Re: [Rats] Implementation report

Yogesh Deshpande <Yogesh.Deshpande@arm.com> Wed, 21 February 2024 11:30 UTC

From: Yogesh Deshpande <Yogesh.Deshpande@arm.com>
To: Henk Birkholz <henk.birkholz@ietf.contact>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, rats <rats@ietf.org>, John Schmidt <john.schmidt.ietf@gmail.com>, Sean Turner <sean@sn3rd.com>
CC: Allan Friedman <allan.friedman@cisa.dhs.gov>
Date: Wed, 21 Feb 2024 11:30:44 +0000

Hi Henk,

What you mentioned below is a perfect use case which has frequently been discussed across multiple groups,
i.e. how remote attestation can assist in getting access to deeper insight into the authenticity of the secure software supply chain.

For this process to move forward, we not only need an SBOM but also an
HBOM (https://www.cisa.gov/sites/default/files/2023-09/A%20Hardware%20Bill%20of%20Materials%20Framework%20for%20Supply%20Chain%20Risk%20Management%20%28508%29.pdf).

A Hardware Profile is being discussed in the SPDX community also, and linking the various Bills of Materials can assist in visibility of overall endpoint security via remote attestation.

I would be quite keen to promote this discussion during the coming IETF (though attending remotely).

Regards,
Yogesh Deshpande
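To make the "Trustworthy SBOM" idea and the linking of Bills of Materials to attestation concrete, here is an added example (not code from the thread, nor from the PoC Kathleen reports): a toy RATS-style appraisal that cross-checks an SBOM's component digests against IMA measurement-log entries in the ima-ng layout. The SBOM contents, file paths and digests are all constructed for the example.

```python
import hashlib

# Constructed SBOM (not from the thread): components an endpoint is supposed
# to run, each with the sha256 reference value of its installed file.
SBOM = {
    "openssl-3.0.13": hashlib.sha256(b"openssl-3.0.13 image").hexdigest(),
    "nginx-1.24.0": hashlib.sha256(b"nginx-1.24.0 image").hexdigest(),
    "curl-8.5.0": hashlib.sha256(b"curl-8.5.0 image").hexdigest(),
}

# Constructed IMA log in ascii_runtime_measurements 'ima-ng' layout:
# PCR, template hash, template name, algo:filedata-hash, path.
# The template hashes are zero placeholders; a real Verifier would first
# replay them against the TPM PCR 10 quote before trusting this log at all.
IMA_LOG = f"""\
10 0000000000000000000000000000000000000000 ima-ng sha256:{SBOM['openssl-3.0.13']} /usr/lib/libssl.so.3
10 0000000000000000000000000000000000000000 ima-ng sha256:{SBOM['nginx-1.24.0']} /usr/sbin/nginx
10 0000000000000000000000000000000000000000 ima-ng sha256:{hashlib.sha256(b'unlisted').hexdigest()} /tmp/unlisted-binary
"""


def parse_ima_ng(log):
    """Return {filedata_sha256: path} for the ima-ng entries of a measurement log."""
    measured = {}
    for line in log.splitlines():
        fields = line.split(maxsplit=4)  # path may contain spaces
        if len(fields) != 5 or fields[2] != "ima-ng":
            continue
        algo, _, digest = fields[3].partition(":")
        if algo == "sha256":
            measured[digest] = fields[4]
    return measured


def appraise(sbom, ima_log):
    """Appraise IMA evidence against SBOM reference values.

    'attested': SBOM components measured with exactly the expected digest.
    'unmeasured': SBOM components never seen in the log (not executed under
    the IMA policy, or replaced by a file with a different digest).
    'unknown': measured paths matching no SBOM digest; these are exactly
    what a Verifier should flag, since the SBOM does not account for them.
    """
    measured = parse_ima_ng(ima_log)
    attested = sorted(n for n, d in sbom.items() if d in measured)
    unmeasured = sorted(n for n, d in sbom.items() if d not in measured)
    known = set(sbom.values())
    unknown = sorted(p for d, p in measured.items() if d not in known)
    return {"attested": attested, "unmeasured": unmeasured,
            "unknown": unknown, "trustworthy": not unmeasured and not unknown}
```

An HBOM would slot in the same way, as a second set of reference values (for example firmware digests) appraised against the hardware-related measurements in the same evidence.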

-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of Henk Birkholz
Sent: Wednesday, February 21, 2024 11:11 AM
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; rats <rats@ietf.org>; John Schmidt <john.schmidt.ietf@gmail.com>; Sean Turner <sean@sn3rd.com>
Cc: Allan Friedman <allan.friedman@cisa.dhs.gov>
Subject: Re: [Rats] Implementation report

Hi Kathleen,

Thank you for the pointers! Will you be in Brisbane?

Looking at your last link, I am wondering if there are plans for future projects. Say... remote attestation based authenticity assurance in the software supply chain: I am thinking along the lines of "Trustworthy SBOMs", which would be a scenario that would combine various building blocks and that is definitely still in need of more standards consolidation.

Because https://learn.cisecurity.org/built-in-security-scale-hardware-support cited https://www.cisa.gov/securebydesign, I am reeling Allan into this reply, so that he is aware that we could do something meaningful here :-)


Best regards,

Henk

On 13.02.24 15:58, Kathleen Moriarty wrote:
> Greetings!
>
> Last year, I introduced my team to RATS work and pulled together a
> project that was a lead-in to the attestation sets draft, implementing
> largely what's described in
> https://datatracker.ietf.org/doc/draft-ietf-rats-endorsements/
>
> It took some time to complete due to some hyperscaler environments not
> having a TPM or access to it from the container orchestration platform
> or virtual server host. Once we secured an environment where this was
> possible, through use of the IMA libraries (created for this purpose
> and previously proven by RedHat), positive results were demonstrated.
> The objective was to test assurance to CIS Benchmarks as that was my
> employer at the time. We hope you find this report useful.
>
> https://www.rsaconference.com/Library/blog/automated-assurance-on-a-path-to-becoming-practical
>
> This was done at the same time other team members were researching the
> prevalence of TPMs and TEEs in infrastructure. The purpose of that
> work was to signal that hardware support is increasingly available and
> should be used to ease configuration management and posture assurance capabilities.
>
> https://www.cisecurity.org/insights/white-papers/built-in-security-at-scale-through-hardware-support
>
> The timeline could include more data points; we included key points.
>
> I am copying John Schmidt who did the work. Sean Turner joined the
> project in September and assisted with key management, application of
> cryptography, and validation. Thank you both for your great work to
> successfully implement this PoC!
>
> --
>
> Best regards,
> Kathleen
>

_______________________________________________
RATS mailing list
RATS@ietf.org
https://www.ietf.org/mailman/listinfo/rats