IETF Logo Mail Archive

[Rats] Definition of an Attesting Environment (and layered attestation)

Laurence Lundblade <lgl@island-resort.com> Wed, 23 June 2021 19:53 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AFB13A0E5F for <rats@ietfa.amsl.com>; Wed, 23 Jun 2021 12:53:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sp1vcOrhb6xE for <rats@ietfa.amsl.com>; Wed, 23 Jun 2021 12:53:42 -0700 (PDT)
Received: from p3plsmtpa07-02.prod.phx3.secureserver.net (p3plsmtpa07-02.prod.phx3.secureserver.net [173.201.192.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 960303A0E61 for <rats@ietf.org>; Wed, 23 Jun 2021 12:53:39 -0700 (PDT)
Received: from [192.168.4.71] ([135.180.5.239]) by :SMTPAUTH: with ESMTPSA id w8wIlJe5o31BXw8wKl7HZ0; Wed, 23 Jun 2021 12:53:37 -0700
X-CMAE-Analysis: v=2.4 cv=T49J89GQ c=1 sm=1 tr=0 ts=60d39142 a=yGLcT55IBd5ZT4hal3HKuA==:117 a=yGLcT55IBd5ZT4hal3HKuA==:17 a=48vgC7mUAAAA:8 a=xIc7ZIiAm-eg2V-mR_IA:9 a=E0F0pHRBDkyLHWco:21 a=lnNOOb9zHXxSVAdU:21 a=QEXdDO2ut3YA:10 a=kAuZeg-bGFjgqmXwczsA:9 a=04BTZDMbtlcfO9Pt:21 a=BciJjCMI4JfOHqw8:21 a=UhcOHh37kl-dyWtU:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_93EB7CDE-D7B7-4437-B3D3-0573A936926D"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Message-Id: <617FC3B4-5C1B-4D35-BD4B-9AC2D1362930@island-resort.com>
Date: Wed, 23 Jun 2021 12:53:34 -0700
To: rats@ietf.org
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-CMAE-Envelope: MS4xfEtcdwBwO//GNnouCs4VmZ9kAdsmnV8pO7dtoGNBQwtFWUkHKhy37jPJwZPj8s+p9uYI311Y9oFwKfwRmLIKRPxjEKUhWBfYtczRgK5xw4Ve+jC8IyA/ a3s7NEAU5M+yJPLBGrVABSko+hOOLPrrD7o8xDNbTC7yD7Hjy/NY7LXjcLXTyytU7Om77TJr00BUfA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/UuFwOfLnRitCbnfKpE-IgZ9ANcU>
Subject: [Rats] Definition of an Attesting Environment (and layered attestation)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jun 2021 19:53:45 -0000

The definition of Attesting Environment seems more implied than explicit.
Does an Attesting Environment always have key material?
Does an Attesting Environment always create Attestation Evidence (or vice versa, does Attestation Evidence always come from an Attesting Environment)?
Does the output of an Attesting Environment always go to a Verifier?
I think the answer to all of the above is yes. I think it is yes because this is *remote* attestation. The Verifier is always remote in relation to the Attester.

If yes is the answer to the above, then the layered attestation diagram is not right because it has the output of one Attesting Environment going into another Attesting Environment.

My thought is that the ROM is a Target Environment from which some claims originate, not an Attesting Environment in the RATS sense. I think it is fine that it works as described, but I don’t see it as an Attesting Environment. I don’t think the ROM has key material it uses to sign Attestation Evidence.

To go further here, how do subsystems in a device boot up and trust each other? I think there’s number of ways this can happen. One of them is what is described in the layered attestation section, but this is particularly complex and interesting SoC / device that has tens of very different subsystems of very different natures with different CPUs and CPU types. For example a mobile phone has a GPU, a modem, a security processor / TEE, a main CPU, a Secure Element, an audio DSP and… It’s far more complex than what is described in the layered attestation section.

Sometimes two subsystems trust each other just because they are on the same silicon die or because they are soldered on to the same PCB. Or, they can trust each other because they were booted out of the same ROM. It can also be because of staged boot as described in layered attestation. They can trust each other because some main system like the TEE booted each of them.

In a mobile phone, there’s only one RAM part that is used by all the subsystems. For each subsystem to have integrity the MMU’s and SMMU’s have to be set up correctly and play a part in how subsystems trust each other.

So I kind of don’t see the point of the current section of layered attestation in the RATS architecture draft. It is too simplistic to cover complex devices.

It also seems a bit of an overreach to try to detail how al the different subsystems on a device can or should trust each other. It would be complex, hard and take a year or two to do.

Also, in previous emails <https://mailarchive.ietf.org/arch/msg/rats/NsGYYPmqo4q8sT6mBWyTWdgwQvg/>, I have suggested that layered attestation might be something quite different. It is more of an alternative to endorsements for establishing trust in an attesters.

LL

v2.23.0 | Report a Bug | By Email