Add ML-DSA-87 DPE profile (#66)

Additionally, add a P384-SHA512 profile. This is to provide a classical
profile whose measurement format is compatible with ML-DSA-87.

Signed-off-by: Jordan Hand <jhand@google.com>

Author: jhand2

specifications/dpe-irot-profile/bibliography.yaml

@@ -1,4 +1,10 @@
 references:
+  - id: "fips204"
+    title: "FIPS 204: Module-Lattice-Based Digital Signature Standard"
+    publisher: "NIST"
+    issued:
+      year: 2024
+      month: 8
   - id: "ietf-rfc2986"
     title: "PKCS #10: Certification Request Syntax Specification"
     publisher: "IETF"

specifications/dpe-irot-profile/spec.ocp

@@ -105,6 +105,13 @@ This document defines multiple variants of the DPE iRoT profile:
 * `DPE_PROFILE_IROT_P384_SHA384`
 * `DPE_PROFILE_IROT_MIN_P256_SHA256`
 * `DPE_PROFILE_IROT_MIN_P384_SHA384`
+* `DPE_PROFILE_IROT_MLDSA_87_SHA384`
+
+Names follow the format:
+
+`DPE_PROFILE_IROT{_OPTIONAL_VARIANT}_{SIGNING_ALGORITHM}_{MEASUREMENT_DIGEST_ALGORITHM}`
+
+Currently, the only supported optional variant is "MIN", which supports a smaller subset of the DPE commands.
 
 The profile name will be embedded as ASCII within the version field of the TCBInfo(s), enabling a verifier to confirm that the evidence originates from this profile.
 
@@ -449,6 +456,13 @@ cryptographic algorithms:
 *   ECDSA P-384
 *   SHA2-384
 
+Profile `DPE_PROFILE_IROT_MLDSA87_SHA384` requires support for the following
+cryptographic algorithms:
+
+*   ML-DSA-87
+*   SHAKE256
+*   SHA2-384
+
 
 This profile defines the following derivation schemes for use in Profile
 Attributes.
@@ -485,6 +499,18 @@ The CDI derivation scheme “ocp.derive.kdf-cdi-384” is defined as follows:
 *   Outputs
     *   48-byte key
 
+### ocp.derive.kdf-cdi-512
+
+The CDI derivation scheme “ocp.derive.kdf-cdi-512” is defined as follows:
+
+*   This derivation scheme SHALL use a cryptographically secure KDF or DRBG.
+*   Inputs
+    *   CDI
+    *   `MEASUREMENT_DATA`
+    *   ASCII Bytes "DPE"
+*   Outputs
+    *   64-byte key
+
 ## CDI Export
 
 ### ocp.export-cdi.raw-256
@@ -499,6 +525,12 @@ The CDI export scheme "ocp.export-cdi.raw" is a raw 384-bit secret
 
 To generate exported keypair, use asymmetric-derivation for the relevant profile.
 
+### ocp.export-cdi.raw-512
+
+The CDI export scheme "ocp.export-cdi.raw" is a raw 512-bit secret
+
+To generate exported keypair, use asymmetric-derivation for the relevant profile.
+
 ## Key Derivation
 
 *   `LABEL`: LABEL parameter passed to Sign and CertifyKey
@@ -534,18 +566,31 @@ follows:
 *   Outputs
     *   48-byte key
 
-### ocp.key-format.p256.raw
+### ocp.derive.kdf-asymmetric-mldsa87
 
-The concatenation of the 32-byte X value and 32-byte Y value of the ECDSA public key.
+The asymmetric key derivation scheme “ocp.derive.kdf-asymmetric-mldsa87” is defined as
+follows:
 
-Both the X and Y value SHALL be big-endian and left-padded with zeros.
+*   The asymmetric key type is ML-DSA-87
+*   Signature scheme is ML-DSA
+*   This derivation scheme SHALL use a cryptographically secure KDF or DRBG.
+*   Inputs
+    *   CDI
+    *   `LABEL`
+    *   ASCII Bytes "MLDSA"
+*   Outputs
+    *   64-byte key
 
 ### ocp.key-format.p384.raw
 
 The concatenation of the 48-byte X value and 48-byte Y value of the ECDSA public key.
 
 Both the X and Y value SHALL be big-endian and left-padded with zeros.
 
+### ocp.key-format.mldsa87.raw
+
+A raw ML-DSA-87 key, encoded as using the pkEncode function in FIPS 204
+
 ## Sign Format
 
 ### ocp.tbs-format.digest-sha256
@@ -564,6 +609,15 @@ The format “ocp.tbs-format.digest-sha384” is defined as
     additional processing. The size of the value SHALL be a SHA2-384 digest of
     size 48 bytes.
 
+### ocp.tbs-format.mldsa87-external-mu
+
+The format “ocp.tbs-format.mldsa87-external-mu” is defined as
+
+The mu parameter as described in FIPS 204.
+
+*   tr = SHAKE256(public_key, 64)
+*   mu = SHAKE256(tr || message, 64)
+
 ### ocp.signature-format.p256.raw
 
 The concatenation of the 32-byte R value and 32-byte S value of the ECDSA signature.
@@ -576,6 +630,10 @@ The concatenation of the 48-byte R value and 48-byte S value of the ECDSA signat
 
 Both the R and S value SHALL be big-endian and left-padded with zeros.
 
+### ocp.signature-format.mldsa87.raw
+
+TODO
+
 ## Recursive Derivation
 
 ### ocp.recursive-derivation.extend-tci
@@ -745,7 +803,7 @@ following requirements:
         * version: The version of the CSR specification - the version SHALL be 0
         * subject: The subject name of the CSR
         * subjectPKInfo: This field SHALL contain the subject public key and the
-          OID for the EC public key algorithm used by the DPE profile
+          OID for the public key algorithm used by the DPE profile
         * attributes: An "Extension Request" attribute as defined in RFC 2985
           [@{ietf-rfc2985}] SHALL adhere to the following requirements
             *   The BasicConstraints extension SHALL be included
@@ -788,6 +846,16 @@ The format “ocp.certificate.irot-eca.p384” is defined as follows:
 *   For the Signature field, DPE SHALL use the ECDSA-with-SHA384 OID with NIST curve
     P-384.
 
+### ocp.certificate.irot-eca.mldsa87
+
+The format “ocp.certificate.irot-eca.mldsa87” is defined as follows:
+
+*   SHALL follow all "Requirements for ECA Certificates" in @sec:eca-cert-requirements
+*   For FWID hashAlg fields provided by DeriveContext, DPE SHALL use the
+    SHA2-512 OID.
+*   For the SubjectPublicKeyInfo field, DPE SHALL use the ML-DSA-87 OID.
+*   For the Signature field, DPE SHALL use the ML-DSA-87 OID.
+
 ### ocp.certificate.irot-leaf.p256
 
 The format ocp.certificate.irot-leaf.p256” is defined as follows:
@@ -812,6 +880,16 @@ The format “ocp.certificate.irot.p384” is defined as follows:
 *   For the Signature field, DPE SHALL use the ECDSA-with-SHA384 OID with NIST curve
     P-384.
 
+### ocp.certificate.irot-leaf.mldsa87
+
+The format “ocp.certificate.irot-eca.mldsa87” is defined as follows:
+
+*   SHALL follow all "Requirements for ECA Certificates" in @sec:eca-cert-requirements
+*   For FWID hashAlg fields provided by DeriveContext, DPE SHALL use the
+    SHA2-512 OID.
+*   For the SubjectPublicKeyInfo field, DPE SHALL use the ML-DSA-87 OID.
+*   For the Signature field, DPE SHALL use the ML-DSA-87 OID.
+
 ### ocp.csr.irot-leaf.p256
 
 The format “ocp.csr.irot-leaf.p256” is defined as follows:
@@ -836,6 +914,17 @@ The format “ocp.csr.irot-leaf.p384” is defined as follows:
 *   For the Signature of both the CMS message and the CertificationRequest, DPE SHALL
     use the ECDSA-with-SHA384 OID with NIST curve P-384.
 
+### ocp.csr.irot-leaf.mldsa87
+
+The format “ocp.csr.irot-eca.mldsa87” is defined as follows:
+
+*   SHALL follow all "Requirements for CSRs" in @sec:csr-requirements
+*   For FWID hashAlg fields provided by DeriveContext, DPE SHALL use the
+    SHA2-512 OID.
+*   For the SubjectPublicKeyInfo field, DPE SHALL use the ML-DSA-87 OID.
+*   For the Signature of both the CMS message and the CertificationRequest, DPE SHALL
+    use the ML-DSA-87 OID.
+
 ## Profile Attributes
 
 ### ocp.profile.irot.p256
@@ -1180,6 +1269,46 @@ The format “ocp.csr.irot-leaf.p384” is defined as follows:
 | supports-symmetric-sign       | False                                                            |
 +-------------------------------+------------------------------------------------------------------+
 
+### ocp.profile.irot.mldsa87
+
++-------------------------------+------------------------------------------------------------------+
+| **Attribute**                 | **Value**                                                        |
++===============================+==================================================================+
+| =========================================== General ============================================ |
++-------------------------------+------------------------------------------------------------------+
+| name                          | ocp.profile.irot.ml-dsa-87                                       |
++-------------------------------+------------------------------------------------------------------+
+| inherits                      | ocp.profile.irot.p256                                            |
++-------------------------------+------------------------------------------------------------------+
+| ============================================ Input ============================================= |
++-------------------------------+------------------------------------------------------------------+
+| input-format                  | ocp.format.digest-sha384                                         |
++-------------------------------+------------------------------------------------------------------+
+| ========================================= Derivation =========================================== |
++-------------------------------+------------------------------------------------------------------+
+| dice-derivation               | ocp.derive.kdf-cdi-512                                           |
++-------------------------------+------------------------------------------------------------------+
+| asymmetric-derivation         | ocp.derive.kdf-asymmetric-mldsa87                                |
++-------------------------------+------------------------------------------------------------------+
+| ======================================== Certificates ========================================== |
++-------------------------------+------------------------------------------------------------------+
+| leaf-certificate-format       | ocp.certificate.irot-leaf.mldsa87                                |
++-------------------------------+------------------------------------------------------------------+
+| eca-certificate-format        | ocp.certificate.irot-eca.mldsa87                                 |
++-------------------------------+------------------------------------------------------------------+
+| ========================================= Signatures =========================================== |
++-------------------------------+------------------------------------------------------------------+
+| to-be-signed-format           | ocp.format.mldsa87-external-mu.                                  |
++-------------------------------+------------------------------------------------------------------+
+| public-key-format             | ocp.key-format.mldsa87.raw                                       |
++-------------------------------+------------------------------------------------------------------+
+| signature-format              | ocp.signature-format.mldsa87.raw                                 |
++-------------------------------+------------------------------------------------------------------+
+| =========================================== Export ============================================= |
++-------------------------------+------------------------------------------------------------------+
+| export-cdi-format             | ocp.export-cdi.raw-512                                           |
++-------------------------------+------------------------------------------------------------------+
+
 ## ABI Structure Definitions {#sec:abi-structure-definitions}
 
 All structures are fixed size for a given profile. In some cases, command/response structures differ
@@ -1239,6 +1368,7 @@ Table: Profile Constants
 `DPE_PROFILE_IROT_MIN_P384_SHA384`                      | 0x2
 `DPE_PROFILE_IROT_P256_SHA256`                          | 0x3
 `DPE_PROFILE_IROT_P384_SHA384`                          | 0x4
+`DPE_PROFILE_IROT_MLDSA87_SHA384`                       | 0x5
 
 Table: Certificate Formats
 
@@ -1299,6 +1429,15 @@ Table: Profile-dependant ABI constants for `DPE_PROFILE_IROT_P384_SHA384`
 `S`          | Signature Size        | 96
 `C`          | Certificate Size      | 6144
 
+Table: Profile-dependant ABI constants for `DPE_PROFILE_IROT_MLDSA87_SHA384`
+
+**Name**     | **Description**       | **Value**
+------------ | --------------------- | --------
+`H`          | Hash Size             | 64
+`P`          | Public Key Size       | 2592
+`S`          | Signature Size        | 4697
+`C`          | Certificate Size      | TODO
+
 ### Types
 
 Table: ABI Types
@@ -1467,7 +1606,7 @@ Table: `SIGN_INPUT_ARGS` struct
 | -------         | ------------- | -------  | -------------------- | -------------------------------------------------------
 | 0x00            | `U32`         | 31:0     | `MAGIC`              | Magic number `DPE_COMMAND_MAGIC`.
 | 0x04            | `U32`         | 31:0     | `COMMAND_ID`         | `DPE_COMMAND_SIGN`.
-| 0x08            | `U32`         | 31:0     | `PROFILE`            | One of `DPE_PROFILE_IROT_SHA256_P256`.
+| 0x08            | `U32`         | 31:0     | `PROFILE`            | One of `DPE_PROFILE_*`.
 | 0x0C            | `BYTES`       | 127:0    | `CONTEXT_HANDLE`     | A numeric handle referring to a DPE context.
 | 0x1C            | `HASH`        |          | `LABEL`              | Digest measurement label used in key derivation.
 | 0x1C + H        | `BITFIELD`    | 31:0     | `RESERVED`           | Reserved
@@ -1479,7 +1618,7 @@ Table: `SIGN_OUTPUT_ARGS` struct
 | -------         | ----------    | -------  | ---------------------- | -------------------------------------------------
 | 0x00            | `U32`         | 31:0     | `MAGIC`                | Magic number `DPE_RESPONSE_MAGIC`.
 | 0x04            | `U32`         | 31:0     | `STATUS`               | One of `DPE_STATUS_*`.
-| 0x08            | `U32`         | 31:0     | `PROFILE`              | One of `DPE_PROFILE_IROT_SHA256_P256`.
+| 0x08            | `U32`         | 31:0     | `PROFILE`              | One of `DPE_PROFILE_*`.
 | 0x0C            | `BYTES`       | 127:0    | `NEW_CONTEXT_HANDLE`   | Numeric handle referring to the updated context.
 | 0x1C            | `SIGNATURE`   |          | `SIGNATURE`            | Signature over `TO_BE_SIGNED`