Re: [Rats] Two types of secure attestation

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Thu, 21 November 2019 10:18 UTC

From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
To: Laurence Lundblade <lgl@island-resort.com>
CC: "rats@ietf.org" <rats@ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "Smith, Ned" <ned.smith@intel.com>
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com> <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com> <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com> <CAHbuEH4R4GZQCq9E1Nza8uPC=jxiM-FkV4tMrv9B==GsjvCLtw@mail.gmail.com> <34EB67FD-E76A-4132-87C4-C89EA70C9365@intel.com> <DC9F1051-E33A-477F-A855-2FBA33F8E8DF@island-resort.com> <cbb5f662-b073-5b5b-e504-56ea66b72744@sit.fraunhofer.de> <5A3105EA-8E54-4BB9-B266-96B6645811A1@island-resort.com> <c4967ed2-e484-d8c9-406b-8e1bb1b3b88d@sit.fraunhofer.de> <FF6F2CEE-1049-4B6C-8E12-9E21FE92D2F2@island-resort.com> <3285c3da-0748-5607-90ed-ac024ac826d0@sit.fraunhofer.de>
Message-ID: <02ec1d3f-3ef6-fbb6-3f59-b846cba1b3ce@sit.fraunhofer.de>
Date: Thu, 21 Nov 2019 11:17:47 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/JhDLC984mAjmg7mkKT6urJutvd8>

I re-read this as it made really no sense to me. I realize that I 
actually do not understand this sentence:

On 21.11.19 09:06, Laurence Lundblade wrote:
> In this non-TPM style attestation there is hashing of code booted as part of secure boot implemented in the boot ROM, but that all happens inside the boot sequence and never manifests outside of it (I also do not think it is helpful to refer to this part of the boot ROM as a “verifier” in this context because it is not the same as a RATS verifier that produces attestation evidence, is remote and such).

What is "this part of the boot ROM", and why should anything in the boot 
ROM be called a "verifier"? It seems that this has occurred already. Could 
someone please tell me where and why? Was it mentioned on this list?

Kind regards,

Henk
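As an added illustration of the distinction the quoted sentence is drawing (this is example code written for this archive page, not code from either poster or from the RATS working group), the block below puts the two boot models side by side. In the first, a boot ROM compares each stage against a reference digest it carries and makes a local go/no-go decision; nothing about what was checked leaves the boot sequence, which is why calling that ROM code a "Verifier" in the RATS sense is a stretch. In the second, each stage is hashed and extended into a PCR-like register, an Attester later signs that register together with a Verifier nonce, and a remote Verifier appraises the resulting Evidence against its own reference values. Stage images, digests and keys are all constructed here; an HMAC under a shared key stands in for the attestation-key signature, since the point is the flow of evidence, not the signature scheme.

```python
"""Verified boot versus measured boot with remote attestation (constructed example).

Model 1 (secure / verified boot): boot ROM checks a digest, boots or halts. No evidence escapes.
Model 2 (measured boot): measurements are extended into a PCR and later quoted to a
remote RATS Verifier, which holds the reference values and makes the trust decision.
"""
import hashlib
import hmac
import os

# Constructed stage images; in reality these are firmware blobs read from flash.
STAGE_IMAGES = {
    "bootloader": b"bootloader v1.2 (constructed image)",
    "kernel": b"kernel 5.x (constructed image)",
}
BOOT_ORDER = ["bootloader", "kernel"]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- Model 1: verified boot. Reference digests are "burned into" the ROM image. ----
ROM_REFERENCE = {name: sha256(img) for name, img in STAGE_IMAGES.items()}


def secure_boot(images: dict) -> bool:
    """Boot ROM logic: every stage must match its ROM-resident digest.
    Returns only the go/no-go decision; no record of the check is produced."""
    for name, img in images.items():
        ref = ROM_REFERENCE.get(name)
        if ref is None or not hmac.compare_digest(sha256(img), ref):
            return False  # halt the boot; nothing is reported anywhere
    return True


# ---- Model 2: measured boot + attestation. ----
PCR_INIT = b"\x00" * 32


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || measurement). Order of events matters."""
    return sha256(pcr + measurement)


def measured_boot(images: dict, order: list) -> tuple:
    """Hash each stage in boot order, extend it into the PCR and append to an event log.
    This records what booted; it does not decide whether booting was acceptable."""
    pcr = PCR_INIT
    log = []
    for name in order:
        m = sha256(images[name])
        log.append((name, m))
        pcr = extend(pcr, m)
    return pcr, log


# Constructed attestation key. HMAC is a stand-in for an asymmetric signature; in a
# real Attester this key never leaves the TPM/secure element.
AK = os.urandom(32)


def quote(pcr: bytes, nonce: bytes, key: bytes = AK) -> dict:
    """Attester: sign (PCR, nonce). This is the Evidence that leaves the device."""
    sig = hmac.new(key, pcr + nonce, "sha256").digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


def replay_log(log: list) -> bytes:
    """Recompute the PCR from the event log; must equal the quoted value."""
    pcr = PCR_INIT
    for _, m in log:
        pcr = extend(pcr, m)
    return pcr


def verify(evidence: dict, log: list, nonce: bytes, reference_values: dict,
           key: bytes = AK) -> str:
    """Remote RATS Verifier: freshness, signature, log consistency, then reference values."""
    if evidence["nonce"] != nonce:
        return "stale"
    expected = hmac.new(key, evidence["pcr"] + evidence["nonce"], "sha256").digest()
    if not hmac.compare_digest(expected, evidence["sig"]):
        return "bad-signature"
    if replay_log(log) != evidence["pcr"]:
        return "log-mismatch"
    for name, m in log:
        if reference_values.get(name) != m:
            return "unknown-" + name
    return "trustworthy"


if __name__ == "__main__":
    print("secure boot, genuine images:", secure_boot(STAGE_IMAGES))
    pcr, log = measured_boot(STAGE_IMAGES, BOOT_ORDER)
    nonce = os.urandom(16)
    print("verifier appraisal:", verify(quote(pcr, nonce), log, nonce, ROM_REFERENCE))
```

Note where the reference digests live in each model: in `secure_boot` they sit in the ROM and the decision is local, whereas in `verify` they are held by the remote Verifier, which is what makes the second flow an attestation in the RATS sense. A tampered kernel fails `secure_boot` silently (it simply does not boot), while under measured boot it still boots and is instead flagged by the Verifier as `unknown-kernel`.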