OCP Attestation Updates
Security Track

Fabrizio D'Amato (AMD)
Jeff Andersen (Google)
Roksana Golizadeh (Microsoft)

From Dublin to Today

What we discussed in Dublin:
  Need for EAT Profile to improve interoperability
  Evidence format divergence is not scalable

What we have now:
  IETF OCP Entity Attestation Token (EAT) Profile - Draft available
  Device Identity Provisioning Spec - Draft available
  Both in OCP Security GitHub for review

Timeline:
  Apr '25: Dublin announcement
  Jun '25: Development phase
  Aug '25: Drafts to GitHub
  Oct '25: Community feedback phase

The Evidence Format Problem

Data Center Verifier: "I need to understand everyone's proprietary format"
  Proprietary Evidence Format #1
  Proprietary Evidence Format #N

Why Convergence Matters?

The Cost:
  Custom parser for each SoC vendor
  No code reuse across integrations
  Security review for each format
  Integration time measured in months

OCP EAT Profile Solution
Solving Evidence Fragmentation

A single evidence format that every SoC vendor can adopt

Foundation:
  IETF EAT RFC 9711
  RATS Architecture

Early Adopter:
  Caliptra

Result:
  True interoperability
  Single Standardized Format
  Simplified Verification

*RATS: Remote ATtestation ProcedureS

Concise Evidence Architecture

Core Innovation:
  Concise Evidence encapsulates claims using CoRIM Reference Triple semantics

Why This Matters:
  1:1 mapping between reference and evidence
  No complex transformation logic
  Appraisal becomes simple matching
  Based on TCG published standard

Example:
  Reference: env: "Bootloader", measure: 0xABC
  Evidence: env: "Bootloader", measure: 0xABC
  Result: Match

OCP EAT Profile Evidence Flow
How Evidence Maps to Reference Values

Beyond Evidence Format

What We Just Covered:
  OCP EAT Profile
  Single evidence format
  Simplified verification

But Evidence is Only Trusted If t