IETF Logo Mail Archive

Re: [Rats] Definition of an Attesting Environment (and layered attestation)

"Smith, Ned" <ned.smith@intel.com> Fri, 16 July 2021 23:30 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 558163A0AB8 for <rats@ietfa.amsl.com>; Fri, 16 Jul 2021 16:30:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=intel.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4jXgzssBpzhv for <rats@ietfa.amsl.com>; Fri, 16 Jul 2021 16:30:22 -0700 (PDT)
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C1BC3A0AB7 for <rats@ietf.org>; Fri, 16 Jul 2021 16:30:20 -0700 (PDT)
X-IronPort-AV: E=McAfee;i="6200,9189,10047"; a="296446257"
X-IronPort-AV: E=Sophos;i="5.84,246,1620716400"; d="scan'208,217";a="296446257"
Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Jul 2021 16:30:19 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.84,246,1620716400"; d="scan'208,217";a="429399474"
Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by fmsmga007.fm.intel.com with ESMTP; 16 Jul 2021 16:30:19 -0700
Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10; Fri, 16 Jul 2021 16:30:19 -0700
Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by orsmsx610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10 via Frontend Transport; Fri, 16 Jul 2021 16:30:19 -0700
Received: from NAM02-BN1-obe.outbound.protection.outlook.com (104.47.51.45) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.10; Fri, 16 Jul 2021 16:30:18 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VNWJhcukmqfxYe5xpw66kCYnk8DYvldW2muZHIjavB7vkAsXqJKtc+MAwuL28x9eAzOpY3P8Jp6lal+Ii7fds361R6X0L+hrnVvMnJ/I6pEx+KvbYFkuaLH1MnMQsRnN9yn0vi+2Def2+92DongQYdcegNaH02dt6tM/p1HZwJaXt0b0ZpbxzJHxu9ZSqHCyXxwP49UjdyDmveAHKB91ZsqXgpWUOPa0ZAtRjpfvCYsvD3GwItx1xNwXw1Nt7xkaKXdyid2d5qXR9KTTxU/ZT/lvdb6J3hAYamGzp+lKCYAK85GC0OB3VWYqfy0Bo5FxFV/rngeXG9SY5ZmEHbiV9Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QGkp9ysbQC9x14QrDt6f4dWaCtOitg0cXQf0sXyKhqc=; b=mHK3e5zTlU3kV+ipPOc9KMBUmQXpLlD+Jdst6wmqyMAyLOQB1GWjWZVf58TTKqwnbp7JjhR4tCSLmWbFr/Pumuk9N4o/AxxahvjKwQOAAwb1DBYafvWgkfEpdH/Uj/Bikz/kkCXa077RTX0AdYJ/Dx/8YpBmJpcRGI+CnHJnpX8wXnPxwbxX+pqMtuaEzZsN9kc0jmGES4Hh8vb5Z4ZlnjAcLNdYqcqQtcWZLEutgrML/Ff3CKvbF1T5dnQk/wpzppX1ZDr3kIdUORLdDXC+VMcJFTXdPUq42t2K8rw+JjU80aKy1/iNFX7OOjcgy9sYI+zwTX+BRKAhdaX6+4iKbA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QGkp9ysbQC9x14QrDt6f4dWaCtOitg0cXQf0sXyKhqc=; b=qAkRRLEk0o0zub/3goKtmJ1km84DQ01MSpmRS1zXDRTIvNTnhYVj9/KprGkB9ad+DyPhH+i9vVFTW/tx9M/8JGo9BUa84ejWfct2T2xQDCYGTXaBZ1dbXVBYHrQGMZV2qpbudfjPmPcG8N6ylrSrhRgxT48LJE/sH2YgCLaza4Q=
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by MWHPR11MB2030.namprd11.prod.outlook.com (2603:10b6:300:28::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4308.20; Fri, 16 Jul 2021 23:30:12 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::e9f3:b903:83f2:d244]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::e9f3:b903:83f2:d244%2]) with mapi id 15.20.4331.026; Fri, 16 Jul 2021 23:30:12 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Laurence Lundblade <lgl@island-resort.com>
CC: Thomas Fossati <tho.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Definition of an Attesting Environment (and layered attestation)
Thread-Index: AQHXaGmB6CwAiJX4JkiQuLOMsIY/wKsjG3sAgAIOywD//6t2gIAZYMaAgAL85ACAANTdAIAB9tIAgAIPvYD//+AMgA==
Date: Fri, 16 Jul 2021 23:30:12 +0000
Message-ID: <9FCC49EC-BFC4-4A8E-902C-2DE7B5F124B1@intel.com>
References: <617FC3B4-5C1B-4D35-BD4B-9AC2D1362930@island-resort.com> <CAObGJnNRbA1sKuTCBLpdUtLmjNW+qgRZrGd=dHZ7ZrfXkJJizw@mail.gmail.com> <5426682C-48CB-4D7D-A9DF-01FB17B168E8@island-resort.com> <9EDE7661-4443-4D2E-BF72-FBF238A6EF4D@intel.com> <CABF0A5F-DC51-4D38-8772-6351FA80E6A8@island-resort.com> <A998AEAF-3E1C-480A-866D-410D0B0D4362@intel.com> <B525A1CF-C9CE-46DC-BCCD-BF3BE6684A22@island-resort.com> <13651801-BEC5-450B-B814-BD85A1D1C08E@intel.com> <A663DF45-B72E-422B-85A2-05C0651D4550@island-resort.com>
In-Reply-To: <A663DF45-B72E-422B-85A2-05C0651D4550@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.51.21071101
authentication-results: island-resort.com; dkim=none (message not signed) header.d=none;island-resort.com; dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c38c70c9-3766-4675-eab0-08d948b1a88e
x-ms-traffictypediagnostic: MWHPR11MB2030:
x-microsoft-antispam-prvs: <MWHPR11MB2030F6CED3F0B7277A99A15DE5119@MWHPR11MB2030.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6108;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: U4iIbIra10USAYks9u7HpfzinRUURYXzpGxPAH3Ov9CA1SQXgl3UPThsr9nfohlCsVTAeS//cqwcseIpgRoE3RUm06k4Gzm33t7sAS0TH3RlX23+s8P0KC9hVFcnQ7WPYLRg4RKNaH1SYJTq3NPJQ+K+TEFvI/vKMtWt9utoMXhp29plUqy4c3oygCyYwrozmv/YzdrP8g0n4JESiNN82QShfRTvo6hCxMOw+1E06yzXyzMUNp+qLeQxshlaCRM5byBtVXKGGd5HUpoLJ/XME7G4357ffz8jSqcdW7+hL+VRyTFZqJJ3P7Qum2Sy3q8Jjil3iE0LIoHb04TvfQ7/N5/8sF1kVLO516LNR9Rm9UDPchzCLqHgGbRS3Q9naJXJjJVlRYHNcp4HZtvcfgNCBwu82/X0v0e2UdpWePIu5XrjXpkUhIwhg0yWLJQs3bOQS28QbGiY+10SAIS5G/qGD21O2iXuseA/eEFMGxcWbzBN19NBnZIGNvitMcy5QWppVEJrgcxivFurjxZGVPYZIOUnPiJLDZP1q/F9iEWUAfdXo6qIwT/s2pRx7fOmGwM+abzx6pVXiwUeyhSECLUiLKcimpqtpTfD20DYKl8fNf0uTvogA/oEiiRYT0R3Wa9Yrd4aaCzDfKw1wuGbgR3xUCK3jJ0myxV+9DY9eWeeS6WVb2d775N2K/8vTVCx82ImO7kLBFjtkfd4kVLlabZYAflsfYgBsHyz7mVqIsDiGcaPK5o5NXzLCO3pij3Kx6cn
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5169.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(39860400002)(366004)(376002)(346002)(136003)(83380400001)(54906003)(66556008)(4326008)(5660300002)(86362001)(6512007)(66476007)(64756008)(316002)(71200400001)(66946007)(186003)(2616005)(8676002)(36756003)(53546011)(33656002)(76116006)(478600001)(122000001)(6916009)(26005)(8936002)(6506007)(66446008)(38100700002)(6486002)(2906002)(38070700004)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: C5d/OFWxbN0QVndi+ZdmYNqLICEqHXyo6k9mUD+9kmfyBZxnX9ZK4gEhbxt3LZG/StiaxZSeXiq5U4ZVMIr5kPi1TYWgSFfw258uyj8CGamHOaw3o/RAc5gGeq3xvIkhaTUtEHXzM8LVzWv9C6uEV/3YfUJvkkTdp5UAN8NhVvatY2HLRDUDjfsB8Fh3DTgQkpakI9uGbfcBLMekha2oNh4WVOp6vSk2CKCjGvkKXQO0ZfRIespM+Wqi0nB2xwHMUwIu4C9CxIWm1Z/5LiwstwXaiO+pSZvteauzphLH6CC4L6WS3hpttCEDMcRk7/tjwEMIsN4h+OttEqNYce7JNsUMKGD6F/Ry2iI+8h5XgleI/2Qh+0quMMCoUyDFTFn1GW1RxRAdWROZkRvWNCaVr9SA6ivfoS8309wij8mTc4+c3UJF22E9zJn1CrMsOJwwbKNAT3OgyRo6kVE4fK8G0f4vw9PFhehng69aLsKEg6HQM6V1b9ZhPQcVGj8CnJzXSOqKbGj6TakKMznPB2tKjdgE5wQmJFlA64girgKJe6EhMrNoxUL1CYh9hVNi70iKw/5IvsGOGRRAVxmzA4o486IGZwPC0I+Q2i47iA6Hrwz0N1D+CeerumVFshuvqcf8NAnD+wHElQKJfj+Ri/vFRN6unRcsc2+rlaqqNOWrgJEbuzwOPMfhe7T13xNk/It12josrwDUjgmJM0/VwbuEBSnX2PrguaduO50riEcE385o6O1bOi51eZDeYPfDkxC83dgUotcpB1yZTd0tDUXOJDZMsE9xBPQ469n7zMSzWBm+x5mN/Qf9jKUjSJjREwMuv/JSPSoDyYCC+X26aFDePHvh1ild9Kp//NBhrXTtnJBTsr/dhfSfIRpP+5kaUuJXIAD/jF+xc6/uZmxNjubD1zS10kjitDnu94o8xTd9zzs9eADcxj3Psy5xqdj/tUSmlPpQbkJKUO/qZ9lrK5f1TIQlFyA3QPLHlHcE/12/J/Yh3mQe2iMV3JcFe/GUzMEIs5w5ViMkc34bLMuLGekG9DaZc+IJIjy8qVVNgHAYXv5LNCapUhHVe1hk6yAEKYyw1WDFtEu6WZUS1K3E0TSREfXCVMvjrtbN7RZEg+5//ryX0Bs/Rebw+0RSTg0HUc+5sRfq2DCNyG3uKCIawF6gywDBUs93LBtMnrro48EJYejkUmGIgAkCiwl3UUpNO3+FCf9MlPJdmwpillM3qd/HV0bBVObWNCOlD4JhPVM2crSFhkg+1xBaUHQRq0sooL8DzM6dhYpvlGWr7RbAVfdxLJiA6s64rlN1Wv+2tA6EAzgJ4Mrel23/qqjNvNXwVDOp
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_9FCC49ECBFC44A8E902C2DE7B5F124B1intelcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c38c70c9-3766-4675-eab0-08d948b1a88e
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jul 2021 23:30:12.3457 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 80bD7g2zEJdNfUMXF9Jwi4361DuJupHxXcqDnEHJIAG/tTyT9kHfwetJKJPHs5PO/mn8WpDWpzenc8jBrODe/Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB2030
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/AEXechG9IIm0acKyCOjJYGtTk2Y>
Subject: Re: [Rats] Definition of an Attesting Environment (and layered attestation)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jul 2021 23:30:28 -0000

It is good to cite counter examples. There are cases where a composite device will have a target environment that is measured so it isn’t an incorrect statement. The RATS architecture isn’t trying to be normative or exclusionary. So any cases to the contrary are also reasonable.

From: Laurence Lundblade <lgl@island-resort.com>
Date: Friday, July 16, 2021 at 11:24 AM
To: "Smith, Ned" <ned.smith@intel.com>
Cc: Thomas Fossati <tho.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Subject: Re: [Rats] Definition of an Attesting Environment (and layered attestation)


On Jul 15, 2021, at 10:55 AM, Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>> wrote:

The Arch draft captures two duties of an Attesting Env fairly clearly (1- collect Claims, 2- create Evidence). In a layering context the Attesting Env has another duty (3- pass execution thread to the Target Env).

#3 is probably also true for composite device as well, though in composite device the Attesting Env retains a thread of control.

Does the list believe these points should be in the arch draft or are they reasonably inferred?

Hi Ned,

I don’t think #3 should be part of RATS.

- It is not necessary in composite devices
- Many devices using composite attestation will not do it

Here’s an example of a mobile phone. It has three Attesting Environments:
- A TrustZone-based TEE that is the lead Attester
- The HLOS, say Android
- A Secure Element soldered to the PCB

The Secure Element boots fully on its own using SW from the Secure Element vendor. The HW and SW on the Secure Element is certified to EAL 5 or such. The TEE and HLOS have no role in its security or its startup.

The Secure Element is connected to the TEE by HW that can’t be manipulated by the HLOS.

The Secure Element produces full, proper signed Attestation Evidence. That goes to the Attester on the TEE and gets cryptographically bound into the Attestation Evidence produced by the TEE as a nested token.

The Endorser for the Secure Element is one that just handles Secure Elements, knows about their certification levels and such. It is separate from the Endorser for the TEE.


That is the main point about #3. To go a little further…

The HLOS also has an attester that collects evidence about itself and about apps.

It feeds its Attestation Evidence to the TEE, but this is probably not signed and secured as a nested token. It’s just a common submodule as per EAT.

Perhaps the TEE was involved in the start up and validation of the HLOS. Perhaps it wasn’t. It can work either way if the Endorsements are done right.


Note also that all three of the Attestation Environments are up and running all the time. None are short-lived running only during the boot cycle.

A good use of this architecture is to produce fully live Attestation Evidence each time a payment is made by the user of the mobile phone. This is a useful thing to do because payment app, the HLOS, the TEE, the fingerprint authentication in the TEE and the Secure Element all are used to make the payment.

So new fresh attestations of large parts of the system are produced day in and day out. It’s not just re sending the measurements that were taken and stored when the device booted.

(Any interest in this as an example as an addition to section 3 next to the layered attestation example?)

LL

v2.23.0 | Report a Bug | By Email