Add Parsec-CCA Endorsement & Evidence Plugin and associated tests

Signed-off-by: Yogesh Deshpande <[email protected]>
veraison · Jul 12, 2023 · 2120443 · 2120443
1 parent cd945e6
commit 2120443
Show file tree

Hide file tree

Showing 50 changed files with 1,710 additions and 165 deletions.
diff --git a/capability/well-known.go b/capability/well-known.go
@@ -16,12 +16,29 @@ type WellKnownInfo struct {
 	ApiEndpoints map[string]string `json:"api-endpoints"`
 }
 
+var ssTrans = map[string]string{
+	"SERVICE_STATUS_UNSPECIFIED":  "UNSPECIFIED",
+	"SERVICE_STATUS_DOWN":         "DOWN",
+	"SERVICE_STATUS_INITIALIZING": "INITIALIZING",
+	"SERVICE_STATUS_READY":        "READY",
+	"SERVICE_STATUS_TERMINATING":  "TERMINATING",
+}
+
+func ServiceStateToAPI(ss string) string {
+	t, ok := ssTrans[ss]
+	if !ok {
+		return "UNKNOWN"
+	}
+	return t
+}
+
 func NewWellKnownInfoObj(key jwk.Key, mediaTypes []string, version string, serviceState string, endpoints map[string]string) (*WellKnownInfo, error) {
+	// MUST be kept in sync with proto/state.proto
 	obj := &WellKnownInfo{
 		PublicKey:    key,
 		MediaTypes:   mediaTypes,
 		Version:      version,
-		ServiceState: serviceState,
+		ServiceState: ServiceStateToAPI(serviceState),
 		ApiEndpoints: endpoints,
 	}
 

diff --git a/go.mod b/go.mod
@@ -27,14 +27,14 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0
 	github.com/spf13/viper v1.13.0
 	github.com/stretchr/testify v1.8.4
-	github.com/veraison/ccatoken v1.0.0
+	github.com/veraison/ccatoken v1.1.0
 	github.com/veraison/cmw v0.1.0
 	github.com/veraison/corim v1.0.0
 	github.com/veraison/dice v0.0.1
 	github.com/veraison/ear v1.1.0
 	github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53
-	github.com/veraison/parsectpm v0.0.4
-	github.com/veraison/psatoken v1.1.0
+	github.com/veraison/parsec v0.1.0
+	github.com/veraison/psatoken v1.2.0
 	go.uber.org/zap v1.23.0
 	golang.org/x/text v0.9.0
 	google.golang.org/grpc v1.53.0
@@ -65,7 +65,7 @@ require (
 	github.com/go-playground/validator/v10 v10.14.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.2
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
 	github.com/huandu/xstrings v1.3.3 // indirect
@@ -95,7 +95,7 @@ require (
 	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
 	github.com/vektah/gqlparser/v2 v2.4.6 // indirect
-	github.com/veraison/go-cose v1.0.0-rc.1 // indirect
+	github.com/veraison/go-cose v1.1.1-0.20230623043903-afdd177c3434
 	github.com/veraison/swid v1.1.0
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect

diff --git a/go.sum b/go.sum
@@ -1081,8 +1081,8 @@ github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX
 github.com/vektah/gqlparser/v2 v2.4.6 h1:Yjzp66g6oVq93Jihbi0qhGnf/6zIWjcm8H6gA27zstE=
 github.com/vektah/gqlparser/v2 v2.4.6/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0=
 github.com/veraison/apiclient v0.0.2/go.mod h1:H8YDx1ixM24GYP/aLbhq+HJsej0lVUqFCRIL5Uu4B0o=
-github.com/veraison/ccatoken v1.0.0 h1:8xMZdWKb9vzGy5VbxleVzhQ10ZvBRRWse1FN93mGzXo=
-github.com/veraison/ccatoken v1.0.0/go.mod h1:tHh48NBedUooX/DguS+cUC27yCgdv7bBtZ188jZ3fqo=
+github.com/veraison/ccatoken v1.1.0 h1:U0Z5fOQRsdz3ksvvxVzTITczo+kfRxIlkWahJNP6Irs=
+github.com/veraison/ccatoken v1.1.0/go.mod h1:qh/KBwsrhPyGJqttlh8PU56wt1rPkUCX9A3ZAA/53Nc=
 github.com/veraison/cmw v0.1.0 h1:vD6tBlGPROCW/HlDcG1jh+XUJi5ihrjXatKZBjrv8mU=
 github.com/veraison/cmw v0.1.0/go.mod h1:WoBrlgByc6C1FeHhdze1/bQx1kv5d1sWKO5ezEf4Hs4=
 github.com/veraison/corim v1.0.0 h1:B2eCyqHXq/Efv349WJCMO27EEcriS5sHWSpR9Bt68t4=
@@ -1094,12 +1094,13 @@ github.com/veraison/ear v1.1.0/go.mod h1:O3yKgZR04DWKHHiNxfXCMX9ky0cLVoC67TFks6J
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53 h1:5gnX2TrGd/Xz8DOp2OaLtg/jLoIubSUTrgz6iZ58pJ4=
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=
-github.com/veraison/go-cose v1.0.0-rc.1 h1:4qA7dbFJGvt7gcqv5MCIyCQvN+NpHFPkW7do3EeDLb8=
 github.com/veraison/go-cose v1.0.0-rc.1/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
-github.com/veraison/parsectpm v0.0.4 h1:JFZkCUl2PC5dq83nHb3Cau6Es1cfZpXzG9noAb6GPnI=
-github.com/veraison/parsectpm v0.0.4/go.mod h1:HIytkTaOrZj2aPK1pF+YvvYftP7IRwVS/gtbqNPtJ9o=
-github.com/veraison/psatoken v1.1.0 h1:TG0+UWPCMrP0B69zteZyjHGhzYG1JYb5IX+66wuDlGw=
-github.com/veraison/psatoken v1.1.0/go.mod h1:2tHLoYMOIS4V4mO8MJT4VstRtpO50FLmhoOR35FyIr4=
+github.com/veraison/go-cose v1.1.1-0.20230623043903-afdd177c3434 h1:0f8c2TttCjCvVGfHhbv2OhE9BK6HESa/t4QjajfE3/I=
+github.com/veraison/go-cose v1.1.1-0.20230623043903-afdd177c3434/go.mod h1:/Bcd44VnE3YVGO+LY3wvyvjBniAVjlX4vaUZ8gNIfE0=
+github.com/veraison/parsec v0.1.0 h1:522DLNUeWFtO+nMRglKs/aevzw9T3Om51G9FzU5wZWU=
+github.com/veraison/parsec v0.1.0/go.mod h1:Pk/rDokqUqwJ9ZEi49OrxY1yAmvicviWcqK+wxhKusU=
+github.com/veraison/psatoken v1.2.0 h1:PeHy6YUbhFE9Z9xaQBoAMpMWUEqSHrF2JgfcwMTmFIA=
+github.com/veraison/psatoken v1.2.0/go.mod h1:2tHLoYMOIS4V4mO8MJT4VstRtpO50FLmhoOR35FyIr4=
 github.com/veraison/swid v1.0.0/go.mod h1:d5jt76uMNbTfQ+f2qU4Lt8RvWOTsv6PFgstIM1QdMH0=
 github.com/veraison/swid v1.1.0 h1:jEf/jobG6j7r9W9HSj2jDi1IGGs7aMKyDgfGEMxQ6is=
 github.com/veraison/swid v1.1.0/go.mod h1:d5jt76uMNbTfQ+f2qU4Lt8RvWOTsv6PFgstIM1QdMH0=

diff --git a/policy/test/inputs/parsec-cca-endorsements.json b/policy/test/inputs/parsec-cca-endorsements.json
@@ -0,0 +1,7 @@
+[
+    "{\"scheme\":\"PARSEC_CCA\",\"type\":\"REFERENCE_VALUE\",\"subType\": \"PARSEC_CCA.sw-component\",\"attributes\":{\"PARSEC_CCA.hw-model\":\"RoadRunner\",\"PARSEC_CCA.hw-vendor\":\"ACME\",\"PARSEC_CCA.impl-id\":\"f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=\",\"PARSEC_CCA.measurement-desc\":\"sha-256\",\"PARSEC_CCA.measurement-type\":\"BL\",\"PARSEC_CCA.measurement-value\":\"BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=\",\"PARSEC_CCA.signer-id\":\"BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=\",\"PARSEC_CCA.version\":\"3.4.2\"}}",
+    "{\"scheme\":\"PARSEC_CCA\",\"type\":\"REFERENCE_VALUE\",\"subType\": \"PARSEC_CCA.sw-component\",\"attributes\":{\"PARSEC_CCA.hw-model\":\"RoadRunner\",\"PARSEC_CCA.hw-vendor\":\"ACME\",\"PARSEC_CCA.impl-id\":\"f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=\",\"PARSEC_CCA.measurement-desc\":\"sha-256\",\"PARSEC_CCA.measurement-type\":\"M1\",\"PARSEC_CCA.measurement-value\":\"BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=\",\"PARSEC_CCA.signer-id\":\"BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=\",\"PARSEC_CCA.version\":\"1.2\"}}",
+    "{\"scheme\":\"PARSEC_CCA\",\"type\":\"REFERENCE_VALUE\",\"subType\": \"PARSEC_CCA.sw-component\",\"attributes\":{\"PARSEC_CCA.hw-model\":\"RoadRunner\",\"PARSEC_CCA.hw-vendor\":\"ACME\",\"PARSEC_CCA.impl-id\":\"f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=\",\"PARSEC_CCA.measurement-desc\":\"sha-256\",\"PARSEC_CCA.measurement-type\":\"M2\",\"PARSEC_CCA.measurement-value\":\"BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=\",\"PARSEC_CCA.signer-id\":\"BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=\",\"PARSEC_CCA.version\":\"1.2.3\"}}",
+    "{\"scheme\":\"PARSEC_CCA\",\"type\":\"REFERENCE_VALUE\",\"subType\": \"PARSEC_CCA.sw-component\",\"attributes\":{\"PARSEC_CCA.hw-model\":\"RoadRunner\",\"PARSEC_CCA.hw-vendor\":\"ACME\",\"PARSEC_CCA.impl-id\":\"f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=\",\"PARSEC_CCA.measurement-desc\":\"sha-256\",\"PARSEC_CCA.measurement-type\":\"M3\",\"PARSEC_CCA.measurement-value\":\"BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=\",\"PARSEC_CCA.signer-id\":\"BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=\",\"PARSEC_CCA.version\":\"1\"}}",
+    "{\"scheme\":\"PARSEC_CCA\",\"type\":\"REFERENCE_VALUE\",\"subType\": \"PARSEC_CCA.platform-config\",\"attributes\":{\"PARSEC_CCA.hw-model\":\"RoadRunner\",\"PARSEC_CCA.hw-vendor\":\"ACME\",\"PARSEC_CCA.impl-id\":\"f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=\",\"PARSEC_CCA.platform-config-label\": \"platform-config-label\",\"PARSEC_CCA.platform-config-id\": \"AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY\"}}"
+]
diff --git a/policy/test/inputs/parsec-cca-evidence.json b/policy/test/inputs/parsec-cca-evidence.json
@@ -0,0 +1,52 @@
+{
+    "evidence": {
+        "cca.platform": {
+            "cca-platform-challenge": "tZc8touqn8VVWHhrfsZ/aeQN9bpaqSHNDCf0BYegEeo=",
+            "cca-platform-config": "AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY",
+            "cca-platform-hash-algo-id": "sha-256",
+            "cca-platform-implementation-id": "f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=",
+            "cca-platform-instance-id": "AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY",
+            "cca-platform-lifecycle": 12291,
+            "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+            "cca-platform-service-indicator": "whatever.com",
+            "cca-platform-sw-components": [{
+                "measurement-description": "TF-M_SHA256MemPreXIP",
+                "measurement-type": "BL",
+                "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "version": "3.4.2"
+            }, {
+                "measurement-type": "M1",
+                "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "version": "1.2"
+            }, {
+                "measurement-type": "M2",
+                "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "version": "1.2.3"
+            }, {
+                "measurement-type": "M3",
+                "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "version": "1"
+            }]
+        },
+        "cca.realm": {
+            "cca-realm-challenge": "cqJXkxzhxf4rU34/UCEvka5SlX1AKjsp7FQO+k7L0aRgp4xorPOmOXDAEwM5y/5Y2ePbs84RCTRgx1L8iQqwIQ==",
+            "cca-realm-extensible-measurements": ["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="],
+            "cca-realm-hash-algo-id": "sha-256",
+            "cca-realm-initial-measurement": "X5A2VVSw+obQdbbWpOpYZtsXk9S06ZO7UuVk1yefEXg=",
+            "cca-realm-personalization-value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
+            "cca-realm-public-key": "BHb5iAkb5YXtQYAa7Pq4WFSMYwV+FrDmdhILvQ0vnCngVsXUGgEw65whUXiZ3CMUayjhsGK9PqSzFf0hnxy7Uoy250ykm+Fnc3NPYaHKYQMbK789kY8vlP/EIo5QkZVErg==",
+            "cca-realm-public-key-hash-algo-id": "sha-256"
+        },
+        "kat": {
+            "akpub": "pAECIAEhWCCb/9umdTMsm7td4rLaCfgYR0qYmsIAI/gowWILqA9h2CJYIMg5wnIw3wGYQNOkXJYYb40HGT68Q6hB4N3ixGP2TEoV",
+            "nonce": "AAECAwQFBgc="
+        }
+    },
+    "reference-id": "PARSEC_CCA://1/f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=",
+    "trust-anchor-id": "PARSEC_CCA://1/f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=/AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY",
+    "tenant-id": "1"
+}
diff --git a/policy/test/inputs/parsec-cca-mismatch-evidence.json b/policy/test/inputs/parsec-cca-mismatch-evidence.json
@@ -0,0 +1,52 @@
+{
+    "evidence": {
+        "cca.platform": {
+            "cca-platform-challenge": "tZc8touqn8VVWHhrfsZ/aeQN9bpaqSHNDCf0BYegEeo=",
+            "cca-platform-config": "AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY",
+            "cca-platform-hash-algo-id": "sha-256",
+            "cca-platform-implementation-id": "f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=",
+            "cca-platform-instance-id": "AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY",
+            "cca-platform-lifecycle": 12291,
+            "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+            "cca-platform-service-indicator": "whatever.com",
+            "cca-platform-sw-components": [{
+                "measurement-description": "TF-M_SHA256MemPreXIP",
+                "measurement-type": "BL",
+                "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "version": "3.4.2"
+            }, {
+                "measurement-type": "M1",
+                "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "version": "1.2"
+            }, {
+                "measurement-type": "M2",
+                "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "version": "1.2.3"
+            }, {
+                "measurement-type": "M3",
+                "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+                "version": "1"
+            }]
+        },
+        "cca.realm": {
+            "cca-realm-challenge": "cqJXkxzhxf4rU34/UCEvka5SlX1AKjsp7FQO+k7L0aRgp4xorPOmOXDAEwM5y/5Y2ePbs84RCTRgx1L8iQqwIQ==",
+            "cca-realm-extensible-measurements": ["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="],
+            "cca-realm-hash-algo-id": "sha-256",
+            "cca-realm-initial-measurement": "X5A2VVSw+obQdbbWpOpYZtsXk9S06ZO7UuVk1yefEXg=",
+            "cca-realm-personalization-value": "BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
+            "cca-realm-public-key": "BHb5iAkb5YXtQYAa7Pq4WFSMYwV+FrDmdhILvQ0vnCngVsXUGgEw65whUXiZ3CMUayjhsGK9PqSzFf0hnxy7Uoy250ykm+Fnc3NPYaHKYQMbK789kY8vlP/EIo5QkZVErg==",
+            "cca-realm-public-key-hash-algo-id": "sha-256"
+        },
+        "kat": {
+            "akpub": "pAECIAEhWCCb/9umdTMsm7td4rLaCfgYR0qYmsIAI/gowWILqA9h2CJYIMg5wnIw3wGYQNOkXJYYb40HGT68Q6hB4N3ixGP2TEoV",
+            "nonce": "AAECAwQFBgc="
+        }
+    },
+    "reference-id": "PARSEC_CCA://1/f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=",
+    "trust-anchor-id": "PARSEC_CCA://1/f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=/AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY",
+    "tenant-id": "1"
+}
diff --git a/policy/test/inputs/parsec-cca-result.json b/policy/test/inputs/parsec-cca-result.json
@@ -0,0 +1,24 @@
+{
+    "eat_profile": "tag:github.com,2023:veraison/ear",
+    "iat": 1666091373,
+    "ear.verifier-id": {
+      "build": "test",
+      "developer": "test"
+    },
+    "submods": {
+      "PARSEC_CCA": {
+        "ear.status": "affirming",
+        "ear.trustworthiness-vector": {
+          "instance-identity": 2,
+          "configuration": 2,
+          "executables": 2,
+          "file-system": 0,
+          "hardware": 2,
+          "runtime-opaque": 0,
+          "storage-opaque": 0,
+          "sourced-data": 0
+        }
+      }
+    }
+  }
+
diff --git a/policy/test/policies/parsec-cca-realm.rego b/policy/test/policies/parsec-cca-realm.rego
@@ -0,0 +1,14 @@
+package policy
+
+# Use the parsec_cca_executables rule iff the attestaion scheme is PARSEC_CCA,
+# otherwise, executables will remain undefined.
+executables = parsec_cca_executables { scheme == "PARSEC_CCA" }             
+
+# This sets executables trust vector value to APPROVED_RT iff Realm Initial Measurement
+# matches the given value AND 
+parsec_cca_executables = APPROVED_RT {
+  evidence["cca.realm"]["cca-realm-initial-measurement"] == "X5A2VVSw+obQdbbWpOpYZtsXk9S06ZO7UuVk1yefEXg="
+
+  # ...the Realm personalization value matches the given value.
+  evidence["cca.realm"]["cca-realm-personalization-value"] == "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
+} else =  UNSAFE_RT # unless the above condition is met, return UNSAFE_RT
diff --git a/policy/test/vectors.json b/policy/test/vectors.json
@@ -209,5 +209,75 @@
 				}
 			}
 		}
+	},
+	{
+		"title": "PARSEC_CCA realm verification SUCCESS",
+		"scheme": "PARSEC_CCA",
+		"result": "test/inputs/parsec-cca-result.json",
+		"evidence": "test/inputs/parsec-cca-evidence.json",
+		"endorsements": "test/inputs/parsec-cca-endorsements.json",
+		"policy": "test/policies/parsec-cca-realm.rego",
+		"expected": {
+			"error": null,
+			"outcome": {
+				"eat_profile": "tag:github.com,2023:veraison/ear",
+				"iat": 1666091373,
+				"ear.verifier-id": {
+					"build": "test",
+					"developer": "test"
+				},
+				"submods": {
+					"test": {
+						"ear.status": 0,
+						"ear.trustworthiness-vector": {
+							"instance-identity": 0,
+							"configuration":     0,
+							"executables":       2,
+							"file-system":       0,
+							"hardware":          0,
+							"runtime-opaque":    0,
+							"storage-opaque":    0,
+							"sourced-data":      0
+						},
+						"ear.veraison.policy-claims": {}
+					}
+				}
+			}
+		}
+	},
+	{
+		"title": "PARSEC_CCA realm verification FAILURE",
+		"scheme": "PARSEC_CCA",
+		"result": "test/inputs/parsec-cca-result.json",
+		"evidence": "test/inputs/parsec-cca-mismatch-evidence.json",
+		"endorsements": "test/inputs/parsec-cca-endorsements.json",
+		"policy": "test/policies/parsec-cca-realm.rego",
+		"expected": {
+			"error": null,
+			"outcome": {
+				"eat_profile": "tag:github.com,2023:veraison/ear",
+				"iat": 1666091373,
+				"ear.verifier-id": {
+					"build": "test",
+					"developer": "test"
+				},
+				"submods": {
+					"test": {
+						"ear.status": 0,
+						"ear.trustworthiness-vector": {
+							"instance-identity": 0,
+							"configuration":     0,
+							"executables":       32,
+							"file-system":       0,
+							"hardware":          0,
+							"runtime-opaque":    0,
+							"storage-opaque":    0,
+							"sourced-data":      0
+						},
+						"ear.veraison.policy-claims": {}
+					}
+				}
+			}
+		}
 	}
 ]
diff --git a/provisioning/api/handler_test.go b/provisioning/api/handler_test.go
@@ -599,7 +599,7 @@ func TestHandler_GetWellKnownProvisioningInfo_ok(t *testing.T) {
 	expectedBody := capability.WellKnownInfo{
 		MediaTypes:   supportedMediaTypes,
 		Version:      testGoodServiceState.ServerVersion,
-		ServiceState: testGoodServiceState.Status.String(),
+		ServiceState: capability.ServiceStateToAPI(testGoodServiceState.Status.String()),
 		ApiEndpoints: publicApiMap,
 	}
 
@@ -643,7 +643,7 @@ func TestHandler_GetWellKnownProvisioningInfo_GetRegisteredMediaTypes_empty(t *t
 	expectedBody := capability.WellKnownInfo{
 		MediaTypes:   []string{},
 		Version:      testGoodServiceState.ServerVersion,
-		ServiceState: testGoodServiceState.Status.String(),
+		ServiceState: capability.ServiceStateToAPI(testGoodServiceState.Status.String()),
 		ApiEndpoints: publicApiMap,
 	}
 

diff --git a/scheme/Makefile b/scheme/Makefile
@@ -7,6 +7,7 @@ SUBDIR += tcg-dice
 SUBDIR += psa-iot
 SUBDIR += tpm-enacttrust
 SUBDIR += parsec-tpm
+SUBDIR += parsec-cca
 
 clean: ; $(RM) -rf ./bin
 

diff --git a/scheme/README.md b/scheme/README.md
@@ -8,6 +8,10 @@ schemes. Currently the following schemes are implemented:
   attestation (note: this does not implement any specific DICE architecture).
 - `tmp-enacttrust`: TPM-based attestation for
   [EnactTrust](https://www.enacttrust.com/) security cloud.
+- `parsec-tpm` : Parsec TPM based hardware-backed attestation, details
+  [here](https://github.com/CCC-Attestation/attested-tls-poc/blob/main/doc/parsec-evidence-tpm.md)
+- `parsec-cca` : Parsec CCA based harware-backed attestation, details
+   [here](https://github.com/CCC-Attestation/attested-tls-poc/blob/main/doc/parsec-evidence-cca.md)
 
 
 ## Implementing Attestation Scheme Support