IETF Logo Mail Archive

Re: [Teep] Protocol issue #213: full EAT CDDL example in TEEP Protocol

Akira Tsukamoto <akira.tsukamoto@gmail.com> Thu, 28 July 2022 21:53 UTC

Return-Path: <akira.tsukamoto@gmail.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1354C15C51E for <teep@ietfa.amsl.com>; Thu, 28 Jul 2022 14:53:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OwJ4sAnrcxYB for <teep@ietfa.amsl.com>; Thu, 28 Jul 2022 14:52:59 -0700 (PDT)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81138C15C521 for <teep@ietf.org>; Thu, 28 Jul 2022 14:52:20 -0700 (PDT)
Received: by mail-qk1-x732.google.com with SMTP id m7so2450636qkk.6 for <teep@ietf.org>; Thu, 28 Jul 2022 14:52:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=R5zIVDRPNtiov+YQ/PdXs2b7+RSFBt1yBQmQLDSDUfE=; b=RFVi8Ygxxdrbns3EFfS5ykFScBYnYFnM0navqi75M92iE7z8jB5ytn1ORGMrYmCiyZ mYENqIuhv+Hw/r5c0Ne0cJl7lNb85B4bJq3Wp50CO0mKopIw0+pTeYU71WYivW/hRDIm h6XA8QykXHLEh7QmqPTP8prbUquSvAyWMg3+L6JYK7o8qzwGJVFZp1jWFPHm10I6aB0N WG13BPIKvbkz+jL2T+/332Xy0srmA+tj8fzAiQ6Wrg7SH3ai+jIfde7JKZbJiQCgR4Mo 69n4TZKt8K/sBrUGZAHk1dD0hvLWDY62Wbd8F10ag8uyj739c7P4ELYJqRJ/JcNB/45E SqPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=R5zIVDRPNtiov+YQ/PdXs2b7+RSFBt1yBQmQLDSDUfE=; b=KnPcEIpne9uzR0EbKAbyAtk6pZo/LJJ5kX/VqMnjqE8sfKRnJeJ8GbR/B0+4r4J/jd X2cWx6kTUF7eyAU2Kt5N/VNUsHm3Qc54jn0TXL7n/X28MXTxWouEavV6EVAK0UJhUiyj /Dbea44IRh5zDS12TpnliUuJ8BuxEXrJmu7MziSLA54790PChCuHrYiaejNu+RgrgpWl /B5QsU4v4LfdCqlufUl19lN78ZUERKYe/1M1ZP07QYwrpp8LA4NxFuvf2CkG2LjfNqWx fPspXUMOZRy0ugVYjPFkCcONYZ6y/7k9ow7jUUBI1wEe386ZjXQzmHiyy0wxBQF6SUUW ECGg==
X-Gm-Message-State: AJIora/qRmbfaXdVaXWAVtVCWi6p4NDVWTe1xl85v64Ix9vaDogBmAu6 3O0SW1abrUoG3uUO4jVMVOgqwM0U7IR0eV4hKC4+7LDkBi1yKq9HADK+Qg==
X-Google-Smtp-Source: AGRyM1tlr7naLL+J1cragCXCmeRNcq4GEDQBRCMcnF/MoYkNbmY0EpQCppnH+jiltynz/EfiJfbeeXEITvZlJa+Cd/E=
X-Received: by 2002:a05:620a:f10:b0:6aa:318e:55a9 with SMTP id v16-20020a05620a0f1000b006aa318e55a9mr671345qkl.559.1659045139168; Thu, 28 Jul 2022 14:52:19 -0700 (PDT)
MIME-Version: 1.0
References: <CH2PR21MB1464F9B1CEFFC812D1DEFC1CA3829@CH2PR21MB1464.namprd21.prod.outlook.com>
In-Reply-To: <CH2PR21MB1464F9B1CEFFC812D1DEFC1CA3829@CH2PR21MB1464.namprd21.prod.outlook.com>
From: Akira Tsukamoto <akira.tsukamoto@gmail.com>
Date: Thu, 28 Jul 2022 17:52:03 -0400
Message-ID: <CACuRN0PB2Ud2A=m4rmAQg7_XX_vY6vpMY9j40Yn3n5-JbaAKYg@mail.gmail.com>
To: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>
Cc: Kohei Isobe <ko-isobe@secom.co.jp>, Akira Tsukamoto <akira.tsukamoto@aist.go.jp>, "TEEP@ietf.org" <teep@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/-AK0rIgDK6H0oWO39Bmf9m_w664>
Subject: Re: [Teep] Protocol issue #213: full EAT CDDL example in TEEP Protocol
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 21:53:03 -0000

Hi,

This is a note for the people who were not at the hackathon at ietf114.

> I am, however, not convinced that hash-entries is needed, since it seems to
> me that that is what EAT's "Software Version Claim" (sw-version-type)
> is designed to solve.
>
> If that is not sufficient for some reason, then in my view either we should
> provide feedback on that part of the EAT spec, or propose an additional EAT
> claim.  However, my personal opinion is that the current EAT claim
> should be sufficient.

The discussion at the hackathon moved to
https://github.com/ietf-teep/teep-protocol/issues/221 and we decided
to use the manifests claim for the purpose.

Akira

On Fri, Jul 8, 2022 at 10:09 AM Dave Thaler
<dthaler=40microsoft.com@dmarc.ietf.org> wrote:
>
> https://github.com/ietf-teep/teep-protocol/issues/213 proposes changing the attestation-payload format to include a type.   I explained in the thread about issue #214 how I think the attestation-payload-format field should be used instead, with the fix in PR #216.
>
> However, issue 213 also proposes another change that I'd like to discuss here:
>
> > Add hash-entries in teep-evidence
> > As discussed at Reliably getting TEE properties #189, Verifiers in the back of TAM
> > or TAM would require the system information and the hash values of TEE-OS or
> > equivalent software to verify it.
> > We add the hash-entries in TEEP's EAT sample to convey such software's
> > information in evidence.
> > [...]
> > teep-evidence = {
> >   ? ueid-label => ueid-type,
> >   ? oemid => oemid-pen / oemid-ieee / oemid-random,
> >   ? class-identifier => RFC4122_UUID,
> >   ? hardware-model-label => hardware-model-type,
> >   ? hardware-version-label => hardware-version-type,
> >   ? sw-name-label => tstr,
> >   ? sw-version-label => sw-version-type,
> >   ? nonce-label => nonce-type / [ 2 * nonce-type ],
> >   ? hash-entries => [ + hash-entry ] ; hash value of TEE or device
> > }
>
> I am, however, not convinced that hash-entries is needed, since it seems to
> me that that is what EAT's "Software Version Claim" (sw-version-type)
> is designed to solve.
>
> If that is not sufficient for some reason, then in my view either we should
> provide feedback on that part of the EAT spec, or propose an additional EAT
> claim.  However, my personal opinion is that the current EAT claim
> should be sufficient.
>
> Dave
>
> _______________________________________________
> TEEP mailing list
> TEEP@ietf.org
> https://www.ietf.org/mailman/listinfo/teep

v2.23.0 | Report a Bug | By Email