Skip to content

Commit b483906

Browse files
fdamatofdamato
committed
Address Comments on Device Identity Provisioning
Signed-off-by: Fabrizio Damato <fabrizio.damato@amd.com>
1 parent 6b9f6ba commit b483906

1 file changed

Lines changed: 6 additions & 8 deletions

File tree

  • specifications/device-identity-provisioning

specifications/device-identity-provisioning/spec.ocp

Lines changed: 6 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -394,7 +394,7 @@ In this specification, a "slot" refers to a storage location within the device t
394394

395395
- **SPDM context**: SPDM defines 8 possible slots (0-7) where certificate chains can be stored. When an SPDM requester invokes `GET_CERTIFICATE`, they specify which slot's certificate chain they want to retrieve.
396396

397-
- **Attestation context**: During attestation, the device uses these certificate chains to establish trust. For example, when generating an EAT, the device may include a LEAF certificate that chains to one of the certificates stored in these slots. The verifier can then retrieve the appropriate certificate chain to validate the complete trust path.
397+
- **Attestation context**: During attestation, the device uses these certificate chains to establish trust. For example, when generating Evidence, the device may include a LEAF certificate that chains to one of the certificates stored in these slots. The verifier can then retrieve the appropriate certificate chain to validate the complete trust path.
398398

399399
- **OCP abstraction**: While SPDM uses numeric slot IDs (0-7), the OCP commands abstract this using Key Provisioning Entity identifiers (VENDOR, OWNER, TENANT). The device internally maps these entities to specific slot numbers, which can be discovered via `OCP_GET_SLOT_ID_MAPPING`.
400400

@@ -574,14 +574,12 @@ Table: GET_ENDORSEMENT VendorDefinedRespPayload {#tbl:get-endorsement-resp}
574574
| 1 | CommandCode | 1 | Shall be 05h to indicate |
575575
| | | | GET_ENDORSEMENT. |
576576
+--------+-------------------------+-------------------------+------------------------------------------+
577-
| 2 | Reserved | 4 | Reserved. |
578-
+--------+-------------------------+-------------------------+------------------------------------------+
579-
| 6 | Reserved | 1 | Reserved. |
577+
| 2 | Reserved | 2 | Reserved. |
580578
+--------+-------------------------+-------------------------+------------------------------------------+
581-
| 7 | CertChainLength | 2 | Length of the certificate chain. |
579+
| 4 | CertChainLength | 2 | Length of the certificate chain. |
582580
| | | | Zero if status is not success. |
583581
+--------+-------------------------+-------------------------+------------------------------------------+
584-
| 9 | CertChain | CertChainLength | DER-encoded certificate chain. |
582+
| 6 | CertChain | CertChainLength | DER-encoded certificate chain. |
585583
| | | | Does NOT include LEAF certificate. |
586584
| | | | Present only if status is success. |
587585
+--------+-------------------------+-------------------------+------------------------------------------+
@@ -604,9 +602,9 @@ For SPDM-aware implementations:
604602
For devices that support both SPDM and OCP attestation paths:
605603

606604
- `OCP_SET_ENDORSEMENT` internally manages slot allocation based on the KeyProvisioningEntity
607-
- `OCP_GET_ENDORSEMENT` retrieves endorsements by entity rather than slot number
605+
- `OCP_GET_ENDORSEMENT` retrieves endorsements by KeyProvisioningEntity rather than slot number
608606
- `GET_CERTIFICATE` (SPDM) can still be used with the slot numbers reported by `OCP_GET_SLOT_ID_MAPPING`
609-
- The device ensures consistency between OCP entity-based and SPDM slot-based access
607+
- The device ensures consistency between OCP KeyProvisioningEntity and SPDM slot-based access
610608

611609
This approach simplifies the interface by abstracting slot management while maintaining full compatibility with SPDM.
612610

0 commit comments

Comments
 (0)