IETF Logo Mail Archive

Re: [Rats] Two types of secure attestation

Monty Wiseman <montywiseman32@gmail.com> Wed, 27 November 2019 20:12 UTC

Return-Path: <montywiseman32@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D14D1207FC for <rats@ietfa.amsl.com>; Wed, 27 Nov 2019 12:12:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DymIDag0Zk5O for <rats@ietfa.amsl.com>; Wed, 27 Nov 2019 12:12:00 -0800 (PST)
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0572A120A78 for <rats@ietf.org>; Wed, 27 Nov 2019 12:11:56 -0800 (PST)
Received: by mail-qk1-x729.google.com with SMTP id x1so5961439qkl.12 for <rats@ietf.org>; Wed, 27 Nov 2019 12:11:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=EQDYeEI35TfwNNG/HH1X2QLyF0fQPDuPo9X/UxZLzM4=; b=aTs1rCkBwb7RqFyUTpl+19h4V8Xizllh7xpUigfKu8YVprXWm5x4IULHc8hZoRusfI jvQ++hJAxy0uMwdNH0jJCSbnGzoVIG2Z4LVldgInLhlwWRVNvSsj45V+pVdGVmplXQXd 3moOjesiJ3G/wqyoj72W5R5daI5t+TVtw1A+GVheyVKZ7o4+GS/03b4zDCflHN198kmI Kbv0h2ZcsMPGvrGscr+Z4iTo6d8azNhmQB3R11dXUjA9ITQmtRja7qA289EluK0Z2rhe Ljz1ORvsBD5k97rGx7iSLVskDFE0UF+CshA9fXZSRCPM4oi+pEF+RiRtExWQeY+lQ3Uj Yebg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=EQDYeEI35TfwNNG/HH1X2QLyF0fQPDuPo9X/UxZLzM4=; b=U8m12C6LnoPK23syyuB7Qso6nf7BQ7NGPzSaj+DJwQ7ogNQjklPZZQixGyFsG6PoY/ 94kb6vDuSyNzee3JZGYlw1ATmz6RBtXS3Fo5TUmQZbhaHtBft/m+UQS2BhPLOIvAFMIJ tFBxSneVfuTXB4LeAmCOct5WWWbrsKV4BkazbxxWe+8pgpUDUbxjukDq2AfaByU3yJ3G jRpo9KezKrDhgmVlVV5F1L4idtC7LP3vGFAGys07X6Aws5ue90zz42SUXU832OuYOeDx rhJp+rETChDfmSbnWtVVMYvUSKEid2VqKOqcP5FC/GgyHBvIV1EKcquIyQb1wMrX2tkw nxPA==
X-Gm-Message-State: APjAAAW9w68qqR5HLDZN0li8oQmz5eq2g52n/6bBFcZfZ5G1XToXM9Nn W5W4g12lfz3p6n2gKmYsKJmUhjk+
X-Google-Smtp-Source: APXvYqyCcqkS7NZ9WkgMfzx19++/faZsxzqoQ4l5eelloXRIR81QIkT45vMpSb/wg7f8MD7ynNF5KA==
X-Received: by 2002:a05:620a:a52:: with SMTP id j18mr6004867qka.385.1574885515724; Wed, 27 Nov 2019 12:11:55 -0800 (PST)
Received: from wmwdev1-f.mjwiseman.org (mobile-166-172-63-147.mycingular.net. [166.172.63.147]) by smtp.gmail.com with ESMTPSA id s63sm7301972qkf.129.2019.11.27.12.11.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 27 Nov 2019 12:11:55 -0800 (PST)
To: rats@ietf.org
References: <B099349B-711D-4A11-9E58-0886307FB7AF@island-resort.com> <CAHbuEH6qtVbzRXUALKBrr3butc8qT8Y81X-nQ6+PjC1n08CkvA@mail.gmail.com> <5DB30E08-9AB2-452A-B8D6-55BFD0AE5264@island-resort.com> <CAHbuEH4R4GZQCq9E1Nza8uPC=jxiM-FkV4tMrv9B==GsjvCLtw@mail.gmail.com> <34EB67FD-E76A-4132-87C4-C89EA70C9365@intel.com> <DC9F1051-E33A-477F-A855-2FBA33F8E8DF@island-resort.com> <cbb5f662-b073-5b5b-e504-56ea66b72744@sit.fraunhofer.de> <5A3105EA-8E54-4BB9-B266-96B6645811A1@island-resort.com> <c4967ed2-e484-d8c9-406b-8e1bb1b3b88d@sit.fraunhofer.de> <FF6F2CEE-1049-4B6C-8E12-9E21FE92D2F2@island-resort.com> <3285c3da-0748-5607-90ed-ac024ac826d0@sit.fraunhofer.de> <0384FAEE-6C5B-4A99-BBA0-F080DD27AA9B@island-resort.com> <def7a722-e357-a12a-1467-8ff8c442337e@sit.fraunhofer.de> <A9E1ED3A-80D1-4585-9029-A49CA5AE3AB6@island-resort.com> <52AC3EB5-1BD0-4A41-8EAD-5A779E125BF8@intel.com> <06543a46-8218-fa9c-827f-8a0e2d364963@sit.fraunhofer.de> <F74104BF-35C6-4375-A5A0-93FFA34619B6@island-resort.com>
From: Monty Wiseman <montywiseman32@gmail.com>
Message-ID: <7e387a02-4d49-3a52-572d-f7e61b4e729f@gmail.com>
Date: Wed, 27 Nov 2019 15:11:54 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.1
MIME-Version: 1.0
In-Reply-To: <F74104BF-35C6-4375-A5A0-93FFA34619B6@island-resort.com>
Content-Type: multipart/alternative; boundary="------------E54CCE35BD6A763A3CD5C48B"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/jkpMpnnj1I2NrR35CyQ1-zLCb9I>
Subject: Re: [Rats] Two types of secure attestation
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 20:12:03 -0000

Let's not use confusing terms like TPM-style / TCG language. I propose
we start with lower-level fundamental definitions or even axioms for
boot types. Within those definitions, I recommend deprecating the term
"Secure Boot" as it's imprecise and even misleading. I expect there to
be variations on these creating derivative definitions but I postulate
these are fundamental as basic building blocks.

Root of Trust: Something that is assumed to always operate in the
expected manner. The implementation is assumed to be correct. How it is
implemented it outside the scope of its definition.

Verified Boot: Starts with a Root of Trust. For this type of boot the
Root of Trust is the Root of Trust for Verification (RTV). The RTV
includes a boot policy which is likely a verification key. The RTV
enforces the boot policy which continues through the boot process
assuming each component continues enforcing the boot policy or other
policies authorized by the RTV's boot policy. The trust in the device
depends on the RTV's boot policy and not on any external entity such as a
Verifier. The boot policy is locked by the RTV and cannot be further
evaluated beyond a binary "Trusted" or "Not Trusted" state. The evidence
of whether this device is trusted is, therefore, determined by whether
it boot to the correct state. (Some would say this is "existential boot.)

The TPM has no dependency on Verified Boot and Verified boot has no
architectural dependence on the TPM.

Measured Boot: Starts with the Root of Trust. For this type of boot it
is the Root of Trust for Measurement (RTM). The RTM contains no boot
policy. The device's components are recorded and stored through the boot
process as each component is assumed to continue measurement process. At
some time during the boot process these measurements are converted to
evidence and send to a Verifier. The trust in the device depends on a
Verifier's evaluation of this evidence. The Verifier has a rich set of
policy options available it beyond a binary "Trusted" or "Not Trusted"
state. The type of boot depends on a trusted component (such as a TPM)
record and converted the measurements into evidence.

Summary:
The difference between Verified Boot and Measured boot is where the
policy is enforced.

Verified Boot:
       1> Policy is hard coded at boot time, is immutable, and binary.
       (This form of boot is "existential" -- The device either boots to
       a valid state, or not)

       2> Is simpler to implement but less flexible

Measured Boot:
       1> The trust state is determined by a Verifier using evidence
       about the device and a flexible set of policies.

       2> Is more complex to implement but more flexible.

Diagram:

Verified Boot===>

     Policy

     |

     V

     RTV --- Component --- Component --- Component --- End State:

     A trusted device state is created only if all policies were met
     (i.e, the device booted). If any policy was not met, the device (as
     it is expected) doesn't really exist (it appears as a different
     device)

Measured Boot===>

Policy

                                                                |

                                                                V

     RTM --- Component --- Component --- Component --- End State:

    Trust State determined by a Verifier by appraising evidence collected
    using a set of policies.

Monty

Disclaimer: This is my personal opinion and not that of my employeer or
the Trusted Ccomputing Group. While I co-chair TCG's Trusted Network
Connect and Infrastructure Working Groups, the above defintions have
not been officially adopted by the TCG's Technical Committee or Board of
Directors.

On 11/24/19 3:01 PM, Laurence Lundblade wrote:
>
>
>> On Nov 24, 2019, at 7:31 AM, Henk Birkholz 
>> <henk.birkholz@sit.fraunhofer.de 
>> <mailto:henk.birkholz@sit.fraunhofer.de>> wrote:
>>
>> Hi all,
>>
>> in a nutshell, one of the things I tried to express is that the 
>> following quite is simply not correct wrt to what is called here the 
>> "TPM-style" (I would really like to not use the words "TPM-style" and 
>> not to mixing authenticated & secure boot. Authenticated Boot is fine):
>> > Primarily the difference between TPM-style that doesn’t rely on 
>> secure boot and non-TPM-style that does rely on secure boot.
>
> It’s hard to know what to call things. I’m learning the “TCG language” 
> slowly and we’re also evolving (in the architecture document) a common 
> language. I keep trying terms and definitions to see what sticks and 
> what doesn’t. Pretty sure we agree on “attestation evidence”, 
> “verifier” and “attestation result”, but I don’t know what “secure 
> boot”, “authenticated boot” and “trusted boot” mean to you so I don’t 
> know which term to use.
>
>>
>> It is never possible to create TPM structures that are signed 
>> Attestation Evidence, if a device that is explicitly intended to 
>> conduct "secure boot" did actually not do so successfully. That is 
>> one of the key-features of TPM/TSS remote attestation procedures.
>
> It seems to me that TPM-style attestation where you measure each step 
> in the boot sequence and report to a verifier was designed to work 
> without secure boot. However I can see that it could also work with 
> secure / trusted / authenticated boot.
>
>
>>
>> On the other hand, what leaves me puzzled is the following. If these 
>> three quotes are all correct...
>>
>>> You cannot create an EAT unless the authenticated boot was 
>>> successful. The key material with which to sign the EAT is 
>>> inaccessible if authenticated boot fails (or else the device just 
>>> won’t boot at all).
>>
>> draft-ietf-rats-eat-01:
>>
>>> All claims are optional
>>
>> and draft-ietf-rats-eat-01 again:
>>
>>> 3.7.  Secure Boot and Debug Enable State Claims (boot_state)
>>>   This claim is an array of five Boolean values indicating the boot and
>>>   debug state of the entity.
>>
>> ... one is allowed either to omit that Claim in an EAT or set some 
>> values of the Claim members to false. Therefore indicating that the 
>> boot state is, e.g. "secure_boot_enabled=> false", and still be able 
>> to create the EAT. Is that correct? If not, why include this member 
>> of the boot_state Claim at all? It always made me think until now 
>> that it allows for a device to not conduct "secure boot" and still be 
>> able to create an EAT.
>
> Yes, you are right that in some cases it would make no sense to have 
> the secure boot claim. It is basically an implicit claim. Here’s some 
> where it does make sense to have an explicit secure boot claim.
>
>     The main attester might boot securely, but submods might not.
>
>     It is possible to build pure HW that implements EAT attestation.
>     It might be a part of a SoC. That attestation HW doesn’t use the
>     main CPU to implement the attester, but can report on how the main
>     CPU booted.
>
>
>
>>
>> Besides that, what I think we are actually talking about is implicit 
>> and explicit attestation.
>
> Seems like you have to say which claims are implicit and which claims 
> are explicit and in many attestations you need and get both.
>
> For example, you called out a situation where the secure boot claim is 
> implicit and questioned the need for the claim. I then called out a 
> situation where the secure boot claim is explicit.
>
> In one attestation the secure boot claim might be implicit and the GPS 
> location is explicit.
>
> LL
>
>
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email