Re: [Rats] watchdog use case ... RE: Use cases in draft-ietf-rats-architecture-04
Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 17 June 2020 12:21 UTC
Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4115E3A00B3 for <rats@ietfa.amsl.com>; Wed, 17 Jun 2020 05:21:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0lLIi_uGyuV8 for <rats@ietfa.amsl.com>; Wed, 17 Jun 2020 05:21:48 -0700 (PDT)
Received: from mail-edgeKA27.fraunhofer.de (mail-edgeka27.fraunhofer.de [153.96.1.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBC883A0062 for <rats@ietf.org>; Wed, 17 Jun 2020 05:21:46 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2HQBQAtCupe/xmnZsBmHAEBAQEBAQcBARIBAQQEAQFAgUoCgXmBHoEzCoQakQiaFIFfCQsBAQEBAQEBAQEGAQEYCwoCBAEBAoFOgnUCghwBJDgTAhABAQYBAQEBAQYEAgKGFwYnDEIWAYJ8fgEBAQEBAQEBAQEBAQEBAQEBAQEWAkNVEgEBHQEBAQEDAQEhDwEFNgIJDAQJAhEBAwEBAQICJgICJyACBggGAQwBBQIBAYMiAYJ8BAuabJsEdoEyhVGDcIE6BoEOKgGLPIEPDw+BTD8maycPglo+glwBAYEhCQESAQcBAUSCaIJgBI51gyyhH1ooB4FYgQWBBgQLkj6FQAUKHYJwNYhlhG0GjWuRHYFjnFACBAIJAhWBaoEJcE0kT4JpUBcCDVWJM4RNbgECh12FRHI3AgYBBwEBAwl8jHeBbAGBEAEB
X-IPAS-Result: A2HQBQAtCupe/xmnZsBmHAEBAQEBAQcBARIBAQQEAQFAgUoCgXmBHoEzCoQakQiaFIFfCQsBAQEBAQEBAQEGAQEYCwoCBAEBAoFOgnUCghwBJDgTAhABAQYBAQEBAQYEAgKGFwYnDEIWAYJ8fgEBAQEBAQEBAQEBAQEBAQEBAQEWAkNVEgEBHQEBAQEDAQEhDwEFNgIJDAQJAhEBAwEBAQICJgICJyACBggGAQwBBQIBAYMiAYJ8BAuabJsEdoEyhVGDcIE6BoEOKgGLPIEPDw+BTD8maycPglo+glwBAYEhCQESAQcBAUSCaIJgBI51gyyhH1ooB4FYgQWBBgQLkj6FQAUKHYJwNYhlhG0GjWuRHYFjnFACBAIJAhWBaoEJcE0kT4JpUBcCDVWJM4RNbgECh12FRHI3AgYBBwEBAwl8jHeBbAGBEAEB
X-IronPort-AV: E=Sophos;i="5.73,522,1583190000"; d="scan'208";a="22511417"
Received: from mail-mtadd25.fraunhofer.de ([192.102.167.25]) by mail-edgeKA27.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Jun 2020 14:21:44 +0200
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AHBwC3Cepe/1lIDI1mHAEBAQEBAQcBARIBAQQEAQFAgUoCgXkvbwNUMCwKhBqRCJoUgWgLAQMBAQEBAQYBARgLCgIEAQGBUIJ1AoIaAiQ4EwIQAQEFAQEBAgEGBG2FLgYnDEIWAYUZAQEBAQMBASEPAQU2AgkMBAkCEQEDAQEBAgImAgInIAIGCAYBDAEFAgEBgyIBgwALmmebBHaBMoVRg3GBOgaBDioBizyBDw8PgUw/JmsnD4JaPoJcAQGBIQkBEgEHAQFEgmiCYASOdYMsoR9aKAeBWIEFgQYEC5I+hUAFCh2CcDWIZYRtBo1rkR2BY5xQAgQCCQIVgWoiZnBNJE+CaVAXAg1ViTOETW4BAoddhURBMTcCBgEHAQEDCXyMd4FsAYEQAQE
X-IronPort-AV: E=Sophos;i="5.73,522,1583190000"; d="scan'208";a="84341304"
Received: from mailext.sit.fraunhofer.de ([141.12.72.89]) by mail-mtaDD25.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Jun 2020 14:21:41 +0200
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id 05HCLeKg016681 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Wed, 17 Jun 2020 14:21:40 +0200
Received: from [192.168.16.50] (79.234.115.101) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.487.0; Wed, 17 Jun 2020 14:21:35 +0200
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "Oliver, Ian (Nokia - FI/Espoo)" <ian.oliver@nokia-bell-labs.com>, "rats@ietf.org" <rats@ietf.org>
References: <AM0PR08MB3716A2C59320D3FB8D403FADFA9D0@AM0PR08MB3716.eurprd08.prod.outlook.com> <12088.1592338780@localhost> <AM0PR08MB3716F8C518E0CDF43FA23D40FA9A0@AM0PR08MB3716.eurprd08.prod.outlook.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <53a1c6c3-5e85-cb04-b10b-e0d8d5b5ded5@sit.fraunhofer.de>
Date: Wed, 17 Jun 2020 14:21:35 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <AM0PR08MB3716F8C518E0CDF43FA23D40FA9A0@AM0PR08MB3716.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [79.234.115.101]
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/7o7V2BhGEYVbJqP4rgqbYOztxIA>
Subject: Re: [Rats] watchdog use case ... RE: Use cases in draft-ietf-rats-architecture-04
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2020 12:21:51 -0000
Hi Hannes, the fact remains that the corresponding use case text alone was not enough to get you exited (I am glad that you are now *g*). Are you in a position to maybe provide a proposal how to rephrase the use case description in a way that would have helped you from the very start? Viele Grüße, Henk On 17.06.20 14:17, Hannes Tschofenig wrote: > Hi Michael, > > thanks for the reference to the TCG "Authenticated Countdown Timer" spec. I have not seen that spec before. > > It says: > > " > A typical example for the use of an ACT is as a watchdog timer that will cause a platform reset when the timer reaches > zero (expires). In a system using an ACT, a periodic platform action outside the TPM indicates that the timeout should > be set anew using TPM2_ACT_SetTimeout(). The most common reason why timeout is not set anew is that the local > system is not behaving properly because of some type of corruption (either inadvertent or malicious). The intent of > the timer is that, in the absence of a properly authorized timeout extension, the platform would be reset, putting it back > into a known state with the expectation that the corruption can be removed. > " > > Thanks for the description of a possible message flow. This makes much more sense to me now. > > In fact, we have the building blocks to get this working already when you combine the EAT token (for the attestation), the CWT for authorization (as mentioned in the TPM spec above), and SUIT (for the update of the software that is needed to fix the system). When we look at TEEP then we actually see these building blocks combined to get this use case working via a standardized protocol. > > Now I am excited about this and maybe someone in the RATS/TEEP group wants to prototype it. > > Ciao > Hannes > > -----Original Message----- > From: Michael Richardson <mcr+ietf@sandelman.ca> > Sent: Tuesday, June 16, 2020 10:20 PM > To: Hannes Tschofenig <Hannes.Tschofenig@arm.com> > Cc: Oliver, Ian (Nokia - FI/Espoo) <ian.oliver@nokia-bell-labs.com>; rats@ietf.org > Subject: Re: watchdog use case ... RE: [Rats] Use cases in draft-ietf-rats-architecture-04 > > > Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote: > > Could the authors of the use case explain the watchdog use case a bit > > more? > > Sure. > Dave's reference to the TCG "Authenticated Countdown Timer" is rather detailed, but perhaps misses the forest for the trees. > Perhaps I can be a bit more concise. > Ian, please let us know if this describes your situation as well. > > > I do not understand how this is supposed to work. How is the device > > allowed to reboot when it sends attestation information to a remote > > server? > > There are usual three parties: Attester, Verifier, Relying Party. > > The Attester (secure enclave/TPM/etc.) collects Evidence as to health and sends this to a remote Verifier. > > The Verify creates an Attestation Result as normal. > > But, in the case, the Relying Party is the Watch Dog timer in the TPM/secure enclave itself. So the Attestation Results are returned to the PC, and provided to the enclave. > > If the watch dog does not receive regular, and fresh, Attestation Results as to the systems' health, then it forces a reboot. > > > If malware prevents the device from rebooting, as the text indicates, > > why doesn't that malware also prevent the interaction with the > > attestation server (for example, pretending that network connectivity > > is down)? > > The arrangement is that of a deadman's switch: if the malware were to prevent the communication, then the watch dog would go off. > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =- > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats >
- [Rats] watchdog use case ... RE: Use cases in dra… Hannes Tschofenig
- Re: [Rats] watchdog use case ... RE: Use cases in… Dave Thaler
- Re: [Rats] watchdog use case ... RE: Use cases in… Michael Richardson
- Re: [Rats] watchdog use case ... RE: Use cases in… Hannes Tschofenig
- Re: [Rats] watchdog use case ... RE: Use cases in… Henk Birkholz
- Re: [Rats] watchdog use case ... RE: Use cases in… Hannes Tschofenig
- Re: [Rats] watchdog use case ... RE: Use cases in… Ira McDonald
- Re: [Rats] watchdog use case ... RE: Use cases in… Henk Birkholz