Re: [Rats] EAT claims needed by TEEP

Laurence Lundblade <lgl@island-resort.com> Thu, 29 October 2020 20:02 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC8FF3A0A9F for <rats@ietfa.amsl.com>; Thu, 29 Oct 2020 13:02:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.261
X-Spam-Level:
X-Spam-Status: No, score=-0.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, LH_URI_DOM_IN_PATH=1.533, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HAstI7ZviMxD for <rats@ietfa.amsl.com>; Thu, 29 Oct 2020 13:02:44 -0700 (PDT)
Received: from p3plsmtpa07-01.prod.phx3.secureserver.net (p3plsmtpa07-01.prod.phx3.secureserver.net [173.201.192.230]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1B0E3A0A06 for <rats@ietf.org>; Thu, 29 Oct 2020 13:02:43 -0700 (PDT)
Received: from [192.168.1.81] ([76.167.193.86]) by :SMTPAUTH: with ESMTPA id YE8AkgjHCt9NIYE8BkjmHZ; Thu, 29 Oct 2020 13:02:43 -0700
X-CMAE-Analysis: v=2.4 cv=Gd/SISbL c=1 sm=1 tr=0 ts=5f9b1fe3 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=7CQSdrXTAAAA:8 a=48vgC7mUAAAA:8 a=K6EGIJCdAAAA:8 a=yMhMjlubAAAA:8 a=UqCG9HQmAAAA:8 a=0XtbOteLAAAA:20 a=4XpDxwsG_RfU1CSojpIA:9 a=1X7SEse2vR9V7PBw:21 a=GcDnrxg9NVd9-G67:21 a=QEXdDO2ut3YA:10 a=xBUbfIdvo0FSlxAXXXAA:9 a=VZS-tT9bwXdszHz7:21 a=-0RGd8Tt2vlzolef:21 a=ZUW6dXMnZq9r3_3c:21 a=_W_S_7VecoQA:10 a=a-qgeE7W1pNrGK8U0ZQC:22 a=w1C3t2QeGrPiZgrLijVG:22 a=L6pVIi0Kn1GYQfi8-iRI:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <2D53BD60-4FA8-4153-B28B-585E902845AE@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_177CD464-4436-4B17-A712-A2657F621E93"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Thu, 29 Oct 2020 13:02:42 -0700
In-Reply-To: <AM6PR08MB342916CCDD01E8698BB3C883EF170@AM6PR08MB3429.eurprd08.prod.outlook.com>
Cc: Dave Thaler <dthaler@microsoft.com>, "rats@ietf.org" <rats@ietf.org>, teep <teep@ietf.org>
To: Simon Frost <Simon.Frost@arm.com>
References: <BL0PR2101MB102770B8E03B95A44497004CA3190@BL0PR2101MB1027.namprd21.prod.outlook.com> <7607E6BF-459C-4A32-AAE2-08117A97E06B@island-resort.com> <BL0PR2101MB1027EA205417DAF375BA7085A3160@BL0PR2101MB1027.namprd21.prod.outlook.com> <B1FDD70B-2530-454C-90AF-F44EEDC4F1F3@island-resort.com> <AM6PR08MB342916CCDD01E8698BB3C883EF170@AM6PR08MB3429.eurprd08.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.104.17)
X-CMAE-Envelope: MS4xfEQeJpYx64k9cCTY1qPeln9tf8eQTw3GxTj9TAcWpTbSqRjE+UDLWlDxTGGFa7fFmkVfVeyTinHAiih28mRQaQZtKMcYJMyLx4tl6FPHy1huIRifbAz1 +pG1jFEOvRi9Ez7rvT9n8c/6bDRsCbkh9m6JCvn4KJfDVQPpEv/OviIVFHI2a1qLVNS647crELtqNf6OqVp/2sk5XXiEthU9ASOgOW+3vsimI6+yH+r7Efse dFYPSyrdeH/GuViqbdA2AFRmHiTUgofgROR06g1VYQA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/8qIiyqqK5RayBvxFGgJzexufkXg>
Subject: Re: [Rats] EAT claims needed by TEEP
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2020 20:02:50 -0000

> On Oct 28, 2020, at 11:14 AM, Simon Frost <Simon.Frost@arm.com> wrote:
> 
> Note that some of the Arm team will be attending the upcoming hackathon and had been discussing doing some work there on describing components with CoSWID via EAT. This builds on some implementation work already completed as part of an Arm project that will shortly be upstreamed.
>  
> The PSA EAT profile originally introduced a hardware version based on an EAN-13. This was used as a reference to a general set of hardware in a certification scheme. Further work has shown this format is not suitable and it has will be deprecated in a future releases of the profile. The PSA profile also contains an ‘ImplementationID’ claim (byte string of sufficient size to hold a SHA2 hash) which is intended to be used as a much more specific identifier of a hardware group. The intent here is that reference values for an ImplementationID can be known by a verifier to assist appraisal policy.

I think we want to have a claim that is clearly and explicitly a HW version. There can be additional claims to look up reference values or other stuff Verifiers need. All claims are optional so, implementations that only use something like ImplementID can leave out HW version.

I think we should keep EAN-13 as an option, even though it won’t work for everyone.

In addition to EAN-13 versions, we can just define byte string, or we can go a lot further by reusing the version scheme from CoSWID. Here’s some of the types.

   +-------+-------------------------+--------------------------------+
   | Index | Version Scheme Name     | Definition                     |
   +=======+=========================+================================+
   | 1     | multipartnumeric        | Numbers separated by dots,     |
   |       |                         | where the numbers are          |
   |       |                         | interpreted as integers (e.g., |
   |       |                         | 1.2.3, 1.4.5, 1.2.3.4.5.6.7)   |
   +-------+-------------------------+--------------------------------+
   | 2     | multipartnumeric+suffix | Numbers separated by dots,     |
   |       |                         | where the numbers are          |
   |       |                         | interpreted as integers with   |
   |       |                         | an additional textual suffix   |
   |       |                         | (e.g., 1.2.3a)                 |
   +-------+-------------------------+--------------------------------+
   | 3     | alphanumeric            | Strictly a string, sorting is  |
   |       |                         | done alphanumerically          |
   +-------+-------------------------+--------------------------------+
   | 4     | decimal                 | A floating point number (e.g., |
   |       |                         | 1.25 is less than 1.3)         |
   +-------+-------------------------+--------------------------------+
   | 16384 | semver                  | Follows the [SEMVER <https://tools.ietf.org/html/draft-ietf-sacm-coswid-15#ref-SEMVER>]           |
   |       |                         | specification                  |
   +-------+-------------------------+--------------------------------+

My understanding is that they are always encoded as CBOR text strings, so floating-point doesn’t mean #7.25 or such.

LL



>  
> Thanks
> Simon
>  
> From: Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>> 
> Sent: 27 October 2020 20:45
> To: Dave Thaler <dthaler@microsoft.com <mailto:dthaler@microsoft.com>>
> Cc: rats@ietf.org <mailto:rats@ietf.org>; teep <teep@ietf.org <mailto:teep@ietf.org>>
> Subject: Re: [Rats] EAT claims needed by TEEP
>  
> CoSWID should cover all the identification of vendors, models, versions and stuff for SW. If it doesn’t talk to Henk about fixes to CoSWID. :-)
>  
> For HW, there is OEMID and recently proposed chip version, board version and device version. It seems like we need a model number claim for HW. I will work on that.
>  
> Seems like submodules would be used to organize claims for layered attestation and all of the above claims can occur in any submodule they need to.
>  
> Does this mostly cover it? 
>  
> I worry that the HW claims are bit too rigid in their use of EAN-13 and IEEE registries. Might need to do something about that.
>  
> LL
>  
> 
> 
> On Oct 27, 2020, at 1:26 PM, Dave Thaler <dthaler@microsoft.com <mailto:dthaler@microsoft.com>> wrote:
>  
> Inline below…
>  
> From: Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>> 
> Sent: Tuesday, October 27, 2020 11:57 AM
> To: Dave Thaler <dthaler@microsoft.com <mailto:dthaler@microsoft.com>>
> Cc: rats@ietf.org <mailto:rats@ietf.org>; teep <teep@ietf.org <mailto:teep@ietf.org>>
> Subject: Re: [Rats] EAT claims needed by TEEP
>  
> Personally, I think attestation of TEE’s is pretty important and should be handled well in EAT. So I’m interested in working on and adding claims for this to EAT.
>  
> After reading section 7.1 in TEEP architecture, it does seem like there some work to do here to get to specific standardized interoperable claims.
>  
> More comments below.
> 
> 
> 
> On Oct 26, 2020, at 3:15 PM, Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org <mailto:dthaler=40microsoft.com@dmarc.ietf.org>> wrote:
>  
> As discussed in previous IETF meetings, if there are claims beyond the base set that
> other WGs need, they can be specified by the other WGs with review by RATS.
>  
> The TEEP WG needs the following in EATs and I am not sure whether they can be
> covered by existing claims or whether TEEP-specific claims are needed.  From
> section 7.1 of draft-ietf-teep-architecture:
>  
> Ø     -  Device Identifying Information: TEEP attestations may need to
> Ø        uniquely identify a device to the TAM.  Unique device
> Ø        identification allows the TAM to provide services to the device,
> Ø        such as managing installed TAs, and providing subscriptions to
> Ø        services, and locating device-specific keying material to
> Ø        communicate with or authenticate the device.
>  
> I believe the Universal Entity ID Claim (ueid) is claim that meets the above requirement.
> But the TEEP arch then goes on to say:
>  
> Ø        In some use cases it
> Ø        may be sufficient to identify only the class of the device.  The
> Ø        security and privacy requirements regarding device identification
> Ø        will vary with the type of TA provisioned to the TEE.
> Which EAT claim contains the device class? The closest thing I see is OEM Identification by IEEE (oemid)
> but I am not sure that is sufficient since it's only the OEM not the device class from that OEM.
> This doesn’t seem like something that should be TEEP specific though, so can someone tell me how to
> represent device class using the claims in the EAT spec?
>  
> I don’t think the OEMID, UEID or other should be (ab)used  to represent device class. That would result in them being less reliable and useful in a generic sense. We should come up with a new claim.
>  
> +1
>  
> We can define a claim to be  the device class and make it a byte string like a UEID, but I think we have to go further to make it useful as an interoperable standardize claim. There has to be some method for the classification. TrustZone vs hypervisor based? Fast vs slow? Has a protected mode kernel and TAs? The TEEP document doesn’t say. This seems problematic without a classification scheme.
>  
> [DT] I’m not sure we need a classification scheme, at least for TEEP.  A simple device class byte string as you suggest would suffice in my opinion.
>  
> I wonder if the intent is more about grouping, in which case we can define a GEID (Group Entity ID) that looks a lot like a UEID. That seems useful and sensible to me. It is not about classification based on any characteristics. It lines up with the privacy preserving technique of one key per 100,000 devices.
>  
> Ø     -  TEE Identifying Information: The type of TEE that generated this
> Ø        attestation must be identified, including version identification
> Ø        information such as the hardware, firmware, and software version
> Ø        of the TEE, as applicable by the TEE type.  TEE manufacturer
> Ø        information for the TEE is required in order to disambiguate the
> Ø        same TEE type created by different manufacturers and address
> Ø        considerations around manufacturer provisioning, keying and
> Ø        support for the TEE.
>  
> Similarly for this requirement, the closest thing I see is Origination Claim (origination) but I am not sure
> that is sufficient since it's just the manufacturer not the "version identification information such as the
> hardware, firmware, and software version of the TEE”
>  
> Definitely not origination claim. 
>  
> +1
>  
> The intent of it something like Endorser identification and I think it should be replaced by an Endorser/X.509 cert URL.
>  
> I would say, this is a combination of claims
>  
> It’s just used:
> 1)     For a Verifier in appraising the evidence (nothing TEEP specific here, appraisal policy can involve any claim), and
> 2)     To be used by a TAM to decide which TA’s apply to the TEE.  In that sense it’s just like any other vendor id + device class for any non TEE, and I believe if there were a byte string for device class as you suggest that would be sufficient in my opinion.
>  
> Keeping in mind the “layered attestation” concept in the arch doc, as long as we have a claimset per layer, then I think the same “vendor id” and “class” claims that would apply to any device could be reused for the TEE, and reused for describing each layer.  E.g., a “version” claim would apply at the hardware layer and be the hardware version, at the firmware layer and be a firmware version, at the OS layer and be an OS version, etc.
>  
>  
> I’ve just added a PR <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-rats-wg%2Feat%2Fpull%2F68&data=04%7C01%7Cdthaler%40microsoft.com%7Cab1ee7788f1f4d449c5508d87aaa3006%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637394218658895685%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=JyNCTwUJvkCPk3H9uYmD0BLfUXPu6vhnQomkIqiqiUM%3D&reserved=0> for HW version claims.
>  
> The intent for SW version claims is to use CoSWID. We should probably create some examples to see if it can represent what TEEP wants to represent.
>  
> Agree this sounds promising.
>  
> The paragraph mentions “type of TEE”. I’m not sure what is intended. I don’t know of any common taxonomy for classifying TEEs.
>  
> A unique identifier is sufficient in my view, no “classification” or “taxonomy” is required by anything that the TEEP WG has discussed to date, as far as I know.
> 
> 
> Should the TEEP WG define TEEP-specific claims for such information?
>  
> I’d like to see most of them go into EAT unless they are super specific to TEEP (TEEP not TEEs). I think there is value in broad standardize claims as it promotes interoperability of RATS.
>  
> Sounds good to me.   Consider this a request to add some way to express “vendor id”, “model” (or “class” or whatever you want to call it), and “version” as claims that can be applied in claimsets at various layers.   I glanced at the PR you referenced and it seems to be a chip-specific version, not a generic version claim that can be used at multiple layers, so is not sufficient to meet the TEEP arch draft’s requirements, we still need other claims added.
>  
> Thanks!
> Dave
>  
> LL
>  
> 
> 
> 
>  
> Dave
> _______________________________________________
> RATS mailing list
> RATS@ietf.org <mailto:RATS@ietf.org>
> https://www.ietf.org/mailman/listinfo/rats <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Frats&data=04%7C01%7Cdthaler%40microsoft.com%7Cab1ee7788f1f4d449c5508d87aaa3006%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637394218658895685%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=O5LJZBw%2B6huYU7BrNSgOUQNw2H5uoDGwZj09%2FPghKrI%3D&reserved=0>
>  
>  
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.