IETF Logo Mail Archive

Re: [Rats] Two types of secure attestation

Laurence Lundblade <lgl@island-resort.com> Sun, 24 November 2019 20:01 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84EFE12004D for <rats@ietfa.amsl.com>; Sun, 24 Nov 2019 12:01:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WfHkNa7EZr8I for <rats@ietfa.amsl.com>; Sun, 24 Nov 2019 12:01:27 -0800 (PST)
Received: from p3plsmtpa06-04.prod.phx3.secureserver.net (p3plsmtpa06-04.prod.phx3.secureserver.net [173.201.192.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1B61120047 for <rats@ietf.org>; Sun, 24 Nov 2019 12:01:27 -0800 (PST)
Received: from [10.86.0.10] ([45.56.150.43]) by :SMTPAUTH: with ESMTPA id Yy4Uia0Ge1GdmYy4UiCdkE; Sun, 24 Nov 2019 13:01:27 -0700
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <F74104BF-35C6-4375-A5A0-93FFA34619B6@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A0530162-CBC2-474F-8A76-8BD400DF4B70"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sun, 24 Nov 2019 12:01:26 -0800
In-Reply-To: <06543a46-8218-fa9c-827f-8a0e2d364963@sit.fraunhofer.de>
Cc: "Smith, Ned" <ned.smith@intel.com>, "rats@ietf.org" <rats@ietf.org>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com> <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com> <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com> <CAHbuEH4R4GZQCq9E1Nza8uPC=jxiM-FkV4tMrv9B==GsjvCLtw@mail.gmail.com> <34EB67FD-E76A-4132-87C4-C89EA70C9365@intel.com> <DC9F1051-E33A-477F-A855-2FBA33F8E8DF@island-resort.com> <cbb5f662-b073-5b5b-e504-56ea66b72744@sit.fraunhofer.de> <5A3105EA-8E54-4BB9-B266-96B6645811A1@island-resort.com> <c4967ed2-e484-d8c9-406b-8e1bb1b3b88d@sit.fraunhofer.de> <FF6F2CEE-1049-4B6C-8E12-9E21FE92D2F2@island-resort.com> <3285c3da-0748-5607-90ed-ac024ac826d0@sit.fraunhofer.de> <0384FAEE-6C5B-4A99-BBA0-F080DD27AA9B@island-resort.com> <def7a722-e357-a12a-1467-8ff8c442337e@sit.fraunhofer.de> <A9E1ED3A-80D1-4585-9029-A49CA5AE3AB6@island-resort.com> <52AC3EB5-1BD0-4A41-8EAD-5A779E125BF8@intel.com> <06543a46-8218-fa9c-827f-8a0e2d364963@sit.fraunhofer.de>
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfNYPhKO+eCYYB8p1Q11kPZZN70ZYc9GK8R7IlBEcrW5dg9Px5MKu/8KaVSmq7/vFNIj1npxqSU67xsrdWDg2yZcx14n48XJQmUD05saGZKZau6thFrd4 GF2nMkDbkZPyeXEKqN6K8dmThmhCYQTx95B9bh59DT2oRYlO4XGFviGaiqlcs4Xu+jRF97aTiFyyviq5v/XoDwdsVnYxwweO4zO6JFEHkkW4CJqS9tAhDnke
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/V3mFLBhdIOObHWIvlH7A7q2wSIw>
Subject: Re: [Rats] Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Nov 2019 20:01:30 -0000


> On Nov 24, 2019, at 7:31 AM, Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote:
> 
> Hi all,
> 
> in a nutshell, one of the things I tried to express is that the following quite is simply not correct wrt to what is called here the "TPM-style" (I would really like to not use the words "TPM-style" and not to mixing authenticated & secure boot. Authenticated Boot is fine):
> > Primarily the difference between TPM-style that doesn’t rely on secure boot and non-TPM-style that does rely on secure boot.

It’s hard to know what to call things. I’m learning the “TCG language” slowly and we’re also evolving (in the architecture document) a common language. I keep trying terms and definitions to see what sticks and what doesn’t. Pretty sure we agree on “attestation evidence”, “verifier” and “attestation result”, but I don’t know what “secure boot”, “authenticated boot” and “trusted boot” mean to you so I don’t know which term to use.

> 
> It is never possible to create TPM structures that are signed Attestation Evidence, if a device that is explicitly intended to conduct "secure boot" did actually not do so successfully. That is one of the key-features of TPM/TSS remote attestation procedures.

It seems to me that TPM-style attestation where you measure each step in the boot sequence and report to a verifier was designed to work without secure boot. However I can see that it could also work with secure / trusted / authenticated boot.


> 
> On the other hand, what leaves me puzzled is the following. If these three quotes are all correct...
> 
>> You cannot create an EAT unless the authenticated boot was successful. The key material with which to sign the EAT is inaccessible if authenticated boot fails (or else the device just won’t boot at all).
> 
> draft-ietf-rats-eat-01:
> 
>> All claims are optional
> 
> and draft-ietf-rats-eat-01 again:
> 
>> 3.7.  Secure Boot and Debug Enable State Claims (boot_state)
>>   This claim is an array of five Boolean values indicating the boot and
>>   debug state of the entity.
> 
> ... one is allowed either to omit that Claim in an EAT or set some values of the Claim members to false. Therefore indicating that the boot state is, e.g. "secure_boot_enabled=> false", and still be able to create the EAT. Is that correct? If not, why include this member of the boot_state Claim at all? It always made me think until now that it allows for a device to not conduct "secure boot" and still be able to create an EAT.

Yes, you are right that in some cases it would make no sense to have the secure boot claim. It is basically an implicit claim. Here’s some where it does make sense to have an explicit secure boot claim.

The main attester might boot securely, but submods might not.

It is possible to build pure HW that implements EAT attestation. It might be a part of a SoC. That attestation HW doesn’t use the main CPU to implement the attester, but can report on how the main CPU booted.


> 
> Besides that, what I think we are actually talking about is implicit and explicit attestation.

Seems like you have to say which claims are implicit and which claims are explicit and in many attestations you need and get both.

For example, you called out a situation where the secure boot claim is implicit and questioned the need for the claim. I then called out a situation where the secure boot claim is explicit. 

In one attestation the secure boot claim might be implicit and the GPS location is explicit.

LL

v2.23.0 | Report a Bug | By Email