IETF Logo Mail Archive

Re: [Teep] [EXT] Re: My BoF impression

Jeremy O'Donoghue <jodonogh@qti.qualcomm.com> Thu, 20 April 2017 10:01 UTC

Return-Path: <jodonogh@qti.qualcomm.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 612E81294BC for <teep@ietfa.amsl.com>; Thu, 20 Apr 2017 03:01:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=qti.qualcomm.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ISs80-gvR8e0 for <teep@ietfa.amsl.com>; Thu, 20 Apr 2017 03:01:23 -0700 (PDT)
Received: from wolverine01.qualcomm.com (wolverine01.qualcomm.com [199.106.114.254]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 128B8126C7B for <teep@ietf.org>; Thu, 20 Apr 2017 03:01:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qti.qualcomm.com; i=@qti.qualcomm.com; q=dns/txt; s=qcdkim; t=1492682483; x=1524218483; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=e5HKuWwDkeP7So1aPhtlx8zPbhCyD5u4CX8qDsX7css=; b=FD1d9J8AL7z4PWlGjLxotuwhMLYrftrvYh7CQi9W7Mn4eIpGaxPnQOMY M7Ez1OtO8kIdMV/+vGaE3NR7D52pePLtGr0AtBmeBykmBQI/lkAp60UJf hoWNesBf5L56LzsagCTLEn34vOUvLk7j6hBoJa7m7Oejhzuw+z2VPjxND Q=;
X-IronPort-AV: E=Sophos;i="5.37,225,1488873600"; d="scan'208,217";a="280196348"
Received: from unknown (HELO Ironmsg04-R.qualcomm.com) ([10.53.140.108]) by wolverine01.qualcomm.com with ESMTP; 20 Apr 2017 03:01:22 -0700
X-IronPort-AV: E=McAfee;i="5800,7501,8503"; a="1402335968"
X-MGA-submission: MDFy/49M0BG+yKv2d5o7v+7fm3P2MX+/4AtZePNRfgFj2CCuEIyWlihWuDzmV2BeaM0OmXm9QgjEEa/Rz5diH6Q+CzGdjDHl0FIowa95+xaVv3Uy/WvIkqgu5tYXfljlFdGr1V0ROX1csdYcrOLUx9JD
Received: from nasanexm01f.na.qualcomm.com ([10.85.0.32]) by Ironmsg04-R.qualcomm.com with ESMTP/TLS/RC4-SHA; 20 Apr 2017 03:01:21 -0700
Received: from euamsexm01b.eu.qualcomm.com (10.251.127.41) by NASANEXM01F.na.qualcomm.com (10.85.0.32) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 20 Apr 2017 03:01:20 -0700
Received: from euamsexm01a.eu.qualcomm.com (10.251.127.40) by euamsexm01b.eu.qualcomm.com (10.251.127.41) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 20 Apr 2017 12:01:17 +0200
Received: from euamsexm01a.eu.qualcomm.com ([10.251.127.40]) by euamsexm01a.eu.qualcomm.com ([10.251.127.40]) with mapi id 15.00.1178.000; Thu, 20 Apr 2017 12:01:17 +0200
From: Jeremy O'Donoghue <jodonogh@qti.qualcomm.com>
To: Nick Cook <Nick.Cook@intercede.com>
CC: Brian Witten <brian_witten@symantec.com>, "Wheeler, David M" <david.m.wheeler@intel.com>, Tero Kivinen <kivinen@iki.fi>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, teep <teep@ietf.org>
Thread-Topic: [Teep] [EXT] Re: My BoF impression
Thread-Index: AQHSri5/s+zvCtv0+U+ECLiK20l/g6HN8LcAgAALfgA=
Date: Thu, 20 Apr 2017 10:01:17 +0000
Message-ID: <A7F6BAAB-091B-4CF6-9C5D-105099F72920@qti.qualcomm.com>
References: <HE1PR0802MB2475515770704882F9CFBDBCFA080@HE1PR0802MB2475.eurprd08.prod.outlook.com> <22755.33183.740819.743679@fireball.acr.fi> <CB221FB1-18D2-4F7B-88D9-1E9F9828D468@qti.qualcomm.com> <0627F5240443D2498FAA65332EE46C84366ED746@CRSMSX102.amr.corp.intel.com> <MWHPR16MB148867B659709B96B2A30BB0930A0@MWHPR16MB1488.namprd16.prod.outlook.com> <VI1PR06MB3215D68D0DE0E914F40D6C99FF1B0@VI1PR06MB3215.eurprd06.prod.outlook.com>
In-Reply-To: <VI1PR06MB3215D68D0DE0E914F40D6C99FF1B0@VI1PR06MB3215.eurprd06.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3273)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.251.41.145]
Content-Type: multipart/alternative; boundary="_000_A7F6BAAB091B4CF69C5D105099F72920qtiqualcommcom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/fNpzTltwR9nD8h5xf82G8hOjBjg>
Subject: Re: [Teep] [EXT] Re: My BoF impression
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2017 10:01:27 -0000

The GP definition of a TEE[1] is not tied to Trustzone in any way, and I see nothing to suggest that it precludes the type of hypervisor-based environment you describe.

What GlobalPlatform says ([1], Section 2.2.1), is:

The primary purpose of a TEE is to protect its assets from the REE
and other environments.
- This is achieved through hardware mechanisms that those other
  environments cannot control.

This protection always includes protection against other execution
environments.
[…]
The TEE is instantiated through a secure boot process using assets
bound to the SoC or the Off-SoC Security Processor and isolated
from the REE.
- The integrity and authenticity gained through secure boot:
  - Extends throughout the lifetime of the TEE.
  - Is retained through any state transitions in the system such
    as power transitions or core migration.

It further defines the transition from the non-secure to secure world in a fairly abstract manner which covers the hypervisor use case sufficiently, I think ([1], Section 2.2.3):

The only way for the REE to get access to trusted resources is via
any API entry points or services exposed by the TEE and accessed
through, for example, the TEE Client API. This does not preclude
the capability of the REE passing buffers to the TEE (and vice versa)
in a controlled and protected manner.

In short, I agree with Brian that the GP definition of a TEE is a reasonable starting point for discussion, but I strongly support IETF exploring other use cases and system architectures that GP has not addressed - it seems to me that this is where the greatest value would be generated for the ecosystem.

I am concerned that it will be challenging to move forward effectively when many participants are unfamiliar with the GP standards-base on which the current draft draws heavily unless we are able to take steps to remedy this. Are there any suggestions as to how this could be managed? In short, how do we align the two different groups in Deep more closely?

Best regards
Jeremy

[1] GlobalPlatform TEE System Architecture, Version 1.1, January 2017.

On 20 Apr 2017, at 10:20, Nick Cook <Nick.Cook@intercede.com<mailto:Nick.Cook@intercede.com>> wrote:

Personally speaking, OTrP is about being able to install security applications into an environment that provides "trusted" hardware backed isolation between the different applications. OTrP does that by establishing it is working against the right device type and right isolation environment type and then proceeds to install the application in a way that provides protection for confidentiality and integrity. The term TEE is probably too often associated with a specific formulation of an isolation environment and therefore this is perhaps the first thing we should move forward.

As an example, I've been working on a hardware backed hypervisor environment that uses OTrP for the installation of the different containers/domains and the virtual machine contents that goes in them. The trust chain from OTrP is met and the isolation of applications and key material to those applications is also provided.

Based on that work and thinking specifically to my original goals for OTrP when we started this work a few years back, I would like to support Dave Wheeler's comment on needing to formulate a more abstract definition for TEE. I also agree with Brian that the GP definition doesn't need to be abandoned to do that - I believe, expressed in the right way, the GP definition of a TEE covers the hardware hypervisor case I described earlier in the email also and I'm sure it can cover the other environments too.


I do however think it is important that we restrict to isolation environments that are hardware backed as this is fundamental to the trust model.

I also support Dave's suggestion that we can be less normative on exact locations of the functional blocks of OTrP. I would like to have a companion document that does provide example deployments but the core protocol itself does not need to be locked down to a specific deployment approach.



Nick Cook
-----Original Message-----
From: Brian Witten [mailto:brian_witten@symantec.com]
Sent: 05 April 2017 18:02
To: Wheeler, David M <david.m.wheeler@intel.com<mailto:david.m.wheeler@intel.com>>; 'Jeremy O'Donoghue' <jodonogh@qti.qualcomm.com<mailto:jodonogh@qti.qualcomm.com>>; Tero Kivinen <kivinen@iki.fi<mailto:kivinen@iki.fi>>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>; teep <teep@ietf.org<mailto:teep@ietf.org>>
Subject: Re: [Teep] [EXT] Re: My BoF impression

Thank You Dave!  I'd like to echo & agree with many of your points, but ask for a clarification on one aspect.  "First, I (believe) this is exactly the type of conversation we need to have. Thanks for kicking this off very directly."  Well Said, Thank You Both!  "I am motivated to work jointly on developing OTrP to address a wider set of concerns common to TEEs and their environments, with the purpose of expanding the ease with which the marketplace can utilize TEE mechanisms." Again, I'm motivated by the same purpose.  "Part of this development of OTrP (from my perspective) is being less normative about the exact location and instantiation of certain parties (particularly the TSM) and be specific on the operations and activities at particular 'service access points' of the protocol."  I believe that is a great suggestion, and I'm fully supportive.  Still my clarifying question relates to the desire "to define a more abstract definition of a TEE, and desiring a protocol that is applicable to a wide set of TEEs."  I'm eager to support a wide set of TEE, including both SGX and TZ based TEE.   My question is, "do we need to abandon the Global Platform (GP) definition of a TEE to support both SGX and TZ based TEE?"  I believe that we do Not need to abandon the GP definition of a TEE to support both SGX and TZ based TEE, but I'd be eager to get your view here as you've framed the rest so very well.  Last, either way, "I believe IETF is exactly the place to have this conversation and define a very open and inclusive protocol."  Again, I agree completely.

Thank You Again!
Brian


From: TEEP <teep-bounces@ietf.org<mailto:teep-bounces@ietf.org>> on behalf of Wheeler, David M <david.m.wheeler@intel.com<mailto:david.m.wheeler@intel.com>>
Sent: Wednesday, April 5, 2017 9:34 AM
To: 'Jeremy O'Donoghue'; Tero Kivinen
Cc: Hannes Tschofenig; teep
Subject: [EXT] Re: [Teep] My BoF impression


I'm a bit behind on the thread, but want to respond to Jeremy's original comment.

First, I this is exactly the type of conversation we need to have. Thanks for kicking this off very directly.
I agree with your perception of the two groups, though I think it is important to understand the motivations in the second group, since they may be varied.

I will put myself voluntarily in the second bucket. I will present my personal perspective, which may be different from others in the "second group".

For myself, I am looking to define a more abstract definition of a TEE, and desiring a protocol that is applicable to a wide set of TEEs. From my perspective,  looking at TEEs that Intel has in the marketplace, and also having worked for several years on Intel's XScale processors (and am thus familiar with TZ), the current OTrP draft addresses Trust Zone concerns without really considering other TEEs. This is my  perception, of course.

It is also my opinion that an IETF protocol should do more than address implementation specific concerns.
I am motivated to work jointly on developing OTrP to address a wider set of concerns common to TEEs and their environments, with the purpose of expanding the  ease with which the marketplace can utilize TEE mechanisms.

Part of this development of OTrP (from my perspective) is being less normative about the exact location and instantiation of certain parties (particularly the  TSM) and be specific on the operations and activities at particular "service access points" of the protocol. My point here is that OTrP in its current rendition is <emphasis> too </emphasis> implementation specific and too normative in its description of the  marketplace. I believe this is fine as an example, but not as part of the protocol.

I believe IETF is exactly the place to have this conversation and define a very open and inclusive protocol. I realize that takes some time. I look forward  to having this conversation in more detail.

Thanks,
Dave Wheeler



From: TEEP [mailto:teep-bounces@ietf.org] On Behalf Of Jeremy O'Donoghue
Sent: Tuesday, April 4, 2017 7:13 AM
To: Tero Kivinen <kivinen@iki.fi<mailto:kivinen@iki.fi>>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>; teep <teep@ietf.org<mailto:teep@ietf.org>>
Subject: Re: [Teep] My BoF impression




On 4 Apr 2017, at 12:21, Tero Kivinen <kivinen@iki.fi<mailto:kivinen@iki.fi>> wrote:



My feeling that the main question what people did not understand was:

What is the real difference between TEEP and just normal application download. I.e., why separate protocol is needed.
How is this different from just having perhaps encrypted signed application blob from the marketplace and installing that.

At least that was my main question when we discussed this before the BoF.

Of course it does not help, that when you ask that question from different people you get different answer, as the idea of what TEEP is different for different people.



I think there is a degree of talking at cross-purposes.



There is one group - essentially those sponsoring the creation of this group - which has a very clear understanding of what it would like TEEP to be, which is essentially three things:



A mechanism for managing Trusted Applications and their associated secrets and key material in a GlobalPlatform TEE or something that is conceptually very similar.
A mechanism for establishing a chain of trust rooted in firmware and covering the TEE and possibly other system components up to and including the executing Task in a Security Domain.
A mechanism - targeted at phone and tablet type devices - which operates independently of the "App Store" mechanism, and is based on a PKI infrastructure allowing Service Providers to manage the Trusted Applications they control  without the need for user intervention.



The draft specification very clearly addresses such a system. Understanding it fully requires considerable familiarity with the GlobalPlatform TEE specifications, since much of the terminology and architectural assumptions are derived from  these.



There is a second group which is starting from a more abstract position of what a TEE should look like and what security services it might then provide to a system and how the control of these could be structured. This is a completely different  problem, and likely a much broader one which is difficult to encapsulate in a small scope.




Trying to make the architecture too generic also confuses things. It might be better to have more concrete example with more limited scope, that would explain things what TEEP should provide.

For example:

1) TEEP provides a way to install software from the Secure trusted application marketplace to the TEE running inside device.

2) The Secure trusted appliation marketplace needs to be able to verify that the TEE wanting to install an application is actual TEE, and not some fake device, for example using signature from the key installed by the manufacturer which is used to sign the installation request.

3) The Secure trusted application marketplace can then encrypt the trusted application with TEE specific key, so that nobody else than TEE can decrypt and install it. This will prevent leaking out confidential material inside the application.
Trusted application instlal package might also be personalized for the specific TEE. Secure trusted application marketplace will also sign the trusted application install package, so TEE can verify it is authentic.

4) TEE will verify the signature of the trusted application install package, and check that signer is trusted, and then it will decrypt the package, and install it.

5) The application running on the REE side might need to verify that the trusted application part of it has been properly installed to real TEE, so it can trust it doing its job. I am not sure if this will be part of the TEEP or not...

Is my understanding of TEEP correct? I do not know, and I assume other people have different ideas what should or should not be part of it.



I think this is a pretty good explanation of what the first group would like to see.


Best regards

Jeremy

v2.23.0 | Report a Bug | By Email