[tools/sgx] Interoperable RA-TLS #1039
Conversation
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
5 times, most recently
from
e800988 to
349438f
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 12 files reviewed, all discussions resolved, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "WIP" found in commit messages' one-liners
subprojects/packagefiles/libcbor/meson.build line 26 at r1 (raw file):
# We can't use `include_directories('include')` because the `include/` dir is generated in the # custom target above, but Meson checks for existence of the dir *before* running the target
subprojects/packagefiles/libcbor/meson.build line 33 at r1 (raw file):
# HACK: Use the generated "cbor.h" file and propagate it as part of the RA-TLS build dependency # to enforce compile order, i.e., to make sure libcbor headers are ready before RA-TLS sources # start compiling.
FYI: this hack is taken from c15ca88 (PR #773). Thanks to Kailun for this!
tools/sgx/ra-tls/ra_tls.h line 49 at r1 (raw file):
static const size_t g_evidence_oid_raw_size = sizeof(g_evidence_oid_raw); #define TCG_DICE_TAGGED_EVIDENCE_CBOR_TAG 0x1234 /* FIXME: proper IANA tag once registered */
FYI: https://github.com/inclavare-containers/librats/pull/70/files#diff-185d289285535eed189c6af62435742c52b0ffa61ae647ab41fa4d4c5c8ec5b6 -- RATS uses 0x1a75
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
from
349438f to
ade87ee
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 13 files reviewed, all discussions resolved, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "WIP" found in commit messages' one-liners
meson.build line 265 at r2 (raw file):
protobuf_dep = dependency('libprotobuf-c') libcbor_dep = subproject('libcbor-0.9.0').get_variable('libcbor_dep')
FYI: I cannot use https://mesonbuild.com/CMake-module.html# because of this bug: mesonbuild/meson#10764
dimakuv
changed the title
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
from
ade87ee to
7df10d8
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 14 files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "DONTMERGE" found in commit messages' one-liners
a discussion (no related file):
For high-level overview of this proposal, I recommend to read this and look at the new RA-TLS diagram: https://github.com/gramineproject/gramine/blob/dimakuv/interoperable-ra-tls/Documentation/attestation.rst
There was a problem hiding this comment.
Reviewable status: 0 of 14 files reviewed, 3 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "DONTMERGE" found in commit messages' one-liners
a discussion (no related file):
For Interoperable RA-TLS in other SGX frameworks, track these:
- [WIP][RFC] librats for DICE evidence extension inclavare-containers/librats#70
- Add Support of Interoperable TLS Proposal openenclave/openenclave#4653
a discussion (no related file):
This PR is ready for review.
However, to finalize the PR, we need a published Interoperable RA-TLS spec and registered CBOR tags. This is work in progress. But we can do reviews, testing and discussions in parallel.
dimakuv
force-pushed
the
dimakuv/cosmetic-changes-ra-tls
branch
from
2f26651 to
67b1b9f
Compare
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
from
7df10d8 to
cc4671c
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 16 files reviewed, 3 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "DONTMERGE" found in commit messages' one-liners
a discussion (no related file):
I rebased this PR now on top of current master because we merged a prerequisite PR #1038
There was a problem hiding this comment.
Reviewable status: 0 of 16 files reviewed, 4 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "DONTMERGE" found in commit messages' one-liners (waiting on @dimakuv)
tools/sgx/ra-tls/ra_tls.h line 41 at r4 (raw file):
static const size_t g_quote_oid_size = sizeof(g_quote_oid); /* standard TCG DICE "tagged evidence" OID (2.23.133.4.9) */
Hello Dmitrii 👋, I'm from librats. Where did you get this oid? According to the definition in the TCG DICE Attestation Architecture document, it should be 2.23.133.5.4.9. Please let me know if the document has been updated.
There was a problem hiding this comment.
Reviewable status: 0 of 16 files reviewed, 6 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "DONTMERGE" found in commit messages' one-liners (waiting on @KB5201314)
tools/sgx/ra-tls/ra_tls.h line 41 at r4 (raw file):
Previously, KB5201314 (imlk) wrote…
Hello Dmitrii 👋, I'm from librats. Where did you get this oid? According to the definition in the TCG DICE Attestation Architecture document, it should be
2.23.133.5.4.9. Please let me know if the document has been updated.
Yes, indeed, this is a wrong OID. I'll need to fix it everywhere:
- In RA-TLS code itself (both in OID and in raw-OID)
- In Examples
- In Documentation (on the diagram)
tools/sgx/ra-tls/ra_tls_attest.c line 227 at r4 (raw file):
} /*! generate claims -- CBOR map with { "pubkey" = <DER-formatted pubkey as CBOR bstr> } */
The new version of the standard proposes to use:
"pubkey-hash" = CBOR array of [ hash-algo-id, hash-value ]
Change my implementation to this.
tools/sgx/ra-tls/ra_tls_verify_common.c line 352 at r4 (raw file):
} if (strncmp((char*)cbor_string_handle(claims_pairs[i].key), "pubkey",
ditto ("pubkey-hash")
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
from
cc4671c to
af400b3
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 17 files reviewed, 6 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "DONTMERGE" found in commit messages' one-liners (waiting on @KB5201314)
a discussion (no related file):
FYI: For OID <-> raw bytes conversion, one can use https://misc.daniel-marschall.de/asn.1/oid-converter/online.php
tools/sgx/ra-tls/ra_tls.h line 41 at r4 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Yes, indeed, this is a wrong OID. I'll need to fix it everywhere:
- In RA-TLS code itself (both in OID and in raw-OID)
- In Examples
- In Documentation (on the diagram)
Done
tools/sgx/ra-tls/ra_tls.h line 55 at r5 (raw file):
#define IANA_NAMED_INFO_HASH_ALG_REGISTRY_SHA256 1 #define IANA_NAMED_INFO_HASH_ALG_REGISTRY_SHA384 7 #define IANA_NAMED_INFO_HASH_ALG_REGISTRY_SHA512 8
Exact list of supported hash funcs is under discussion, see CCC-Attestation/interoperable-ra-tls#6
tools/sgx/ra-tls/ra_tls_attest.c line 227 at r4 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
The new version of the standard proposes to use:
"pubkey-hash" = CBOR array of [ hash-algo-id, hash-value ]Change my implementation to this.
Done
tools/sgx/ra-tls/ra_tls_verify_common.c line 352 at r4 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
ditto (
"pubkey-hash")
Done
tools/sgx/ra-tls/ra_tls_verify_common.c line 267 at r5 (raw file):
} /* TODO: add other recognized hash functions on a need basis */
Under discussion, see CCC-Attestation/interoperable-ra-tls#6
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
from
af400b3 to
4a5c275
Compare
dimakuv
changed the title
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
from
4a5c275 to
d321063
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 17 files reviewed, 25 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "DONTMERGE" found in commit messages' one-liners (waiting on @dimakuv)
-- commits line 11 at r6:
SGX/TDX
Code quote:
SGX
Documentation/attestation.rst line 251 at r6 (raw file):
SGX enclave (attester). .. image:: ./img/ratls-interoperable.svg
Same question (see below) for the pubkey of claims in the diagram.
Code quote:
/img/ratls-interoperable.svgDocumentation/attestation.rst line 267 at r6 (raw file):
the so-called evidence claims, with the most important one being the "pubkey" claim that contains the ephemeral public key (in DER format) generated by the enclavized application. For reasons of standardization, the OID object and all
Isn't it just ""pubkey-hash"" rather than the key itself?
Code quote:
the so-called evidence claims, with the most important one being the "pubkey"
claim that contains the ephemeral public key (in DER format) generated by the
enclavized application. For reasons of standardization, the OID object and allDocumentation/attestation.rst line 273 at r6 (raw file):
complete claims buffer. This is how the RA-TLS certificate is tied to the enclavized application that generated it (through the claims buffer that contains the enclave-generated public key). In the end, the RA-TLS certificate
Same question as above.
Code quote:
contains the enclave-generated public keyDocumentation/attestation.rst line 282 at r6 (raw file):
The diagram above shows the non-standard X.509 certificate generated by RA-TLS. This format, with a non-standard X.509 extension field (and a dummy OID), was developed prior to the "Interoperable RA-TLS" specification, and is deprecated.
will be?
Code quote:
isDocumentation/attestation.rst line 283 at r6 (raw file):
This format, with a non-standard X.509 extension field (and a dummy OID), was developed prior to the "Interoperable RA-TLS" specification, and is deprecated. One can see that the non-standard OID directly embeds the SGX quote, doesn't
It's not accurate. The OID is just an identifier.
Code quote:
OIDDocumentation/attestation.rst line 286 at r6 (raw file):
have the concept of claims and doesn't use the CBOR data format. Gramine generates RA-TLS certificates that contain both the new standard OID and
ditto
Code quote:
OIDsubprojects/libcbor-0.9.0.wrap line 2 at r6 (raw file):
[wrap-file] directory = libcbor-0.9.0
Note: there is a newer version of libcbor available.
Code quote:
libcbor-0.9.0
subprojects/packagefiles/libcbor/meson.build line 33 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
FYI: this hack is taken from c15ca88 (PR #773). Thanks to Kailun for this!
We eventually droped the hack in the merged version of #773. Does the solution applies to this PR as well?
tools/sgx/ra-tls/ra_tls.h line 46 at r6 (raw file):
/* standard TCG DICE "tagged evidence" OID (2.23.133.5.4.9) */ #define TCG_DICE_TAGGED_EVIDENCE_OID { 0x67, 0x81, 0x05, 0x05, 0x04, 0x09 } #define TCG_DICE_TAGGED_EVIDENCE_OID_RAW { 0x06, 0x06, 0x67, 0x81, 0x05, 0x05, 0x04, 0x09 }
Where is this "raw" OID used?
tools/sgx/ra-tls/ra_tls_attest.c line 223 at r6 (raw file):
/*! generate hash-entry -- CBOR array with [ hash-alg-id, hash-value -- hash of pubkey ] */ static int generate_serialized_hash_entry(mbedtls_pk_context* pk, uint8_t** out_hash_entry_buf,
Suggest to rename to generate_serialized_pk_hash_entry() as this only works for pk.
Code quote:
generate_serialized_hash_entrytools/sgx/ra-tls/ra_tls_attest.c line 282 at r6 (raw file):
static int generate_serialized_claims(mbedtls_pk_context* pk, uint8_t** out_claims_buf, size_t* out_claims_buf_size) { cbor_item_t* cbor_claims = cbor_new_definite_map(1);
Looks like we do not support per-session nonce at this moment. But we do cite it in the format description comment below.
Should we just not mention it at all (until we extend the support) or we add a TODO w/ it?
Similar question for the endorsement extention.
Code quote:
cbor_new_definite_map(1)tools/sgx/ra-tls/ra_tls_attest.c line 327 at r6 (raw file):
cbor_decref(&cbor_pubkey_hash_val); cbor_decref(&cbor_pubkey_hash_key); cbor_decref(&cbor_claims);
Any issues w/ implementing the generate_serialized_xxx() functions in a goto cleanup/error handling style? It's a bit hard to read.
tools/sgx/ra-tls/ra_tls_attest.c line 426 at r6 (raw file):
* CBOR array -> * [ * 0: CBOR uint (hash-alg-id),
Seems it's not precisely uint8 but whatever uint (from spec), just our implementation picks uint8 for it.
Code quote:
uinttools/sgx/ra-tls/ra_tls_attest.c line 461 at r6 (raw file):
ssize_t quote_size = rw_file("/dev/attestation/quote", quote, SGX_QUOTE_MAX_SIZE, /*do_write=*/false);
Please align.
tools/sgx/ra-tls/ra_tls_attest.c line 491 at r6 (raw file):
uint8_t* evidence = NULL; /* TODO: this legacy OID with plain SGX quote should be removed at some point */
Suggest to also elaborate/explain a bit further that below we create X.509 certs that have both the old (legacy) OID as well as the new OID. This is for keeping the backward compatibility by sacrificing a bit the size of certs.
tools/sgx/ra-tls/ra_tls_verify_common.c line 241 at r6 (raw file):
cbor_hash_value = cbor_array_get(cbor_hash_entry, /*index=*/1); if (!cbor_hash_value || !cbor_isa_bytestring(cbor_hash_value) || !cbor_bytestring_is_definite(cbor_hash_value)) {
Check cbor_bytestring_length()?
tools/sgx/ra-tls/ra_tls_verify_common.c line 259 at r6 (raw file):
switch (hash_alg_id) { /* assume that RESERVED (ID = 0) means SHA256 */
Why can we make this assumption?
Update: Interesting... I found the proposal in CCC-Attestation/interoperable-ra-tls#6, but it's not claimed in the doc/spec.
tools/sgx/ra-tls/ra_tls_verify_common.c line 365 at r6 (raw file):
size_t quote_size = cbor_bytestring_length(cbor_quote); if (quote_size < sizeof(*quote)) {
What if quote_size > sizeof(*quote)?
Code quote:
quote_sizetools/sgx/ra-tls/ra_tls_verify_common.c line 428 at r6 (raw file):
} if (strncmp((char*)cbor_string_handle(claims_pairs[i].key), "pubkey-hash",
Suggest to define a macro for the key name.
Code quote:
"pubkey-hash"tools/sgx/ra-tls/ra_tls_verify_common.c line 514 at r6 (raw file):
if (!ret) return 0;
Do we need to verify the legacy quote if the standard one is verified pass?
There was a problem hiding this comment.
Reviewable status: 0 of 18 files reviewed, 21 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " and "DONTMERGE" found in commit messages' one-liners (waiting on @dimakuv and @kailun-qin)
a discussion (no related file):
However, to finalize the PR, we need [...] registered CBOR tags. This is work in progress.
CBOR tags were registered, see here: https://github.com/CCC-Attestation/interoperable-ra-tls/blob/main/docs/Interoperable-RA-TLS-SGX-TDX-evidence-formats.md#sgx--tdx-evidence-cbor-tags-registration
This PR is updated with these new tags (in a fixup commit).
Previously, kailun-qin (Kailun Qin) wrote…
SGX/TDX
I don't want to mention TDX in this context. This will only confuse people. I'd like to concentrate on SGX.
-- commits line 14 at r6:
I must change from hash-entry to pubkey-hash during final rebase
Documentation/attestation.rst line 251 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Same question (see below) for the
pubkeyof claims in the diagram.
Done. Thanks. This was on old spec.
Documentation/attestation.rst line 267 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Isn't it just
""pubkey-hash""rather than the key itself?
Done. Thanks. This was on old spec.
Documentation/attestation.rst line 273 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Same question as above.
Done
Documentation/attestation.rst line 282 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
will be?
But as soon as this PR is merged, the previous format becomes deprecated. So I think the current wording is correct.
Documentation/attestation.rst line 283 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
It's not accurate. The OID is just an identifier.
True, but could you propose a better wording here? Maybe ...OID object directly embeds ...?
Documentation/attestation.rst line 286 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
ditto
How should I rephrase? The text looks reasonable to me as is.
subprojects/packagefiles/libcbor/meson.build line 33 at r1 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
We eventually droped the hack in the merged version of #773. Does the solution applies to this PR as well?
The solution from your dropped commit applies well here, whereas the actual merged solution doesn't apply. That's because RA-TLS sources are part of Gramine codebase itself, and not a subproject (like it was in your case of Curl + mbedTLS).
tools/sgx/ra-tls/ra_tls.h line 55 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Exact list of supported hash funcs is under discussion, see CCC-Attestation/interoperable-ra-tls#6
Done, this was already added in the spec: https://github.com/CCC-Attestation/interoperable-ra-tls/pull/7/files
tools/sgx/ra-tls/ra_tls.h line 46 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Where is this "raw" OID used?
See my other comment.
tools/sgx/ra-tls/ra_tls.h line 52 at r6 (raw file):
static const size_t g_evidence_oid_raw_size = sizeof(g_evidence_oid_raw); #define TCG_DICE_TAGGED_EVIDENCE_CBOR_TAG 0x1A7501 /* FIXME: proper IANA tag once registered */
FYI: Renamed from TCG_DICE_TAGGED_EVIDENCE_CBOR_TAG to TCG_DICE_TAGGED_EVIDENCE_TEE_QUOTE_CBOR_TAG, now that this is registered with IANA.
tools/sgx/ra-tls/ra_tls_attest.c line 223 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Suggest to rename to
generate_serialized_pk_hash_entry()as this only works forpk.
Done.
tools/sgx/ra-tls/ra_tls_attest.c line 282 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Looks like we do not support per-session nonce at this moment. But we do cite it in the format description comment below.
Should we just not mention it at all (until we extend the support) or we add a TODO w/ it?
Similar question for the endorsement extention.
Done
tools/sgx/ra-tls/ra_tls_attest.c line 327 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Any issues w/ implementing the
generate_serialized_xxx()functions in agoto cleanup/error handlingstyle? It's a bit hard to read.
Yeah, there are issues with goto cleanup style... CBOR library (libcbor) has a complicated system of object ownership. Keeping track of what CBOR function incremented which object is complicated to implement in the goto style (I tried first).
tools/sgx/ra-tls/ra_tls_attest.c line 426 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Seems it's not precisely
uint8but whateveruint(from spec), just our implementation picksuint8for it.
Yes, your comment is correct. Is there anything I should do/change?
tools/sgx/ra-tls/ra_tls_attest.c line 461 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Please align.
Done.
tools/sgx/ra-tls/ra_tls_attest.c line 491 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Suggest to also elaborate/explain a bit further that below we create X.509 certs that have both the old (legacy) OID as well as the new OID. This is for keeping the backward compatibility by sacrificing a bit the size of certs.
Done. Expanded the comment above.
tools/sgx/ra-tls/ra_tls_verify_common.c line 241 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Check
cbor_bytestring_length()?
I have a check if (cbor_bytestring_length(cbor_hash_value) != sha_size) below already. Isn't it enough? What would the additional check bring?
tools/sgx/ra-tls/ra_tls_verify_common.c line 259 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Why can we make this assumption?
Update: Interesting... I found the proposal in CCC-Attestation/interoperable-ra-tls#6, but it's not claimed in the doc/spec.
I just wanted to assume something for ID=0. How do you think we should proceed?
Ok, I asked the question here: CCC-Attestation/interoperable-ra-tls#6. Let's see what the result will be.
tools/sgx/ra-tls/ra_tls_verify_common.c line 324 at r6 (raw file):
uint8_t* evidence_buf; size_t evidence_buf_size; int ret = find_oid(crt->v3_ext.p, crt->v3_ext.len, g_evidence_oid_raw, g_evidence_oid_raw_size,
@kailun-qin Here is where we use the raw OID.
tools/sgx/ra-tls/ra_tls_verify_common.c line 365 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
What if
quote_size > sizeof(*quote)?
The actual quote actually must be larger than struct sgx_quote_t, because the actual SGX quote contains the signature string (the list of Intel certificates). See this:
tools/sgx/ra-tls/ra_tls_verify_common.c line 428 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Suggest to define a macro for the key name.
To be honest, I don't see a point. If it becomes a standard, this name will 100% never change.
Also, if we would have a macro, this won't help in anything -- we have this pubkey-hash string all over our code (in comments) and documentation, so we'll have to change the whole code anyway.
tools/sgx/ra-tls/ra_tls_verify_common.c line 514 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Do we need to verify the legacy quote if the standard one is verified pass?
No, we don't need to verify the legacy quote. This is what the current code does already... Note the if (!ret) return 0 line above -- this is exactly this.
subprojects/libcbor-0.9.0.wrap line 2 at r6 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
Note: there is a newer version of libcbor available.
Done
There was a problem hiding this comment.
Reviewable status: 0 of 18 files reviewed, 21 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " and "DONTMERGE" found in commit messages' one-liners (waiting on @kailun-qin)
tools/sgx/ra-tls/ra_tls_verify_common.c line 259 at r6 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
I just wanted to assume something for ID=0. How do you think we should proceed?
Ok, I asked the question here: CCC-Attestation/interoperable-ra-tls#6. Let's see what the result will be.
Done, I removed the "RESERVED implies SHA256" logic. Now Gramine's RA-TLS fails on finding RESERVED hash alg id.
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
from
aa1ab39 to
de28d46
Compare
There was a problem hiding this comment.
Reviewable status: 7 of 27 files reviewed, 11 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv, @kailun-qin, and @mkow)
a discussion (no related file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
FYI: I rebased this PR again against latest Gramine (v1.6), it's ready for review.
Note that libcbor is still v0.10.2 -- the latest as of January 2024.
FYI: Rebased against latest Gramine (v1.7), ready for review.
libcbor is now v0.11.0
a discussion (no related file):
Previously, mkow (Michał Kowalczyk) wrote…
Could you do it now? (or maybe after the doc PR? see my comments below)
Done
.ci/ubuntu20.04.dockerfile line 1 at r9 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Let's do the rebase now then :)
Done.
CI-Examples/ra-tls-mbedtls/src/server.c line 190 at r10 (raw file):
/* user asks to maliciously modify the embedded SGX quote (for testing purposes); we * have two quotes currently (with legacy OID and with standard TCG DICE OID), so we * modify them both */
Done.
CI-Examples/ra-tls-mbedtls/src/server.c line 196 at r10 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Could you move the OID definitions to
ra_tls.h? This way you could use them here.
Done.
Documentation/sgx-intro.rst line 246 at r10 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
What about claims? (but we probably should say
Claims (attestation), it's a very generic term.
Done.
Documentation/sgx-intro.rst line 269 at r10 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Now that I'm reading it, it's quite a lot, maybe you could make a separate PR out of it which we'd quickly review and merge separately?
It would make the review easier for me.
Done. See #1927
Blocking myself on this prerequisite (this PR will need to be rebased on top of 1927).
There was a problem hiding this comment.
Reviewed 1 of 19 files at r8, 1 of 9 files at r10, 16 of 18 files at r11, all commit messages.
Reviewable status: 24 of 27 files reviewed, 14 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv and @kailun-qin)
a discussion (no related file):
No version number in the directory name? (packagefiles/libcbor/)
.ci/ubuntu22.04.dockerfile line 58 at r11 (raw file):
gcc-12 \ gdb \ gettext \
Why is this list of added libs so different than for 24.04?
Documentation/attestation.rst line 271 at r9 (raw file):
.. image:: ./img/ratls.svg :target: ./img/ratls.svg :alt: Figure: The X.509 certificate generated by RA-TLS (legacy)
TODO for myself: render this and verify
subprojects/libcbor-0.11.0.wrap line 3 at r11 (raw file):
[wrap-file] directory = libcbor-0.11.0 source_url = https://github.com/PJK/libcbor/archive/refs/tags/v0.11.0.tar.gz
Just a note: A significant (IMO) drawback of this PR is pulling some niche project into our TCB and exposing it to untrusted input.
subprojects/libcbor-0.11.0.wrap line 4 at r11 (raw file):
directory = libcbor-0.11.0 source_url = https://github.com/PJK/libcbor/archive/refs/tags/v0.11.0.tar.gz source_fallback_url = https://packages.gramineproject.io/distfiles/libcbor-v0.11.0.tar.gz
@woju: Please upload.
subprojects/packagefiles/libcbor/compile.sh line 9 at r11 (raw file):
} CURRENT_SOURCE_DIR="$1"
What do you mean by "current"? Are there any other source directories? Ditto for build dir.
Code quote:
CURRENT_subprojects/packagefiles/libcbor/compile.sh line 11 at r11 (raw file):
CURRENT_SOURCE_DIR="$1" CURRENT_BUILD_DIR="$2" PRIVATE_DIR="$3"
Please verify that the arguments were actually passed (and print usage info if not).
subprojects/packagefiles/libcbor/meson.build line 26 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Could you link to it in the comment?
There was a problem hiding this comment.
Reviewed 2 of 19 files at r8, 1 of 18 files at r11.
Reviewable status: 25 of 27 files reviewed, 19 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv and @kailun-qin)
tools/sgx/ra-tls/ra_tls_attest.c line 140 at r11 (raw file):
/* embed the SGX quote into the generated certificate (as X.509 extension) in two formats: * - legacy non-standard "SGX quote" OID (used from Gramine v1.0)
If you specify Gramine versions here then please specify them fully, i.e. also in TCG DICE.
tools/sgx/ra-tls/ra_tls_attest.c line 140 at r11 (raw file):
/* embed the SGX quote into the generated certificate (as X.509 extension) in two formats: * - legacy non-standard "SGX quote" OID (used from Gramine v1.0)
Suggestion:
sincetools/sgx/ra-tls/ra_tls_common.h line 27 at r11 (raw file):
#define IAS_REQUEST_NONCE_LEN 32 #ifndef NON_STANDARD_INTEL_SGX_QUOTE_OID
Why not including ra_tls.h instead of duplicating the constants?
tools/sgx/ra-tls/ra_tls_common.h line 31 at r11 (raw file):
{ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF8, 0x4D, 0x8A, 0x39, 0x06 } #endif static const uint8_t g_quote_oid[] = NON_STANDARD_INTEL_SGX_QUOTE_OID;
Could you prefix these with g_ratls_ instead? I think this way is better, as they are in the global namespace.
tools/sgx/ra-tls/ra_tls_verify_dcap.c line 102 at r11 (raw file):
int ret; sgx_quote_t* quote = NULL;
That's an unrelated fix, right? Could you extract it to another PR, so we can quickly merge it?
tools/sgx/ra-tls/ra_tls_verify_epid.c line 124 at r11 (raw file):
int ret; sgx_quote_t* quote = NULL;
ditto
There was a problem hiding this comment.
Reviewable status: 25 of 27 files reviewed, 19 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @kailun-qin and @mkow)
a discussion (no related file):
Previously, mkow (Michał Kowalczyk) wrote…
No version number in the directory name? (
packagefiles/libcbor/)
I can add it. I didn't add the version because about half of our dependencies don't have the version number: https://github.com/gramineproject/gramine/tree/master/subprojects/packagefiles. Not sure what our policy in the directory names is.
.ci/ubuntu22.04.dockerfile line 58 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Why is this list of added libs so different than for 24.04?
Looks like a merge fail that I didn't notice. I'll fix during rebase (once dependency PRs are merged)
Documentation/sgx-intro.rst line 269 at r10 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Done. See #1927
Blocking myself on this prerequisite (this PR will need to be rebased on top of 1927).
Also blocking on #1947
tools/sgx/ra-tls/ra_tls_verify_dcap.c line 102 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
That's an unrelated fix, right? Could you extract it to another PR, so we can quickly merge it?
Done, see #1947
tools/sgx/ra-tls/ra_tls_verify_epid.c line 124 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
ditto
Done.
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
from
de28d46 to
bf515ed
Compare
There was a problem hiding this comment.
Reviewable status: 22 of 27 files reviewed, 19 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @kailun-qin and @mkow)
a discussion (no related file):
FYI: Rebased to the latest master, at the request of @mkow, to incorporate the following prerequisite PRs:
- [tools/RA-TLS] Copy quote from X.509 cert into a separate object #1947
- [Docs] Add remote attestation terminology #1927
.ci/ubuntu22.04.dockerfile line 58 at r11 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Looks like a merge fail that I didn't notice. I'll fix during rebase (once dependency PRs are merged)
Done.
Documentation/sgx-intro.rst line 269 at r10 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Also blocking on #1947
Done.
There was a problem hiding this comment.
Reviewable status: 17 of 27 files reviewed, 19 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @kailun-qin and @mkow)
a discussion (no related file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
I can add it. I didn't add the version because about half of our dependencies don't have the version number: https://github.com/gramineproject/gramine/tree/master/subprojects/packagefiles. Not sure what our policy in the directory names is.
Done, now with version number
tools/sgx/ra-tls/ra_tls_attest.c line 140 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
If you specify Gramine versions here then please specify them fully, i.e. also in TCG DICE.
Done.
tools/sgx/ra-tls/ra_tls_attest.c line 140 at r11 (raw file):
/* embed the SGX quote into the generated certificate (as X.509 extension) in two formats: * - legacy non-standard "SGX quote" OID (used from Gramine v1.0)
Done.
tools/sgx/ra-tls/ra_tls_common.h line 27 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Why not including
ra_tls.hinstead of duplicating the constants?
Done, yeah, agreed. Users of this header file will anyhow want to use ra_tls.h too.
tools/sgx/ra-tls/ra_tls_common.h line 31 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Could you prefix these with
g_ratls_instead? I think this way is better, as they are in the global namespace.
Done
tools/sgx/ra-tls/ra_tls_verify_dcap.c line 102 at r11 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Done, see #1947
Also note that I already rebased this PR on top of #1947.
subprojects/packagefiles/libcbor/compile.sh line 9 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
What do you mean by "current"? Are there any other source directories? Ditto for build dir.
Done.
subprojects/packagefiles/libcbor/compile.sh line 11 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Please verify that the arguments were actually passed (and print usage info if not).
Done.
Btw, this script is not supposed to be used by users. It's only supposed to be called by Meson.
subprojects/packagefiles/libcbor/meson.build line 26 at r1 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Could you link to it in the comment?
Done.
There was a problem hiding this comment.
Reviewed 3 of 5 files at r12, 6 of 7 files at r13, all commit messages.
Reviewable status: 26 of 27 files reviewed, 13 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv and @kailun-qin)
tools/sgx/ra-tls/ra_tls_attest.c line 231 at r13 (raw file):
return MBEDTLS_ERR_X509_ALLOC_FAILED; /* RA-TLS always generates SHA256 hash over pubkey */
Is this what you mean? Or something else? The current comment sounds weird to me.
Suggestion:
/* RA-TLS always uses SHA256 */tools/sgx/ra-tls/ra_tls_attest.c line 280 at r13 (raw file):
} /*! generate claims -- CBOR map with { "pubkey-hash" = <serialized CBOR array hash-entry> } */
What a weird format, why does this CBOR map contain a byte string with serialized CBOR array, instead of a normal CBOR array?
tools/sgx/ra-tls/ra_tls_attest.c line 328 at r13 (raw file):
cbor_serialize_alloc(cbor_claims, &claims_buf, &claims_buf_size); cbor_decref(&cbor_pubkey_hash_val);
Please add a similar comment about references as in generate_serialized_pk_hash_entry().
tools/sgx/ra-tls/ra_tls_attest.c line 340 at r13 (raw file):
} /*! generate evidence -- CBOR tag with CBOR array of CBOR bstrs: [ quote, claims ] */
whyyyy
This is map("asdf": serialize(map("qwer": serialize("asdf")) at this point... Is there any reason for such a weird format with nested serialization?
Code quote:
CBOR array of CBOR bstrstools/sgx/ra-tls/ra_tls_attest.c line 404 at r13 (raw file):
} /*! generate SGX-quote evidence with \p pk as one of the embedded claims (standard format) */
Suggestion:
SGX-quote evidence (a set of claims)tools/sgx/ra-tls/ra_tls_attest.c line 405 at r13 (raw file):
/*! generate SGX-quote evidence with \p pk as one of the embedded claims (standard format) */ static int generate_evidence_with_claims(mbedtls_pk_context* pk, uint8_t** out_evidence,
Using TCG DICE meanings, "evidence with claims" is like saying "numbers with digits" ;P
Both this and the previous function have IMO very confusing names. Both return serialized evidence, but only generate_serialized_evidence() has that in its name. Both generate evidence with claims (obviously), but only generate_evidence_with_claims() has that in its name.
tools/sgx/ra-tls/ra_tls_attest.c line 489 at r13 (raw file):
int ret; /*
Weird comment formatting (empty first line, but not the last.
subprojects/packagefiles/libcbor/compile.sh line 11 at r11 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Done.
Btw, this script is not supposed to be used by users. It's only supposed to be called by Meson.
Yeah, but it could have been annoying to us when debugging / doing stuff manually.
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
AFAIR Meson breaks if you don't do this (it doesn't track changes in subprojects, so it wouldn't recompile it after you e.g. checked out a branch with a different subproject version). They say it works as intended, as usual ¯\_(ツ)_/¯ |
There was a problem hiding this comment.
Reviewed 1 of 7 files at r13.
Reviewable status: all files reviewed, 19 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv)
tools/sgx/ra-tls/ra_tls_verify_common.c line 193 at r13 (raw file):
/*! fill buffer \p pk_der with DER-formatted public key from \p crt */ static int fill_crt_pk_der(mbedtls_x509_crt* crt, uint8_t* pk_der, size_t* pk_der_size) {
It's a bit confusing without it IMO.
Suggestion:
size_t* inout_pk_der_sizetools/sgx/ra-tls/ra_tls_verify_common.c line 194 at r13 (raw file):
/*! fill buffer \p pk_der with DER-formatted public key from \p crt */ static int fill_crt_pk_der(mbedtls_x509_crt* crt, uint8_t* pk_der, size_t* pk_der_size) { mbedtls_ecp_keypair* key = mbedtls_pk_ec(crt->pk);
FYI: mbedtls_pk_ec() may disappear in the future (see Mbed-TLS/mbedtls#7572).
tools/sgx/ra-tls/ra_tls_verify_common.c line 194 at r13 (raw file):
I don't think it's legal to call mbedtls_pk_ec() just like that.
Warning: You must make sure the PK context actually holds an EC context before using this function!
See https://arm-software.github.io/CMSIS-mbedTLS/latest/pk_8h.html#a4b9c1b47e90acc7c01800edbfb8cff56.
tools/sgx/ra-tls/ra_tls_verify_common.c line 197 at r13 (raw file):
if (key == NULL || (key->MBEDTLS_PRIVATE(grp).id != MBEDTLS_ECP_DP_SECP384R1 && key->MBEDTLS_PRIVATE(grp).id != MBEDTLS_ECP_DP_SECP256R1)) {
Is there any way to get this information without using mbedtls private APIs?
tools/sgx/ra-tls/ra_tls_verify_common.c line 342 at r13 (raw file):
&evidence_buf_size); if (ret < 0) return ret;
You leave *out_found_oid uninitialized here.
tools/sgx/ra-tls/ra_tls_verify_common.c line 376 at r13 (raw file):
cbor_quote = cbor_array_get(cbor_evidence, /*index=*/0); if (!cbor_quote || !cbor_isa_bytestring(cbor_quote) || !cbor_bytestring_is_definite(cbor_quote) || cbor_bytestring_length(cbor_quote) == 0) {
You already check this more precisely in the next if.
Code quote:
cbor_bytestring_length(cbor_quote) == 0tools/sgx/ra-tls/ra_tls_verify_common.c line 446 at r13 (raw file):
if (strncmp((char*)cbor_string_handle(claims_pairs[i].key), "pubkey-hash", cbor_string_length(claims_pairs[i].key)) == 0) {
- I think CBOR strings are not NULL-terminated.
- Doesn't this also accept stuff like
"pubkey-hash\0dupa"?
tools/sgx/ra-tls/ra_tls_verify_common.c line 461 at r13 (raw file):
if (cbor_result.error.code != CBOR_ERR_NONE) { ERROR("Certificate: cannot parse 'pubkey-hash' array in CBOR format (error %d)\n", cbor_result.error.code);
wrong alignment
There was a problem hiding this comment.
Reviewable status: 25 of 27 files reviewed, 19 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @mkow)
tools/sgx/ra-tls/ra_tls_attest.c line 231 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Is this what you mean? Or something else? The current comment sounds weird to me.
Done. Yes, that's what I meant. The idea of the comment is to explain why we choose the SHA256 algorithm for the CBOR hash, and that's because RA-TLS uses this hash algo (at least currently) to do the only hashing operation it does -- a hash over the public key of the generated ephemeral X.509 certificate.
tools/sgx/ra-tls/ra_tls_attest.c line 280 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
What a weird format, why does this CBOR map contain a byte string with serialized CBOR array, instead of a normal CBOR array?
Yes, you are right. This is weird, and I also mentioned this here: CCC-Attestation/interoperable-ra-tls#2 (comment)
Generally, the reason is that taking a hash over "some in-memory representation of a CBOR array" is ambiguous. How do you deal with pointers in that representation? What do you do with little-endian vs big-endian? Basically, you need a set of rules to transform the "in-memory representation" of a CBOR object to a "uniform unambiguous representation". That's why we perform serialization.
Also, that's just generally the reason why everything in this PR is "serialized CBOR object". Almost any CBOR object used in this PR has the potential of being hashed. And Interoperable RA-TLS uses the CoSWID standard, which forces a special CBOR representation of the "hashed value", see https://datatracker.ietf.org/doc/rfc9393/, Chapter 2.9.1. So, anything that can be hashed, should be represented as a hash over a serialized object.
Finally, why embed serialized objects inside CBOR objects, and not directly the CBOR objects (and calculate serialized variants on the side, for hashing purposes)? (Now I realize that was the crux of @mkow's question.) From what I was told, it's just more explicit to represent it this way -- all the objects that are hashed must be present in the CBOR composite. One side effect is that we are guaranteed to catch bugs in the serialization logic of the CBOR implementation. Another side effect that the CBOR implementation in the verifier may only implement a subset of CBOR functionality (well, maybe?) -- even it only wants to check the hash, it can just extract the serialized value without any need to deserialize it.
Well, long story short: I'm not confident why it was done this way, but I was told that's typical.
tools/sgx/ra-tls/ra_tls_attest.c line 328 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Please add a similar comment about references as in
generate_serialized_pk_hash_entry().
Done. Also split from cbor_claims, because that one's reference is decremented because we serialized this object into the claims_buf buffer.
tools/sgx/ra-tls/ra_tls_attest.c line 340 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
whyyyy
This ismap("asdf": serialize(map("qwer": serialize("asdf"))at this point... Is there any reason for such a weird format with nested serialization?
See my answer above. But yes, you are right. Please also check CCC-Attestation/interoperable-ra-tls#2 if that helps.
TLDR: serialized objects are used because hashes are taken over them.
tools/sgx/ra-tls/ra_tls_attest.c line 404 at r13 (raw file):
} /*! generate SGX-quote evidence with \p pk as one of the embedded claims (standard format) */
Done.
tools/sgx/ra-tls/ra_tls_attest.c line 405 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Using TCG DICE meanings, "evidence with claims" is like saying "numbers with digits" ;P
Both this and the previous function have IMO very confusing names. Both return serialized evidence, but only
generate_serialized_evidence()has that in its name. Both generate evidence with claims (obviously), but onlygenerate_evidence_with_claims()has that in its name.
Done. What about new names?
tools/sgx/ra-tls/ra_tls_attest.c line 489 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Weird comment formatting (empty first line, but not the last.
Done.
tools/sgx/ra-tls/ra_tls_verify_common.c line 193 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
It's a bit confusing without it IMO.
Done.
tools/sgx/ra-tls/ra_tls_verify_common.c line 194 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
FYI:
mbedtls_pk_ec()may disappear in the future (see Mbed-TLS/mbedtls#7572).
Yes, but this discussion seems a long way from being finished: Mbed-TLS/mbedtls#8452
Any reason you put this comment as blocking?
tools/sgx/ra-tls/ra_tls_verify_common.c line 194 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
I don't think it's legal to call
mbedtls_pk_ec()just like that.Warning: You must make sure the PK context actually holds an EC context before using this function!
See https://arm-software.github.io/CMSIS-mbedTLS/latest/pk_8h.html#a4b9c1b47e90acc7c01800edbfb8cff56.
Done. The correct usage is peeked from this example: https://github.com/Mbed-TLS/mbedtls/blob/f938f4ff063a6714caa64be454728a501f01be5a/programs/pkey/key_app_writer.c#L403
tools/sgx/ra-tls/ra_tls_verify_common.c line 197 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Is there any way to get this information without using mbedtls private APIs?
No, I don't see the way (by searching the official mbedTLS github repo for keywords).
Well, I think we can just remove this check, if you wish to get rid of private APIs. This check is more of a sanity check. We'll check the hash of this key anyway, so we'll fail a bit later.
tools/sgx/ra-tls/ra_tls_verify_common.c line 342 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
You leave
*out_found_oiduninitialized here.
That was on purpose, see the caller of this func (the caller initializes this variable).
Or this is a weird convention? You would prefer the caller to have an uninitialized variable, and this called function should initialize the variable at the very beginning? I can do that, just thought that my current way is clear enough.
tools/sgx/ra-tls/ra_tls_verify_common.c line 376 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
You already check this more precisely in the next
if.
Done.
tools/sgx/ra-tls/ra_tls_verify_common.c line 446 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
- I think CBOR strings are not NULL-terminated.
- Doesn't this also accept stuff like
"pubkey-hash\0dupa"?
Done. Good catch.
tools/sgx/ra-tls/ra_tls_verify_common.c line 461 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
wrong alignment
Done.
There was a problem hiding this comment.
Reviewed 2 of 2 files at r14, all commit messages.
Reviewable status: all files reviewed, 7 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv and @kailun-qin)
tools/sgx/ra-tls/ra_tls_attest.c line 280 at r13 (raw file):
Generally, the reason is that taking a hash over "some in-memory representation of a CBOR array"
Yup, but that explains only the middle serialization, not the serialization of alg+hash.
And Interoperable RA-TLS uses the CoSWID standard, which forces a special CBOR representation of the "hashed value", see https://datatracker.ietf.org/doc/rfc9393/, Chapter 2.9.1. So, anything that can be hashed, should be represented as a hash over a serialized object.
Why would you hash a hash?
Well, long story short: I'm not confident why it was done this way, but I was told that's typical.
ACK.
tools/sgx/ra-tls/ra_tls_attest.c line 340 at r13 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
See my answer above. But yes, you are right. Please also check CCC-Attestation/interoperable-ra-tls#2 if that helps.
TLDR: serialized objects are used because hashes are taken over them.
But not over alg+hash? Anyways, let's continue the discussion there.
tools/sgx/ra-tls/ra_tls_attest.c line 405 at r13 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Done. What about new names?
Still confusing, the comment on the other function says /*! generate tagged evidence [...], and you renamed this function here to generate_tcg_dice_tagged_evidence. I'm really confused by this split and what are the roles of both.
tools/sgx/ra-tls/ra_tls_verify_common.c line 194 at r13 (raw file):
Any reason you put this comment as blocking?
To ensure I get a response to this before merging.
tools/sgx/ra-tls/ra_tls_verify_common.c line 197 at r13 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
No, I don't see the way (by searching the official mbedTLS github repo for keywords).
Well, I think we can just remove this check, if you wish to get rid of private APIs. This check is more of a sanity check. We'll check the hash of this key anyway, so we'll fail a bit later.
Ok, let's keep it maybe, it can only lead to more failures, not accepting incorrect keys.
tools/sgx/ra-tls/ra_tls_verify_common.c line 342 at r13 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
That was on purpose, see the caller of this func (the caller initializes this variable).
Or this is a weird convention? You would prefer the caller to have an uninitialized variable, and this called function should initialize the variable at the very beginning? I can do that, just thought that my current way is clear enough.
Yes, that's IMO confusing. I'd initialize it in both places, as there no clear convention what happens with out-args on function failure.
Or maybe @kailun-qin has an idea for a better convention?
tools/sgx/ra-tls/ra_tls_verify_common.c line 451 at r14 (raw file):
if ((cbor_string_length(claims_pairs[i].key) == sizeof(PUBKEY_HASH_STR) - 1) && (memcmp(cbor_string_handle(claims_pairs[i].key), PUBKEY_HASH_STR, cbor_string_length(claims_pairs[i].key)) == 0)) {
They are the same, but this one is a constant.
Suggestion:
sizeof(PUBKEY_HASH_STR) - 1
There was a problem hiding this comment.
Reviewable status: 25 of 27 files reviewed, 7 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @kailun-qin and @mkow)
tools/sgx/ra-tls/ra_tls_attest.c line 280 at r13 (raw file):
Generally, the reason is that taking a hash over "some in-memory representation of a CBOR array"
Yup, but that explains only the middle serialization, not the serialization of alg+hash.
Yes, that's probably "for future". I agree, it is redundant.
Why would you hash a hash?
I mean, it's not really a hash, it's a hash over a non-trivial CBOR object ("hash-entry"). But yes, I understand your point, does sound a bit useless, even for future-proof.
tools/sgx/ra-tls/ra_tls_attest.c line 405 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Still confusing, the comment on the other function says
/*! generate tagged evidence [...], and you renamed this function here togenerate_tcg_dice_tagged_evidence. I'm really confused by this split and what are the roles of both.
Done.
tools/sgx/ra-tls/ra_tls_verify_common.c line 194 at r13 (raw file):
Any reason you put this comment as blocking?
To ensure I get a response to this before merging.
In Reviewable, "FYI" at the beginning of the message implies "not blocking", so it was surprising to me that this comment blocks. Just a mental hiccup.
tools/sgx/ra-tls/ra_tls_verify_common.c line 342 at r13 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Yes, that's IMO confusing. I'd initialize it in both places, as there no clear convention what happens with out-args on function failure.
Or maybe @kailun-qin has an idea for a better convention?
Done.
tools/sgx/ra-tls/ra_tls_verify_common.c line 451 at r14 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
They are the same, but this one is a constant.
Done.
There was a problem hiding this comment.
Reviewed 2 of 2 files at r15, all commit messages.
Reviewable status: all files reviewed, 4 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv)
tools/sgx/ra-tls/ra_tls_verify_common.c line 194 at r13 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Any reason you put this comment as blocking?
To ensure I get a response to this before merging.
In Reviewable, "FYI" at the beginning of the message implies "not blocking", so it was surprising to me that this comment blocks. Just a mental hiccup.
It doesn't imply that - it only sets that disposition as default, you can change it. And I even disabled this option of auto-selecting dispositions ;)
There was a problem hiding this comment.
Reviewable status: all files reviewed, 5 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv)
Documentation/attestation.rst line 247 at r15 (raw file):
.. image:: ./img/ratls-interoperable.svg :target: ./img/ratls-interoperable.svg :alt: Figure: The X.509 certificate generated by RA-TLS (standardized)
Everything in this SVG overlaps (mostly text) with each other and some places are completely unreadable. I tried both Firefox and Chromium (on Linux).
Documentation/img/ratls-interoperable.svg line 1 at r15 (raw file):
<svg width="4025" height="2497" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" overflow="hidden"><defs><clipPath id="clip0"><rect x="383" y="64" width="4025" height="2497"/></clipPath><clipPath id="clip1"><rect x="-2770.55" y="-0.363636" width="822960" height="820189"/></clipPath><image width="225" height="225" xlink:href="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQDQ4RDgsLEBYQERMUFRUVDA8XGBYUGBIUFRT/2wBDAQMEBAUEBQkFBQkUDQsNFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBT/wAARCADhAOEDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD9U6KKKACiivnL/goZ8Tr/AOE/7IPxC1jSpXg1S6tY9Kt5o2KNGbmVIHdWHKssbuwI6ECgD4d/bi/4Kra7e+JNR8D/AAT1OPTNFs3e2vPF0AWSe9kHDC0Y5CRA5HmgFm4KFQAW/OXxR428ReOL37Z4j1/VPEF5/wA/Gq3slzJz1+Z2JrFr9B/2U/8AgkzqPx1+FGleO/FnjRvCdtrUf2jTdNsrEXMzW5PySyuzqF34LBQG+UqSQSVFFH58UV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5O6Xq19ol5Heade3Gn3cZylxaytFIp9QykEV9i/sq/8FQPiZ8DdatNP8aalf8AxF8Du4W4tdSn87ULVCeZLe4c7mIHSORihA2gx53D37x1/wAERzaeF7648I/EyXUNehjMltZappixQXLAHEZkWQmMk4+bawHcc5H5bXVrNY3U1tcRPBcQu0ckUgwyMDgqR2IIoA/qE8GeMtG+IXhPSfEvh6/i1TQ9Vtku7O8hztkjcZBweQexBwQQQQCCK2q/OX/git8Ub3xH8IfG/ga7lkmi8MalDd2Zc8Rw3iyExL7CSCV/rKa/RqpJCiiigAooooAKKKKACiiigAr46/4Ky/8AJlfib/sI6d/6UpX2LXx1/wAFZf8AkyvxN/2EdO/9KUoA/CGv6PP2L/8Ak0v4Qf8AYraf/wCiFr+cOv6PP2L/APk0v4Qf9itp/wD6IWmxs9nooopCCiiigAooooAKKKKACiiigAooooAKKKKACv5h/i1/yVbxp/2G73/0e9f08V/MP8Wv+SreNP8AsN3v/o96aGj9H/8Aghv/AMf3xnP/AEz0f+d7X6s1+U//AAQ3B+2fGg9vL0b+d9X6sUMGFFFFIQUUUUAFFFFABRRRQAV8df8ABWX/AJMr8Tf9hHTv/SlK+xa+Ov8AgrL/AMmV+Jv+wjp3/pSlAH4Q1/R5+xf/AMml/CD/ALFbT/8A0Qtfzh1/R5+xf/yaX8IP+xW0/wD9ELTY2ez14t8cP2yPg/8As66tbaT478YwaXrFxH5yadb2013cCM9HdIUYoD2L4zg4zivaa/nk/wCCgng/xX4R/a7+JLeLEuGl1TVZdR0+7mUhJ7GQ5tvLYjDKkeyI4zhomXqpoEfrH/w9W/Zq/wCh4u//AARX3/xmj/h6t+zV/wBDxd/+CK+/+M1+Ce4etG4etMdj97P+Hq37NX/Q8Xf/AIIr7/4zR/w9W/Zq/wCh4u//AARX3/xmvwT3D1o3D1oCx+9n/D1b9mr/AKHi7/8ABFff/GaP+Hq37NX/AEPF3/4Ir7/4zX4J7h60bh60BY/ez/h6t+zV/wBDxd/+CK+/+M0f8PVv2av+h4u//BFff/Ga/BPcPWjcPWgLH72f8PVv2av+h4u//BFff/GaP+Hq37NX/Q8Xf/givv8A4zX4J7h60bh60BY/oa+Fv/BQb4C/GLxhZ+F/DnjuJtdvWCWlrqFlcWYuHJwI0eWNULkkAJncxOADX0VX8vXgHwr4h8ceNNF0HwlZ3WoeJb66SKwgsciUy5yGUj7u3G4tkBQpJIAzX9PmmxXEGnWsd3Ks92kSLNIowHcAbiPqc0gLNfzD/Fr/AJKt40/7Dd7/AOj3r+niv5h/i1/yVbxp/wBhu9/9HvQgR+kX/BDb/j5+NP8AuaN/O+r9Vq/Kr/ghr/r/AI1f7ui/zvq/VWhgwooopCCiiigAooooAKKKKACvjr/grL/yZX4m/wCwjp3/AKUpX2LXx1/wVl/5Mr8Tf9hHTv8A0pSgD8Ia/o8/Yv8A+TS/hB/2K2n/APoha/nDr+jz9i//AJNL+EH/AGK2n/8AohabGz2esjxF4R0Lxhbxwa9ouna3BE26OLUbSO4VD6gOCAa16KQjif8AhR/w4/6J/wCF/wDwTW3/AMRR/wAKP+HH/RP/AAv/AOCa2/8AiK7aigDif+FH/Dj/AKJ/4X/8E1t/8RR/wo/4cf8ARP8Awv8A+Ca2/wDiK7aigDif+FH/AA4/6J/4X/8ABNbf/EUf8KP+HH/RP/C//gmtv/iK7aigDif+FH/Dj/on/hf/AME1t/8AEUf8KP8Ahx/0T/wv/wCCa2/+IrtqKAOJ/wCFH/Dj/on/AIX/APBNbf8AxFH/AAo/4cf9E/8AC/8A4Jrb/wCIrtqKAOf8O/D3wt4QuJLjQfDWj6JPIux5dOsIrdmX0JRQSK6CiigAr+Yf4tf8lW8af9hu9/8AR71/TxX8w/xa/wCSreNP+w3e/wDo96aGj9JP+CGv+s+Nf00T/wBv6/VSvyt/4Iafe+Nn/cE/9v6/VKhgwooopCCiiigAooooAKKKKACvjr/grL/yZX4m/wCwjp3/AKUpX2LXx1/wVl/5Mr8Tf9hHTv8A0pSgD8Ia/o8/Yv8A+TS/hB/2K2n/APoha/nDr+jz9i//AJNL+EH/AGK2n/8AohabGz2evyG/bb/4Kh/E7QfjZ4l8E/C7Ubbwrovhq+k0yfUDYxXN1eXMTFJyfPRlSMSBlUKuTs3bsNtH681+a/7Y/wDwSb1X4yfFbWPHvw28S6RpFxrs32rUdH10SxwrcEfvJopYkc/OfmKMnDFjuwwVUI+J/wDh55+03/0U5/8AwR6b/wDI1H/Dzz9pv/opz/8Agj03/wCRq9Z/4cr/ABw/6Gn4f/8Agwvv/kOj/hyv8cP+hp+H/wD4ML7/AOQ6eg9Dyb/h55+03/0U5/8AwR6b/wDI1H/Dzz9pv/opz/8Agj03/wCRq9Z/4cr/ABw/6Gn4f/8Agwvv/kOj/hyv8cP+hp+H/wD4ML7/AOQ6NA0PJv8Ah55+03/0U5//AAR6b/8AI1H/AA88/ab/AOinP/4I9N/+Rq9Z/wCHK/xw/wChp+H/AP4ML7/5Do/4cr/HD/oafh//AODC+/8AkOjQNDyb/h55+03/ANFOf/wR6b/8jUf8PPP2m/8Aopz/APgj03/5Gr1n/hyv8cP+hp+H/wD4ML7/AOQ6P+HK/wAcP+hp+H//AIML7/5Do0DQ8m/4eeftN/8ARTn/APBHpv8A8jUf8PPP2m/+inP/AOCPTf8A5Gr1n/hyv8cP+hp+H/8A4ML7/wCQ6P8Ahyv8cP8Aoafh/wD+DC+/+Q6NA0Oc+EP/AAVq+OHg/wAaWN5421uHxz4ZMire6bNptrbS+Vn5mhkhjjIkA6bsqccjvX7h2V5FqFnBdW7+ZBPGssbYxlWGQfyNfkv8Hv8Agiv4qj8Z2Nz8TvF2gN4Yt5VlnsfDctxNPeKDkxb5IovKB6FhuOM4API/WyGJLeJIo0WONFCqijAUDgAD0pCH1/MP8Wv+SreNP+w3e/8Ao96/p4r+Yf4tf8lW8af9hu9/9HvTQ0fpN/wQ0+98bP8AuCf+39fqlX5W/wDBDT73xs/7gn/t/X6pUMGFFFFIQUUUUAFFFFABRRRQAV8df8FZf+TK/E3/AGEdO/8ASlK+xa+Ov+Csv/Jlfib/ALCOnf8ApSlAH4Q1/R5+xf8A8ml/CD/sVtP/APRC1/OHX9Hn7F//ACaX8IP+xW0//wBELTY2ez0UUUhBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABX8w/xa/5Kt40/wCw3e/+j3r+niv5h/i1/wAlW8af9hu9/wDR700NH6Tf8ENPvfGz/uCf+39fqlX5W/8ABDT73xs/7gn/ALf1+qVDBhRRRSEFFFFABRRRQAUUUUAFfHX/AAVl/wCTK/E3/YR07/0pSvsWvjr/AIKy/wDJlfib/sI6d/6UpQB+ENf0efsX/wDJpfwg/wCxW0//ANELX84df0efsX/8ml/CD/sVtP8A/RC02Nns9FFFIQUUUUAFFFFABRXm37R3xmtf2fPgf4v+IN1bC9GiWfmQ2rMVE87usUMZI6BpXQE9gSa/DHxB/wAFD/2hvEPiifXG+Juq6dLI5ZLLTgkNnEuThFhC7SAOMsGY4ySTzQB/QvWb4k8SaV4P0DUNc1zULfStI0+Fri6vbqQJFDGoyzMx6ACvw18G/wDBWf8AaJ8LZF9r+j+KkzkLrOkRDA9M2/lE/iSeetcN+0d+3h8XP2sNOs/D3iO5stP0QSow0Lw7bSQw3UwPyNIGd3kIOMKWKg4IXPNMZ3/7dn/BQzxD+0l4kuPD3g6/v/D/AMM7N2jit4ZGgm1Y9DNcYIOw/wAMR4A5Ybvu+Z/sk/tneNv2UfGdrd6ZeXGreEJH26l4ZuJ2+zzxk/M0YORFKOodR14bKkiuW8P/ALJnxr8URrLpnwn8ZXEDDcszaJcRxsPZ3QA/gata1+xv8dNAj8y8+EXjLy+7W+jTzgcZyfLVsD3NPQeh/QZ8HfjF4V+PHw/0zxl4O1JdS0a+Xj+GWCQY3wypn5JFJwV+hGQQT2tfzk/Af9pr4q/sc+ML9vDVxJpUkxC6n4d1y0Y29wQDt82FtrqwzkMpVu2dpIPtHi//AIK8/tCeJrYxafe+HfCjnH77R9IDsOf+nl5hz9O9IR+51fIH7UX/AATN+Fnx+0u+1DQNMtvAPjdt0sWq6RCIre4lOTi5gUbXDEkl1CyZwdzAFT+TN1+31+0Lea1DqknxY8QLcwtuWOKRI4Dzn5oFURsPYqa/ZD/gn/8AtRX/AO1Z8B4/EGuW0Vt4m0m9fSNUaBQkVxKkccizooJ2h0kXI4wyvgAYoA+Zv+CPvw71/wCEvjz9ofwf4osW07XtHuNFtrq3bkBh9vIZT/EjKVZWHBVgR1r9Lq5XSfh9p+jfErxL4xtkWO/17TtPsLraMb/sj3TI59Wxdbc+iKO1dVSEFFFFABRRRQAUUUUAFFFFABXx1/wVl/5Mr8Tf9hHTv/SlK+xa+Ov+Csv/ACZX4m/7COnf+lKUAfhDX9Hn7F//ACaX8IP+xW0//wBELX84df0efsX/APJpfwg/7FbT/wD0QtNjZ7PRRRSEFFFFABRRXKfEr4reEPg74am8QeNfEWn+G9Iiz/pF9ME3sBnZGv3pHx0VAWPYUAfJn/BYLxf/AMI5+yDJpgyW8Qa9ZafhSPup5lySRnpm3A+pFfh2iNI6oilnY4CqMkn0Ffan/BSH9ubS/wBqvWtD8O+DYLqHwR4flluBdXkflyajcsAgl2HlERdwUHDHzGLAcAfVH/BMb9ge08C6Fpvxk+I+nq3iW6QXWg6XeKNumQEZW6kB485h8yg/6tSD984RjPGv2R/+CR+v/ES0sfFPxguLrwjoMyrNB4dtxs1O4U8/vywIt1Ix8uDJyQRGQCfuPUPFf7K/7AdmLFP+EZ8G6ssKqbWxgN5rMyEHaZCoecqecNIdvXmvjz9ur/gqlqGrahqfgH4J6kbHSYt1tfeM7V8T3LchksmH+rQcjzx8zHlNoAd/zMvLufULue6uppLm6nkaWWeZy7yOxyzMx5JJJJJ9aAP2I8Tf8FsPhnY3Dx6D4E8UavGpIEt41vaK2O4AeQ4PuAeegqloX/BbjwFcXCjWfhx4ksIc/M9jdW90w+isY8/nX4/0U7Dsfvh4X/ai/Zb/AG0rWDw7qlzoOr6hLhYdE8YWCwXIdgcCFpRtZ+v+pcsK+Zv2pv8AgjpbfY7zxD8D76SOdA0jeEdWuN6uAPu21y5yDxwsxOSf9YuMV+VFfcn7FX/BTfxb8CdQsPC3xBu7zxd8O2IhWSdjLf6UvQNE5OZIgOsTHgAbCuNrIR8Va94f1PwrrV5o+taddaTq1lKYbmxvoWhmgkHVXRgCpHoRX6i/8EPvFbtD8WfDUkg8tW0/UYI++SJ45T/47DXuv7bH7HfhP9tb4V23xE+HktjceN1sBd6TqtmyrFrVvtytvK3AyRwjNgo3ythc4/L39jD9pq+/Y1+O769qekXd3pU0Muj69pABjuVj8xSSiOQBNHJGDtfGRvTK7twAP6HKK8y+CP7Snw2/aK0ZtQ8A+KrPW2jQPcWOTFeWuTj97A4DoMggMRtbHykjmvTaQgooooAKKKKACiiigAooooAK+Ov+Csv/ACZX4m/7COnf+lKV9i18df8ABWX/AJMr8Tf9hHTv/SlKAPwhr+jz9i//AJNL+EH/AGK2n/8Aoha/nDr+jz9i/wD5NL+EH/Yraf8A+iFpsbPZ6KKKQgooooA+Zv8AgoL+1FqX7KnwHOveH7aG48T6vfppOmyXCb4rZ2R5HnZcjdtSNsDpuZMggEH8HviR8U/F3xg8SS6/408Rah4l1eTj7TfzF9i5zsRfuxpknCqAo7Cv3k/4KFfs6zftI/s2a1pGlxNN4m0Vxrejxp1mniRw0OO5kjeRAOm4oT0r+fLrTQ0fU3/BOP8AZqt/2kP2irCDWrMXfhDw7H/a+rxyJuiuArAQ27ZGCJJCMqeqJIK+4f8Agrv+1jc/D/wjafB3wzdmDWPElqbjXJ4mIeHTiSiwAjvMVcNz9xCCMSA1vf8ABGf4ax+Gf2ctc8XywIt94o1qQLMv3mtbZRFGp+kpuT/wKvyv/ao+K0vxs/aI8f8AjJrhbq11DVplsZF6fY4j5VsBz/zySP6nJ70AeVUUUVRQUUUUAFFFFAH6Mf8ABIz9rK68FePv+FN+Ir5pPDfiB2l0Rpnytlf4LNEueiTAHjOPMVcDMjE1P+CwX7NcPw9+J+l/FPQ7MQaN4uZrfVFiXCRaki539ePOjBbAH3oZGJy1fAGg65f+F9c07WdKunstU065jvLS6jxuhmjYOjjPcMoP4V+6v7Z+n2P7TP8AwTv1bxRawIGk0C08YWW5cm3MaJcSAeh8kzJ7bjUkn4V6D4g1TwrrFrq+ianeaNq1o/mW9/p9w8E8LYI3JIhDKcE8g96/Z3/gln+2d4t/aL0jxL4O8fXC6t4h8PRQ3VrrWxUku7Z2ZSsyqAu+NggDjlw/IypZvxTr9nP+CPf7Otx8O/hDqvxL1iFodU8ZsiWELjBj0+EttfBAIMshdu4KJEw+8abGz9B6KKKkkKKKKACiiigAooooAK+Ov+Csv/Jlfib/ALCOnf8ApSlfYtfHX/BWX/kyvxN/2EdO/wDSlKAPwhr+jz9i/wD5NL+EH/Yraf8A+iFr+cOv6PP2L/8Ak0v4Qf8AYraf/wCiFpsbPZ6KKKQgooooAK/AL/gpb8H9K+Df7Wvia00TZFpmuRR6/HaoOLZ5y3mp9DKkjgDAVXVR0r96fFHibTfBfhrVdf1m6Sx0jS7WW9vLqT7sUMaF3Y/RQTX83X7SHxt1L9oj41eKfHupB4v7UuibS1c5+y2qAJBF6ZWNVyRwW3HvTQ0ftD/wT5ZdJ/4J3+DJ7PiRNM1WcHOT5n2y6Yn/AL6r8E1+6K/dD/gkv4ps/GH7FumaKPmOhanqGlXKEY5klNz36grdDn6+lfih8QvBd38OfH3iTwpfnN7oepXGmzNtxueGVoyceh25/GhAjn6KKKooKKKKACiiigAr95f2X0Hir/gmPo9rqQVobjwZqVlIsgypiC3EQz7bAK/Bqv3v1+3f9nf/AIJj3VnqDLYajpfw++ySbsDy76e28sL7nz5gPf8AGpZLPxP/AGffhvB8YPjd4E8FXc5tbLXNXtrK5mVtrLCzjzCpx97Zux74r+lfRdGsfDuj2Gk6ZaxWOm2EEdra2sK7UhiRQqIo7AKAAPav5efDviDUfCPiDS9c0e6ex1fS7qK9s7qMAtDNE4eNxkEZDKDyO1f0ifs0/HLTf2jfgl4X8e6cqQtqVsBe2iEn7Ldodk8PPOFcNgnGVKt0NAHp9FFFIQUUUUAFFFFABRRRQAV8df8ABWX/AJMr8Tf9hHTv/SlK+xa+Pv8AgrBbyTfsT+LHRSyxX2nO59B9rjXP5sB+NAH4O1/R5+xf/wAml/CD/sVtP/8ARC1/OHX9E/7BvinSvFn7IXwsn0m9jvI7PQ7fTrjyzzFcQII5Y2HYhlPXqCD0IpsbPfKKKKQgooooA+FP+CxXjjWvCn7LNhpmlyNb2XiHX7fTtRlXq0KxTTiLPbc8KE+oQjoTX4j1/Tn8WvhP4Y+N/gHVfBvjDTV1TQtRQLLEWKujA5SRGHKurAEEencZFfkt+0d/wR78d+AftWr/AAs1EePdETL/ANlXRSDVIl9B0jnwM8rsY9AhpoaLH/BGn47R+D/i54h+GepXCxWPiq2F3p/mPgC+twSUUYxmSEuSc/8ALBRzmqf/AAWA/Zxn8BfF+0+KemWx/wCEf8XBYL51HywalHHjB9PNiQOPVo5TXwzaz+JvhP45tblY7/wx4s0G8juI1uYGgubO4jYOhZHGVYEA4YfhX7s/Bj4pfD7/AIKSfsv6jpOu28Rup4FsfEWjxNtn068xuSeHOcKWXzIn5HylTkq6gA/Aaivb/wBqn9kfxv8Asn+N5dI8R2rXug3Erf2T4it4yLW/jHI9fLlA+9ETlTnBZdrt4hTGFFFFMYUUV3XwY+CfjH4/+PLHwj4J0iXVdVuTud8EQWsWQGmnkxiONcjJPUkAAsQCAet/8E+/2b5/2kP2jNDsbq0abwpoLprGuSOmYjDGwKW5JGCZXCptyCU8wj7pr7p/4LPfHiLQPhz4c+FFhcj+0tfnXVdTiRhlLKFiIlYdcSTDcD/07tXvfw18AfDf/gmV+y/qV/qt99oaBftmraltAudYvyuEhgQnjONkcecKNzMeZHP4kfHf4z+If2i/i5rvjjXyzajq1x+5s4yXS1hHyw28fHRVwOmWOWPLGpJPPa/Ub/giJ4y1ttW+JvhMtJL4cSG11RVP3ILpmaIke8iKM/8AXAeleG/s3/8ABKr4sfGn7LqvimL/AIVt4Xkw3natCWv5l/6Z2uQy/WUp1yA1frj+zR+y34G/ZU8ES+HfBlrOzXcouNQ1S+kEl3fSgYVpGAACqOFRQFGScZZiQD16iiikIKKKKACiiigAooooAK4P47fCfT/jp8H/ABZ4C1NxFba5YPbLOV3eRLw0UuO5SRUfH+zXeUUAfzAfEj4d6/8ACXx1rfg/xRYPpuvaPctbXVu4/iHIZT/EjKVZWHDKykcGn+Dfij4z+Ha3C+FPF2veGFuSDOujanPaCUjoW8tl3Y96/oF/ag/Yv+G37WGlwL4ssJrHXrRPLs/EOlMsV7Cm7d5ZYqVkjyT8jggbmK7Sc18FeIv+CIPiKG/f+wvilpd1ZFiUOo6XJDIozwDsdwT78Z9BTuM+E/8Ahp34x/8ARWvHX/hSXv8A8do/4ad+Mf8A0Vrx1/4Ul7/8dr7X/wCHI/j3/opHhz/wEuP8KP8AhyP49/6KR4c/8BLj/CmPQ+KP+GnfjH/0Vrx1/wCFJe//AB2j/hp34x/9Fa8df+FJe/8Ax2vtf/hyP49/6KR4c/8AAS4/wo/4cj+Pf+ikeHP/AAEuP8KA0Mn9hL/god8cI/GmhfDa50i6+Mdpfz+XCl3csuqWqk5eT7W2Q0aDcx87OAAPMRQK/ZevnP8AYx/Yt8L/ALIvglre1aPWvGWooP7X8QNFtaTuIYgeUhU9urEbm7BeC/b+/b+0v9l3QZfC/heW31X4n6hDmG3bEkWlRsOLicd2I5SM9fvN8uA0knif/Ba74T6RJ4D8EfEmCzSHXINU/sK6uY0AaeCSGWaMSHqdjQvt9PNb1Ffmp8Cfj54z/Zx+IFp4v8Eal9h1GIeXPbzAvbXsJILQzx5G9DgdwQQCpVgCP1E+PmtXvx//AOCQWleKrmefXdZtNO068ubqRjJLLNbXaW1zK57kATMxPoxr8eKaGj95/gX+158E/wBvbwPJ4L8S2Gnw67eQgX3gzX9rea4Gd9rIQBLtILBkxImNxVeDXzr8ev8Agi3bX15c6l8IfFkemo5LLoPiUu8SZOcR3SBnCgcAOjH1fvX5SRSvbypLE7RyowZHQkMpHIIPY19V/B//AIKdfHz4P2MdgviW38Y6bEu2K18WQNeFP+2yukx+jSEDAwBQBV8Tf8Eyf2kPDN5LCfh5JqsKttS60vUbWaOQf3gPMDgf7yg1S0n/AIJuftI6zcCKH4X30Jzy93fWkCj3y8wz+FfWXh3/AILh3kccaa78IoZ3x88+na8YxnHaN4G/9Dq3rX/BcRdpXSPg+xYj/W33iAAA/wC4tvz/AN9CjUNTnPgz/wAEVfE2pXkN38UfGllounhgz6b4bBubqRccqZpFVImz3CSjj34+y/Evj79nr/gmr8NRpNrDa6HLcL5sOi6fm51bVZADh5CxLEfeHmSsqL90EcLX5p/Fj/grN8d/iRaTWOk32l+ArGQsCfD9qftLIc4Uzys7Kf8AajCHjtXx7rWtaj4k1S51PVr+61TUrp/MnvL2ZpppW/vO7Elj7k0Ae1ftZ/th+NP2uPGSanr5XSvD9kzDSvDtrKXgs1PBZmIHmSkY3SEDPQBR8tfRH/BG34S6Z44+PXiPxbqtpFer4T01HskmQMIrueQqkwz/ABKkcwHHBbIwQK+AK/XD/gjLo9v4S+BvxY8d3Q8uGXUkt5JG4Hl2dsZjz6D7S1MZ+mdFfmn/AME6f+Clb/EC6sfhf8XdTUeJpnEWh+JbghF1Ak/La3B6Cfsj9JOFP7zBl/SypJCiiigAooooAKKKKACiiigAooooAKKKKACiiigAoorx79r34meJvg5+zX498ZeDrAah4i0mwEtsjR+YIQ0iJJcFcHIhjZ5SCMYj54zQB4t+39+39pf7LuhS+FvC8tvqvxQv4MwwNh4tJjYcXE46FyOUjPXhm+XAb8N/EXiPVPF+vX+t63qFxqur6hM1xdXt3IZJZpGOWZmPUk0niLxFqfi7XtQ1vWr+41XVtQna5u726kLyzSMcszMepJrPqij9E/8Agmz+214P8B+DtU+CXxdkt4vBWqvMLC/1BN9nEs42z2lyMYWFySwYjaC77iAQR7hqX/BIP4IeKNQbxD4e+I+sWPhS4LTJb2t3a3USI3IWK4ZT8g7Ft5xjLE8n8fKTaPSiwWP18j/Y/wD2Efg+jw+LfHmn+ILuHmSLVvFymf8AGKzaNv8Ax2uf+N3/AATj+Enx++Dv/Cwv2Xru3+3Rb3j0yC/lls9S2/fh/fsXt5xxtDFV6BlUNvX8+P2b/wBm/wAX/tPfEa18J+ErT0lv9TmU/Z9PgzgyykfkFHLHgdyP38/Zv/Zz8Jfsw/DW08H+FLdiinzr7UZgPPv7ggBppCPoAFHCgACkI/m31DT7vR9QurC/tZrG+tZWguLW5jMcsMikqyOpAKsCCCDyCKr1+6X7bP8AwTX8O/tSasni7w5qcHgzx2FCXd01sZLbVEC4Xz1UgrIvAEoydo2lWwpTz79kv/gklpXwh8aWvi/4ma3YeM9QsGEtho1nbsLGKYHIlkaTmUjghSqgEZO7jDuO54t+xl/wTR8P33w+uPip+0J5mj+GRbG8tdDuLprILahdxubuRSrxqRyqBlOOWPO2vUE+AX/BPf4tRFdC8VaL4cuZjtVofE09jLu6DbFeORn2CfhX6DfEf4c+Hfi34I1fwj4s0uHWPD+qw+TdWk2cMMgqykcqysAysCCrKCCCBX4K/tsfsT+JP2RfGwDGbWvAWpysNH14p9T9muMDCzqAfQSAFlxhlRCPutf+COPwW1Ax6pp/xO8SP4fX5pXF1ZS5X2nWIKv1KmuY/bQ/a1+FfwD/AGeZ/wBnr4Gz2eoyXdpJpl9daZMLi2sbaTP2gPNyJbiXc6tgnbvckqQqn8pto9KWnYdgr9cv+Cb/APwUg/4TL+y/hN8WdV/4qH5bXQfE15J/yEegS1uXP/LfoEkP+t4Vv3mDL+RtB96AP6o6K+PP+CWvxo8dfGj9ms3fjp59RuNH1KTS9P1q6VhLqFskcZDSMf8AWujMyGT+LaN2XDsfsOpJCiiigAooooAKKKKACiiigAooooAKKKKACkZQykEZB4INLRQB4740/Y7+CHxBaeTXPhZ4XuLi4OZbq306O2nc+pliCuT75r82P+Cn37D3w3/Zy+Hfhfxj8O9JutFiu9YOl3trJfS3MXzwySRlfNZmBHkuPvc5r9ia+V/+CnPgOXx5+xf47W1tvtN7o4t9YiUAkqsMyGZ/wgMxoA/ASvVP2b/2b/F/7T/xGtfCfhO19Jb/AFOZT9n0+DODLKR+QUcseB3IP2b/ANnDxf8AtQfEa18J+ErX0lv9TmU/Z9PgzgyykfkFHLHgdyP36/Zv/Zv8Ifsv/Dm18J+E7X0lv9TmUfaNQnxgyyEfkFHCjgdyaKD9m/8AZv8ACH7L/wAObXwn4TtfSW/1OZR9o1CfGDLIR+QUcKOB3J9VooqSQooooAK5n4kfDfw38XPBOq+EvFulQa1oGpxeVc2k4OD3DKRyrqQGVlIKkAggiumooA/nw/bY/Yn8SfsieNgCZ9a8BanKw0fXinOeT9muMDCzqAfQSAFlxhlT5rr+n74kfDfw38XPBOq+EvFulQa1oGpxeTc2k44I6hlI5V1IDKykFSAQQRX4LftsfsS+Jf2RPGgz5+teAdTmYaPr5Tvgt9muMDCTqAfQSKpZcYdUoo6//gmf+yj4W/ak+KHiiDxvbXd34a0PS0nMFpcNAXuZJlEYZ1527Em4BBzjniv1k8EfsG/s/fD+NF0v4U+HrhlORJrFudSfOc53XJkIOfTp2r5c/wCCJ/gB9I+D/j3xjLbywvrmsRWEUkisBLDaxbgyZ4K77mRcjuhH8PH6PUhFfT9PtdJsobOytobO0hUJFb28YSONR0CqOAPYVYoopCCiiigAooooAKKKKACiiigAooooAKKKKACiiigAqrqn/INu/wDri/8A6CaKKAPhn/gkr/yTn4nf9jbc/wBa+8KKKACiiigAooooAKKKKACvm7/got/yZn8TP+vBf/Ri0UUAdh+x7/ya98Mf+wHb/wDoNew0UUAFFFFABRRRQAUUUUAf/9k=" preserveAspectRatio="none" id="img2"></image><clipPath id="clip3"><rect x="0" y="0" width="817418" height="817418"/></clipPath><clipPath id="clip4"><rect x="1458" y="97" width="1217" height="540"/></clipPath><clipPath id="clip5"><rect x="1458" y="239" width="1217" height="540"/></clipPath><clipPath id="clip6"><rect x="1458" y="359" width="1217" height="540"/></clipPath><clipPath id="clip7"><rect x="1492" y="497" width="1148" height="540"/></clipPath><clipPath id="clip8"><rect x="1492" y="619" width="1148" height="540"/></clipPath><clipPath id="clip9"><rect x="1492" y="-3647" width="1148" height="10781"/></clipPath><clipPath id="clip10"><rect x="1665" y="1683" width="931" height="540"/></clipPath><clipPath id="clip11"><rect x="1665" y="1125" width="931" height="2157"/></clipPath><clipPath id="clip12"><rect x="1665" y="1125" width="931" height="2157"/></clipPath><clipPath id="clip13"><rect x="1665" y="2159" width="931" height="540"/></clipPath><clipPath id="clip14"><rect x="1468" y="-154" width="1207" height="617"/></clipPath><clipPath id="clip15"><rect x="-0.181818" y="-2770.82" width="315884" height="318655"/></clipPath><clipPath id="clip16"><path d="M-0.0153809 0.326172 313113 0.326172 313113 313113 0 313113Z" fill-rule="evenodd" clip-rule="evenodd"/></clipPath><clipPath id="clip17"><rect x="-2770.55" y="-0.363636" width="315884" height="313113"/></clipPath><clipPath id="clip18"><rect x="0" y="0" width="313112" height="313112"/></clipPath><clipPath id="clip19"><rect x="-2770.55" y="-2770.64" width="315884" height="315884"/></clipPath><clipPath id="clip20"><path d="M-0.152322 0.164928 313113 0.164928 313113 313113-0.15625 313113Z" fill-rule="evenodd" clip-rule="evenodd"/></clipPath><clipPath id="clip21"><rect x="1665" y="838" width="931" height="540"/></clipPath><clipPath id="clip22"><rect x="1665" y="948" width="931" height="540"/></clipPath><clipPath id="clip23"><rect x="1665" y="1476" width="931" height="540"/></clipPath><clipPath id="clip24"><rect x="1694" y="1086" width="881" height="540"/></clipPath><clipPath id="clip25"><rect x="1694" y="1220" width="881" height="540"/></clipPath><clipPath id="clip26"><rect x="1694" y="1330" width="881" height="540"/></clipPath></defs><g clip-path="url(#clip0)" transform="translate(-383 -64)"><g clip-path="url(#clip1)" transform="matrix(0.000360892 0 0 0.000360892 986 158)"><g clip-path="url(#clip3)" transform="matrix(1.00339 0 0 1 -0.127797 -0.00765716)"><use width="100%" height="100%" xlink:href="#img2" transform="scale(3632.97 3632.97)"></use></g></g><path d="M1458.03 311.799 2674.38 311.799 2674.38 454.188 1458.03 454.188Z" fill-rule="evenodd"/><path d="M1456.31 454.188 2676.09 454.188" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1456.31 573.538 2676.09 573.538" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1456.31 715.927 2676.09 715.927" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1458.03 310.081 1458.03 2559.22" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2674.38 310.081 2674.38 2559.22" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1456.31 311.799 2676.09 311.799" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1456.31 2557.5 2676.09 2557.5" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip4)"><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 1491.03 388)">X.509 cert</text></g><g clip-path="url(#clip5)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1491.03 531)">SUBJECT = “CN=RATLS,O=…”</text></g><g clip-path="url(#clip6)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1491.03 650)">ISSUER = “CN=RATLS,O=…”</text></g><path d="M1492.45 711.562 2640 711.562 2640 834.374 1492.45 834.374Z" fill-rule="evenodd"/><path d="M1490.73 834.374 2641.72 834.374" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1490.73 957.185 2641.72 957.185" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1492.45 709.844 1492.45 2531.9" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2640 709.844 2640 2531.9" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1490.73 711.562 2641.72 711.562" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1490.73 2530.19 2641.72 2530.19" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip7)"><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 1525.45 788)">TCG DICE tagged evidence OID</text></g><g clip-path="url(#clip8)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1525.45 911)">CBOR tagged object = </text></g><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 2103.95 911)">Intel TEE quote<tspan fill="#100019" font-weight="400" font-size="64" x="-549.862" y="123">CBOR array = [</tspan></text><g clip-path="url(#clip9)"><text fill="#100019" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1525.45 2497)">]</text></g><path d="M1665.46 1897.68 2595.41 1897.68 2595.41 2033.28 1665.46 2033.28Z" fill-rule="evenodd"/><path d="M1665.46 2033.28 2595.41 2033.28 2595.41 2374.28 1665.46 2374.28Z" fill="#E7E7E7" fill-rule="evenodd"/><path d="M1665.46 2374.28 2595.41 2374.28 2595.41 2509.88 1665.46 2509.88Z" fill="#FFFFFF" fill-rule="evenodd"/><path d="M1663.16 2033.28 2597.7 2033.28" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.16 2374.28 2597.7 2374.28" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1665.46 1895.39 1665.46 2512.17" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2595.41 1895.39 2595.41 2512.17" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.16 1897.68 2597.7 1897.68" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.16 2509.88 2597.7 2509.88" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip10)"><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 1698.46 1974)">Claims (as CBOR </text></g><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 2143.61 1974)">bstr<tspan font-size="64" x="104.385" y="0">)</tspan></text><g clip-path="url(#clip11)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1698.46 2110)">“</text></g><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1725.38 2110)">pubkey<tspan font-size="64" x="189.452" y="0">-</tspan><tspan font-size="64" x="208.931" y="0">hash” CBOR array </tspan><tspan font-size="64" x="682.527" y="0">= </tspan>[<tspan font-size="64" x="30.3646" y="77">“hash</tspan><tspan font-size="64" x="181.042" y="77">-</tspan><tspan font-size="64" x="200.521" y="77">alg</tspan><tspan font-size="64" x="276.719" y="77">-</tspan><tspan font-size="64" x="296.198" y="77">id”: </tspan>uint<tspan font-size="64" x="507.008" y="77">,</tspan><tspan font-size="64" x="30.3646" y="154">“hash</tspan><tspan font-size="64" x="181.042" y="154">-</tspan><tspan font-size="64" x="200.521" y="154">value”: hash(PK)</tspan></text><g clip-path="url(#clip12)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1698.46 2341)">]</text></g><g clip-path="url(#clip13)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1698.46 2451)">… more claims in future …</text></g><path d="M2.42842-6.43183 141.82 46.1973 136.963 59.0609-2.42842 6.43183ZM140.245 30.9052 171.551 64.7712 125.675 69.4961Z" fill="#100019" transform="matrix(1 0 0 -1 1274 234.771)"/><path d="M1468.35 64.6239 1468.35 244.939" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2674.38 64.6239 2674.38 244.939" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1466.63 66.3425 2676.09 66.3425" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1466.63 243.221 2676.09 243.221" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip14)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="73" transform="matrix(1 0 0 1 1501.35 180)">X.509 public key (PK)</text></g><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="73" transform="matrix(1 0 0 1 2136.87 180)">, in DER format</text><g clip-path="url(#clip15)" transform="matrix(0.000360892 0 0 0.000360892 2147 1704)"><g clip-path="url(#clip16)"><use width="100%" height="100%" xlink:href="#img2" transform="matrix(1391.61 0 0 1391.61 -0.0153809 0.326172)"></use></g></g><g clip-path="url(#clip17)" transform="matrix(0.000360892 0 0 0.000360892 2174 1720)"><g clip-path="url(#clip18)" transform="matrix(1 0 0 1 0.349387 0.207386)"><use width="100%" height="100%" xlink:href="#img2" transform="scale(1391.61 1391.61)"></use></g></g><g clip-path="url(#clip19)" transform="matrix(0.000360892 0 0 0.000360892 2185 1735)"><g clip-path="url(#clip20)"><use width="100%" height="100%" xlink:href="#img2" transform="matrix(1391.61 0 0 1391.61 -0.152322 0.164928)"></use></g></g><path d="M1275.99 291.419 1414.63 333.318 1410.66 346.48 1272.01 304.581ZM1412.03 318.167 1445.55 349.843 1400.1 357.653Z" fill="#100019"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="83" transform="matrix(1 0 0 1 832.734 542)">RA<tspan font-size="83" x="96.25" y="0">-</tspan><tspan font-size="83" x="121.458" y="0">TLS certificate</tspan><tspan font-size="83" x="66.4813" y="99">(DCAP</tspan>-<tspan font-size="83" x="307.106" y="99">based,</tspan><tspan font-size="83" x="3.94165" y="198">TCG DICE format)</tspan></text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2902.55 370)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2917.06 393)">Self<tspan font-size="83" x="123.177" y="0">-</tspan><tspan font-size="83" x="148.386" y="0">signed certificate</tspan></text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2887.55 1605)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2896.31 1631)">Must verify against expected</text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2877.55 1474)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2886.28 1497)">Compare CBOR<tspan font-size="83" x="512.256" y="0">-</tspan><tspan font-size="83" x="537.465" y="0">bstr</tspan><tspan font-size="83" x="686.813" y="0">claims against this hash</tspan></text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2886.55 1751)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2895.45 1778)">Must verify against Intel PCS <tspan font-size="83" x="0" y="99">provided attestation certificates</tspan></text><path d="M1665.46 1053.43 2595.41 1053.43 2595.41 1163.43 1665.46 1163.43Z" fill-rule="evenodd"/><path d="M1663.74 1163.43 2597.13 1163.43" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.74 1273.43 2597.13 1273.43" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.74 1691.43 2597.13 1691.43" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1665.46 1051.71 1665.46 1855.19" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2595.41 1051.71 2595.41 1855.19" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.74 1053.43 2597.13 1053.43" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.74 1853.47 2597.13 1853.47" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip21)"><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 1698.46 1130)">SGX Quote (as CBOR </text></g><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 2255.7 1130)">bstr<tspan font-size="64" x="104.386" y="0">)</tspan></text><g clip-path="url(#clip22)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1698.46 1240)">VERSION = 1..</text></g><g clip-path="url(#clip23)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1698.46 1768)">Intel SGX certs = </text></g><path d="M1694.3 1300.74 2574.79 1300.74 2574.79 1434.58 1694.3 1434.58Z" fill-rule="evenodd"/><path d="M1694.3 1434.58 2574.79 1434.58 2574.79 1544.58 1694.3 1544.58Z" fill="#E7E7E7" fill-rule="evenodd"/><path d="M1694.3 1544.58 2574.79 1544.58 2574.79 1678.41 1694.3 1678.41Z" fill="#FFFFFF" fill-rule="evenodd"/><path d="M1692.01 1434.58 2577.08 1434.58" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1692.01 1544.58 2577.08 1544.58" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1694.3 1298.45 1694.3 1680.7" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2574.79 1298.45 2574.79 1680.7" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1692.01 1300.74 2577.08 1300.74" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1692.01 1678.41 2577.08 1678.41" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip24)"><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 1727.3 1377)">SGX Report (EREPORT)</text></g><g clip-path="url(#clip25)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1727.3 1511)">REPORTDATA = sha256(claims)</text></g><g clip-path="url(#clip26)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1727.3 1621)">… measurements …</text></g><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2886.55 2241)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2895.45 2264)">Compare cert PK against this one</text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2886.55 762)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2901.28 785)">Registered IANA OID: <tspan font-weight="700" font-size="83" x="727.856" y="0">2.23.133.5.4.9</tspan></text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2886.55 883)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2901.28 906)">Registered IANA CBOR tag: <tspan font-weight="700" font-size="83" x="913.619" y="0">60000</tspan><tspan fill="#7F7F7F" font-size="83" x="-2282.61" y="864">Claims is a CBOR map, </tspan><tspan fill="#7F7F7F" font-size="83" x="-2282.61" y="963">serialized as CBOR </tspan><tspan fill="#7F7F7F" font-size="83" x="-1652.54" y="963">bstr</tspan></text><path d="M1032.84 1886.18 1073.78 1891.24 1072.1 1904.88 1031.16 1899.82ZM1087.43 1892.92 1128.37 1897.98 1126.68 1911.63 1085.74 1906.57ZM1142.01 1899.67 1182.95 1904.73 1181.26 1918.37 1140.33 1913.31ZM1196.6 1906.41 1237.54 1911.47 1235.85 1925.12 1194.91 1920.06ZM1251.18 1913.16 1292.12 1918.22 1290.43 1931.87 1249.5 1926.81ZM1305.77 1919.91 1346.71 1924.97 1345.02 1938.61 1304.08 1933.55ZM1360.35 1926.65 1401.29 1931.71 1399.6 1945.36 1358.67 1940.3ZM1414.94 1933.4 1455.87 1938.46 1454.19 1952.1 1413.25 1947.04ZM1469.52 1940.14 1510.46 1945.2 1508.77 1958.85 1467.83 1953.79ZM1524.11 1946.89 1565.04 1951.95 1563.36 1965.6 1522.42 1960.54ZM1578.69 1953.64 1588.39 1954.84 1586.71 1968.48 1577 1967.28ZM1583.25 1940.35 1621.66 1965.87 1578.2 1981.28Z" fill="#7F7F7F"/><text fill="#7F7F7F" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 433.125 2112)">p<tspan font-size="83" x="43.5417" y="0">ubkey</tspan><tspan font-size="83" x="243.169" y="0">-</tspan><tspan font-size="83" x="268.377" y="0">hash is </tspan><tspan font-size="83" x="515.877" y="0">a CBOR </tspan><tspan font-size="83" x="781.138" y="0">array, </tspan><tspan font-size="83" x="0" y="99">serialized as CBOR </tspan><tspan font-size="83" x="630.071" y="99">bstr</tspan></text><path d="M0.928261-6.81204 41.8005-1.24248 39.944 12.3816-0.928261 6.81204ZM55.4246 0.614047 96.2969 6.18362 94.4404 19.8077 53.5681 14.2381ZM109.921 8.04014 150.793 13.6097 148.937 27.2338 108.064 21.6642ZM164.417 15.4662 205.29 21.0358 203.433 34.6599 162.561 29.0903ZM218.914 22.8923 259.329 28.3996 257.473 42.0237 217.057 36.5164ZM254.374 13.8473 292.461 39.853 248.804 54.7195Z" fill="#7F7F7F" transform="matrix(1 0 0 -1 1385 2147.85)"/></g></svg>
Suggestion:
more claims in the future
There was a problem hiding this comment.
Reviewable status: 26 of 27 files reviewed, 5 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @kailun-qin and @mkow)
Documentation/attestation.rst line 247 at r15 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Everything in this SVG overlaps (mostly text) with each other and some places are completely unreadable. I tried both Firefox and Chromium (on Linux).
To me, it rendered fine...
I changed the font from Calibri to Arial. See https://gramine--1039.org.readthedocs.build/en/1039/attestation.html
Is it better for you now?
Documentation/img/ratls-interoperable.svg line 1 at r15 (raw file):
<svg width="4025" height="2497" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" overflow="hidden"><defs><clipPath id="clip0"><rect x="383" y="64" width="4025" height="2497"/></clipPath><clipPath id="clip1"><rect x="-2770.55" y="-0.363636" width="822960" height="820189"/></clipPath><image width="225" height="225" xlink:href="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQDQ4RDgsLEBYQERMUFRUVDA8XGBYUGBIUFRT/2wBDAQMEBAUEBQkFBQkUDQsNFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBT/wAARCADhAOEDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD9U6KKKACiivnL/goZ8Tr/AOE/7IPxC1jSpXg1S6tY9Kt5o2KNGbmVIHdWHKssbuwI6ECgD4d/bi/4Kra7e+JNR8D/AAT1OPTNFs3e2vPF0AWSe9kHDC0Y5CRA5HmgFm4KFQAW/OXxR428ReOL37Z4j1/VPEF5/wA/Gq3slzJz1+Z2JrFr9B/2U/8AgkzqPx1+FGleO/FnjRvCdtrUf2jTdNsrEXMzW5PySyuzqF34LBQG+UqSQSVFFH58UV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5JUV+tv/Dj/wAN/wDRVtW/8FEX/wAdo/4cf+G/+irat/4KIv8A47RcLn5O6Xq19ol5Heade3Gn3cZylxaytFIp9QykEV9i/sq/8FQPiZ8DdatNP8aalf8AxF8Du4W4tdSn87ULVCeZLe4c7mIHSORihA2gx53D37x1/wAERzaeF7648I/EyXUNehjMltZappixQXLAHEZkWQmMk4+bawHcc5H5bXVrNY3U1tcRPBcQu0ckUgwyMDgqR2IIoA/qE8GeMtG+IXhPSfEvh6/i1TQ9Vtku7O8hztkjcZBweQexBwQQQQCCK2q/OX/git8Ub3xH8IfG/ga7lkmi8MalDd2Zc8Rw3iyExL7CSCV/rKa/RqpJCiiigAooooAKKKKACiiigAr46/4Ky/8AJlfib/sI6d/6UpX2LXx1/wAFZf8AkyvxN/2EdO/9KUoA/CGv6PP2L/8Ak0v4Qf8AYraf/wCiFr+cOv6PP2L/APk0v4Qf9itp/wD6IWmxs9nooopCCiiigAooooAKKKKACiiigAooooAKKKKACv5h/i1/yVbxp/2G73/0e9f08V/MP8Wv+SreNP8AsN3v/o96aGj9H/8Aghv/AMf3xnP/AEz0f+d7X6s1+U//AAQ3B+2fGg9vL0b+d9X6sUMGFFFFIQUUUUAFFFFABRRRQAV8df8ABWX/AJMr8Tf9hHTv/SlK+xa+Ov8AgrL/AMmV+Jv+wjp3/pSlAH4Q1/R5+xf/AMml/CD/ALFbT/8A0Qtfzh1/R5+xf/yaX8IP+xW0/wD9ELTY2ez14t8cP2yPg/8As66tbaT478YwaXrFxH5yadb2013cCM9HdIUYoD2L4zg4zivaa/nk/wCCgng/xX4R/a7+JLeLEuGl1TVZdR0+7mUhJ7GQ5tvLYjDKkeyI4zhomXqpoEfrH/w9W/Zq/wCh4u//AARX3/xmj/h6t+zV/wBDxd/+CK+/+M1+Ce4etG4etMdj97P+Hq37NX/Q8Xf/AIIr7/4zR/w9W/Zq/wCh4u//AARX3/xmvwT3D1o3D1oCx+9n/D1b9mr/AKHi7/8ABFff/GaP+Hq37NX/AEPF3/4Ir7/4zX4J7h60bh60BY/ez/h6t+zV/wBDxd/+CK+/+M0f8PVv2av+h4u//BFff/Ga/BPcPWjcPWgLH72f8PVv2av+h4u//BFff/GaP+Hq37NX/Q8Xf/givv8A4zX4J7h60bh60BY/oa+Fv/BQb4C/GLxhZ+F/DnjuJtdvWCWlrqFlcWYuHJwI0eWNULkkAJncxOADX0VX8vXgHwr4h8ceNNF0HwlZ3WoeJb66SKwgsciUy5yGUj7u3G4tkBQpJIAzX9PmmxXEGnWsd3Ks92kSLNIowHcAbiPqc0gLNfzD/Fr/AJKt40/7Dd7/AOj3r+niv5h/i1/yVbxp/wBhu9/9HvQgR+kX/BDb/j5+NP8AuaN/O+r9Vq/Kr/ghr/r/AI1f7ui/zvq/VWhgwooopCCiiigAooooAKKKKACvjr/grL/yZX4m/wCwjp3/AKUpX2LXx1/wVl/5Mr8Tf9hHTv8A0pSgD8Ia/o8/Yv8A+TS/hB/2K2n/APoha/nDr+jz9i//AJNL+EH/AGK2n/8AohabGz2esjxF4R0Lxhbxwa9ouna3BE26OLUbSO4VD6gOCAa16KQjif8AhR/w4/6J/wCF/wDwTW3/AMRR/wAKP+HH/RP/AAv/AOCa2/8AiK7aigDif+FH/Dj/AKJ/4X/8E1t/8RR/wo/4cf8ARP8Awv8A+Ca2/wDiK7aigDif+FH/AA4/6J/4X/8ABNbf/EUf8KP+HH/RP/C//gmtv/iK7aigDif+FH/Dj/on/hf/AME1t/8AEUf8KP8Ahx/0T/wv/wCCa2/+IrtqKAOJ/wCFH/Dj/on/AIX/APBNbf8AxFH/AAo/4cf9E/8AC/8A4Jrb/wCIrtqKAOf8O/D3wt4QuJLjQfDWj6JPIux5dOsIrdmX0JRQSK6CiigAr+Yf4tf8lW8af9hu9/8AR71/TxX8w/xa/wCSreNP+w3e/wDo96aGj9JP+CGv+s+Nf00T/wBv6/VSvyt/4Iafe+Nn/cE/9v6/VKhgwooopCCiiigAooooAKKKKACvjr/grL/yZX4m/wCwjp3/AKUpX2LXx1/wVl/5Mr8Tf9hHTv8A0pSgD8Ia/o8/Yv8A+TS/hB/2K2n/APoha/nDr+jz9i//AJNL+EH/AGK2n/8AohabGz2evyG/bb/4Kh/E7QfjZ4l8E/C7Ubbwrovhq+k0yfUDYxXN1eXMTFJyfPRlSMSBlUKuTs3bsNtH681+a/7Y/wDwSb1X4yfFbWPHvw28S6RpFxrs32rUdH10SxwrcEfvJopYkc/OfmKMnDFjuwwVUI+J/wDh55+03/0U5/8AwR6b/wDI1H/Dzz9pv/opz/8Agj03/wCRq9Z/4cr/ABw/6Gn4f/8Agwvv/kOj/hyv8cP+hp+H/wD4ML7/AOQ6eg9Dyb/h55+03/0U5/8AwR6b/wDI1H/Dzz9pv/opz/8Agj03/wCRq9Z/4cr/ABw/6Gn4f/8Agwvv/kOj/hyv8cP+hp+H/wD4ML7/AOQ6NA0PJv8Ah55+03/0U5//AAR6b/8AI1H/AA88/ab/AOinP/4I9N/+Rq9Z/wCHK/xw/wChp+H/AP4ML7/5Do/4cr/HD/oafh//AODC+/8AkOjQNDyb/h55+03/ANFOf/wR6b/8jUf8PPP2m/8Aopz/APgj03/5Gr1n/hyv8cP+hp+H/wD4ML7/AOQ6P+HK/wAcP+hp+H//AIML7/5Do0DQ8m/4eeftN/8ARTn/APBHpv8A8jUf8PPP2m/+inP/AOCPTf8A5Gr1n/hyv8cP+hp+H/8A4ML7/wCQ6P8Ahyv8cP8Aoafh/wD+DC+/+Q6NA0Oc+EP/AAVq+OHg/wAaWN5421uHxz4ZMire6bNptrbS+Vn5mhkhjjIkA6bsqccjvX7h2V5FqFnBdW7+ZBPGssbYxlWGQfyNfkv8Hv8Agiv4qj8Z2Nz8TvF2gN4Yt5VlnsfDctxNPeKDkxb5IovKB6FhuOM4API/WyGJLeJIo0WONFCqijAUDgAD0pCH1/MP8Wv+SreNP+w3e/8Ao96/p4r+Yf4tf8lW8af9hu9/9HvTQ0fpN/wQ0+98bP8AuCf+39fqlX5W/wDBDT73xs/7gn/t/X6pUMGFFFFIQUUUUAFFFFABRRRQAV8df8FZf+TK/E3/AGEdO/8ASlK+xa+Ov+Csv/Jlfib/ALCOnf8ApSlAH4Q1/R5+xf8A8ml/CD/sVtP/APRC1/OHX9Hn7F//ACaX8IP+xW0//wBELTY2ez0UUUhBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABX8w/xa/5Kt40/wCw3e/+j3r+niv5h/i1/wAlW8af9hu9/wDR700NH6Tf8ENPvfGz/uCf+39fqlX5W/8ABDT73xs/7gn/ALf1+qVDBhRRRSEFFFFABRRRQAUUUUAFfHX/AAVl/wCTK/E3/YR07/0pSvsWvjr/AIKy/wDJlfib/sI6d/6UpQB+ENf0efsX/wDJpfwg/wCxW0//ANELX84df0efsX/8ml/CD/sVtP8A/RC02Nns9FFFIQUUUUAFFFFABRXm37R3xmtf2fPgf4v+IN1bC9GiWfmQ2rMVE87usUMZI6BpXQE9gSa/DHxB/wAFD/2hvEPiifXG+Juq6dLI5ZLLTgkNnEuThFhC7SAOMsGY4ySTzQB/QvWb4k8SaV4P0DUNc1zULfStI0+Fri6vbqQJFDGoyzMx6ACvw18G/wDBWf8AaJ8LZF9r+j+KkzkLrOkRDA9M2/lE/iSeetcN+0d+3h8XP2sNOs/D3iO5stP0QSow0Lw7bSQw3UwPyNIGd3kIOMKWKg4IXPNMZ3/7dn/BQzxD+0l4kuPD3g6/v/D/AMM7N2jit4ZGgm1Y9DNcYIOw/wAMR4A5Ybvu+Z/sk/tneNv2UfGdrd6ZeXGreEJH26l4ZuJ2+zzxk/M0YORFKOodR14bKkiuW8P/ALJnxr8URrLpnwn8ZXEDDcszaJcRxsPZ3QA/gata1+xv8dNAj8y8+EXjLy+7W+jTzgcZyfLVsD3NPQeh/QZ8HfjF4V+PHw/0zxl4O1JdS0a+Xj+GWCQY3wypn5JFJwV+hGQQT2tfzk/Af9pr4q/sc+ML9vDVxJpUkxC6n4d1y0Y29wQDt82FtrqwzkMpVu2dpIPtHi//AIK8/tCeJrYxafe+HfCjnH77R9IDsOf+nl5hz9O9IR+51fIH7UX/AATN+Fnx+0u+1DQNMtvAPjdt0sWq6RCIre4lOTi5gUbXDEkl1CyZwdzAFT+TN1+31+0Lea1DqknxY8QLcwtuWOKRI4Dzn5oFURsPYqa/ZD/gn/8AtRX/AO1Z8B4/EGuW0Vt4m0m9fSNUaBQkVxKkccizooJ2h0kXI4wyvgAYoA+Zv+CPvw71/wCEvjz9ofwf4osW07XtHuNFtrq3bkBh9vIZT/EjKVZWHBVgR1r9Lq5XSfh9p+jfErxL4xtkWO/17TtPsLraMb/sj3TI59Wxdbc+iKO1dVSEFFFFABRRRQAUUUUAFFFFABXx1/wVl/5Mr8Tf9hHTv/SlK+xa+Ov+Csv/ACZX4m/7COnf+lKUAfhDX9Hn7F//ACaX8IP+xW0//wBELX84df0efsX/APJpfwg/7FbT/wD0QtNjZ7PRRRSEFFFFABRRXKfEr4reEPg74am8QeNfEWn+G9Iiz/pF9ME3sBnZGv3pHx0VAWPYUAfJn/BYLxf/AMI5+yDJpgyW8Qa9ZafhSPup5lySRnpm3A+pFfh2iNI6oilnY4CqMkn0Ffan/BSH9ubS/wBqvWtD8O+DYLqHwR4flluBdXkflyajcsAgl2HlERdwUHDHzGLAcAfVH/BMb9ge08C6Fpvxk+I+nq3iW6QXWg6XeKNumQEZW6kB485h8yg/6tSD984RjPGv2R/+CR+v/ES0sfFPxguLrwjoMyrNB4dtxs1O4U8/vywIt1Ix8uDJyQRGQCfuPUPFf7K/7AdmLFP+EZ8G6ssKqbWxgN5rMyEHaZCoecqecNIdvXmvjz9ur/gqlqGrahqfgH4J6kbHSYt1tfeM7V8T3LchksmH+rQcjzx8zHlNoAd/zMvLufULue6uppLm6nkaWWeZy7yOxyzMx5JJJJJ9aAP2I8Tf8FsPhnY3Dx6D4E8UavGpIEt41vaK2O4AeQ4PuAeegqloX/BbjwFcXCjWfhx4ksIc/M9jdW90w+isY8/nX4/0U7Dsfvh4X/ai/Zb/AG0rWDw7qlzoOr6hLhYdE8YWCwXIdgcCFpRtZ+v+pcsK+Zv2pv8AgjpbfY7zxD8D76SOdA0jeEdWuN6uAPu21y5yDxwsxOSf9YuMV+VFfcn7FX/BTfxb8CdQsPC3xBu7zxd8O2IhWSdjLf6UvQNE5OZIgOsTHgAbCuNrIR8Va94f1PwrrV5o+taddaTq1lKYbmxvoWhmgkHVXRgCpHoRX6i/8EPvFbtD8WfDUkg8tW0/UYI++SJ45T/47DXuv7bH7HfhP9tb4V23xE+HktjceN1sBd6TqtmyrFrVvtytvK3AyRwjNgo3ythc4/L39jD9pq+/Y1+O769qekXd3pU0Muj69pABjuVj8xSSiOQBNHJGDtfGRvTK7twAP6HKK8y+CP7Snw2/aK0ZtQ8A+KrPW2jQPcWOTFeWuTj97A4DoMggMRtbHykjmvTaQgooooAKKKKACiiigAooooAK+Ov+Csv/ACZX4m/7COnf+lKV9i18df8ABWX/AJMr8Tf9hHTv/SlKAPwhr+jz9i//AJNL+EH/AGK2n/8Aoha/nDr+jz9i/wD5NL+EH/Yraf8A+iFpsbPZ6KKKQgooooA+Zv8AgoL+1FqX7KnwHOveH7aG48T6vfppOmyXCb4rZ2R5HnZcjdtSNsDpuZMggEH8HviR8U/F3xg8SS6/408Rah4l1eTj7TfzF9i5zsRfuxpknCqAo7Cv3k/4KFfs6zftI/s2a1pGlxNN4m0Vxrejxp1mniRw0OO5kjeRAOm4oT0r+fLrTQ0fU3/BOP8AZqt/2kP2irCDWrMXfhDw7H/a+rxyJuiuArAQ27ZGCJJCMqeqJIK+4f8Agrv+1jc/D/wjafB3wzdmDWPElqbjXJ4mIeHTiSiwAjvMVcNz9xCCMSA1vf8ABGf4ax+Gf2ctc8XywIt94o1qQLMv3mtbZRFGp+kpuT/wKvyv/ao+K0vxs/aI8f8AjJrhbq11DVplsZF6fY4j5VsBz/zySP6nJ70AeVUUUVRQUUUUAFFFFAH6Mf8ABIz9rK68FePv+FN+Ir5pPDfiB2l0Rpnytlf4LNEueiTAHjOPMVcDMjE1P+CwX7NcPw9+J+l/FPQ7MQaN4uZrfVFiXCRaki539ePOjBbAH3oZGJy1fAGg65f+F9c07WdKunstU065jvLS6jxuhmjYOjjPcMoP4V+6v7Z+n2P7TP8AwTv1bxRawIGk0C08YWW5cm3MaJcSAeh8kzJ7bjUkn4V6D4g1TwrrFrq+ianeaNq1o/mW9/p9w8E8LYI3JIhDKcE8g96/Z3/gln+2d4t/aL0jxL4O8fXC6t4h8PRQ3VrrWxUku7Z2ZSsyqAu+NggDjlw/IypZvxTr9nP+CPf7Otx8O/hDqvxL1iFodU8ZsiWELjBj0+EttfBAIMshdu4KJEw+8abGz9B6KKKkkKKKKACiiigAooooAK+Ov+Csv/Jlfib/ALCOnf8ApSlfYtfHX/BWX/kyvxN/2EdO/wDSlKAPwhr+jz9i/wD5NL+EH/Yraf8A+iFr+cOv6PP2L/8Ak0v4Qf8AYraf/wCiFpsbPZ6KKKQgooooAK/AL/gpb8H9K+Df7Wvia00TZFpmuRR6/HaoOLZ5y3mp9DKkjgDAVXVR0r96fFHibTfBfhrVdf1m6Sx0jS7WW9vLqT7sUMaF3Y/RQTX83X7SHxt1L9oj41eKfHupB4v7UuibS1c5+y2qAJBF6ZWNVyRwW3HvTQ0ftD/wT5ZdJ/4J3+DJ7PiRNM1WcHOT5n2y6Yn/AL6r8E1+6K/dD/gkv4ps/GH7FumaKPmOhanqGlXKEY5klNz36grdDn6+lfih8QvBd38OfH3iTwpfnN7oepXGmzNtxueGVoyceh25/GhAjn6KKKooKKKKACiiigAr95f2X0Hir/gmPo9rqQVobjwZqVlIsgypiC3EQz7bAK/Bqv3v1+3f9nf/AIJj3VnqDLYajpfw++ySbsDy76e28sL7nz5gPf8AGpZLPxP/AGffhvB8YPjd4E8FXc5tbLXNXtrK5mVtrLCzjzCpx97Zux74r+lfRdGsfDuj2Gk6ZaxWOm2EEdra2sK7UhiRQqIo7AKAAPav5efDviDUfCPiDS9c0e6ex1fS7qK9s7qMAtDNE4eNxkEZDKDyO1f0ifs0/HLTf2jfgl4X8e6cqQtqVsBe2iEn7Ldodk8PPOFcNgnGVKt0NAHp9FFFIQUUUUAFFFFABRRRQAV8df8ABWX/AJMr8Tf9hHTv/SlK+xa+Pv8AgrBbyTfsT+LHRSyxX2nO59B9rjXP5sB+NAH4O1/R5+xf/wAml/CD/sVtP/8ARC1/OHX9E/7BvinSvFn7IXwsn0m9jvI7PQ7fTrjyzzFcQII5Y2HYhlPXqCD0IpsbPfKKKKQgooooA+FP+CxXjjWvCn7LNhpmlyNb2XiHX7fTtRlXq0KxTTiLPbc8KE+oQjoTX4j1/Tn8WvhP4Y+N/gHVfBvjDTV1TQtRQLLEWKujA5SRGHKurAEEencZFfkt+0d/wR78d+AftWr/AAs1EePdETL/ANlXRSDVIl9B0jnwM8rsY9AhpoaLH/BGn47R+D/i54h+GepXCxWPiq2F3p/mPgC+twSUUYxmSEuSc/8ALBRzmqf/AAWA/Zxn8BfF+0+KemWx/wCEf8XBYL51HywalHHjB9PNiQOPVo5TXwzaz+JvhP45tblY7/wx4s0G8juI1uYGgubO4jYOhZHGVYEA4YfhX7s/Bj4pfD7/AIKSfsv6jpOu28Rup4FsfEWjxNtn068xuSeHOcKWXzIn5HylTkq6gA/Aaivb/wBqn9kfxv8Asn+N5dI8R2rXug3Erf2T4it4yLW/jHI9fLlA+9ETlTnBZdrt4hTGFFFFMYUUV3XwY+CfjH4/+PLHwj4J0iXVdVuTud8EQWsWQGmnkxiONcjJPUkAAsQCAet/8E+/2b5/2kP2jNDsbq0abwpoLprGuSOmYjDGwKW5JGCZXCptyCU8wj7pr7p/4LPfHiLQPhz4c+FFhcj+0tfnXVdTiRhlLKFiIlYdcSTDcD/07tXvfw18AfDf/gmV+y/qV/qt99oaBftmraltAudYvyuEhgQnjONkcecKNzMeZHP4kfHf4z+If2i/i5rvjjXyzajq1x+5s4yXS1hHyw28fHRVwOmWOWPLGpJPPa/Ub/giJ4y1ttW+JvhMtJL4cSG11RVP3ILpmaIke8iKM/8AXAeleG/s3/8ABKr4sfGn7LqvimL/AIVt4Xkw3natCWv5l/6Z2uQy/WUp1yA1frj+zR+y34G/ZU8ES+HfBlrOzXcouNQ1S+kEl3fSgYVpGAACqOFRQFGScZZiQD16iiikIKKKKACiiigAooooAK4P47fCfT/jp8H/ABZ4C1NxFba5YPbLOV3eRLw0UuO5SRUfH+zXeUUAfzAfEj4d6/8ACXx1rfg/xRYPpuvaPctbXVu4/iHIZT/EjKVZWHDKykcGn+Dfij4z+Ha3C+FPF2veGFuSDOujanPaCUjoW8tl3Y96/oF/ag/Yv+G37WGlwL4ssJrHXrRPLs/EOlMsV7Cm7d5ZYqVkjyT8jggbmK7Sc18FeIv+CIPiKG/f+wvilpd1ZFiUOo6XJDIozwDsdwT78Z9BTuM+E/8Ahp34x/8ARWvHX/hSXv8A8do/4ad+Mf8A0Vrx1/4Ul7/8dr7X/wCHI/j3/opHhz/wEuP8KP8AhyP49/6KR4c/8BLj/CmPQ+KP+GnfjH/0Vrx1/wCFJe//AB2j/hp34x/9Fa8df+FJe/8Ax2vtf/hyP49/6KR4c/8AAS4/wo/4cj+Pf+ikeHP/AAEuP8KA0Mn9hL/god8cI/GmhfDa50i6+Mdpfz+XCl3csuqWqk5eT7W2Q0aDcx87OAAPMRQK/ZevnP8AYx/Yt8L/ALIvglre1aPWvGWooP7X8QNFtaTuIYgeUhU9urEbm7BeC/b+/b+0v9l3QZfC/heW31X4n6hDmG3bEkWlRsOLicd2I5SM9fvN8uA0knif/Ba74T6RJ4D8EfEmCzSHXINU/sK6uY0AaeCSGWaMSHqdjQvt9PNb1Ffmp8Cfj54z/Zx+IFp4v8Eal9h1GIeXPbzAvbXsJILQzx5G9DgdwQQCpVgCP1E+PmtXvx//AOCQWleKrmefXdZtNO068ubqRjJLLNbXaW1zK57kATMxPoxr8eKaGj95/gX+158E/wBvbwPJ4L8S2Gnw67eQgX3gzX9rea4Gd9rIQBLtILBkxImNxVeDXzr8ev8Agi3bX15c6l8IfFkemo5LLoPiUu8SZOcR3SBnCgcAOjH1fvX5SRSvbypLE7RyowZHQkMpHIIPY19V/B//AIKdfHz4P2MdgviW38Y6bEu2K18WQNeFP+2yukx+jSEDAwBQBV8Tf8Eyf2kPDN5LCfh5JqsKttS60vUbWaOQf3gPMDgf7yg1S0n/AIJuftI6zcCKH4X30Jzy93fWkCj3y8wz+FfWXh3/AILh3kccaa78IoZ3x88+na8YxnHaN4G/9Dq3rX/BcRdpXSPg+xYj/W33iAAA/wC4tvz/AN9CjUNTnPgz/wAEVfE2pXkN38UfGllounhgz6b4bBubqRccqZpFVImz3CSjj34+y/Evj79nr/gmr8NRpNrDa6HLcL5sOi6fm51bVZADh5CxLEfeHmSsqL90EcLX5p/Fj/grN8d/iRaTWOk32l+ArGQsCfD9qftLIc4Uzys7Kf8AajCHjtXx7rWtaj4k1S51PVr+61TUrp/MnvL2ZpppW/vO7Elj7k0Ae1ftZ/th+NP2uPGSanr5XSvD9kzDSvDtrKXgs1PBZmIHmSkY3SEDPQBR8tfRH/BG34S6Z44+PXiPxbqtpFer4T01HskmQMIrueQqkwz/ABKkcwHHBbIwQK+AK/XD/gjLo9v4S+BvxY8d3Q8uGXUkt5JG4Hl2dsZjz6D7S1MZ+mdFfmn/AME6f+Clb/EC6sfhf8XdTUeJpnEWh+JbghF1Ak/La3B6Cfsj9JOFP7zBl/SypJCiiigAooooAKKKKACiiigAooooAKKKKACiiigAoorx79r34meJvg5+zX498ZeDrAah4i0mwEtsjR+YIQ0iJJcFcHIhjZ5SCMYj54zQB4t+39+39pf7LuhS+FvC8tvqvxQv4MwwNh4tJjYcXE46FyOUjPXhm+XAb8N/EXiPVPF+vX+t63qFxqur6hM1xdXt3IZJZpGOWZmPUk0niLxFqfi7XtQ1vWr+41XVtQna5u726kLyzSMcszMepJrPqij9E/8Agmz+214P8B+DtU+CXxdkt4vBWqvMLC/1BN9nEs42z2lyMYWFySwYjaC77iAQR7hqX/BIP4IeKNQbxD4e+I+sWPhS4LTJb2t3a3USI3IWK4ZT8g7Ft5xjLE8n8fKTaPSiwWP18j/Y/wD2Efg+jw+LfHmn+ILuHmSLVvFymf8AGKzaNv8Ax2uf+N3/AATj+Enx++Dv/Cwv2Xru3+3Rb3j0yC/lls9S2/fh/fsXt5xxtDFV6BlUNvX8+P2b/wBm/wAX/tPfEa18J+ErT0lv9TmU/Z9PgzgyykfkFHLHgdyP38/Zv/Zz8Jfsw/DW08H+FLdiinzr7UZgPPv7ggBppCPoAFHCgACkI/m31DT7vR9QurC/tZrG+tZWguLW5jMcsMikqyOpAKsCCCDyCKr1+6X7bP8AwTX8O/tSasni7w5qcHgzx2FCXd01sZLbVEC4Xz1UgrIvAEoydo2lWwpTz79kv/gklpXwh8aWvi/4ma3YeM9QsGEtho1nbsLGKYHIlkaTmUjghSqgEZO7jDuO54t+xl/wTR8P33w+uPip+0J5mj+GRbG8tdDuLprILahdxubuRSrxqRyqBlOOWPO2vUE+AX/BPf4tRFdC8VaL4cuZjtVofE09jLu6DbFeORn2CfhX6DfEf4c+Hfi34I1fwj4s0uHWPD+qw+TdWk2cMMgqykcqysAysCCrKCCCBX4K/tsfsT+JP2RfGwDGbWvAWpysNH14p9T9muMDCzqAfQSAFlxhlRCPutf+COPwW1Ax6pp/xO8SP4fX5pXF1ZS5X2nWIKv1KmuY/bQ/a1+FfwD/AGeZ/wBnr4Gz2eoyXdpJpl9daZMLi2sbaTP2gPNyJbiXc6tgnbvckqQqn8pto9KWnYdgr9cv+Cb/APwUg/4TL+y/hN8WdV/4qH5bXQfE15J/yEegS1uXP/LfoEkP+t4Vv3mDL+RtB96AP6o6K+PP+CWvxo8dfGj9ms3fjp59RuNH1KTS9P1q6VhLqFskcZDSMf8AWujMyGT+LaN2XDsfsOpJCiiigAooooAKKKKACiiigAooooAKKKKACkZQykEZB4INLRQB4740/Y7+CHxBaeTXPhZ4XuLi4OZbq306O2nc+pliCuT75r82P+Cn37D3w3/Zy+Hfhfxj8O9JutFiu9YOl3trJfS3MXzwySRlfNZmBHkuPvc5r9ia+V/+CnPgOXx5+xf47W1tvtN7o4t9YiUAkqsMyGZ/wgMxoA/ASvVP2b/2b/F/7T/xGtfCfhO19Jb/AFOZT9n0+DODLKR+QUcseB3IP2b/ANnDxf8AtQfEa18J+ErX0lv9TmU/Z9PgzgyykfkFHLHgdyP36/Zv/Zv8Ifsv/Dm18J+E7X0lv9TmUfaNQnxgyyEfkFHCjgdyaKD9m/8AZv8ACH7L/wAObXwn4TtfSW/1OZR9o1CfGDLIR+QUcKOB3J9VooqSQooooAK5n4kfDfw38XPBOq+EvFulQa1oGpxeVc2k4OD3DKRyrqQGVlIKkAggiumooA/nw/bY/Yn8SfsieNgCZ9a8BanKw0fXinOeT9muMDCzqAfQSAFlxhlT5rr+n74kfDfw38XPBOq+EvFulQa1oGpxeTc2k44I6hlI5V1IDKykFSAQQRX4LftsfsS+Jf2RPGgz5+teAdTmYaPr5Tvgt9muMDCTqAfQSKpZcYdUoo6//gmf+yj4W/ak+KHiiDxvbXd34a0PS0nMFpcNAXuZJlEYZ1527Em4BBzjniv1k8EfsG/s/fD+NF0v4U+HrhlORJrFudSfOc53XJkIOfTp2r5c/wCCJ/gB9I+D/j3xjLbywvrmsRWEUkisBLDaxbgyZ4K77mRcjuhH8PH6PUhFfT9PtdJsobOytobO0hUJFb28YSONR0CqOAPYVYoopCCiiigAooooAKKKKACiiigAooooAKKKKACiiigAqrqn/INu/wDri/8A6CaKKAPhn/gkr/yTn4nf9jbc/wBa+8KKKACiiigAooooAKKKKACvm7/got/yZn8TP+vBf/Ri0UUAdh+x7/ya98Mf+wHb/wDoNew0UUAFFFFABRRRQAUUUUAf/9k=" preserveAspectRatio="none" id="img2"></image><clipPath id="clip3"><rect x="0" y="0" width="817418" height="817418"/></clipPath><clipPath id="clip4"><rect x="1458" y="97" width="1217" height="540"/></clipPath><clipPath id="clip5"><rect x="1458" y="239" width="1217" height="540"/></clipPath><clipPath id="clip6"><rect x="1458" y="359" width="1217" height="540"/></clipPath><clipPath id="clip7"><rect x="1492" y="497" width="1148" height="540"/></clipPath><clipPath id="clip8"><rect x="1492" y="619" width="1148" height="540"/></clipPath><clipPath id="clip9"><rect x="1492" y="-3647" width="1148" height="10781"/></clipPath><clipPath id="clip10"><rect x="1665" y="1683" width="931" height="540"/></clipPath><clipPath id="clip11"><rect x="1665" y="1125" width="931" height="2157"/></clipPath><clipPath id="clip12"><rect x="1665" y="1125" width="931" height="2157"/></clipPath><clipPath id="clip13"><rect x="1665" y="2159" width="931" height="540"/></clipPath><clipPath id="clip14"><rect x="1468" y="-154" width="1207" height="617"/></clipPath><clipPath id="clip15"><rect x="-0.181818" y="-2770.82" width="315884" height="318655"/></clipPath><clipPath id="clip16"><path d="M-0.0153809 0.326172 313113 0.326172 313113 313113 0 313113Z" fill-rule="evenodd" clip-rule="evenodd"/></clipPath><clipPath id="clip17"><rect x="-2770.55" y="-0.363636" width="315884" height="313113"/></clipPath><clipPath id="clip18"><rect x="0" y="0" width="313112" height="313112"/></clipPath><clipPath id="clip19"><rect x="-2770.55" y="-2770.64" width="315884" height="315884"/></clipPath><clipPath id="clip20"><path d="M-0.152322 0.164928 313113 0.164928 313113 313113-0.15625 313113Z" fill-rule="evenodd" clip-rule="evenodd"/></clipPath><clipPath id="clip21"><rect x="1665" y="838" width="931" height="540"/></clipPath><clipPath id="clip22"><rect x="1665" y="948" width="931" height="540"/></clipPath><clipPath id="clip23"><rect x="1665" y="1476" width="931" height="540"/></clipPath><clipPath id="clip24"><rect x="1694" y="1086" width="881" height="540"/></clipPath><clipPath id="clip25"><rect x="1694" y="1220" width="881" height="540"/></clipPath><clipPath id="clip26"><rect x="1694" y="1330" width="881" height="540"/></clipPath></defs><g clip-path="url(#clip0)" transform="translate(-383 -64)"><g clip-path="url(#clip1)" transform="matrix(0.000360892 0 0 0.000360892 986 158)"><g clip-path="url(#clip3)" transform="matrix(1.00339 0 0 1 -0.127797 -0.00765716)"><use width="100%" height="100%" xlink:href="#img2" transform="scale(3632.97 3632.97)"></use></g></g><path d="M1458.03 311.799 2674.38 311.799 2674.38 454.188 1458.03 454.188Z" fill-rule="evenodd"/><path d="M1456.31 454.188 2676.09 454.188" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1456.31 573.538 2676.09 573.538" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1456.31 715.927 2676.09 715.927" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1458.03 310.081 1458.03 2559.22" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2674.38 310.081 2674.38 2559.22" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1456.31 311.799 2676.09 311.799" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1456.31 2557.5 2676.09 2557.5" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip4)"><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 1491.03 388)">X.509 cert</text></g><g clip-path="url(#clip5)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1491.03 531)">SUBJECT = “CN=RATLS,O=…”</text></g><g clip-path="url(#clip6)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1491.03 650)">ISSUER = “CN=RATLS,O=…”</text></g><path d="M1492.45 711.562 2640 711.562 2640 834.374 1492.45 834.374Z" fill-rule="evenodd"/><path d="M1490.73 834.374 2641.72 834.374" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1490.73 957.185 2641.72 957.185" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1492.45 709.844 1492.45 2531.9" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2640 709.844 2640 2531.9" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1490.73 711.562 2641.72 711.562" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1490.73 2530.19 2641.72 2530.19" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip7)"><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 1525.45 788)">TCG DICE tagged evidence OID</text></g><g clip-path="url(#clip8)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1525.45 911)">CBOR tagged object = </text></g><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 2103.95 911)">Intel TEE quote<tspan fill="#100019" font-weight="400" font-size="64" x="-549.862" y="123">CBOR array = [</tspan></text><g clip-path="url(#clip9)"><text fill="#100019" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1525.45 2497)">]</text></g><path d="M1665.46 1897.68 2595.41 1897.68 2595.41 2033.28 1665.46 2033.28Z" fill-rule="evenodd"/><path d="M1665.46 2033.28 2595.41 2033.28 2595.41 2374.28 1665.46 2374.28Z" fill="#E7E7E7" fill-rule="evenodd"/><path d="M1665.46 2374.28 2595.41 2374.28 2595.41 2509.88 1665.46 2509.88Z" fill="#FFFFFF" fill-rule="evenodd"/><path d="M1663.16 2033.28 2597.7 2033.28" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.16 2374.28 2597.7 2374.28" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1665.46 1895.39 1665.46 2512.17" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2595.41 1895.39 2595.41 2512.17" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.16 1897.68 2597.7 1897.68" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.16 2509.88 2597.7 2509.88" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip10)"><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 1698.46 1974)">Claims (as CBOR </text></g><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 2143.61 1974)">bstr<tspan font-size="64" x="104.385" y="0">)</tspan></text><g clip-path="url(#clip11)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1698.46 2110)">“</text></g><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1725.38 2110)">pubkey<tspan font-size="64" x="189.452" y="0">-</tspan><tspan font-size="64" x="208.931" y="0">hash” CBOR array </tspan><tspan font-size="64" x="682.527" y="0">= </tspan>[<tspan font-size="64" x="30.3646" y="77">“hash</tspan><tspan font-size="64" x="181.042" y="77">-</tspan><tspan font-size="64" x="200.521" y="77">alg</tspan><tspan font-size="64" x="276.719" y="77">-</tspan><tspan font-size="64" x="296.198" y="77">id”: </tspan>uint<tspan font-size="64" x="507.008" y="77">,</tspan><tspan font-size="64" x="30.3646" y="154">“hash</tspan><tspan font-size="64" x="181.042" y="154">-</tspan><tspan font-size="64" x="200.521" y="154">value”: hash(PK)</tspan></text><g clip-path="url(#clip12)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1698.46 2341)">]</text></g><g clip-path="url(#clip13)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1698.46 2451)">… more claims in future …</text></g><path d="M2.42842-6.43183 141.82 46.1973 136.963 59.0609-2.42842 6.43183ZM140.245 30.9052 171.551 64.7712 125.675 69.4961Z" fill="#100019" transform="matrix(1 0 0 -1 1274 234.771)"/><path d="M1468.35 64.6239 1468.35 244.939" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2674.38 64.6239 2674.38 244.939" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1466.63 66.3425 2676.09 66.3425" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1466.63 243.221 2676.09 243.221" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip14)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="73" transform="matrix(1 0 0 1 1501.35 180)">X.509 public key (PK)</text></g><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="73" transform="matrix(1 0 0 1 2136.87 180)">, in DER format</text><g clip-path="url(#clip15)" transform="matrix(0.000360892 0 0 0.000360892 2147 1704)"><g clip-path="url(#clip16)"><use width="100%" height="100%" xlink:href="#img2" transform="matrix(1391.61 0 0 1391.61 -0.0153809 0.326172)"></use></g></g><g clip-path="url(#clip17)" transform="matrix(0.000360892 0 0 0.000360892 2174 1720)"><g clip-path="url(#clip18)" transform="matrix(1 0 0 1 0.349387 0.207386)"><use width="100%" height="100%" xlink:href="#img2" transform="scale(1391.61 1391.61)"></use></g></g><g clip-path="url(#clip19)" transform="matrix(0.000360892 0 0 0.000360892 2185 1735)"><g clip-path="url(#clip20)"><use width="100%" height="100%" xlink:href="#img2" transform="matrix(1391.61 0 0 1391.61 -0.152322 0.164928)"></use></g></g><path d="M1275.99 291.419 1414.63 333.318 1410.66 346.48 1272.01 304.581ZM1412.03 318.167 1445.55 349.843 1400.1 357.653Z" fill="#100019"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="83" transform="matrix(1 0 0 1 832.734 542)">RA<tspan font-size="83" x="96.25" y="0">-</tspan><tspan font-size="83" x="121.458" y="0">TLS certificate</tspan><tspan font-size="83" x="66.4813" y="99">(DCAP</tspan>-<tspan font-size="83" x="307.106" y="99">based,</tspan><tspan font-size="83" x="3.94165" y="198">TCG DICE format)</tspan></text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2902.55 370)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2917.06 393)">Self<tspan font-size="83" x="123.177" y="0">-</tspan><tspan font-size="83" x="148.386" y="0">signed certificate</tspan></text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2887.55 1605)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2896.31 1631)">Must verify against expected</text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2877.55 1474)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2886.28 1497)">Compare CBOR<tspan font-size="83" x="512.256" y="0">-</tspan><tspan font-size="83" x="537.465" y="0">bstr</tspan><tspan font-size="83" x="686.813" y="0">claims against this hash</tspan></text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2886.55 1751)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2895.45 1778)">Must verify against Intel PCS <tspan font-size="83" x="0" y="99">provided attestation certificates</tspan></text><path d="M1665.46 1053.43 2595.41 1053.43 2595.41 1163.43 1665.46 1163.43Z" fill-rule="evenodd"/><path d="M1663.74 1163.43 2597.13 1163.43" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.74 1273.43 2597.13 1273.43" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.74 1691.43 2597.13 1691.43" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1665.46 1051.71 1665.46 1855.19" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2595.41 1051.71 2595.41 1855.19" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.74 1053.43 2597.13 1053.43" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1663.74 1853.47 2597.13 1853.47" stroke="#000000" stroke-width="3.4375" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip21)"><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 1698.46 1130)">SGX Quote (as CBOR </text></g><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 2255.7 1130)">bstr<tspan font-size="64" x="104.386" y="0">)</tspan></text><g clip-path="url(#clip22)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1698.46 1240)">VERSION = 1..</text></g><g clip-path="url(#clip23)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1698.46 1768)">Intel SGX certs = </text></g><path d="M1694.3 1300.74 2574.79 1300.74 2574.79 1434.58 1694.3 1434.58Z" fill-rule="evenodd"/><path d="M1694.3 1434.58 2574.79 1434.58 2574.79 1544.58 1694.3 1544.58Z" fill="#E7E7E7" fill-rule="evenodd"/><path d="M1694.3 1544.58 2574.79 1544.58 2574.79 1678.41 1694.3 1678.41Z" fill="#FFFFFF" fill-rule="evenodd"/><path d="M1692.01 1434.58 2577.08 1434.58" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1692.01 1544.58 2577.08 1544.58" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1694.3 1298.45 1694.3 1680.7" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M2574.79 1298.45 2574.79 1680.7" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1692.01 1300.74 2577.08 1300.74" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><path d="M1692.01 1678.41 2577.08 1678.41" stroke="#000000" stroke-width="4.58333" stroke-linejoin="round" stroke-miterlimit="10" fill="none" fill-rule="evenodd"/><g clip-path="url(#clip24)"><text fill="#FFFFFF" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="700" font-size="64" transform="matrix(1 0 0 1 1727.3 1377)">SGX Report (EREPORT)</text></g><g clip-path="url(#clip25)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1727.3 1511)">REPORTDATA = sha256(claims)</text></g><g clip-path="url(#clip26)"><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="64" transform="matrix(1 0 0 1 1727.3 1621)">… measurements …</text></g><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2886.55 2241)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2895.45 2264)">Compare cert PK against this one</text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2886.55 762)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2901.28 785)">Registered IANA OID: <tspan font-weight="700" font-size="83" x="727.856" y="0">2.23.133.5.4.9</tspan></text><path d="M1.69303e-05-6.875 112.175-6.87472 112.175 6.87528-1.69303e-05 6.875ZM105.3-20.6247 146.55 0.000360892 105.3 20.6253Z" transform="matrix(-1 0 0 1 2886.55 883)"/><text font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 2901.28 906)">Registered IANA CBOR tag: <tspan font-weight="700" font-size="83" x="913.619" y="0">60000</tspan><tspan fill="#7F7F7F" font-size="83" x="-2282.61" y="864">Claims is a CBOR map, </tspan><tspan fill="#7F7F7F" font-size="83" x="-2282.61" y="963">serialized as CBOR </tspan><tspan fill="#7F7F7F" font-size="83" x="-1652.54" y="963">bstr</tspan></text><path d="M1032.84 1886.18 1073.78 1891.24 1072.1 1904.88 1031.16 1899.82ZM1087.43 1892.92 1128.37 1897.98 1126.68 1911.63 1085.74 1906.57ZM1142.01 1899.67 1182.95 1904.73 1181.26 1918.37 1140.33 1913.31ZM1196.6 1906.41 1237.54 1911.47 1235.85 1925.12 1194.91 1920.06ZM1251.18 1913.16 1292.12 1918.22 1290.43 1931.87 1249.5 1926.81ZM1305.77 1919.91 1346.71 1924.97 1345.02 1938.61 1304.08 1933.55ZM1360.35 1926.65 1401.29 1931.71 1399.6 1945.36 1358.67 1940.3ZM1414.94 1933.4 1455.87 1938.46 1454.19 1952.1 1413.25 1947.04ZM1469.52 1940.14 1510.46 1945.2 1508.77 1958.85 1467.83 1953.79ZM1524.11 1946.89 1565.04 1951.95 1563.36 1965.6 1522.42 1960.54ZM1578.69 1953.64 1588.39 1954.84 1586.71 1968.48 1577 1967.28ZM1583.25 1940.35 1621.66 1965.87 1578.2 1981.28Z" fill="#7F7F7F"/><text fill="#7F7F7F" font-family="Calibri,Calibri_MSFontService,sans-serif" font-weight="400" font-size="83" transform="matrix(1 0 0 1 433.125 2112)">p<tspan font-size="83" x="43.5417" y="0">ubkey</tspan><tspan font-size="83" x="243.169" y="0">-</tspan><tspan font-size="83" x="268.377" y="0">hash is </tspan><tspan font-size="83" x="515.877" y="0">a CBOR </tspan><tspan font-size="83" x="781.138" y="0">array, </tspan><tspan font-size="83" x="0" y="99">serialized as CBOR </tspan><tspan font-size="83" x="630.071" y="99">bstr</tspan></text><path d="M0.928261-6.81204 41.8005-1.24248 39.944 12.3816-0.928261 6.81204ZM55.4246 0.614047 96.2969 6.18362 94.4404 19.8077 53.5681 14.2381ZM109.921 8.04014 150.793 13.6097 148.937 27.2338 108.064 21.6642ZM164.417 15.4662 205.29 21.0358 203.433 34.6599 162.561 29.0903ZM218.914 22.8923 259.329 28.3996 257.473 42.0237 217.057 36.5164ZM254.374 13.8473 292.461 39.853 248.804 54.7195Z" fill="#7F7F7F" transform="matrix(1 0 0 -1 1385 2147.85)"/></g></svg>
Done.
There was a problem hiding this comment.
Reviewed 1 of 1 files at r16, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv)
Documentation/attestation.rst line 247 at r15 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
To me, it rendered fine...
I changed the font from Calibri to Arial. See https://gramine--1039.org.readthedocs.build/en/1039/attestation.html
Is it better for you now?
Yup, works now.
There was a problem hiding this comment.
Reviewable status: all files reviewed, 3 unresolved discussions, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @mkow)
subprojects/libcbor-0.11.0.wrap line 3 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
Just a note: A significant (IMO) drawback of this PR is pulling some niche project into our TCB and exposing it to untrusted input.
This is the only significant C implementation of CBOR, packaged in every major distro, I guess it gets as much eyeballs as it would. Not that CBOR is a widely used format though.
subprojects/libcbor-0.11.0.wrap line 4 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
@woju: Please upload.
Done.
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
from
4b73942 to
7d589f8
Compare
There was a problem hiding this comment.
Reviewed all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @dimakuv)
subprojects/libcbor-0.11.0.wrap line 3 at r11 (raw file):
Previously, woju (Wojtek Porczyk) wrote…
This is the only significant C implementation of CBOR, packaged in every major distro, I guess it gets as much eyeballs as it would. Not that CBOR is a widely used format though.
ACK
subprojects/libcbor-0.11.0.wrap line 4 at r11 (raw file):
Previously, woju (Wojtek Porczyk) wrote…
Done.
404
Interoperable RA-TLS is a spec that allows different RA-TLS implementations (from different SGX frameworks, e.g. Gramine and Occlum) to interoperate and recognize each others' SGX evidence (SGX quotes and attached SGX claims). For example, Gramine app enclave can establish a TLS connection with an Occlum app enclave and verify its SGX evidence. The spec standardizes the OID extension for X.509 certs that is used for the SGX evidence. It also standardizes the format of the OID contents: a CBOR-formatted tag with an array that contains the SGX quote and a dict of related claims (with the most important dict item being the public key hash encoded as a CBOR array `pubkey-hash`). Current RA-TLS implementation creates X.509 certs that have both the old (legacy) OID with plain SGX quote as well as the new (standardized) OID with the CBOR-formatted SGX evidence. Thus, backward compatibility is preserved at a small cost of larger-sized certs. Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
dimakuv
force-pushed
the
dimakuv/interoperable-ra-tls
branch
from
7d589f8 to
71fa288
Compare
There was a problem hiding this comment.
Reviewable status: 26 of 27 files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @mkow)
subprojects/libcbor-0.11.0.wrap line 4 at r11 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
404
Done. Now should work.
There was a problem hiding this comment.
Reviewed 1 of 1 files at r18, all commit messages.
Reviewable status:complete! all files reviewed, all discussions resolved
Description of the changes
Interoperable RA-TLS is a spec that allows different RA-TLS implementations (from different SGX frameworks, e.g. Gramine and Occlum) to interoperate and recognize each others' SGX evidence (SGX quotes and attached SGX claims). For example, Gramine app enclave can establish a TLS connection with an Occlum app enclave and verify its SGX evidence.
The spec standardizes the OID extension for X.509 certs that is used for the SGX evidence. It also standardizes the format of the OID contents: a CBOR-formatted tag with an array that contains the SGX quote and a dict of related claims (with the most important dict item being the public key).
Current RA-TLS implementation creates X.509 certs that have both the old (legacy) OID with plain SGX quote as well as the new (standardized) OID with the CBOR-formatted SGX evidence. Thus, backward compatibility is preserved at a small cost of larger-sized certs.
https://github.com/CCC-Attestation/meetings/blob/main/materials/ShanweiCen_Interoperable_ATLS.pdf -- the presentation serving as the basis for the "Interoperable RA-TLS" spec.
The spec is work in progressUPDATE 30. August 2023: The spec is complete, and there was no need to modify it for ~6 months, so we can consider the spec stable.TODOs:
TCG_DICE_TAGGED_EVIDENCE_CBOR_TAGto IANA tag once registeredTCG_DICE_TAGGED_EVIDENCE_TEE_QUOTE_CBOR_TAGhttps://packages.gramineproject.io/distfiles/libcbor-v0.9.0.tar.gzhttps://packages.gramineproject.io/distfiles/libcbor-v0.10.2.tar.gzHow to test this PR?
CI.
This change is