Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Capabilities of the Attestation Mechanism #17

Closed
hannestschofenig opened this issue Aug 2, 2018 · 3 comments
Closed

Capabilities of the Attestation Mechanism #17

hannestschofenig opened this issue Aug 2, 2018 · 3 comments
Assignees
@ncamwing
Labels
ready to close Ready for WG chairs to verify and close

Comments

@hannestschofenig
Copy link
Collaborator

In discussion with Ming we were wondering whether there are restrictions regarding the attestation mechanism on what it can sign. Currently, the OTrP design assumes that the secure OS running in the TEE has access to the device certificate, which was provisioned during manufacturing, and that it signs whatever data is given to it. There may, however, be restrictions in what an attestation mechanism signs, for example when it offers only a restricted API. If that's indeed the case then a message from the TEE to the TAM would have to contain two signatures, namely one for the signed attestation data and another one for the signed message.

To get an answer to this question we thought it would be useful to survey existing attestation technologies.
@dmwheel1
Copy link
Collaborator

dmwheel1 commented Aug 8, 2018

For SGX, and for other Intel TEEs, the Attestation Key is generally restricted, so you cannot sign "anything".
Typically the way this works (for Intel) is you get a signed attestation that includes a 256-bit or 512-bit value. This value could be a random nonce sent from the remote verifier, or it can be a hash of another structure "attached" to the attestation. In the case of a hashed structure, the verifier then must interpret the structure. The implication is that the attestation gives you data on the claimant, and the claimant provides the additional data. If the verifier believes it can trust the claimant based on the attestation, then it should be able to make some policy decision on the additional claims.

For TEEP running in SGX, the provided attestation would be an additional structure, which would be hashed, and then this hash would be signed in an attestation which would provide details of the SGX enclave code that requested the attestation (things like enclave-signer, hash-of-enclave-code, enclave-version-number, CPU-microcode-version, etc.) The verifier (TAM in this case) would need to validate the SGX Attestation, and then interpret the attached structure.

Hope this is clear enough.

@hannestschofenig hannestschofenig mentioned this issue Dec 10, 2018
Closed
@dmwheel1 dmwheel1 mentioned this issue Feb 1, 2019
Merged
@dmwheel1
Copy link
Collaborator

dmwheel1 commented Mar 6, 2019

See new Pull Request to address this issue

@dmwheel1 dmwheel1 mentioned this issue Mar 7, 2019
Merged
dmwheel1 pushed a commit that referenced this issue Mar 9, 2019
Merge pull request #47 from dmwheel1/master
dcacba3 
Capabilities of the Attestation Mechanism #17
@dthaler dthaler mentioned this issue Mar 24, 2019
Open
@dthaler
Copy link
Collaborator

dthaler commented Mar 24, 2019

Filed a separate issue to track impact on the OTrP spec.

dthaler added a commit that referenced this issue Nov 26, 2019
@dthaler
Proposed changes to depend on RATS for attestation
0170186 
Align picture with diagrams used in the TEEP WG at IETF 105

THis addresses issues #17, #31, and the part of #70 that talks about
digital signature formats.  Per discussion at IETF 106, the direction is
that the architecture document should explain the relationship between
TEEP and attestation, and leave protocol details to the TEEP protocol
spec. It should NOT discuss attestation details, including anything
about signing with any attestation key, seeding of attestation keys,
or using specific crypto algorithms for attestation.

Signed-off-by: Dave Thaler <[email protected]>
@dthaler dthaler mentioned this issue Nov 26, 2019
Merged
@dthaler dthaler assigned dthaler and unassigned dmwheel1 Nov 26, 2019
@dthaler dthaler added the have proposed text Ready for other editors to review and merge if ok label Nov 26, 2019
@dthaler dthaler mentioned this issue Nov 26, 2019
Closed
@dthaler dthaler assigned ncamwing and unassigned dthaler Dec 7, 2019
@dthaler dthaler added ready to close Ready for WG chairs to verify and close and removed have proposed text Ready for other editors to review and merge if ok labels Dec 7, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ncamwing ncamwing

Labels
ready to close Ready for WG chairs to verify and close
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@hannestschofenig @dthaler @ncamwing @dmwheel1 @tireddy2