Re: [Rats] Implementation report

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 22 February 2024 21:30 UTC

References: <CAHbuEH6NU0yKDX=qwwf_xauKraejKuDa+5XNY-Q6pVv-i1RKbQ@mail.gmail.com> <4376cd0f-bd4d-c2dd-4ace-047e05d55677@ietf.contact> <DB9PR08MB9851138D941F1DFB92C9E0398E572@DB9PR08MB9851.eurprd08.prod.outlook.com> <SJ0PR84MB16490018E2E4428877DFC10281562@SJ0PR84MB1649.NAMPRD84.PROD.OUTLOOK.COM>
In-Reply-To: <SJ0PR84MB16490018E2E4428877DFC10281562@SJ0PR84MB1649.NAMPRD84.PROD.OUTLOOK.COM>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 22 Feb 2024 16:30:08 -0500
Message-ID: <CAHbuEH5M700GqWE33J-4Do9pPKqrduoBMQ9QcAGXuR84DkCq8Q@mail.gmail.com>
To: "Laffey, Tom (HPE Aruba)" <tom.laffey@hpe.com>
Cc: Yogesh Deshpande <Yogesh.Deshpande@arm.com>, Henk Birkholz <henk.birkholz@ietf.contact>, rats <rats@ietf.org>, John Schmidt <john.schmidt.ietf@gmail.com>, Sean Turner <sean@sn3rd.com>, Allan Friedman <allan.friedman@cisa.dhs.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/mDeCfCzLcj3D95g0fn9stxrgKCo>
Subject: Re: [Rats] Implementation report

Thank you for your comments!

I'd also like to see next steps include the reporting of compliance to a
set of configuration requirements (e.g. Benchmark) by using the attestation
set draft model. I am hoping we have a revision of that draft ready for
Brisbane and need to touch base with the co-authors who have volunteered.

A couple of notes: I have moved on from CIS and do remain very interested
in the larger picture of attestation and its intersection with supply chain
management with SBOMs. I'm in the process of developing a course aimed at
vendors that will be Georgetown accredited to help support the needs of
small and medium businesses using these standards in use cases aligned to
their needs. In terms of additional projects, it likely won't happen
through CIS, however I could assist in leading such efforts elsewhere as a
consultant. I won't be in Brisbane, but would appreciate a sync on
potential efforts and future direction as this work is all very promising.

Another note: last I spoke with John Schmidt, who implemented the project
under my guidance, he was working on another MS degree and available for an
internship or full time position. It might be helpful to this list as the
base knowledge required takes a bit to gain.

Best regards,
Kathleen

On Thu, Feb 22, 2024 at 1:54 PM Laffey, Tom (HPE Aruba) <tom.laffey@hpe.com>
wrote:

> Hi Yogesh,
>
> Regarding Hardware BOM, TCG has a specification under public review at
> https://trustedcomputinggroup.org/wp-content/uploads/TCG-Platform-Certificate-Profile-Version-2.0-Revision-38_2February24.pdf.
> Comments on the specification can be addressed to
> admin@trustedcomputinggroup.org.
>
> The earlier (v1.1) version of this specification is supported by a number
> of hardware manufacturers.
>
> Regards,
> Tom
>
>
>
> -----Original Message-----
> From: RATS <rats-bounces@ietf.org> On Behalf Of Yogesh Deshpande
> Sent: Wednesday, February 21, 2024 3:31 AM
> To: Henk Birkholz <henk.birkholz@ietf.contact>; Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com>; rats <rats@ietf.org>; John Schmidt <
> john.schmidt.ietf@gmail.com>; Sean Turner <sean@sn3rd.com>
> Cc: Allan Friedman <allan.friedman@cisa.dhs.gov>
> Subject: Re: [Rats] Implementation report
>
> Hi Henk,
>
> What you mentioned below is a perfect use case which has frequently been
> discussed across multiple groups,
> i.e. how remote attestation can assist in getting access to deeper insight
> into the authenticity of a secure software supply chain.
>
> For this process to move forward, we not only need SBOM but also HBOM (
> https://www.cisa.gov/sites/default/files/2023-09/A Hardware Bill of Materials Framework for Supply Chain Risk Management (508).pdf )
>
> Hardware Profile has been discussed in the SPDX community also, and linking
> various Bills of Materials can assist in visibility of overall endpoint
> security via remote attestation.
>
> I would be quite keen to promote this discussion during coming IETF
> (though attending remotely).
>
> Regards,
> Yogesh Deshpande
>
> -----Original Message-----
> From: RATS <rats-bounces@ietf.org> On Behalf Of Henk Birkholz
> Sent: Wednesday, February 21, 2024 11:11 AM
> To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; rats <
> rats@ietf.org>; John Schmidt <john.schmidt.ietf@gmail.com>; Sean Turner <
> sean@sn3rd.com>
> Cc: Allan Friedman <allan.friedman@cisa.dhs.gov>
> Subject: Re: [Rats] Implementation report
>
> Hi Kathleen,
>
> thank you for the pointers! Will you be in Brisbane?
>
> Looking at your last link, I am wondering if there are plans for future
> projects. Say... remote attestation based authenticity assurance in the
> software supply chain: and I am thinking along the lines of
> "Trustworthy SBOMs", which would be a scenario that would combine various
> building blocks and that is definitely still in demand of more standards
> consolidation.
>
> Because
> https://learn.cisecurity.org/built-in-security-scale-hardware-support
> cited https://www.cisa.gov/securebydesign , I am reeling Allan into this
> reply. So that he is aware that we could do something meaningful here :-)
>
>
> Viele Grüße,
>
> Henk
>
> On 13.02.24 15:58, Kathleen Moriarty wrote:
> > Greetings!
> >
> > Last year, I introduced my team to RATS work and pulled together a
> > project that was a lead-in to the attestation sets draft, implementing
> > largely what's described in
> > https://datatracker.ietf.org/doc/draft-ietf-rats-endorsements/
> >
> > It took some time to complete due to some hyperscaler environments not
> > having a TPM or access to it from the container orchestration platform
> > or virtual server host. Once we secured an environment where this was
> > possible, through use of the IMA libraries (created for this purpose
> > and previously proven by RedHat), positive results were demonstrated.
> > The objective was to test assurance to CIS Benchmarks as that was my
> > employer at the time. We hope you find this report useful.
> >
> > https://www.rsaconference.com/Library/blog/automated-assurance-on-a-path-to-becoming-practical
> >
> > This was done at the same time other team members were researching the
> > prevalence of TPMs and TEEs in infrastructure. The purpose of that
> > work was to signal that hardware support is increasingly available and
> > should be used to ease configuration management and posture assurance
> > capabilities.
> >
> > https://www.cisecurity.org/insights/white-papers/built-in-security-at-scale-through-hardware-support
> >
> > The timeline could include more data points; we included key points.
> >
> > I am copying John Schmidt who did the work. Sean Turner joined the
> > project in September and assisted with key management, application of
> > cryptography, and validation. Thank you both for your great work to
> > successfully implement this PoC!
> >
> > --
> >
> > Best regards,
> > Kathleen
> >
> > _______________________________________________
> > RATS mailing list
> > RATS@ietf.org
> > https://www.ietf.org/mailman/listinfo/rats
>
>


-- 

Best regards,
Kathleen