doc: update end-to-end/walkthrough.md

Update the end-to-end walkthrough to reflect the latest changes to the
code line, and to improve its maintainability going forward.

- Mention native deployment as an alternative to Docker.
- Remove the installation instructions, pointing to the deployments'
  READMEs instead, and only giving the actual make command.
- Remove references to external `cocli` and `evcli` tools, instead
  relying on the ones that are part of the deployment and on the JSON
  "templates" that are part of this code base. This way, there is no
  risk of things getting out of sync.
- Remove relative paths from commands, instead using pre-defined root
  locations. This removes ambiguity as to where things are (are paths
  relative to the file, to the repo, PWD, etc), and make commands more
  robust when being executed via copying and pasting, as they won't rely
  on PWD.
- Adjust the instructions so that no new files are created or existing
  files modified in the source-controlled repo. Instead use a dedicated
  working directory created as part of the walkthrough for any new or
  modified files. This makes it clearer afterwards what was
  changed/crated, and reduced the possibility of stray changes being
  committed.
- Update CoRIM/CoMID "template" listings to reflect the updated formats.
- Reformat for readability and consistency with the rest of
  documentation: 79 column lines, use ```sh for shell listings.
- Minor typo fixes.

In addition to the walkthrough itself, the following related updates are
included:

- Update end-to-end inputs build script to build evidence, as well as
  corims from source.
- Update deployments' READMEs to include "git clone" followed by "cd" as
  part of the initial listing to give better context to where the rest
  of the commands in the READMEs are supposed to be executed.

Signed-off-by: Sergei Trofimov <[email protected]>

deployments/docker/README.md

@@ -1,6 +1,21 @@
 This directory contains the [Docker](https://www.docker.com/) source for the
-deployment of Veraison. In order to build it, you need to have Docker
-installed, and current user must be in the docker group.
+deployment of Veraison.
+
+## Dependencies
+
+You will need to make sure you have `make`, `git`, `docker` (and its builder),
+and `jq` installed on your system. Optionally, `tmux` can be used to
+conveniently monitor output from running services. The CLI front-end relies on
+`bash` shell, which should already be installed most systems, but if not, it
+would also need to be installed.
+
+```sh
+# on Ubuntu
+sudo apt install bash make git docker.io docker-buildx jq tmux
+
+# on Arch
+sudo pacman -S bash make git docker docker-buildx jq tmux
+```
 
 > **Warning** for `Ubuntu` users:
 > Make sure you have docker installed natively (via `sudo apt
@@ -9,29 +24,65 @@ installed, and current user must be in the docker group.
 > locations via the config, however we cannot guarantee that there won't be
 > other issues -- if you decide to stick with `snap`, you're on your own.
 
+### Docker set up
+
+If you're not already set up to use Docker on your system, you will need to
+make sure that it is enabled and running, and that you can access by adding
+your account to the `docker` group:
+
+```sh
+sudo systemctl enable --now docker
+sudo usrmod -a -G docker $USER
+```
+
+The user group modification won't take effect until you log out and log back
+in, or, alternatively, you can force in a specific shell with
+
+```sh
+newgrp docker
+```
+
+## Creating the Deployment
+
 Once you have the pre-requisites, you can create the deployment on your local
-system simply by running
+system 
 
-    make
+```sh
+git clone https://github.com/veraison/services.git
+cd services/deployments/docker
+
+make
+```
 
 Once the deployment is created, you can set up the front end by executing
 
-    source env.bash
+```sh
+source env.bash
+```
 
-Inside a bash shell. There is an equivalent `env.zsh` for zsh (other shells are
+inside a bash shell. There is an equivalent `env.zsh` for zsh (other shells are
 currently not supported). You can interact with the deployment via the
 `veraison` command. E.g.:
 
-    $ veraison status
-             vts: stopped
-    provisioning: stopped
-    verification: stopped
-      management: stopped
-        keycloak: stopped
+```sh
+veraison status
+```
+
+You should see output  similar to
+
+```
+         vts: stopped
+provisioning: stopped
+verification: stopped
+  management: stopped
+    keycloak: stopped
+```
 
 To start Veraison services run:
 
-    veraison start
+```sh
+veraison start
+```
 
 The provisioning service is now listening on port 8888, and verification
 service on port 8080 (these can be changed via configuration -- see below).
@@ -116,14 +167,18 @@ First, assuming you have frontend set up, and the services running, (if not,
 you can do so with `source env.bash; veraison start`), you will need to stop
 the "production" VTS service with:
 
-    veraison stop vts
+```sh
+veraison stop vts
+```
 
 this will stop `vts-service` but should leave the other services running (you
 can verify that by running `veraison status`).
 
 Next, enter the debug shell:
 
-    make DEBUG_HOST=vts-service debug
+```sh
+make DEBUG_HOST=vts-service debug
+```
 
 this will pop open a `bash` shell inside the builder. The `DEBUG_HOST` argument
 will set the hostname of the builder container. Here, we're setting it to the
@@ -139,9 +194,11 @@ Next, navigate to the location of the VTS service executable (keeping in mind
 that the root of the repo is mapped to `/veraison/build` inside the container),
 and start the debugger:
 
-    # inside the debug shell:
-    cd /veraison/build/vts/cmd/vts-service
-    debug
+```sh
+# inside the debug shell:
+cd /veraison/build/vts/cmd/vts-service
+debug
+```
 
 The `debug` command is an alias for `dlv debug` that will make sure that the
 debug executable will be built with evidence handling plugins compiled in (same
@@ -158,6 +215,8 @@ that, so you don't need to worry about it. However, if you want to run the
 service executable directly, then you must remember to specify the appropriate
 config, e.g.
 
-    # inside the debug shell:
-    cd /veraison/build/vts/cmd/vts-service
-    ./veraison-service --config config-docker.yaml
+```sh
+# inside the debug shell:
+cd /veraison/build/vts/cmd/vts-service
+./vts-service --config config-docker.yaml
+```

deployments/native/README.md

@@ -55,6 +55,9 @@ Arch, Ubuntu, and MacOSX (using [homebrew](https://brew.sh)) (see `bootstrap/`
 subdirectory). Running
 
 ```bash
+git clone https://github.com/veraison/services.git
+cd services/deployments/native
+
 make bootstrap
 ```
 

end-to-end/input/corim-src/build-endorsements.sh → end-to-end/input/src/build-inputs.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 # Copyright 2024 Contributors to the Veraison project.
 # SPDX-License-Identifier: Apache-2.0
+# shellcheck disable=SC2086
 set -e
 
 TEMP_DIR=/tmp/veraison-end-to-end
@@ -18,3 +19,12 @@ for scheme in psa cca cca-realm; do
                        --output ${SCRIPT_DIR}/../${scheme}-endorsements.cbor
 done
 
+evcli psa create --claims ${SCRIPT_DIR}/psa-evidence.json \
+	    --key ${SCRIPT_DIR}/../ec256.json \
+	    --token ${SCRIPT_DIR}/../psa-evidence.cbor
+
+evcli cca create --claims ${SCRIPT_DIR}/cca-evidence.json \
+	    --iak ${SCRIPT_DIR}/../ec256.json --rak ${SCRIPT_DIR}/../ec384.json \
+	    --token ${SCRIPT_DIR}/../cca-evidence.cbor
+
+echo "done."

end-to-end/input/src/cca-evidence.json

@@ -0,0 +1,51 @@
+{
+  "cca-platform-token": {
+    "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+    "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+    "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
+    "cca-platform-config": "AQID",
+    "cca-platform-lifecycle": 12288,
+    "cca-platform-sw-components": [
+      {
+          "measurement-type": "BL",
+          "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+          "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+          "version": "3.4.2"
+        },
+        {
+          "measurement-type": "M1",
+          "measurement-value": "CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+          "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+          "version": "1.2.0"
+        },
+        {
+          "measurement-type": "M2",
+          "measurement-value": "DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+          "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+          "version": "1.2.3"
+        },
+        {
+          "measurement-type": "M3",
+          "measurement-value": "EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+          "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
+          "version": "1.0.0"
+      }
+  ],
+    "cca-platform-service-indicator": "https://veraison.example/v1/challenge-response",
+    "cca-platform-hash-algo-id": "sha-256"
+  },
+  "cca-realm-delegated-token": {
+    "cca-realm-challenge": "QUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQg==",
+    "cca-realm-personalization-value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==",
+    "cca-realm-initial-measurement": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+    "cca-realm-extensible-measurements": [
+      "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+      "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+      "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
+      "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
+    ],
+    "cca-realm-hash-algo-id": "sha-256",
+    "cca-realm-public-key": "BIL70TKptcOWh5+7FTQNkFCXjlXHnVJ5oroOlYVPN+IM0vZPO3K1cLvXc+7iznaEJe31Re2+if+v4OlrvUbicPIHlsRIuY2vRqdk0nRC5ubthPjOyBfm7ManHTo959Z+zQ==",
+    "cca-realm-public-key-hash-algo-id": "sha-512"
+  }
+}

end-to-end/input/src/psa-evidence.json

@@ -0,0 +1,31 @@
+{
+  "eat-profile": "http://arm.com/psa/2.0.0",
+  "psa-client-id": 1,
+  "psa-security-lifecycle": 12288,
+  "psa-implementation-id": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=",
+  "psa-boot-seed": "3q2+796tvu/erb7v3q2+796tvu/erb7v3q2+796tvu8=",
+  "psa-hardware-version": "1234567890123",
+  "psa-software-components": [
+    {
+      "measurement-type": "BL",
+      "measurement-value":  "h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc=",
+      "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=",
+      "version": "2.1.0"
+    },
+    {
+      "measurement-type": "PRoT",
+      "measurement-value": "AmOCmYm2/ZVPcrqvL8ZLwuLwHWktTecphuqAj26ZgT8=",
+      "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=",
+      "version": "1.3.5"
+    },
+    {
+      "measurement-type": "ARoT",
+      "measurement-value": "o6XnFfDMV0pzw/m+u2vCTzL/1bZ7OHJEwskJ2neaFHg=",
+      "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=",
+      "version": "0.1.4"
+    }
+  ],
+  "psa-instance-id": "Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI",
+  "psa-verification-service-indicator": "https://psa-verifier.org",
+  "psa-nonce": "QUp8F0FBs9DpodKK8xUg8NQimf6sQAfe2J1ormzZLxk="
+}