Re: [Teep] Working Group Last Call for draft-ietf-teep-architecture

Dave Thaler <dthaler@microsoft.com> Tue, 14 January 2020 00:21 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "teep@ietf.org" <teep@ietf.org>
Date: Tue, 14 Jan 2020 00:21:30 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/toG0qPIwRihVJYpsqCqljyo_Bwc>

[...]

a) It is not clear from the Introduction how TEE is different from a Closed OS like Google Chromebook or Windows 10S ?

[...]

[DT] The document (intentionally) makes no statement about whether a "closed OS", as you put it, is or is not a TEE. The question is really about whether such an OS prevents code injection attacks (e.g., due to buffer overruns or whatever else), prevents data modification attacks, etc.

[TR] A closed OS prevents the above attacks; a malicious app cannot read/modify the data of the other apps (e.g., a ransomware attack is not possible, see https://support.google.com/chromebook/answer/3438631?hl=en).

That link contains insufficient information to say whether a ransomware attack is possible, or whether the environment meets the other criteria of a TEE. For example, the page mentions verified boot, which checks at boot time, but contains no statements about whether code modifications or additions are prevented post-boot. The Sandboxing section implies (especially the part about "app" in there) that code can be added after boot, without requiring a security protocol equivalent to the TEEP protocol. As such, I suspect it is inherently weaker than a TEE, and it would be an REE with classic security techniques.

It is not, however, the intent of this document to state whether such an OS is, or is not, a TEE. The intent is to state the criteria for what is a TEE, and then provide an architecture for provisioning one, in a way that is sufficient for a reader to draw their own conclusions.

Dave