagrams
ravjot07 Dec 27, 2024
c470890
Update data/comid/README.md
ravjot07 Dec 25, 2024
d554494
minor changes
ravjot07 Dec 27, 2024
eac2206
Docs: CoRIM template Format
ravjot07 Dec 30, 2024
a32b99e
Update: diagrams to mermaid format and some minor changes
ravjot07 Jan 4, 2025
19fcbf4
Removed pngs and updated links
ravjot07 Jan 7, 2025
7cecd10
Removed pngs and updated links
ravjot07 Jan 7, 2025
e312487
minor changes
ravjot07 Jan 7, 2025
d77c838
testing prelinks
ravjot07 Jan 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 83 additions & 0 deletions data/comid/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@

# CoMID Template Format

## 1 Introduction

**CoMID (Concise Model Identifier)**, is a data model and serialization format (in JSON) for capturing **reference values** and **verification keys** that can be used in remote attestation and other trust-verification scenarios. By standardizing how measurements are captured and shared, CoMID facilitates **interoperability**, **integrity**, and **traceability** across various systems and vendors.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please keep separate sentences on separate lines. I don’t know what is meant by traceability here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is what i get form https://datatracker.ietf.org/doc/draft-ietf-rats-corim/ page no 15 and from here i meant by tracebility is that we could extract information about hardware, firmware

A CoMID tag contains information about hardware, firmware, or module
   composition.

   Each CoMID has a unique ID that is used to unambiguously identify
   CoMID instances when cross referencing CoMID tags, for example in
   typed link relations, or in a CoBOM tag.

   A CoMID defines several types of Claims, using "triples" semantics.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure i will keep separate sentences on separate lines.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't say traceability when you really just mean the integrity of the measurements. There's a whole other form of supply chain security that tracks the links in the chain from source to binary that isn't captured by the CoRIM specification.


## 2 Template Structure

A CoMID template is a JSON document composed of **top-level fields** and a **triples** object. The **top-level fields** provide overall identification, language, and authorship, while the **triples** object contains domain-specific data (e.g., reference values, attester keys).

```
{
"lang": "<language-region>",
"tag-identity": { ... },
"entities": [ ... ],
"triples": {
"reference-values": [ ... ],
"attester-verification-keys": [ ... ]
...
}
}
```

### 2.1 Top-Level Fields

- **lang** (`String`): Defines the language or locale (e.g., `"en-GB"`).
- **tag-identity** (`Object`): Uniquely identifies this CoMID document via an ID (often a UUID) and includes a version number.
- **entities** (`Array`): Lists the entities (organizations, individuals, etc.) contributing to or maintaining the document, along with their roles.

### 2.2 Triples

- **reference-values**: One or more **reference-value** objects, each containing an **environment** and one or more **measurements**.
- **attester-verification-keys**: One or more **attester-verification-key** objects, each containing an **environment** and an array of **verification-keys**.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn’t match the common attestation terminology. An attestation private key signs an attestation, and the attestation public key is used to verify attestation signatures, but I wouldn’t call that a verification key.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In comid-psa-iakpub.json template file term used is verification keys for array, like could you provide some reference for this

"attester-verification-keys": [
      {
        "environment": {
          "class": {
            "id": {
              "type": "psa.impl-id",
              "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
            },
            "vendor": "ACME",
            "model": "RoadRunner"
          },
          "instance": {
            "type": "ueid",
            "value": "Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI"
          }
        },
        "verification-keys": [
          {
            "type": "pkix-base64-key",
            "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----"
          }
        ]
      }

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ravjot07, you could use "attestation public key" rather than "verification-keys" in L34.

Note: the way we encode verification keys for CCA and PSA will likely change to use the CoTS (i.e., trusted anchors) format instead. So, it's not something worth much sweating at this point.



## 3 Components

### 3.1 Environment

An **environment** captures the context of a measurement or verification key:

- **class**: Vendor, model, and possibly an ID (`type` + `value`).
- **instance** (`optional`): For distinguishing multiple instances of the same environment (e.g., using `ueid` or `uuid`).
- **layer** and **index** (`optional`): For layered environments (e.g., DICE layers in multi-stage boot processes).

### 3.2 Measurements

Each measurement has two crucial subfields:

- **key**: Identifies the measurement, including possible fields like `label`, `version`, and `signer-id`.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These don’t match the CoMID spec.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@deeglaze could you be more specfic as i got it in most of the templates like


            "key": {
              "type": "psa.refval-id",
              "value": {
                "label": "PRoT",
                "version": "1.3.5",
                "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
              }
            }

- **value**: Holds the actual measurement data (e.g., cryptographic digests, raw values, or operational flags).

### 3.3 Attester Verification Keys

Used to store **public keys** associated with an environment. This is essential for verifying the attestation claims or measurement signatures produced by that environment.

## 4 Field-By-Field Explanation

### 4.1 Global Fields
| Field | Type | Description | Example |
|:------------: |:------: |:-------------------------------------------------------: |:--------------------------------------------: |
| lang | String | Language/country code. | "en-GB" |
| tag-identity | Object | Identity of this CoMID tag (UUID + version). | "id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16" |
| entities | Array | The organizations/roles associated with this CoMID tag. | [ { "name": "ACME Ltd." ... } ] |

### 4.2 Reference-Value Fields
| Field | Type | Description | Example |
|:------------------:|:------:|:----------------------------------------------------------------------------------:|:---------------------------------------------------------------------------------------------:|
| environment | Object | Contains class and optionally instance, layer, index. | See 3.1 Environment. |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This enumeration confuses what is optional and required, as well as what is where. The layer and index are optional fields of class, whereas instance is at the same level as class.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ravjot07 take a look at these here:- https://github.com/ravjot07/cocli/tree/docs/data/comid#42-reference-value-fields
actually i had simply used excel file for these tables and then later converted it into md format using online tools like table converter

| measurements | Array | List of measurement objects. | [ { "key": { ... }, "value": { ... } } ] |
| measurements.key | Object | Identifies the measurement. Could be a psa.refval-id, cca.platform-config-id, etc. | { "type": "psa.refval-id", "value": { "label": "BL", "version": "2.1.0", ... } } |
| measurements.value | Object | Holds the actual measurement data. | { "digests": ["sha-256:..."] }, or { "raw-value": { "type": "bytes", "value": "..." } }, etc. |

### 4.3 Attester-Verification-Key Fields
| Field | Type | Description | Example |
|:-----------------:|:------:|:---------------------------------------:|:---------------------------------------------------------------------------:|
| environment | Object | Defines the environment for these keys. | See 3.1 Environment. |
| verification-keys | Array | Holds one or more public keys. | [ { "type": "pkix-base64-key", "value": "-----BEGIN PUBLIC KEY-----..." } ] |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still would rename these

----------

### 5 High Level Structure for CoMID Templates

Loading