Improve Interoperability in OCP Attestation
Fabrizio Damato (AMD)
Jeff Andersen (Google)

"How can Data Centers achieve scalable and secure attestation without a converged reporting standard?"

Interoperability Challenges in Attestation
[Diagram: Vendor A, B, C and D Attestation Reports; CSP Remote Verifier; Orchestrator; Device A, Device B, Device C, Device D]
OCP established interoperability as a key element of an "Admissible Architecture"
Composable Security Architecture

Breaking Down Interoperability
Interoperability:
  Standard Interfaces: I3C/DOE
  Standard Protocol/APIs: DMTF SPDM/MCTP
  Standard Evidence Report(s): ?
Goal: Converge on Attestation Report Format
DOE: Data Object Exchange

CBOR: Concise Binary Object Representation
  Extremely small code size
  Fairly small message size
  Extensibility without the need for version negotiation
CoRIM: Concise Reference Integrity Manifest
  A reference manifest of attested measurements
  Represented in CBOR
Building Blocks: CBOR and CoRIM

TCG introduced "concise-evidence", a CBOR-based evidence format.
  The other half of CoRIM, produced by the device
  Crafted around CoRIM semantics, can be easily verified against a CoRIM
DMTF SPDM 1.3 introduced the "Structured Manifest" measurement type.
  The concise-evidence binds with SPDM as a "Structured Manifest" payload
TCG DICE Binding for SPDM Concise Evidence
[Diagram: Device; Verifier; Vendor Endorser; SPDM; TLS; Concise evidence; IETF CoRIM]

TCG's "concise-evidence" format does not include an embedded signing scheme
Challenge: Verifier not an SPDM Requestor
[Diagram: Remote Verifier; Concise evidence; SPDM Requestor; L1/L2 signature; L1/L2 signature; Device (SPDM Responder)]

Verifier behind SPDM Requestor
[Diagram: Server Platform; VM; RoT; Remote verifier; Concise evidence; Guest Owner Atte