TCG DICE specs versus Open Dice Profile

[Sanjeev Verma]

Dear All,

I see that there is a TCG DICE profile that allows for flexible proprietary implementations. The open Dice profile has a very clear definition of DICE flow and implementation steps. I am just trying to understand the current status. -- Is there any understanding in the Industry regarding going with the Open Dice profile implementation instead of going forward with flexible TCG DICE implementation? 

Thanks,

best regards,

Sanjeev

[Darren Krahn]

Hi Sanjeev,

You're absolutely right that the TCG DICE specs offer a lot of flexibility, and that the Open Profile narrows this significantly (by design). The challenge with the flexibility is that it's difficult for implementers to know exactly what to build and in practice they need to make a lot of important design decisions. This profile is intended to offer one way of doing DICE where many of these decisions have been thought through and many of the subtle details have been ironed out, e.g. certificate consistency. It's not, however, intended to be an industry standard. Implementers should build what works best for their use case and we hope this profile is helpful, even if only as a point of reference. :)

Cheers,

Darren

--
You received this message because you are subscribed to the Google Groups "Open Profile for DICE" group.
To unsubscribe from this group and stop receiving emails from it, send an email to open-profile-for...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/open-profile-for-dice/CAAO7ukS6G-Fz%3DnxBXFyrzaQvunCtYsf3wgQqNrRF-xzv%3DPmBQg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Sanjeev Verma]

Hello Darren,

Thank you for the clarification. I agree with you. I was trying to see if this is a de facto standard in the industry. I see that Open Titan profile is also now aligned with the Open Dice profile.

Sometimes major players in the industry agree on a certain way of doing things without going through the formal standardization process.

I agree that there ha to be some agreement on certificate in order for compatibility--means that BMC can attest any Silicon RoT without modifying its code irrespective of Silicon RoT vendor.

What is market acceptance of this approach?

best regards,

Sanjeev

[Darren Krahn]

I don't have an answer for your question (sorry), but you may find these public references to the profile interesting: 

https://cs.android.com/android/platform/superproject/+/master:hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/ProtectedData.aidl;l=143-201

https://lwn.net/Articles/880338/