Re: [Teep] clarification questions on draft-ietf-teep-architecture-14

[Hannes Tschofenig <Hannes.Tschofenig@arm.com>]

Hi Daniel,

Thanks for reading carefully through the draft.

Many of your questions relate to the use of TEEP for Intel SGX. I cannot answer those questions and the architecture was written to be independent of a particular TEE instantiation. I will skip the SGX related questions and someone else (maybe from Intel) can answer those.

Let me answer your questions that are unrelated to SGX.

~ snip ~

<mglt>
   To simplify the life of TA developers interacting with TAs in a TEE,

I am tempted to say that TA always run
in TEE, in which case "in a TEE" may be
redundant or may suppose that some TA
are not running in a TEE.  Note that it
appears at several different places in
the text.

[Hannes] The issue is that there is the TA in the secure world but then you also need code elsewhere to interact with it. In fact, there will have to be code pretty much everywhere (at least in TrustZone) to allow the transition from the app running in the normal world to the TA running in the secure world. It may sound like an easy thing to do but it isn’t in practice and the TF-M and OP-TEE code show this, see https://www.trustedfirmware.org/


</mglt>

   an interoperable protocol for managing TAs running in different TEEs
   of various devices is needed.
<mglt>
   This software update protocol needs to
   make sure that compatible trusted and untrusted components (if any)
   of an application are installed on the correct device.  In this TEE
   ecosystem, there often arises a need for an external trusted party to
   verify the identity, claims, and rights of TA developers, devices,
   and their TEEs.  This trusted third party is the Trusted Application
   Manager (TAM).

I am reading "this software update
protocol" as limiting the ability to
upgrade an already installed
application.  I have the impression that
installation of a software is in scope
and that in this case, installation will
only be permitted depending on the TEE
version.  If this is included in the
term "software upgrade" I have the
impression these tasks are beyond a
software upgrade.

[Hannes] We also cover installation and deletion of software. Maybe we should expand the sentence to make this clearer.

</mglt>

   The Trusted Execution Environment Provisioning (TEEP) protocol
   addresses the following problems:

   -  An installer of an Untrusted Application that depends on a given
      TA wants to request installation of that TA in the device's TEE so
      that the Untrusted Application can complete, but the TEE needs to
      verify whether such a TA is actually authorized to run in the TEE
      and consume potentially scarce TEE resources.

<mglt>
   -  A TA developer providing a TA whose code itself is considered
      confidential wants to determine security-relevant information of a
      device before allowing their TA to be provisioned to the TEE
      within the device.  An example is the verification of the type of
      TEE included in a device and that it is capable of providing the
      security protections required.

My first question reading this paragraph
concerns the TA developer versus the TA
manager or device manager.  I am tempted
to see these as two different roles, but
I would say the responsibility to
install a TA with a certain level of
version of the TEE is more likely to be
the responsibility of the TAM or a
Device Manager than the TA developer.

[Hannes] I think both entities need to work together. The TA developer writes the TA code and understands for what application it is meant to be used (at least typically). It might also have requirements on the type of TEE. An operator of  a TAM needs to decide what it wants to send to devices.

This may not exclude that TAM and TA
developer have a specific agreement and
some conditions are provided by the TA
developer.

[Hannes] They may have an agreement or in other cases the relationship may be pretty loose.

I am reading this text as a TA developer
or manager evaluates the trustworthiness
of the REE, but I would tempted to
consider such information as unlikely to
be reliable, so I am wondering if there
is anything I am missing.

[Hannes] Imagine that a TEE developer writes an app that does some machine learning and he only wants to release the code to devices that implement certain security features in the TEE. He would work together with the TAM operator to ensure that those requirements are met and the attestation functionality offered by the TEEP protocol gives him or her that assurance.

~snip~

While not related to the code itself,
but some sort of secret credentials
associated to the TA, I believe that a
TA Manager may check the level of trust
of the TEE before provisioning the TA
with secrets.
[Hannes] Yes.

I am wondering if that is
part of TEEP with Personalization Data
or if such instantiation is always
delegated to the TA.

[Hannes] This is part of the TEEP protocol. The ability to protect (encrypt) personalization data is offered by SUIT.

More specifically,
the TA sets a trusted communication with
the TAM that pushes the secret
credentials.
[Hannes] Sort-of. Details about the SUIT part will be added in a SUIT document on how the encryption looks like.

Now that I have read the full spec, it
seems that the bundle description
somehow addresses this, but I think that
mentioning the configuration of a TA in
the introduction or overview section
would ease the reading.

[Hannes] This is maybe the wrong document; the TEEP protocol document could give an example or should go into the details of this. My take-away from the last meeting was that we will cover this in a separate document in SUIT.


</mglt>

~snip~



[...]

4.  Architecture

4.1.  System Components

[...]

<mglt>
      A Trusted Component Signer or Device Administrator chooses a
      particular TAM based on whether the TAM is trusted by a device or
      set of devices.  The TAM is trusted by a device if the TAM's
      public key is, or chains up to, an authorized Trust Anchor in the
      device.  A Trusted Component Signer or Device Administrator may
      run their own TAM, but the devices they wish to manage must
      include this TAM's public key or certificate, or a certificate it
      chains up to, in the Trust Anchor Store.

The definition of Trust Anchor Store
implicitly seems to say the TAS is in
the TEE.  If that is the case, it might
worth being mentioned explicitly.

[Hannes] The trust anchor may not necessarily be in the same TEE that is running the TA. It could also be in an attached crypto processor / secure element.

</mglt>

~snip~

[...]


4.4.  Untrusted Apps, Trusted Apps, and Personalization Data

[...]

<mglt>
   There are three possible cases for bundling of an Untrusted
   Application, TA(s), and Personalization Data:

   1.  The Untrusted Application, TA(s), and Personalization Data are
       all bundled together in a single package by a Trusted Component
       Signer and either provided to the TEEP Broker through the TAM, or
       provided separately (with encrypted Personalization Data), with
       key material needed to decrypt and install the Personalization
       Data and TA provided by a TAM.

I suppose that in this case the
termination point of the TAM
communication is the broker, and the
broker is then responsible to dispatch
the TA and Personalization data to the
TEE and the Untrusted Application to the
REE.  I believe the reason for
encrypting the Personalization Data is
to perform end to end communication
between the TAM and the Agent.  I
believe the clarification would help the
reading. I also assume that the TAM will
use the public key of the Agent.
Overall I believe that this scenario
multiplexes two sort of end to end
communications. Some communications
between the TAM and Broker are related
to untrusted world while TAM or
developer - Agent are related to the
trusted worlds.
I would like to clarify between
Untrusted App, TA, and Personalization
Data what is the final destination, what
is encrypted and what key material is
used.
</mglt>

[Hannes] There are different layers of communiation, as shown in Figure 1. Section 4.4 only talks about how the different software components & personalization data may get to the device. Section 4.4 really has to be read in combination with the text related to Figure 1.

~snip~


[...]

4.5.  Entity Relations

[...]

<mglt>
   At step 3, a user will go to an Application Store to download the
   Untrusted Application (where the arrow indicates the direction of
   data transfer).

The arrow direction might be indicated
in the figure or with the first arrow
being represented.  In that case this
may correspond to the certificate
provisioning.  It seems to me - unless I
have missed it
- that certificates provisioning is
missing. If so this is clearly a nits.

</mglt>

[Hannes] Here is the figure:

    (App Developers)   (App Store)   (TAM)      (Device with TEE)  (CAs)
           |                   |       |                |            |
           |                   |       |      (Embedded TEE cert) <--|
           |                   |       |                |            |
           | <--- Get an app cert -----------------------------------|
           |                   |       |                |            |
           |                   |       | <-- Get a TAM cert ---------|
           |                   |       |                |            |
   1. Build two apps:          |       |                |            |
                               |       |                |            |
      (a) Untrusted            |       |                |            |
          App - 2a. Supply --> | --- 3. Install ------> |            |
                               |       |                |            |
      (b) TA -- 2b. Supply ----------> | 4. Messaging-->|            |
                               |       |                |            |

What certificate provisioning is missing?



5.  Keys and Certificate Types

[...]

<mglt>
   Figure 4 summarizes the relationships between various keys and where
   they are stored.  Each public/private key identifies a Trusted
   Component Signer, TAM, or TEE, and gets a certificate that chains up
   to some trust anchor.  A list of trusted certificates is then used to
   check a presented certificate against.

I have the impression so far that TEE
has not been involved into any
authentication.  I suspect that TEE and
TEEP Agent represent the same entity. If
that is correct I think that would worth
some clarification why we can use one
for the other and why we need to have
two distinct entities that share the
same identity.

</mglt>

[Hannes] A TEE is a system concept, which includes a combination of hardware and software.
Hence, you cannot really state something like "the TEE authenticates X". The TEE and the TEEP Agent are also not the same thing.

Figure 4 really only focuses on the security keys and tries to avoid going too much into details of how an implementation on a specific TEE works.
[...]


[...]

6.2.  TEEP Broker Implementation Consideration

[...]

<mglt>
                           Model:    A      B      C     ...

                                    TEE    TEE    TEE
        +----------------+           |      |      |
        |      TEEP      |     Agent |      |      | Agent
        | implementation |           |      |      |
        +----------------+           v      |      |
                 |                          |      |
        +----------------+           ^      |      |
        |    TEEP/HTTP   |    Broker |      |      |
        | implementation |           |      |      |
        +----------------+           |      v      |
                 |                   |             |
        +----------------+           |      ^      |
       |      HTTP      |           |      |      |
        | implementation |           |      |      |
        +----------------+           |      |      v
                 |                   |      |
        +----------------+           |      |      ^
        |   TCP or QUIC  |           |      |      | Broker
        | implementation |           |      |      |
        +----------------+           |      |      |
                                    REE    REE    REE

                       Figure 5: TEEP Broker Models

I am wondering if TLS could be included
into the TEE.  It is correct that I do
not envision TCP being in the TEE.

[Hannes] This can be done and is done regularly. I think we should update the figure to include this option since it is very common.
I added this issue: https://github.com/ietf-teep/architecture/issues/222

</mglt>

[...]

6.2.1.  TEEP Broker APIs

   The following conceptual APIs exist from a TEEP Broker to a TEEP
   Agent:

   1.  RequestTA: A notification from an REE application (e.g., an
       installer, or an Untrusted Application) that it depends on a
       given Trusted Component, which may or may not already be
       installed in the TEE.

<mglt>
   2.  UnrequestTA: A notification from an REE application (e.g., an
       installer, or an Untrusted Application) that it no longer depends
       on a given Trusted Component, which may or may not already be
       installed in the TEE.  For example, if the Untrusted Application
       is uninstalled, the uninstaller might invoke this conceptual API.

I understand Unrequest as being
equivalent to undo, or remove or
uninstall. If that is correct, I am
wondering if there are any reasons for
non calling it remove or uninstall ?

</mglt>

[Hannes] The reason is that a TA may be needed by another TA and hence you cannot just delete it. You can only say that you do not need it anymore.
Once nobody needs it anymore it can be removed by the system, if necessary.

[...]

7.  Attestation

   Attestation is the process through which one entity (an Attester)
   presents "evidence", in the form of a series of claims, to another
   entity (a Verifier), and provides sufficient proof that the claims
   are true.

<mglt>
Different Verifiers may require different degrees of
   confidence in attestation proofs and not all attestations are
   acceptable to every verifier.

the last verifier should be Verifier in
my opinion. If that is correct the nits
appears at multiple locations. This is a
nit.

</mglt>

[Hannes] We just used the terms from the RATS group.


[...]

9.  Security Considerations

9.2.  Data Protection

[...]

<mglt>

   The protocol between TEEP Agents and TAMs similarly is responsible
   for securely providing integrity and confidentiality protection
   against adversaries between them.  Since the transport protocol under
   the TEEP protocol might be implemented outside a TEE, as discussed in
   Section 6, it cannot be relied upon for sufficient protection.  The
   TEEP protocol provides integrity protection, but confidentiality must
   be provided by payload encryption, i.e., using encrypted TA binaries
   and encrypted attestation information.  See [I-D.ietf-teep-protocol]
   for more discussion.

There is also the case where a session
is established between the TAM and the
Agent.  If used this would require HTTP
to be in the TEE.

[Hannes] Yes, you could run HTTP into the TEE and this is done as well.
For the TEEP protocol you do, however, need to make some decisions about how you want to design the system and the current design assumes that there are cases where HTTP is terminated outside the TEEP.
Is this a good design? We will see.



Ciao
Hannes
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.