A VM DICE chain is a cryptographically linked certificates chain that captures measurements of the VM's entire execution environment.
This chain should be rooted in the device‘s ROM and encompass all components involved in the VM’s loading and boot process. To achieve this, we typically extract measurements of all the components after verified boot at each stage of the boot process. These measurements are then used to derive a new DICE certificate describing the next boot stage.
Vendors are responsible for constructing the first portion of the DICE chain, from ROM to the pvmfw loader (e.g., ABL). This portion describes the VM‘s loading environment. The final certificate in the vendor’s chain must include measurements of pvmfw, the hypervisor, and any other code relevant to pvmfw's secure execution.
Vendors then pass this DICE chain, along with its corresponding CDI values, in a handover to pvmfw. The pVM takes over this handover and extends it with additional nodes describing its own execution environment.
Key derivation is a critical step in the DICE handover process within pvmfw. Vendors need to ensure that both pvmfw and their final DICE node use the same method to derive a key pair from CDI_Attest
in order to maintain a valid certificate chain. Pvmfw uses open-dice with the following formula:
CDI_Attest_pub, CDI_Attest_priv = KDF_ASYM(KDF(CDI_Attest))
Where KDF = HKDF-SHA-512 (RFC 5869).
Currently, KDF_ASYM = Ed25519, but EC p-384 and p-256 (RFC 6979) support is coming soon.
Vendors must use a supported algorithm for the last DICE node to ensure compatibility and chain integrity.
While pvmfw and the Microdroid OS extend the VM DICE chain, they don‘t perform comprehensive validation of the chain’s structure or its ROM-rooted origin. The VM Remote Attestation feature is specifically designed to ensure the validity and ROM-rooted nature of a VM DICE chain.
To verify that the DICE handover is successful in pvmfw and eventually the pVM has a valid DICE chain, you can run the VSR test MicrodroidTests#protectedVmHasValidDiceChain
. The test retrieves the DICE chain from within a Microdroid VM in protected mode and checks the following properties using the hwtrust library: