Re: [Teep] clarification questions on draft-ietf-teep-architecture-14

[Daniel Migault <mglt.ietf@gmail.com>]

Hi Hannes,

Thanks for the clarifications. Please find my responses inline.

Yours,
Daniel

On Tue, Mar 23, 2021 at 5:10 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com>
wrote:

> Hi Daniel,
>
>
>
> Thanks for reading carefully through the draft.
>
>
>
> Many of your questions relate to the use of TEEP for Intel SGX. I cannot
> answer those questions and the architecture was written to be independent
> of a particular TEE instantiation. I will skip the SGX related questions
> and someone else (maybe from Intel) can answer those.
>
>
>
<mglt>
just to clarify, I agree that the description is TEE technologie
independent, but I just willing to align the text with my understanding of
SGX. Overall I believe that the text in section 4.4 that positioned the
abstract architecture toward TrustZone and SGX was very clarifying and
believe that more example sections or appendices sections related to
existing implementation might be clarifying.
</mglt>

> Let me answer your questions that are unrelated to SGX.
>
>
>
> ~ snip ~
>
>
>
> <mglt>
>
>    To simplify the life of TA developers interacting with TAs in a TEE,
>
>
>
> I am tempted to say that TA always run
>
> in TEE, in which case "in a TEE" may be
>
> redundant or may suppose that some TA
>
> are not running in a TEE.  Note that it
>
> appears at several different places in
>
> the text.
>
>
>
> [Hannes] The issue is that there is the TA in the secure world but then
> you also need code elsewhere to interact with it. In fact, there will have
> to be code pretty much everywhere (at least in TrustZone) to allow the
> transition from the app running in the normal world to the TA running in
> the secure world. It may sound like an easy thing to do but it isn’t in
> practice and the TF-M and OP-TEE code show this, see
> https://www.trustedfirmware.org/
>
>
>
<mglt>
Thanks for the link. This is obviously not a huge issue - at least to me -
but it sounds to me that TA may designate different things depending on the
TEE technology and it might be clarifying to illustrate what it means in
SGX and TrustZone. There are potentially multiple ways to do that and maybe
an illustrative example in the appendix would be in my opinion enough so to
avoid major changes in the text.
</mglt>

>
>
> </mglt>
>
>
>
>    an interoperable protocol for managing TAs running in different TEEs
>
>    of various devices is needed.
>
> <mglt>
>
>    This software update protocol needs to
>
>    make sure that compatible trusted and untrusted components (if any)
>
>    of an application are installed on the correct device.  In this TEE
>
>    ecosystem, there often arises a need for an external trusted party to
>
>    verify the identity, claims, and rights of TA developers, devices,
>
>    and their TEEs.  This trusted third party is the Trusted Application
>
>    Manager (TAM).
>
>
>
> I am reading "this software update
>
> protocol" as limiting the ability to
>
> upgrade an already installed
>
> application.  I have the impression that
>
> installation of a software is in scope
>
> and that in this case, installation will
>
> only be permitted depending on the TEE
>
> version.  If this is included in the
>
> term "software upgrade" I have the
>
> impression these tasks are beyond a
>
> software upgrade.
>
>
>
> [Hannes] We also cover installation and deletion of software. Maybe we
> should expand the sentence to make this clearer.
>
>
>
<mglt>
I think that would good. This would have at least prevent me wondering this
question. .
</mglt>

> </mglt>
>
>
>
>    The Trusted Execution Environment Provisioning (TEEP) protocol
>
>    addresses the following problems:
>
>
>
>    -  An installer of an Untrusted Application that depends on a given
>
>       TA wants to request installation of that TA in the device's TEE so
>
>       that the Untrusted Application can complete, but the TEE needs to
>
>       verify whether such a TA is actually authorized to run in the TEE
>
>       and consume potentially scarce TEE resources.
>
>
>
> <mglt>
>
>    -  A TA developer providing a TA whose code itself is considered
>
>       confidential wants to determine security-relevant information of a
>
>       device before allowing their TA to be provisioned to the TEE
>
>       within the device.  An example is the verification of the type of
>
>       TEE included in a device and that it is capable of providing the
>
>       security protections required.
>
>
>
> My first question reading this paragraph
>
> concerns the TA developer versus the TA
>
> manager or device manager.  I am tempted
>
> to see these as two different roles, but
>
> I would say the responsibility to
>
> install a TA with a certain level of
>
> version of the TEE is more likely to be
>
> the responsibility of the TAM or a
>
> Device Manager than the TA developer.
>
>
>
> [Hannes] I think both entities need to work together. The TA developer
> writes the TA code and understands for what application it is meant to be
> used (at least typically). It might also have requirements on the type of
> TEE. An operator of  a TAM needs to decide what it wants to send to
> devices.
>
>
>
<mglt>
So I understand the developer specifies a code for a specific type of TEE.
I think I misread "type of TEE", reading your response, it seems that type
of TEE designates SGX or TrustZone as opposed to the different version
proposed by SGX or TrustZone. If that the case, it sounds relatively
obvious to me that app.trustzone and app.sgx are different app and the
developper chose where the app is expected to run. In my inital comment, I
read type of TEE as a TEE version with some microcodes enables. This means
that app.sgx is likely to run on every declination of it and the actual
configuration or instantiation of the TEE cannot - as I understand be
decided but the application developer. As I understand it, the
configuration of the TEE is revealed during the attestation.
If that is correct, I would say that mentioning (TrustZone or SGX) after
type of TEE would have been clearer to me.

</mglt>

> This may not exclude that TAM and TA
>
> developer have a specific agreement and
>
> some conditions are provided by the TA
>
> developer.
>
>
>
> [Hannes] They may have an agreement or in other cases the relationship may
> be pretty loose.
>
>
>
<mglt>
ok
</mglt>

> I am reading this text as a TA developer
>
> or manager evaluates the trustworthiness
>
> of the REE, but I would tempted to
>
> consider such information as unlikely to
>
> be reliable, so I am wondering if there
>
> is anything I am missing.
>
>
>
> [Hannes] Imagine that a TEE developer writes an app that does some machine
> learning and he only wants to release the code to devices that implement
> certain security features in the TEE. He would work together with the TAM
> operator to ensure that those requirements are met and the attestation
> functionality offered by the TEEP protocol gives him or her that assurance.
>
>
>
<mglt>
I understand the use case. I think what my concern was that with SGX, my
understanding is that enclaves are built from the REE and code is loaded
from the REE.  In this case, that seems to me difficult to ensure
confidentiality with a level equivalent to the one associated to the one
provided by a TEE. It seems to me that TrustZone would enable to provision
the code directly to the TEE via the agent without passing through the REE.
I think that would be good to specify that the problem is only related to
one TEE technology.
</mglt>

> ~snip~
>
>
>
> While not related to the code itself,
>
> but some sort of secret credentials
>
> associated to the TA, I believe that a
>
> TA Manager may check the level of trust
>
> of the TEE before provisioning the TA
>
> with secrets.
>
> [Hannes] Yes.
>
>
>
> I am wondering if that is
>
> part of TEEP with Personalization Data
>
> or if such instantiation is always
>
> delegated to the TA.
>
>
>
> [Hannes] This is part of the TEEP protocol. The ability to protect
> (encrypt) personalization data is offered by SUIT.
>
>
>
<mglt>
ok
</mglt>

> More specifically,
>
> the TA sets a trusted communication with
>
> the TAM that pushes the secret
>
> credentials.
>
> [Hannes] Sort-of. Details about the SUIT part will be added in a SUIT
> document on how the encryption looks like.
>
> <mglt>
ok, thanks.
</mglt>

>
>
> Now that I have read the full spec, it
>
> seems that the bundle description
>
> somehow addresses this, but I think that
>
> mentioning the configuration of a TA in
>
> the introduction or overview section
>
> would ease the reading.
>
>
>
> [Hannes] This is maybe the wrong document; the TEEP protocol document
> could give an example or should go into the details of this. My take-away
> from the last meeting was that we will cover this in a separate document in
> SUIT.
>
>
>
<mglt>
What I meant was that the bundle section provided a sufficient high level
view of how it works. To me a simple referenc eto that section would be
sufficient. Of course additional details and a reference to a suit document
may be better, but I do not think that is necessary in that document.
</mglt>

>
>
> </mglt>
>
>
>
> ~snip~
>
>
>
>
>
>
>
> [...]
>
>
>
> 4.  Architecture
>
>
>
> 4.1.  System Components
>
>
>
> [...]
>
>
>
> <mglt>
>
>       A Trusted Component Signer or Device Administrator chooses a
>
>       particular TAM based on whether the TAM is trusted by a device or
>
>       set of devices.  The TAM is trusted by a device if the TAM's
>
>       public key is, or chains up to, an authorized Trust Anchor in the
>
>       device.  A Trusted Component Signer or Device Administrator may
>
>       run their own TAM, but the devices they wish to manage must
>
>       include this TAM's public key or certificate, or a certificate it
>
>       chains up to, in the Trust Anchor Store.
>
>
>
> The definition of Trust Anchor Store
>
> implicitly seems to say the TAS is in
>
> the TEE.  If that is the case, it might
>
> worth being mentioned explicitly.
>
>
>
> [Hannes] The trust anchor may not necessarily be in the same TEE that is
> running the TA. It could also be in an attached crypto processor / secure
> element.
>
<mglt>
ok.thanks.
</mglt>

>
>
> </mglt>
>
>
>
> ~snip~
>
>
>
> [...]
>
>
>
>
>
> 4.4.  Untrusted Apps, Trusted Apps, and Personalization Data
>
>
>
> [...]
>
>
>
> <mglt>
>
>    There are three possible cases for bundling of an Untrusted
>
>    Application, TA(s), and Personalization Data:
>
>
>
>    1.  The Untrusted Application, TA(s), and Personalization Data are
>
>        all bundled together in a single package by a Trusted Component
>
>        Signer and either provided to the TEEP Broker through the TAM, or
>
>        provided separately (with encrypted Personalization Data), with
>
>        key material needed to decrypt and install the Personalization
>
>        Data and TA provided by a TAM.
>
>
>
> I suppose that in this case the
>
> termination point of the TAM
>
> communication is the broker, and the
>
> broker is then responsible to dispatch
>
> the TA and Personalization data to the
>
> TEE and the Untrusted Application to the
>
> REE.  I believe the reason for
>
> encrypting the Personalization Data is
>
> to perform end to end communication
>
> between the TAM and the Agent.  I
>
> believe the clarification would help the
>
> reading. I also assume that the TAM will
>
> use the public key of the Agent.
>
> Overall I believe that this scenario
>
> multiplexes two sort of end to end
>
> communications. Some communications
>
> between the TAM and Broker are related
>
> to untrusted world while TAM or
>
> developer - Agent are related to the
>
> trusted worlds.
>
> I would like to clarify between
>
> Untrusted App, TA, and Personalization
>
> Data what is the final destination, what
>
> is encrypted and what key material is
>
> used.
>
> </mglt>
>
>
>
> [Hannes] There are different layers of communiation, as shown in Figure 1.
> Section 4.4 only talks about how the different software components &
> personalization data may get to the device. Section 4.4 really has to be
> read in combination with the text related to Figure 1.
>
>
>
<mglt>
ok thanks for the clarification. I am tempted to say that maybe the text
could be a bit more explicit to ease connecting the dots.
</mglt>

> ~snip~
>
>
>
>
>
> [...]
>
>
>
> 4.5.  Entity Relations
>
>
>
> [...]
>
>
>
> <mglt>
>
>    At step 3, a user will go to an Application Store to download the
>
>    Untrusted Application (where the arrow indicates the direction of
>
>    data transfer).
>
>
>
> The arrow direction might be indicated
>
> in the figure or with the first arrow
>
> being represented.  In that case this
>
> may correspond to the certificate
>
> provisioning.  It seems to me - unless I
>
> have missed it
>
> - that certificates provisioning is
>
> missing. If so this is clearly a nits.
>
>
>
> </mglt>
>
>
>
> [Hannes] Here is the figure:
>
>
>
>     (App Developers)   (App Store)   (TAM)      (Device with TEE)  (CAs)
>
>            |                   |       |                |            |
>
>            |                   |       |      (Embedded TEE cert) <--|
>
>            |                   |       |                |            |
>
>            | <--- Get an app cert -----------------------------------|
>
>            |                   |       |                |            |
>
>            |                   |       | <-- Get a TAM cert ---------|
>
>            |                   |       |                |            |
>
>    1. Build two apps:          |       |                |            |
>
>                                |       |                |            |
>
>       (a) Untrusted            |       |                |            |
>
>           App - 2a. Supply --> | --- 3. Install ------> |            |
>
>                                |       |                |            |
>
>       (b) TA -- 2b. Supply ----------> | 4. Messaging-->|            |
>
>                                |       |                |            |
>
>
>
>
> What certificate provisioning is missing?
>
>
>
>
>
<mglt>
I have not found the description of the 3 first arrows - unless I am
missing it.
</mglt>

>
>
>
>
> 5.  Keys and Certificate Types
>
>
>
> [...]
>
>
>
> <mglt>
>
>    Figure 4 summarizes the relationships between various keys and where
>
>    they are stored.  Each public/private key identifies a Trusted
>
>    Component Signer, TAM, or TEE, and gets a certificate that chains up
>
>    to some trust anchor.  A list of trusted certificates is then used to
>
>    check a presented certificate against.
>
>
>
> I have the impression so far that TEE
>
> has not been involved into any
>
> authentication.  I suspect that TEE and
>
> TEEP Agent represent the same entity. If
>
> that is correct I think that would worth
>
> some clarification why we can use one
>
> for the other and why we need to have
>
> two distinct entities that share the
>
> same identity.
>
>
>
> </mglt>
>
>
>
> [Hannes] A TEE is a system concept, which includes a combination of
> hardware and software.
>
> Hence, you cannot really state something like "the TEE authenticates X".
> The TEE and the TEEP Agent are also not the same thing.
>
>
>
<mglt>
I agree that I had issue with "the TEE authenticates X" and similarly to "X
authenticates TEE" but this is how I am reading the section 5 "Keys and
certificates Types. I have the impression that TEE should be replaced by
TEEP Agent.
</mglt>

> Figure 4 really only focuses on the security keys and tries to avoid going
> too much into details of how an implementation on a specific TEE works.
>
> [...]
>
>
>
>
>
> [...]
>
>
>
> 6.2.  TEEP Broker Implementation Consideration
>
>
>
> [...]
>
>
>
> <mglt>
>
>                            Model:    A      B      C     ...
>
>
>
>                                     TEE    TEE    TEE
>
>         +----------------+           |      |      |
>
>         |      TEEP      |     Agent |      |      | Agent
>
>         | implementation |           |      |      |
>
>         +----------------+           v      |      |
>
>                  |                          |      |
>
>         +----------------+           ^      |      |
>
>         |    TEEP/HTTP   |    Broker |      |      |
>
>         | implementation |           |      |      |
>
>         +----------------+           |      v      |
>
>                  |                   |             |
>
>         +----------------+           |      ^      |
>
>        |      HTTP      |           |      |      |
>
>         | implementation |           |      |      |
>
>         +----------------+           |      |      v
>
>                  |                   |      |
>
>         +----------------+           |      |      ^
>
>         |   TCP or QUIC  |           |      |      | Broker
>
>         | implementation |           |      |      |
>
>         +----------------+           |      |      |
>
>                                     REE    REE    REE
>
>
>
>                        Figure 5: TEEP Broker Models
>
>
>
> I am wondering if TLS could be included
>
> into the TEE.  It is correct that I do
>
> not envision TCP being in the TEE.
>
>
>
> [Hannes] This can be done and is done regularly. I think we should update
> the figure to include this option since it is very common.
>
> I added this issue: https://github.com/ietf-teep/architecture/issues/222
>
>
>
> </mglt>
>
>
>
<mglt>
thanks.
</mglt>

> [...]
>
>
>
> 6.2.1.  TEEP Broker APIs
>
>
>
>    The following conceptual APIs exist from a TEEP Broker to a TEEP
>
>    Agent:
>
>
>
>    1.  RequestTA: A notification from an REE application (e.g., an
>
>        installer, or an Untrusted Application) that it depends on a
>
>        given Trusted Component, which may or may not already be
>
>        installed in the TEE.
>
>
>
> <mglt>
>
>    2.  UnrequestTA: A notification from an REE application (e.g., an
>
>        installer, or an Untrusted Application) that it no longer depends
>
>        on a given Trusted Component, which may or may not already be
>
>        installed in the TEE.  For example, if the Untrusted Application
>
>        is uninstalled, the uninstaller might invoke this conceptual API.
>
>
>
> I understand Unrequest as being
>
> equivalent to undo, or remove or
>
> uninstall. If that is correct, I am
>
> wondering if there are any reasons for
>
> non calling it remove or uninstall ?
>
>
>
> </mglt>
>
>
>
> [Hannes] The reason is that a TA may be needed by another TA and hence you
> cannot just delete it. You can only say that you do not need it anymore.
>
> Once nobody needs it anymore it can be removed by the system, if necessary.
>
>
>
<mglt>
thanks for the clarification. I think that would worth having it mentioned.
</mglt>

> [...]
>
>
>
> 7.  Attestation
>
>
>
>    Attestation is the process through which one entity (an Attester)
>
>    presents "evidence", in the form of a series of claims, to another
>
>    entity (a Verifier), and provides sufficient proof that the claims
>
>    are true.
>
>
>
> <mglt>
>
> Different Verifiers may require different degrees of
>
>    confidence in attestation proofs and not all attestations are
>
>    acceptable to every verifier.
>
>
>
> the last verifier should be Verifier in
>
> my opinion. If that is correct the nits
>
> appears at multiple locations. This is a
>
> nit.
>
>
>
> </mglt>
>
>
>
> [Hannes] We just used the terms from the RATS group.
>
>
>
<mglt>
I just mentioned there were a mix of verifier and Verifier and I suppose
that is not intentional.
</mglt>

>
>
> [...]
>
>
>
> 9.  Security Considerations
>
>
>
> 9.2.  Data Protection
>
>
>
> [...]
>
>
>
> <mglt>
>
>
>
>    The protocol between TEEP Agents and TAMs similarly is responsible
>
>    for securely providing integrity and confidentiality protection
>
>    against adversaries between them.  Since the transport protocol under
>
>    the TEEP protocol might be implemented outside a TEE, as discussed in
>
>    Section 6, it cannot be relied upon for sufficient protection.  The
>
>    TEEP protocol provides integrity protection, but confidentiality must
>
>    be provided by payload encryption, i.e., using encrypted TA binaries
>
>    and encrypted attestation information.  See [I-D.ietf-teep-protocol]
>
>    for more discussion.
>
>
>
> There is also the case where a session
>
> is established between the TAM and the
>
> Agent.  If used this would require HTTP
>
> to be in the TEE.
>
>
>
> [Hannes] Yes, you could run HTTP into the TEE and this is done as well.
>
> For the TEEP protocol you do, however, need to make some decisions about
> how you want to design the system and the current design assumes that there
> are cases where HTTP is terminated outside the TEEP.
>
> Is this a good design? We will see.
>
>
>
<mglt>
I see your point. [I-D.ietf-teep-protocol] made a choice the text is based
upon. I think that might be clarified up front that this results from a
choice and it is not an architecture design.
</mglt>

>
>
> Ciao
>
> Hannes
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
>


-- 
Daniel Migault
Ericsson