Re: [Rats] RATS Digest, Vol 36, Issue 1

"Oliver, Ian (Nokia - FI/Espoo)" <ian.oliver@nokia-bell-labs.com> Mon, 03 May 2021 07:36 UTC

From: "Oliver, Ian (Nokia - FI/Espoo)" <ian.oliver@nokia-bell-labs.com>
To: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: RATS Digest, Vol 36, Issue 1
Date: Mon, 03 May 2021 07:36:29 +0000
Message-ID: <HE1PR07MB4252DC6151A21BDBD2F185308F5B9@HE1PR07MB4252.eurprd07.prod.outlook.com>
References: <mailman.2273.1620023633.7119.rats@ietf.org>
In-Reply-To: <mailman.2273.1620023633.7119.rats@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/0iK5ZwRWUKj7JqI1nBssQJ6bfhM>
Subject: Re: [Rats] RATS Digest, Vol 36, Issue 1
List-Id: Remote ATtestation procedureS <rats.ietf.org>

Say a device has two attesting environments. Are they layered or composite?

By my theory of layered attestation, they are composite only if there are endorsements for both. It is layered when one attesting environment supplies claims that are the basis of trust in the other.

In this theory, it doesn’t matter how the two attesting environments are implemented. The subsystem that one runs in could be involved with secured/trusted boot/start of the other (staged boot and such), but that is not what determines if it is layered or not. What matters is what manifests in RATS protocols.


My take on this is that they are independent - at least up to the verification stage.

Consider a typical x86 server with TXT, UEFI and TPM - I could attest this via the TPM by obtaining a quote, *or* I could attest whether this machine has successfully verified its bootloader/kernel via UEFI, *or* I could extract the ACPI TPM2 table and verify that against some criteria, *or*, I could just query whether TXT was successful (txt-stat).

I would consider it up to the verifier to decide whether these are composite - which in effect they are in this case - and that, for a device to be trusted I would need to ensure at minimum, the TPM quote is correct *and* the bootloader/kernel passes the secure boot verification. If I were more paranoid then I'd additionally audit the eventlog etc.

Is this what you mean?


--

Dr. Ian Oliver

Cybersecurity Research

Distinguished Member of Technical Staff

Nokia Bell Labs

+358 50 483 6237
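
One way to express the verifier policy sketched in the reply above, as an added example that is not part of the original message: each attesting environment's evidence is reduced to its own result independently, and the verifier's rule (TPM quote valid AND secure boot passed, with a "paranoid" mode that also replays the event log against the quoted PCRs) combines them. The result names, sample values and event log are constructed assumptions.

```python
import hashlib

# Constructed sample: the four independent checks from the reply, each already
# reduced by its own verification step to a pass/fail result. In a deployment
# these would come from a TPM2 quote check, UEFI Secure Boot state, the ACPI
# TPM2 table and txt-stat respectively (the key names are assumptions).
SAMPLE_RESULTS = {
    "tpm_quote_valid": True,     # quote signature and nonce checked
    "uefi_secure_boot": True,    # bootloader/kernel verified by UEFI
    "acpi_tpm2_table_ok": True,  # table met the expected criteria
    "txt_successful": False,     # txt-stat reported TXT did not complete
}

# Constructed event log: (pcr_index, sha256 digest of the measured object).
SAMPLE_EVENT_LOG = [
    (0, hashlib.sha256(b"firmware-volume").digest()),
    (4, hashlib.sha256(b"bootloader").digest()),
    (4, hashlib.sha256(b"kernel").digest()),
]


def replay_event_log(events):
    """Replay TPM PCR extends: PCR' = SHA256(PCR || digest), from all-zero PCRs."""
    pcrs = {}
    for index, digest in events:
        current = pcrs.get(index, bytes(32))
        pcrs[index] = hashlib.sha256(current + digest).digest()
    return pcrs


def composite_decision(results, quoted_pcrs=None, event_log=None, paranoid=False):
    """Minimum policy: TPM quote valid AND secure boot passed.

    Paranoid policy additionally requires the supplied event log to replay
    to exactly the PCR values carried in the quote; missing inputs fail closed.
    """
    if not (results["tpm_quote_valid"] and results["uefi_secure_boot"]):
        return False
    if paranoid:
        if quoted_pcrs is None or event_log is None:
            return False  # cannot audit what was not supplied
        return replay_event_log(event_log) == quoted_pcrs
    return True
```

The minimum policy deliberately ignores the ACPI and TXT results, as in the reply; a stricter verifier would simply add them to the conjunction.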

________________________________
From: RATS <rats-bounces@ietf.org> on behalf of rats-request@ietf.org <rats-request@ietf.org>
Sent: 03 May 2021 09:33
To: rats@ietf.org <rats@ietf.org>
Subject: RATS Digest, Vol 36, Issue 1
