IETF Logo Mail Archive

Re: [Rats] Definition of an Attesting Environment (and layered attestation)

"Smith, Ned" <ned.smith@intel.com> Thu, 15 July 2021 17:57 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F61D3A15B8 for <rats@ietfa.amsl.com>; Thu, 15 Jul 2021 10:57:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=intel.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bUSZ9V9JZKha for <rats@ietfa.amsl.com>; Thu, 15 Jul 2021 10:57:12 -0700 (PDT)
Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 967B93A15B4 for <rats@ietf.org>; Thu, 15 Jul 2021 10:57:06 -0700 (PDT)
X-IronPort-AV: E=McAfee;i="6200,9189,10046"; a="271713532"
X-IronPort-AV: E=Sophos;i="5.84,243,1620716400"; d="scan'208,217";a="271713532"
Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Jul 2021 10:57:00 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.84,243,1620716400"; d="scan'208,217";a="460473669"
Received: from fmsmsx603.amr.corp.intel.com ([10.18.126.83]) by orsmga008.jf.intel.com with ESMTP; 15 Jul 2021 10:57:00 -0700
Received: from fmsmsx606.amr.corp.intel.com (10.18.126.86) by fmsmsx603.amr.corp.intel.com (10.18.126.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10; Thu, 15 Jul 2021 10:56:59 -0700
Received: from fmsedg601.ED.cps.intel.com (10.1.192.135) by fmsmsx606.amr.corp.intel.com (10.18.126.86) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10 via Frontend Transport; Thu, 15 Jul 2021 10:56:59 -0700
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (104.47.57.175) by edgegateway.intel.com (192.55.55.70) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.10; Thu, 15 Jul 2021 10:56:42 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=buseNwBdj83FmL+TwMnU/+fA+wZBTINsVh9pjxgJPQOQfap4TJcFB5BPCsrI7fQTm6Z03LAFwqxmpvqzYp0SjgIn+shMqJ/DNJ1/s/m8huQw0K++8m+cOcSqpwu4Sajtr99rbPawVxJBz8COy9mONakx45+YNkkR89slqxcfLOoeznMCPwfXWZBlTRU9vPF4R+1FhdgnsOX66azDDeVruB3q8Uqvu/JIzwZHrt2VYygx22oLdUqlMCOSn/00UBjHhHE76blto6/qSSHmLpJ4yXvhvvF50oLol6PcyjIcu5Z6qhO0SpJg1PviFse2gWfMw3wFyKh2IriG753YzIF21g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WL+HFVzQuz0OVW8fj2Wv4rLLa0thwOyXWC1jdhkCfes=; b=U/zYreDQbG8HsNkkO8wtnQdx/A50TMkghq/8oTtP4+4R305jzDYPOzrr9RTr1oppylgWtqJ6Z1py0bNPqwoq9rrvk2WxGHWVy2lHSCncKM7PQUHtgE95QtfTldVRZcEiUMY61cV6dJ6oTEmSdYk1wgdSMGOXoW28mZryCW6EHal873iJyPZigvCaDvFZ/I6lqg3++qx8nuZ9KWiuVy63pNKOLHbYjalyfQ4mdoSAPLPNR2bgpzxOq3fDEK8Qiq/1vbZlKWT0eF9JSezNm05ij5e0L2U1WpPa4r12ZVGJ0RiyOD9FltrpENH1e9TuGBEAuzMe2RUktWSIwMMPEvNDiQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WL+HFVzQuz0OVW8fj2Wv4rLLa0thwOyXWC1jdhkCfes=; b=k/IWqZSlhlMBOuJ1F+Jz0t8LVcHA1+8nbhNVMV4cYAuQXvWqp1xj0OMMORryfQ1jAo0aGmfJa5pl+B2lqWdM14shSd+QdGxzNQ96bZmsnFjo4A7EA17UfOdANrv9zqFHn8E2ugL20hPVPG9QQus9KwsfNrsGFh57JblsIdc+SRQ=
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by MW3PR11MB4524.namprd11.prod.outlook.com (2603:10b6:303:2c::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4308.22; Thu, 15 Jul 2021 17:55:43 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::e9f3:b903:83f2:d244]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::e9f3:b903:83f2:d244%2]) with mapi id 15.20.4331.021; Thu, 15 Jul 2021 17:55:43 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Laurence Lundblade <lgl@island-resort.com>
CC: Thomas Fossati <tho.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Definition of an Attesting Environment (and layered attestation)
Thread-Index: AQHXaGmB6CwAiJX4JkiQuLOMsIY/wKsjG3sAgAIOywD//6t2gIAZYMaAgAL85ACAANTdAIAB9tIA
Date: Thu, 15 Jul 2021 17:55:43 +0000
Message-ID: <13651801-BEC5-450B-B814-BD85A1D1C08E@intel.com>
References: <617FC3B4-5C1B-4D35-BD4B-9AC2D1362930@island-resort.com> <CAObGJnNRbA1sKuTCBLpdUtLmjNW+qgRZrGd=dHZ7ZrfXkJJizw@mail.gmail.com> <5426682C-48CB-4D7D-A9DF-01FB17B168E8@island-resort.com> <9EDE7661-4443-4D2E-BF72-FBF238A6EF4D@intel.com> <CABF0A5F-DC51-4D38-8772-6351FA80E6A8@island-resort.com> <A998AEAF-3E1C-480A-866D-410D0B0D4362@intel.com> <B525A1CF-C9CE-46DC-BCCD-BF3BE6684A22@island-resort.com>
In-Reply-To: <B525A1CF-C9CE-46DC-BCCD-BF3BE6684A22@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.51.21071101
authentication-results: island-resort.com; dkim=none (message not signed) header.d=none;island-resort.com; dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 85155f98-5758-4e32-ac1b-08d947b9c405
x-ms-traffictypediagnostic: MW3PR11MB4524:
x-microsoft-antispam-prvs: <MW3PR11MB4524CD74EC19980A8B6DC769E5129@MW3PR11MB4524.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 7nu96UrlbYHTeQ2tVSLHVQhTz153QNizbA1rKPOXZCAVAH8VuBVO1RxP+1/1Zo4IcHNsWMDGPNZzPTdOkKtypivU6CWEEPvB3Nx6YZC0sj3gXSxrQsTk2td45eTPNudOQrvHn2Rzrw5ZQJceiMVL9FJqVogKX1F0MViXHIe5sF8vomAFIem5Ltj8fhbzRrxjRhARdd+clL1NYu8pbIsVo0bce5oQ31mUz2QjtFg805xkHQSY5WvPmUPlMGsoDK/POsI8Aalz6Z9GSQn65MkwdViZyn7mCBA6ouQ3q0g7ojj3dbi9ydYq18Je7RGrt9Bh+0enabd2IVkzMRAy0xDH0JsDdx4MY5/id8srsGzOsWbNwJcnJe5WXKatT+Dnj9pndJsn9B8TdU+c/vFdT92LFDXreNCIvow5IbPcszkmsN/vp/vu5SXtli0RwR+PjgMUSbYLA05dKpQuwPa1+mnzl/Oq60egni1+t/5KnCr+g1wAD6dYCyDppceJdAWlnAFk3OarQ2XM9cPr8VOTP45qk9yT4qmMyEgubl+FgzR3alJImiMH934Wr36zzQ2QLP+dQDMfPyKvBITigXygQAkuSwthnGxTf4PAkel2BYbwHcwbYiVAQnYPj3pgIDLXc2UYKqewmp/1YwQ0ocXRxV2TpItWUS1oNxjzXwghD6evMobPW+mJhzjwspmdT/rVM3w5AqlaEC3tO+wuvCfWOTwLWJy+w6vUVRzlsIVZPWvC0k6XypGAJ5ctCg1Xe1UfFxPk
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5169.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(366004)(39860400002)(396003)(346002)(136003)(33656002)(76116006)(2616005)(6486002)(26005)(86362001)(66446008)(4326008)(64756008)(186003)(8936002)(6512007)(316002)(66476007)(66946007)(66556008)(122000001)(8676002)(2906002)(38100700002)(478600001)(83380400001)(5660300002)(54906003)(71200400001)(53546011)(6916009)(6506007)(36756003)(45980500001)(38070700004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: wS8mzxbRiIsPHnSP0FOeon/0nXgBLN5aTIiqn6FSMzSCoQndRxKdAwppbHNOHc2Cj31jD7x+KDEplr0pr9nf8GzE4iyWHQia45jttpV84pAHYLundhd8AB7LX4k8e95FBLRk6wopAejPVey5QHaUz++k9z6dO7VbLX+190lpuLLY769jTljZ9Lz7VpCXPdOTuU3wkaJr0JEDqu5jNNYGgxWfEK7SVM4k/G09TJINqU16YC9DOJgYuuEXpfHVofdsevAKngUmiz3uY403GqrRqe+G32biVsg3Q0IkC2RKvLYexefa0z1LMkYoDUvf3PKURN1Dd+zkM9BXMfWC0mTvXVY7HtVyyzVfdKh4JCCY1jrwT5xl7eVFD5qga3WEFc67N5Fj0f5dXNxLLVBoGW5FeUKGbaZXgnNMC64q9rIXoNNmRJHKkWXfCRkCI87Y6yybL+BedvKcDcW8HdrKmBb75zEdE3H0khnJeLEK2jP5zfDRIOfRaCt3VuCpNlZXfKa9AjcpM5FDehKpluDFQpDK5wdr/hhBcfgQwiC9/xpenCcn9CXP5oTz8qHRh52Vheykbj1vNVF/mgIo5a91evS6JCrkK1CnEIKRzBylFN7ecjA9f5HmKRtOGy2/fsuVhgD6Mus1TqLShlzwq4fCdd7pIEy1J9MxLXZ+Ot8PVIehuqyKb4bl2/U/v5l+I7anDGXyXYNfZqUgPdtr4h1//Q/n3Ve2LeQzvfPJN47zn+Y54Nw2kusHpfeCOpekXsyz9nIsF1zBnIqXAcNLJSyM7yGkRdCeyWZDxPNJmrSICysMJZY5i75/E2fPBXePMQsSmW4Uc1U9ULufh5P+y4YPYSzEK3BG6/FjV8UCcnnPhAWJVvTDui2swpIQSZ71cNBTZuzAz6hYX7BmORRe3B/wFKeqFxtjAJ1aLY0/DPnpDc4SUlRgTAN1WI4Bk/h6QUurNF6xFP4AOWloWq509lXiYHSrmLFyDIQ8A9ZEpYeYuufB8XTE7JtFLCwavVIvIIiZKb6qvVMLWmnARzIsQ+ROPmG7iy0lkn3u45xtGEXN7+ApH3a7R45AwUGqJ7AR7frfTDL11iNyoXbMVn3+7bHQ0ddUdGrp72PNDwcW2cF2Ye5qdDPExVQZVhxri4B1LBkysjA0NjPIQIav1gsqfPf3n5//1ue3n4c+uBY7SuNWhDdKToboD6DYoK3f+HoPrZHN+1Z42iFOE0hmrO78oservnIUVDj5vC3a1BnsmUDn9AVadirllYJAjN5Sg/7J0Erq2JtVHDG3yxDt7uNt99y4Qk1iKgpgpgDB7p7rDZQHtG4nEC6H2cKnlMoWuOmVXrUzgcJv
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_13651801BEC5450BB814BD85A1D1C08Eintelcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 85155f98-5758-4e32-ac1b-08d947b9c405
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jul 2021 17:55:43.1071 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 66EuQ2zKknVKUWauX32+geMewYbIJTP3W/UwAYMjym7Ka6DptmEu2AAQheNCK55oxNKM/vNCbmcNGklFT/JyMg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW3PR11MB4524
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/tc8SnzlrvML6LtMJXXrwtMEs24M>
Subject: Re: [Rats] Definition of an Attesting Environment (and layered attestation)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2021 17:57:19 -0000

The Arch draft captures two duties of an Attesting Env fairly clearly (1- collect Claims, 2- create Evidence). In a layering context the Attesting Env has another duty (3- pass execution thread to the Target Env).

#3 is probably also true for composite device as well, though in composite device the Attesting Env retains a thread of control.

Does the list believe these points should be in the arch draft or are they reasonably inferred?

Thx,
Ned

From: Laurence Lundblade <lgl@island-resort.com>
Date: Tuesday, July 13, 2021 at 9:56 PM
To: "Smith, Ned" <ned.smith@intel.com>
Cc: Thomas Fossati <tho.ietf@gmail.com>, "rats@ietf.org" <rats@ietf.org>
Subject: Re: [Rats] Definition of an Attesting Environment (and layered attestation)

Thanks for the comments, Ned. Helps close the loop.


On Jul 13, 2021, at 4:14 PM, Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>> wrote:


 Attesting Environment don’t ensure integrity
There is a sentence in layered attestation that goes “The first Attesting Environment… has to ensure integrity of the boot loader”.

Yes, the “ROM” does need to ensure integrity of the boot loader in this architecture, but I don’t think it's the Attestation Environment that is doing it. It’s another part of the  ROM that’s doing it. I would call that functionality staged boot and don’t think it has much to do with attestation.
NMS> The term ‘attesting environment’ is normative while ‘ROM’ is exemplary. The statement above seems to blend terminology between something that might read like normative from exemplary text. E.g., ‘attesting environments’ seems more normative language while ‘the boot loader’ seems more exemplary. Given the goal wasn’t to write a normative definition of layered device it seems to live up to its expectation. Does the WG want to see normative definition of common device patterns like layered device and composite device?

The statement that the normatively defined “Attesting Environment” “has to ensure the integrity of the boot loader” is the biggest point of confusion in all this for me. Personally I don’t think it is correct.
NMS>  I think the text “the read-only BIOS in this example,  has to ensure the integrity of the bootloader” is wrong since the example no longer has a “read-only BIOS” component. It should say “ROM” to be consistent. If ROM is changed to RoT then it would be changed along with all other occurances.


The thing that resolves this sentence "The first Attesting Environment… has to ensure integrity of the boot loader” is making explicit that the first execution environment (the ROM/BIOS/…) has two jobs:
   - Securely start up the following environment, the boot loader (which it can do in many different ways)
   - Host the Attesting Environment that measures the following environment, the boot loader

It would help me (and maybe others) understand layered attestation if the text made this clear.

With the sentence as is, I wondered if there was a RATS Verifier on the device or not. The definition of Attesting Environment is something that produces Evidence and Evidence has to be checked by a Verifier… so maybe the intention is that there is a Verifier and that is the means by which the integrity is ensured. It is through this email thread that I am clear that is not the intent.

LL

v2.23.0 | Report a Bug | By Email