[Rats] TPM background for RIV

Guy Fedorkow <gfedorkow@juniper.net> Tue, 25 August 2020 19:16 UTC

From: Guy Fedorkow <gfedorkow@juniper.net>
To: "rats@ietf.org" <rats@ietf.org>
CC: "Eric Voit (evoit)" <evoit@cisco.com>, "Jessica Fitzgerald-McKay (jmfmckay@gmail.com)" <jmfmckay@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/S1y4kNmpggMXgJHzSoaW79JtBqM>

A recent reviewer of the RIV document (that would be a RIViewer) pointed out
that the doc assumes that the fundamental behavior of a TPM for attestation
is already well known by the reader.  Of course that may not be the case.

  Rather than add more tutorial material to the body of the document, I'd
like to suggest adding the following subsection to the existing appendices,
with cross references in a couple places in the doc.

  Let me know if this looks like it would be helpful to new readers.

  Thanks

/guy

*Appendix

 

**Using a TPM for Attestation

 

  The Trusted Platform Module and surrounding ecosystem provide three
interlocking capabilities to enable secure collection of evidence from a
remote device: Platform Configuration Registers (PCRs), a Quote mechanism,
and a standardized Event Log.

 

  Each TPM has at least sixteen PCRs, each one large enough to hold one hash
value (SHA-1, SHA-256, and other algorithms can be used for this hashing
depending on TPM version).  PCRs can't be accessed directly from outside the
chip, but the TPM interface provides a way to "extend" a new security
measurement hash into any PCR, a process by which the existing value in the
PCR is hashed with the new security measurement hash, and the result placed
back into the same PCR.  The result is a composite fingerprint of all the
security measurements extended into each PCR since the system was reset.

 

  Every time a PCR is extended, an entry should be added to the
corresponding Event Log.  Logs contain the security measurement hash plus
informative fields offering hints as to what event it was that generated the
security measurement.  The Event Log itself is protected against accidental
manipulation, but it is implicitly tamper-evident - any verification process
can read the security measurement hash from the log events, compute the
composite value and compare that to what ended up in the PCR.   If there's a
discrepancy, the logs do not provide an accurate view of what was placed
into the PCR.

 

  The TPM provides another mechanism called a Quote that can read the
current value of the PCRs and package them into a data structure signed by
an Attestation Key (which is a private key that is known only to the TPM).

 

The Verifier uses the Quote and Log together.  The Quote, containing the
composite hash of the complete sequence of security measurement hashes, is
used to verify the integrity of the Event Log.  Each hash in the validated
Quote can then be compared to corresponding expected values in the set of
Reference Integrity Measurements to validate overall system integrity.

 

  Information about PCRs and Quotes can be found in {{TPM1.2}} and
{{TPM2.0}}.  Although there are several log formats, an example can be found
in {{XX}}
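
The log-against-Quote check described in the message above, as an added example that is not part of the original e-mail or of the RIV draft. It assumes a SHA-256 PCR bank that resets to all zeros, a constructed dict-based log format, and PCR values taken from a Quote whose signature has already been verified; all function and variable names are hypothetical.

```python
import hashlib
import hmac

PCR_RESET = bytes(32)  # assumption: SHA-256 bank, PCR is all zeros after reset

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Extend: hash the existing PCR value with the new measurement hash."""
    return hashlib.sha256(pcr + measurement).digest()

def replay(event_log):
    """Recompute the composite value of every PCR named in the log."""
    pcrs = {}
    for event in event_log:
        idx = event["pcr"]
        pcrs[idx] = extend(pcrs.get(idx, PCR_RESET), event["digest"])
    return pcrs

def check_log(event_log, quoted_pcrs):
    """Compare replayed PCR values with the values carried in the Quote.

    mismatched: quoted PCRs that the log does not reproduce.
    uncovered:  PCRs the log mentions but the Quote does not vouch for.
    """
    replayed = replay(event_log)
    mismatched = [i for i, quoted in sorted(quoted_pcrs.items())
                  if not hmac.compare_digest(replayed.get(i, PCR_RESET), quoted)]
    uncovered = sorted(set(replayed) - set(quoted_pcrs))
    return {"mismatched": mismatched, "uncovered": uncovered}

def measure(component: bytes) -> bytes:
    """Security measurement hash of a component image (constructed input)."""
    return hashlib.sha256(component).digest()

# Constructed sample log; "hint" stands in for the informative fields.
SAMPLE_LOG = [
    {"pcr": 0, "digest": measure(b"firmware image"), "hint": "firmware"},
    {"pcr": 0, "digest": measure(b"firmware config"), "hint": "firmware config"},
    {"pcr": 4, "digest": measure(b"boot loader"), "hint": "boot loader"},
]
# Stand-in for the PCR values a TPM would report in a signed Quote.
QUOTED = replay(SAMPLE_LOG)

def with_edited_event(log, position, component):
    """Copy of the log with one event's digest replaced (simulated edit)."""
    edited = [dict(event) for event in log]
    edited[position]["digest"] = measure(component)
    return edited

if __name__ == "__main__":
    print(check_log(SAMPLE_LOG, QUOTED))
    print(check_log(with_edited_event(SAMPLE_LOG, 1, b"other config"), QUOTED))
```

Because each extend hashes over the previous PCR value, an edited, dropped or reordered log entry changes the replayed composite and shows up under `mismatched`.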