IETF Logo Mail Archive

Re: [T2TRG] T2TRG interim meeting follow-ups - draft-irtf-t2trg-taxonomy-manufacturer-anchors-00

Mohit Sethi <mohit@iki.fi> Fri, 16 June 2023 11:54 UTC

Return-Path: <mohit@iki.fi>
X-Original-To: t2trg@ietfa.amsl.com
Delivered-To: t2trg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6C62C151B2F for <t2trg@ietfa.amsl.com>; Fri, 16 Jun 2023 04:54:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dlM8v8jgo9dp for <t2trg@ietfa.amsl.com>; Fri, 16 Jun 2023 04:54:53 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0D28C151076 for <t2trg@irtf.org>; Fri, 16 Jun 2023 04:54:51 -0700 (PDT)
Received: from [10.228.32.130] (85-76-128-8-nat.elisa-mobile.fi [85.76.128.8]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: mohit) by meesny.iki.fi (Postfix) with ESMTPSA id 4QjHdf1l1Mzyg7; Fri, 16 Jun 2023 14:54:46 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1686916486; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sxuu85lOsO+/VGSGQTEbRezPIXsQC2ku4ByHgxjo4+8=; b=GA5ZH4npTT5dh8g+PvCT0AXdC9DkoxO6GePLkI2ayvsIfo3HS2Z8kZlHlB0ztsVNQzMzD6 MCoE2XMHkj/O/QegQ+8JqkHQo0jIai8xd0gPhlRHuC5ANIPrLG3Do7NbbQjqX67OP2rv/2 r5QHHY5Drx3MUDsY/fm93Ki2P/E0uWI=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1686916486; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sxuu85lOsO+/VGSGQTEbRezPIXsQC2ku4ByHgxjo4+8=; b=LbBUwwCi0HkW+NzLiL7BJcZRlhWYAOf7aoJuhRnY6RQ+9YS/6zgmPGZNZP+aU8BOVU+fpv k/VpFsEbMwi0EjUi42mugNWAum4V8UiPoJJWyOz4qj9l80JO+ddafftCXAT/yIEkKxPP42 auQzjRr9iAukVb+WlKkaE1GbGWL+CQQ=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=mohit smtp.mailfrom=mohit@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1686916486; a=rsa-sha256; cv=none; b=C/2ipMt9orIwOYz9Nw8dWCWWxkRs41OXAbi7Fp+f7ry3e4jfiY34jK7mfTZGlGXYrYxPvZ bSHzKgPIWwEJP9weg1s8fVKEcrOjoN4TCdwn40FRmSkjWT1pRn+TM/snQNbjjhS30FL0/Q cO0MWwVYskvWDrz2O7CMetNDXVgyUoQ=
Message-ID: <5c7e5ca3-0819-b4dc-bdfe-3d1af23eb361@iki.fi>
Date: Fri, 16 Jun 2023 14:54:45 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, t2trg@irtf.org
References: <f5044374-4c61-a14e-619b-e2284b79d3d9@iki.fi> <2039f4ba-4ffb-821e-a4c9-23257fa8e88c@gmx.net> <904fa8e3-246d-2c1e-9993-2b1b427c37da@iki.fi> <350a15c4-a32b-215a-e6c6-d48147f6753d@gmx.net>
From: Mohit Sethi <mohit@iki.fi>
In-Reply-To: <350a15c4-a32b-215a-e6c6-d48147f6753d@gmx.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/PgMSspNqmAw98M-R190aXbg1oKM>
Subject: Re: [T2TRG] T2TRG interim meeting follow-ups - draft-irtf-t2trg-taxonomy-manufacturer-anchors-00
X-BeenThere: t2trg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IRTF Thing-to-Thing Research Group <t2trg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/t2trg>, <mailto:t2trg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg/>
List-Post: <mailto:t2trg@irtf.org>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/t2trg>, <mailto:t2trg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2023 11:54:57 -0000

Hi Hannes,

On 6/15/23 17:33, Hannes Tschofenig wrote:
> Hi Mohit,
>
>
> Am 15.06.2023 um 12:29 schrieb Mohit Sethi:
>> Hi Hannes,
>>
>> On 6/15/23 12:57, Hannes Tschofenig wrote:
>>> Hi Mohit,
>>>
>>>
>>> Am 15.06.2023 um 11:34 schrieb Mohit Sethi:
>>>>
>>>> * Generally, reading and writing to TPM requires some minimal OS? How
>>>> is that signed/verified/booted?
>>>>
>>>
>>> A typical implementation of a TPM chip is some form of Cortex M
>>> processor (with crypto hardware) running a firmware to support the TPM
>>> specification functionality.
>>>
>>>
>>> The code calling the TPM features is run on a separate processor. You
>>> could call it the "application processor" since it will run the actual
>>> application code. Typically, TPM chips are used with higher-end
>>> processors (like Cortex A-class processors or similar) and they often
>>> run embedded Linux or similar.
>>
>> This is exactly my point. How is the embedded Linux signed, installed,
>> and trusted for interacting with the initially blank TPM in the
>> factory assembly line. Hence, my question "TPM requires some minimal
>> OS? How is that signed/verified/booted?"
>>
> I can tell you how this is done using non-TPM-based chips. The process
> is simple:

And I can tell you how it is done in a real-world deployment where TPM 
is used in conjunction with an NXP i.MX 6 processor.

But the real question is, does the draft have appropriate terminology 
available for these different cases.

>
> The ROM-based bootloader starts. Let's call this the first stage boot
> loader. It is typically located on a security processor (which is
> nothing more than a Cortex M MCU, which has some hardware crypto). This
> initial bootloader does very little since you cannot update it. It still
> has to be able to verify the second stage boot loader. It does so by
> verifying the digital signature covering the firmware image of the
> second stage BL. Therefore, the first stage BL needs to have crypto
> functionality for signature verification (typically the actual crypto
> will be in hardware but there is a software layer around it to fetch the
> public key and to call the API). Then, the first stage BL will release
> control to the second stage BL. At this point only the security chip is
> powered up. The second stage bootloader executes and now needs to load
> code from flash (or some other external storage) to RAM to boot the
> application processor. The details will vary depending what processor it
> is. If it is an A-class processor, it needs to start with the secure
> world first. Hence, it needs to load the code needed for that processor
> into memory before triggering it. Before it does so, it again has to do
> a signature check. The code on the secure world running on an A-class
> processor consists of multiple layers, from Arm Trusted Firmware-A to
> the trusted applications. Details again vary on what processor you use
> and how much software layers you want. Then, when the secure world OS is
> started it is time to start the normal world (which requires a
> bootloader again, such as U-boot). At each layer you would then verify
> the signature of the code running at the next layer.
>
>
>>>
>>> I have not seen TPM chips being used alongside low-end 
>>> microcontrollers.
>>>
>>> Secure boot is also a simple concept: At every layer of the boot chain
>>> you verify the next layer (before you hand over control to that next
>>> layer). Since there are multiple layers in the boot process, the
>>> hand-over happens several times.
>>>
>>> With secure boot the idea is that you stop the boot process when you
>>> fail to successfully verify software/firmware. With measured boot, you
>>> continue but report what you "measured". Measured typically means
>>> computing a hash over the software/firmware plus some meta data.
>> Thankfully, I understand the difference but somehow the terms are not
>> explained or distinguished in the draft. And as you write below,
>> manufacturers use a mixture of terminology which this draft should
>> identify and highlight. At least I have seen some people use "Secure
>> Boot" and "Verified Boot" interchangeably, as well as, use "Measured
>> Boot" and "Trusted Boot" interchangeably.
>
>
> Manufacturers invent new terms for marketing purposes. I would not
> capture those in the draft.
>
> For the "secure boot" and "measured boot" terminology reference some
> existing document. Forget verified and trusted boot.
>
>
>>>
>>> See also
>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmedia.fidoalliance.org%2Fwp-content%2Fuploads%2F2022%2F12%2FFIDO-Device-Onboard-The-Device-Key-White-Paper.pdf&data=05%7C01%7Cmohit.sethi%40aalto.fi%7C24b0b9fb84bf45fecd1e08db6dad8d68%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638224364826538666%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=Ko8SlTQHT%2FgzkBra4a4EjSDOaYVCn7g6nMi2Bo6mTDM%3D&reserved=0 
>>>
>>>
>>> for more discussion about measured and secure boot.
>>>
>>>
>>>> * When manufacturing my IoT device, how is the primary stage
>>>> bootloader signed and verified?
>>>
>>>
>>> The concept is simple: there is a root of trust, which is used to get
>>> started. The root of trust includes a "minimum" amount of software,
>>> hardware, keys and configuration which everything else relies on. For
>>> the first stage bootloader you have to assume an immutable bootloader
>>> code (typically stored in ROM) and immutable public keys (serving as
>>> trust anchors). From a terminology point of view you have to decide
>>> whether you call the first stage the immutable part  or the bootloader
>>> that is started by the immutable part. When you read the data sheets of
>>> manufacturers then you will realize that they mix the terminology (and
>>> even invent their own terms). Hence, you have to read carefully.
>>
>> I think the draft does not explain the two possibilities: I give some
>> public keys to the chip vendor which are fused and then I am
>> responsible for signing my own bootloader. Or I give some public keys
>> which are incorporated into the bootloader written by the chip vendor
>> (which is then used for verifying the second stage of the boot process).
>
>
> The question is: How much flexibility do you want in manufacturing?
>
> You can ask a manufacturer to put your first stage bootloader with your
> cert into immutable memory (ROM). Then, you control what software is
> loaded in the second stage.
>
> You can also put the cert of the manufacturer in the first stage
> bootloader (in ROM). Then, you need to ask the manufacturer to sign your
> public key to be able to get code onto the device. (Involving your
> manufacturer every time you want to load a new second stage bootloader
> on your device is probably not a great idea.)
>
> You can also postpone loading the trust anchor to the chip to a later
> stage in the lifecycle by using OTP memory.

Thank you for documenting these different options. I have practical 
experience with only one them.

The question still remains, does the draft have appropriate terminology 
available for the different cases you describe.

--Mohit

>
>
> Ciao
>
> Hanns
>
>
> _______________________________________________
> T2TRG mailing list
> T2TRG@irtf.org
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Ft2trg&data=05%7C01%7Cmohit.sethi%40aalto.fi%7C24b0b9fb84bf45fecd1e08db6dad8d68%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638224364826538666%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=UyJRfEnIjbut2cDUf%2B7pUSPu1qFYD89oqIk6cRL9Ldc%3D&reserved=0 
>

v2.23.0 | Report a Bug | By Email