Re: [Rats] TPM background for RIV

To me as well.  Which reference can I use to look at the formats for TPM
attestations?

Thanks,
Kathleen

On Tue, Aug 25, 2020 at 4:53 PM Dave Thaler <dthaler=
40microsoft.com@dmarc.ietf.org> wrote:

> That looks like a great improvement to me.
>
>
>
> Dave
>
>
>
> *From:* RATS <rats-bounces@ietf.org> *On Behalf Of * Guy Fedorkow
> *Sent:* Tuesday, August 25, 2020 12:16 PM
> *To:* rats@ietf.org
> *Cc:* Jessica Fitzgerald-McKay (jmfmckay@gmail.com) <jmfmckay@gmail..com>;
> Eric Voit (evoit) <evoit@cisco.com>
> *Subject:* [Rats] TPM background for RIV
>
>
>
> A recent reviewer of the RIV document (that would be a RIViewer) pointed
> out that the doc assumes that the fundamental behavior of a TPM for
> attestation is already well known by the reader.  Of course that may not be
> the case.
>
>   Rather than add more tutorial material to be body of the document, I’d
> like to suggest adding the following subsection to the existing appendices,
> with cross references in a couple places in the doc.
>
>   Let me know if this looks like it would be helpful to new readers.
>
>   Thanks
>
> /guy
>
>
>
>
>
>
>
> *Appendix
>
>
>
> **Using a TPM for Attestation
>
>
>
>   The Trusted Platform Module and surrounding ecosystem provide three
> interlocking capabilities to enable secure collection of evidence from a
> remote device, Platform Configuration Registers (PCRs), a Quote mechanism,
> and a standardized Event Log.
>
>
>
>   Each TPM has at least sixteen PCRs, each one large enough to hold one
> hash value (SHA-1, SHA-256, and other algorithms can be used for this
> hashing depending on TPM version).  PCRs can’t be accessed directly from
> outside the chip, but the TPM interface provides a way to “extend” a new
> security measurement hash into any PCR, a process by which the existing
> value in the PCR is hashed with the new security measurement hash, and the
> result placed back into the same PCR.  The result is a composite
> fingerprint of all the security measurements extended into each PCR since
> the system was reset.
>
>
>
>   Every time a PCR is extended, an entry should be added to the
> corresponding Event Log.  Logs contain the security measurement hash plus
> informative fields offering hints as to what event it was that generated
> the security measurement.  The Event Log itself is protected against
> accidental manipulation, but it is implicitly tamper-evident – any
> verification process can read the security measurement hash from the log
> events, compute the composite value and compare that to what ended up in
> the PCR.   If there’s a discrepancy, the logs do not provide an accurate
> view of what was placed into the PCR.
>
>
>
>   The TPM provides another mechanism called a Quote that can read the
> current value of the PCRs and package them into a data structure signed by
> an Attestation Key (which is private key that is known only to the TPM).
>
>
>
> The Verifier uses the Quote and Log together.  The Quote, containing the
> composite hash of the complete sequence of security measurement hashes, is
> used to verify the integrity of the Event Log.  Each hash in the validated
> Quote can then be compared to corresponding expected values in the set of
> Reference Integrity Measurements to validate overall system integrity.
>
>
>
>   Information about PCRs and Quotes can be found in {{TPM1.2}} and
> {{TPM2.0}}.  Although there are several log formats, an example can be
> found in {{XX}}
>
>
>
>
>
> Juniper Business Use Only
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>

-- 

Best regards,
Kathleen