[Rats] Re: comments on draft-poirier-rats-eat-da-09
Mathieu Poirier <mathieu.poirier@linaro.org> Wed, 03 June 2026 21:27 UTC
Return-Path: <mathieu.poirier@linaro.org>
X-Original-To: rats@mail2.ietf.org
Delivered-To: rats@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 726EEFA5528E for <rats@mail2.ietf.org>; Wed, 3 Jun 2026 14:27:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780522063; bh=295gggh2hhL8jO2nsYP/Ckk16eRhASmRNsnPdYoVBxk=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=EoR8OnKyco38j9b31Co9Cja0LnndVGCELzUd0B2PRiLDYy6t0tVGZrnF5ADhXwqmk xJ4lR696JZ+fMuvblNryguJKVZKOwO8TbgvkEz6XUMF8/0GIB9EBE2DmnvbfCKuL87 ht6cObuxIHKHcSbaIYfL2anWMOwaiwONMO0iCBDU=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=linaro.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8nYmGT2BDkOa for <rats@mail2.ietf.org>; Wed, 3 Jun 2026 14:27:42 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 25C94FA550EB for <rats@ietf.org>; Wed, 3 Jun 2026 14:26:03 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-6870ad8072eso17231a12.0 for <rats@ietf.org>; Wed, 03 Jun 2026 14:26:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1780521962; cv=none; d=google.com; s=arc-20240605; b=T/QzSqQLzZnONMxF132duY9l3byuOAmQ1WU9u+Zl2D9mzq6wK4pOcQjFs44FyMl0Fa 3kOOQUETNBXWBYNrCNsIqOrplRGSDaUcfbh4bKrwMpcaLuP79ylmG53YowGr8nisB3fs isTqBtgsGwNNVpHZ65xtfTv3KbwSMQQcD7G9R13hKCXB835LBr2xq8okUOiq8ML45ckv q2gxnu+tyS78qTSxi9t/9/ey0O94Tq6oOxq/tDOmYmuokWWfaStnZ6SWXr9ptJFfBpkF N7pz5faGAKoE8xQTErMnIIAq1lqWVPWWl6vqGso0RIhreDOWFIg4ZLdBO5DTREU1ORkQ Ky4g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=SuGdQfDPy8lICrLTMfgPK4dnKBD1sBvBxjgdxoWPJTk=; fh=FyJOn/Ofd7QITsch6E2p+TKS13NlBzTY5pdVOZE4Yk4=; b=iKBpePZoSbMU1LKeraz2uVY2NmaejHdHwYfUoq92l/u9Es/Ky2MwuhwK74epTNHCGo FyD2ivw+IIYnxspWWSkt+spHXRdgRA2pED6sLYdzWwwb+kll/BXhSvkvApShrPbeq+HD IYwC+BPRYXsQMZ1c9FINYTA8zgtjeCnPkqxhetHKMAL8ubSuAnMqD9mn4kZzHL9o/6gF a5GDuOM5WJQ2G3JQ72AQY1QioyByK6IetL3iLtZpvn/Rdv4a96z297KSXVSuERoWtvTo l8ciw+IYwBdS3Iuo4xwwl1+anTcO9KLfk1FGeWJTeb+xPrHK1+SSqqueHcC2+CUjiT95 BGvA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1780521962; x=1781126762; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=SuGdQfDPy8lICrLTMfgPK4dnKBD1sBvBxjgdxoWPJTk=; b=OZwkVYaAKgg288myEYDyyTdkSpg42Vskqi9/Kv6HvYM+jpUQf9IZzVoXa2MMkfMY3G l7C4V8wbFDie+HTv305V6DdboHn+ADge9TDDgePRNYKcVZHhYdjQy15jcaEZvSmcNzn6 CvSE70P/p0iq4P+S0SRdZKSkm9OBtqQpAmQTSbmrNz9S5ToPjpWhKL0Koe/e+uIXDHRw NahIxS/t0MQJkLPCYXRk9UpuJEa/EWFzyGwpDaNFzbFaSeLOnMMDbAyAyIXWEBMp0h0m w24yQ3woBl0VvljRQ5oVf1jsoIY72F7cjt3K7koBTVBENBmtmiBq7ecgWgXC+H7I6zad hAow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780521962; x=1781126762; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=SuGdQfDPy8lICrLTMfgPK4dnKBD1sBvBxjgdxoWPJTk=; b=LocqqlCXYtEKgQ3xdwy3/0tXthsDhLQ14HyTJWl0sDlsoEbYZCW/jSN4DdHOaNHBt5 x3OblqDc85SjLDUu2Lgqp9uLy+1l7TsEUqbbiSWtuRarhP7ZY0Ek0EBQCW3IGEIEaaS3 FvQunb5FiIsvNjLsZOO881axjx+0GkO/KtDpcCJJCkNVdbhT8RIXtClPIThuhUhb/DGe fJM1GkfzoRicQPpT3pCdRUuGuq3buCuzUz87NZuF/UPJe+fiRcfTUwiGdH/Wuc880AEi Qol+SRtwXrVPabZT+qjITzOsKREWc2usCWsij5lqdaobBCxXm99XCT9Pk/VDCy/jQpWo LejQ==
X-Gm-Message-State: AOJu0Yxu85gfyEe/vspdlgQaeHteKjRXXZy9EGuxqJnsKdEAEJUw5q51 SuygsRpzWKRaj/xPQNJuSnLRtWt4MVCHdE1ygW4PCDb7Q7Dbv4Dn8dRoXz5xSucooz0fuGPrzuI mqoAWEixDKctk4bIOclyG0GuhTeiVR6F9QisLHiuFOIL7X5uBEXgJRRk=
X-Gm-Gg: Acq92OE+9cavg2KjFKErtw7aryK9GUV2+7lOmQGSpouuP8heqlO7Ci3dPc40BZVw783 NC8TCqsZjQLblmfEBsQP7o0TbuN2RRAnx5Sm4WSWpS8F6I+fskTVmsfQd/nxpgawk6d4QS2VIcN s8rEyrJMbkZkB+P8qBBcft07RbiLx4FnHlXyFhiRE7tz44OXqNxEe58GU/DTjj4ncg4T/KuiWb2 iepaXsCzqjPIXCAEJ/TghurldQg+tFHZtveQEM5LRxDNmcrpspbPvkykY0Wl0pjTuD8crZMXvcF zoqY0mAZWfjXJbhf9+fc/Nrin29DZ1vm+57xD+HYRpjEc8DqW0AblH6rZ6DgJfY=
X-Received: by 2002:a05:6402:3d9:b0:671:9dec:ba3 with SMTP id 4fb4d7f45d1cf-68f0f5e7843mr331678a12.13.1780521962040; Wed, 03 Jun 2026 14:26:02 -0700 (PDT)
MIME-Version: 1.0
References: <CA+1=6yf9i6au=C3wi6tiP9B5-Q+RrNig1Qfujb992p58F4BPLg@mail.gmail.com> <26710.1780425426@obiwan.sandelman.ca>
In-Reply-To: <26710.1780425426@obiwan.sandelman.ca>
From: Mathieu Poirier <mathieu.poirier@linaro.org>
Date: Wed, 03 Jun 2026 15:25:49 -0600
X-Gm-Features: AVHnY4Iz7D6hmonoqpeBNnyk0wKed5r3A_Cuk6y93qa_kT4VZ40-LcVg9Grhgrg
Message-ID: <CANLsYkwoOCs5yF8jPJbOTGNeN6V=PFvBi7mY2vidStsU3B4KRQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 3CMGEDDTRVZHSRHTKBLJYBYETNQ425LT
X-Message-ID-Hash: 3CMGEDDTRVZHSRHTKBLJYBYETNQ425LT
X-MailFrom: mathieu.poirier@linaro.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: rats@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: comments on draft-poirier-rats-eat-da-09
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/-0wIZjj2aSrak1VlKJrrdSQBGCU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>
Good day Michael, Many thanks for the review and thoughtfull comments. Thomas and I have jointly formulated the inline comments below. On Tue, 2 Jun 2026 at 12:37, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > > I've read draft-poirier-rats-eat-da-09. > I understand that it is an EAT Profile. > The problem statement seems clear as to positive goals, but I find that I do > understand the attack/risk of doing this wrong. > > Is it that the TVM is suspicious of the device (GPU, NPU), so would be > reluctant to sends it's model/workload down to it? > This feels like a variation of the multi-verifier and composite attester > problem. > > 1. I think that a black diagram (including one or two PCIe bridges), would be > helpful. Figure 1 in Appendix B... move it up. > 2. It seems that the device attestation mechanism is meaningless without > some connection to the hypervisor/host attestation. Confidential Computing does not rely on anything from the hypervisor or the host. The TVM uses the platform, i.e., PCIe DOE protocol, but does so over encrypted channels. The platform delivers the bits between the trusted and non-trusted worlds, but all the information is encrypted. > 3. I'm not convinced this is actually an EAT *Evidence* Profile. > To me, this feels like device Attestation Results that need to be > included in the TVW/CCC Evidence as part of it's trusthworthiness > evaluation. This would be the TEEP/TAM model. > How is this different? > In some use cases, the lead attester can be co-located with a verifier that can verify the evidence and present the DAT claims as attestation results. In our scenario, there is no local verifier and the DAT claims-set is effectively evidence. Therefore, it is probably more accurate to say that DAT is an EAT profile for both evidence and attestation results. This is fully consistent with the objectives and scope of RFC9711. > "A DAT can be used as a > standalone entity but can also be embedded in a larger, platform- > specific attestation token." > > Don't sit on any fences: I'd be happier if it did one or the other. > EAT was way less specfic than I wanted, and now we have a profile that > appears to also need a profile to be used. > In the use cases we are targeting, embedding the DAT in a composite evidence is unavoidable. However, when it is part of a wider evidence collection, the DAT can be embedded without any further profiling. > >3.1.1. Measurements Claim > > > > There can be up to 239 measurements per device with the entire > > measurement log optionally signed by the certificate populated in one > > I'm guessing 239 = 256 - someoverhead? > It's otherwise an odd number that probably needs a reference to explain. > The SPDM specification reserves measurement indexes between 240 and 256, hence the 1..239 range. We will clarify this in the draft. > > > ; M1 /= GET_VERSION , GET_CAPABILITIES , NEGOTIATE_ALGORITHMS , \ > > GET_DIGESTS , GET_CERTIFICATE , CHALLENGE (A1, B1, C1) > > Since these are comments, can you just pre-wrap them? > Just slightly easier to read that way. Very well, we will adjust this. > > >3.1.4. TDISP Device Interface Report > > > > A TDISP Device Interface Report can only be obtained if the device > > interface has transitioned to the CONFIG_LOCK or RUN state of the > > TDISP state machine. > > What? state machine? CONFIG_LOCK? RUN? > Clearly I need more background to understand this. > At least I am intimately familiar with PCI BARs, gosh... building NPUs 25 > years ago... The TEE Device Interface Security Protocol (TDISP) is part of the PCI Express specification. By way of a state machine, TDISP defines a set of steps (along with the security requirements for each step) a device needs to go through to be trusted by a TVM. CONFIG_LOCK and RUN are two of the states of the TDISP state machine where a TDISP report is available. Do you think the above should be added to the draft? > Is there any concern that PCI(e) device A would be judged trustworthy, > and then the hypervisor would then rewrite the BARs such that the physical > address space mapped into the TVM is now on malicious device B? Good question. The measurements and their potential signature allow a TVM to trust that the device FW is properly enacting the TDISP protocol. The TDISP protocol states that no modifications can be made to the BARs when the device is in the CONFIG_LOCK or RUN state. If this happens, TDISP requires the device FW to destroy all memory allocated to the device and return to the CONFIG_UNLOCK state. At that point the TVM can't use the device anymore. > Given that PCI Functional space, (where the BARs are), is very very much > protected against everything, I can't see how a TVM would be able to > independently evaluate that. Thus... the need for a strong connection up to > the physical trustworthiness evaluation? > I think this goes back to the measurements and signatures obtained from the device. The TVM can then use these to assess the trustworthiness of the TDISP implementation. > 4.4 Freshness model. > I can see how nonces would work, but in the context of PCIe, I'd think that > Epoch IDs would need to be distributed via some kind of PCI broadcast. > We assume the existence of a coordinator (e.g., a lead attester) to distribute the freshness obtained from the challenger (RP or verifier) to the assigned devices. The challenge can be either a nonce or an epoch marker, but this information is opaque to the devices. Note that in order to work in this context, the epoch marker must be compatible with the eat_nonce encoding requirements. > 7. SC is missing the point. Tell me about what can go wrong... and how we > prevent, detect or mitigate that using the techniques described. > It's good to reference the SC from 9711, but maybe explain for each section, > to which part of this document they apply. > > > tracking of a given workload across multiple TVM instances in both > > the temporal and spatial dimensions. > Fair enough, we will look into this. > Good terms, but probably not manager-compatible. > temporally: so across reboots of a specific piece of hardware > spatially: so across migrations between hardware, and even between data centers > (e.g., outsiders know if a customer fires supplier A and move to > supplier B?) > We will clarify this part. > > > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide > I lived in the Ottawa area for close to 30 years. Best regards, Mathieu > ** My working hours and your working hours may be different. ** > ** Please do not feel obligated to reply outside your normal working hours ** > > > > > _______________________________________________ > RATS mailing list -- rats@ietf.org > To unsubscribe send an email to rats-leave@ietf.org
- [Rats] comments on draft-poirier-rats-eat-da-09 Michael Richardson
- [Rats] Re: comments on draft-poirier-rats-eat-da-… Mathieu Poirier
- [Rats] Re: comments on draft-poirier-rats-eat-da-… Michael Richardson
- [Rats] Re: comments on draft-poirier-rats-eat-da-… Mathieu Poirier
- [Rats] Re: comments on draft-poirier-rats-eat-da-… Michael Richardson