Re: [Rats] Standardizing TPM output in attestation evidence
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 20 August 2021 12:17 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3417D3A260F for <rats@ietfa.amsl.com>; Fri, 20 Aug 2021 05:17:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QToRgALobC4c for <rats@ietfa.amsl.com>; Fri, 20 Aug 2021 05:17:31 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2303F3A260E for <rats@ietf.org>; Fri, 20 Aug 2021 05:17:31 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id x6so527732uai.11 for <rats@ietf.org>; Fri, 20 Aug 2021 05:17:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K+EK0kHMsApe1WG/+GMpQIy034p8xAJROcZ81/LZb+A=; b=LPH7kVGypn49AGs2SRyl8WBepsbeAjLwM0onPFZ4KOSN80W2guNsOyIdB2EKoszdcZ W5ZOphKYfd6Mj/195ksCHOZEQbC0PCnUlWQoMByTi2Y/MCMn8JXyXldt714fy9oOMQ6F I1J2X66k38siUIY9To+pyM5Qi1vbZtw3yFCWDSRLULXNc+XDSuDPIKG73KmKZSQnFRBf wB8UyIZVs2IsXRYb5mxGFkexoDgStk5yNyXNBi6ZA/ibiicDO1MmGEFir/u8pEZEmzvF JDIEURLf4NNLPTpVShjQXcxj4lfmsX/cgNTjBoL23h6qPEXkRafSEZ27kMjBccFlfNqE dXeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K+EK0kHMsApe1WG/+GMpQIy034p8xAJROcZ81/LZb+A=; b=KFo5rR3pGJKRdimFP0axsPjiPLz/4R3H28JeRepgkhoN8/t5o9zWY6JtM5usPqg0Zv 2W0eCSca9QhgqJ6EfZ3hsx/hmw5XdA4rlxd0tC4zYQuF6LxOv2G5zig95MD649LQVjjq VVfVOh4zoD7PM/2MyijcjO4J2CD01zlVDw41XrtnolawZZZowIMMicRo8B1Byu11KyM6 4wr6dAeBy+jJB6ZgkngujmH9IsX3Yx3b5EIzKbP2jzg+spi0bG2LEi0PU4fbwmobTgPe s4ovTSU4+gIGxc62sJSznn9L+SCh769+zvZOLMgJvsR2eDy+Uwm3E3hc9KyITQOWN3tE Bfzw==
X-Gm-Message-State: AOAM530ZRikz2Y2ypj5BBxesoXrCRauBmYny1rQuzy0VDoiDRNn1U9bw vvYxchmBmEbSF711rmt0rqhr1LHqDk0v6qXqWyA=
X-Google-Smtp-Source: ABdhPJxpZnlFWZi7w+f2ZBJlX2gX3Mq6WJt3vseD4Q3FIZVWiwr2JddZfGxNdhW8Gu55TQSAlhIZBQrito148OqVNaI=
X-Received: by 2002:ab0:49a4:: with SMTP id e33mr14828804uad.12.1629461849137; Fri, 20 Aug 2021 05:17:29 -0700 (PDT)
MIME-Version: 1.0
References: <88C94025-5596-4E81-9618-036D6CF9F6E9@island-resort.com> <fa4098b851034bcbb9504928bfcd903d@huawei.com>
In-Reply-To: <fa4098b851034bcbb9504928bfcd903d@huawei.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 20 Aug 2021 08:16:53 -0400
Message-ID: <CAHbuEH7unUvLxbhcVhm3OhtzgBXYwe=JGpVyMprG3XP7NHC_Xw@mail.gmail.com>
To: "Panwei (William)" <william.panwei@huawei.com>, "Fontes, Antonio" <Antonio.fontes@dell.com>
Cc: Laurence Lundblade <lgl@island-resort.com>, rats <rats@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b1658105c9fca645"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/jQxKKnnRumCXMJdJau92bCndcqg>
Subject: Re: [Rats] Standardizing TPM output in attestation evidence
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2021 12:17:36 -0000
Panwei, I agree and that's what's proposed in my draft, to share the log output or a link to the TPM log. I don't think we need to replicate the format of the TPM and for the design in attestation sets, you'd include all of the relevant logs (or a pointer if that can work) to the TPM log, PCR log, or other relevant signed log on other platforms (TBD) that align to a set of policies or measurements to that defined set. Best regards, Kathleen On Thu, Aug 5, 2021 at 6:07 AM Panwei (William) <william.panwei@huawei.com> wrote: > Hi Laurence, > > Thanks for sharing your thoughts. I think the use case is reasonable. > I agree with you that these types of devices may not use YANG, so some > other means need to be provided, for example defining the CWT claims. > > The CHARRA draft defines the attestation evidence suitable for devices > using TPMs in YANG, but YANG doesn't provide security protection for the > output of TPM. Actually the output of TPM is already signed by the TPM > itself, what we need is to provide a secure transportation for the output, > for example using NETCONF. TPM itself isn't the Attesting Environment, so > it doesn't produce the Evidence directly, it needs other component's help > to generate the YANG styled Evidence, and TPM's output is > So this may be a little different than the current EAT claims. We have two > options to handle the TPM's output, one is to define the traditional CWT > claims, and the TPM's output is the "value" part of the claim, and then use > the EAT attester's key to protect the claim. The other option is to just > define the UCCS-style claims and use the secure transportation to transfer > the claims and no need to sign the claims again. > > I don't know whether this should be defined in EAT draft or a separate > draft. But I'd like to highlight that even if the device only has TPM and > has no EAT attester/Attesting environment, the YANG data models may also > not be suitable for this device and it has to use some other format data > models. > > Regards & Thanks! > Wei Pan > > > -----Original Message----- > > From: RATS [mailto:rats-bounces@ietf.org] On Behalf Of Laurence > > Lundblade > > Sent: Thursday, August 5, 2021 4:27 AM > > To: rats <rats@ietf.org> > > Subject: [Rats] Standardizing TPM output in attestation evidence > > > > There has been a side discussion about TPMs and EAT. This is to bring it > to > > the main RATS list and to state more clearly the use case I have in mind. > > > > The devices I’m thinking of are roughly this: > > - Desktops, servers, IoT devices… (not network equipment, probably not > > mobile phones) > > - They have an off-the-shelf TPM2 soldered on to their PCB > > - Likely to be Intel CPUs, but not necessarily > > > > We want these devices to do attestation and generate attestation evidence > > (all devices on the Internet should do attestation at some point!). We > want > > that attestation evidence to include measurements taken by the TPM. We > > also want attestation evidence from parts of the device other than the > TPM. > > > > That’s the very general use case I have in mind very simply stated. > > > > Assuming this use case makes sense, then how should this get standardized > > and implemented? > > > > There is protocol standardization in YANG now for TPM output, but I don’t > > think we want to use YANG for this. I don’t think YANG is in common use > for > > these types of devices and has a particular interaction model. I think > EAT is > > a good candidate because it is an independently secured blob that can be > > carried by the protocols already in use with these devices. > > > > This then requires that some output from the TPM be put into an EAT. It > > seems useful to standardize that here in RATS and it seems in scope for > the > > charter. > > > > I don’t have a strong opinion or detailed proposal for what TPM output > > goes into the EAT or the particular HW, SW and attestation architecture > of > > the device. That’s something we can work out. I am pretty sure the device > > would have two attesters in a compound/layered arrangement. The > > attestation evidence produced by the TPM would be nested in the > > attestation evidence produced by the EAT attester. > > > > I have some leaning towards putting this work in the EAT document, but it > > could also be in another document. > > > > I think this is important for RATS because of the very strong > association of > > TPMs with good attestation and for the goal to support attestation for > all > > kinds of devices and environments (not just network equipment). > > > > > > A few things this is not about: > > > > - This is not about changing the format that a TPM2 outputs. This is > about > > the ability to use the off-the-shelf TPMs that are manufactured by the > > millions and sitting in warehouses today. > > > > - This is not about local device boot architecture. This is about remote > > attestation, about attestation evidence transmitted to the > verifier/relying > > party. > > > > LL > > _______________________________________________ > > RATS mailing list > > RATS@ietf.org > > https://www.ietf.org/mailman/listinfo/rats > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats > -- Best regards, Kathleen
- [Rats] Standardizing TPM output in attestation ev… Laurence Lundblade
- Re: [Rats] Standardizing TPM output in attestatio… Panwei (William)
- Re: [Rats] Standardizing TPM output in attestatio… Eric Voit (evoit)
- Re: [Rats] Standardizing TPM output in attestatio… Smith, Ned
- Re: [Rats] Standardizing TPM output in attestatio… Laurence Lundblade
- Re: [Rats] Standardizing TPM output in attestatio… Smith, Ned
- Re: [Rats] Standardizing TPM output in attestatio… Laurence Lundblade
- Re: [Rats] Standardizing TPM output in attestatio… Kathleen Moriarty
- Re: [Rats] Standardizing TPM output in attestatio… Kathleen Moriarty