Re: [Teep] Keeping Secrets from the TAM

Brendan Moran <Brendan.Moran@arm.com> Fri, 30 July 2021 00:29 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/4ZdUa_WADGOUG0C4jefiL9EfPSs>

The current text for section 9.8 of draft-ietf-teep-architecture-15 says:

   One way to do this is for
   the Trusted Component Signer to run its own TAM so that it can
   distribute the decryption key via the TEEP protocol, and the key file
   can be a dependency in the manifest of the encrypted TA.  Thus, the
   TEEP Agent would look at the Trusted Component manifest, determine
   there is a dependency with a TAM URI of the Trusted Component
   Signer's TAM.  The Agent would then install the dependency, and then
   continue with the Trusted Component installation steps, including
   decrypting the TA binary with the relevant key.

While this is possible, it’s not the approach I would choose for TEEP. For TEEP, I would use either the HPKE or ECDH-ES + A(128/192/256)KW options from draft-tschofenig-suit-firmware-encryption. Then, the TC Signer provides a service that the TAM can query, where it will provide a COSE_Encrypt targeted to any specified device, subject to attestation and security posture assessment. This is much lighter-weight.

Best Regards,
Brendan