|
| 1 | +# Linux DICE Example |
| 2 | + |
| 3 | +This directory contains a set of Linux kernel modules and a userspace CLI tool |
| 4 | +that together implement a software DICE node using libnat20. |
| 5 | + |
| 6 | +## Architecture |
| 7 | + |
| 8 | +The example is structured as four kernel modules with the following dependency |
| 9 | +chain: |
| 10 | + |
| 11 | +``` |
| 12 | +nat20lib ──► nat20crypto ──► nat20sw |
| 13 | + nat20device ──► |
| 14 | +``` |
| 15 | + |
| 16 | +### nat20lib |
| 17 | + |
| 18 | +A kernel module wrapper around the core libnat20 C library. It compiles all |
| 19 | +core library sources (CBOR, COSE, CWT, X.509, HKDF, service dispatch) into a |
| 20 | +single `.ko` and re-exports their symbols via `EXPORT_SYMBOL()` so that other |
| 21 | +kernel modules can use them. |
| 22 | + |
| 23 | +### nat20crypto |
| 24 | + |
| 25 | +Implements the libnat20 crypto interface (`n20_crypto_context_t`) using the |
| 26 | +Linux kernel's crypto API. Provides ECDSA signing (P-256, P-384), HKDF key |
| 27 | +derivation, and SHA-2 hashing — all in kernel space. |
| 28 | + |
| 29 | +### nat20device |
| 30 | + |
| 31 | +A generic character device framework for DICE services. On load it allocates |
| 32 | +the `nat20` device class. Backend modules (like `nat20sw`) register via |
| 33 | +`nat20device_register_driver()`, which creates: |
| 34 | + |
| 35 | +- `/dev/nat20<N>` — a character device for DICE service requests (write a CBOR |
| 36 | + request, read the CBOR response). |
| 37 | +- `/sys/kernel/security/nat20<N>/dice_chain` — a read-only securityfs file |
| 38 | + exposing the boot-time DICE certificate chain. |
| 39 | + |
| 40 | +### nat20sw |
| 41 | + |
| 42 | +A concrete software DICE node that wires `nat20lib`, `nat20crypto`, and |
| 43 | +`nat20device` together. On load it derives a UDS from a hardcoded passphrase |
| 44 | +(for demonstration purposes only), issues a self-signed X.509 certificate, and |
| 45 | +registers itself with the `nat20device` framework. |
| 46 | + |
| 47 | +### nat20cli |
| 48 | + |
| 49 | +A userspace command-line tool that communicates with the DICE service via |
| 50 | +`/dev/nat200`. It can issue CDI certificates, ECA certificates, and advance |
| 51 | +the DICE layer via the `promote` command. |
| 52 | + |
| 53 | +## The `dice_chain` securityfs interface |
| 54 | + |
| 55 | +Each registered nat20device driver instance exposes a `dice_chain` file at |
| 56 | +`/sys/kernel/security/nat20<N>/dice_chain`. This file contains the DICE |
| 57 | +certificate chain constructed during bootup, encoded as a CBOR |
| 58 | +indefinite-length array. |
| 59 | + |
| 60 | +### Encoding |
| 61 | + |
| 62 | +The file contains a single CBOR indefinite-length array (`0x9f ... 0xff`). |
| 63 | +Each element in the array is one of the following CBOR-tagged values: |
| 64 | + |
| 65 | +| CBOR tag | Content | Description | |
| 66 | +|----------|---------|-------------| |
| 67 | +| `#6.80150(bstr)` | DER-encoded X.509 certificate | An X.509 certificate, typically with the Open DICE Input extension (OID `1.3.6.1.4.1.11129.2.1.24`). | |
| 68 | +| `#6.18(COSE_Sign1)` | COSE_Sign1 with CWT payload | A COSE certificate as specified by the Open DICE profile or a similar custom DICE profile. | |
| 69 | +| `#8.80152(COSE_Key)` | COSE_Key | A public key. | |
| 70 | + |
| 71 | +### Ordering and semantics |
| 72 | + |
| 73 | +- The first element represents the root device identity key. It may be a |
| 74 | + self-signed certificate, a CA-signed certificate, or a bare public key |
| 75 | + (`#8.80152`). |
| 76 | +- A benign implementation orders the remaining certificates from root to leaf. |
| 77 | +- The chain only contains certificates generated during bootup. Userspace is |
| 78 | + responsible for managing additional CDI certificates issued via the |
| 79 | + `/dev/nat20<N>` character device. |
| 80 | + |
| 81 | +## Building with Buildroot |
| 82 | + |
| 83 | +The `br_external/` directory provides a Buildroot external tree for building |
| 84 | +all components targeting a QEMU x86_64 virtual machine. |
| 85 | + |
| 86 | +```sh |
| 87 | +# Bootstrap the Buildroot environment (build directory must be outside the repo) |
| 88 | +examples/linux/br_external/bootstrap.sh qemu /path/to/buildroot.build |
| 89 | + |
| 90 | +# Build everything |
| 91 | +cd /path/to/buildroot.build/buildroot |
| 92 | +make |
| 93 | + |
| 94 | +# Run the QEMU VM |
| 95 | +cd /path/to/buildroot.build |
| 96 | +./run-qemu.sh |
| 97 | +``` |
| 98 | + |
| 99 | +Inside the VM, use `nat20clitest.sh` to exercise the full DICE flow. |
0 commit comments