[Rats] Implementation report

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 13 February 2024 14:58 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 13 Feb 2024 09:58:12 -0500
Message-ID: <CAHbuEH6NU0yKDX=qwwf_xauKraejKuDa+5XNY-Q6pVv-i1RKbQ@mail.gmail.com>
To: rats <rats@ietf.org>, John Schmidt <john.schmidt.ietf@gmail.com>, Sean Turner <sean@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/HV-aro4LQ318GYgmG5tb1VaEHEc>
Subject: [Rats] Implementation report

Greetings!

Last year, I introduced my team to RATS work and pulled together a project
that was a lead-in to the attestation sets draft, implementing largely
what's described in
https://datatracker.ietf.org/doc/draft-ietf-rats-endorsements/

It took some time to complete due to some hyperscaler environments not
having a TPM or access to it from the container orchestration platform or
virtual server host. Once we secured an environment where this was
possible, through use of the IMA libraries (created for this purpose and
previously proven by RedHat), positive results were demonstrated. The
objective was to test assurance to CIS Benchmarks as that was my employer
at the time. We hope you find this report useful.

https://www.rsaconference.com/Library/blog/automated-assurance-on-a-path-to-becoming-practical

This was done at the same time other team members were researching the
prevalence of TPMs and TEEs in infrastructure. The purpose of that work was
to signal that hardware support is increasingly available and should be
used to ease configuration management and posture assurance capabilities.

https://www.cisecurity.org/insights/white-papers/built-in-security-at-scale-through-hardware-support

The timeline could include more data points; we included the key points.

I am copying John Schmidt who did the work. Sean Turner joined the project
in September and assisted with key management, application of cryptography,
and validation. Thank you both for your great work to successfully
implement this PoC!

--

Best regards,
Kathleen