IETF Logo Mail Archive

Re: [Rats] Two types of secure attestation

"Smith, Ned" <ned.smith@intel.com> Tue, 03 December 2019 20:14 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D26012002F for <rats@ietfa.amsl.com>; Tue, 3 Dec 2019 12:14:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level:
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_SBL=0.5, URIBL_SBL_A=0.1] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lhZoqg-l5eCR for <rats@ietfa.amsl.com>; Tue, 3 Dec 2019 12:14:35 -0800 (PST)
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAAE212000F for <rats@ietf.org>; Tue, 3 Dec 2019 12:14:35 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Dec 2019 12:14:35 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.69,274,1571727600"; d="scan'208,217";a="201127505"
Received: from orsmsx106.amr.corp.intel.com ([10.22.225.133]) by orsmga007.jf.intel.com with ESMTP; 03 Dec 2019 12:14:35 -0800
Received: from orsmsx109.amr.corp.intel.com ([169.254.11.161]) by ORSMSX106.amr.corp.intel.com ([169.254.1.150]) with mapi id 14.03.0439.000; Tue, 3 Dec 2019 12:14:34 -0800
From: "Smith, Ned" <ned.smith@intel.com>
To: Laurence Lundblade <lgl@island-resort.com>
CC: Monty Wiseman <montywiseman32@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Two types of secure attestation
Thread-Index: AQHVntzp4M6ZJzqVJUiVsZ6c2vuAXaeTFYmAgACwdgCAAA6xgIAAu9YAgAEdtgCAAAn4gIAABdyAgAADQoCAAAxJgIAAES0AgAEKygCAABdNAIACgfQA//+lc4CAAdh8AIAAS4gAgAS56wCAA0WiAIAEcVIAgAGqxQD//4bmAA==
Date: Tue, 03 Dec 2019 20:14:34 +0000
Message-ID: <74222797-B10C-41E0-B16B-4B81AD27DF3A@intel.com>
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com> <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com> <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com> <CAHbuEH4R4GZQCq9E1Nza8uPC=jxiM-FkV4tMrv9B==GsjvCLtw@mail.gmail.com> <34EB67FD-E76A-4132-87C4-C89EA70C9365@intel.com> <DC9F1051-E33A-477F-A855-2FBA33F8E8DF@island-resort.com> <cbb5f662-b073-5b5b-e504-56ea66b72744@sit.fraunhofer.de> <5A3105EA-8E54-4BB9-B266-96B6645811A1@island-resort.com> <c4967ed2-e484-d8c9-406b-8e1bb1b3b88d@sit.fraunhofer.de> <FF6F2CEE-1049-4B6C-8E12-9E21FE92D2F2@island-resort.com> <3285c3da-0748-5607-90ed-ac024ac826d0@sit.fraunhofer.de> <0384FAEE-6C5B-4A99-BBA0-F080DD27AA9B@island-resort.com> <def7a722-e357-a12a-1467-8ff8c442337e@sit.fraunhofer.de> <A9E1ED3A-80D1-4585-9029-A49CA5AE3AB6@island-resort.com> <52AC3EB5-1BD0-4A41-8EAD-5A779E125BF8@intel.com> <06543a46-8218-fa9c-827f-8a0e2d364963@sit.fraunhofer.de> <F74104BF-35C6-4375-A5A0-93FFA34619B6@island-resort.com> <7e387a02-4d49-3a52-572d-f7e61b4e729f@gmail.com> <29A9E618-69D4-4765-B516-2F8F69AB7406@island-resort.com> <A31A4379-AC39-44EA-8449-931692D43C32@intel.com> <86598EC5-8DA1-4A35-8C08-A30677BC0FF4@island-resort.com>
In-Reply-To: <86598EC5-8DA1-4A35-8C08-A30677BC0FF4@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1f.0.191110
x-originating-ip: [10.24.10.102]
Content-Type: multipart/alternative; boundary="_000_74222797B10C41E0B16B4B81AD27DF3Aintelcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/7B3e_emww1TOyguv1uIfIdxUj50>
Subject: Re: [Rats] Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2019 20:14:38 -0000

See inline [nms]

From: Laurence Lundblade <lgl@island-resort.com>
Date: Tuesday, December 3, 2019 at 11:28 AM
To: "Smith, Ned" <ned.smith@intel.com>
Cc: Monty Wiseman <montywiseman32@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Subject: Re: [Rats] Two types of secure attestation




On Dec 2, 2019, at 6:00 PM, Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>> wrote:

In both Measured Boot and Verified Boot the Relying Party is applying the (boot) Policy.

Maybe an exercise to map the various RATS roles onto the two forms of boot (Measured/Verified) would be helpful?
Measured Boot:

·         Attester performs: RTM --- Component --- Component --- Component --- End State

·         Verifier: Receives Evidence about the End State from the Attester and produces an Attestation Result of the form (End State is/is-not acceptable or it could also simply assert “End State” to the Relying Party)

·         Relying Party:  Boot Policy identifies Verifiers trusted to say end state is/is-not acceptable or lists acceptable/unacceptable end states that RP compares to Attestation Results asserted End State.


Yes, this makes sense.



Verified Boot:

·         Attesting Env (aka Root of Trust) is the RTV.

·         Attested Env executes: --- Component(A) and becomes Attesting Env for --- Component(B) etc…

o    For each stage of the boot process the Attesting Env Measures Attested Env; Attesting Env performs the Verifier Role and Relying Party Roles (as described above for Measured Boot). These are local Verfiers / Relying Parties.

Conceptually and technically, I understand this frame up and its generality.

However, I think the spirit of work in RATS is that the verifier and relying party are not local. The spirit of the definition of relying party is that is separate from the device OEM, for example a bank or an enterprise, that wants to know about device.
[nms] Agree that the spirit of RATS is that Verifier is remote e.g. “Remote ATtestation procedureS”. However, the architecture should allow for (and not artificially constrain) RATS Roles to be only remote since there are common scenarios that aren’t remote.

Most implementations today use proprietary formats in their implementation of Verified Boot.  There are lots of idiosyncrasies to it that depend on the HW and OS, boot speed requirements, updatability requirements, manufacturing requirements and so on. It is not a design goal of ours that Evidence and Result formats be useful for local verification internal to Verified Boot.
[nms] Agree. In at least one iteration of the RATS architecture the Roles and Actors were separable / composable and in cases where multiple Roles were performed by the same Actor, it was considered ‘uninteresting’ for RATS to define interoperability.

Since this is IETF, we should make the IP-based network protocols our focus.
[nms] And interoperable claims structures.


Here’s how I’d make some sense of the use cases for these in RATS
Verified Boot only

The OEM of the device controls the SW on it. The end user does not. The OEM provisions attestation key material that is only accessible when Verified Boot succeeds. This is classic EAT.
[nms] The Attester claims that a particular boot sequence occurred, possibly without explicitly identifying which software was used? It is up to the claim definition to define what it means to report the ending state of a verified boot. This claim is an attestation in every sense of the word.

Measure Boot only
The end user can install whatever SW they want. The OEM doesn’t control it. A remote Boot Measurement is sent as an attestation to the remote Verifier and on to the remote Relying Party. That Relying Party decides if they trust the device by comparing to known-good-values.
[nms] +1

Verified Boot + Measured Boot
The OEM controls SW on the device. The end user does not. Attestation can be performed either EAT style or Measured Boot style or both at the same time. If Measured Boot style, then a TPM is probably needed and adds to the BoM cost. If EAT style, the extra BoM cost is in the key set up and a little SW and HW to prevent the keys use when Verified Boot fails. If both, then both BoM cost additions.
[nms] DICE is probably a good example of hybrid of verified + measured boot. I don’t think it makes sense to stereotype RATS claims in terms of a particular RoT. Systems with TPM can also implement all of the above forms.

I think we want to support all three in RATS.
               [nms] Agree, but it may not be in the form of a single claim. It might make sense to use multiple claims. Possibly there should be profiles for how a set of claims might be needed to support one of the above three boot options?

All that said, I don’t know that much about the use of Measured Boot, in particular end-end use cases with a remote verifier and relying party. It would be really helpful to have description of some real concrete examples.

LL

v2.23.0 | Report a Bug | By Email