opencomputeproject
diff --git a/‎Documentation/corim_profile/OCP-SAFE-CoRIM-Extension-Profile-Specification.md‎
Lines changed: 509 additions & 0 deletions b/‎Documentation/corim_profile/OCP-SAFE-CoRIM-Extension-Profile-Specification.md‎
Lines changed: 509 additions & 0 deletions
diff --git a/‎Documentation/corim_profile/examples/ocp-safe-sfr-fw-example.diag‎
Lines changed: 104 additions & 0 deletions b/‎Documentation/corim_profile/examples/ocp-safe-sfr-fw-example.diag‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎Documentation/corim_profile/ocp-safe-sfr-profile.cddl‎
Lines changed: 59 additions & 0 deletions b/‎Documentation/corim_profile/ocp-safe-sfr-profile.cddl‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎shortform_report-main/.gitignore‎
Lines changed: 7 additions & 0 deletions b/‎shortform_report-main/.gitignore‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎shortform_report-main/AUDITOR_GUIDE.md‎
Lines changed: 222 additions & 0 deletions b/‎shortform_report-main/AUDITOR_GUIDE.md‎
Lines changed: 222 additions & 0 deletions
@@ -0,0 +1,104 @@
+/ tagged-corim-map / 501({
+  / corim.id (0) /
+  0: "acme-trap-audit-2025-08-03",
+  / corim.profile (3) /
+  3: 111(h'060A2B0601040182F4170101'), / OID 1.3.6.1.4.1.42623.1.1 for OCP SAFE SFR profile /
+  / corim.entities (5) /
+  5: [
+    / audit-entity / {
+      / entity-name (0) / 0: "My Pentest Corporation",
+      / role (2) /        2: [ 1 ] / manifest-creator /
+    }
+  ],
+   / corim.tags / 1 : [
+    / concise-mid-tag / 506( <<
+      / concise-mid-tag / {
+        / comid.tag-identity / 1 : {
+          / comid.tag-id / 0 : "acme-trap-review-comid-001"
+        },
+        / comid.triples / 4 : {
+              / conditional-endorsement-triples / 10 : [	
+              [  / conditional-endorsement-triple-record /
+                [ / conditions array /
+                  [ / *** stateful-environment-record *** /
+                    / environment-map / {
+                      / comid.class / 0 : {
+                        / comid.vendor / 1 : "ACME Inc.",
+                        / comid.model / 2 : "ACME RoadRunner Trap"
+                    }
+                  },
+                  [ / claims-list / 
+                      / *** measurement-map *** / {
+                        / comid.mval / 1 : {
+                          / comid.digests / 2 : [ [
+                            / hash-alg-id / -43, / sha384 /
+                            / hash-value / h'52047e070cddf496a7f77bf6a47792797e8ee90a149bb7555d08c5f93c5ca7ea46a63a7c99edaa1659e8afadfb9c6114'
+                          ],
+                          [
+                            / hash-alg-id / -44, / sha512 /
+                            / hash-value / h'12a5b961a5eb7e548ed436fe7b5848d428bff908cb6ffcb47ec3ac1e2a43e0b8d1ff047d387fb0a940dc7b8b0014acf344364c43ab4de624dcd15f98bee552a5'
+                          ]      
+                        ]
+                      }
+                    }
+                  ]
+                ]
+              ], /*** end stateful-environment-records ***/
+              [  /*** endorsements ***/
+                [ /*** endorsed-triple-record ***/
+                  / environment-map / {
+                    / class / 0 : {	
+                      / vendor / 1 : "ACME Inc.",	
+                      / model / 2 : "ACME RoadRunner Trap"	
+                    }
+                  },
+                  [ / endorsement #1/
+                    / measurement-map / {
+                      / comid.mval / 1 : { / measurement-values-map /
+                        / ocp-safe-sfr / -1 : {
+                          / 0: review-framework-version / 0: "1.1",
+                          / 1: report-version /           1: "1.2",
+                          / 2: completion-date /          2: 1(1687651200),
+                          / 3: scope-number /             3: 1,
+                          / 4: fw-identifiers /           4: [
+                            /fw-identifier / {
+                                / 0: fw-version /  0: {
+                                      / 0: version /         0: "1.2.3",
+                                      / 1: version-scheme /  1: "semver"
+                                }
+                            }
+                          ],
+                          / 5: device-category /          5: 0,  / 0: storage, 1: network, 2: gpu, 3: cpu, 4: apu, 5: bmc /
+                          / 6: issues /                   6: [
+                               / issue-entry / {
+                                / 0: title /         0: "Memory corruption when reading record from SPI flash",
+                                / 1: cvss-score /    1: "7.9",
+                                / 2: cvss-vector /   2: "AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L",
+                                / 3: cwe /           3: "CWE-111",
+                                / 4: description /   4: "Due to insufficient input validation in the firmware, a local attacker who tampers with a configuration structure in SPI flash, can cause stack-based memory corruption.",
+                                / 5: cvss-version /  5: "3.1"
+                            },
+                              / issue-entry / {
+                                / 0: title /         0: "Debug commands enable arbitrary memory read/write",
+                                / 1: cvss-score /    1: "8.7",
+                                / 2: cvss-vector /   2: "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
+                                / 3: cwe /           3: "CWE-222",
+                                / 4: description /   4: "The firmware exposes debug command handlers that enable host-side drivers to read and write arbitrary regions of the device's SRAM.",
+                                / 5: cvss-version /  5: "3.1",
+                                / 6: cve /           6: "CVE-2014-10000"
+                            }                            
+                          ]
+                        }                        
+                      }
+                    }
+                  ]
+                ]
+              ]
+              ]
+            ]
+        }
+      }
+    >> )
+    ]
+  }
+)
@@ -0,0 +1,59 @@
+; Auditor CoRIM – Corim which embeds the SFR fields
+; OCP SAFE SFR CoRIM Profile OID: 1.3.6.1.4.1.42623.1.1
+
+$$measurement-values-map-extension //= (
+  &(ocp-safe-sfr: -1) => ocp-safe-sfr-map ; Private extension for OCP SAFE SFR
+)
+
+ocp-safe-sfr-map = {
+  &(review-framework-version: 0) => tstr
+  &(report-version: 1) => tstr
+  &(completion-date: 2) => time
+  &(scope-number: 3) => integer
+  &(fw-identifiers: 4) => [ + fw-identifier ]
+  ? &(device-category: 5) => $device-category
+  ? &(issues: 6) => [ + issue-entry ]
+  * $$ocp-safe-sfr-map-ext
+}
+
+issue-entry = {
+  &(title: 0) => tstr
+  &(cvss-score: 1) => tstr
+  &(cvss-vector: 2) => tstr
+  &(cwe: 3) => tstr
+  &(description: 4) => tstr
+  ? &(cvss-version: 5) => tstr
+  ? &(cve: 6) => tstr
+  * $$ocp-safe-issue-entry-ext
+}
+
+fw-identifier = non-empty<{
+  ? &(fw-version: 0) => version-map
+  ? &(fw-file-digests: 1) => digests-type
+  ? &(repo-tag: 2) => tstr
+  ? &(src-manifest: 3) => src-manifest
+}>
+
+manifest-entry = {
+  &(filename: 0) => tstr
+  &(file-hash: 1) => digests-type 
+}
+
+src-manifest = {
+  &(manifest-digest: 0) => digests-type 
+  &(manifest: 1) => [ + manifest-entry ]
+}
+
+$device-category /= storage
+$device-category /= network
+$device-category /= gpu
+$device-category /= cpu
+$device-category /= apu
+$device-category /= bmc
+
+storage = 0
+network = 1
+gpu = 2
+cpu = 3
+apu = 4
+bmc = 5
@@ -0,0 +1,7 @@
+file_hashes.txt
+testkey_ecdsa_p521.pub
+testkey_p521.pem
+__pycache__
+*.cbor
+*.jws
+*.json
@@ -0,0 +1,222 @@
+# CBOR CoRIM Human-Readable Inspector - Auditor Guide
+
+## Overview
+
+The CBOR CoRIM Human-Readable Inspector is a tool designed specifically for security auditors and reviewers who need to visually inspect and verify the contents of CBOR-encoded CoRIM (CBOR Object Representation of Information Model) files. This tool converts the binary CBOR format into a clear, human-readable report that shows all fields, their meanings, and their values.
+
+## Why This Tool is Needed
+
+CBOR is a binary format that is not human-readable in its raw form. While CBOR is efficient for machine processing, auditors need to be able to:
+
+- **Verify Data Integrity**: Ensure all expected fields are present and correctly formatted
+- **Validate Content**: Check that security review data matches expectations
+- **Audit Compliance**: Confirm that CoRIM files follow the OCP SAFE SFR profile specification
+- **Troubleshoot Issues**: Identify problems in CoRIM generation or encoding
+
+## Quick Start
+
+### Basic Usage
+
+```bash
+# Inspect a CoRIM file
+python cbor_human_inspector.py my_security_review.cbor
+
+# Show raw CBOR data in addition to decoded structure (currently only supports unsigned CoRIM)
+python cbor_human_inspector.py my_security_review.cbor --show-raw
+```
+
+## Understanding the Output
+
+The inspector provides a hierarchical view of the CoRIM structure with clear explanations:
+
+### 1. Top-Level Information
+```
+📊 Total CBOR size: 1286 bytes
+🔍 Analysis timestamp: 2025-01-15 14:30:22
+✅ CBOR Tag Found: 501 (CoRIM (CBOR Object Representation of Information Model))
+```
+
+### 2. CoRIM Fields Breakdown
+
+The tool explains each field with its purpose:
+
+- **Field 0 (CoRIM ID)**: Unique identifier for this CoRIM
+- **Field 1 (Tags)**: List of COMID tags containing the actual security review data
+- **Field 3 (Profile)**: Should show OID 1.3.6.1.4.1.42623.1.1 for OCP SAFE SFR
+- **Field 5 (Entities)**: Information about who created/maintains this CoRIM
+
+### 3. Security Review Data (SFR Extension)
+
+The most important section for auditors shows the actual security review findings:
+
+```
+🔐 SFR Extension (-1) Found!
+   📋 SFR Data contains 7 fields:
+   
+   🔸 Field 0: Review Framework Version
+   🔸 Field 1: Report Version  
+   🔸 Field 2: Completion Date
+   🔸 Field 3: Scope Number
+   🔸 Field 4: Firmware Identifiers
+   🔸 Field 5: Device Category
+   🔸 Field 6: Issues - List of security issues found
+```
+
+### 4. Security Issues Detail
+
+Each security issue is clearly displayed:
+
+```
+🔴 Issue #1:
+   Title: Buffer Overflow in Firmware Parser
+   CVSS Score: 9.1
+   CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+   CWE: CWE-787
+   Description: A critical buffer overflow vulnerability...
+   CVE: CVE-2025-0123
+```
+
+## Validation Checklist for Auditors
+
+When reviewing a CoRIM file, verify the following:
+
+### ✅ Structure Validation
+- [ ] File has correct CoRIM CBOR tag (501)
+- [ ] CoRIM contains required fields (0, 1, 3, 5) - **Inspector automatically checks this**
+- [ ] Profile field (3) contains OID 1.3.6.1.4.1.42623.1.1 - **Inspector flags if missing**
+- [ ] Tags field (1) contains at least one COMID tag (506)
+
+### ✅ SFR Extension Validation
+- [ ] SFR extension (-1) is present in measurement values
+- [ ] All required SFR fields are present (0-6)
+- [ ] Completion date is properly encoded with CBOR timestamp tag
+- [ ] Device category is a valid integer (0-5)
+- [ ] Framework version matches expected value
+
+### ✅ Security Issues Validation
+- [ ] Each issue has required fields: title, CVSS score, CVSS vector, CWE, description
+- [ ] CVSS scores are valid (0.0-10.0)
+- [ ] CVSS vectors follow proper format
+- [ ] CWE identifiers are properly formatted
+- [ ] CVE identifiers are present when applicable
+
+### ✅ Data Quality Validation
+- [ ] Firmware identifiers contain vendor, product, version information
+- [ ] Hash values are properly formatted (SHA384/SHA512)
+- [ ] Entity information includes name and roles
+- [ ] All text fields contain meaningful content
+
+## Common Issues and Troubleshooting
+
+### Missing Profile Field
+```
+❌ Profile should be OID tag (111), found: <type>
+```
+**Solution**: The CoRIM must include the OCP SAFE SFR profile OID. Check CoRIM generation code.
+
+### Incorrect Extension Value
+```
+❌ Missing SFR extension (-1)
+```
+**Solution**: Verify that the SFR extension is using -1 (private extension) instead of 1029.
+
+### Invalid Date Encoding
+```
+❌ Should be datetime with CBOR tag 1
+```
+**Solution**: Completion dates must be encoded with CBOR timestamp tag (1).
+
+### Missing Required Fields
+```
+❌ Required CoRIM field X missing
+```
+**Solution**: Check that all mandatory CoRIM fields are included during generation.
+
+## Device Category Reference
+
+The tool automatically translates device category numbers:
+
+- **0**: CPU (Central Processing Unit)
+- **1**: GPU (Graphics Processing Unit)
+- **2**: BMC (Baseboard Management Controller)
+- **3**: NIC (Network Interface Controller)
+- **4**: Storage (Storage devices)
+- **5**: Other (Other device types)
+
+## CBOR Tag Reference
+
+Common CBOR tags you'll see in the output:
+
+- **Tag 1**: POSIX timestamp (seconds since epoch)
+- **Tag 111**: Object Identifier (OID)
+- **Tag 501**: CoRIM (CBOR Object Representation of Information Model)
+- **Tag 506**: COMID (Concise Module Identifier)
+
+## Advanced Usage
+
+### Comparing Multiple CoRIMs
+
+```bash
+# Inspect multiple files for comparison
+python cbor_human_inspector.py review_v1.cbor > review_v1_analysis.txt
+python cbor_human_inspector.py review_v2.cbor > review_v2_analysis.txt
+diff review_v1_analysis.txt review_v2_analysis.txt
+```
+
+### Automated Validation
+
+The inspector can be integrated into automated validation workflows:
+
+```bash
+# Check if inspection succeeds (exit code 0 = success)
+if python cbor_human_inspector.py security_review.cbor; then
+    echo "CoRIM structure is valid"
+else
+    echo "CoRIM has structural issues"
+fi
+```
+
+### Raw Data Analysis
+
+Use `--show-raw` to see the actual CBOR bytes for deep analysis:
+
+```bash
+python cbor_human_inspector.py review.cbor --show-raw
+```
+
+This shows the first 100 bytes of raw CBOR data, useful for debugging encoding issues.
+
+## Integration with Other Tools
+
+### With CDDL Validation
+
+The human inspector complements CDDL schema validation:
+
+1. **First**: Run CDDL validation to check schema compliance
+2. **Then**: Use human inspector to verify content and meaning
+3. **Finally**: Review the human-readable output for audit purposes
+
+### With JSON Reports
+
+The inspector works with CoRIM files generated from JSON security review reports:
+
+```
+JSON Report → CoRIM Generation → CBOR Encoding → Human Inspector
+```
+
+## Best Practices for Auditors
+
+1. **Always inspect the profile field** - Ensure it contains the correct OCP SAFE SFR OID
+2. **Verify issue count matches expectations** - Check that all reported issues are present
+3. **Validate timestamps** - Ensure completion dates are reasonable and properly encoded
+4. **Check firmware identifiers** - Verify they match the actual firmware being reviewed
+5. **Review CVSS scores** - Ensure they align with the severity of described issues
+6. **Examine entity information** - Confirm the Security Review Provider is correctly identified
+
+## Support and Troubleshooting
+
+If you encounter issues with the inspector:
+
+1. **Check file format**: Ensure the file is a valid CBOR file
+2. **Verify file size**: Empty or corrupted files will cause errors
+3. **Review error messages**: The tool provides detailed error information