Re: [Rats] Implementation report

"Laffey, Tom (HPE Aruba)" <tom.laffey@hpe.com> Thu, 22 February 2024 18:54 UTC

From: "Laffey, Tom (HPE Aruba)" <tom.laffey@hpe.com>
To: Yogesh Deshpande <Yogesh.Deshpande@arm.com>, Henk Birkholz <henk.birkholz@ietf.contact>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, rats <rats@ietf.org>, John Schmidt <john.schmidt.ietf@gmail.com>, Sean Turner <sean@sn3rd.com>
CC: Allan Friedman <allan.friedman@cisa.dhs.gov>
Date: Thu, 22 Feb 2024 18:53:54 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/lfHZexpZ7Nfm0u5ue47DoP6ugRI>

Hi Yogesh,

Regarding Hardware BOM, TCG has a specification under public review at https://trustedcomputinggroup.org/wp-content/uploads/TCG-Platform-Certificate-Profile-Version-2.0-Revision-38_2February24.pdf. Comments on the specification can be addressed to admin@trustedcomputinggroup.org.

The earlier (v1.1) version of this specification is supported by a number of hardware manufacturers.

Regards,
Tom



-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of Yogesh Deshpande
Sent: Wednesday, February 21, 2024 3:31 AM
To: Henk Birkholz <henk.birkholz@ietf.contact>; Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; rats <rats@ietf.org>; John Schmidt <john.schmidt.ietf@gmail.com>; Sean Turner <sean@sn3rd.com>
Cc: Allan Friedman <allan.friedman@cisa.dhs.gov>
Subject: Re: [Rats] Implementation report

Hi Henk,

What you mentioned below is a perfect use case which has frequently been discussed across multiple groups,
i.e. how remote attestation can assist in getting access to deeper insight into the authenticity of the secure software supply chain.

For this process to move forward, we not only need SBOM but also HBOM ( https://www.cisa.gov/sites/default/files/2023-09/A Hardware Bill of Materials Framework for Supply Chain Risk Management (508).pdf )

Hardware Profile is being discussed in the SPDX community also, and linking various Bills of Materials can assist in visibility of overall endpoint security via remote attestation.

I would be quite keen to promote this discussion during coming IETF (though attending remotely).

Regards,
Yogesh Deshpande

-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of Henk Birkholz
Sent: Wednesday, February 21, 2024 11:11 AM
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; rats <rats@ietf.org>; John Schmidt <john.schmidt.ietf@gmail.com>; Sean Turner <sean@sn3rd.com>
Cc: Allan Friedman <allan.friedman@cisa.dhs.gov>
Subject: Re: [Rats] Implementation report

Hi Kathleen,

thank you for the pointers! Will you be in Brisbane?

Looking at your last link, I am wondering if there are plans for future projects. Say... remote attestation based authenticity assurance in the software supply chain: and I am thinking along the lines of "Trustworthy SBOMs", which would be a scenario that would combine various building blocks and that is definitely still in demand of more standards consolidation.

Because
https://learn.cisecurity.org/built-in-security-scale-hardware-support
cited https://www.cisa.gov/securebydesign , I am reeling Allan into this reply. So that he is aware that we could do something meaningful here :-)


Best regards,

Henk

On 13.02.24 15:58, Kathleen Moriarty wrote:
> Greetings!
>
> Last year, I introduced my team to RATS work and pulled together a
> project that was a lead in to the attestation sets draft, implementing
> largely what's described in
> https://datatracker.ietf.org/doc/draft-ietf-rats-endorsements/
>
> It took some time to complete due to some hyperscaler environments not
> having a TPM or access to it from the container orchestration platform
> or virtual server host. Once we secured an environment where this was
> possible, through use of the IMA libraries (created for this purpose
> and previously proven by RedHat), positive results were demonstrated.
> The objective was to test assurance to CIS Benchmarks as that was my
> employer at the time. We hope you find this report useful.
>
> https://www.rsaconference.com/Library/blog/automated-assurance-on-a-path-to-becoming-practical
>
> This was done at the same time other team members were researching the
> prevalence of TPMs and TEEs in infrastructure. The purpose of that
> work was to signal that hardware support is increasingly available and
> should be used to ease configuration management and posture assurance capabilities.
>
> https://www.cisecurity.org/insights/white-papers/built-in-security-at-scale-through-hardware-support
>
> The timeline could include more data points; we included key points.
>
> I am copying John Schmidt who did the work. Sean Turner joined the
> project in September and assisted with key management, application of
> cryptography, and validation. Thank you both for your great work to
> successfully implement this PoC!
>
> --
>
> Best regards,
> Kathleen
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats 
