Re: [Rats] TPM background for RIV

Ira McDonald <blueroofmusic@gmail.com> Wed, 26 August 2020 11:01 UTC

From: Ira McDonald <blueroofmusic@gmail.com>
Date: Wed, 26 Aug 2020 07:00:45 -0400
Message-ID: <CAN40gStQ02boSNpOEgkcmqLvqNsZOioWV4SEQRiGs2PY_rnaiQ@mail.gmail.com>
To: "Oliver, Ian (Nokia - FI/Espoo)" <ian.oliver@nokia-bell-labs.com>, Ira McDonald <blueroofmusic@gmail.com>
Cc: Michael Richardson <mcr@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/zrSnN_IpSQmD_tqO8CcI8GAOcJc>
Subject: Re: [Rats] TPM background for RIV

Hi Ian,

No, the TPM 2.0 Library standard (the base standard) does not specify the
size (number of PCRs) or number of banks (different hash algorithms) for PCRs.

That's only specified in specific profiles.  And it's definitely not the
same across all TCG profiles.

Cheers,
- Ira


Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Co-Chair - TCG Metadata Access Protocol SG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmusic@gmail.com
(permanent) PO Box 221  Grand Marais, MI 49839
906-494-2434


On Wed, Aug 26, 2020 at 3:07 AM Oliver, Ian (Nokia - FI/Espoo) <
ian.oliver@nokia-bell-labs.com> wrote:

> Doesn't the TPM 2 standard state PCRs 0 through to 23 with two banks being
> provided SHA1 and SHA256 (at particular handles 0x4......?)
>
> It is the boot specification - at least for x86 - that states PCRs 0-7 are
> utilised for specific purposes, i.e.: CRTM, BIOS, configuration, boot loader,
> LCP and manufacturer defined.
>
> At least on some of our UEFI machines I see 8, 9 and 10 being used.
>
> 11 is the default for Linux IMA and 17 and 18 for Intel DRTM measurements
>
> There are restrictions due to locality, so at least on a PC, PCRs 16 and
> 23 are available to userland modification.
>
> Ian
>
> --
>
> Dr. Ian Oliver
>
> Cybersecurity Research
>
> Distinguished Member of Technical Staff
>
> Nokia Bell Labs
>
> +358 50 483 6237
>
> ------------------------------
> *From:* Michael Richardson <mcr@sandelman.ca>
> *Sent:* 26 August 2020 01:29
> *To:* Ira McDonald <blueroofmusic@gmail.com>; rats@ietf.org <rats@ietf.org>
> *Subject:* Re: [Rats] TPM background for RIV
>
> Ira McDonald <blueroofmusic@gmail.com> wrote:
>     > Small note:  Although you say each TPM has at least 16 PCRs, in fact the
>     > TPM 2.0 Mobile Common Profile
>     > (2015) only requires the implementation of one SHA-256 bank of 8 PCRs (a
>     > SHA-1 bank is prohibited here).
>     > That design choice was made to avoid the squabbles over the inconsistent
>     > usage of PCR8 through PCR15
>     > across various TPM 2.0 profiles.
>
> I just want to understand.
> TPM 2 mobile, only requires PCR0-7.  It doesn't forbid PCR8->15 though?
> Do devices tend to implement them all?  Or?
>
> So what do the profiles do now?
>
> What is the impact on RIV?
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>
>
>
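
Added example, not part of the thread and not code from any participant or from TCG: since the number of PCRs and the set of banks are profile-specific, a verifier can decode the PCR allocation a TPM reports (a marshalled TPML_PCR_SELECTION, as returned by TPM2_GetCapability with TPM_CAP_PCRS) instead of assuming 24 PCRs in SHA-1 and SHA-256 banks. The function names, the two sample blobs and the policy are constructed for illustration.

```python
import struct

# TPM_ALG_ID values from the TPM 2.0 Library specification.
TPM_ALG = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}

def parse_pcr_selection(blob):
    """Decode a marshalled TPML_PCR_SELECTION into {bank name: [PCR indices]}."""
    if len(blob) < 4:
        raise ValueError("truncated TPML_PCR_SELECTION")
    (count,) = struct.unpack_from(">I", blob, 0)
    off, banks = 4, {}
    for _ in range(count):
        if off + 3 > len(blob):
            raise ValueError("truncated TPMS_PCR_SELECTION header")
        alg, size = struct.unpack_from(">HB", blob, off)  # hash, sizeofSelect
        off += 3
        bitmap = blob[off:off + size]
        if len(bitmap) != size:
            raise ValueError("truncated pcrSelect bitmap")
        off += size
        # PCR n is bit (n % 8) of byte (n // 8) in the bitmap.
        pcrs = [8 * i + b for i, byte in enumerate(bitmap)
                for b in range(8) if (byte >> b) & 1]
        banks[TPM_ALG.get(alg, "alg_0x%04x" % alg)] = pcrs
    if off != len(blob):
        raise ValueError("trailing bytes after TPML_PCR_SELECTION")
    return banks

def check_allocation(banks, required, forbidden=()):
    """Return a list of mismatches between reported banks and verifier policy."""
    problems = []
    for bank in forbidden:
        if banks.get(bank):  # a bank with an empty bitmap has no PCRs allocated
            problems.append("forbidden bank %s is allocated" % bank)
    for bank, needed in required.items():
        missing = sorted(set(needed) - set(banks.get(bank, [])))
        if missing:
            problems.append("%s bank lacks PCRs %s" % (bank, missing))
    return problems

# Constructed samples: two banks of 24 PCRs, and one SHA-256 bank of 8 PCRs.
PC_STYLE = bytes.fromhex("00000002" "0004" "03" "ffffff" "000b" "03" "ffffff")
MOBILE_STYLE = bytes.fromhex("00000001" "000b" "01" "ff")
# Hypothetical policy: needs PCRs 0-7 and 11 in SHA-256 and rejects a SHA-1 bank.
POLICY = {"required": {"sha256": set(range(8)) | {11}}, "forbidden": ("sha1",)}

if __name__ == "__main__":
    for name, blob in (("pc-style", PC_STYLE), ("mobile-style", MOBILE_STYLE)):
        print(name, check_allocation(parse_pcr_selection(blob), **POLICY))
```
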