| Internet-Draft | Network Device RIV | April 2020 |
| Fedorkow, et al. | Expires 18 October 2020 | [Page] |
This document describes a workflow for remote attestation of integrity of network devices.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 18 October 2020.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
There are many aspects to consider in fielding a trusted computing device, from operating systems to applications. Mechanisms to prove that a device installed at a customer's site is authentic (i.e., not counterfeit) and has been configured with authorized software, all as part of a trusted supply chain, are just a few of the many aspects which need to be considered concurrently to have confidence that a device is truly trustworthy.¶
A generic architecture for remote attestation has been defined in [I-D.ietf-rats-architecture]. Additionally, the use case for remotely attesting networking devices is within Section 6 of [I-D.richardson-rats-usecases]. However, two these documents do not provide sufficient guidance for equipment vendors and network operators and to design, build, and deploy interoperable platforms.¶
The intent of this document is to provide such guidance. It does this by outlining the Remote Integrity Verification (RIV) problem, and then identifies elements that are necessary to get the complete, scalable attestation procedure working with commercial networking products such as Routers and Switches. An underlying assumption will be the availability within the device of a Trusted Platform Module (TPM) compliant cryptoprocessor to enable the remote trustworthy assessment of the device's software and hardware.¶
A number of terms are reused from [I-D.ietf-rats-architecture]. These include: Appraisal Policy for Attestation Result, Attestation Result, Attester, Endorser, Evidence, Relying Party, Verifier, Verifier Owner.¶
Additionally, this document defines the following terms:¶
Attestation: the process of creating, conveying and appraising assertions about Platform trustworthiness characteristics, including supply chain trust, identity, platform provenance, software configuration, hardware configuration, platform composition, compliance to test suites, functional and assurance evaluations, etc.¶
The goal of attestation is simply to assure an administrator that the software that was launched when the device was last started is the same as the software that the device vendor initially shipped.¶
Within the Trusted Computing Group context, attestation is the process by which an independent Verifier can obtain cryptographic proof as to the identity of the device in question, evidence of the integrity of software loaded on that device when it started up, and then verify that what's there is what's supposed to be there. For networking equipment, a verifier capability can be embedded in a Network Management Station (NMS), a posture collection server, or other network analytics tool (such as a software asset management solution, or a threat detection and mitigation tool, etc.). While informally referred to as attestation, this document focuses on a subset defined here as Remote Integrity Verification (RIV). RIV takes a network equipment centric perspective that includes a set of protocols and procedures for determining whether a particular device was launched with untampered software, starting from Roots of Trust. While there are many ways to accomplish attestation, RIV sets out a specific set of protocols and tools that work in environments commonly found in Networking Equipment. RIV does not cover other platform characteristics that could be attested, although it does provide evidence of a secure infrastructure to increase the level of trust in other platform characteristics attested by other means (e.g., by Entity Attestation Tokens [I-D.ietf-rats-eat].¶
The remainder of this document is organized into several sections:¶
Network operators benefit from a trustworthy attestation mechanism that provides assurance that their network comprises authentic equipment, and has loaded software free of known vulnerabilities and unauthorized tampering. In line with the overall goal of assuring integrity, attestation can be used for asset management, vulnerability and compliance assessment, plus configuration management.¶
As a part of a trusted supply chain, the RIV attestation workflow outlined in this document is intended to meet the following high-level goals:¶
In addition, RIV is designed to operate in a centralized environment, such as with a central authority that manages and configures a number of network devices, or 'peer-to-peer', where network devices independently verify one another to establish a trust relationship. (See Section 3.3 below, and also [I-D.voit-rats-trusted-path-routing])¶
Attestation requires two interlocking services between the Attester network device and the Verifier::¶
Using these two interlocking services, RIV provides a procedure that assures a network operator that the equipment in their network can be reliably identified, and that untampered software of a known version is installed on each endpoint. Equipment in the network includes devices that make up the network itself, such as routers, switches and firewalls.¶
RIV includes several major processes:¶
All implementations supporting this RIV specification require the support of the following three technologies : 1. Identity: Platform identity can be based on IEEE 802.1AR Device Identity [IEEE-802-1AR], coupled with careful supply-chain management by the manufacturer. The DevID certificate contains a statement by the manufacturer that establishes the identity of the device as it left the factory. Some applications with a more-complex post-manufacture supply chain (e.g. Value Added Resellers), or with different privacy concerns, may want to use alternate mechanisms for platform authentication (for example, TCG Platform Certificates [Platform-Certificates]).¶
Remote Integrity Verification must address the "Lying Endpoint" problem, in which malicious software on an endpoint may subvert the intended function, and also prevent the endpoint from reporting its compromised status. (See Section 5 for further Security Considerations)¶
RIV attestation is designed to be simple to deploy at scale. RIV should work "out of the box" as far as possible, that is, with the fewest possible provisioning steps or configuration databases needed at the end-user's site, as network equipment is often required to "self-configure", to reliably reach out without manual intervention to prove its identity and operating posture, then download its own configuration. See [RFC8572] for an example of Secure Zero Touch Provisioning.¶
Remote Attestation is a very general problem that could apply to most network-connected computing devices. However, this document includes several assumptions that limit the scope to Network Equipment (e.g. routers, switches and firewalls):¶
RIV Attestation is a process which can be used to determine the identity of software running on a specifically-identified device. Remote Attestation is broken into two phases, shown in Figure 1:¶
The result is that the Verifier can verify the device's identity by checking the certificate containing the TPM's attestation public key, and can validate the software that was launched by comparing digests in the log with known-good values, and verifying their correctness by comparing with the signed digests from the TPM.¶
It should be noted that attestation and identity are inextricably linked; signed Evidence that a particular version of software was loaded is of little value without cryptographic proof of the identity of the Attester producing the Evidence.¶
+-------------------------------------------------------+
| +--------+ +--------+ +--------+ +---------+ |
| | BIOS |--->| Loader |-->| Kernel |--->|Userland | |
| +--------+ +--------+ +--------+ +---------+ |
| | | | |
| | | | |
| +------------+-----------+-+ |
| Step 1 | |
| V |
| +--------+ |
| | TPM | |
| +--------+ |
| Router | |
+--------------------------------|----------------------+
|
| Step 2
| +-----------+
+--->| Verifier |
+-----------+
Reset---------------flow-of-time-during-boot--...------->
In Step 1, measurements are "extended" into the TPM as processes start. In Step 2, signed PCR digests are retrieved from the TPM for off-box analysis after the system is operational.¶
TPM attestation is strongly focused around Platform Configuration Registers (PCRs), but those registers are only vehicles for certifying accompanying Evidence, conveyed in log entries. It is the hashes in log entries are extended into PCRs, where they can be retrieved in the form of a Quote signed by a key known only to the TPM (xref). The use of multiple PCRs serves only to provide some independence between different classes of object, so that one class of objects can be updated without changing the extended hash for other classes. Although PCRs can be used for any purpose, this section outlines the objects within the scope of this document which may be extended into the TPM.¶
In general, PCRs are organized to independently attest three classes of object:¶
The TCG PC Client Platform Firmware Profile Specification [PC-Client-BIOS-TPM-2.0] gives considerable detail on what is to be measured during the boot phase of a platform boot using a UEFI BOIS (www.uefi.org), but the goal is simply to measure every bit of code executed in the process of starting the device, along with any configuration information related to security posture. Table XX summarizes the functions that are measured, and how this document recommends they be allocated to PCRs. It's important to note that each PCR may contain results from dozens (or even thousands) of individual measurements.¶
+------------------------------------------------------------------+ | | Allocated PCR # | | Function | Code | Configuration| -------------------------------------------------------------------- | BIOS Static Root of Trust, plus embedded | 0 | 1 | | Option ROMs and drivers | | | -------------------------------------------------------------------- | Pluggable Option ROMs to initialize and | 2 | 3 | | configure add-in devices | | | -------------------------------------------------------------------- | Boot Manager code and configuration (UEFI | 4 | 5 | | uses a separate module to implement | | | | policies for selecting among a variety of | | | | potential boot devices). This PCR records | | | | boot attempts, and identifies what | | | | resources were used to boot the OS. | | | -------------------------------------------------------------------- | Vendor Specific Measurements during boot | 6 | 6 | -------------------------------------------------------------------- | Secure Boot Policy. This PCR records keys | | 7 | | and configuration used to validate the OS | | | | loader | | | -------------------------------------------------------------------- | OS Loader (e.g GRUB2 for Linux) | 8 | 9 | -------------------------------------------------------------------- | Reserved for OS (e.g. Linux IMA) | 10 | 10 | +------------------------------------------------------------------+
RIV attestation relies on two keys:¶
In TPM application, the Attestation key must be protected by the TPM, and the DevID should be as well. Depending on other TPM configuration procedures, the two keys may be different. Some of the considerations are outlined in TCG Guidance for Securing Network Equipment [NetEq].¶
TCG Guidance for Securing Network Equipment specifies further conventions for these keys:¶
RIV workflow for networking equipment is organized around a simple use-case, where a network operator wishes to verify the integrity of software installed in specific, fielded devices. This use-case implies several components:¶
These components are illustrated in Figure 2.¶
A more-detailed taxonomy of terms is given in [I-D.ietf-rats-architecture]¶
+---------------+ +-------------+ +---------+--------+
| | | Attester | Step 1 | Verifier| |
| Endorser | | (Device |<-------| (Network| Relying|
| (Device | | under |------->| Mngmt | Party |
| Manufacturer | | attestation)| Step 2 | Station)| |
| or other | | | | | |
| authority) | | | | | |
+---------------+ +-------------+ +---------+--------+
| /\
| Step 0 |
-----------------------------------------------
In Step 0, The Asserter (the device manufacturer) provides a Software Image accompanied by one or more Reference Integrity Manifests (RIMs) to the Attester (the device under attestation) signed by the asserter. In Step 1, the Verifier (Network Management Station), on behalf of a Relying Party, requests Identity, Measurement Values (and possibly RIMs) from the Attester. In Step 2, the Attester responds to the request by providing a DevID, quotes (measured values), and optionally RIMs, signed by the Attester.¶
The following standards components may be used:¶
This document makes the following simplifying assumptions to reduce complexity:¶
[I-D.ietf-rats-yang-tpm-charra] focuses on collecting and transmitting evidence in the form of PCR measurements and attestation logs. But the critical part of the process is enabling the verifier to decide whether the measurements are "the right ones" or not.¶
While it must be up to network administrators to decide what they want on their networks, the software supplier should supply the Reference Integrity Measurements that may be used by a verifier to determine if evidence shows known good, known bad or unknown software configurations.¶
In general, there are two kinds of reference measurements:¶
In both cases, the expected values can be expressed as signed SWID or CoSWID tags, but the SWID structure in the second case is somewhat more complex, as reconstruction of the extended hash in a PCR may involve thousands of files and other objects.¶
The TCG has published an information model defining elements of reference integrity manifests under the title TCG Reference Integrity Manifest Information Model [RIM]. This information model outlines how SWID tags should be structured to allow attestation, and defines "bundles" of SWID tags that may be needed to describe a complete software release. The RIM contains some metadata relating to the software release it belongs to, plus hashes for each individual file or other object that could be attested.¶
TCG has also published the PC Client Reference Integrity Measurement specification [PC-Client-RIM], which focuses on a SWID-compatible format suitable for expressing expected measurement values in the specific case of a UEFI-compatible BIOS, where the SWID focus on files and file systems is not a direct fit. While the PC Client RIM is not directly applicable to network equipment, many vendors do use a conventional UEFI BIOS to launch their network OS.¶
Quotes from a TPM can provide evidence of the state of a device up to the time the evidence was recorded, but to make sense of the quote in most cases an event log that identifies which software modules contributed which values to the quote during startup must also be provided. The log must contain enough information to demonstrate its integrity by allowing exact reconstruction of the digest conveyed in the signed quote (i.e., PCR values).¶
There are multiple event log formats which may be supported as viable formats of Evidence between the Attester and Verifier:¶
The Reference Interaction Model for Challenge-Response-based Remote Attestation is based on the standard roles defined in [I-D.ietf-rats-architecture]. However additional prerequisites must be established to allow for interoperable RIV use case implementations. These prerequisites are intended to provide sufficient context information so that the Verifier can acquire and evaluate Attester measurements.¶
A Secure device Identity (DevID) in the form of an IEEE 802.1AR certificate [IEEE-802-1AR] must be provisioned in the Attester's TPMs.¶
The Attestation Identity Key (AIK) and certificate must also be provisioned on the Attester according to [Platform-DevID-TPM-2.0], [PC-Client-BIOS-TPM-1.2], or [Platform-ID-TPM-1.2].¶
The Attester's TPM Keys must be associated with the DevID on the Verifier (see Section 5 Security Considerations).¶
The Verifier must obtain the Appraisal Policy for Evidence. This policy may be in the form of reference measurements (e.g., Known Good Values, CoSWID tags [I-D.birkholz-yang-swid]). These reference measurements will eventually be compared to signed PCR Evidence acquired from an Attester's TPM.¶
This document does not specify the format or contents for the Appraisal Policy for Evidence. But acquiring this policy may happen in one of two ways:¶
************* .-------------. .-----------.
* Verifier * | Attester | | Verifier/ |
* Owner * | | | Relying |
*(Device *----2--->| (Network |----2--->| Party |
* config * | Device) | |(Ntwk Mgmt |
* Authority)* | | | Station) |
************* '-------------' '-----------'
| ^
| |
'----------------1--------------------------'
In either case the Appraisal Policy for Evidence must be generated, acquired and delivered in a secure way. This includes reference measurements of:¶
Once the prerequisites for RIV are met, a Verifier may acquire Evidence from an Attester. The following diagram illustrates a RIV information flow between a Verifier and an Attester. Event times shown correspond to the time types described within Appendix A of [I-D.ietf-rats-architecture]:¶
.----------. .--------------------------.
| Attester | | Relying Party / Verifier |
'----------' '--------------------------'
time(vg) |
|<-- requestAttestation(nonce,PcrSelection)-------time(ns)
| |
time(eg) LogEvidence(assertionsSelection) |
| SignedPcrEvidence(PCR, nonce) |
| |
|-----------LogEvidence,SignedPcrEvidence---------->|
| |
| verifyAttestationEvidence time(rg,ra)
| ~
time(rx)
time(eg): On the Attester, measured values are retrieved from the Attester's TPM. This requested PCR evidence is signed by the Attestation Identity Key (AIK) associated with the DevID. Quotes are retrieved according to TCG TAP Information Model [TAP]. While the TAP IM gives a protocol-independent description of the data elements involved, it's important to note that quotes from the TPM are signed inside the TPM, so must be retrieved in a way that does not invalidate the signature, as specified in [I-D.ietf-rats-yang-tpm-charra], to preserve the trust model. (See Section 5 Security Considerations).¶
time(rg,ra): The Verifier reviews the Evidence and takes action as needed. As the Relying Party and Verifier are assumed co-resident, this can happen in one step.¶
Network Management systems may retrieve signed PCR based Evidence as shown in Figure 5, and can be accomplished via:¶
Retrieval of Log Evidence will be via log interfaces on the network device. (For example, see [I-D.ietf-rats-yang-tpm-charra]).¶
Figure 5 above assumes that the Verifier is implicitly trusted, while the Attesting device is not. In a Peer-to-Peer application such as two routers negotiating a trust relationship [I-D.voit-rats-trusted-path-routing], the two peers can each ask the other to prove software integrity. In this application, the information flow is the same, but each side plays a role both as an Attester and a Verifier. Each device issues a challenge, and each device responds to the other's challenge, as shown in Figure 6. Peer-to-peer challenges, particularly if used to establish a trust relationship between routers, require devices to carry their own signed reference measurements (RIMs) so that each device has everything needed for attestation, without having to resort to a central authority.¶
+---------------+ +---------------+
| | | |
| Asserter A | | Asserter B |
| Firmware | | Firmware |
| Configuration | | Configuration |
| Authority | | Authority |
| | | |
+---------------+ +---------------+
| |
| +-------------+ +------------+ |
| | | Step 1 | | | \
| | Attester |<------>| Verifier | | |
| | |<------>| | | | Router B
+------>| | Step 2 | | | |- Challenges
Step 0A| | | | | | Router A
| |------->| | | |
|- Router A --| Step 3 |- Router B -| | /
| | | | |
| | | | |
| | Step 1 | | | \
| Verifier |<------>| Attester |<-+ | Router A
| |<------>| | |- Challenges
| | Step 2 | | | Router B
| | | | |
| |<-------| | |
+-------------+ Step 3 +------------+ /
In this application, each device may need to be equipped with signed RIMs to act as an Attester, and also a selection of trusted x.509 root certificates to allow the device to act as a Verifier. An existing link layer protocol such as 802.1x [IEEE-802.1x] or 802.1AE [IEEE-802.1ae], with Evidence being enclosed over a variant of EAP [RFC3748] or LLDP [LLDP] are suitable methods for such an exchange.¶
Networking Equipment such as routers, switches and firewalls has a key role to play in guarding the privacy of individuals using the network:¶
Functions that protect privacy are implemented as part of each layer of hardware and software that makes up the networking device. In light of these requirements for protecting the privacy of users of the network, the Network Equipment must identify itself, and its boot configuration and measured device state (for example, PCR values), to the Equipment's Administrator, so there's no uncertainty as to what function each device and configuration is configured to carry out. This allows the administrator to ensure that the network provides individual and peer privacy guarantees.¶
RIV specifically addresses the collection information from enterprise network devices by an enterprise network. As such, privacy is a fundamental concern for those deploying this solution, given EU GDPR, California CCPA, and many other privacy regulations. The enterprise should implement and enforce their duty of care.¶
See [NetEq] for more context on privacy in networking devices¶
Attestation results from the RIV procedure are subject to a number of attacks:¶
Trustworthiness of RIV attestation depends strongly on the validity of keys used for identity and attestation reports. RIV takes full advantage of TPM capabilities to ensure that results can be trusted.¶
Two sets of keys are relevant to RIV attestation¶
TPM practices usually require that these keys be different, as a way of ensuring that a general-purpose signing key cannot be used to spoof an attestation quote.¶
In each case, the private half of the key is known only to the TPM, and cannot be retrieved externally, even by a trusted party. To ensure that's the case, specification-compliant private/public key-pairs are generated inside the TPM, where they're never exposed, and cannot be extracted (See [Platform-DevID-TPM-2.0]).¶
Keeping keys safe is just part of attestation security; knowing which keys are bound to the device in question is just as important.¶
While there are many ways to manage keys in a TPM (See [Platform-DevID-TPM-2.0]), RIV includes support for "zero touch" provisioning (also known as zero-touch onboarding) of fielded devices (e.g. Secure ZTP, [RFC8572]), where keys which have predictable trust properties are provisioned by the device vendor.¶
Device identity in RIV is based on IEEE 802.1AR DevID. This specification provides several elements¶
The x.509 certificate contains several components¶
With these elements, the device's manufacturer and serial number can be identified by analyzing the DevID certificate plus the chain of intermediate certs leading back to the manufacturer's root certificate. As is conventional in TLS connections, a nonce must be signed by the device in response to a challenge, proving possession of its DevID private key.¶
RIV uses the DevID to validate a TLS connection to the device as the attestation session begins. Security of this process derives from TLS security, with the DevID providing proof that the TLS session terminates on the intended device. [RFC8446].¶
Evidence of software integrity is delivered in the form of a quote signed by the TPM itself. Because the contents of the quote are signed inside the TPM, any external modification (including reformatting to a different data format) will be detected as tampering.¶
A critical feature of the YANG model described in [I-D.ietf-rats-yang-tpm-charra] is the ability to carry TPM data structures in their native format, without requiring any changes to the structures as they were signed and delivered by the TPM. While alternate methods of conveying TPM quotes could compress out redundant information, or add an additional layer of signing using external keys, the important part is to preserve the TPM signing, so that tampering anywhere in the path between the TPM itself and the Verifier can be detected.¶
Prevention of spoofing attacks against attestation systems is also important. There are two cases to consider:¶
Protection against spoofed quotes from a device with valid identity is a bit more complex. An identity key must be available to sign any kind of nonce or hash offered by the verifier, and consequently, could be used to sign a fabricated quote. To block spoofed attestation result, the quote generated inside the TPM must by signed by a key that's different from the DevID, called an Attestation Key (AK).¶
Given separate Attestation and DevID keys, the binding between the AK and the same device must also be proven to prevent a man-in-the-middle attack (e.g. the 'Asokan Attack' [RFC6813]).¶
This is accomplished in RIV through use of an AK certificate with the same elements as the DevID (i.e., same manufacturer's serial number, signed by the same manufacturer's key), but containing the device's unique AK public key instead of the DevID public key. [this will require an OID that says the key is known by the CA to be an Attestation key]¶
These two keys and certificates are used together:¶
Replay attacks, where results of a previous attestation are submitted in response to subsequent requests, are usually prevented by inclusion of a nonce in the request to the TPM for a quote. Each request from the Verifier includes a new random number (a nonce). The resulting quote signed by the TPM contains the same nonce, allowing the verifier to determine freshness, i.e., that the resulting quote was generated in response to the verifier's specific request. Time-Based Uni-directional Attestation [I-D.birkholz-rats-tuda] provides an alternate mechanism to verify freshness without requiring a request/response cycle.¶
Requiring results of attestation of the operating software to be signed by a key known only to the TPM also removes the need to trust the device's operating software (beyond the first measurement; see below); any changes to the quote, generated and signed by the TPM itself, made by malicious device software, or in the path back to the verifier, will invalidate the signature on the quote.¶
Although RIV recommends that device manufacturers pre-provision devices with easily-verified DevID and AK certs, use of those credentials is not mandatory. IEEE 802.1AR incorporates the idea of an Initial Device ID (IDevID), provisioned by the manufacturer, and a Local Device ID (LDevID) provisioned by the owner of the device. RIV extends that concept by defining an Initial Attestation Key (IAK) and Local Attestation Key (LAK) with the same properties.¶
Device owners can use any method to provision the Local credentials.¶
Clearly, Local keys can't be used for secure Zero Touch provisioning; installation of the Local keys can only be done by some process that runs before the device is configured for network operation.¶
On the other end of the device life cycle, provision should be made to wipe Local keys when a device is decommissioned, to indicate that the device is no longer owned by the enterprise. The manufacturer's Initial identity keys must be preserved, as they contain no information that's not already printed on the device's serial number plate.¶
In addition to trustworthy provisioning of keys, RIV depends on other trust anchors. (See [GloPlaRoT] for definitions of Roots of Trust.)¶
RIV also depends on reliable reference measurements, as expressed by the RIM [RIM]. The definition of trust procedures for RIMs is out of scope for RIV, and the device owner is free to use any policy to validate a set of reference measurements. RIMs may be conveyed out-of-band or in-band, as part of the attestation process (see Section 3.1.3). But for embedded devices, where software is usually shipped as a self-contained package, RIMs signed by the manufacturer and delivered in-band may be more convenient for the device owner.¶
TCG technologies can play an important part in the implementation of Remote Integrity Verification. Standards for many of the components needed for implementation of RIV already exist:¶
This memo includes no request to IANA.¶
Retrieval of identity and attestation state uses one protocol stack, while retrieval of Reference Measurements uses a different set of protocols. Figure 5 shows the components involved.¶
+-----------------------+ +-------------------------+
| | | |
| Attester |<-------------| Verifier |
| (Device) |------------->| (Management Station) |
| | | | |
+-----------------------+ | +-------------------------+
|
-------------------- --------------------
| |
---------------------------------- ---------------------------------
|Reference Integrity Measurements| | Attestation |
---------------------------------- ---------------------------------
********************************************************************
* IETF Attestation Reference Interaction Diagram *
********************************************************************
....................... .......................
. Reference Integrity . . TAP (PTS2.0) Info .
. Manifest . . Model and Canonical .
. . . Log Format .
....................... .......................
************************* .............. **********************
* YANG SWID Module * . TCG . * YANG Attestation *
* I-D.birkholz-yang-swid* . Attestation. * Module *
* * . MIB . * I-D.ietf-rats- *
* * . . * yang-tpm-charra *
************************* .............. **********************
************************* ************ ************************
* XML, JSON, CBOR (etc) * * UDP * * XML, JSON, CBOR (etc)*
************************* ************ ************************
************************* ************************
* RESTCONF/NETCONF * * RESTCONF/NETCONF *
************************ *************************
************************* ************************
* TLS, SSH * * TLS, SSH *
************************* ************************
IETF documents are captured in boxes surrounded by asterisks. TCG documents are shown in boxes surrounded by dots. The IETF Attestation Reference Interaction Diagram, Reference Integrity Manifest, TAP Information Model and Canonical Log Format, and both YANG modules are works in progress. Information Model layers describe abstract data objects that can be requested, and the corresponding response SNMP is still widely used, but the industry is transitioning to YANG, so in some cases, both will be required. TLS Authentication with TPM has been shown to work; SSH authentication using TPM-protected keys is not as easily done [as of 2019]¶
Even in embedded systems, adding Attestation at the OS level (e.g. Linux IMA, Integrity Measurement Architecture [IMA]) increases the number of objects to be attested by one or two orders of magnitude, involves software that's updated and changed frequently, and introduces processes that begin in unpredictable order.¶
TCG and others (including the Linux community) are working on methods and procedures for attesting the operating system and application software, but standardization is still in process.¶
Table 1 summarizes many of the actions needed to complete an Attestation system, with links to relevant documents. While documents are controlled by several standards organizations, the implied actions required for implementation are all the responsibility of the manufacturer of the device, unless otherwise noted.¶
+------------------------------------------------------------------+
| Component | Controlling |
| | Specification |
--------------------------------------------------------------------
| Make a Secure execution environment | TCG RoT |
| o Attestation depends on a secure root of | UEFI.org |
| trust for measurement outside the TPM, as | |
| well as roots for storage amd reporting | |
| inside the TPM. | |
| o Refer to TCG Root of Trust for Measurement.| |
| o NIST SP 800-193 also provides guidelines | |
| on Roots of Trust | |
--------------------------------------------------------------------
| Provision the TPM as described in | TCG TPM DevID |
| TCG documents. | TCG Platform |
| | Certificate |
--------------------------------------------------------------------
| Put a DevID or Platform Cert in the TPM | TCG TPM DevID |
| o Install an Initial Attestation Key at the | TCG Platform |
| same time so that Attestation can work out | Certificate |
| of the box |-----------------
| o Equipment suppliers and owners may want to | IEEE 802.1AR |
| implement Local Device ID as well as | |
| Initial Device ID | |
--------------------------------------------------------------------
| Connect the TPM to the TLS stack | Vendor TLS |
| o Use the DevID in the TPM to authenticate | stack (This |
| TAP connections, identifying the device | action is |
| | simply |
| | configuring TLS|
| | to use the |
| | DevID as its |
| | trust anchor.) |
--------------------------------------------------------------------
| Make CoSWID tags for BIOS/LoaderLKernel objects | IETF CoSWID |
| o Add reference measurements into SWID tags | ISO/IEC 19770-2|
| o Manufacturer should sign the SWID tags | NIST IR 8060 |
| o The TCG RIM-IM identifies further | |
| procedures to create signed RIM | |
| documents that provide the necessary | |
| reference information | |
--------------------------------------------------------------------
| Package the SWID tags with a vendor software | Retrieve tags |
| release | with |
| o A tag-generator plugin such | {{I-D.birkholz-yang-swid}}|
| as https://github.com/Labs64/swid-maven-plugin |
| can be used |----------------|
| | TCG PC Client |
| | RIM |
--------------------------------------------------------------------
| Use PC Client measurement definitions | TCG PC Client |
| to define the use of PCRs | BIOS |
| (although Windows OS is rare on Networking | |
| Equipment, UEFI BIOS is not) | |
--------------------------------------------------------------------
| Use TAP to retrieve measurements | |
| o Map TAP to SNMP | TCG SNMP MIB |
| o Map to YANG | YANG Module for|
| Use Canonical Log Format | Basic |
| | Attestation |
| | TCG Canonical |
| | Log Format |
--------------------------------------------------------------------
| Posture Collection Server (as described in IETF | |
| SACMs ECP) should request the | |
| attestation and analyze the result | |
| The Management application might be broken down | |
| to several more components: | |
| o A Posture Manager Server | |
| which collects reports and stores them in | |
| a database | |
| o One or more Analyzers that can look at the| |
| results and figure out what it means. | |
--------------------------------------------------------------------
The measurements needed for attestation require that the device being attested is equipped with a Root of Trust for Measurement, i.e., some trustworthy mechanism that can compute the first measurement in the chain of trust required to attest that each stage of system startup is verified, and a Root of Trust for Reporting to report the results [TCGRoT], [GloPlaRoT].¶
While there are many complex aspects of a Root of Trust, two aspects that are important in the case of attestation are:¶
The first measurement must be computed by code that is implicitly trusted; if that first measurement can be subverted, none of the remaining measurements can be trusted. (See [NIST-SP-800-155])¶