IETF Logo Mail Archive

Re: [Rats] Definition of an Attesting Environment (and layered attestation)

Thomas Fossati <tho.ietf@gmail.com> Thu, 24 June 2021 12:41 UTC

Return-Path: <tho.ietf@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 454A53A1B81 for <rats@ietfa.amsl.com>; Thu, 24 Jun 2021 05:41:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qG_zKpLHa6zT for <rats@ietfa.amsl.com>; Thu, 24 Jun 2021 05:41:01 -0700 (PDT)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 503843A1B78 for <rats@ietf.org>; Thu, 24 Jun 2021 05:41:01 -0700 (PDT)
Received: by mail-lj1-x235.google.com with SMTP id c16so7535721ljh.0 for <rats@ietf.org>; Thu, 24 Jun 2021 05:41:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=r4BoGqZnr9dyCcaEM5HhbuKgOlUC93KFicMrDoN5ltA=; b=uoE1gytpZzwaqZaeQ2PjRcKsmEyd2/KMj58Z+y+PAfgDMA52xb2W3YtNPbkXWnQxLf UWP5G/QGBB3/dPaF/Bbo6w70dCJRmJHN1RIjZN6GkCnehEyrM3BEszYr4pL9jrge30Cy pp2hCahQUh0Fw55df4Du7HV1xl+RWEHDfV0G2vCgzMwerBRCROWtuNXSEFo/X5TxVXhw FsNeu86hlv30x18xXbjXkyb/r9RywTDP6r1U7xBhhfsHoyynY8YANe24K5LFF7ozPv2u aghFINHgSvctNiqP+HfK3zpeE34qcX0axOg/ovsTB5mjofn+kpMfpVvo0DbTI+zsrIru T42Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=r4BoGqZnr9dyCcaEM5HhbuKgOlUC93KFicMrDoN5ltA=; b=UujZjJKXaRpsLl4v80xyE+sPeZs+3FqbIogXjLvmOsuXmDuW7Ege4STPMoC+hNPMbP +onBWKJ1JPVxpvuQNZpSWPNtVae05BIIC/G2DlmrR/0T5sV+Taa3FPXiJry3oe6qeAqP aozKfAKTv+bG2sYO2z5X4+DlMd8jHtqp1HLQZmPGEEFCng5prUbxEmdy48H5x7Ly0rKV OZ6HkAoV+DDxdMjMezintBMTt7Z8KS1QV28WqoET/PowNWQL6b2w+vNsb2bBaZQb6osv m+R6IDeEKtZ9dxB/Z9eZoLFIatmmcXlNwBVqtTaXIIZ8P3PN0yuH+N7YxL/LjdyfeQnz 9B9A==
X-Gm-Message-State: AOAM5309InsuFihwe5jQMTSwbjyb9qL2PipGwdcGCHlrNkd2nOXGTKkw WGwv9BiMGh7+c7arGneGvc//tzj7REX1j/hqJWYNYypPMr/JOw==
X-Google-Smtp-Source: ABdhPJwe99OnKhGb7kzO6n0K2wCVo8dado5WXU+RwDllrYDhrucRbea8IVL3JjdLjzx9Eeg37+4c/wzdlC6sBgjWGio=
X-Received: by 2002:a2e:7a16:: with SMTP id v22mr3752225ljc.101.1624538457427; Thu, 24 Jun 2021 05:40:57 -0700 (PDT)
MIME-Version: 1.0
References: <617FC3B4-5C1B-4D35-BD4B-9AC2D1362930@island-resort.com>
In-Reply-To: <617FC3B4-5C1B-4D35-BD4B-9AC2D1362930@island-resort.com>
From: Thomas Fossati <tho.ietf@gmail.com>
Date: Thu, 24 Jun 2021 13:40:46 +0100
Message-ID: <CAObGJnNRbA1sKuTCBLpdUtLmjNW+qgRZrGd=dHZ7ZrfXkJJizw@mail.gmail.com>
To: Laurence Lundblade <lgl@island-resort.com>
Cc: rats@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/ptJBKHRCGW92lB3VpnvwhtdOXZU>
Subject: Re: [Rats] Definition of an Attesting Environment (and layered attestation)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jun 2021 12:41:06 -0000

Hi Laurence, just a couple of points (see below).

On Wed, Jun 23, 2021 at 8:53 PM Laurence Lundblade
<lgl@island-resort.com> wrote:
>
> The definition of Attesting Environment seems more implied than explicit.
>
> Does an Attesting Environment always have key material?

I don't think so.  An Attesting Environment (AE) could create unsigned
evidence and rely on a "trusted communication path" with some other AE
(e.g., one at a lower layer in the boot chain) that has the signing
capability.  (I don't know if this changes the picture you are trying
to make though.)

> Does an Attesting Environment always create Attestation Evidence (or vice versa, does Attestation Evidence always come from an Attesting Environment)?
> Does the output of an Attesting Environment always go to a Verifier?
>
> I think the answer to all of the above is yes. I think it is yes because this is *remote* attestation. The Verifier is always remote in relation to the Attester.
>
> the layered attestation diagram is not right because it has the output of one Attesting Environment going into another Attesting Environment.

I agree with you that the figures in the architecture document might
become slightly surprising when you try to combine them together.  See
[1].

[1] draft https://github.com/ietf-rats-wg/architecture/issues/344

> My thought is that the ROM is a Target Environment from which some claims originate, not an Attesting Environment in the RATS sense. I think it is fine that it works as described, but I don’t see it as an Attesting Environment. I don’t think the ROM has key material it uses to sign Attestation Evidence.

In some cases it doesn't, in others (notably DICE [2]) it does.

[2] https://trustedcomputinggroup.org/wp-content/uploads/Hardware-Requirements-for-Device-Identifier-Composition-Engine-r78_For-Publication.pdf

cheers!

> To go further here, how do subsystems in a device boot up and trust each other? I think there’s number of ways this can happen. One of them is what is described in the layered attestation section, but this is particularly complex and interesting SoC / device that has tens of very different subsystems of very different natures with different CPUs and CPU types. For example a mobile phone has a GPU, a modem, a security processor / TEE, a main CPU, a Secure Element, an audio DSP and… It’s far more complex than what is described in the layered attestation section.
>
> Sometimes two subsystems trust each other just because they are on the same silicon die or because they are soldered on to the same PCB. Or, they can trust each other because they were booted out of the same ROM. It can also be because of staged boot as described in layered attestation. They can trust each other because some main system like the TEE booted each of them.
>
> In a mobile phone, there’s only one RAM part that is used by all the subsystems. For each subsystem to have integrity the MMU’s and SMMU’s have to be set up correctly and play a part in how subsystems trust each other.
>
> So I kind of don’t see the point of the current section of layered attestation in the RATS architecture draft. It is too simplistic to cover complex devices.
>
> It also seems a bit of an overreach to try to detail how al the different subsystems on a device can or should trust each other. It would be complex, hard and take a year or two to do.
>
> Also, in previous emails, I have suggested that layered attestation might be something quite different. It is more of an alternative to endorsements for establishing trust in an attesters.
>
> LL

-- 
Thomas

v2.23.0 | Report a Bug | By Email