Re: [Teep] Review of draft https://tools.ietf.org/html/draft-ietf-teep-otrp-over-http-06

Dave Thaler <dthaler@microsoft.com> Fri, 17 July 2020 23:16 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: Mingliang Pei <mingliang.pei@broadcom.com>
CC: "teep@ietf.org" <teep@ietf.org>
Date: Fri, 17 Jul 2020 23:15:57 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/KZQOtxbUMhoyXMRdanF5UPtgD80>

Mingliang Pei <mingliang.pei@broadcom.com> wrote:
> 1) Abstract section says "is used to manage code and configuration data"
>
> Should it just say manage "Trusted Applications" as this can
> assume the context defined in TEEP architecture and TEEP protocol
> document.

No. TEEP can also be used to manage code that isn't a "TA" per se.
For example, it could also be used to update OP-TEE (or any other TEE "OS").

MP: Non-TA code management is out of scope for TEEP. TEEP architecture doc only targets to support TA management per use cases and scope sections; it doesn't have design to update OP-TEE or any other TEE OS. TEEP protocol doesn't have methods for non-TA code. It defines only two methods:

TrustedAppInstall
TrustedAppDelete
The transport is to support TEEP protocol doc. I suggest that we limit the scope of TA management across all three docs.


I disagree with the above. TEEP is for provisioning TEEs, and TEE architectures vary.
For example, CreateSD in OTrP manages a TEE but is not about a TA per se.

And in the TEEP protocol we use a SUIT manifest which can express dependencies
among TAs, and dependencies on system components, and install (or install updates to)
such dependencies as part of SUIT manifest processing. That means if you have
TA1 that depends on TA2 that depends on having the latest version of trusted firmware
or OP-TEE or whatever, the RATS attestation can include the current state, and the
SUIT workflow can install/update it. The fact that the TEEP protocol uses a TA
as the leaf/trigger doesn’t mean it can’t also do things that it depends on,
whether that is creating an SD or updating OP-TEE. Trying to make some dependencies
be out of scope and other dependencies not be out of scope would be arbitrary,
complicate the protocol (by saying some SUIT manifests would be illegal, as opposed
to just using a SUIT processor), and create discrepancies between TEE implementations
(e.g., SGX vs OP-TEE/TrustZone) that in my opinion would not make sense and provide
no value.



This sounds like something that needs WG consensus either way but I feel strongly about this one.



Dave