[Rats] Re: Security considerations of remote attestation (RFC9334)

Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Fri, 15 November 2024 14:37 UTC

Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAB24C1D4A93 for <rats@ietfa.amsl.com>; Fri, 15 Nov 2024 06:37:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sHP3QycFFtXU for <rats@ietfa.amsl.com>; Fri, 15 Nov 2024 06:37:35 -0800 (PST)
Received: from mailout3.zih.tu-dresden.de (mailout3.zih.tu-dresden.de [141.30.67.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A754C1CAE9F for <rats@ietf.org>; Fri, 15 Nov 2024 06:37:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=In-Reply-To:From:References:CC:To:Subject: MIME-Version:Date:Message-ID:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=D3AItiCC7d22Fq0SBU9Q+RXt2KBX3h5JLkiB/6iw7PQ=; b=GPQasnoOnowNQOCBtRWJBOR2b8 p2c+SsRSYjy5SipsqQlmWnXwgOvTvfCUF4jDccaCU9uDrh3ZLTLHuoyfP2uwVvP/V5wX12xdxCxUS ilIy5mNc1SKMgc7iQd6qwsiZ/5kpnxxZu9TFNQ3owda/kzW2Qspq9eMARPnWJlst8NP0Wn6HHXHdG pXdpyHtacawSKF0CpH/cjzx0YtZ7q7yT8/4DrTFFim/+bxEdlvdiMwnFj+zV85IaPAC+o6Ur8UBFM QaB6Xj2CptQr9MviHZ3Q5jxHj6wj1O1lvHH+AQ5rwiboXHtKSLZAEaxTLw0xz1NELcSwbHrzQNG0+ U4pIMitQ==;
Received: from [172.26.35.111] (helo=msx.tu-dresden.de) by mailout3.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1tBxRz-003Vgb-TB; Fri, 15 Nov 2024 15:37:32 +0100
Received: from msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) by MSX-T311.msx.ad.zih.tu-dresden.de (172.26.35.111) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Fri, 15 Nov 2024 15:37:25 +0100
Received: from [192.168.1.2] (77.11.153.232) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Fri, 15 Nov 2024 15:37:24 +0100
Content-Type: multipart/alternative; boundary="------------o1rPXPRwm0poKE78nNdZMU2o"
Message-ID: <c4648553-75e7-43dd-820a-cd01c6b61edf@tu-dresden.de>
Date: Fri, 15 Nov 2024 15:37:23 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: "lgl island-resort.com" <lgl@island-resort.com>
References: <4ffdd034-05ec-4565-9cad-b40ff82f83fc@tu-dresden.de> <CA+1=6yfZUNuy8gd2xj1eicL86qA5sq+=G8+4V9GT_3YffhuyfQ@mail.gmail.com> <AD3F6AC6-C112-4A7A-BBA4-8646CF277EED@island-resort.com> <2bed23f7-19bb-4c03-8ff8-58f12fb6a25a@tu-dresden.de> <6E00CCDE-4B56-4D81-B44B-4080170FFEDE@island-resort.com>
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <6E00CCDE-4B56-4D81-B44B-4080170FFEDE@island-resort.com>
X-ClientProxiedBy: MSX-L316.msx.ad.zih.tu-dresden.de (172.26.34.116) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout3.zih.tu-dresden.de
Message-ID-Hash: IRCVZGETQTO6IERV5NPD6IPNQN66IOQS
X-Message-ID-Hash: IRCVZGETQTO6IERV5NPD6IPNQN66IOQS
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Thomas Fossati <thomas.fossati@linaro.org>, "rats@ietf.org" <rats@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: Security considerations of remote attestation (RFC9334)
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/nsXcf5m22Eo7v5T31QGblVoOkpo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Hi Laurence,

On 14.11.24 19:45, lgl island-resort.com wrote:
> Generally, I’m only hoping for some attention to be put on some of the 
> fundamentals that get less attention like key lifecycles. Certainly 
> not objecting to any work. 
Indeed, I misunderstood your previous email to mean that we should not 
work on these because they are pretty well-understood. Anyway, thanks 
for the clarification.
> Maybe I’m missing something, but freshness doesn’t seem any different 
> for a TEE than any other environment.

I feel that it is even less understood in TEEs - perhaps because of the 
complexity and the strict threat model. Additionally, the confidential 
computing hardware vendors as well as the framework developers either do 
not specify things at all or leave it underspecified.

>>> Integrity and authenticity are pretty well understood too.
>>>
>> Disagree here as well and a couple of Pandora boxes for TEEs to get 
>> started:
>>
>>   * For authenticity, we need identity. What exactly is the identity
>>     of the workload?
>>   * If the certificates tie the workload to a unique physical
>>     platform, how does the migration of workload work?
>>
> Agree that identity is not well understood. I wasn’t including that in 
> the “integrity and authenticity” frame when I made my comment. I'm 
> happy that we work on identify however we classify it.
>
To me, authenticity (or authentication) refers to the guarantee that 
Verifier communicates with the /intended/ Attester (as we defined in 
Sec. II.C.3 of [1]); and to distinguish intended Attester from other 
Attesters, we need to have some form of identity of Attester. Happy to 
know/discuss if WG interprets it differently.

[1] 
https://www.researchgate.net/publication/375592777_Formal_Specification_and_Verification_of_Architecturally-defined_Attestation_Mechanisms_in_Arm_CCA_and_Intel_TDX

>
>>> How keys are stored in the device and how they are put into the 
>>> device is really important? Typically this is during manufacturing 
>>> and requires secure facilities.
>>>
>> Fully agree, and I think no vendor ever specified this. If anyone is 
>> aware of any spec, please point me to it.
>>
> Vendors may not share much here. From what I know it is often 
> proprietary. It may be in the realm of where physical and operational 
> security come into play. That doesn’t mean that we can’t have useful 
> things to say.
Would be great to have your and WG insights added to the document, since 
I don't have much to add here.

Regards,

Usama