IETF Logo Mail Archive

Re: [Rats] Standardizing TPM output in attestation evidence

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 20 August 2021 12:17 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3417D3A260F for <rats@ietfa.amsl.com>; Fri, 20 Aug 2021 05:17:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QToRgALobC4c for <rats@ietfa.amsl.com>; Fri, 20 Aug 2021 05:17:31 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2303F3A260E for <rats@ietf.org>; Fri, 20 Aug 2021 05:17:31 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id x6so527732uai.11 for <rats@ietf.org>; Fri, 20 Aug 2021 05:17:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K+EK0kHMsApe1WG/+GMpQIy034p8xAJROcZ81/LZb+A=; b=LPH7kVGypn49AGs2SRyl8WBepsbeAjLwM0onPFZ4KOSN80W2guNsOyIdB2EKoszdcZ W5ZOphKYfd6Mj/195ksCHOZEQbC0PCnUlWQoMByTi2Y/MCMn8JXyXldt714fy9oOMQ6F I1J2X66k38siUIY9To+pyM5Qi1vbZtw3yFCWDSRLULXNc+XDSuDPIKG73KmKZSQnFRBf wB8UyIZVs2IsXRYb5mxGFkexoDgStk5yNyXNBi6ZA/ibiicDO1MmGEFir/u8pEZEmzvF JDIEURLf4NNLPTpVShjQXcxj4lfmsX/cgNTjBoL23h6qPEXkRafSEZ27kMjBccFlfNqE dXeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K+EK0kHMsApe1WG/+GMpQIy034p8xAJROcZ81/LZb+A=; b=KFo5rR3pGJKRdimFP0axsPjiPLz/4R3H28JeRepgkhoN8/t5o9zWY6JtM5usPqg0Zv 2W0eCSca9QhgqJ6EfZ3hsx/hmw5XdA4rlxd0tC4zYQuF6LxOv2G5zig95MD649LQVjjq VVfVOh4zoD7PM/2MyijcjO4J2CD01zlVDw41XrtnolawZZZowIMMicRo8B1Byu11KyM6 4wr6dAeBy+jJB6ZgkngujmH9IsX3Yx3b5EIzKbP2jzg+spi0bG2LEi0PU4fbwmobTgPe s4ovTSU4+gIGxc62sJSznn9L+SCh769+zvZOLMgJvsR2eDy+Uwm3E3hc9KyITQOWN3tE Bfzw==
X-Gm-Message-State: AOAM530ZRikz2Y2ypj5BBxesoXrCRauBmYny1rQuzy0VDoiDRNn1U9bw vvYxchmBmEbSF711rmt0rqhr1LHqDk0v6qXqWyA=
X-Google-Smtp-Source: ABdhPJxpZnlFWZi7w+f2ZBJlX2gX3Mq6WJt3vseD4Q3FIZVWiwr2JddZfGxNdhW8Gu55TQSAlhIZBQrito148OqVNaI=
X-Received: by 2002:ab0:49a4:: with SMTP id e33mr14828804uad.12.1629461849137; Fri, 20 Aug 2021 05:17:29 -0700 (PDT)
MIME-Version: 1.0
References: <88C94025-5596-4E81-9618-036D6CF9F6E9@island-resort.com> <fa4098b851034bcbb9504928bfcd903d@huawei.com>
In-Reply-To: <fa4098b851034bcbb9504928bfcd903d@huawei.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 20 Aug 2021 08:16:53 -0400
Message-ID: <CAHbuEH7unUvLxbhcVhm3OhtzgBXYwe=JGpVyMprG3XP7NHC_Xw@mail.gmail.com>
To: "Panwei (William)" <william.panwei@huawei.com>, "Fontes, Antonio" <Antonio.fontes@dell.com>
Cc: Laurence Lundblade <lgl@island-resort.com>, rats <rats@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b1658105c9fca645"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/jQxKKnnRumCXMJdJau92bCndcqg>
Subject: Re: [Rats] Standardizing TPM output in attestation evidence
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2021 12:17:36 -0000

Panwei,

I agree and that's what's proposed in my draft, to share the log output or
a link to the TPM log. I don't think we need to replicate the format of the
TPM and for the design in attestation sets, you'd include all of the
relevant logs (or a pointer if that can work) to the TPM log, PCR log, or
other relevant signed log on other platforms (TBD) that align to a set of
policies or measurements to that defined set.

Best regards,
Kathleen

On Thu, Aug 5, 2021 at 6:07 AM Panwei (William) <william.panwei@huawei.com>
wrote:

> Hi Laurence,
>
> Thanks for sharing your thoughts. I think the use case is reasonable.
> I agree with you that these types of devices may not use YANG, so some
> other means need to be provided, for example defining the CWT claims.
>
> The CHARRA draft defines the attestation evidence suitable for devices
> using TPMs in YANG, but YANG doesn't provide security protection for the
> output of TPM. Actually the output of TPM is already signed by the TPM
> itself, what we need is to provide a secure transportation for the output,
> for example using NETCONF. TPM itself isn't the Attesting Environment, so
> it doesn't produce the Evidence directly, it needs other component's help
> to generate the YANG styled Evidence, and TPM's output is
> So this may be a little different than the current EAT claims. We have two
> options to handle the TPM's output, one is to define the traditional CWT
> claims, and the TPM's output is the "value" part of the claim, and then use
> the EAT attester's key to protect the claim. The other option is to just
> define the UCCS-style claims and use the secure transportation to transfer
> the claims and no need to sign the claims again.
>
> I don't know whether this should be defined in EAT draft or a separate
> draft. But I'd like to highlight that even if the device only has TPM and
> has no EAT attester/Attesting environment, the YANG data models may also
> not be suitable for this device and it has to use some other format data
> models.
>
> Regards & Thanks!
> Wei Pan
>
> > -----Original Message-----
> > From: RATS [mailto:rats-bounces@ietf.org] On Behalf Of Laurence
> > Lundblade
> > Sent: Thursday, August 5, 2021 4:27 AM
> > To: rats <rats@ietf.org>
> > Subject: [Rats] Standardizing TPM output in attestation evidence
> >
> > There has been a side discussion about TPMs and EAT. This is to bring it
> to
> > the main RATS list and to state more clearly the use case I have in mind.
> >
> > The devices I’m thinking of are roughly this:
> >  - Desktops, servers, IoT devices… (not network equipment, probably not
> > mobile phones)
> >  - They have an off-the-shelf TPM2 soldered on to their PCB
> >  - Likely to be Intel CPUs, but not necessarily
> >
> > We want these devices to do attestation and generate attestation evidence
> > (all devices on the Internet should do attestation at some point!). We
> want
> > that attestation evidence to include measurements taken by the TPM. We
> > also want attestation evidence from parts of the device other than the
> TPM.
> >
> > That’s the very general use case I have in mind very simply stated.
> >
> > Assuming this use case makes sense, then how should this get standardized
> > and implemented?
> >
> > There is protocol standardization in YANG now for TPM output, but I don’t
> > think we want to use YANG for this. I don’t think YANG is in common use
> for
> > these types of devices and has a particular interaction model. I think
> EAT is
> > a good candidate because it is an independently secured blob that can be
> > carried by the protocols already in use with these devices.
> >
> > This then requires that some output from the TPM be put into an EAT. It
> > seems useful to standardize that here in RATS and it seems in scope for
> the
> > charter.
> >
> > I don’t have a strong opinion or detailed proposal for what TPM output
> > goes into the EAT or the particular HW, SW and attestation architecture
> of
> > the device. That’s something we can work out. I am pretty sure the device
> > would have two attesters in a compound/layered arrangement. The
> > attestation evidence produced by the TPM would be nested in the
> > attestation evidence produced by the EAT attester.
> >
> > I have some leaning towards putting this work in the EAT document, but it
> > could also be in another document.
> >
> > I think this is important for RATS because of the very strong
> association of
> > TPMs with good attestation and for the goal to support attestation for
> all
> > kinds of devices and environments (not just network equipment).
> >
> >
> > A few things this is not about:
> >
> > - This is not about changing the format that a TPM2 outputs. This is
> about
> > the ability to use the off-the-shelf TPMs that are manufactured by the
> > millions and sitting in warehouses today.
> >
> > - This is not about local device boot architecture. This is about remote
> > attestation, about attestation evidence transmitted to the
> verifier/relying
> > party.
> >
> > LL
> > _______________________________________________
> > RATS mailing list
> > RATS@ietf.org
> > https://www.ietf.org/mailman/listinfo/rats
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>


-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email