Re: [Rats] Propose a new event-log-type in CHARRA

"Eric Voit (evoit)" <evoit@cisco.com> Tue, 01 September 2020 12:28 UTC

From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Ira McDonald <blueroofmusic@gmail.com>, "Panwei (William)" <william.panwei@huawei.com>
CC: "draft-ietf-rats-yang-tpm-charra@ietf.org" <draft-ietf-rats-yang-tpm-charra@ietf.org>, "rats@ietf.org" <rats@ietf.org>
Date: Tue, 01 Sep 2020 12:28:43 +0000
Message-ID: <BL0PR11MB31225AEE100E23658B3068A5A12E0@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <f92d4256061948a3aa89952b912c81e3@huawei.com> <CAN40gSubRW5=Sn7niFn5wuZPQOEqZPLicC0_py9SOuMAj1_VZw@mail.gmail.com>
In-Reply-To: <CAN40gSubRW5=Sn7niFn5wuZPQOEqZPLicC0_py9SOuMAj1_VZw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/guI9PY5dbX4KRoWQb5wuKndSUP4>
Subject: Re: [Rats] Propose a new event-log-type in CHARRA
List-Id: Remote ATtestation procedureS <rats.ietf.org>

I also have no objection to this addition to Charra.


Eric

 

From: Ira McDonald, August 28, 2020 10:08 AM

Hi,

+1

I've worried about this fragility in RIMs (Reference Integrity Metrics) all along.

You might be able to fix the boot order of drivers (well maybe not), but you
certainly almost always can't fix the load order of applications and libraries.

Cheers,
- Ira

 

Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG

Co-Chair - TCG Metadata Access Protocol SG

Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmusic@gmail.com
(permanent) PO Box 221  Grand Marais, MI 49839  906-494-2434

 

 

On Fri, Aug 28, 2020 at 9:53 AM Panwei (William) <william.panwei@huawei.com> wrote:

Hi authors, all,

 

We've proposed a new attested-event-log-type on GitHub (PR#5 <https://github.com/ietf-rats-wg/basic-yang-module/pull/5>) a while ago, but unfortunately there has been little discussion about it. This was also mentioned at the IETF 108 meeting. I think it might be better to bring this topic to the mailing list and give more description of it.

The blue part below is the format of the new type of log that we propose. It looks somewhat similar to the IMA log format, because it uses part of IMA's concepts in the device's boot measurement.

When the device boots, it needs to load/execute a lot of files, but the order in which these files are loaded/executed is not deterministic or is hard to keep fixed, so it's difficult to give an accurate reference value.

The method to overcome this difficulty is below:

1. The Attester measures each file before execution, extends the hash value of the file into a PCR, and records the measurement information of the file in the log.

2. When doing the remote attestation, the Attester sends the final values of the PCRs and the detailed logs to the Verifier.

3. The Verifier has a list of reference values for all files. It compares the hash value of each file recorded in the log with the corresponding reference value. If all files' hash values match their reference values, then the Verifier extends the hash values one by one according to the order recorded in the log, gets the final value, and compares the final value with the PCR value sent by the Attester.

Based on this method, we propose the new type of log. Any thoughts?

 

+--ro output
   +--ro system-event-logs
      +--ro node-data* []
         +--ro tpm-name?     string
         +--ro up-time?      uint32
         +--ro log-result
            +--ro (attested-event-log-type)
               +--:(bios)
               |  +--ro bios-event-logs
               |     +--ro bios-event-entry* [event-number]
               |        +--ro event-number    uint32
               |        +--ro event-type?     uint32
               |        +--ro pcr-index?      pcr
               |        +--ro digest-list* []
               |        |  +--ro hash-algo?   identityref
               |        |  +--ro digest*      binary
               |        +--ro event-size?     uint32
               |        +--ro event-data*     uint8
               +--:(netequip-boot)
               |  +--ro boot-event-logs
               |     +--ro boot-event-entry* [event-number]
               |        +--ro event-number               uint64
               |        +--ro filename-hint?             string
               |        +--ro filedata-hash?             binary
               |        +--ro filedata-hash-algorithm?   string
               |        +--ro file-version?              string
               |        +--ro file-type?                 string
               |        +--ro pcr-index?                 pcr
               +--:(ima)
                  +--ro ima-event-logs
                     +--ro ima-event-entry* [event-number]
                        +--ro event-number               uint64
                        +--ro ima-template?              string
                        +--ro filename-hint?             string
                        +--ro filedata-hash?             binary
                        +--ro filedata-hash-algorithm?   string
                        +--ro template-hash-algorithm?   string
                        +--ro template-hash?             binary
                        +--ro pcr-index?                 pcr
                        +--ro signature?                 binary

 

Regards & Thanks!

Wei Pan

_______________________________________________
RATS mailing list
RATS@ietf.org <mailto:RATS@ietf.org> 
https://www.ietf.org/mailman/listinfo/rats
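The three-step method in Wei Pan's proposal (measure and extend on the Attester; per-file reference check, then ordered PCR replay on the Verifier) is shown below as an added Python example. It is not code from the CHARRA draft, the basic-yang-module repository, or any of the posters; the file contents, reference values, PCR index and log entries are all constructed, and the log dictionaries only borrow the leaf names of the proposed netequip-boot entry. It also shows why the per-file reference list removes the load-order problem: two boots of the same files in different order produce different PCR values, yet both verify, while a modified file is caught either at the digest check or at the replay.

```python
"""Verifier-side check of a netequip-boot style event log (added example)."""
import hashlib
from typing import Dict, List, Tuple

HASH = hashlib.sha256
PCR_SIZE = HASH().digest_size


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new = H(old || digest)."""
    return HASH(pcr + digest).digest()


def attester_boot(files: List[Tuple[str, bytes, int]]):
    """Simulate an Attester loading files in the given order.

    Each entry is (filename-hint, file content, pcr-index). Returns the
    event log (dicts using the proposed leaf names) and the final PCR
    values. PCRs start at all-zero, as on a TPM after reset.
    """
    pcrs: Dict[int, bytes] = {}
    log = []
    for n, (name, content, pcr_index) in enumerate(files):
        digest = HASH(content).digest()               # measure before execute
        old = pcrs.get(pcr_index, bytes(PCR_SIZE))
        pcrs[pcr_index] = pcr_extend(old, digest)     # extend into the PCR
        log.append({
            "event-number": n,
            "filename-hint": name,
            "filedata-hash": digest,
            "filedata-hash-algorithm": "sha256",
            "pcr-index": pcr_index,
        })
    return log, pcrs


def verify(log, reported_pcrs, reference: Dict[str, bytes]) -> Tuple[bool, str]:
    """Step 3 of the proposal. Returns (ok, reason)."""
    # Stage 1: every logged digest must equal the per-file reference value.
    # Order is irrelevant here; the reference list is per file, not per boot.
    for entry in log:
        name = entry["filename-hint"]
        if entry["filedata-hash-algorithm"] != "sha256":
            return False, f"unsupported hash algorithm for {name}"
        if name not in reference:
            return False, f"no reference value for {name}"
        if entry["filedata-hash"] != reference[name]:
            return False, f"digest mismatch for {name}"
    # Stage 2: replay the extends in logged order; the log supplies the order.
    replayed: Dict[int, bytes] = {}
    for entry in sorted(log, key=lambda e: e["event-number"]):
        idx = entry["pcr-index"]
        replayed[idx] = pcr_extend(replayed.get(idx, bytes(PCR_SIZE)),
                                   entry["filedata-hash"])
    for idx, value in reported_pcrs.items():
        if replayed.get(idx) != value:
            return False, f"PCR {idx} does not match the replayed log"
    if set(replayed) != set(reported_pcrs):
        return False, "log references PCRs the Attester did not report"
    return True, "ok"


# Constructed sample: three files whose load order is not fixed.
FILES = {
    "kernel.bin": b"kernel image v1",
    "libcrypto.so": b"crypto library v1",
    "routing-daemon": b"routing daemon v1",
}
REFERENCE = {name: HASH(data).digest() for name, data in FILES.items()}


def demo_two_boot_orders():
    """Same files, different order: both verify, final PCRs differ."""
    order_a = [(n, FILES[n], 10) for n in ("kernel.bin", "libcrypto.so", "routing-daemon")]
    order_b = [(n, FILES[n], 10) for n in ("kernel.bin", "routing-daemon", "libcrypto.so")]
    log_a, pcrs_a = attester_boot(order_a)
    log_b, pcrs_b = attester_boot(order_b)
    return (verify(log_a, pcrs_a, REFERENCE)[0],
            verify(log_b, pcrs_b, REFERENCE)[0],
            pcrs_a[10] != pcrs_b[10])


def demo_tampered_log():
    """A modified file fails the digest check; editing the log to hide it
    then fails the PCR replay, because the PCR was extended with the real digest."""
    boot = [("kernel.bin", b"kernel image v1 (patched)", 10),
            ("libcrypto.so", FILES["libcrypto.so"], 10)]
    log, pcrs = attester_boot(boot)
    first = verify(log, pcrs, REFERENCE)
    log[0]["filedata-hash"] = REFERENCE["kernel.bin"]   # log edited after the fact
    second = verify(log, pcrs, REFERENCE)
    return first, second


if __name__ == "__main__":
    print(demo_two_boot_orders())
    print(demo_tampered_log())
```

The two stages are deliberately separate: stage 1 needs only the per-file reference list, which is what the proposal makes stable across boots, and stage 2 binds that list to the PCR the Attester actually reported so the log cannot be rewritten without detection.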