This document explains all the steps one needs to follow to successfully run end to end CCA Platform Verification Demonstration.
Note: The below commands assume an Ubuntu system, you may need to adjust the package managers and/or package names to match your Operating System.
- One needs to install
go,jq,sqlite3,tmuxandcurl.
Follow the instructions given here to install go in your system
Installing jq:
sudo apt update && sudo apt install jq && jq --versionInstalling sqlite3:
sudo apt update
sudo apt install sqlite3
sqlite3 --versionYou will get an output like this:
3.31.1 2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837balt1
Installing curl:
sudo apt install curlInstalling tmux:
sudo apt-get install tmux- For build to succeed one needs to install following packages:
- protoc-gen-go with version v1.26
Download
protobuf-all-[VERSION].tar.gzfrom here.
Extract the contents and change into the directory
./configure
make
make check
sudo make installTo check if this works
protoc --version
- protoc-gen-go-grpc version v1.1
go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1 - protoc-gen-go-json version v1.1.0
go install github.com/mitchellh/protoc-gen-go-json@v1.1.0 - mockgen version v1.6.0
go install github.com/golang/mock/mockgen@v1.6.0
-
One need to install jq and curl.
-
For build to succeed, one needs to install following packages:
- protoc-gen-go with version v1.26
- protoc-gen-go-grpc version v1.1
- protoc-gen-go-json version v1.1.0
- mockgen version v1.6.0
- Commands below assume execution in a Bourne-compatible shell. Please adjust appropriately in case any other shell is used.
First create new Concise Module Identifiers (CoMID's), then use them to create Concise Reference Integrity Manifests (CoRIM's) using reference templates located under docs/demo/cca/prov-verif-e2e/data/templates to provision them in Veraison Verification Service.
More details about CoRIM and CoMID can be found here
Do this ONLY if it is not done already:
Please Note: Setup instructions are same between PSA and CCA demonstration.
In a new Bourne-compatible shell session
export TOPDIR=$(pwd)- Install
coclitool for provisioning endorsements using following command
go install github.com/veraison/corim/cocli@demo-cca-1.0.0- Install
arctool for decoding attestation results using the following command
go install github.com/veraison/ear/arc@demo-cca-1.0.0git clone https://github.com/veraison/docscd ${TOPDIR}/docs/demo/cca/prov-verif-e2e- Create CoMIDs for CCA Trust Anchors and Reference Values using given JSON template
Please inspect template JSON file data/templates/comid-cca-ta-endorsements.json to provision CCA trust anchors (TA) and modify anything as per your requirement
Please inspect template JSON file data/templates/comid-cca-mult-refval.json to provision CCA reference values and modify anything as per your requirement
Using a single command one can create two CBOR files for two CoMIDs from above json templates
cocli comid create --template=data/templates/comid-cca-ta-endorsements.json \
--template=data/templates/comid-cca-mult-refval.jsonOne should see, on the console
created "comid-cca-ta-endorsements.cbor" from "data/templates comid-cca-ta-endorsements.json"
created "comid-cca-mult-refval.cbor" from "data/templates/comid-cca-mult-refval.json"
- Create a single CoRIM using given CoRIM JSON template and supplying CBOR Trust Anchor and Reference Value CoMIDs from above
cocli corim create --template=data/templates/corim-cca.json --comid=comid-cca-ta-endorsements.cbor --comid=comid-cca-mult-refval.cborcreated "corim-cca.cbor" from "data/templates/corim-cca.json"
Move the generated CORIM above to data/cbor directory
mv corim-cca.cbor data/cbor/- Please retain this shell, as
shell-1as you would need to come back here at the time of provisioning the endorsements.
To run provisioning test you need two parallel shell sessions.
In each shell, move to the directory location where you are going to clone the GIT repo and do:
export TOPDIR=$(pwd)In the first shell, clone the Veraison services repository:
git clone --branch demo-cca-1.0.0 https://github.com/veraison/servicesBuild the services:
make -C ${TOPDIR}/servicesStart the REST API frontend:
( cd ${TOPDIR}/services/provisioning/cmd/provisioning-service && ./provisioning-service )In another shell, create the KV stores:
( cd ${TOPDIR}/services/vts/cmd/vts-service && ./../../test-harness/init-kvstores.sh )Then start the VTS service:
( cd ${TOPDIR}/services/vts/cmd/vts-service && ./vts-service )VTS Service starts, loading available plugins. You should see a list of media types registered by the discovered pluings. e.g.
INFO loading attestation schemes
INFO Registered media types:
INFO application/psa-attestation-token
INFO application/eat-cwt; profile=http://arm.com/psa/2.0.0
INFO application/pem-certificate-chain
INFO application/vnd.enacttrust.tpm-evidence
INFO application/eat-collection; profile=http://arm.com/CCA-SSD/1.0.0
Go back to shell-1, used for Creation of CCA Endorsements
Ensure that you are under docs/demo/cca/prov-verif-e2e directory:
cd ${TOPDIR}/docs/demo/cca/prov-verif-e2eShip the single CORIM that contains CCA reference values and trust anchor from data/cbor folder using following commands
cocli corim submit --corim-file=data/cbor/corim-cca.cbor --api-server="http://localhost:8888/endorsement-provisioning/v1/submit" --media-type="application/corim-unsigned+cbor; profile=http://arm.com/cca/ssd/1"The REST frontend should return a success (200 this indicates HTTP OK) status.
The success of post API status can be noticed in console logs of the frontend (provisioning-service) as below...
[GIN] 2022/09/09 - 17:39:55 | 200 | 49.977785ms | 127.0.0.1 | POST "/endorsement-provisioning/v1/submit"
If so, you can inspect the KV stores to check what has been generated:
- Verification keys:
sqlite3 ${TOPDIR}/services/vts/cmd/vts-service/ta-store.sql 'select distinct vals from kvstore' | jq .- Reference values:
sqlite3 ${TOPDIR}/services/vts/cmd/vts-service/en-store.sql 'select distinct vals from kvstore' | jq .Use Ctrl-C to stop the REST provisioning frontend (shell-1) (as you
would not need provisioning service once the Reference Values and
Endorsements are now provisioned into Verification service)
If not already done, ensure the verification service is running:
( cd ${TOPDIR}/services/verification/cmd/verification-service && ./verification-service )In a new shell session
export TOPDIR=$(pwd)go install github.com/veraison/evcli@demo-cca-1.0.0cd ${TOPDIR}/docs/demo/cca/prov-verif-e2e- Verifying Evidence as a Relying party with the Veraison Verifier
- First create Evidence using supplied templates
evcli cca create --claims=data/templates/cca-claims.json --pak=data/keys/ec256.jwk --rak=data/keys/ec384.jwk --token=cca-evidence.cbor>> "cca-evidence.cbor" successfully created
- Exchange Evidence with the Verification Service
- Verifying as a Relying Party
evcli cca verify-as relying-party --api-server=http://localhost:8080/challenge-response/v1/newSession --token=cca-evidence.cbor | tr -d '"' > ear.jwtThe above command writes a Entity Attestation Result (ear) as a signed JSON Web Token in file ear.jwt
- Decoding the contents of Entity Attestation Result
One can cryptogrpahically verify the ear.jwt returned from Veraison and decode the contents using arc CLI tool as below:
arc verify -a=ES256 -p=data/keys/verif_es256_pub.jwk ear.jwt- Verifying as an Attester
evcli cca verify-as attester --api-server=http://localhost:8080/challenge-response/v1/newSession --claims=data/templates/cca-claims-without-realm-challenge.json --pak=data/keys/ec256.jwk --rak=data/keys/ec384.jwk | tr -d '"' > ear.jwtNow decode the Entity Attestation Results using arc tool as given above
- Log checking
-
On VTS plugin window(where VTS is running) one should see the debug print:
plugin.scheme-cca-ssd-platform: Token Signature Verified,matchSoftware Success&matchPlatformConfig Success -
On Verification window one should see Appraisal Context indicating Success