Re: [Anima] IDevID and TPM devices and draft-richardson-anima-masa-considerations-02

Michael Richardson <> Tue, 03 March 2020 14:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 98C143A0CBC for <>; Tue, 3 Mar 2020 06:45:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VSfxlrV-18e3 for <>; Tue, 3 Mar 2020 06:45:48 -0800 (PST)
Received: from ( [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B04BA3A0CB7 for <>; Tue, 3 Mar 2020 06:45:47 -0800 (PST)
Received: from ( [IPv6:2607:f0b0:f:2::247]) by (Postfix) with ESMTP id D4C543897F for <>; Tue, 3 Mar 2020 09:44:37 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id EE402804 for <>; Tue, 3 Mar 2020 09:45:43 -0500 (EST)
From: Michael Richardson <>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 03 Mar 2020 09:45:43 -0500
Message-ID: <10130.1583246743@localhost>
Archived-At: <>
Subject: Re: [Anima] IDevID and TPM devices and draft-richardson-anima-masa-considerations-02
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Mar 2020 14:45:51 -0000

Laurence's slides not yet posted to,
but I hope they will be.

From: "Smith, Ned" <>
To: Michael Richardson <>
Subject: Re: IDevID and TPM devices

I looked at and Laurence's tutorial slides. The IDevID aspects seem to be inline with my understanding. Laurence's slides don't go into much detail.

Section 2 of anima-masa is correct. There is variation of 1) that provisions some setup FW to generate the keys on the device then removes the setup FW so that in the case of DICE, the setup FW isn't included in the seed computation for generating the IDevID.

The basic difference between a DICE key derivation an 'traditional' is the key gen algorithm isn't a random seed, but a seed computed from a PUF or similar secret plus a hash of the FW. This way, if the FW changes, the key is not re-generated / usable. This forces the device to quarantine itself if the device is modified in an unexpected way.

The 3rd (TPM) approach isn't different from 1) or 2) in the draft as the TPM is a device that gets provisioned by a manufacturer. The difference is the software that uses the TPM has to execute on a trusted environment (e.g. Root of Trust for Measurement - RTM or a trusted execution environment such as NIST SP800-155 terminology "Measurement Agent"). The Measurement Agent and RTM have to be securely bound / connected to the TPM. The TCG uses the term "trusted building block" to abstractly refer to any number of ways the binding might be implemented.

The point of this background is the mfg needs to not only provision IDevID, but it needs to provision FW / SW into all the places where the "Measurement Agent" and Roots-of-trust exist. And provide Endorsement and/or Evidence that everything was constructed and provisioned correctly.

Section 3 possibly inaccurately positions that the "end entity" certificate is the end of the certificate chain. In reality, the EE is more like a CA if it creates keys that are allocated to another "measurement agent" in the device. This is where "layered attestation" and "layered device" concepts differ from Laurence's tutorial. Possibly, Composite Device concept also involves some form of 'embedded CA' that issues certificate (aka 'signed documents containing a public key').

I don't have suggested wording changes, only to point out there is hidden complexity and the current wording doesn't try to expose it. The wording you have may nevertheless be accurate as is.

In section 3.2 it suggests keys are stored in an HSM. A DICE layering model would not necessarily require an HSM but could be re-derived at power reset. Someone could argue that an always-on system has the equivalent of an HSM in memory.

Section 3.3 says " This suggests that it can not be the same
   intermediate CA that is used to sign the IDevID, since that CA should
   have the authority to sign vouchers.  If it did, then the End-
   Entities that it created, the IDevID for devices, would then be able
   to sign vouchers, which would not be an appropriate authorization."
I'm not sure the wording or sentence structure is clear. Reads like a fragment or collection of fragments.

Layering concepts allow the IDevID to be issued to a fundamental layer known to the mfg. Subsequent layers could have additional complexity that supports vouchers, onboarding and provisioning of cross-domain anchors as well as provisioning of LDevIDs.

I'm still not sure I understand how a MASA differs from either a CA or a EE. Both are authorized to sign things. If there is a cert path to a mfg then they are mfg authorized. Often CA can sign more than just certificates. It seems the paragraph in quotes is asserting otherwise?


On 2/21/20, 8:21 AM, "Smith, Ned" <> wrote:

    Is there a link to Laurence's slides?
    The link is to a draft spec for DICE. There is a final version available now.
    I'll look at draft-richardson-anima-masa-considerations-01


    On 2/21/20, 4:39 AM, "Michael Richardson" <> wrote:

        Smith, Ned <> wrote:
            > The TCG tries to avoid specifying HW implementation. However, the TCG
            > DICE spec
            > (
            > comes close. I'm aware of at least one implementation of a firmware TPM
            > that uses a DICE RoT.

            > There is also a TCG specification in progress that defines the various
            > TPM supported keys (IDevID, LDevID, IAK, LAK, EK) that may be used or
            > provisioned during onboarding. Unfortunately, this specification has
            > been under development for multiple years and it isn't clear how
            > motivated the authors are to publish it. (Fine wine?). This isn't
            > exactly what you're after, but it is a TCG document that says the most
            > about IDevID.

        Hi, trying to clean up some old email threads.
        Did you see Laurence's slides on the three ways to initialize the IDevID on Monday?
        THe specification you mention above, is that the DICE URL above, or a
        different document?

        I have too many TCG documents to read right now.

        I wrote draft-richardson-anima-masa-considerations-01 in December in an
        attempt to capture some of this: I'm seeking reviewers and/or co-authors with
        more contact at silicon and device makers who will tell me what is

        ]               Never tell me the odds!                 | ipv6 mesh networks [
        ]   Michael Richardson, Sandelman Software Works        | network architect  [
        ]        |   ruby on rails    [

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-