IETF Logo Mail Archive

[Rats] Standardizing TPM output in attestation evidence

Laurence Lundblade <lgl@island-resort.com> Wed, 04 August 2021 20:26 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 585BC3A090B for <rats@ietfa.amsl.com>; Wed, 4 Aug 2021 13:26:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c4hTYM3aNNRN for <rats@ietfa.amsl.com>; Wed, 4 Aug 2021 13:26:55 -0700 (PDT)
Received: from p3plsmtpa07-06.prod.phx3.secureserver.net (p3plsmtpa07-06.prod.phx3.secureserver.net [173.201.192.235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 499903A0925 for <rats@ietf.org>; Wed, 4 Aug 2021 13:26:55 -0700 (PDT)
Received: from [192.168.0.100] ([71.92.144.145]) by :SMTPAUTH: with ESMTPSA id BNTZmig6XI6mhBNTamT0yc; Wed, 04 Aug 2021 13:26:54 -0700
X-CMAE-Analysis: v=2.4 cv=fKL8YbWe c=1 sm=1 tr=0 ts=610af80e a=E5cCtQzjhQJ5yJ7bKjC7Hg==:117 a=E5cCtQzjhQJ5yJ7bKjC7Hg==:17 a=IkcTkHD0fZMA:10 a=_OUPKxvn79tyqdqHG4kA:9 a=QEXdDO2ut3YA:10
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Message-Id: <88C94025-5596-4E81-9618-036D6CF9F6E9@island-resort.com>
Date: Wed, 04 Aug 2021 13:26:53 -0700
To: rats <rats@ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-CMAE-Envelope: MS4xfBM71Z+HiRPXz4N/H5ck1uQG7DNzs4IaJomb1UclG6xE6OWDlX8BTLhkfH3Udqp8yXgMJnqSvhd4FxN6PfNBSay4dlP5C0jHHiWKXDJyjkIRxngQ4hc4 O+5vb08DaoUdtqV3dtA9sGcF7BMN+kZzPq33NJGSQYfS3PIKTEhHWsYlGgXNUWB9R+efKX10PKE3cQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/KIIfvl2CnlNxjmmPZWNTSruhcNE>
Subject: [Rats] Standardizing TPM output in attestation evidence
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2021 20:27:06 -0000

There has been a side discussion about TPMs and EAT. This is to bring it to the main RATS list and to state more clearly the use case I have in mind.

The devices I’m thinking of are roughly this:
 - Desktops, servers, IoT devices… (not network equipment, probably not mobile phones)
 - They have an off-the-shelf TPM2 soldered on to their PCB
 - Likely to be Intel CPUs, but not necessarily

We want these devices to do attestation and generate attestation evidence (all devices on the Internet should do attestation at some point!). We want that attestation evidence to include measurements taken by the TPM. We also want attestation evidence from parts of the device other than the TPM.

That’s the very general use case I have in mind very simply stated.

Assuming this use case makes sense, then how should this get standardized and implemented?

There is protocol standardization in YANG now for TPM output, but I don’t think we want to use YANG for this. I don’t think YANG is in common use for these types of devices and has a particular interaction model. I think EAT is a good candidate because it is an independently secured blob that can be carried by the protocols already in use with these devices.

This then requires that some output from the TPM be put into an EAT. It seems useful to standardize that here in RATS and it seems in scope for the charter.

I don’t have a strong opinion or detailed proposal for what TPM output goes into the EAT or the particular HW, SW and attestation architecture of the device. That’s something we can work out. I am pretty sure the device would have two attesters in a compound/layered arrangement. The attestation evidence produced by the TPM would be nested in the attestation evidence produced by the EAT attester.

I have some leaning towards putting this work in the EAT document, but it could also be in another document.

I think this is important for RATS because of the very strong association of TPMs with good attestation and for the goal to support attestation for all kinds of devices and environments (not just network equipment).


A few things this is not about:

- This is not about changing the format that a TPM2 outputs. This is about the ability to use the off-the-shelf TPMs that are manufactured by the millions and sitting in warehouses today.

- This is not about local device boot architecture. This is about remote attestation, about attestation evidence transmitted to the verifier/relying party.

LL

v2.23.0 | Report a Bug | By Email