veraison / services

Attestation verification services based on Veraison components
Apache License 2.0

Introduce CCA Realm provisioning plugin #222

Closed yogeshbdeshpande closed 2 months ago

yogeshbdeshpande commented 4 months ago

This change introduces the Realm Provisioning Plugin.

thomas-fossati commented 4 months ago

Follow up on this:

  • is it possible to provide an incomplete integrity register (e.g., if I don't care about REMs and only care about RIM)?

I think there should be a RealmAttributes::Valid() method that makes it clear what are the exact requirements in terms of what we are willing to ingest.

yogeshbdeshpande commented 4 months ago

RealmAttributes

@thomas-fossati: I will look into this further! Basically, my initial thought was that REM slots will always be 4 in the token, so we provide 4 to the Supply Chain. They can use whatever they want: 1, 2, 3, or all. The rest will be filled with nil values, the same as received in the token. When comparing, we compare the whole blob and it should work, shouldn't it?

thomas-fossati commented 4 months ago

> RealmAttributes
>
> @thomas-fossati: I will look into this further! Basically, my initial thought was that REM slots will always be 4 in the token, so we provide 4 to the Supply Chain. They can use whatever they want: 1, 2, 3, or all. The rest will be filled with nil values, the same as received in the token. When comparing, we compare the whole blob and it should work, shouldn't it?

Not really. Suppose at run-time the workload app extends the REMs but the verifier is only in the "pure" TCB (i.e., platform + RIM).

If both RIM and REMs must be specified there is no way to tell the verifier to "ignore REMs".
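Added example, not code from this PR or from Veraison: one way to express "RIM is mandatory, REMs are optional" so that a reference value can tell the verifier to ignore REMs, set beside the whole-blob comparison discussed in the comments above. `RealmRefValue`, `Valid`, `Matches` and `demo` are hypothetical names, and the digest sizes (32, 48 or 64 bytes, with REMs the same length as the RIM) are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
)

// RealmRefValue is a hypothetical reference-value record, not a Veraison type.
// RIM is mandatory; a nil REM slot means "do not check this register".
type RealmRefValue struct {
	RIM  []byte
	REMs [4][]byte
}

// Valid spells out what is accepted at provisioning time (sizes are assumptions).
func (r RealmRefValue) Valid() error {
	if n := len(r.RIM); n != 32 && n != 48 && n != 64 {
		return fmt.Errorf("RIM is %d bytes, want 32, 48 or 64", n)
	}
	for i, rem := range r.REMs {
		if rem != nil && len(rem) != len(r.RIM) {
			return fmt.Errorf("REM[%d] is %d bytes, want %d", i, len(rem), len(r.RIM))
		}
	}
	return nil
}

// Matches checks the RIM and only those REM slots the reference value sets.
func (r RealmRefValue) Matches(rim []byte, rems [4][]byte) bool {
	if r.Valid() != nil || !bytes.Equal(r.RIM, rim) {
		return false
	}
	for i, want := range r.REMs {
		if want != nil && !bytes.Equal(want, rems[i]) {
			return false
		}
	}
	return true
}

// demo uses constructed digests: the workload has extended REM[0] at run time.
func demo() (rimOnly, wholeBlob bool) {
	rim, zero := bytes.Repeat([]byte{0xAA}, 32), make([]byte, 32)
	evidence := [4][]byte{bytes.Repeat([]byte{0x5C}, 32), zero, zero, zero}
	strict := RealmRefValue{RIM: rim, REMs: [4][]byte{zero, zero, zero, zero}}
	return RealmRefValue{RIM: rim}.Matches(rim, evidence), strict.Matches(rim, evidence)
}

func main() { fmt.Println(demo()) }
```

The RIM-only reference value still matches after the REM extension, while the reference value with all four REMs zero-filled, which is what a whole-blob comparison amounts to, does not.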

yogeshbdeshpande commented 2 months ago

Closing this PR as the changes intended for this Pull Request will be addressed using the PR #233