Add Attestation related D-bus Interface
Attestation provides critical and pertinent
security information about a specific device, system, software
element, or other managed entity.
Three relevant interfaces are defined as below.
ComponentIntegrity describes integrity of a component, including
what protocol used to measure the integrity, when was the integrity
info last updated, whether the integrity measurement is enabled, etc.
Some associations have been added to this interface, including a link
to the trusted component that the integrity object is reporting,
and a link to the systems that the integrity object is protecting.
IdentityAuthentication describes the identity verification status. It
also has two associations defined, one is a link to the requester's
certificate, the other one for the responder.
MeasurementSet defines the dbus method to get SPDM measurements.
These three interfaces are grouped under a new directory Attestation as
they are used to expose identity/integrity/measurement information for
an attestation.
Signed-off-by: Zhichuang Sun <zhichuang@google.com>
Change-Id: Iac86dfc63c85af04985a61ba52161301134e8f2b
diff --git a/yaml/xyz/openbmc_project/Attestation/ComponentIntegrity.interface.yaml b/yaml/xyz/openbmc_project/Attestation/ComponentIntegrity.interface.yaml
new file mode 100644
index 0000000..bc0b6dc
--- /dev/null
+++ b/yaml/xyz/openbmc_project/Attestation/ComponentIntegrity.interface.yaml
@@ -0,0 +1,67 @@
+description: >
+ Implement to represent component integrity information acquired from a
+ secure authentication or measurement of the protected components. A trusted
+ component (e.g., iRoT or TPM) is typically involved to provide the info
+ using a security protocol (e.g., SPDM).
+
+properties:
+ - name: Enabled
+ type: boolean
+ default: false
+ description: >
+ An indication of whether security protocols are enabled for the
+ component.
+
+ - name: Type
+ type: enum[self.SecurityTechnologyType]
+ default: Unknown
+ flags:
+ - readonly
+ description: >
+ The type of security technology for the component.
+
+ - name: TypeVersion
+ type: string
+ flags:
+ - readonly
+ description: >
+ The version of the security technology. Human readable format, e.g.
+ "1.1" for SPDM.
+
+ - name: LastUpdated
+ type: uint64
+ flags:
+ - readonly
+ description: >
+ The date and time when information for the component was last updated.
+ Firmware update, device certificate change or other device state
+ change that leads to component integrity change should update this
+ date. It is represented in milliseconds since the UNIX epoch.
+
+associations:
+ - name: authenticating
+ description: >
+ Objects that implement ComponentIntegrity can implement the
+ "authenticating" association to provide a link to the target component
+ whose integrity this resource authenticates.
+ reverse_name: authenticated_by
+ required_endpoint_interfaces:
+ - xyz.openbmc_project.Inventory.Item
+
+enumerations:
+ - name: SecurityTechnologyType
+ description: >
+ The security technology used for the component.
+ values:
+ - name: OEM
+ description: >
+ OEM-specific. If it is neither SPDM nor TPM, tag it OEM.
+ - name: SPDM
+ description: >
+ Security Protocol and Data Model (SPDM) protocol.
+ - name: TPM
+ description: >
+ Trusted Platform Module (TPM).
+ - name: Unknown
+ description: >
+ Security technology not known yet.
diff --git a/yaml/xyz/openbmc_project/Attestation/IdentityAuthentication.interface.yaml b/yaml/xyz/openbmc_project/Attestation/IdentityAuthentication.interface.yaml
new file mode 100644
index 0000000..f469a45
--- /dev/null
+++ b/yaml/xyz/openbmc_project/Attestation/IdentityAuthentication.interface.yaml
@@ -0,0 +1,44 @@
+description: >
+ Implement to represent properties related to Identity Authentication using
+ SPDM protocol.
+
+properties:
+ - name: ResponderVerificationStatus
+ type: enum[self.VerificationStatus]
+ default: Unknown
+ description: >
+ The status of the verification of the identity of the component.
+
+associations:
+ - name: requester_identitified_by
+ description: >
+ Objects that implement IdentityAuthentication can implement the
+ "requester_identified_by" association to provide a link to the target
+ certificate that provides the requester's identity.
+ reverse_name: identifying_requester
+ required_endpoint_interfaces:
+ - xyz.openbmc_project.Certs.Certificate
+
+ - name: responder_identitified_by
+ description: >
+ Objects that implement IdentityAuthentication can implement the
+ "responder_identified_by" association to provide a link to the target
+ certificate that provides the responder's identity.
+ reverse_name: identifying_responder
+ required_endpoint_interfaces:
+ - xyz.openbmc_project.Certs.Certificate
+
+enumerations:
+ - name: VerificationStatus
+ description: >
+ The possible status of the verification.
+ values:
+ - name: Failed
+ description: >
+ Unsuccessful verification.
+ - name: Success
+ description: >
+ Successful verification.
+ - name: Unknown
+ description: >
+ Status not known yet.
diff --git a/yaml/xyz/openbmc_project/Attestation/MeasurementSet.interface.yaml b/yaml/xyz/openbmc_project/Attestation/MeasurementSet.interface.yaml
new file mode 100644
index 0000000..ccb5312
--- /dev/null
+++ b/yaml/xyz/openbmc_project/Attestation/MeasurementSet.interface.yaml
@@ -0,0 +1,62 @@
+description: >
+ Implement to represent properties related to SPDM Measurements set.
+
+methods:
+ - name: SPDMGetSignedMeasurements
+ description: >
+ This method generates an SPDM cryptographic signed statement over the
+ given nonce and measurements of the SPDM Responder.
+
+ parameters:
+ - name: MeasurementIndices
+ type: array[size]
+ description: >
+ An array of indices that identify the measurement blocks to
+ sign.
+
+ - name: Nonce
+ type: string
+ description: >
+ A 32-byte hex-encoded string to be signed with the measurements.
+ The value should be unique.
+
+ - name: SlotId
+ type: size
+ description: >
+ The slot identifier for the certificate containing the private
+ key to generate the signature over the measurements.
+
+ returns:
+ - name: Certificate
+ type: object_path
+ description: >
+ Certificate corresponding to the SPDM slot identifier that can
+ be used to validate the signature.
+ - name: HashingAlgorithm
+ type: string
+ description: >
+ The hashing algorithm used for generating the cryptographic
+ signed statement.
+ - name: PublicKey
+ type: string
+ description: >
+ A Privacy Enhanced Mail (PEM)-encoded public key that can be
+ used to validate the signature.
+ - name: SignedMeasurements
+ type: string
+ description: >
+ Base64 encoded cryptographic signed statement generated by the
+ signer.
+ - name: SigningAlgorithm
+ type: string
+ description: >
+ The asymmetric signing algorithm used for generating the
+ cryptographic signed statement.
+ - name: Version
+ type: string
+ description: >
+ The SPDM version used by the SPDM Responder to generate the
+ cryptographic signed statement.
+ errors:
+ - xyz.openbmc_project.Common.Error.InvalidArgument
+ - xyz.openbmc_project.Common.Error.InternalFailure