Firmware Validation for a PC Component

For a PC component, the RIM is created as a Concise Binary Object Representation (CBOR)-encoded file. The RIM-Tool supports the CoSWID Tag, the TCG Component RIM, and the CoRIM.

CoSWID

CoSWID is defined by rfc 9393 . It is based on the SWID spec (ISO/IEC 19770-2:2015). NIST created NIST IR 8060 as an open stand-in for the spec, which defines a few extra meta fields that are contained within CoSWID (edition, colloquial-version, product, etc.). A couple of items about the structure of CoSWID:

1. Encoding: CoSWID drops the xml encoding specified in SWID in favor of CBOR - rfc 8949 .

2. Structure: The CoSWID spec uses Concise Data Definition Language (CDDL) - rfc 8610 . CDDL uses both arrays and maps to define data structures (a map type of array limited to key/value pairs). Most CoSWID items are optional.

3. Signature: CoSWID objects are signed using the COSE signature envelope. Rfc 9393 defines a context attribute of “application/swid+cbor” to provide a hint to the parser that the payload is a CoSWID object.

While there are technically few implementations of systems requiring CoSWID, it is making its way into other specifications listed on this page.

TCG Component RIM Binding for SWID/CoSWID

The TCG Component RIM Binding for SWID/CoSWID defines 2 formats/encoding for component RIMs: SWID(XML) and CoSWID (CBOR). It provides extensions support attestation of the DMTF’s Security Protocols and Data Model Specification . The attributes defined in this specification closely mimic those defined by the PC Client RIM specification. This specification is intended to support devices adhering the TCG DICE specifications , which support devices that do not contain a TPM. DICE has definitions for CoRIM as well, so DICE may use either TCG Component RIM or CoRIM format.

CoRIM

Concise RIM (CoRIM) is defined by IETF. IETF sponsors the Remote ATtestation ProcedureS (RATS) working Group which promotes specifications that support attestation.

As shown in the corim.txt diagram, the CoRIM can contain a CoSWID, CoMID, or a Concise Tag List (CoTL). For the RIM-Tool’s create command, the use of rim-type parameter is used to denote which option is uses. Note that currently only the CoSWID and CoMID options are supported.

CoRIMs are digitally signed using COSE with extra requirements placed upon the protected header. Of interest is the context parameter defined as “application/rim+cbor” for CoRIM as opposed to “application/swid+cbor” when signing a CoSWID object. This helps the parser determine the type of data found in the payload.

Reference Integrity Manifest Specifications for a PC Component

• The TCG Component Reference Integrity Manifest Information Model complements the RIM Information Model by defining a Component Reference Integrity Manifest (RIM) Information Model (IM) for components of a platform, e.g., a PC Client or Server platform.
• The TCG Component RIM Binding for SWID/CoSWID complies with the TCG Component RIM Information Model Specification and provides additional requirements for a SWID/CoSWID RIM file.