Re: [Teep] [Rats] EAT claims needed by TEEP

Dave Thaler <dthaler@microsoft.com> Tue, 27 October 2020 20:26 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C98FE3A1595; Tue, 27 Oct 2020 13:26:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.468
X-Spam-Level:
X-Spam-Status: No, score=-0.468 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, LH_URI_DOM_IN_PATH=1.533, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kBeSL9ztnrkO; Tue, 27 Oct 2020 13:26:33 -0700 (PDT)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2100.outbound.protection.outlook.com [40.107.92.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E0083A1593; Tue, 27 Oct 2020 13:26:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=H4PVZ4frIUr8gCfSpgNMmIWZTTSW3DBe/9YSn9rziDbYe+VtPY5eaf579db3uKmD3TFz7YpUaDLDaMMUsYhoUOICsVPtGDaZQK9TxRM/LhouCF0BgTk+VDZrrNmETQUxrD77xdhtlFECWv6UhGgz2+z8nmHLKVCOev3ertx5MtEPWJcrfKf5RZjhii5vW00e6Lk+Yb4FuNg2ICmBepnOFYWY/ak5woRecE/LM6rswGe1sMCqOTzIWLEeYxq5E/GiJKegxdsOyiW7CGLj2ohAvKTW2AoW4Ew9ecC0HCqwTE6dDhUA3+FlVsPicKGGYyT3XuJWnHlJ3gBweAcACZMJQA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oIt2vOs7qSPQ7ePo6x0f53zxsRE7zviDTXda+X7ohJw=; b=NYZ7p6Y3hx45EAzQWJ35epUF/5OTwow42P4iq+z2Lc0vAoEcef0HOslP59QHOpWoD76IagK2DriEu2sSPVeCQq5chYqx/mY/CvotUPDYPJHJAv7YQL+YwEDDOmjugalK55pei3paM884owxgndMlUl626jo8Od74jv2ziKoFAuga326rS0Q/GMBAR90tTybcNCntWYm/NY7zSAd39gILtBJi+z2Sw1KKLxAc8kIp3kG/SHe6vIGFvYNVaKgDmpmYFfcWod3L/DIdNcxlQdw590vvYtAFGUQhp5ZHFJmV1dKsxn/pqVDNHtSaIgNwh/z4FDbltk8JiT8Q7FzQlgblyA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oIt2vOs7qSPQ7ePo6x0f53zxsRE7zviDTXda+X7ohJw=; b=XTzN9C2ef/s4UgKfB5pnuBgtdjSq9NYw+LL/yeHQB80wZJFqNarw2pARX9JZZfY0iVtKdCyy2tLV71ar3l6Oj2C/7daJsZGiEwaswJB+w//56BymZzQj+RRBzmBCBoM687GbzA344k3Yl78J018+41JMte1UiY9WnE780QXYdTA=
Received: from BL0PR2101MB1027.namprd21.prod.outlook.com (2603:10b6:207:30::33) by MN2PR21MB1485.namprd21.prod.outlook.com (2603:10b6:208:205::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.3; Tue, 27 Oct 2020 20:26:28 +0000
Received: from BL0PR2101MB1027.namprd21.prod.outlook.com ([fe80::4da:87a4:8d47:889f]) by BL0PR2101MB1027.namprd21.prod.outlook.com ([fe80::4da:87a4:8d47:889f%6]) with mapi id 15.20.3499.017; Tue, 27 Oct 2020 20:26:27 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Laurence Lundblade <lgl@island-resort.com>
CC: "rats@ietf.org" <rats@ietf.org>, teep <teep@ietf.org>
Thread-Topic: [Rats] EAT claims needed by TEEP
Thread-Index: Adar5IMluvH5Xfk/TjCNoR5RTUTf2AAroFeAAAKv15A=
Date: Tue, 27 Oct 2020 20:26:27 +0000
Message-ID: <BL0PR2101MB1027EA205417DAF375BA7085A3160@BL0PR2101MB1027.namprd21.prod.outlook.com>
References: <BL0PR2101MB102770B8E03B95A44497004CA3190@BL0PR2101MB1027.namprd21.prod.outlook.com> <7607E6BF-459C-4A32-AAE2-08117A97E06B@island-resort.com>
In-Reply-To: <7607E6BF-459C-4A32-AAE2-08117A97E06B@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-10-27T20:26:26Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=4bdee0f3-772d-4f33-839c-2abfacd9215a; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: island-resort.com; dkim=none (message not signed) header.d=none;island-resort.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2601:600:9780:8d0:581c:556e:bbac:acfc]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 9b647215-13cc-472f-a770-08d87ab69541
x-ms-traffictypediagnostic: MN2PR21MB1485:
x-microsoft-antispam-prvs: <MN2PR21MB148542BB22798D22B060A15AA3160@MN2PR21MB1485.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: LJbiZRYfFD28SsbX9DBCj8UzcbsBzEUSWK8y4qYw1VNvXTx1C4RgvvMoTNyTbSWN0U/Um7PlTegetXrdRec7tKeeOumTJJXSErIR5TVghsHLx8PUjWyVKjO8eem2WV26GO32ZDZ0UX9iT0LHAex5vWKx0KX0jVdfVYBt68u0p3u4MRGgtrAYzt6tIa+RXiy3WpJ1awy2sHxmSy01xuXudxwRUydRqMXnguYUSKVd0Bg9PjuZGIw7lYw+vcS/xU5y56BFEIbnRf6EAaVEiyWrswDegPFZd9vZw4OuPH05aXYqHhUwYBYjc5WCY0fTUcQQeqgfyirPQNgiIOlHS8GJXP49/PTHMPZjfc5Ar+Lf2fhGF5Gldy65xmCEsbUvvHX9I6ZPxxTDEwskwTM+FY3NKg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR2101MB1027.namprd21.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(376002)(366004)(396003)(39860400002)(346002)(7696005)(54906003)(83380400001)(82950400001)(82960400001)(6916009)(52536014)(186003)(8936002)(316002)(53546011)(6506007)(66946007)(66556008)(86362001)(64756008)(66476007)(66446008)(5660300002)(76116006)(9686003)(478600001)(33656002)(55016002)(8676002)(966005)(2906002)(71200400001)(166002)(10290500003)(8990500004)(4326008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: ELfrgl9DCAda4Q0OP98+KyAFWnUwUKA6iTzAweHgJ420ckxgY4ZFJNs0NwVN0/puD9tSrKi8Sm9HBAXaGzzwUy9ujhB3ovrgyPpHhYVDLgwsRFz0vMhDcYBprzJO8IUrfLwboTi6FU72NOqMo/l+MIFBrGkvCiIhbcn4r9ArSGBcJbjC/irhDaO2KinPdC9wO9lnMBR/UXvLXiqbtEyTxkdUgw5SvQQ/RHt+nUic5/6qmUEAL9fKKMaBeBoQx2zCYNCZTTn3W1/8KOjeF/znRBLe94eU/0P88Z8V6EBDf9Bo+unw/jdvKhSecwpSSc4pzwVTrkl+ugeRY3Wr5hk148QkYOU0z82pbZPDlq38rg8wHX4W6vsku4YNszfyrAV0WIo98w5gKnEQczTpRWvHh4WkR4c4a5+ycVw2468EVdIewhI3Ui6bxFN7QZkcs0tdcSJktVH3NZNSTe3Q/wFSdXUMH6VzDI1icZyC1OzamgdGWRR4rVlnrXbdj1aWokCTdVACJiBEOLfNdwO9GsSgTPjq1SCNgY3f6eR1zuszZMxAK82V7YY5K7Jsbyv8ZBufzMEqy6/H6apmZAYB26CaF9Hyd92N6EQDAbPmptzL/ArHroLRcEjapF9tfIGgi0+jdWIUy/Siu9qKHKNEplXyx/Z78kPViDhjCrTAtStaMfAHoLqj2MPMgW/GlMYSrQ14bNO9VUg/O0vWiS/wey3ncg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BL0PR2101MB1027EA205417DAF375BA7085A3160BL0PR2101MB1027_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR2101MB1027.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9b647215-13cc-472f-a770-08d87ab69541
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Oct 2020 20:26:27.7840 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: YV1FBImzGfZadgeAbfGipBb5KeN4E05tPOV9MRy21qo7HhjQc4SpzbSe0Nd8nnRTpwEYm/dwTAId3NmPnVa5MI3XgBt1YbZwYBtwEPYkhwc=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR21MB1485
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/wiNaRvtmSUTxpCTnVIiku-IfeWo>
Subject: Re: [Teep] [Rats] EAT claims needed by TEEP
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2020 20:26:36 -0000

Inline below…

From: Laurence Lundblade <lgl@island-resort.com>
Sent: Tuesday, October 27, 2020 11:57 AM
To: Dave Thaler <dthaler@microsoft.com>
Cc: rats@ietf.org; teep <teep@ietf.org>
Subject: Re: [Rats] EAT claims needed by TEEP

Personally, I think attestation of TEE’s is pretty important and should be handled well in EAT. So I’m interested in working on and adding claims for this to EAT.

After reading section 7.1 in TEEP architecture, it does seem like there some work to do here to get to specific standardized interoperable claims.

More comments below.


On Oct 26, 2020, at 3:15 PM, Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org<mailto:dthaler=40microsoft.com@dmarc.ietf.org>> wrote:

As discussed in previous IETF meetings, if there are claims beyond the base set that
other WGs need, they can be specified by the other WGs with review by RATS.

The TEEP WG needs the following in EATs and I am not sure whether they can be
covered by existing claims or whether TEEP-specific claims are needed.  From
section 7.1 of draft-ietf-teep-architecture:

>     -  Device Identifying Information: TEEP attestations may need to
>        uniquely identify a device to the TAM.  Unique device
>        identification allows the TAM to provide services to the device,
>        such as managing installed TAs, and providing subscriptions to
>        services, and locating device-specific keying material to
>        communicate with or authenticate the device.

I believe the Universal Entity ID Claim (ueid) is claim that meets the above requirement.
But the TEEP arch then goes on to say:

>        In some use cases it
>        may be sufficient to identify only the class of the device.  The
>        security and privacy requirements regarding device identification
>        will vary with the type of TA provisioned to the TEE.
Which EAT claim contains the device class? The closest thing I see is OEM Identification by IEEE (oemid)
but I am not sure that is sufficient since it's only the OEM not the device class from that OEM.
This doesn’t seem like something that should be TEEP specific though, so can someone tell me how to
represent device class using the claims in the EAT spec?

I don’t think the OEMID, UEID or other should be (ab)used  to represent device class. That would result in them being less reliable and useful in a generic sense. We should come up with a new claim.

+1

We can define a claim to be  the device class and make it a byte string like a UEID, but I think we have to go further to make it useful as an interoperable standardize claim. There has to be some method for the classification. TrustZone vs hypervisor based? Fast vs slow? Has a protected mode kernel and TAs? The TEEP document doesn’t say. This seems problematic without a classification scheme.

[DT] I’m not sure we need a classification scheme, at least for TEEP.  A simple device class byte string as you suggest would suffice in my opinion.

I wonder if the intent is more about grouping, in which case we can define a GEID (Group Entity ID) that looks a lot like a UEID. That seems useful and sensible to me. It is not about classification based on any characteristics. It lines up with the privacy preserving technique of one key per 100,000 devices.


>     -  TEE Identifying Information: The type of TEE that generated this

>        attestation must be identified, including version identification

>        information such as the hardware, firmware, and software version

>        of the TEE, as applicable by the TEE type.  TEE manufacturer

>        information for the TEE is required in order to disambiguate the

>        same TEE type created by different manufacturers and address

>        considerations around manufacturer provisioning, keying and

>        support for the TEE.


Similarly for this requirement, the closest thing I see is Origination Claim (origination) but I am not sure
that is sufficient since it's just the manufacturer not the "version identification information such as the
hardware, firmware, and software version of the TEE”

Definitely not origination claim.

+1

The intent of it something like Endorser identification and I think it should be replaced by an Endorser/X.509 cert URL.

I would say, this is a combination of claims

It’s just used:

1)     For a Verifier in appraising the evidence (nothing TEEP specific here, appraisal policy can involve any claim), and

2)     To be used by a TAM to decide which TA’s apply to the TEE.  In that sense it’s just like any other vendor id + device class for any non TEE, and I believe if there were a byte string for device class as you suggest that would be sufficient in my opinion.

Keeping in mind the “layered attestation” concept in the arch doc, as long as we have a claimset per layer, then I think the same “vendor id” and “class” claims that would apply to any device could be reused for the TEE, and reused for describing each layer.  E.g., a “version” claim would apply at the hardware layer and be the hardware version, at the firmware layer and be a firmware version, at the OS layer and be an OS version, etc.


I’ve just added a PR<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fietf-rats-wg%2Feat%2Fpull%2F68&data=04%7C01%7Cdthaler%40microsoft.com%7Cab1ee7788f1f4d449c5508d87aaa3006%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637394218658895685%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=JyNCTwUJvkCPk3H9uYmD0BLfUXPu6vhnQomkIqiqiUM%3D&reserved=0> for HW version claims.

The intent for SW version claims is to use CoSWID. We should probably create some examples to see if it can represent what TEEP wants to represent.

Agree this sounds promising.

The paragraph mentions “type of TEE”. I’m not sure what is intended. I don’t know of any common taxonomy for classifying TEEs.

A unique identifier is sufficient in my view, no “classification” or “taxonomy” is required by anything that the TEEP WG has discussed to date, as far as I know.

Should the TEEP WG define TEEP-specific claims for such information?

I’d like to see most of them go into EAT unless they are super specific to TEEP (TEEP not TEEs). I think there is value in broad standardize claims as it promotes interoperability of RATS.

Sounds good to me.   Consider this a request to add some way to express “vendor id”, “model” (or “class” or whatever you want to call it), and “version” as claims that can be applied in claimsets at various layers.   I glanced at the PR you referenced and it seems to be a chip-specific version, not a generic version claim that can be used at multiple layers, so is not sufficient to meet the TEEP arch draft’s requirements, we still need other claims added.

Thanks!
Dave

LL




Dave
_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Frats&data=04%7C01%7Cdthaler%40microsoft.com%7Cab1ee7788f1f4d449c5508d87aaa3006%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637394218658895685%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=O5LJZBw%2B6huYU7BrNSgOUQNw2H5uoDGwZj09%2FPghKrI%3D&reserved=0>