New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support non DMTF measurement specifications #2456
Comments
In the short term you would embed the measurement(s) inside the @xiaoyuruan might have an opinion as well. |
How would that be specified if |
@bhenning10 too. |
It's cleaner to allocate a bit in MeasurementSpecification for EAT in SPDM 1.4 than trying to using DMTF format to hold EAT. Is the need of supporting EAT in SPDM MEASUREMENTS response so urgent that can't wait for SPDM 1.4? |
There is no urgency, this can wait for 1.4. |
Do we want to open the door for Measurement format definition using other standard? Anyway, I think it should be SPDM-WG discussion, and opened https://github.com/DMTF/SPDM-WG/issues/3297 |
I believe using 0xa is a better approach, because then we can use SVH format to indicate this is EAT format. |
The conclusion is to add IETF as a standards body in SVH, and add SVH support to the measurement block with type 0xA. |
Some standard bodies like IETF attempt to define formally specified, extensible and compact formats for expressing an attested set of claims describing the state and characteristics of an entity, like e.g. a device. The Entity Attestation Token is one such format, and it is being adopted by multiple silicon vendors on the platform side.
Using common attestation and measurement formats across both platforms and devices makes sense from multiple perspectives: security, complexity, ease of deployment and scalability.
I'm opening this issue to understand how a device manufacturer willing to use an IETF standard like EAT would do so on top of the DMTF-defined measurement specification for SPDM:
Measurement Specification Field Format
during the algorithm negotiation phase?0x4
Measurement value type?The same question could be generalized to other attestation/measurement formats that device vendors would prefer to use over the DMTF-defined one.
The text was updated successfully, but these errors were encountered: