IETF Logo Mail Archive

[Rats] Re: Security considerations of remote attestation (RFC9334)

"lgl island-resort.com" <lgl@island-resort.com> Thu, 14 November 2024 18:45 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E795C14F6B8 for <rats@ietfa.amsl.com>; Thu, 14 Nov 2024 10:45:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 91X6Oz7jbR20 for <rats@ietfa.amsl.com>; Thu, 14 Nov 2024 10:45:45 -0800 (PST)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2127.outbound.protection.outlook.com [40.107.94.127]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73D7BC14F6EA for <rats@ietf.org>; Thu, 14 Nov 2024 10:45:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=o+MdRkAsaB1hcIefTPsuzbW1YpftFDk97ru7L3HFgcEBIj0xQMN8tLzNPYRH5luhsMZIm5D4b3aK7shv5dmO3D/l9E9z81ceoPTGI3x9607D67g295axhpZiogJ3hURLxqDQ5WuKELciYjZrcbVkBjX63wfYWTeRG99x5TtkWROfdu90wjIFqo3WlcI42HLY+jSdxl0LtgDItpqeuE8mSAWX47kD4NjIa9K+6HxmnYSVW2ROVGsXBkVUBhEpzR+ic1Md8RqbpXwu2yY2NBUShpLSh0dspdcatfX3ILARaoG0olE1Zz+eiYFGtILwAzDb7ZHYbQ2bRsNcUIYpD6FxKQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ig1HehL44glDs7GePApDasQisdnmHd6/E2hS/zjNfQk=; b=BLs6RYk0/DXeaBbpCjO1IW9v4UfkJyX3f8qQ2lQBnibKFcFr2PJkqYmk3iyV0sEAbw2Y5g0aNESceIula3kj0KdObpICUx/zU1LSdXoHxCBwgEj+C0d3SwtMDV+fwxNDkz+NYMVeodUTKbjUcdWsrEM82KMM+HPEsHk47o7zLKJCModL6cNtVWQ22n0krOulnTtRrDtyf15AwY3ugW6ThxX52AV5Z1IhKQO5CXpEfF74knbvdNcemMe+FhYOM0yxg8NuFmSaX4pGLbw7VXr6+VRhGVSofKZoWLIVR3dxhlHRqd5mfyNhlXQACym07UVOxZ1UBAF2L4r1UCqWQgHFpw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=island-resort.com; dmarc=pass action=none header.from=island-resort.com; dkim=pass header.d=island-resort.com; arc=none
Received: from PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8) by PH7PR22MB3795.namprd22.prod.outlook.com (2603:10b6:510:2a4::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8137.28; Thu, 14 Nov 2024 18:45:41 +0000
Received: from PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::8515:3aa6:3ced:15e]) by PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::8515:3aa6:3ced:15e%3]) with mapi id 15.20.8137.027; Thu, 14 Nov 2024 18:45:40 +0000
From: "lgl island-resort.com" <lgl@island-resort.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Thread-Topic: [Rats] Security considerations of remote attestation (RFC9334)
Thread-Index: AQHbNUD830GTwMNe1UebeAFLGQrKB7K2rJYAgABzqQA=
Date: Thu, 14 Nov 2024 18:45:40 +0000
Message-ID: <6E00CCDE-4B56-4D81-B44B-4080170FFEDE@island-resort.com>
References: <4ffdd034-05ec-4565-9cad-b40ff82f83fc@tu-dresden.de> <CA+1=6yfZUNuy8gd2xj1eicL86qA5sq+=G8+4V9GT_3YffhuyfQ@mail.gmail.com> <AD3F6AC6-C112-4A7A-BBA4-8646CF277EED@island-resort.com> <2bed23f7-19bb-4c03-8ff8-58f12fb6a25a@tu-dresden.de>
In-Reply-To: <2bed23f7-19bb-4c03-8ff8-58f12fb6a25a@tu-dresden.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=island-resort.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH7PR22MB3092:EE_|PH7PR22MB3795:EE_
x-ms-office365-filtering-correlation-id: 6e47a938-ba53-494c-32c8-08dd04dc89e7
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|8096899003|38070700018;
x-microsoft-antispam-message-info: xeaPKYC0+vX0ETVEdY/g8C8ozYuTmSPfo8TUNdqx1VKtvAlEg1xeq9hd+xuqcMlyy8M7+54TN8opHv3/GODECP17bJD84+bP8ei+H9pBUDg1IVUgwT+R9i3nd/GjwkYJ/UClurrGKrMWG9HsMsDRApSxEwGkqQATJIJTM2xOUetUOJnEDvs8tzqjEZsyCOFbboQZfPUVmkPeHsSvx8SMqd0HoSesfV+aE6jWb4UOHHYrjPRv26CzROvhn4uFKX8jBxl69XkSseB5kb+52Zpjb4HpjiHe7DcLN3q8BIrgtPs5vz/g5njPTBU0llR9g9WsUlZnadZy1B/6amDzrE1axSfsp2QQDN2ZKSCyefUpeiwyR7aOX75F2SvdoTLAKYUoZu2UZyMK6bWFQbESP3aT5QEWi7/HWPDn5WAc+XvRjtff+M4FVD5zPuEkLNk+x0S4DrJ2Rc6JNlthWthlD/22p6/nlKi5v4SnEcU3FG4cyA+ozxR2ZRHxlq2A1yZPV4NN96/xmZ3oX4OGznWX0KTV/AHUVfvgaYfKKamcrDRfT0dqWiu0pJk09/K0SMoPHRrEa0aTN3h39/wfdF1ME5GAnGYZgUcBqwJ7iFpq77D4GwpSjBV+Bx5K8uIFA/BwAdpHSHElk4E3+sK2EyDApq+vyrQoTrzZIYTFah4ZiMXgnNs3EPJP0DvAP6rEEGNhz7KfQEi27AsSLo0HphpwlAUspfxp13F0CUTRev0PMI/grsYVKc/ZRXbiXM6HCQwr1tLClmHnro/+9vg6561UbRkyBvhrVcbJAf7b8VLzrl6+79VkUfwQj+9Nwy8bBYjU2OzrQDUcK1xE2qPEBKkZ8dE1Ui+YDDw/kgTJjkhaVXnA2UZsWjoa9xjsOq6JKtyMAbSRdt6bMffm3RD9T2YjomNYXFyYcc4BrybKcjkMYI2+NMGM6e0jBRbrLo4hBvOrcywCE9lSSvcSL2osmQcMawPcqsh0CShHnlvuILNDvYueA0NH+PWKxh/CUyEjXknjao1J0KzNaFw0vQKSnWUkePicT6KSopfVpD002OXi3uX/d+YapyH7FFgdqGG2xsS4isbORzxvTt+R6ePEITLhJmXG3nWOLm0KycHePXLG/baw3VHSy6sLcf5k/Z3ETRxO1q219k5Nsp+OF4hAda6geoqmmQbDYBWsv5402FvVKcwqJB7wPnuikhwAKmm9pStxZl16OXWxC9QXaM6/N4uuaIr/Mg45HY9PGWrfeG542PDsJgpP07iXMqJXVK3IPUWAoyQah08DcD4jf0qoIcnhC1nZsHv2SgaAW5G5rsofe5tyhdHF1jqJ+ThF03GLP64twMXAnuWUDlWmBLkVh3mqMAdZlBhp7mUIxrF0JasPJjymu5g=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH7PR22MB3092.namprd22.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(8096899003)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: tNaV/1nOl0Ri/8l/2ZBO/BM9UYiNWJqG1NQDolbfA7IjIv2YhWayN8HAXFyziaG+gqm2Z0KitDmz4Le/WcZ6hkaNKSYpZqIqMSCYBA5U9VWUSrgeAV6Ym0NKAkWGKBlD1Pz9k1fCfwPqZUPnKTaCmVtMqKXkYfDeJX8mJ+wIfxuvacs9i7FcaKwmqMmceSKMBHDSqOLz3etTxDHMsd6mTP6tJfAo2WFg36VduOzb7IpZp19DAbaIlekPunkFTJJh/O0+eHPFGtfhpuuhazG91l7XFc/HqZRWhSTt+3Ijw4qLjVC69GxL7hMbnHy6XE7aF4965hWqJkNvdFX/NaS7UiWwhs40C3ro4617t0TWh0dKNMnK/F9l/hehBkAHlXvrdkGtcZ8EEbkcD8g52Se8kHsswLGv1IcuH6sJYRYoDKjWjw9L001DtLY+9gRmCsgGEjUaxzHGHvOCs0EInxzxLvSbSY78e/vTQYVk9k+loc+5pcJvLk13SrHPxFCoEkXiB2IdzOxhxRG+++PNwL5e7BBQQPzgYduc5WAn3/bMvM/Ma+Hj+fh9yBmgmwfByRm8gmgR2Lx96I8PFkTYQZDpi2wnssXO4nJZ9bFCH6lGnm5F9KaD2x9b5BZQAv+aCZZehJ9PL3sRKJR8tp/N9bC/jfBsK8n9Wrtxx5tgkCtybidJdC+8RyGeyI2yOUmiwiUO1SRjkBGskwjvnWeYBdLxHbmLvFO0Fz39B0zIMwWlyIBLlmw/Wvrhb5EWN04M+4IDduTNOzO49mJnXQ29YguxSwyWgVcB7AO8nXTicShKpLPnoeHburLXlf2HKWeCp9kA3diu7Iz+3pwvqlfP92K8PyNIXZGZZkKaUDFL3O/eUwU6pI5vjd7pJcGpoaI92IaMiaI4AKDeHQqzrEFDlfDWVfoyA/2NqBIrRUSn92KfTXBPsNcGymD/16oPJZ6L9iHHQ9RzSFuP7mPFyfm5vlrWIwvw8UhH0mnAA99K7ccP3JcTaM05MnZBpHEv7G6b9Hkvt8xZqj9Ku9pQ7CqC3JPNZDzHPRr1Y9F5/4cDHv6r3uP2dMVjv/SvM6UFEgHfeMm8Pf3kwb6ELjiKFtQRBhXqF9HR4jL/KehDLD1ePcMVLREtQ1rP8DYyaiIyDdueRhCMQeUXd70nHvl6eQUZSb2i6Y8ojOXrD8jd/hhuIAs33h5DMmDAjPF1Oswm58xT61RveLc4FYRpxMFPqXjrLikliNwohkb+AtVXkQsosRer8w/6DGiq930xJWxv+6xaoVsr2ypydY1y6wirAlw9Kngk6qx2DBe08sjSLg6krvOfAji+gjTVmNkNc0ETyWSfWcDDoDPcSrs9pnXAGDCyZq1aHAZWgHPM53f+A4pTTLj7dz11MxmJ7e7vFnv4EFhEYnF95wILxa1Qg8Z8YMt9/Lnb3XaQKHP2hj3N1GWRWKsAc8UK1AIzgGFAZyp0cBEswh67phv8qWBFHafEl+RpBDrxQfn9M98hwP+8GiHIgBDkqW7V5QpU/H/V7SZSU624ooHFrTIU7DEmXtUSv1OiDDcIrfERKe58xqD5viYxEWXtBqYnLmuVaoNV8jPpFCUzDltflDKBQDogGnzsEjrd3CJy2g==
Content-Type: multipart/alternative; boundary="_000_6E00CCDE4B564D81B44B4080170FFEDEislandresortcom_"
MIME-Version: 1.0
X-OriginatorOrg: island-resort.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH7PR22MB3092.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6e47a938-ba53-494c-32c8-08dd04dc89e7
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Nov 2024 18:45:40.9332 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ad4b5b91-a549-4435-8c42-a30bf94d14a8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Y6Qgt7RkNA1hkNuP6+RIa390tkt2Bo876yKPP2qndXN3DB7lT/4dekYAul8IWPTS/5b52+EUUTrDLGyg3D2y6Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR22MB3795
Message-ID-Hash: 562PWYBPRUO6BMI6KGFFI6RYFQAZ37IB
X-Message-ID-Hash: 562PWYBPRUO6BMI6KGFFI6RYFQAZ37IB
X-MailFrom: lgl@island-resort.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Thomas Fossati <thomas.fossati@linaro.org>, "rats@ietf.org" <rats@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: Security considerations of remote attestation (RFC9334)
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/HD7PrZpn_lfGUoj1wdocfcKUHS8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Hi Usama,

Generally, I’m only hoping for some attention to be put on some of the fundamentals that get less attention like key lifecycles. Certainly not objecting to any work.

A little background for my comment:

Seems like so far we have written a lot more about freshness than security considerations for attestation system architecture and key life cycles.

I did work on what was essentially an attestation project ten years ago. For freshness, it was a system design that a mid level system architect could handle in a month or so and for implementation it was a few months by a mid-level engineer. OTOH, setting up the attestation keys management system took years and multimillion dollar contracts because it affected the factory floor and the set up of crypto operations (HSMs). It was not the same as HSMs for TLS at all. Some of it hinged on complex system architecture, particularly the interconnect between sub modules.

OTOOH, many will avoid such complexity by buying chips or systems that have already done this.

A few more comments below.


On Nov 14, 2024, at 3:51 AM, Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> wrote:


Hi Laurence,

On 12.11.24 21:25, lgl island-resort.com wrote:

On Nov 11, 2024, at 6:21 AM, Thomas Fossati <thomas.fossati@linaro.org><mailto:thomas.fossati@linaro.org> wrote:
...

At least, we need these three base properties:

* integrity -- the conceptual messages cannot be manipulated;
* authenticity -- the protocol principals are really who you think they are; and
* freshness -- the temporal aspects of the session cannot be distorted
(e.g., re-ordering of events, compression/dilation of the timeline);

I don’t worry much about freshness. *Everyone* gets it. When I started presenting EAT in 2018, that was the first question every time. We have lots of docs. Still needs mention of course.


I would respectfully disagree here. In fact, freshness is currently my biggest worry :) If we talk about it theoretically, yes the concept of freshness exists since several decades. But is it well-understood for TEEs? I think "no". Even the five authors mentioned on my first slide currently have a very diverse view of freshness, let alone the whole WG. In Dublin, I even heard people saying that the Attesting Environment can also generate a nonce because it is trusted. Recently, in CCC Attestation SIG, we had one hour of inconclusive discussion alone on the topic of freshness where folks had very diverse opinions.

But for those who consider it well-understood, I can open a couple of Pandora boxes for TEEs:

  *   I have heard Henk distinguishing freshness and recentness in previous meetings. I discussed this with him in Dublin. It is never defined in RFC9334 and I don't see how to incorporate this in protocol analysis. I wonder how do folks perceive the difference between the two.
  *   What happens when the Attester gets an attestation nonce? Does it just collect the measurements from cache or does it remeasure some of the components?

Maybe I’m missing something, but freshness doesn’t seem any different for a TEE than any other environment.


Integrity and authenticity are pretty well understood too.

Disagree here as well and a couple of Pandora boxes for TEEs to get started:

  *   For authenticity, we need identity. What exactly is the identity of the workload?
  *   If the certificates tie the workload to a unique physical platform, how does the migration of workload work?

Agree that identity is not well understood. I wasn’t including that in the “integrity and authenticity” frame when I made my comment. I'm happy that we work on identify however we classify it.


What seems less articulated is things like how much of the device was covered. Was the HW covered. Is the device architecture, all the way to the HW, well designed so that the attestation isn’t subverted?
Fully agree. I talked about this in meeting 118.
How is attestation composition secured? That depends on the security of the interconnect between lead and sub attesters which is probably secured by SoC architecture.

Fully agree, though it can be abstracted to some level for generalization, as we did for Arm CCA.
How keys are stored in the device and how they are put into the device is really important? Typically this is during manufacturing and requires secure facilities.


Fully agree, and I think no vendor ever specified this. If anyone is aware of any spec, please point me to it.

Vendors may not share much here. From what I know it is often proprietary. It may be in the realm of where physical and operational security come into play. That doesn’t mean that we can’t have useful things to say.

LL

v2.46.0 | Report a Bug | By Email | System Status