diff --git a/specifications/device-identity-provisioning/cddl/attested-csr-eat.cddl b/specifications/device-identity-provisioning/cddl/attested-csr-eat.cddl
new file mode 100644
index 0000000..cb76c63
--- /dev/null
+++ b/specifications/device-identity-provisioning/cddl/attested-csr-eat.cddl
@@ -0,0 +1,67 @@
+; An Attested CSR EAT is one of two variants:
+; - A CSR response, returned for a specific KeyPairID > 0.
+; - A keypair-inventory (discovery) response, returned when the
+; Requester specifies KeyPairID = 0.
+cwt-attested-csr-eat =
+ cwt-attested-csr-eat-csr /
+ cwt-attested-csr-eat-inventory
+
+cwt-attested-csr-eat-csr = {
+ ; Issuer claim is StringOrURI (tstr)
+ &(iss : 1) => tstr
+
+ ; Nonce claim is nonce-type = bstr .size (8..64)
+ ? &(nonce : 10) => bstr
+
+ ; Private Claims (they have to be < -65536 for rfc8392)
+
+ ; CSR bytestring
+ &(csr: -70001) => bstr
+
+ ; Attribute List of OIDs
+ &(attrib: -70002) => [+ $key-attributes-type]
+}
+
+; Discovery response payload returned when KeyPairID = 0 in the request.
+cwt-attested-csr-eat-inventory = {
+ &(iss : 1) => tstr
+
+ ? &(nonce : 10) => bstr
+
+ ; KeyPair Inventory private claim. Each entry pairs a KeyPairID
+ ; with the list of derivation-attribute OIDs that apply to it.
+ &(keypair-inventory: -70003) => [+ keypair-inventory-entry]
+}
+
+keypair-inventory-entry = [
+ keypair-id: 1..255,
+ attributes: [+ $key-attributes-type]
+]
+
+$key-attributes-type = tagged-oid-type
+
+signed-cwt = #6.18(COSE-Sign1-attested-csr)
+
+COSE-Sign1-attested-csr = [
+ protected: bstr .cbor protected-esc-header-map
+ unprotected: unprotected-esc-header-map
+ payload: bstr .cbor cwt-attested-csr-eat
+ signature: bstr
+]
+
+protected-esc-header-map {
+ ; Well-defined header fields
+ &(alg-id: 1) => int
+ &(content-type: 3) => tstr / int
+ &(issuer-key-id: 4) => bstr
+ ; User-defined fields
+ * cose-label => cose-value
+}
+
+unprotected-esc-header-map = {
+ ; The Attestation Key's certificate chain is NOT carried here; the
+ ; Requester retrieves it via SPDM GET_CERTIFICATE for the slot
+ ; identified by SignerSlotIDParam.
+ * cose-label => cose-value
+}
+
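Review bot: The nonce claim is optional and unbounded in both `cwt-attested-csr-eat-csr` and `cwt-attested-csr-eat-inventory` (`? &(nonce : 10) => bstr`), although the comment above it gives `bstr .size (8..64)` and the spec text in this same commit says the nonce claim SHALL match the request nonce. A token with no nonce validates against this schema, so a verifier that relies on the CDDL gets no freshness check from it; `&(nonce : 10) => bstr .size (8..64)` would state the requirement. Likewise `&(issuer-key-id: 4) => bstr` could be `bstr .size 48` if the SHA-384 `kid` rule is meant to hold whenever this signed form is used. Separately, `protected-esc-header-map {` has no `=`, so that rule will not parse as CDDL as written.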
diff --git a/specifications/device-identity-provisioning/cddl/envelope-signed-csr-eat.cddl b/specifications/device-identity-provisioning/cddl/envelope-signed-csr-eat.cddl
deleted file mode 100644
index c833319..0000000
--- a/specifications/device-identity-provisioning/cddl/envelope-signed-csr-eat.cddl
+++ /dev/null
@@ -1,44 +0,0 @@
-cwt-envelope-signed-csr-eat = {
- ; The EAT Profile for Envelope-Signed CSR OCP will register
- &(eat-profile : 265 ) => ~oid ; "1.3.6.1.4.1.42623.1" - note: `~` strips CBOR tag #6.111(oid) from `oid`
-
- ; Issuer claim is StringOrURI (tstr)
- &(iss : 1) => tstr
-
- ; Nonce claim is nonce-type = bstr .size (8..64)
- ? &(nonce : 10) => bstr
-
- ; Private Claims (they have to be < -65536 for rfc8392)
-
- ; CSR bytestring
- &(csr: -70001) => bstr
-
- ; Attribute List of OIDs
- &(attrib: -70002) => [+ $key-attributes-type]
-}
-
-$key-attributes-type = tagged-oid-type
-
-signed-cwt = #6.18(COSE-Sign1-envelope-signed-csr)
-
-COSE-Sign1-envelope-signed-csr = [
- protected: bstr .cbor protected-esc-header-map
- unprotected: unprotected-esc-header-map
- payload: bstr .cbor cwt-envelope-signed-csr-eat
- signature: bstr
-]
-
-protected-esc-header-map {
- ; Well-defined header fields
- &(alg-id: 1) => int
- &(content-type: 3) => tstr / int
- &(issuer-key-id: 4) => bstr
- ; User-defined fields
- * cose-label => cose-value
-}
-
-unprotected-esc-header-map = {
- ? &(x5-chain: 33) => bstr / [ 2*certs: bstr ]
- * cose-label => cose-value
-}
-
diff --git a/specifications/device-identity-provisioning/diag/attested-csr-eat-example.diag b/specifications/device-identity-provisioning/diag/attested-csr-eat-example.diag
new file mode 100644
index 0000000..9c922fd
--- /dev/null
+++ b/specifications/device-identity-provisioning/diag/attested-csr-eat-example.diag
@@ -0,0 +1,61 @@
+; ----------------------------------------------------------------------
+; Example: CSR response (returned when the Requester sent
+; GET_ATTESTED_CSR with a specific KeyPairID > 0). The payload
+; carries the CSR for the selected keypair along with the derivation-
+; attribute OIDs that apply to it.
+; ----------------------------------------------------------------------
+
+signed-cwt / 18([
+ / protected / <<{
+ / alg-id / 1 : 7,
+ / content-type / 3 : "application/eat+cbor",
+ ; SHA-384 digest of the Attestation Key (i.e. the SPDM Signing Key)
+ ; that produced this envelope signature.
+ / kid / 4 : h'1a2b3c4d5e6f70819203a4b5c6d7e8f900112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'
+ }>>,
+ / unprotected / {},
+/ payload / <<{
+ / iss / 1 : "RT Alias Key",
+ / nonce / 10: h'AAAABBBBAAAABBBBAAAABBBB',
+ / csr / -70001 : h'59025630820252308201d9a003020102021431a4e0',
+ / attrib / -70002: [
+ / tagged-oid-type / 111(h'6086480186F84D010F046301')
+ ]
+ }>>,
+ / signature / h'FA45AAB345AB4988'
+])
+
+; ----------------------------------------------------------------------
+; Example: discovery response (returned when the Requester sent
+; GET_ATTESTED_CSR with KeyPairID = 0). The payload omits the
+; CSR/attrib claims and instead carries the KeyPair Inventory claim,
+; which enumerates every supported KeyPairID and its derivation OIDs.
+; ----------------------------------------------------------------------
+
+signed-cwt / 18([
+ / protected / <<{
+ / alg-id / 1 : 7,
+ / content-type / 3 : "application/eat+cbor",
+ ; SHA-384 digest of the Attestation Key (i.e. the SPDM Signing Key)
+ ; that produced this envelope signature.
+ / kid / 4 : h'1a2b3c4d5e6f70819203a4b5c6d7e8f900112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'
+ }>>,
+ / unprotected / {},
+ / payload / <<{
+ / iss / 1 : "RT Alias Key",
+ / nonce / 10 : h'AAAABBBBAAAABBBBAAAABBBB',
+ / keypair-inventory / -70003 : [
+ ; KeyPairID 1: IDevID, derived from First Mutable Code
+ [ 1, [ 111(h'6086480186F84D010F040602') ] ],
+ ; KeyPairID 2: LDevID, derived from Owner Entropy Fuse +
+ ; First Mutable Code
+ [ 2, [
+ 111(h'6086480186F84D010F040601'),
+ 111(h'6086480186F84D010F040602')
+ ] ],
+ ; KeyPairID 3: Owner-provisioned alias key
+ [ 3, [ 111(h'6086480186F84D010F040604') ] ]
+ ]
+ }>>,
+ / signature / h'FA45AAB345AB4988'
+])
diff --git a/specifications/device-identity-provisioning/diag/envelope-signed-csr-eat-example.diag b/specifications/device-identity-provisioning/diag/envelope-signed-csr-eat-example.diag
deleted file mode 100644
index 8a1b1b3..0000000
--- a/specifications/device-identity-provisioning/diag/envelope-signed-csr-eat-example.diag
+++ /dev/null
@@ -1,18 +0,0 @@
-signed-cwt / 18([
- / protected / <<{
- / alg-id / 1 : 7,
- / content-type / 3 : "application/eat+cbor",
- / kid / 4 : 'Example OCP Envelope-Signed CSR CWT'
- }>>,
-/ unprotected / {/ x5-chain / 33 : h'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' },
-/ payload / <<{
- / eat-profile / 265 : h'88378952',
- / iss / 1 : "RT Alias Key",
- / nonce / 10: h'AAAABBBBAAAABBBBAAAABBBB',
- / csr / -70001 : h'59025630820252308201d9a003020102021431a4e0',
- / attrib / -70002: [
- / tagged-oid-type / 111(h'6086480186F84D010F046301')
- ]
- }>>,
- / signature / h'FA45AAB345AB4988'
-])
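Review bot: Both new examples carry `/ alg-id / 1 : 7` in the protected header, and in the IANA COSE Algorithms registry the positive value 7 is HMAC 512/512, a MAC rather than a signature algorithm. A COSE_Sign1 produced by an Attestation Key would carry a negative signature identifier, probably `-35` (ES384) given the SHA-384 `kid`, though the hunk does not say which algorithm is intended. The `kid` comment is also looser than the spec text in this commit, which defines the value as the digest of the DER-encoded SubjectPublicKeyInfo; I would write `; SHA-384 digest of the DER-encoded SubjectPublicKeyInfo of the Attestation Key` and replace the leftover "envelope signature" wording with "CWT signature".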
diff --git a/specifications/device-identity-provisioning/diagrams/envelope_signed_csr.drawio.svg b/specifications/device-identity-provisioning/diagrams/attested_csr.drawio.svg
similarity index 100%
rename from specifications/device-identity-provisioning/diagrams/envelope_signed_csr.drawio.svg
rename to specifications/device-identity-provisioning/diagrams/attested_csr.drawio.svg
diff --git a/specifications/device-identity-provisioning/diagrams/envelope_signed_csr_non_self_signed.drawio.svg b/specifications/device-identity-provisioning/diagrams/attested_csr_non_self_signed.drawio.svg
similarity index 100%
rename from specifications/device-identity-provisioning/diagrams/envelope_signed_csr_non_self_signed.drawio.svg
rename to specifications/device-identity-provisioning/diagrams/attested_csr_non_self_signed.drawio.svg
diff --git a/specifications/device-identity-provisioning/spec.ocp b/specifications/device-identity-provisioning/spec.ocp
index d38455d..88cdccb 100644
--- a/specifications/device-identity-provisioning/spec.ocp
+++ b/specifications/device-identity-provisioning/spec.ocp
@@ -175,7 +175,35 @@ The following items are out of scope: ## Discovering device identity keypairs {#sec:discovering-device-keypairs} -TODO: fill in +A device may expose multiple identity keypairs (e.g., IDevID, LDevID, and other vendor- or owner-defined keys), each with its own derivation inputs. Before a PKI owner can select a suitable PKI anchor point, it must discover which keypairs the device supports and which derivation attributes are associated with each. + +This specification reuses the `GET_ATTESTED_CSR` command defined in @sec:establishing-trust-in-identity for keypair discovery, by reserving `KeyPairID = 0` as a discovery sentinel. SPDM 1.3 reserves the value 0 for the `KeyPairID` field, so it is safe to repurpose here without colliding with any valid keypair identifier. + +### Discovery request + +To discover the set of supported identity keypairs, the Requester sends a `GET_ATTESTED_CSR` request with the following field values: + +- `Param1` (`KeyPairID`) SHALL be `0`, indicating a discovery request rather than a CSR request. +- `Param2` (Request Attributes), `RequesterInfoLength`, `OpaqueDataLength`, `RequesterInfo`, and `OpaqueData` SHALL be `0` / empty. The Responder SHALL ignore any non-zero values in these fields when `KeyPairID` is `0`. +- `SignerSlotIDParam` SHALL be interpreted identically to the CSR case. Bit [4] selects whether the response is attested by an Attestation Key, and bits [3:0] select the SPDM slot whose Attestation Key signs the CWT. Requesters SHOULD request an attested response so that the inventory is attestable. +- `Nonce` SHALL be a fresh random value chosen by the Requester, and is used to bind the discovery response to this request. 
+ +### Discovery response + +When `KeyPairID = 0` is specified in the request, the Responder SHALL return an `ATTESTED_CSR` response whose `AttestedCSRdata` is an EAT encoded as a CWT, with the following requirements: + +- The EAT SHALL include the standard issuer claim and a nonce claim whose value matches the `Nonce` provided in the discovery request. +- The EAT SHALL NOT include the CSR claim or the derivation-attribute-OID claim defined in @sec:establishing-trust-in-identity. Instead, it SHALL include a single private claim, the *KeyPair Inventory* claim, containing the device's keypair inventory. +- If `SignerSlotIDParam` indicated an attested response, the CWT SHALL be signed by the Attestation Key corresponding to the specified slot, following the same `kid` and signing rules as in @sec:establishing-trust-in-identity. + +The *KeyPair Inventory* claim SHALL be a CBOR array. Each element SHALL be a CBOR array of two elements: + +1. The `KeyPairID` as a CBOR unsigned integer in the range `1..255`. +2. An array of OIDs describing the derivation attributes of that keypair, drawn from the OIDs defined in @sec:defined-oids. + +The inventory SHALL include every `KeyPairID` for which the device is willing to issue an attested CSR. + +After consuming the inventory, the Requester can issue a follow-up `GET_ATTESTED_CSR` request with a specific `KeyPairID` to retrieve a CSR for the selected keypair, as described in @sec:establishing-trust-in-identity. ## Establishing trust in a selected identity keypair {#sec:establishing-trust-in-identity} 
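Review bot: The discovery text binds the inventory to the request only when bit [4] of `SignerSlotIDParam` is set, yet attestation is a SHOULD in the request bullets and the response bullets say nothing about how a Requester treats an unsigned inventory. Without a signature the nonce match proves nothing, and the list of KeyPairIDs and derivation OIDs has no integrity protection before the PKI owner picks an anchor point. I would add a sentence such as `A Requester SHALL NOT rely on an unattested inventory when selecting a PKI anchor point.` The CDDL added in this commit defines only the `#6.18` signed form, so the encoding of an unattested response also looks undefined from what is visible here.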
@@ -183,7 +211,7 @@ To allow a remote party to establish trust in a selected keypair, the device can To allow a device to attest that a given key is trustworthy, the device should issue its own signature over the public key, which can include a freshness nonce and additional metadata, such as the key's derivation attribute OIDs. -![Envelope-signed CSR](./diagrams/envelope_signed_csr.drawio.svg){#fig:envelope-signed-csr} +![Attested CSR](./diagrams/attested_csr.drawio.svg){#fig:attested-csr} The CSR is included as a claim in an Entity Attestation Token (EAT) [@{ietf-eat}]. 
@@ -191,20 +219,22 @@ Metadata such as the key's derivation attribute OIDs can also be embedded in a C Some devices may not support the generation of self-signed CSRs for certain keys in their identity key hierarchy, such as LDevID. To support such devices, this specification defines a "non-self-signed CSR", which includes the subject public key but an all-zeroes signature field. The non-self-signed CSR is still itself signed, by way of the EAT. -![Envelope-signed Non-self-signed CSR](./diagrams/envelope_signed_csr_non_self_signed.drawio.svg){#fig:envelope-signed-csr-non-self-signed} +![Attested Non-self-signed CSR](./diagrams/attested_csr_non_self_signed.drawio.svg){#fig:attested-csr-non-self-signed} + +This specification provides a definition for a vendor-defined SPDM command, utilizing VENDOR_DEFINED_REQUEST from SPDM 1.3, which can be used to surface these attested CSRs. -This specification provides a definition for a vendor-defined SPDM command, utilizing VENDOR_DEFINED_REQUEST from SPDM 1.3, which can be used to surface these envelope-signed CSRs. +Note: the `GET_ATTESTED_CSR` request format described in this section (including the `VENDOR_DEFINED_REQUEST` framing and Tables [-@tbl:ecsr-req] / [-@tbl:ecsr-resp]) is provided as a reference only and is **non-normative**. This specification is normative on the contents and encoding of the response payload (the attested CSR EAT/CWT defined in this section), but does not mandate a particular transport or command format for the request. Implementations are free to surface the attested CSR via any suitable mechanism. Open-source implementations such as Caliptra [@{caliptra}] may define and carry their own implementation of the `GET_ATTESTED_CSR` command for interoperability convenience. 
-GET_ENVELOPE_SIGNED_CSR request and ENVELOPE_SIGNED_CSR response messages are transported as follows: +GET_ATTESTED_CSR request and ATTESTED_CSR response messages are transported as follows: - The Requester must use the SPDM VENDOR_DEFINED_REQUEST format - The Responder must use the SPDM VENDOR_DEFINED_RESPONSE format - The StandardID field of VENDOR_DEFINED_REQUEST and VENDOR_DEFINED_RESPONSE message must contain 4 (the value assigned in SPDM to identify IANA). - The VendorID field of VENDOR_DEFINED_REQUEST and VENDOR_DEFINED_RESPONSE message must contain 42623 (the value assigned in IANA to identify Open Compute Project). -- The first byte of the VendorDefinedReqPayload/VendorDefinedRespPayload is the Command Code, and must contain the value 01h to indicate GET_ENVELOPE_SIGNED_CSR / ENVELOPE_SIGNED_CSR. -- The GET_ENVELOPE_SIGNED_CSR request and ENVELOPE_SIGNED_CSR response forms the payload in the VendorDefinedReqPayload and VendorDefinedRespPayload respectively, defined in Tables [-@tbl:ecsr-req] and [-@tbl:ecsr-resp]. +- The first byte of the VendorDefinedReqPayload/VendorDefinedRespPayload is the Command Code, and must contain the value 01h to indicate GET_ATTESTED_CSR / ATTESTED_CSR. +- The GET_ATTESTED_CSR request and ATTESTED_CSR response forms the payload in the VendorDefinedReqPayload and VendorDefinedRespPayload respectively, defined in Tables [-@tbl:ecsr-req] and [-@tbl:ecsr-resp]. -Table: GET_ENVELOPE_SIGNED_CSR VendorDefinedReqPayload {#tbl:ecsr-req} +Table: GET_ATTESTED_CSR VendorDefinedReqPayload {#tbl:ecsr-req} +---------------------+---------------------+---------------------+----------------------------------------------+ | Byte offset | Field | Size (bytes) | Description | 
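Review bot: The added note makes the `GET_ATTESTED_CSR` request format non-normative, but the response requirements that remain normative depend on request fields: the nonce claim SHALL match the request `Nonce`, and the signer is chosen by `SignerSlotIDParam`. The transport bullets directly after the note still say "must", and the discovery section added in this commit places SHALL on `Param1`, `SignerSlotIDParam` and `Nonce` of that same request. I would state the transport-independent minimum next to the note, for example `Whatever mechanism carries the request, it SHALL convey a Requester-chosen nonce, the KeyPairID and the signer slot selection.`, so an alternative transport cannot drop the freshness input.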
@@ -213,7 +243,7 @@ Table: GET_ENVELOPE_SIGNED_CSR VendorDefinedReqPayload {#tbl:ecsr-req} | | | | Shall be zero. | +---------------------+---------------------+---------------------+----------------------------------------------+ | 1 | CommandCode | 1 | Shall be 01h to indicate | -| | | | GET_ENVELOPE_SIGNED_CSR. | +| | | | GET_ATTESTED_CSR. | +---------------------+---------------------+---------------------+----------------------------------------------+ | 2 | Reserved | 4 | Reserved. | +---------------------+---------------------+---------------------+----------------------------------------------+ @@ -237,12 +267,13 @@ Table: GET_ENVELOPE_SIGNED_CSR VendorDefinedReqPayload {#tbl:ecsr-req} +---------------------+---------------------+---------------------+----------------------------------------------+ | 12 | SignerSlotIDParam | 1 | - Bit [7:5]. Reserved. | | | | | - Bit [4:4]. If this value is `1`, the CSR | -| | | | envelope is signed; otherwise the envelope | -| | | | is unsigned, and bits [3:0] are ignored. | +| | | | is attested (i.e., the CWT is signed by an | +| | | | Attestation Key); otherwise the CSR is not | +| | | | attested and bits [3:0] are ignored. | | | | | - Bit [3:0]. Shall be the SlotID. Slot | | | | | number of the Responder certificate chain | | | | | that shall be used for authenticating the | -| | | | CSR envelope. If the Responder’s public key | +| | | | attested CSR. If the Responder's public key | | | | | was provisioned to the Requester previously, | | | | | this field shall be 0xF. | +---------------------+---------------------+---------------------+----------------------------------------------+ 
@@ -272,10 +303,10 @@ The following fields should be treated identically as in GET_CSR from SPDM 1.3: The following fields present in this command are not present in GET_CSR: -- **SignerSlotIDParam** - defines which key signs the CSR envelope. +- **SignerSlotIDParam** - defines which Attestation Key signs the attested CSR. - **Nonce** - provides freshness. -Table: ENVELOPE_SIGNED_CSR VendorDefinedRespPayload {#tbl:ecsr-resp} +Table: ATTESTED_CSR VendorDefinedRespPayload {#tbl:ecsr-resp} +--------+-------------------------+-------------------------+------------------------------------------+ | Byte | Field | Size (bytes) | Description | 
@@ -285,31 +316,29 @@ Table: ENVELOPE_SIGNED_CSR VendorDefinedRespPayload {#tbl:ecsr-resp} | | | | Shall be zero. | +--------+-------------------------+-------------------------+------------------------------------------+ | 1 | CommandCode | 1 | Shall be 01h to indicate | -| | | | ENVELOPE_SIGNED_CSR. | +| | | | ATTESTED_CSR. | +--------+-------------------------+-------------------------+------------------------------------------+ | 2 | Reserved | 4 | Reserved. | +--------+-------------------------+-------------------------+------------------------------------------+ -| 6 | EnvelopeSignedCSRLength | 2 | Shall be the length of the | -| | | | EnvelopeSignedCSRdata in bytes. | +| 6 | AttestedCSRLength | 2 | Shall be the length of the | +| | | | AttestedCSRdata in bytes. | +--------+-------------------------+-------------------------+------------------------------------------+ -| 8 | EnvelopeSignedCSRdata | EnvelopeSignedCSRLength | Shall be the requested contents of the | -| | | | envelope-signed CSR. This field shall be | +| 8 | AttestedCSRdata | AttestedCSRLength | Shall be the requested contents of the | +| | | | attested CSR. This field shall be | | | | | CBOR-encoded. | +--------+-------------------------+-------------------------+------------------------------------------+ -The EnvelopeSignedCSRdata shall adhere to the following requirements: +The AttestedCSRdata shall adhere to the following requirements: - The payload SHALL be an EAT encoded as a CBOR Web Token (CWT) [@{ietf-cwt}]. -- The EAT SHALL conform to the OCP Envelope-Signed CSR EAT profile (see @sec:defined-oids for the defined OID). - The EAT SHALL include standard claims for issuer identification and nonce for freshness verification. 
- The EAT SHALL include private claims[^private-claims] containing: - The CSR as a byte string - An array of OIDs representing the key's derivation attributes (see @sec:defined-oids for defined OIDs) - The CSR included in the EAT SHALL be DER-encoded and may be either self-signed or non-self-signed depending on device capabilities. For non-self-signed CSRs, the signature field SHALL contain all zeroes and be the same size as would be required for a valid signature using the subject key's algorithm. -- The nonce claim SHALL match the nonce value provided in the GET_ENVELOPE_SIGNED_CSR request to ensure freshness. -- If SignerSlotIDParam indicates a signed envelope, the CWT SHALL be signed by an Attestation Key endorsed by the certificate chain corresponding to the specified SlotID. In addition, the unprotected header of the CWT SHALL contain the Attestation Key's certificate chain, including at least all certificates from the Attestation Key up to the identity certificate issued by the slot's PKI owner. - - E.g., Slot 0's certificate chain would extend at least to the vendor-endorsed certificate over IDevID. A separate slot's certificate chain would extend at least to the certificate issued by the slot's configured PKI owner. - - A device may report intermediate certificates for the slot's PKI owner if it is configured to do so. +- The nonce claim SHALL match the nonce value provided in the GET_ATTESTED_CSR request to ensure freshness. +- If SignerSlotIDParam indicates an attested response, the CWT SHALL be signed by an Attestation Key endorsed by the certificate chain corresponding to the specified SlotID. The Requester obtains the Attestation Key's certificate chain out-of-band via the SPDM `GET_CERTIFICATE` command for that slot. +- If SignerSlotIDParam indicates an attested response, the `kid` parameter (COSE header label `4`) in the CWT's protected header SHALL be the SHA-384 digest of the DER-encoded `SubjectPublicKeyInfo` of the Attestation Key. 
The Requester uses this digest to confirm that the signing key matches the Attestation Key whose certificate chain it retrieved from the selected SPDM slot. [^private-claims]: RFC 8392 [@{ietf-cwt}] defines a private claim as one whose key value has an integer value < -65536. @@ -317,8 +346,6 @@ The EnvelopeSignedCSRdata shall adhere to the following requirements: **OCP Security Branch**: `ocp-security OBJECT IDENTIFIER ::= {1 3 6 1 4 1 42623 1}` -**Envelope-signed EAT profile OID**: `ocp-security-dip-eat-profile OBJECT IDENTIFIER ::= {ocp-security 1}` - **Key Derivation Attribute OID Branch**: `ocp-security-dip-kda OBJECT IDENTIFIER ::= {ocp-security 2}` The following OIDs are defined for key derivation attributes: @@ -358,14 +385,14 @@ In TCG's DICE Hardware Requirements [@{tcg-dice-hardware-requirements}], FMC is The difference between First Measured Code and First Mutable Code is subtle but important. In Caliptra, the First Measured Code corresponds with the Caliptra ROM layer. As such, Caliptra's Device ID or IDevID keypair is wielded by ROM, rather than Caliptra's FMC. -## Envelope-signed CSR EAT CDDL +## Attested CSR EAT CDDL ```include {.small} -!include cddl/envelope-signed-csr-eat.cddl +!include cddl/attested-csr-eat.cddl ``` -## Envelope-signed CSR EAT example CDDL diag +## Attested CSR EAT example CDDL diag ```include {.small} -!include diag/envelope-signed-csr-eat-example.diag +!include diag/attested-csr-eat-example.diag ```
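Review bot: The text that replaces the removed x5-chain requirement assumes the Requester can run `GET_CERTIFICATE` for the slot, but the request table still allows SlotID 0xF (public key provisioned previously), for which there is no chain to retrieve; the text should say what `kid` is compared against in that case. The closing sentence also only describes what the Requester "uses" the digest for, and since `kid` is set by the signer it is a lookup hint, not evidence. I would make the check a requirement, e.g. `The Requester SHALL verify the CWT signature with the Attestation Key from the selected slot (or the provisioned key for SlotID 0xF) and SHALL reject the response if kid does not match that key's digest.` With the profile requirement dropped in this same hunk, it may also be worth stating how a verifier recognises this token type, since the content type shown in the examples is the generic `application/eat+cbor`.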