Re: [Rats] Propose a new event-log-type in CHARRA

"Smith, Ned" <ned.smith@intel.com> Fri, 04 September 2020 15:39 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 740C43A0E1B; Fri, 4 Sep 2020 08:39:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=intel.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yfbiJIa-SoDg; Fri, 4 Sep 2020 08:39:53 -0700 (PDT)
Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3615C3A0E25; Fri, 4 Sep 2020 08:39:53 -0700 (PDT)
IronPort-SDR: Y4iS9wthIqP8LeVa7bN0iJsYYog6J7OpYxUTRwwpLV/HvBjEpCJWKSymhhCw8bxE1ck3XmV1uA bUQdN9mtceTw==
X-IronPort-AV: E=McAfee;i="6000,8403,9734"; a="219317970"
X-IronPort-AV: E=Sophos;i="5.76,389,1592895600"; d="scan'208,217";a="219317970"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Sep 2020 08:39:52 -0700
IronPort-SDR: 5S3GaoOMrW0lAS2lPjt6stPWpFjcCpq98XG2/s7g4FGCR9LSKbbA4wdo73AaFBPG7gHPnJ4TDh 5ySSPNQvFMng==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.76,389,1592895600"; d="scan'208,217";a="339773698"
Received: from fmsmsx602.amr.corp.intel.com ([10.18.126.82]) by FMSMGA003.fm.intel.com with ESMTP; 04 Sep 2020 08:39:52 -0700
Received: from fmsmsx609.amr.corp.intel.com (10.18.126.89) by fmsmsx602.amr.corp.intel.com (10.18.126.82) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Fri, 4 Sep 2020 08:39:51 -0700
Received: from fmsmsx602.amr.corp.intel.com (10.18.126.82) by fmsmsx609.amr.corp.intel.com (10.18.126.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Fri, 4 Sep 2020 08:39:51 -0700
Received: from fmsedg601.ED.cps.intel.com (10.1.192.135) by fmsmsx602.amr.corp.intel.com (10.18.126.82) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5 via Frontend Transport; Fri, 4 Sep 2020 08:39:51 -0700
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (104.47.37.55) by edgegateway.intel.com (192.55.55.70) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1713.5; Fri, 4 Sep 2020 08:39:45 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BlH21EEusqWi5XEWgcctmIXzU7rgIVx4yEbuy8qvZ90UevZPB8e3/io4xpMgheGquVqMPuPOFFda1ki1GoZ8vaEmmXgixIG3wMOm18QCUzyMpMjWECxqkFzOmfR/7wd1Y/QR7U7xdzlD8sjaK1eA6EmA6fnDW2de3ce1bn9Vy/NQHIb7L5226hMwcoTLb5SexCSRQ/IP+KwxBHBAxHc67nzPXhtG/+FoDlUR0qAH/1YYWNQDlZMclgnk2fEOYq3OunfmRTxKiywTClb4Ud5d/fA8bI++qonzYnQqs86807eKUIuoxbc2F1Ms3XtkBt9vDsALEIIRY3eXmgJe+Mz0rA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vJC3Lz3Sy0jlC11MMPGTbyWhdb+h1Kj+HWTizHQtstM=; b=MRyNmXzvRlmkoirGINUwvqiYhM2NQYgrKug+hpbMEILCIvah7KH5Vz9H5d+XEXndwIgwG+gui1ZO4agb/mVefL/1+T4tA5NLcgYMePVqOrBnuUCrvv+0axkFw6dh5EvzJHNAxl/7k7RDZCxsOkit2oQIZePvJYOHacYRSbrPmo9NRSdoitfie4pHzEAxL+Q5f8ZtEbruLuCPWA6eftxUYdD/ZJLoExkmfLnbKGDb8twBqyAF8kx4VxSgYUFxH68WmA+EfoLpdN+YsJHi03TX8EDOfe/Ma5rBvqZuPQVJrh5imXfA3Jon+jjnJoVtpH8tQq2DYw7qIblhP2HS9mE2Sw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vJC3Lz3Sy0jlC11MMPGTbyWhdb+h1Kj+HWTizHQtstM=; b=rANy6XZFolHFqe4VUxKitE6vcBfAEsOwQCS6qpI5LU4abvNw/4q6niGmJkCPlXPsltQ6h/27qldjDNOW1wt1h+w0xE5fatVy609xYxAuo61RmH8Pv2R33TrzcKT8+eqV39btMB6B3YQSWMqTZzV1aqYUPmoa1qqXzDAN/0cBxHc=
Received: from MWHPR11MB1439.namprd11.prod.outlook.com (2603:10b6:301:9::20) by MW3PR11MB4618.namprd11.prod.outlook.com (2603:10b6:303:5f::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3348.15; Fri, 4 Sep 2020 15:39:43 +0000
Received: from MWHPR11MB1439.namprd11.prod.outlook.com ([fe80::1fe:5ef0:8591:7fef]) by MWHPR11MB1439.namprd11.prod.outlook.com ([fe80::1fe:5ef0:8591:7fef%8]) with mapi id 15.20.3348.015; Fri, 4 Sep 2020 15:39:43 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Meiling Chen <chenmeiling@chinamobile.com>, "Panwei (William)" <william.panwei@huawei.com>, "draft-ietf-rats-yang-tpm-charra@ietf.org" <draft-ietf-rats-yang-tpm-charra@ietf.org>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Propose a new event-log-type in CHARRA
Thread-Index: AdZ9F2S3YE6HUmniRGqctvSTG8eYFQDtiujqAHJX9AA=
Date: Fri, 4 Sep 2020 15:39:43 +0000
Message-ID: <5A1AAAA8-A309-41DF-9E16-CDA4C512C2C0@intel.com>
References: <f92d4256061948a3aa89952b912c81e3@huawei.com> <2020090210020386129720@chinamobile.com>
In-Reply-To: <2020090210020386129720@chinamobile.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: chinamobile.com; dkim=none (message not signed) header.d=none;chinamobile.com; dmarc=none action=none header.from=intel.com;
x-originating-ip: [50.53.43.22]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 808881fa-bdec-4b64-591e-08d850e8bee1
x-ms-traffictypediagnostic: MW3PR11MB4618:
x-microsoft-antispam-prvs: <MW3PR11MB461831BD1EC98BF0AA97AF69E52D0@MW3PR11MB4618.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 63JFpACOe3LMPSPiTE2ORtuNtR0TBV80b0/ouHD1BDiufDnm3q7M/8muJTKhc5H7B+8d9Cda9PJNdY57pBKzWjYXsNJZ33+6zSnF7My68Dr8PmCD4xXuGzbdadczWfCrAJBQ3wrXa05N5cmd9vIavarFHbPpbWwSlyVUjFpkaZsd3q7L4UzF+R9k+Rwtr6P3f16RjU0VVzcoF/EyL6cDkxs5WrRzEpvHJrfmB3RMaNYssTyEIy6L6TZo3VUYh0MjAibHwmgWq4R94098a56vk7AfxJje9fM/UkXvDmkUgMNwSLMWTqM19+7PhnQKTyLPITDlD614w/9vgTFbUz0O++vX6uq6e9yPTyIY9ETznWPzOX7pk1d7IsmmVkNpr68GIKdKwzeD7NBxndjgKkXcxQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR11MB1439.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(366004)(396003)(376002)(136003)(346002)(36756003)(316002)(66946007)(6512007)(110136005)(6506007)(66556008)(76116006)(478600001)(53546011)(66446008)(8936002)(66476007)(64756008)(8676002)(26005)(186003)(4326008)(86362001)(71200400001)(2906002)(5660300002)(6486002)(166002)(83380400001)(33656002)(2616005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: B7Ok+jxUC6ZBp9h8AzRCSGvzhNbrS5btZUdTXTXDenbrEQtBmMoYV7f32zp+wxgkGKBJVWvm54LMQ5iJESZ1nV46n+sGiQ+gaYOg8tfV2aHehrSQKpM+EJldvavSc0z6URvg87CLsKWy9tIS8lVM68fel3vSPEDpb5mNhracBr7Rkqgp104wiC/gwR11h3HNKv+FLyCg5hVmOQSiFVGXEorUdJJH+QmB0l3Vz6EaK5UYz884EWD+WTqC1JqMHXrh5jCq1pr3D5HDJjLPi8dy50UMp0QZGj6iZ6qSIJaLfhmzuKZdasmJOORvCeW8taDiiu+1WjdvjVeliv7PSwblI6U/PVB2X6gBB0+mRUtmvBBi5sc7OTKZGec/lkbh4dLL/9cAKuHCKq3zeGZuUx+0+RSGDU1EpKp19MR4rmIwvStkC4nBvEJZsq74i9JhUpycKOLG6xZsn2dLLYmxfTKXHzOQHcCcFF+EqXLbiUFdQ/nADEMTdyqrguSjH/lNCAm04eluXubFoVs0DKbWSybl/cB2sqPwEhNQYsgmUtjrCXjH3aWECsBgIXtTHwTpcRBGGpo4qCuceqH2dpVwdMIShbuwKi9u7EGs8xfu6QqjFvS4lRxT3hRfGjxROPoEhH1aoxDkCOjaJJRqacGpRoPI/g==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_5A1AAAA8A30941DF9E16CDA4C512C2C0intelcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR11MB1439.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 808881fa-bdec-4b64-591e-08d850e8bee1
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Sep 2020 15:39:43.5340 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: KOfmnJEgVHGfs9aY/avoQ93TdOfUSsuOfWYqqwEQO7KvNvlL6OqTLoIJoOo0hnmV27LXRJ4kZF20PYycA/lHWA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW3PR11MB4618
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/DCaYCBZZCBdfzx9GohASPEhYzOA>
Subject: Re: [Rats] Propose a new event-log-type in CHARRA
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Sep 2020 15:39:55 -0000

For the TCG-ers on the list, does this and other CHARRA event log definition align with TCG’s Canonical Event Log definition? For example, the ima definition includes a signature while the TCG CEL doesn’t anticipate signatures.



From: RATS <rats-bounces@ietf.org> on behalf of Meiling Chen <chenmeiling@chinamobile.com>
Date: Tuesday, September 1, 2020 at 7:05 PM
To: "Panwei (William)" <william.panwei@huawei.com>om>, "draft-ietf-rats-yang-tpm-charra@ietf.org" <draft-ietf-rats-yang-tpm-charra@ietf.org>
Cc: "rats@ietf.org" <rats@ietf.org>
Subject: Re: [Rats] Propose a new event-log-type in CHARRA

Hi all,
support +1,

·         Whether the boot process is deterministic is debatable, but recording the intermediate process is also a must.
·

o    It is recommended to add the other two attributes:

o      the type of log: such as warning, error, normally

o      event log time: record exactly when log was produced

Best,
Meiling

From: Panwei (William)<mailto:william.panwei@huawei.com>
Date: 2020-08-28 21:53
To: draft-ietf-rats-yang-tpm-charra@ietf.org<mailto:draft-ietf-rats-yang-tpm-charra@ietf.org>
CC: rats@ietf.org<mailto:rats@ietf.org>
Subject: [Rats] Propose a new event-log-type in CHARRA
Hi authors, all,

We’ve proposed a new attested-event-log-type in the Github (PR#5<https://github.com/ietf-rats-wg/basic-yang-module/pull/5>) a while ago, but unfortunately there is little discussion about it. This is also mentioned at IETF 108 meeting. I think it might be better to bring this topic to the mailing list and give more description about it.
The blue part below is the format of the new type of log that we propose. It literally looks somewhat similar to the IMA log format, because it uses part of the IMA’s concepts in the devices boot measurement.
When the device boots, it needs to load/execute a lot of files, but the order in which these files are loaded/executed is not deterministic or hard to keep fixed, so it’s difficult to give an accurate reference value.
The method to overcome this difficulty is below:
1. The Attester measures each file before execution, extends the hash value of the file into PCR, and records the measurement information of the file in the log.
2. When doing the remote attestation, the Attester sends the final values of the PCRs and the detailed logs to the Verifier.
3. The Verifier has a list of reference values for all files. It compares the hash value of each file recorded in the log with the corresponding reference value. If all files’ hash values match with their reference values, then the Verifier extends the hash values one by one according to the order recorded in the log, gets the final value, and compares the final value with the PCR value sent by the Attester.
Based on this method, we propose the new type of log. Any thoughts?

+--ro output
   +--ro system-event-logs
      +--ro node-data* []
         +--ro tpm-name?     string
         +--ro up-time?      uint32
         +--ro log-result
            +--ro (attested-event-log-type)
               +--:(bios)
               |  +--ro bios-event-logs
               |     +--ro bios-event-entry* [event-number]
               |        +--ro event-number    uint32
               |        +--ro event-type?     uint32
               |        +--ro pcr-index?      pcr
               |        +--ro digest-list* []
               |        |  +--ro hash-algo?   identityref
               |        |  +--ro digest*      binary
               |        +--ro event-size?     uint32
               |        +--ro event-data*     uint8
               +--:(netequip-boot)
               |  +--ro boot-event-logs
               |     +--ro boot-event-entry* [event-number]
               |        +--ro event-number               uint64
               |        +--ro filename-hint?             string
               |        +--ro filedata-hash?             binary
               |        +--ro filedata-hash-algorithm?   string
               |        +--ro file-version?              string
               |        +--ro file-type?                 string
               |        +--ro pcr-index?                 pcr
               +--:(ima)
                  +--ro ima-event-logs
                     +--ro ima-event-entry* [event-number]
                        +--ro event-number               uint64
                        +--ro ima-template?              string
                        +--ro filename-hint?             string
                        +--ro filedata-hash?             binary
                        +--ro filedata-hash-algorithm?   string
                        +--ro template-hash-algorithm?   string
                        +--ro template-hash?             binary
                        +--ro pcr-index?                 pcr
                        +--ro signature?                 binary

Regards & Thanks!
Wei Pan