Re: [Rats] EAT claims needed by TEEP

Dave Thaler <dthaler@microsoft.com> Mon, 08 November 2021 17:20 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: Laurence Lundblade <lgl@island-resort.com>, Giridhar Mandyam <mandyam@qti.qualcomm.com>
CC: "rats@ietf.org" <rats@ietf.org>, teep <teep@ietf.org>
Thread-Topic: [Rats] EAT claims needed by TEEP
Date: Mon, 8 Nov 2021 17:20:33 +0000
Message-ID: <CH2PR21MB14640330E3DA58D2144659F7A3919@CH2PR21MB1464.namprd21.prod.outlook.com>
References: <BL0PR2101MB102770B8E03B95A44497004CA3190@BL0PR2101MB1027.namprd21.prod.outlook.com> <7607E6BF-459C-4A32-AAE2-08117A97E06B@island-resort.com> <BL0PR2101MB1027EA205417DAF375BA7085A3160@BL0PR2101MB1027.namprd21.prod.outlook.com> <B1FDD70B-2530-454C-90AF-F44EEDC4F1F3@island-resort.com> <AM6PR08MB342916CCDD01E8698BB3C883EF170@AM6PR08MB3429.eurprd08.prod.outlook.com> <2D53BD60-4FA8-4153-B28B-585E902845AE@island-resort.com> <AM6PR08MB423141370A5CE9DEF6C732C69C140@AM6PR08MB4231.eurprd08.prod.outlook.com>, <3370D92E-23C2-41C3-B86F-A65C168E9082@island-resort.com> <AM6PR08MB42311D76B24E866812171BDC9C140@AM6PR08MB4231.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB42311D76B24E866812171BDC9C140@AM6PR08MB4231.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/G8tFwaCZ6DIAuD7i1KdCT-eA25Q>
Subject: Re: [Rats] EAT claims needed by TEEP
List-Id: Remote ATtestation procedureS <rats.ietf.org>

Following up on the RATS meeting today, I compared the latest EAT document
against the TEEP requirements discussed most recently at the IETF 111 RATS meeting.

There were 5 requirements from TEEP for claims, ideally general-use ones, not profile-specific ones.
My reading is that the latest EAT doc now meets 4 of the 5 and only "device class" is missing,
and indeed the EAT document discussion of ueid explicitly says
"It does not identify types, models or classes of devices."
but nothing else in the document I could find provides a way to identify such.

Henk's proposal there was section 3.1.2 of draft-birkholz-rats-suit-claims:

> 3.1.2.  class-identifier
>
>   A RFC 4122 UUID representing the class of the Attester or one of its
>   hardware and/or software components.
>
>   $$system-property-claim //= ( class-identifier => RFC4122_UUID )

The other four requirements from TEEP can be met as follows, if I understand
the intent correctly:

  1.  Device unique identifier -> use ueid claim
  2.  Vendor of the device -> use oemid
  3.  Firmware type -> use sw-name
  4.  Firmware version -> use sw-version

The above claims would go in a claimset about the TEE (which may or may not be
a separate processor), but EAT already supports different claimsets for different
components as I understand it, so that's fine.

https://github.com/ietf-rats-wg/eat/issues/138 tracks this issue and my belief
is it should be simple to add a device class claim into a draft -12 of EAT.

I will also cover this in the TEEP WG meeting on Friday where I will discuss
what we need to change in the TEEP protocol spec, where this is tracked by
https://github.com/ietf-teep/teep-protocol/issues/165

Dave
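As an added illustration of the mapping above (this is example code, not part of the thread, the EAT draft, or the TEEP protocol), the following models a verifier-side appraisal of a TEE claims-set carrying the five claims named in the message: ueid, oemid, sw-name, sw-version and the proposed class-identifier. The claims-set is a plain map with text keys standing in for EAT's integer CBOR keys (an assumption; CBOR encoding and the real key assignments are out of scope), the claim values and the reference-value table are constructed, and the point it makes is the one the message makes: without a class claim, reference values can only be keyed per device (by ueid), whereas with one they can be keyed per device class.

```python
"""Added example: appraising a per-component (TEE) claims-set against
reference values keyed by device class.  Not code from the thread."""
from __future__ import annotations

import uuid

# Constructed claims-set for the TEE component.  Text keys stand in for
# EAT's integer CBOR claim keys (assumption; not the real encoding).
TEE_CLAIMS = {
    # EAT UEID: first byte is the type; 0x01 = RAND, followed by a
    # random value of 128..256 bits.  Constructed value.
    "ueid": bytes([0x01]) + bytes.fromhex("00112233445566778899aabbccddeeff"),
    "oemid": bytes.fromhex("0a0b0c"),            # constructed vendor identifier
    "sw-name": "example-tee-firmware",           # constructed firmware type
    "sw-version": "1.4.2",                       # constructed firmware version
    # Proposed class-identifier (draft-birkholz-rats-suit-claims): an
    # RFC 4122 UUID.  Constructed version-4 UUID string.
    "class-identifier": "12345678-1234-4123-8123-123456789abc",
}

REQUIRED = ("ueid", "oemid", "sw-name", "sw-version", "class-identifier")

# Constructed reference values: acceptable firmware versions keyed by
# (device class, firmware type), i.e. without needing a per-device entry.
REFERENCE_VALUES = {
    ("12345678-1234-4123-8123-123456789abc", "example-tee-firmware"): {"1.4.2", "1.4.3"},
}


def check_ueid(ueid: bytes) -> bool:
    """Structural check of an EAT UEID (length bounds and RAND-type size)."""
    if not 7 <= len(ueid) <= 33:
        return False
    if ueid[0] == 0x01:                      # RAND type: 16..32 bytes of value
        return 16 <= len(ueid) - 1 <= 32
    return ueid[0] in (0x02, 0x03)           # EUI / IMEI types; sizes not checked here


def check_class_identifier(value: str) -> bool:
    """The class-identifier must parse as an RFC 4122 UUID."""
    try:
        return uuid.UUID(value).variant == uuid.RFC_4122
    except ValueError:
        return False


def select_reference_values(claims: dict) -> set[str] | None:
    """Look up acceptable versions by (class, firmware type), not by device."""
    key = (str(uuid.UUID(claims["class-identifier"])), claims["sw-name"])
    return REFERENCE_VALUES.get(key)


def appraise(claims: dict) -> list[str]:
    """Return a list of problems; an empty list means the claims-set is accepted."""
    problems = [f"missing claim: {k}" for k in REQUIRED if k not in claims]
    if "ueid" in claims and not check_ueid(claims["ueid"]):
        problems.append("ueid malformed")
    if "class-identifier" in claims and not check_class_identifier(claims["class-identifier"]):
        problems.append("class-identifier is not an RFC 4122 UUID")
    if problems:
        return problems
    allowed = select_reference_values(claims)
    if allowed is None:
        problems.append("no reference values for this device class / firmware type")
    elif claims["sw-version"] not in allowed:
        problems.append("sw-version not in reference values")
    return problems


if __name__ == "__main__":
    print(appraise(TEE_CLAIMS))  # [] for the constructed claims-set
```

The lookup in select_reference_values is what the missing claim blocks: with only ueid available, the table would need one row per device rather than one per class.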

From: Thomas Fossati <Thomas.Fossati@arm.com>
Sent: Thursday, October 29, 2020 2:21 PM
To: Laurence Lundblade <lgl@island-resort.com>
Cc: rats@ietf.org; teep <teep@ietf.org>; Dave Thaler <dthaler@microsoft.com>; Simon Frost <Simon.Frost@arm.com>; Thomas Fossati <Thomas.Fossati@arm.com>
Subject: Re: [Rats] EAT claims needed by TEEP

On 29/10/2020, 21:07, "RATS" <rats-bounces@ietf.org> wrote:
> On Oct 29, 2020, at 1:45 PM, Thomas Fossati <Thomas.Fossati@arm.com> wrote:
>
> > Hi Laurence,
> >
> > > My understanding is that they are always encoded as CBOR text strings,
> > > so floating-point doesn't mean #7.25 or such.
> >
> > Correct.  In (Co)SWID software-version is just a text string and version-scheme
> > is there to do some semantic polishing.  But the underlying type is always #3.
> >
> > Maybe I'm misunderstanding your proposal here, but I would be circumspect
> > in mixing SWIDs attributes, which are scoped to software artifacts, with HW
> > identifiers.
>
> Hi Thomas,
>
> All the SW Version stuff would fall under a single EAT claims that
> contains a full CoSWID.
>
> For HW Version, I was thinking of two EAT claims, one for the version
> text, another for the version scheme (or we could go off and define a
> full CoHWID).

OK, looks like I had misunderstood your plan :-) thanks for the
clarification!