Re: [Rats] Propose a new event-log-type in CHARRA

Meiling Chen <> Wed, 02 September 2020 02:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6402C3A09DA; Tue, 1 Sep 2020 19:02:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 60BqVlEnS-Vb; Tue, 1 Sep 2020 19:02:20 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 0EBF73A09E8; Tue, 1 Sep 2020 19:02:18 -0700 (PDT)
Received: from (unknown[]) by rmmx-syy-dmz-app10-12010 (RichMail) with SMTP id 2eea5f4efd1d26b-d76ab; Wed, 02 Sep 2020 10:02:06 +0800 (CST)
X-RM-TRANSID: 2eea5f4efd1d26b-d76ab
X-RM-TagInfo: emlType=0
X-RM-SPAM-FLAG: 00000000
Received: from cmcc-PC (unknown[]) by rmsmtp-syy-appsvr06-12006 (RichMail) with SMTP id 2ee65f4efd1bdad-68d83; Wed, 02 Sep 2020 10:02:06 +0800 (CST)
X-RM-TRANSID: 2ee65f4efd1bdad-68d83
Date: Wed, 02 Sep 2020 10:02:05 +0800
From: Meiling Chen <>
To: "Panwei (William)" <>, "" <>
Cc: "" <>
References: <>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail[cn]
Mime-Version: 1.0
Message-ID: <>
Content-Type: multipart/alternative; boundary="----=_001_NextPart703851482113_=----"
Archived-At: <>
Subject: Re: [Rats] Propose a new event-log-type in CHARRA
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Sep 2020 02:02:23 -0000

Hi all, 
support +1,
Whether the boot process is deterministic is debatable, but recording the intermediate process is also a must.
It is recommended to add the other two attributes:
  the type of log: such as warning, error, normally
  event log time: record exactly when log was produced

From: Panwei (William)
Date: 2020-08-28 21:53
Subject: [Rats] Propose a new event-log-type in CHARRA
Hi authors, all,
We’ve proposed a new attested-event-log-type in the Github (PR#5) a while ago, but unfortunately there is little discussion about it. This is also mentioned at IETF 108 meeting. I think it might be better to bring this topic to the mailing list and give more description about it.
The blue part below is the format of the new type of log that we propose. It literally looks somewhat similar to the IMA log format, because it uses part of the IMA’s concepts in the devices boot measurement.
When the device boots, it needs to load/execute a lot of files, but the order in which these files are loaded/executed is not deterministic or hard to keep fixed, so it’s difficult to give an accurate reference value.
The method to overcome this difficulty is below:
1. The Attester measures each file before execution, extends the hash value of the file into PCR, and records the measurement information of the file in the log.
2. When doing the remote attestation, the Attester sends the final values of the PCRs and the detailed logs to the Verifier.
3. The Verifier has a list of reference values for all files. It compares the hash value of each file recorded in the log with the corresponding reference value. If all files’ hash values match with their reference values, then the Verifier extends the hash values one by one according to the order recorded in the log, gets the final value, and compares the final value with the PCR value sent by the Attester.
Based on this method, we propose the new type of log. Any thoughts?
+--ro output
   +--ro system-event-logs
      +--ro node-data* []
         +--ro tpm-name?     string
         +--ro up-time?      uint32
         +--ro log-result
            +--ro (attested-event-log-type)
               |  +--ro bios-event-logs
               |     +--ro bios-event-entry* [event-number]
               |        +--ro event-number    uint32
               |        +--ro event-type?     uint32
               |        +--ro pcr-index?      pcr
               |        +--ro digest-list* []
               |        |  +--ro hash-algo?   identityref
               |        |  +--ro digest*      binary
               |        +--ro event-size?     uint32
               |        +--ro event-data*     uint8
               |  +--ro boot-event-logs
               |     +--ro boot-event-entry* [event-number]
               |        +--ro event-number               uint64
               |        +--ro filename-hint?             string
               |        +--ro filedata-hash?             binary
               |        +--ro filedata-hash-algorithm?   string
               |        +--ro file-version?              string
               |        +--ro file-type?                 string
               |        +--ro pcr-index?                 pcr
                  +--ro ima-event-logs
                     +--ro ima-event-entry* [event-number]
                        +--ro event-number               uint64
                        +--ro ima-template?              string
                        +--ro filename-hint?             string
                        +--ro filedata-hash?             binary
                        +--ro filedata-hash-algorithm?   string
                        +--ro template-hash-algorithm?   string
                        +--ro template-hash?             binary
                        +--ro pcr-index?                 pcr
                        +--ro signature?                 binary
Regards & Thanks!
Wei Pan