@sameo
Last active September 22, 2022 17:13
DICE notes

Terminology

  • UDS: Unique Device Secret. This is a per-device hardware-level secret accessible to the DICE but not accessible after the DICE runs.
  • CDI: Compound Device Identifier. This value represents the hardware/software combination measured by the DICE. This is the DICE output and is passed to the software which has been measured. This is a secret.

Definitions

Hash Function

A hash function (e.g. SHA2-384):

hash = H(input)

Key Derivation Function

CDI = KDF(length, ikm, salt, info): Key Derivation Function. The output length is length. It takes an Initial Key Material (ikm), a cryptographic salt (salt) and additional information (info).

Asymmetric Key Pair Derivation Function

PrivateKey, PublicKey = ASYM_KDF(input)

which can be decomposed into:

  1. PrivateKey = KDF(N, input, KEY_SALT, "Key Pair")
  2. PublicKey is derived from PrivateKey depending on the chosen algorithm.

DICE cycle

Input

InputValues = [Code, Config, Mode] (for the loaded layer)

CDI Generation

CDI_1 = KDF(N, CDI_0, H(InputValues), "CDI"), where CDI_0 is the UDS.

CDI_1_PrivateKey, CDI_1_PublicKey = ASYM_KDF(CDI_1)

CDI Certificate Generation

  • Subject = CDI_1_Public
  • Issuer = CDI_0_Public

Output

CDI_1 and CDI_1_Certificate
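
The CDI chain above, as an added example (not part of the original notes or of Open DICE): it instantiates KDF as HKDF (RFC 5869) over SHA-384 with only the Python standard library and shows that changing any measured input yields an unrelated CDI. N = 32, the KEY_SALT value, the field layout inside H(InputValues) and all sample inputs are assumptions constructed for illustration; deriving the public key and the certificate is left out because it depends on the chosen algorithm.

```python
import hashlib
import hmac

HASH = hashlib.sha384  # H; SHA2-384 is the page's example
N = 32  # output length in bytes (assumed; the page leaves N open)
KEY_SALT = b"constructed-key-salt"  # placeholder, not a real profile constant

def hkdf(length, ikm, salt, info, h=HASH):
    """KDF(length, ikm, salt, info), instantiated as HKDF (RFC 5869)."""
    prk = hmac.new(salt, ikm, h).digest()  # extract step
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand step
        block = hmac.new(prk, block + info + bytes([counter]), h).digest()
        okm += block
        counter += 1
    return okm[:length]

def measure(code, config, mode):
    """H(InputValues); fixed-width fields keep the encoding unambiguous (assumed layout)."""
    fields = HASH(code).digest() + HASH(config).digest() + bytes([mode])
    return HASH(fields).digest()

def next_cdi(cdi_prev, code, config, mode):
    """CDI_(n+1) = KDF(N, CDI_n, H(InputValues), "CDI")."""
    return hkdf(N, cdi_prev, measure(code, config, mode), b"CDI")

def key_seed(cdi):
    """Step 1 of ASYM_KDF: PrivateKey = KDF(N, input, KEY_SALT, "Key Pair")."""
    return hkdf(N, cdi, KEY_SALT, b"Key Pair")

def demo():
    uds = bytes(range(32))  # constructed UDS, used as CDI_0
    good = next_cdi(uds, b"bootloader v1", b"secure-boot=on", 1)  # constructed inputs
    again = next_cdi(uds, b"bootloader v1", b"secure-boot=on", 1)
    tampered = next_cdi(uds, b"bootloader v1 (modified)", b"secure-boot=on", 1)
    other_mode = next_cdi(uds, b"bootloader v1", b"secure-boot=on", 2)
    layer2 = next_cdi(good, b"kernel v5", b"", 1)  # next layer chains from CDI_1
    return {"good": good, "again": again, "tampered": tampered,
            "other_mode": other_mode, "layer2": layer2, "seed": key_seed(good)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} {value.hex()}")
```

Because the key seed is derived from the CDI, a layer whose code, config or mode changed also ends up with a different key pair, so a verifier holding the expected certificate chain sees the mismatch.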

References

Open DICE

HKDF RFC

HKDF Rust Crate
