1 个不稳定版本
| 0.1.0 | 2024 年 3 月 22 日 |
|---|
#681 在 密码学
91KB
2K SLoC
rust-ccatoken
rust-ccatoken 是在 Rust 中实现 Arm CCA 认证令牌(Realm Management Monitor (RMM) Specification §A.7)的实现。
该库实现了以下接口
- 解码 CBOR 编码的 CCA 令牌
- 验证 CCA 令牌(平台、领域及其绑定)
- 使用用户提供的参考值和背书评估 CCA 证据
ccatoken CLI
除了库代码外,这个包还提供了一个 CLI 来操作 CCA 令牌。
以下所有示例都假设所有路径相对于此存储库的根目录,并且 ccatoken 可执行文件可以通过 shell 的 PATH 访达。即。
export PATH=$PATH:"$PWD/target/debug"
ccatoken golden
该 golden 命令为给定的令牌和 CPAK 创建参考值和信任锚。如果令牌没有通过 CPAK 成功验证,则不提取任何值。
ccatoken golden \
-e testdata/cca-token.cbor \
-c testdata/cpak.json \
-t golden-tastore.json \
-r golden-rvstore.json
成功时
golden values extraction successful
两个 "golden" 存储在磁盘上。内容可以使用 jq(1) 格式化如下
jq . golden-*.json
应该产生类似以下输出的输出
{
"platform": [
{
"implementation-id": "7f454c4602010100000000000000000003003e00010000005058000000000000",
"sw-components": [
{
"measurement-value": "07060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918",
"signer-id": "07060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918",
"version": "3.4.2",
"component-type": "BL"
},
{
"measurement-value": "07060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918",
"signer-id": "07060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918",
"version": "1.2",
"component-type": "M1"
},
{
"measurement-value": "07060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918",
"signer-id": "07060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918",
"version": "1.2.3",
"component-type": "M2"
},
{
"measurement-value": "07060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918",
"signer-id": "07060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918",
"version": "1",
"component-type": "M3"
}
],
"platform-configuration": "0107060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918"
}
],
"realm": [
{
"initial-measurement": "0000000000000000000000000000000000000000000000000000000000000000",
"rak-hash-algorithm": "sha-256",
"extensible-measurements": [
"0000000000000000000000000000000000000000000000000000000000000000",
"0000000000000000000000000000000000000000000000000000000000000000",
"0000000000000000000000000000000000000000000000000000000000000000",
"0000000000000000000000000000000000000000000000000000000000000000"
],
"personalization-value": "54686520717569636b2062726f776e20666f78206a756d7073206f766572203133206c617a7920646f67732e54686520717569636b2062726f776e20666f7820"
}
]
}
[
{
"pkey": {
"crv": "P-384",
"kty": "EC",
"x": "IShnxS4rlQiwpCCpBWDzlNLfqiG911FP8akBr-fh94uxHU5m-Kijivp2r2oxxN6M",
"y": "hM4tr8mWQli1P61xh3T0ViDREbF26DGOEYfbAjWjGNN7pZf-6A4OTHYqEryz6m7U"
},
"implementation-id": "7f454c4602010100000000000000000003003e00010000005058000000000000",
"instance-id": "0107060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918"
}
]
ccatoken appraise
该 appraise 命令尝试匹配提供的 CCA 令牌和参考值。
ccatoken appraise \
-e testdata/cca-token.cbor \
-r golden-rvstore.json
成功完成时,平台和领域的计算信任向量将打印到标准输出
appraisal completed
platform trust vector: {
"instance-identity": 2,
"configuration": 2,
"executables": 3,
"hardware": 2,
"runtime-opaque": 32
}
realm trust vector: {
"executables": 2
}
ccatoken verify
该 verify 命令使用从信任锚存储库中匹配的 CPAK 对提供的 CCA 令牌进行密码学验证。
ccatoken verify \
-e testdata/cca-token.cbor \
-t golden-tastore.json
成功完成时,平台和领域的计算信任向量将打印到标准输出
verification completed
platform trust vector: {
"instance-identity": 2
}
realm trust vector: {
"instance-identity": 2
}
依赖关系
~11–24MB
~472K SLoC