Re: [Rats] EAT claims for composite and layered attestation
Laurence Lundblade <lgl@island-resort.com> Sat, 10 April 2021 19:50 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A07F03A193A for <rats@ietfa.amsl.com>; Sat, 10 Apr 2021 12:50:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.916
X-Spam-Level:
X-Spam-Status: No, score=-1.916 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KJMYJ2eRwvDd for <rats@ietfa.amsl.com>; Sat, 10 Apr 2021 12:50:42 -0700 (PDT)
Received: from p3plsmtpa07-09.prod.phx3.secureserver.net (p3plsmtpa07-09.prod.phx3.secureserver.net [173.201.192.238]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 837163A1939 for <rats@ietf.org>; Sat, 10 Apr 2021 12:50:42 -0700 (PDT)
Received: from [192.168.1.81] ([76.167.193.86]) by :SMTPAUTH: with ESMTPA id VJcvl0YYsdIHpVJcvl4kZA; Sat, 10 Apr 2021 12:50:41 -0700
X-CMAE-Analysis: v=2.4 cv=UdWU9IeN c=1 sm=1 tr=0 ts=60720191 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=0XtbOteLAAAA:20 a=QyXUC8HyAAAA:8 a=48vgC7mUAAAA:8 a=K6EGIJCdAAAA:8 a=xt6ew7UTAAAA:8 a=qEBIri3aM2xN_5tpVdwA:9 a=KzW4eGrKhGfi6lK1:21 a=B6PuNhNAEZU2Bp-g:21 a=QEXdDO2ut3YA:10 a=BcVNYV5MXGjEUz_FCB8A:9 a=SHB8E9ClKQFTI_Yc:21 a=r6abEea5LNzwka5g:21 a=N2EWjIIkH4onY9yN:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=L6pVIi0Kn1GYQfi8-iRI:22 a=tn93DeGZTgJ6DdWMtdD4:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <C76BDA71-D2D8-4EA4-B639-68EAD41707AC@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DFC06757-2A7F-435A-B6DF-5BFA422E2689"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Sat, 10 Apr 2021 12:50:41 -0700
In-Reply-To: <F3A7B322-D60E-41FC-981F-4A32F12922AB@intel.com>
Cc: "rats@ietf.org" <rats@ietf.org>
To: "Smith, Ned" <ned.smith@intel.com>
References: <9A7D356D-23EE-4E84-8682-E6E8C81E78E2@island-resort.com> <F3A7B322-D60E-41FC-981F-4A32F12922AB@intel.com>
X-Mailer: Apple Mail (2.3445.104.17)
X-CMAE-Envelope: MS4xfOGsCIxJwsqrwOiWuVLTwk4+LaPLXwxGJLJcqW21E8+NgqJwIQ6kqurLfWAAE/8R/BuTiDpQzwvfAlO083CZChHP38Z8OQq52FCBX5tSFODXnbPpwzyH vaSeyGYIbq6MaMHqLIysNrTYmvJqNFzz1AEBn1OTEEL2OJbT8RRbpKUR4vy2oqWpBeDYbO+biUfXshwaRXsm/ICBGhUZKwUiFDs=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/A686hMZY2EUPr6AIKaXImG7pC7o>
Subject: Re: [Rats] EAT claims for composite and layered attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Apr 2021 19:50:48 -0000
I’ve made a PR for EAT claims for layered attestation. https://github.com/ietf-rats-wg/eat/pull/105 LL > On Apr 5, 2021, at 1:29 PM, Smith, Ned <ned.smith@intel.com> wrote: > > See inline (NMS>) > > From: RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>> on behalf of Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>> > Date: Friday, April 2, 2021 at 11:51 AM > To: "rats@ietf.org <mailto:rats@ietf.org>" <rats@ietf.org <mailto:rats@ietf.org>> > Subject: [Rats] EAT claims for composite and layered attestation > > To try to get clarity on architecture for devices with multiple attesting environments, I’ve started thinking about what an EAT would look like for such. > > > I think composite attestation is straight forward. > > In composite attestation, the attesting environments are trusted independently. The verifier will get a separate endorsement for each attesting environment. There’s no claim in one set of attestation evidence that is involved in establishing another, so no special claims are needed. > > What is needed is the ability to embed the attestation evidence from one attesting environment in attestation evidence from another. We have that now in EAT with nested tokens in the submodule section. > > > The distinguishing characteristic of layered attestation is that the trust in attesting environments is NOT independent. One attesting environment plays a role in the verifier coming to trust another. > > There is clearly has to be root attesting environment, trust in which is established by the usual way, most likely by an endorsement from the manufacturer. > > From there, it seems there are two paths. > > In the first one, the root attesting environment can collect evidence about a layered attesting environment, put it in an EAT and send it to the verifier. It is the *verifier* that evaluates and decides on the trust in the layered attesting environment. Probably the evidence about the layered attesting environment appears in EAT as a submodule. The verifier will look at the evidence and decide if the layered attesting environment is trustworthy. It may look at measurements, debug state for the attesting environment. > > To complete, that submodule probably needs to contain the public key of the layered attesting environment. It probably needs to be clearly labeled as the verification key for attestations from that layered attesting environment, so we need to define a new claim for this. > > > In the second one, the *root attesting environment* is the one that decides whether the layered environment is trustworthy. It can do this however it sees fit. It might just trust it because they are in the same HW running from the same ROM. It might do some staged secure boot. It might do run time integrity checks. > > It then tells the verifier that the layered attesting environment is trustworthy. This basically amounts to the root attesting environment sending an endorsement or the equivalent of an endorsement to the verifier. The root attesting environment might construct the endorsement on the fly or > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > NMS> It would likely not be viewed by Verifier as an Endorsement unless it was signed by a trusted Endorser (aka mfg). Since, the root attesting env isn’t a traditional CA (that can be physically audited), the Verifier isn’t likely to have TA policy for it. It would likely still be considered a ‘device’. The TCG DICE Layering Architecture specificationhttps://trustedcomputinggroup.org/wp-content/uploads/DICE-Layering-Architecture-r19_pub.pdf <https://trustedcomputinggroup.org/wp-content/uploads/DICE-Layering-Architecture-r19_pub.pdf> describes this sort of thing as an ‘embedded CA’ because it issues the certificate for the next layer environment. It is also an Attesting Environment because it might also include Evidence in the certificate. > > This sort of root attesting environment wouldn’t be called an Endorser since it is also being called an Attesting Environment. The mfg CA that signs the root attesting env key is the likely line of demarcation; i.e., the mfg CA (and the cert chain to the root CA) is the Endorser, while the root attesting environment cert + any additional embedded CA issued certs + the ‘target environment’ claims would be the “Attester” Evidence. (Assuming Certs contain evidence extensions). > > Note: The https://trustedcomputinggroup.org/wp-content/uploads/TCG_DICE_Attestation_Architecture_r22_02dec2020.pdf <https://trustedcomputinggroup.org/wp-content/uploads/TCG_DICE_Attestation_Architecture_r22_02dec2020.pdf> defines an OID for UCCS evidence as a certificate extension. This might be used to include EAT claims as evidence in an X.509 certificate that is issued by an attesting environment in a layering pattern. > <SMN > > it might have been programmed in a the factory. > > Probably this endorsement should be in attestation evidence from the root attesting environment so that the verifier knows that the root attesting environment did the checks it needed to do. That means we need a claim that holds an endorsement like those based on X.509 or to consider some set of attestation evidence that includes a public key to be considered and endorsement. > > (I’ve worded this in terms of two layers, the root and a layered attesting environment. I don’t mean to exclude multiple layers, though there’s just one root). > > > I don’t really know what was intended by layered attestation in the architecture draft. It seems halfway the first path and halfway the second path. Seems just fine to have both paths, but they need to be described distinctly. I filed an issue <https://github.com/ietf-rats-wg/architecture/issues/293> and a PR <https://github.com/ietf-rats-wg/architecture/pull/294> to try to sort this out in the architecture document. Hopefully, this email helps clarify those. > > I’m interested in what the consensus is here before I go off and try to define the EAT claims I’ve mentioned above. > > LL > > > > >
- [Rats] EAT claims for composite and layered attes… Laurence Lundblade
- Re: [Rats] EAT claims for composite and layered a… Smith, Ned
- Re: [Rats] EAT claims for composite and layered a… Laurence Lundblade
- [Rats] -12 text on layered attestation (was Re: E… Laurence Lundblade
- Re: [Rats] -12 text on layered attestation (was R… Laurence Lundblade