IETF Logo Mail Archive

Re: [T2TRG] T2TRG interim meeting follow-ups - draft-irtf-t2trg-taxonomy-manufacturer-anchors-00

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 15 June 2023 14:33 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: t2trg@ietfa.amsl.com
Delivered-To: t2trg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6F6EC151062 for <t2trg@ietfa.amsl.com>; Thu, 15 Jun 2023 07:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F_0_p2XCUJJV for <t2trg@ietfa.amsl.com>; Thu, 15 Jun 2023 07:33:30 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D21AC14CE5D for <t2trg@irtf.org>; Thu, 15 Jun 2023 07:33:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1686839596; x=1687444396; i=hannes.tschofenig@gmx.net; bh=SZrDUHs7SrFPkz8mc0fkYZpJnyKuSXggVr/Zv1HzcjM=; h=X-UI-Sender-Class:Date:Subject:To:References:From:In-Reply-To; b=dVWABrZ6OqzJt2eqFfEaDnUU5nADDoMg3RhVi/1T65PeJeeSbt1km3ZMHuL+gVSLGkPoZr9 a65rDBHIAC8vwHW3FcEkIv44hVOWPY6IqAPiAvhYld0mkBxPoXb0TWl3/cWD/Ve5nRYxJ0rOm ljyhpyV98pv4j5Ss5nZOKrZFG7+QFZYIuLCcJ4b3UhoCWyvSeYD73DyAV9LyIrViTNBDpHWgu ZS2juq8o9OOB0ewVxokaTD9WroX1GvW/+SWL6S393fJBVPx332Uw0d3cmR9lDPMy+J55Lqkd5 3zsFxc9G5yQkDrOtmBzs6dGWroGyD3J6RTQllQtnGjl1ANpZfplw==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [172.16.254.181] ([195.149.218.225]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MTzfG-1qZguE2xAQ-00R5AG; Thu, 15 Jun 2023 16:33:16 +0200
Message-ID: <350a15c4-a32b-215a-e6c6-d48147f6753d@gmx.net>
Date: Thu, 15 Jun 2023 16:33:17 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0
To: Mohit Sethi <mohit@iki.fi>, t2trg@irtf.org
References: <f5044374-4c61-a14e-619b-e2284b79d3d9@iki.fi> <2039f4ba-4ffb-821e-a4c9-23257fa8e88c@gmx.net> <904fa8e3-246d-2c1e-9993-2b1b427c37da@iki.fi>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <904fa8e3-246d-2c1e-9993-2b1b427c37da@iki.fi>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:ER4arGFOn23tWlV1CBNtMNinMwOb03GX5FtU6Vj+ayjxr82jW2L y0SMkwQPecNoX2bUzLhRUGcBMjJspOKTc8xdbv+T12+A4D5yr47pvDxcSQA2UzTJsMbwBYf 4pcm4MF3tDm3Jdqq7PrKJtJXnI1ixN4hLiMA83oBl/CUicIi7E1cyrmOMvhsRJf22NPHzxH JbEc8yBqlF/WGCGPg8ktg==
UI-OutboundReport: notjunk:1;M01:P0:CB/xjwj1IDI=;BkWua62ksW+h1PjAcnnkpVH/xeX VyQe+mQyYnPSBlpcjzyyB9MoJvEMkLI5Hpg2SqfSBEk2pzDLckrGPhOwlLUavPYx1YALNuTj7 M4MFGgXze58TJ1AwZgj9eC6Y1hx4XvCsdByOQEo8nSeZLr36aitYpAnJnCordrwtUA7uhOAd8 fXoXnDHBmlsuqenkY46Ud7tBMdWtwrwCdqKwHkQmRWbPqL6qYV8UA1RRW7kI2j/iFsBdp+xif U9H2ixhwOMse/ONaI9aiBEW6ibEId8UZBsHWwGCL9OI/5TxsOfVY2XFsdNJM7wrKOfVHY8fnJ IibKWFHxpocr0ZmyOZMCdxfB9ASMY7RE1b9JdrvErh0b3rLWGpCCk7sqhW9hLvh9hEuZYWGCI 0k1NvbVuQkE/nrnr8OgJ2Gw3VvKOKkCS4xtM8HIKEqyOgHbX8AOHOhlga+QUayHeTEewemvTa +du8SOPDuZVXzMkIGDw4VTBg1oOx8OR8hT9I8OeZJjRUT9qbq5iAHoLFlCvIKYOnGKFRTNU6/ iEtqFE5lOnrE03y5pWg/DejiTNo6kLe37j2L/NmANCKhGTZKfGWW1G8pQPsdii4FOYKRSPvW+ BAK6yIFXm8zPTVYkcgcTzvQ+BuQqAcmf0cfRzKYOCy3FSSAfeQRfbGJ+HOJE0nfYY/LBNeKlO OTR9gKdnez3cENDj/rQg6Cu0tT2HQ77CTbuO7VguQ9JoQQJ3+yK7eWqEec57cOkq3sdWV0doz V9sFdZPLxwrgWxPu9MDIbTXco1gRajMEjb2hBIqfmEuKP1+Z96vqk3eZCsvg3yVFjw+PbLEpq 631acqwRozWcOA6hy9+M1U2VY12ji8EzRXNQox5SBsZGl+02EnNuu7CZSaCSLfKWE3zncdYBy Dqtu1O2TTfY9ZSE6SQgRjwrIswkD4lxDeEHNWaX2C2Q0cz5VGNMEGQ5OHjTFHRECC9w52dtvy wX+H2CGp3ey8GNKggz6kfxSbx+A=
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/rHnvM0CcMfBu16KWUkW6FXnWpjQ>
Subject: Re: [T2TRG] T2TRG interim meeting follow-ups - draft-irtf-t2trg-taxonomy-manufacturer-anchors-00
X-BeenThere: t2trg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IRTF Thing-to-Thing Research Group <t2trg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/t2trg>, <mailto:t2trg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg/>
List-Post: <mailto:t2trg@irtf.org>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/t2trg>, <mailto:t2trg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jun 2023 14:33:33 -0000

Hi Mohit,


Am 15.06.2023 um 12:29 schrieb Mohit Sethi:
> Hi Hannes,
>
> On 6/15/23 12:57, Hannes Tschofenig wrote:
>> Hi Mohit,
>>
>>
>> Am 15.06.2023 um 11:34 schrieb Mohit Sethi:
>>>
>>> * Generally, reading and writing to TPM requires some minimal OS? How
>>> is that signed/verified/booted?
>>>
>>
>> A typical implementation of a TPM chip is some form of Cortex M
>> processor (with crypto hardware) running a firmware to support the TPM
>> specification functionality.
>>
>>
>> The code calling the TPM features is run on a separate processor. You
>> could call it the "application processor" since it will run the actual
>> application code. Typically, TPM chips are used with higher-end
>> processors (like Cortex A-class processors or similar) and they often
>> run embedded Linux or similar.
>
> This is exactly my point. How is the embedded Linux signed, installed,
> and trusted for interacting with the initially blank TPM in the
> factory assembly line. Hence, my question "TPM requires some minimal
> OS? How is that signed/verified/booted?"
>
I can tell you how this is done using non-TPM-based chips. The process
is simple:

The ROM-based bootloader starts. Let's call this the first stage boot
loader. It is typically located on a security processor (which is
nothing more than a Cortex M MCU, which has some hardware crypto). This
initial bootloader does very little since you cannot update it. It still
has to be able to verify the second stage boot loader. It does so by
verifying the digital signature covering the firmware image of the
second stage BL. Therefore, the first stage BL needs to have crypto
functionality for signature verification (typically the actual crypto
will be in hardware but there is a software layer around it to fetch the
public key and to call the API). Then, the first stage BL will release
control to the second stage BL. At this point only the security chip is
powered up. The second stage bootloader executes and now needs to load
code from flash (or some other external storage) to RAM to boot the
application processor. The details will vary depending what processor it
is. If it is an A-class processor, it needs to start with the secure
world first. Hence, it needs to load the code needed for that processor
into memory before triggering it. Before it does so, it again has to do
a signature check. The code on the secure world running on an A-class
processor consists of multiple layers, from Arm Trusted Firmware-A to
the trusted applications. Details again vary on what processor you use
and how much software layers you want. Then, when the secure world OS is
started it is time to start the normal world (which requires a
bootloader again, such as U-boot). At each layer you would then verify
the signature of the code running at the next layer.


>>
>> I have not seen TPM chips being used alongside low-end microcontrollers.
>>
>> Secure boot is also a simple concept: At every layer of the boot chain
>> you verify the next layer (before you hand over control to that next
>> layer). Since there are multiple layers in the boot process, the
>> hand-over happens several times.
>>
>> With secure boot the idea is that you stop the boot process when you
>> fail to successfully verify software/firmware. With measured boot, you
>> continue but report what you "measured". Measured typically means
>> computing a hash over the software/firmware plus some meta data.
> Thankfully, I understand the difference but somehow the terms are not
> explained or distinguished in the draft. And as you write below,
> manufacturers use a mixture of terminology which this draft should
> identify and highlight. At least I have seen some people use "Secure
> Boot" and "Verified Boot" interchangeably, as well as, use "Measured
> Boot" and "Trusted Boot" interchangeably.


Manufacturers invent new terms for marketing purposes. I would not
capture those in the draft.

For the "secure boot" and "measured boot" terminology reference some
existing document. Forget verified and trusted boot.


>>
>> See also
>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmedia.fidoalliance.org%2Fwp-content%2Fuploads%2F2022%2F12%2FFIDO-Device-Onboard-The-Device-Key-White-Paper.pdf&data=05%7C01%7Cmohit.sethi%40aalto.fi%7C1d643e061b2c4709a2ab08db6d86fcbb%7Cae1a772440414462a6dc538cb199707e%7C1%7C0%7C638224199461843832%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rXOcTVSx518cVbDSkVBQWiaOm70OmVzyU7dY8Krx3Vw%3D&reserved=0
>>
>> for more discussion about measured and secure boot.
>>
>>
>>> * When manufacturing my IoT device, how is the primary stage
>>> bootloader signed and verified?
>>
>>
>> The concept is simple: there is a root of trust, which is used to get
>> started. The root of trust includes a "minimum" amount of software,
>> hardware, keys and configuration which everything else relies on. For
>> the first stage bootloader you have to assume an immutable bootloader
>> code (typically stored in ROM) and immutable public keys (serving as
>> trust anchors). From a terminology point of view you have to decide
>> whether you call the first stage the immutable part  or the bootloader
>> that is started by the immutable part. When you read the data sheets of
>> manufacturers then you will realize that they mix the terminology (and
>> even invent their own terms). Hence, you have to read carefully.
>
> I think the draft does not explain the two possibilities: I give some
> public keys to the chip vendor which are fused and then I am
> responsible for signing my own bootloader. Or I give some public keys
> which are incorporated into the bootloader written by the chip vendor
> (which is then used for verifying the second stage of the boot process).


The question is: How much flexibility do you want in manufacturing?

You can ask a manufacturer to put your first stage bootloader with your
cert into immutable memory (ROM). Then, you control what software is
loaded in the second stage.

You can also put the cert of the manufacturer in the first stage
bootloader (in ROM). Then, you need to ask the manufacturer to sign your
public key to be able to get code onto the device. (Involving your
manufacturer every time you want to load a new second stage bootloader
on your device is probably not a great idea.)

You can also postpone loading the trust anchor to the chip to a later
stage in the lifecycle by using OTP memory.


Ciao

Hanns

v2.23.0 | Report a Bug | By Email