Re: [Rats] Standardizing TPM output in attestation evidence
"Eric Voit (evoit)" <evoit@cisco.com> Thu, 05 August 2021 14:34 UTC
Return-Path: <evoit@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 326033A1451 for <rats@ietfa.amsl.com>; Thu, 5 Aug 2021 07:34:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.097
X-Spam-Level:
X-Spam-Status: No, score=-10.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.499, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=IgalG9Uf; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=WmcUO3Bp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kb7-TcNN1EG6 for <rats@ietfa.amsl.com>; Thu, 5 Aug 2021 07:34:52 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 387AB3A144F for <rats@ietf.org>; Thu, 5 Aug 2021 07:34:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13502; q=dns/txt; s=iport; t=1628174092; x=1629383692; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=BFErKEFT+bC4+V/y1lEIBV5UOPgD0lsVQ78Omv/Gkro=; b=IgalG9UfRKNaktqKJBgnJJC2Nube4cyRmglg2nON1Baj0uIqaXarYck/ O8+ow/0hXYnonyd+703dQR1HXwGNsnwpDkYeqMPcZlMlb1OOI4Le+UiOV Vba+uPdWNuFEVzZB4RTLUs8sRA052fsNepLi3dwQ2GHTkgKqVusiwOBfB M=;
X-Files: smime.p7s : 3975
X-IPAS-Result: A0AIAwCO9gthl5RdJa1RCR4BAQsSDIIOC4FTUX4sLjcxhEeDSAOFOYhlA4EQmSSCUwNUBAcBAQEKAwEBKgsMBAEBhFgCgwMCJTcGDgECBAEBAQEDAgMBAQEBBQEBBQEBAQIBBgQUAQEBAQEBAQGBCIVoDYZCAQEBAwEBARARHQEBJQcLAQQHBAIBCA4EMAICAiULFw4CBAEJBAUIBg0Hgk8BgX5XAw4REAEOnxsBgToCih96gTGBAYIHAQEGBASFIxiCLQcDBoE6gVOBKYQPhmQXEByBSUSBFUOCKwcwPoJiAQGBNAMrgxU2gi6CNVsONiYEQxAUOwwqEwIFNQMDCyAiAQQRIgcRkTQdGaoRgRcKgyiBMoQJgweBdpQpEqZslSBvjDuTV4UDAgQCBAUCDgEBBoF2I4FbcBU7gjUBATJQGQ6OHwsOCYNPhFk7hUpzOAIGAQoBAQMJiAkCJgeCGAEB
IronPort-PHdr: A9a23:ng9A1x1qGJ6lD4ZbsmDPR1BlVkEcU/3cPxUR45wrzqhDaaO549LpO 0mMrflujVqcW4Ld5roEjufNqKnvVCQG5orJq3ENdpFAFnpnwcUblgAtGoiJXEv8KvO5bjc+F cJOEUVo5HahLQ5eH8OtL1HXq2e5uDgVHBi3PAFpJ+PzT4jVicnStaiy9pTfbh8OiiC6ZOZ5L Q69qkPascxF6bY=
IronPort-HdrOrdr: A9a23:LQlEbaz3v/IWMI9KBXnPKrPxjuskLtp133Aq2lEZdPULSK2lfp GV8sjziyWatN9IYgBepTiBUJPwJk80hqQFn7X5XI3SHTUO3VHJEGgM1/qY/9SNIVyaygcZ79 YdT0EcMqyxMbEZt7eB3ODQKb9Jq7PrnNHK9IXjJjVWPHxXgspbnmFE43OgYzVLrX59dOME/f Snl656jgvlXU5SQtWwB3EDUeSGjcbMjojabRkPAANiwBWSjBuzgYSKUCSw71M7aXdi0L0i+W /Kn0jS/aO4qcy2zRfayiv684lWot380dFObfb8yPT9aw+czzpAVr4RHIFqjwpF5t1HL2xaye Ukli1Qe/ibLUmhJl1d7yGdgDUImwxemkMKgWXo8UcL5/aJHg7Tz6F69N5kmtyz0Tt8gDg06t M540uJ85VQFh/OhyL7+pzBUAxrjFO9pT44nfcUlGE3a/pSVFZ9l/1VwKpuKuZLIMs60vFRLM B+SMXHoPpGe1KTaH7U+mFp3dy3R3w2WhOLWFILtMCZ2yVf2CkR9TpW+OUP2nMbsJ4tQZhN4O rJdqxuibFVV8cTKaZwHv0IT8e7AnHEBRjMLGWRK1L6E7xvAQOAl7fnpLEuoO26cp0By5U/3J zHTVNDrGY3P1njDMWftac7uiwlgF/NFAgF7/suqaSRloeMMYYDABfzPmzGyfHQ0cn3KverL8 qOBA==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.84,296,1620691200"; d="p7s'?scan'208";a="751724602"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 05 Aug 2021 14:34:50 +0000
Received: from mail.cisco.com (xbe-rcd-005.cisco.com [173.37.102.20]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 175EYoVZ021266 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Thu, 5 Aug 2021 14:34:50 GMT
Received: from xfe-rcd-005.cisco.com (173.37.227.253) by xbe-rcd-005.cisco.com (173.37.102.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Thu, 5 Aug 2021 09:34:50 -0500
Received: from xfe-rtp-002.cisco.com (64.101.210.232) by xfe-rcd-005.cisco.com (173.37.227.253) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Thu, 5 Aug 2021 09:34:49 -0500
Received: from NAM04-DM6-obe.outbound.protection.outlook.com (64.101.32.56) by xfe-rtp-002.cisco.com (64.101.210.232) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Thu, 5 Aug 2021 10:34:49 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KNhv08JNwdM3p7PnCJYLjeMvpDUURsd/VM7HlrUErT82XfqQ55Lr3aazH/yrsShPIgkg+7tEWBrdjrVRWNmg8J2REFWeFgyQNvKoVOTA7MNytWwHq6r4Ib1EcDdImvUagEu1/T2kmKwAdTG03Dbvqm1n3C6coRnut+DXzMid26gGZyvVG5PSyUnzTrfr+qUoy7boPPSr3dcCRRrnxsMT40uk2oO+RRLYZASrhaCqF+iUclZzxwRXwrz7p0hlnmHA+KP5W+ZQb1LORHSBKad8Jw4+RM43jmybaqRZ/DeVYlKQtFF8C8pTzYl9VNuPyweEk3kCjzamfc5i4rSE+pN5uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tBi9CYpTPOrFq3Jb7raDpyiKl83HvO3QNmiidryxjdQ=; b=JT6x6CAfIW6xwHS08UI3MBPIlCVhl4rp77/4MsYtXMRaqUnzu6S/Acb9LN61tisIi0vW5QJ33oqiBbMUGmO9yAnXPppdqqE8D2UW5VQmcpewDOPjBA3XSWFzIhq0cFGj0oOM9+SzK6gGCWqpOLwoAzf4aHAsxHDlC628TwDTcsl8xajkfwfCx5dnfRvX7dYiXkpTaILeCxcjD7xVM1JXaYE10azB4yqUGgTJz6pT4xc8Vj3G8wUAbtn3xLSZYdB31emCBHp01nmKO0pJwQdBg79nodXJHDZlokPC7hyOcSHm/AAZc7KqH9ANMYhhdXPwIY30uA1vxhYRpB12AbY8jA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tBi9CYpTPOrFq3Jb7raDpyiKl83HvO3QNmiidryxjdQ=; b=WmcUO3Bp+5ZGwtJ5U7VgVV6ghUU8+9EFaYgKWNIhFurnmOU5wKBBuRDPNp1iCLj3+m7+NBKLn406zak0fBPYxnWv4tb7EMQZ2fkndKWIz5JiK5Okg4piNBlNcDZPnNgQqJpYvrU2JmgPZOOlUC6GPGTfV+9cpVKXVtxqgeqXFs8=
Received: from BL0PR11MB3122.namprd11.prod.outlook.com (2603:10b6:208:75::32) by BL1PR11MB5480.namprd11.prod.outlook.com (2603:10b6:208:314::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4373.18; Thu, 5 Aug 2021 14:34:48 +0000
Received: from BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::9923:df2f:c942:4aaa]) by BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::9923:df2f:c942:4aaa%7]) with mapi id 15.20.4394.018; Thu, 5 Aug 2021 14:34:48 +0000
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Laurence Lundblade <lgl@island-resort.com>, "Panwei (William)" <william.panwei@huawei.com>
CC: rats <rats@ietf.org>
Thread-Topic: [Rats] Standardizing TPM output in attestation evidence
Thread-Index: AQHXiW87fMLtrg0bjU6R31UTnWUtX6tk5wmw
Date: Thu, 05 Aug 2021 14:34:48 +0000
Message-ID: <BL0PR11MB31226B4CFFB4A9DAC7642324A1F29@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <88C94025-5596-4E81-9618-036D6CF9F6E9@island-resort.com>
In-Reply-To: <88C94025-5596-4E81-9618-036D6CF9F6E9@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: island-resort.com; dkim=none (message not signed) header.d=none;island-resort.com; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 797330b8-ba3c-499f-f869-08d9581e2d6d
x-ms-traffictypediagnostic: BL1PR11MB5480:
x-microsoft-antispam-prvs: <BL1PR11MB54809058FCC6EBBA072C348DA1F29@BL1PR11MB5480.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: jdKraNTR3YwCsZrYijG/+A/mtKI0Jcu52znPjgAiMRx47eqoBQQ9wW3ynYfh95ZKXTcO8Pd6KiROznkeKO3POi3XJBboMgbmSetCESj8mu5c5m0XXZHpn28CP+Duivv6Na8IAw9VWLk7q/r6NguU2OEUvNBFmSxCABDj95h0jLaFRxcNOL5v9QCHfnRchh8qKOs+0Mgi8YErPpk88Vj4USL58TXLAMOvYS7v+aDc/67Vtx7vVIQKLM8ci2kT0iSOaJzwulnQM3H2eIWYSy55wYvgf3mUEKM+1NDWHmgQVD1kaKsOsCZjLoppazluafFgtYKjs7cvKiDKdbCgSYyFSIMlOElEGIfzPx5itoDbrn4hyMUTLLCLgm9RhmC/r7WyF7HMs+/QsQAAO1DF7UbCXD3bHNgsP7yN3IHPHYnnSJn3qBzJ7H3Je5uLgWlE3nq0fj2p6wuRDtpWOTcCZyrcyRyg0HBe7jALXowR3aBdopeQbQ+MSDDnfwl8XSZnFqQMulYHaAZbTSriRLsZM5+VwaJ7tO3me/ELZ2TDGjF42fadyftN2gk3lk9j9XqJflK5vpS9oFvqj5zObspE+kYzxONVOy9/aljh04QsK296IByw878s8M8LSFlh2Y3pWB+30LmPeMI242I9F/zvtDC87d9q4IsFsz+Oyuu708GjqZIy9q154tg5KxaeAEDel7yNG6EPhRjmdMhrA6eSWwpJLj1PUiC5HBtzR2Bnux8L0/ate473PpfxQJO1iuuy8jEGkaAmpeahhYE6oZ3tMT4ksVbtIUnNeExd4OCzcBfo6tUaAwRvK5y/Y2VQ0slw4pSLNm1LeR+ufHf7fOeW0ikwZw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR11MB3122.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(4326008)(83380400001)(76116006)(99936003)(66946007)(66574015)(8936002)(8676002)(2906002)(6506007)(52536014)(9686003)(38070700005)(55016002)(86362001)(33656002)(26005)(66446008)(66616009)(64756008)(66556008)(66476007)(38100700002)(316002)(110136005)(122000001)(966005)(508600001)(71200400001)(7696005)(5660300002)(186003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 0DpjcdL3L1dOzf5SHe4Db+YHEHmLNcgtBz7p769rxdTDUL+MSr1VWVNbaYMkJeut60WFoQIPI3MiiYucxYL8gmkxWYFPi2CEpRv+BMR6c8jy/1yChboZRioEeV82lkhwSvD9jJHk1FVUcTarOtkexupT9ehbowkqoBSnjIbiPt7O6TZESYTeHz21GWyNZNsL/JJBFiCAYw0hYu+udOzUZwjr/Ty9VN98vC6NgFWVa6Jkxk1TM4jUjm1B/PLH/ojYxPVvoIHO07TbpfC4FlFojA/Pqgex/iwRMsIEIy/FdAGpgFw4gDqAEsqRLRjpGyzJn2txUyVj+pXBCqWR9lvcSe2S/SQkck5v2BY7mAFYeOknFIrniKhbY4fw7nK9c1hFnCVimq5yOj7zHcbs71Qlj+M8w3gY40gmBJ8b0dO+Z1DBFrqwgKBy/ZUKOKxtx+keMGgZI1gM38Lrq1TEyT3IrwpsxNfL1spN1zHQkFN2EXsHQAAJhbn54Oi7TXDCGGn3mi78uhsX4cpeWcf6PVhOe0GTISZxfsIEu0IpPS9LgI4q/jzqv9mTt2rtX730oIbY3qrzWVhrzqrzLKocBqBwC9QZFyJW2thTdKiAlgxL30Gu9BygLRycU1k+OI6y+5EF1iK80s+lJFOCMO05kq9xyvE/SfNSdkJiUJJDeb9tvJUpiUpleAj3U24rfIsa6oamU6w7CcZDAsyZY1QquRioDRKqcjTzcq9IlScdLzA+10AUFDHPAB9RQasRXnTGk3x5ycZzbAGUVvNn3mep63qzDhJHQGLLTlmI51VrCmMv50Fk4Vyt03fPBGLLBEpDxn873X8nPxmOijzwydye5gdK+TdRwM3crLu+vYnFV9JJO61JcTTEhstIUPUpKRXG2StLU4xmhFQ31U/cR+SFhg3EIJEFP/mDu1+isE97kx3kpfz7wd3RmSEcyMI7uVoy5pjFKRjI61pJQb4OL3s2OvTd+2PmIj4W/QRMfZq6V4YNQSKtae/m8uj6+P4FAjCIj49/Qlei49RDo8Yf0ibkCXYmcxBMJwWJbLglSvg/xaEMf9oO6yiSVQr4tdPskmih5WgroGWjhsMKNAARnswQFBd/iyiGacrnYMEFchxXwmdpS+TqaoridSw01wHlC2ONPEuIwroQx4GTjdpvOlEDZ46n773a1QTWwi900kE1yS9vXmDnqpweNQh7MXJbmz8PJmfnys+sUMJgc9Kz3wO+7DE0uPdmWWhmOZ75CfF6xyMTwLG/UbpE+hfgf1vKmvXAE7Td7iL3bXdS+iv82bh3KDWN4G5U3yU28OOfqRKHnxhM7vufUq2i3NDp1GADBVEYEvUn
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0304_01D789E5.61302420"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR11MB3122.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 797330b8-ba3c-499f-f869-08d9581e2d6d
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Aug 2021 14:34:48.2691 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 9dUovlqa8kIOee2n/Srz+CBp8W1evyvXqEV/3JMHZ8EO3TIZhx8I/S50jfosmcIz
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL1PR11MB5480
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.20, xbe-rcd-005.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/cn9SFHkh6EcJoU9WNsHZ8uFAsfQ>
Subject: Re: [Rats] Standardizing TPM output in attestation evidence
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2021 14:34:57 -0000
Hi Laurence, I agree with you and Panwei that TPM2 support for PCs/IoT could be interesting for this WG to investigate. I don't think it is an easy match for the EAT draft for reasons embedded below. > -----Original Message----- > Panwei , August 5, 2021 6:08 AM > > Hi Laurence, > > Thanks for sharing your thoughts. I think the use case is reasonable. > I agree with you that these types of devices may not use YANG, so some other > means need to be provided, for example defining the CWT claims. > > The CHARRA draft defines the attestation evidence suitable for devices using > TPMs in YANG, but YANG doesn't provide security protection for the output of > TPM. Actually the output of TPM is already signed by the TPM itself, what we > need is to provide a secure transportation for the output, for example using > NETCONF. TPM itself isn't the Attesting Environment, so it doesn't produce the > Evidence directly, it needs other component's help to generate the YANG styled > Evidence, and TPM's output is So this may be a little different than the current > EAT claims. We have two options to handle the TPM's output, one is to define > the traditional CWT claims, and the TPM's output is the "value" part of the claim, > and then use the EAT attester's key to protect the claim. The other option is to > just define the UCCS-style claims and use the secure transportation to transfer > the claims and no need to sign the claims again. Agree. Nesting the signing of TPM claims again with an EAT attester key is of limited value. Some method of proving both freshness and a binding between the two nested environments is needed. Proving the proper binding of nesting of claims and disproving a MITM to a Relying Party is non-trivial, and needs WG discussion. (E.g., when the PC/IoT device doesn't have a unique key for each instance, how do you prove that the nested claims are not coming from a TPM which is elsewhere?) > I don't know whether this should be defined in EAT draft or a separate draft. But > I'd like to highlight that even if the device only has TPM and has no EAT > attester/Attesting environment, the YANG data models may also not be suitable > for this device and it has to use some other format data models. > > Regards & Thanks! > Wei Pan > > Laurence Lundblade, Wednesday, August 4, 2021 4:27 PM > > There has been a side discussion about TPMs and EAT. This is to bring it to the > main RATS list and to state more clearly the use case I have in mind. > > The devices I’m thinking of are roughly this: > - Desktops, servers, IoT devices… (not network equipment, probably not mobile > phones) > - They have an off-the-shelf TPM2 soldered on to their PCB > - Likely to be Intel CPUs, but not necessarily > > We want these devices to do attestation and generate attestation evidence (all > devices on the Internet should do attestation at some point!). We want that > attestation evidence to include measurements taken by the TPM. We also want > attestation evidence from parts of the device other than the TPM. > > That’s the very general use case I have in mind very simply stated. > > Assuming this use case makes sense, then how should this get standardized and > implemented? TPM based evidence is typically backed by logs. E.g.: see IMA logs; https://sourceforge.net/p/linux-ima/wiki/Home/ So standardizing TPM output is of limited value unless you also standardize log deliver and have something which can validate the logs which back the evidence. (Or if you restrict the scope to specific Known Good Values, PCR banks, and hash algorithms.) > There is protocol standardization in YANG now for TPM output, but I don’t think > we want to use YANG for this. I don’t think YANG is in common use for these > types of devices and has a particular interaction model. I agree that YANG is not right for PCs/IoT. However the Charra has other aspects which need to be addressed in any solution here: - operational ownership of the TPM keys: Routers/switches can prove their individual identity based on locally managed keys. PC/IoT typically don't want to have devices uniquely tracked. Without such ownership, you might have to rely on TPM chip manufacturer as a root-of-trust. In such a case, how do you prove that the environment surrounding the TPM is providing good hash values? There are quite a number of constraints which need to be nailed down. - freshness: a TPM needs a nonce or some other mechanism to protect against replay attacks. This is why Charra exposes RPCs and not the raw TPM datastore structures. - supporting evidence: per the comment above, TPM PCRs contained hashed evidence used to validate the full set of logs which are stored in more vulnerable locations. > I think EAT is a good > candidate because it is an independently secured blob that can be carried by the > protocols already in use with these devices. I do think EAT can play here. But I would want more requirements / information in the draft on how exactly the blob needs to be secured. E.g., Where is the private key stored which secures this EAT blob? It shouldn't be in some general application running on the main CPU. Beyond this, what are the mechanisms for proofs of proper integration (and no MITM) between the nested signatures. > This then requires that some output from the TPM be put into an EAT. It seems > useful to standardize that here in RATS and it seems in scope for the charter. > > I don’t have a strong opinion or detailed proposal for what TPM output goes > into the EAT or the particular HW, SW and attestation architecture of the device. > That’s something we can work out. I am pretty sure the device would have two > attesters in a compound/layered arrangement. The attestation evidence > produced by the TPM would be nested in the attestation evidence produced by > the EAT attester. Makes sense. There needs to be significant thought placed into the nested structures. Such needs were the reason for the "AR Augmented Evidence" structures within draft-voit-rats-attestation-results. > I have some leaning towards putting this work in the EAT document, but it could > also be in another document. > > I think this is important for RATS because of the very strong association of TPMs > with good attestation and for the goal to support attestation for all kinds of > devices and environments (not just network equipment). > > > A few things this is not about: > > - This is not about changing the format that a TPM2 outputs. This is about the > ability to use the off-the-shelf TPMs that are manufactured by the millions and > sitting in warehouses today. > > - This is not about local device boot architecture. This is about remote > attestation, about attestation evidence transmitted to the verifier/relying party. It might not be possible to fully get away from device boot architecture. Lower numbered PCRs typically contain information on boot metrics. And without being able to verify these boot metric are ok, nobody using a TPM will assume higher numbered PCRs indicate trustworthiness. Eric > LL > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats
- [Rats] Standardizing TPM output in attestation ev… Laurence Lundblade
- Re: [Rats] Standardizing TPM output in attestatio… Panwei (William)
- Re: [Rats] Standardizing TPM output in attestatio… Eric Voit (evoit)
- Re: [Rats] Standardizing TPM output in attestatio… Smith, Ned
- Re: [Rats] Standardizing TPM output in attestatio… Laurence Lundblade
- Re: [Rats] Standardizing TPM output in attestatio… Smith, Ned
- Re: [Rats] Standardizing TPM output in attestatio… Laurence Lundblade
- Re: [Rats] Standardizing TPM output in attestatio… Kathleen Moriarty
- Re: [Rats] Standardizing TPM output in attestatio… Kathleen Moriarty