[Rats] Propose a new event-log-type in CHARRA

"Panwei (William)" <william.panwei@huawei.com> Fri, 28 August 2020 13:53 UTC

From: "Panwei (William)" <william.panwei@huawei.com>
To: "draft-ietf-rats-yang-tpm-charra@ietf.org" <draft-ietf-rats-yang-tpm-charra@ietf.org>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: Propose a new event-log-type in CHARRA
Date: Fri, 28 Aug 2020 13:53:08 +0000
Message-ID: <f92d4256061948a3aa89952b912c81e3@huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/M06l9t3X4ihxkP7dPkMx6r725OQ>
Subject: [Rats] Propose a new event-log-type in CHARRA
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>

Hi authors, all,

We proposed a new attested-event-log-type on GitHub (PR #5 <https://github.com/ietf-rats-wg/basic-yang-module/pull/5>) a while ago, but unfortunately there has been little discussion about it. This was also mentioned at the IETF 108 meeting. I think it might be better to bring this topic to the mailing list and describe it in more detail.
The netequip-boot branch of the tree below (highlighted in blue in the original message) is the format of the new type of log that we propose. It looks somewhat similar to the IMA log format, because it borrows some of IMA's concepts for the device's boot measurement.
When the device boots, it needs to load/execute a lot of files, but the order in which these files are loaded/executed is not deterministic, or is hard to keep fixed, so it's difficult to give an accurate reference value.
The method to overcome this difficulty is below:
1. The Attester measures each file before execution, extends the hash value of the file into PCR, and records the measurement information of the file in the log.
2. When doing the remote attestation, the Attester sends the final values of the PCRs and the detailed logs to the Verifier.
3. The Verifier has a list of reference values for all files. It compares the hash value of each file recorded in the log with the corresponding reference value. If all files' hash values match their reference values, then the Verifier extends the hash values one by one in the order recorded in the log, obtains the final value, and compares it with the PCR value sent by the Attester.
Based on this method, we propose the new type of log. Any thoughts?

+--ro output
   +--ro system-event-logs
      +--ro node-data* []
         +--ro tpm-name?     string
         +--ro up-time?      uint32
         +--ro log-result
            +--ro (attested-event-log-type)
               +--:(bios)
               |  +--ro bios-event-logs
               |     +--ro bios-event-entry* [event-number]
               |        +--ro event-number    uint32
               |        +--ro event-type?     uint32
               |        +--ro pcr-index?      pcr
               |        +--ro digest-list* []
               |        |  +--ro hash-algo?   identityref
               |        |  +--ro digest*      binary
               |        +--ro event-size?     uint32
               |        +--ro event-data*     uint8
               +--:(netequip-boot)
               |  +--ro boot-event-logs
               |     +--ro boot-event-entry* [event-number]
               |        +--ro event-number               uint64
               |        +--ro filename-hint?             string
               |        +--ro filedata-hash?             binary
               |        +--ro filedata-hash-algorithm?   string
               |        +--ro file-version?              string
               |        +--ro file-type?                 string
               |        +--ro pcr-index?                 pcr
               +--:(ima)
                  +--ro ima-event-logs
                     +--ro ima-event-entry* [event-number]
                        +--ro event-number               uint64
                        +--ro ima-template?              string
                        +--ro filename-hint?             string
                        +--ro filedata-hash?             binary
                        +--ro filedata-hash-algorithm?   string
                        +--ro template-hash-algorithm?   string
                        +--ro template-hash?             binary
                        +--ro pcr-index?                 pcr
                        +--ro signature?                 binary

Regards & Thanks!
Wei Pan
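The three-step scheme described in the message above, worked through as an added Python example. This is not code from the CHARRA draft, from PR #5, or from the author; it assumes SHA-256 as the PCR bank, a Verifier reference list keyed by filename-hint with a set of acceptable file hashes per file (the text only says "a list of reference values for all files"), and constructed sample file contents that stand in for real boot images. Beyond what the text spells out, the Verifier also checks each entry's pcr-index and hash algorithm, and the demo shows why the replay in step 3 is needed: the per-file reference check is order-independent, so only the replay binds the Attester-supplied log to the PCR and catches a forged or truncated log.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

ALGO = "sha256"  # assumed PCR bank / file hash algorithm


@dataclass(frozen=True)
class BootEventEntry:
    """One boot-event-entry, mirroring the leaves of the proposed netequip-boot branch."""
    event_number: int
    filename_hint: str
    filedata_hash: bytes
    filedata_hash_algorithm: str
    file_version: str
    file_type: str
    pcr_index: int


def pcr_extend(pcr: bytes, digest: bytes, algo: str = ALGO) -> bytes:
    """TPM 2.0 PCR extend: PCR_new = H(PCR_old || digest)."""
    return hashlib.new(algo, pcr + digest).digest()


def attester_boot(files: Iterable[Tuple[str, bytes, str, str]], pcr_index: int = 7,
                  algo: str = ALGO) -> Tuple[bytes, List[BootEventEntry]]:
    """Attester side (steps 1 and 2): measure each file before 'executing' it, extend the
    file hash into the PCR, append an entry to the log. Returns the final PCR value and
    the log that would be sent to the Verifier."""
    pcr = bytes(hashlib.new(algo).digest_size)  # PCR is all-zero after reset
    log: List[BootEventEntry] = []
    for n, (name, data, version, ftype) in enumerate(files, start=1):
        digest = hashlib.new(algo, data).digest()
        pcr = pcr_extend(pcr, digest, algo)
        log.append(BootEventEntry(n, name, digest, algo, version, ftype, pcr_index))
    return pcr, log


def verifier_appraise(pcr_index: int, pcr_value: bytes, log: List[BootEventEntry],
                      reference: Dict[str, Set[bytes]], algo: str = ALGO) -> Tuple[bool, str]:
    """Verifier side (step 3). `reference` maps filename-hint -> acceptable file hashes
    (several versions may be allowed); this keying is an assumption of the example."""
    entries = sorted(log, key=lambda e: e.event_number)
    # 3a: every logged file hash must match a reference value. Load order is irrelevant
    # here, which is what makes a non-deterministic boot order verifiable at all.
    for e in entries:
        if e.pcr_index != pcr_index:
            return False, f"entry {e.event_number} targets PCR {e.pcr_index}, expected {pcr_index}"
        if e.filedata_hash_algorithm != algo:
            return False, f"entry {e.event_number} uses {e.filedata_hash_algorithm}, expected {algo}"
        allowed = reference.get(e.filename_hint)
        if allowed is None:
            return False, f"no reference value for {e.filename_hint!r}"
        if e.filedata_hash not in allowed:
            return False, f"hash of {e.filename_hint!r} matches no reference value"
    # 3b: replay the extends in logged order and compare with the quoted PCR. The log and
    # its filename-hints are Attester-supplied and untrusted; this replay is the only step
    # that binds them to the TPM, so a forged or truncated log is caught here.
    replay = bytes(hashlib.new(algo).digest_size)
    for e in entries:
        replay = pcr_extend(replay, e.filedata_hash, algo)
    if replay != pcr_value:
        return False, "replayed log does not reproduce the reported PCR value"
    return True, "ok"


# Constructed sample input (not real firmware): (filename-hint, contents, file-version, file-type)
SAMPLE_FILES = [
    ("bootloader.bin", b"bootloader image v1", "1.0", "bootloader"),
    ("kernel.img", b"kernel image v5", "5.0", "kernel"),
    ("netdrv.ko", b"network driver v2", "2.0", "driver"),
]
REFERENCE: Dict[str, Set[bytes]] = {
    name: {hashlib.new(ALGO, data).digest()} for name, data, _, _ in SAMPLE_FILES
}


def demo() -> Dict[str, bool]:
    results: Dict[str, bool] = {}
    pcr, log = attester_boot(SAMPLE_FILES)
    results["in_order"] = verifier_appraise(7, pcr, log, REFERENCE)[0]
    # Same files, different load order: a single golden PCR would fail, this scheme passes.
    pcr2, log2 = attester_boot(list(reversed(SAMPLE_FILES)))
    results["reordered_ok"] = verifier_appraise(7, pcr2, log2, REFERENCE)[0]
    results["golden_pcr_differs"] = pcr != pcr2
    # A modified driver was loaded; the honest log fails the reference-value check (3a).
    pcr3, log3 = attester_boot(SAMPLE_FILES[:2] + [("netdrv.ko", b"backdoored driver", "2.0", "driver")])
    results["bad_file_rejected"] = not verifier_appraise(7, pcr3, log3, REFERENCE)[0]
    # Same boot, but the log entry is forged with the reference hash: 3a passes, replay (3b) fails.
    forged = log3[:2] + [BootEventEntry(3, "netdrv.ko", next(iter(REFERENCE["netdrv.ko"])),
                                        ALGO, "2.0", "driver", 7)]
    results["forged_entry_rejected"] = not verifier_appraise(7, pcr3, forged, REFERENCE)[0]
    # A truncated log (last event dropped) cannot reproduce the PCR either.
    results["truncated_rejected"] = not verifier_appraise(7, pcr, log[:2], REFERENCE)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the block prints True for every case in `demo()`. The "forged" case is the one that motivates step 3 in the message: every hash in that log is a known-good reference value, so a Verifier that stopped after the per-file comparison would accept it; only replaying the extends against the quoted PCR exposes that the file actually loaded was not the one the log claims.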