--- 1/draft-ietf-teep-architecture-01.txt 2019-03-11 07:13:50.649110128 -0700 +++ 2/draft-ietf-teep-architecture-02.txt 2019-03-11 07:13:50.801113787 -0700 @@ -1,25 +1,25 @@ TEEP M. Pei Internet-Draft Symantec Intended status: Informational H. Tschofenig -Expires: April 26, 2019 Arm Limited +Expires: September 12, 2019 Arm Limited D. Wheeler Intel A. Atyeo Intercede L. Dapeng Alibaba Group - October 23, 2018 + March 11, 2019 Trusted Execution Environment Provisioning (TEEP) Architecture - draft-ietf-teep-architecture-01 + draft-ietf-teep-architecture-02 Abstract A Trusted Execution Environment (TEE) is designed to provide a hardware-isolation mechanism to separate a regular operating system from security-sensitive application components. This architecture document motivates the design and standardization of a protocol for managing the lifecycle of trusted applications running inside a TEE. @@ -32,25 +32,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 26, 2019. + This Internet-Draft will expire on September 12, 2019. Copyright Notice - Copyright (c) 2018 IETF Trust and the persons identified as the + Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as @@ -65,65 +65,75 @@ the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 3. Scope and Assumptions . . . . . . . . . . . . . . . . . . . . 7 + 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.1. Payment . . . . . . . . . . . . . . . . . . . . . . . . . 8 - 4.2. Authentication . . . . . . . . . . . . . . . . . . . . . 8 + 4.2. Authentication . . . . . . . . . . . . . . . . . . . . . 9 4.3. Internet of Things . . . . . . . . . . . . . . . . . . . 9 4.4. Confidential Cloud Computing . . . . . . . . . . . . . . 9 5. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 9 5.1. System Components . . . . . . . . . . . . . . . . . . . . 9 5.2. Different Renditions of TEEP Architecture . . . . . . . . 12 - 5.3. Entity Relations . . . . . . . . . . . . . . . . . . . . 12 - 5.4. Trust Anchors in TEE . . . . . . . . . . . . . . . . . . 15 - 5.5. Trust Anchors in TAM . . . . . . . . . . . . . . . . . . 15 - 5.6. Keys and Certificate Types . . . . . . . . . . . . . . . 15 - 5.7. Scalability . . . . . . . . . . . . . . . . . . . . . . . 18 - 5.8. Message Security . . . . . . . . . . . . . . . . . . . . 18 - 5.9. Security Domain Hierarchy and Ownership . . . . . . . . . 18 - 5.10. SD Owner Identification and TAM Certificate Requirements 19 - 5.11. Service Provider Container . . . . . . . . . . . . . . . 20 - 5.12. A Sample Device Setup Flow . . . . . . . . . . . . . . . 20 - 6. TEEP Broker . . . . . . . . . . . . . . . . . . . . . . . . . 21 - 6.1. Role of the Agent . . . . . . . . . . . . . . . . . . . . 22 - 6.2. Agent Implementation Consideration . . . . . . . . . . . 22 - 6.2.1. Agent Distribution . . . . . . . . . . . . . . . . . 22 - 6.2.2. Number of Agents . . . . . . . . . . . . . . . . . . 23 - 7. Attestation . . . . . . . . . . . . . . . . . . . . . . . . . 23 - 7.1. Attestation Hierarchy . . . . . . . . . . . . . . . . . . 23 - 7.1.1. Attestation Hierarchy Establishment: Manufacture . . 23 - 7.1.2. Attestation Hierarchy Establishment: Device Boot . . 24 - 7.1.3. Attestation Hierarchy Establishment: TAM . . . . . . 24 - 8. Algorithm and Attestation Agility . . . . . . . . . . . . . . 24 - 9. Security Considerations . . . . . . . . . . . . . . . . . . . 25 - 9.1. TA Trust Check at TEE . . . . . . . . . . . . . . . . . . 25 - 9.2. One TA Multiple SP Case . . . . . . . . . . . . . . . . . 25 - 9.3. Agent Trust Model . . . . . . . . . . . . . . . . . . . . 25 - 9.4. Data Protection at TAM and TEE . . . . . . . . . . . . . 26 - 9.5. Compromised CA . . . . . . . . . . . . . . . . . . . . . 26 - 9.6. Compromised TAM . . . . . . . . . . . . . . . . . . . . . 26 - 9.7. Certificate Renewal . . . . . . . . . . . . . . . . . . . 26 - 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 - 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27 - 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 - 12.1. Normative References . . . . . . . . . . . . . . . . . . 27 - 12.2. Informative References . . . . . . . . . . . . . . . . . 27 - Appendix A. History . . . . . . . . . . . . . . . . . . . . . . 28 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 + 5.3. Multiple TAMs and Relationship to TAs . . . . . . . . . . 13 + 5.4. Client Apps, Trusted Apps, and Personalization Data . . . 15 + 5.5. Examples of Application Delivery Mechanisms in Existing + TEEs . . . . . . . . . . . . . . . . . . . . . . . . . . 16 + 5.6. TEEP Architectural Support for Client App, TA, and + Personalization Data Delivery . . . . . . . . . . . . . . 17 + 5.7. Entity Relations . . . . . . . . . . . . . . . . . . . . 17 + 5.8. Trust Anchors in TEE . . . . . . . . . . . . . . . . . . 20 + 5.9. Trust Anchors in TAM . . . . . . . . . . . . . . . . . . 20 + 5.10. Keys and Certificate Types . . . . . . . . . . . . . . . 20 + 5.11. Scalability . . . . . . . . . . . . . . . . . . . . . . . 23 + 5.12. Message Security . . . . . . . . . . . . . . . . . . . . 23 + 5.13. Security Domain Hierarchy and Ownership . . . . . . . . . 23 + 5.14. SD Owner Identification and TAM Certificate Requirements 24 + 5.15. Service Provider Container . . . . . . . . . . . . . . . 25 + 5.16. A Sample Device Setup Flow . . . . . . . . . . . . . . . 25 + 6. TEEP Broker . . . . . . . . . . . . . . . . . . . . . . . . . 26 + 6.1. Role of the Agent . . . . . . . . . . . . . . . . . . . . 27 + 6.2. Agent Implementation Consideration . . . . . . . . . . . 27 + 6.2.1. Agent Distribution . . . . . . . . . . . . . . . . . 27 + 6.2.2. Number of Agents . . . . . . . . . . . . . . . . . . 27 + 7. Attestation . . . . . . . . . . . . . . . . . . . . . . . . . 28 + 7.1. Attestation Cryptographic Properties . . . . . . . . . . 30 + 7.2. TEEP Attestation Structure . . . . . . . . . . . . . . . 31 + 7.3. TEEP Attestation Claims . . . . . . . . . . . . . . . . . 32 + 7.4. TEEP Attestation Flow . . . . . . . . . . . . . . . . . . 33 + 7.5. Attestation Key Example . . . . . . . . . . . . . . . . . 33 + 7.5.1. Attestation Hierarchy Establishment: Manufacture . . 33 + 7.5.2. Attestation Hierarchy Establishment: Device Boot . . 34 + 7.5.3. Attestation Hierarchy Establishment: TAM . . . . . . 34 + 8. Algorithm and Attestation Agility . . . . . . . . . . . . . . 34 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 35 + 9.1. TA Trust Check at TEE . . . . . . . . . . . . . . . . . . 35 + 9.2. One TA Multiple SP Case . . . . . . . . . . . . . . . . . 35 + 9.3. Agent Trust Model . . . . . . . . . . . . . . . . . . . . 35 + 9.4. Data Protection at TAM and TEE . . . . . . . . . . . . . 36 + 9.5. Compromised CA . . . . . . . . . . . . . . . . . . . . . 36 + 9.6. Compromised TAM . . . . . . . . . . . . . . . . . . . . . 36 + 9.7. Certificate Renewal . . . . . . . . . . . . . . . . . . . 36 + 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 + 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 37 + 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 37 + 12.1. Normative References . . . . . . . . . . . . . . . . . . 37 + 12.2. Informative References . . . . . . . . . . . . . . . . . 37 + Appendix A. History . . . . . . . . . . . . . . . . . . . . . . 38 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38 1. Introduction Applications executing in a device are exposed to many different attacks intended to compromise the execution of the application, or reveal the data upon which those applications are operating. These attacks increase with the number of other applications on the device, with such other applications coming from potentially untrustworthy sources. The potential for attacks further increase with the complexity of features and applications on devices, and the @@ -209,21 +218,22 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. The following terms are used: - Client Application: An application running in a Rich Execution - Environment, such as an Android, Windows, or iOS application. + Environment, such as an Android, Windows, or iOS application. We + sometimes refer to this as the 'Client App'. - Device: A physical piece of hardware that hosts a TEE along with a Rich Execution Environment. A Device contains a default list of Trust Anchors that identify entities (e.g., TAMs) that are trusted by the Device. This list is normally set by the Device Manufacturer, and may be governed by the Device's network carrier. The list of Trust Anchors is normally modifiable by the Device's owner or Device Administrator. However the Device manufacturer and network carrier may restrict some modifications, for example, by not allowing the manufacturer or carrier's Trust Anchor to be @@ -233,41 +243,63 @@ and governed by a typical OS (e.g., Linux, Windows, Android, iOS), potentially in conjunction with other supporting operating systems and hypervisors; it is outside of the TEE. This environment and applications running on it are considered un-trusted. - Service Provider (SP): An entity that wishes to provide a service on Devices that requires the use of one or more Trusted Applications. A Service Provider requires the help of a TAM in order to provision the Trusted Applications to remote devices. - - Device Administrator: An entity that owns or is responsible for - administration of a Device. A Device Administrator has privileges - on the Device to install and remove applications and TAs, approve - or reject Trust Anchors, and approve or reject Service Providers, - among possibly other privileges on the Device. A device owner can - manage the list of allowed TAMs by modifying the list of Trust - Anchors on the Device. Although a Device Administrator may have - privileges and Device-specific controls to locally administer a - device, the Device Administrator may choose to remotely - administrate a device through a TAM. + - Device User: A human being that uses a device. Many devices have + a single device user. Some devices have a primary device user + with other human beings as secondary device users (e.g., parent + allowing children to use their tablet or laptop). Relates to + Device Owner and Device Administrator. + + - Device Owner: A device is always owned by someone. It is common + for the (primary) device user to also own the device, making the + device user/owner also the device administrator. In enterprise + environments it is more common for the enterprise to own the + device, and device users have no or limited administration rights. + In this case, the enterprise appoints a device administrator that + is not the device owner. + + - Device Administrator (DA): An entity that is responsible for + administration of a Device, which could be the device owner. A + Device Administrator has privileges on the Device to install and + remove applications and TAs, approve or reject Trust Anchors, and + approve or reject Service Providers, among possibly other + privileges on the Device. A Device Administrator can manage the + list of allowed TAMs by modifying the list of Trust Anchors on the + Device. Although a Device Administrator may have privileges and + Device-specific controls to locally administer a device, the + Device Administrator may choose to remotely administrate a device + through a TAM. - Trust Anchor: A public key in a device whose corresponding private key is held by an entity implicitly trusted by the device. The - Trust Anchor may be a certificate or it may be a raw public key. - The trust anchor is normally stored in a location that resists - unauthorized modification, insertion, or replacement. - The trust anchor private key owner can sign certificates of other - public keys, which conveys trust about those keys to the device. - A certificate signed by the trust anchor communicates that the - private key holder of the signed certificate is trusted by the - trust anchor holder, and can therefore be trusted by the device. + Trust Anchor may be a certificate or it may be a raw public key + along with additional data if necessary such as its public key + algorithm and parameters. The Trust Anchor is normally stored in + a location that resists unauthorized modification, insertion, or + replacement. The digital fingerprint of a Trust Anchor may be + stored along with the Trust Anchor certificate or public key. A + device can use the fingerprint to uniquely identify a Trust + Anchor. The Trust Anchor private key owner can sign certificates + of other public keys, which conveys trust about those keys to the + device. A certificate signed by the Trust Anchor communicates + that the private key holder of the signed certificate is trusted + by the Trust Anchor holder, and can therefore be trusted by the + device. Trust Anchors in a device may be updated by an authorized + party when a Trust Anchor should be deprecated or a new Trust + Anchor should be added. - Trusted Application (TA): An application component that runs in a TEE. - Trusted Execution Environment (TEE): An execution environment that runs alongside of, but is isolated from, an REE. A TEE has security capabilities and meets certain security-related requirements. It protects TEE assets from general software attacks, defines rigid safeguards as to data and functions that a program can access, and resists a set of defined threats. It @@ -280,28 +312,28 @@ (c) Memory that cannot be read by code outside the TEE. There are multiple technologies that can be used to implement a TEE, and the level of security achieved varies accordingly. - Root-of-Trust (RoT): A hardware or software component in a device that is inherently trusted to perform a certain security-critical function. A RoT should be secure by design, small, and protected by hardware against modification or interference. Examples of RoTs include software/firmware measurement and verification using - a trust anchor (RoT for Verification), provide signed assertions + a Trust Anchor (RoT for Verification), provide signed assertions using a protected attestation key (RoT for Reporting), or protect the storage and/or use of cryptographic keys (RoT for Storage). Other RoTs are possible, including RoT for Integrity, and RoT for Measurement. Reference: NIST SP800-164 (Draft). - Trusted Firmware (TFW): A firmware in a device that can be - verified with a trust anchor by RoT for Verification. + verified with a Trust Anchor by RoT for Verification. - Bootloader key: This symmetric key is protected by electronic fuse (eFUSE) technology. In this context it is used to decrypt a TFW private key, which belongs to a device-unique private/public key pair. Not every device is equipped with a bootloader key. This document uses the following abbreviations: - CA: Certificate Authority @@ -315,48 +347,29 @@ - SP: Service Provider - TA: Trusted Application - TAM: Trusted Application Manager - TEE: Trusted Execution Environment - TFW: Trusted Firmware -3. Scope and Assumptions +3. Assumptions This specification assumes that an applicable device is equipped with one or more TEEs and each TEE is pre-provisioned with a device-unique - public/private key pair, which is securely stored. This key pair is - referred to as the 'root of trust' for remote attestation of the - associated TEE in a device by an TAM. - - New note: SD is for managing keys for TAs - A Security Domain (SD) concept is used as the security boundary - inside a TEE for trusted applications. Each SD is typically - associated with one TA provider as the owner, which is a logical - space that contains an SP's TAs. One TA provider may request to have - multiple SDs in a TEE. One SD may contain multiple TAs. Each - Security Domain requires the management operations of TAs in the form - of installation, update and deletion. - - Each TA binary and configuration data can be from either of two - sources: - - 1. A TAM supplies the signed and encrypted TA binary and any - required configuration data - - 2. A Client Application supplies the TA binary + public/private key pair, which is securely stored. - The architecture covers the first case where the TA binary and - configuration data are delivered from a TAM. The second case calls - for an extension when a TAM is absent. + A TEE uses an isolation mechanism between Trusted Applications to + ensure that one TA cannot read, modify or delete the data and code of + another TA. 4. Use Cases 4.1. Payment A payment application in a mobile device requires high security and trust about the hosting device. Payments initiated from a mobile device can use a Trusted Application to provide strong identification and proof of transaction. @@ -425,48 +438,49 @@ | | | +---+ +---+ | +-------+ | | | Device Administrator | | +-------------+ | App-1 | | | | | | | | | | | | +--------------------| |---+ | | | | |--------+ | | +-------+ | +-------------------------------------------+ Figure 1: Notional Architecture of TEEP - - Service Providers and Device Administrators utilize the services - of a TAM to manage TAs on Devices. SPs do not directly interact - with devices. DAs may elect to use a TAM for remote + - Service Providers (SP) and Device Administrators (DA) utilize the + services of a TAM to manage TAs on Devices. SPs do not directly + interact with devices. DAs may elect to use a TAM for remote administration of TAs instead of managing each device directly. - TAM: A TAM is responsible for performing lifecycle management activity on TA's and SD's on behalf of Service Providers and Device Administrators. This includes creation and deletion of TA's and SD's, and may include, for example, over-the-air updates to keep an SP's TAs up-to-date and clean up when a version should be removed. TAMs may provide services that make it easier for SPs or DAs to use the TAM's service to manage multiple devices, although that is not required of a TAM. The TAM performs its management of TA's and SD's through an interaction with a Device's TEEP Broker. As shown in #notionalarch, the TAM cannot directly contact a Device, but must wait for a the TEEP Broker or a Client Application to contact the TAM requesting a particular service. This architecture is intentional in order to accommodate network and application firewalls that normally protect user and enterprise devices from arbitrary connections from external network entities. - A TAM may be publically available for use by many SPs, or a TAM - may be private, and accessible by only one or a limited number of - SPs. It is expected that manufacturers and carriers will run - their own private TAM. Another example of a private TAM is a TAM - running as a Software-as-a-Service (SaaS) within an SP. + A TAM may be publicly available for use by many SPs, or a TAM may + be private, and accessible by only one or a limited number of SPs. + + It is expected that manufacturers and carriers will run their own + private TAM. Another example of a private TAM is a TAM running as + a Software-as-a-Service (SaaS) within an SP. A SP or Device Administrator chooses a particular TAM based on whether the TAM is trusted by a Device or set of Devices. The TAM is trusted by a device if the TAM's public key is an authorized Trust Anchor in the Device. A SP or Device Administrator may run their own TAM, however the Devices they wish to manage must include this TAM's pubic key in the Trust Anchor list. A SP or Device Administrator is free to utilize multiple TAMs. This may be required for a SP to manage multiple different types @@ -501,76 +515,293 @@ only one active TEE. A TEE may provide such an Agent to the device manufacturer to be bundled in devices. Such a TEE must also include an Agent counterpart, namely, a processing module inside the TEE, to parse TAM messages sent through the Agent. An Agent is generally acting as a dummy relaying box with just the TEE interacting capability; it doesn't need and shouldn't parse protocol messages. - Certification Authority (CA): Certificate-based credentials used for authenticating a device, a TAM and an SP. A device embeds a - list of root certificates (trust anchors), from trusted CAs that a + list of root certificates (Trust Anchors), from trusted CAs that a TAM will be validated against. A TAM will remotely attest a device by checking whether a device comes with a certificate from a CA that the TAM trusts. The CAs do not need to be the same; different CAs can be chosen by each TAM, and different device CAs can be used by different device manufacturers. 5.2. Different Renditions of TEEP Architecture -5.3. Entity Relations + There is nothing prohibiting a device from implementing multiple + TEEs. In addition, some TEEs ( for example, SGX) present themselves + as separate containers within memory without a controlling manager + within the TEE. In these cases, the rich operating system hosts + multiple TEEP brokers, where each broker manages a particular TEE or + set of TEEs. Enumeration and access to the appropriate broker is up + to the rich OS and the applications. Verification that the correct + TA has been reached then becomes a matter of properly verifying TA + attestations, which are unforgeable. The multiple TEE approach is + shown in the diagram below. For brevity, TEEP Broker 2 is shown + interacting with only one TAM and UA, but no such limitation is + intended to be implied in the architecture. + + +-------------------------------------------+ + | Device | + | +--------+ | Service Provider + | | |----------+ | + | +-------------+ | TEEP |---------+| | + | | TEE-1 |<------| Broker | | || +--------+ | + | | | | 1 |<---+ | |+-->| |<-+ + | | +---+ +---+ | | | | | | +-| TAM-1 | + | | |TA1| |TA2| | | |<-+ | | +->| | |<-+ + | +-->| | | |<---+ +--------+ | | | | +--------+ | + | | | +---+ +---+ | | | | | | TAM-2 | | + | | | | | +-------+ | | | +--------+ | + | | +-------------+ +-----| App-2 |--+ | | ^ | + | | +-------+ | | | | Device + | +--------------------| App-1 | | | | | Administrator + | +------| | | | | | + | +-----------|-+ | |---+ | | | + | | TEE-2 | | | |--------+ | | + | | | | | |------+ | | + | | +---+ | | +-------+ | | | + | | |TA3|<----+ | +----------+ | | | + | | | | | | TEEP |<--+ | | + | | +---+ |<---| Broker |----------------+ + | | | | 2 | | + | | | | | | + | +-------------+ +----------+ | + | | + +-------------------------------------------+ + + Figure 2: Notional Architecture of TEEP wtih multiple TEEs + + In the diagram above, TEEP Broker 1 controls interactions with the + TA's in TEE-1, and TEEP Broker 2 controls interactions with the TA's + in TEE-2. This presents some challenges for a TAM in completely + managing the device, since a TAM may not interact with all the TEEP + Brokers on a particular platform. In addition, since TEE's may be + physically separated, with wholly different resources, there may be + no need for TEEP Brokers to share information on installed TAs or + resource usage. However, the architecture guarantees that the TAM + will receive all the relevant information from the TEEP Broker to + which it communicates. + +5.3. Multiple TAMs and Relationship to TAs + + As shown in Figure 2, the TEEP Broker provides connections from the + TEE and the Client App to one or more TAMs. The selection of which + TAM to communicate with is dependent on information from the Client + App and is directly related to the TA. + + When a SP offers a service which requires a TA, the SP associates + that service with a specific TA. The TA itself is digitally signed, + protecting its integrity, but the signature also links the TA back to + the signer. The signer is usually the SP, but in some cases may be + another party that the SP trusts. The SP selects one or more TAMs + through which to offer their service, and communicates the + information of the service and the specific client apps and TAs to + the TAM. + + The SP chooses TAMs based upon the markets into which the TAM can + provide access. There may be TAMs that provide services to specific + types of mobile devices, or mobile device operating systems, or + specific geographical regions or network carriers. A SP may be + motivated to utilize multiple TAMs for its service in order to + maximize market penetration and availability on multiple types of + devices. This likely means that the same service will be available + through multiple TAMs. + + When the SP publishes the Client App to an app store or other app + repositories, the SP binds the Client App with a manifest that + identifies what TAMs can be contacted for the TA. In some + situations, an SP may use only a single TAM - this is likely the case + for enterprise applications or SPs serving a closed community. For + broad public apps, there will likely be multiple TAMs in the manifest + - one servicing one brand of mobile device and another servicing a + different manufacturer, etc. Because different devices and different + manufacturers trust different TAMs, the manifest will include + different TAMs that support this SP's client app and TA. Multiple + TAMs allow the SP to provide thier service and this app (and TA) to + multiple different devices. + + When the TEEP Broker recieves a request to contact the TAM for a + Client App in order to install a TA, a list of TAMs may be provided. + The TEEP Broker selects a single TAM that is consistent with the list + of trusted TAMs (trust anchors) provisioned on the device. For any + client app, there should be only a single TAM for the TEEP Broker to + contact. This is also the case when a Client App uses multiple TAs, + or when one TA depends on anther TA in a software dependency (see + section TBD). The reason is that the SP should provide each TAM that + it places in the Client App's manifest all the TAs that the app + requires. There is no benefit to going to multiple different TAMs, + and there is no need for a special TAM to be contacted for a specific + TA. + + [Note: This should always be the case. When a particular device or + TEE supports only a special proprietary attestation mechanism, then a + specific TAM will be needed that supports that attestation scheme. + The TAM should also support standard atttestation signatures as well. + + It is highly unlikely that a set of TAs would use different + proprietary attestation mechanisms since a TEE is likley to support + only one such proprietary scheme.] + + [Note: This situation gets more complex in situations where a Client + App expects another application or a device to already have a + specific TA installed. This situation does not occur with SGX, but + could occur in situations where the secure world maintains an trusted + operating system and runs an entire trusted system with multiple TAs + running. This requires more discussion.] + +5.4. Client Apps, Trusted Apps, and Personalization Data + + In TEEP, there is an explicit relationship and dependence between the + client app in the REE and one or more TAs in the TEE, as shown in + Figure 2. From the perspective of a device user, a client app that + uses one or more TA's in a TEE appears no different from any other + untrusted application in the REE. However, the way the client app + and its corresponding TA's are packaged, delivered, and installed on + the device can vary. The variations depend on whether the client app + and TA are bundled together or are provided separately, and this has + implications to the management of the TAs in the TEE. In addition to + the client app and TA, the TA and/or TEE may require some additional + data to personalize the TA to the service provider or the device + user. This personalization data is dependent on the TEE, the TA and + the SP; an example of personalization data might be username and + password of the device user's account with the SP, or a secret + symmetric key used to by the TA to communicate with the SP. The + personalization data must be encrypted to preserve the + confidentiality of potentially sensitive data contained within it. + Other than this requirement to support confidentiality, TEEP place no + limitations or requirements on the personalization data. + + There are three possible cases for bundling of the Client App, TA, + and personalizaiton data: + + 1. The Client App, TA, and personnalization data are all bundled + together in a single package by the SP and provided to the TEEP + Broker through the TAM. + + 2. The Client App and the TA are bundled together in a single + binary, which the TAM or a publicly accessible app store + maintains in repository, and the personalization data is + separately provided by the SP. In this case, the personalization + data is collected by the TAM and included in the InstallTA + message to the TEEP Broker. + + 3. All components are independent. The device user installs the + Client App through some independent or device-specific mechanism, + and the TAM provides the TA and personalization data from the SP. + Delivery of the TA and personalization data may be combined or + separate. + +5.5. Examples of Application Delivery Mechanisms in Existing TEEs + + In order to better understand these cases, it is helpful to review + actual implementations of TEEs and their application delivery + mechanisms. + + In Intel Software Guard Extensions (SGX), the Client App and TA are + typically bound into the same binary (Case 2). The TA is compiled + into the Client App binary using SGX tools, and exists in the binary + as a shared library (.so or .dll). The Client App loads the TA into + an SGX enclave when the client needs the TA. This organization makes + it easy to maintain compatibility between the Client App and the TA, + since they are updated together. It is entirely possible to create a + Client App that loads an external TA into an SGX enclave and use that + TA (Case 3). In this case, the Client App would require a reference + to an external file or download such a file dynamically, place the + contents of the file into memory, and load that as a TA. Obviously, + such file or downloaded content must be properly formatted and signed + for it to be accepted by the SGX TEE. In SGX, for Case 2 and Case 3, + the personalization data is normally loaded into the SGX enclave (the + TA) after the TA has started. Although Case 1 is possible with SGX, + there are no instances of this known to be in use at this time, since + such a construction would required a special installation program and + SGX TA to recieve the encrypted binary, decrypt it, separate it into + the three different elements, and then install all three. This + installation is complex, because the Client App decrypted inside the + TEE must be passed out of the TEE to an installer in the REE which + would install the Client App; this assumes that the Client App binary + includes the TA code also, otherwise there is a significant problem + in getting the SGX encalve code (the TA) from the TEE, through the + installer and into the Client App in a trusted fashion. Finally, the + personalization data would need to be sent out of the TEE (encrypted + in an SGX encalve-to-enclave manner) to the REE's installation app, + which would pass this data to the installed Client App, which would + in turn send this data to the SGX enclave (TA). This complexity is + due to the fact that each SGX enclave is separate and does not have + direct communication to one another. + + [NOTE: Need to add an equivalent discussion for an ARM/TZ + implementation] + +5.6. TEEP Architectural Support for Client App, TA, and Personalization + Data Delivery + + This section defines TEEP support for the three different cases for + delivery of the Client App, TA, and personalization data. + + [Note: discussion of format of this single binary, and who/what is + responsible for splitting these things apart, and installing the + client app into the REE, the TA into the TEE, and the personalization + data into the TEE or TA. Obviously the decryption must be done by + the TEE but this may not be suported by all TAs.] + +5.7. Entity Relations This architecture leverages asymmetric cryptography to authenticate a device to a TAM. Additionally, a TEE in a device authenticates a TAM - and TA signer. The provisioning of trust anchors to a device may + and TA signer. The provisioning of Trust Anchors to a device may different from one use case to the other. A device administrator may want to have the capability to control what TAs are allowed. A device manufacturer enables verification of the TA signers and TAM - providers; it may embed a list of default trust anchors that the + providers; it may embed a list of default Trust Anchors that the signer of an allowed TA's signer certificate should chain to. A device administrator may choose to accept a subset of the allowed TAs via consent or action of downloading. PKI CA -- CA CA -- | | | | | | | | | Device | | --- Agent / Client App --- | SW | | | | | | | | | | | | | | | | -- TEE TAM------- | | FW - Figure 2: Entities + Figure 3: Entities (App Developer) (App Store) (TAM) (Device with TEE) (CAs) | | | --> (Embedded TEE cert) <-- | | | <------------------------------ Get an app cert ----- | | | <-- Get a TAM cert ------ | | 1. Build two apps: Client App TA | | Client App -- 2a. --> | ----- 3. Install -------> | TA ------- 2b. Supply ------> | 4. Messaging-->| | | | | - Figure 3: Developer Experience + Figure 4: Developer Experience - Figure 3 shows an application developer building two applications: 1) + Figure 4 shows an application developer building two applications: 1) a rich Client Application; 2) a TA that provides some security functions to be run inside a TEE. At step 2, the application developer uploads the Client Application (2a) to an Application Store. The Client Application may optionally bundle the TA binary. Meanwhile, the application developer may provide its TA to a TAM provider that will be managing the TA in various devices. 3. A user will go to an Application Store to download the Client Application. The Client Application will trigger TA installation by initiating communication with a TAM. This is the step 4. The Client Application will get messages from TAM, and interacts with device TEE @@ -598,21 +829,21 @@ | | Cert | | Cert | | Cert | | | FW Key/ | | | | | | | Cert | | | | | -------------------- --------------- ---------- | | | | | | ------------- ---------- --------- | TEE CA | | TAM CA | | SP CA | ------------- ---------- --------- - Figure 4: Keys + Figure 5: Keys In the previous diagram, different CAs can be used for different types of certificates. Messages are always signed, where the signer key is the message originator's private key such as that of a TAM, the private key of trusted firmware (TFW), or a TEE's private key. The main components consist of a set of standard messages created by a TAM to deliver device SD and TA management commands to a device, and device attestation and response messages created by a TEE that responds to a TAM's message. @@ -628,46 +859,57 @@ namely, an agent in this protocol architecture, not directly from the network. It is imperative to have an interoperable protocol to communicate with different TAMs and different TEEs in different devices. This is the role of the agent, which is a software component that bridges communication between a TAM and a TEE. The agent does not need to know the actual content of messages except for the TEE routing information. -5.4. Trust Anchors in TEE +5.8. Trust Anchors in TEE - Each TEE comes with a trust store that contains a whitelist of root - CA certificates that are used to validate a TAM's certificate. A TEE - will accept a TAM to create new Security Domains and install new TAs - on behalf of an SP only if the TAM's certificate is chained to one of + Each TEE comes with a trust store that contains a whitelist of Trust + Anchors that are used to validate a TAM's certificate. A TEE will + accept a TAM to create new Security Domains and install new TAs on + behalf of an SP only if the TAM's certificate is chained to one of the root CA certificates in the TEE's trust store. A TEE's trust store is typically preloaded at manufacturing time. It - is out of the scope in this document to specify how the trust store + is out of the scope in this document to specify how the trust anchors should be updated when a new root certificate should be added or existing one should be updated or removed. A device manufacturer is - expected to provide its TEE trust store live update or out-of-band - update to devices. + expected to provide its TEE trust anchors live update or out-of-band + update to Device Administrators. + + When trust anchor update is carried out, it is imperative that any + update must maintain integrity where only authentic trust anchor list + from a device manufacturer or a Device Administrator is accepted. + This calls for a complete lifecycle flow in authorizing who can make + trust anchor update and whether a given trust anchor list are non- + tampered from the original provider. The signing of a trust anchor + list for integrity check and update authorization methods are + desirable to be developed. This can be addressed outside of this + architecture document. Before a TAM can begin operation in the marketplace to support a device with a particular TEE, it must obtain a TAM certificate from a CA that is listed in the trust store of the TEE. -5.5. Trust Anchors in TAM +5.9. Trust Anchors in TAM - The trust anchor store in a TAM consists of a list of CA certificates - that sign various device TEE certificates. A TAM decides what - devices it will trust the TEE in. + The Trust Anchor store in a TAM consists of a list of CA certificates + that sign various device TEE certificates. A TAM will accept a + device for TA management if the TEE in the device uses a TEE + certificate that is chained to a CA that the TAM trusts. -5.6. Keys and Certificate Types +5.10. Keys and Certificate Types This architecture leverages the following credentials, which allow delivering end-to-end security without relying on any transport security. +-------------+----------+--------+-------------------+-------------+ | Key Entity | Location | Issuer | Checked Against | Cardinality | | Name | | | | | +-------------+----------+--------+-------------------+-------------+ | 1. TFW key | Device | FW CA | A whitelist of | 1 per | @@ -687,21 +929,21 @@ | 4. SP key | SP | SP | A SP uses a TAM. | 1 or | | pair and | | signer | TA is signed by a | multiple | | certificate | | CA | SP signer. TEE | can be used | | | | | delegates trust | by a TAM | | | | | of TA to TAM. SP | | | | | | signer is | | | | | | associated with a | | | | | | SD as the owner. | | +-------------+----------+--------+-------------------+-------------+ - Figure 5: Key and Certificate Types + Figure 6: Key and Certificate Types 1. TFW key pair and certificate: A key pair and certificate for evidence of trustworthy firmware in a device. This key pair is optional for TEEP architecture. Some TEE may present its trusted attributes to a TAM using signed attestation with a TFW key. For example, a platform that uses a hardware based TEE can have attestation data signed by a hardware protected TFW key. o Location: Device secure storage @@ -757,48 +999,48 @@ sizes should be anticipated in future. o Issuer: An SP signer CA that chains to a root CA o Checked Against: An SP uses a TAM. A TEE trusts an SP by validating trust against a TAM that the SP uses. A TEE trusts a TAM to ensure that a TA is trustworthy. o Cardinality: One or multiple can be used by an SP -5.7. Scalability +5.11. Scalability - This architecture uses a PKI. Trust anchors exist on the devices to - enable the TEE to authenticate TAMs, and TAMs use trust anchors to + This architecture uses a PKI. Trust Anchors exist on the devices to + enable the TEE to authenticate TAMs, and TAMs use Trust Anchors to authenticate TEEs. Since a PKI is used, many intermediate CA certificates can chain to a root certificate, each of which can issue many certificates. This makes the protocol highly scalable. New factories that produce TEEs can join the ecosystem. In this case, such a factory can get an intermediate CA certificate from one of the existing roots without requiring that TAMs are updated with information about the new device factory. Likewise, new TAMs can join the ecosystem, providing they are issued a TAM certificate that chains to an existing root whereby existing TEEs will be allowed to be personalized by the TAM without requiring changes to the TEE itself. This enables the ecosystem to scale, and avoids the need for centralized databases of all TEEs produced or all TAMs that exist. -5.8. Message Security +5.12. Message Security Messages created by a TAM are used to deliver device SD and TA management commands to a device, and device attestation and messages created by the device TEE to respond to TAM messages. These messages are signed end-to-end and are typically encrypted such that only the targeted device TEE or TAM is able to decrypt and view the actual content. -5.9. Security Domain Hierarchy and Ownership +5.13. Security Domain Hierarchy and Ownership The primary job of a TAM is to help an SP to manage its trusted applications. A TA is typically installed in an SD. An SD is commonly created for an SP. When an SP delegates its SD and TA management to a TAM, an SD is created on behalf of a TAM in a TEE and the owner of the SD is assigned to the TAM. An SD may be associated with an SP but the TAM has full privilege to manage the SD for the SP. @@ -822,21 +1064,21 @@ Since a TAM may support multiple SPs, sharing the same SD name for different SPs creates a dependency in deleting an SD. An SD can be deleted only after all TAs associated with the SD are deleted. An SP cannot delete a Security Domain on its own with a TAM if a TAM decides to introduce such sharing. There are cases where multiple virtual SPs belong to the same organization, and a TAM chooses to use the same SD name for those SPs. This is totally up to the TAM implementation and out of scope of this specification. -5.10. SD Owner Identification and TAM Certificate Requirements +5.14. SD Owner Identification and TAM Certificate Requirements There is a need of cryptographically binding proof about the owner of an SD in a device. When an SD is created on behalf of a TAM, a future request from the TAM must present itself as a way that the TEE can verify it is the true owner. The certificate itself cannot reliably used as the owner because TAM may change its certificate. ** need to handle the normal key roll-over case, as well as the less frequent key compromise case @@ -857,126 +1099,117 @@ A CA can verify the domain ownership of the URL with the TAM in the certificate enrollment process. A TEE can assign this certificate attribute value as the TAM owner ID for the SDs that are created for the TAM. An alternative way to represent an SD ownership by a TAM is to have a unique secret key upon SD creation such that only the creator TAM is able to produce a proof-of-possession (PoP) data with the secret. -5.11. Service Provider Container +5.15. Service Provider Container - A sample Security Domain hierarchy for the TEE is shown in Figure 6. + A sample Security Domain hierarchy for the TEE is shown in Figure 7. ---------- | TEE | ---------- | | ---------- |----------| SP1 SD1 | | ---------- | ---------- |----------| SP1 SD2 | | ---------- | ---------- |----------| SP2 SD1 | ---------- - Figure 6: Security Domain Hierarchy + Figure 7: Security Domain Hierarchy The architecture separates SDs and TAs such that a TAM can only manage or retrieve data for SDs and TAs that it previously created for the SPs it represents. -5.12. A Sample Device Setup Flow +5.16. A Sample Device Setup Flow Step 1: Prepare Images for Devices - - - 1. [TEE vendor] Deliver TEE Image (CODE Binary) to device OEM - - - - 1. [CA] Deliver root CA Whitelist - - - + 2. [CA] Deliver root CA Whitelist - 1. [Soc] Deliver TFW Image + 3. [Soc] Deliver TFW Image Step 2: Inject Key Pairs and Images to Devices - - 1. [OEM] Generate TFW Key Pair (May be shared among multiple devices) - - - - 1. [OEM] Flash signed TFW Image and signed TEE Image onto devices + 2. [OEM] Flash signed TFW Image and signed TEE Image onto devices (signed by TFW Key) Step 3: Set up attestation key pairs in devices - - - 1. [OEM] Flash TFW Public Key and a bootloader key. - - - - 1. [TFW/TEE] Generate a unique attestation key pair and get a + 2. [TFW/TEE] Generate a unique attestation key pair and get a certificate for the device. - Step 4: Set up trust anchors in devices - - - + Step 4: Set up Trust Anchors in devices 1. [TFW/TEE] Store the key and certificate encrypted with the bootloader key - - - - 1. [TEE vendor or OEM] Store trusted CA certificate list into + 2. [TEE vendor or OEM] Store trusted CA certificate list into devices 6. TEEP Broker A TEE and TAs do not generally have the capability to communicate to the outside of the hosting device. For example, GlobalPlatform [GPTEE] specifies one such architecture. This calls for a software module in the REE world to handle the network communication. Each Client Application in the REE might carry this communication functionality but such functionality must also interact with the TEE - for the message exchange. The TEE interaction will vary according to - different TEEs. In order for a Client Application to transparently - support different TEEs, it is imperative to have a common interface - for a Client Application to invoke for exchanging messages with TEEs. + for the message exchange. + The TEE interaction will vary according to different TEEs. In order + for a Client Application to transparently support different TEEs, it + is imperative to have a common interface for a Client Application to + invoke for exchanging messages with TEEs. A shared agent comes to meet this need. An agent is an application running in the REE of the device or an SDK that facilitates communication between a TAM and a TEE. It also provides interfaces - for TAM SDK or Client Applications to query and trigger TA - installation that the application needs to use. + for Client Applications to query and trigger TA installation that the + application needs to use. - This interface for Client Applications may be commonly an OS service - call for an REE OS. A Client Application interacts with a TAM, and - turns around to pass messages received from TAM to agent. + It isn't always that a Client Application directly calls such an + agent to interact with a TEE. A REE Application Installer might + carry out TEE and TAM interaction to install all required TAs that a + Client Application depends. A Client Application may have a metadata + file that describes the TAs it depends on and the associated TAM that + each TA installation goes to use. The REE Application Installer can + inspect the application metadata file and installs TAs on behalf of + the Client Application without requiring the Client Application to + run first. - In all cases, a Client Application needs to be able to identify an - agent that it can use. + This interface for Client Applications or Application Installers may + be commonly an OS service call for an REE OS. A Client Application + or an Application Installer interacts with the device TEE and the + TAMs. 6.1. Role of the Agent An agent abstracts the message exchanges with the TEE in a device. - The input data is originated from a TAM to which a Client Application - connects. A Client Application may also directly call an Agent for - some TA query functions. + The input data is originated from a TAM or the first initialization + call to trigger a TA installation. The agent may internally process a message from a TAM. At least, it needs to know where to route a message, e.g., TEE instance. It does not need to process or verify message content. The agent returns TEE / TFW generated response messages to the caller. The agent is not expected to handle any network connection with an application or TAM. The agent only needs to return an agent error message if the TEE is @@ -1015,86 +1248,334 @@ Multiple independent agent providers can be used as long as they have standard interface to a Client Application or TAM SDK. Only one agent is expected in a device. TAM providers are generally expected to provide an SDK for SP applications to interact with an agent for the TAM and TEE interaction. 7. Attestation -7.1. Attestation Hierarchy + Attestation is the process through which one entity (an attestor) + presents a series of claims to another entity (a verifier), and + provides sufficient proof that the claims are true. Different + verifiers may have different standards for attestation proofs and not + all attestations are acceptable to every verifier. TEEP attestations + are based upon the use of an asymmetric key pair under the control of + the TEE to create digital signatures across a well-defined claim set. + + In TEEP, the primary purpose of an attestation is to allow a device + to prove to TAMs and SPs that a TEE in the device has particular + properities, was built by a particular manufacturer, or is executing + a particular TA. Other claims are possible; this architecture + specification does not limit the attestation claims, but defines a + minimal set of claims required for TEEP to operate properly. + Extensions to these claims are possible, but are not defined in the + TEEP specifications. Other standards or groups may define the format + and semantics of extended claims. The TEEP specification defines the + claims format such that these extended claims may be easily included + in a TEEP attestation message. + + As of the writing of this specification, device and TEE attestations + have not been standardized across the market. Different devices, + manufacturers, and TEEs support different attestation algorithms and + mechanisms. In order for TEEP to be inclusive, the attestation + format shall allow for both proprietary attestation signatures, as + well as a standardized form of attestation signature. Either form of + attesation signature may be applied to a set of TEEP claims, and both + forms of attestation shall be considered conformant with TEEP. + However, it should be recognized that not all TAMs or SPs may be able + to process all proprietary forms of attestations. All TAMs and SPs + MUST be able to process the TEEP standard attestation format and + attached signature. + + The attestation formats and mechanisms described and mandated by TEEP + shall convey a particular set of cryptographic properties based on + minimal assumptions. The cryptographic properties are conveyed by + the attestation; however the assumptions are not conveyed within the + attestation itself. + + The assumptions which may apply to an attestation have to do with the + quality of the attestation and the quality and security provided by + the TEE, the device, the manufacturer, or others involved in the + device or TEE ecosystem. Some of the assumptions that might apply to + an attestations include (this may not be a comprehensive list): + + - Assumptions regarding the security measures a manufacturer takes + when provisioning keys into devices/TEEs; + + - Assumptions regarding what hardware and software components have + access to the Attestation keys of the TEE; + + - Assumptions related to the source or local verification of claims + within an attestation prior to a TEE signing a set of claims; + + - Assumptions regarding the level of protection afforded to + attestation keys against exfiltration, modification, and side + channel attacks; + + - Assumptions regarding the limitations of use applied to TEE + Attestation keys; + + - Assumptions regarding the processes in place to discover or detect + TEE breeches; and + + - Assumptions regarding the revocation and recovery process of TEE + attestation keys. + + TAMs and SPs must be comfortable with the assumptions that are + inherently part of any attestation they accept. Alternatively, any + TAM or SP may choose not to accept an attestation generated from a + particular manufacturer or device's TEE based on the inherent + assumptions. The choice and policy decisions are left up to the + particular TAM/SP. + + Some TAMs or SPs may require additional claims in order to properly + authorize a device or TEE. These additional claims may help clear up + any assumptions for which the TAM/SP wants to alleviate. The + specific format for these additional claims are outside the scope of + this specification, but the OTrP protocol SHALL allow these + additional claims to be included in the attestation messages. + + The following sub-sections define the cryptographic properties + conveyed by the TEEP attestation, the basic set of TEEP claims + required in a TEEP attestation, the TEEP attestation flow between the + TAM the device TEE, and some implementation examples of how an + attestation key may be realized in a real TEEP device. + +7.1. Attestation Cryptographic Properties + + The attestation constructed by TEEP must convey certain cryptographic + properties from the attestor to the verifier; in the case of TEEP, + the attestation must convey properties from the device to the TAM + and/or SP. The properties required by TEEP include: + + - Non-repudiation, Unique Proof of Source - the cryptographic + digital signature across the attestation, and optionally along + with information in the attestion itself SHALL uniquely identify a + specific TEE in a specific device. + + - Integrity of claims - the cryptographic digital signature across + the attestation SHALL cover the entire attesation including all + meta data and all the claims in the attestation, ensuring that the + attestation has not be modified since the TEE signed the + attestation. + + Standard public key algorithms such as RSA and ECDSA digital + signatures convey these properties. Group public key algorithms such + as EPID can also convey these properties, if the attestation includes + a unique device identifier and an identifier for the TEE. Other + cryptographic operations used in other attestation schemes may also + convey these properties. + + The TEEP standard attestation format SHALL use one of the following + digital signature formats: + + - RSA-2048 with SHA-256 or SHA-384 in RSASSA-PKCS1-v1_5 or PSS + format + + - RSA-3072 with SHA-256 or SHA-384 in RSASSA-PKCS1-v1_5 or PSS + format + + - ECDSA-256 using NIST P256 curve using SHA-256 + + - ECDSA-384 using NIST P384 curve using SHA-384 + + - HashEdDSA using Ed25519 with SHA-512 (Ed25519ph in RFC8032) and + context="TEEP Attestation" + + - EdDSA using Ed448 with SHAK256 (Ed448ph in RFC8032) and + context="TEEP Attestation" + + All TAMs and SPs MUST be able to accept attestations using these + algorithms, contingent on their acceptance of the assumptions implied + by the attestations. + +7.2. TEEP Attestation Structure + + For a TEEP attestation to be useful, it must contain an information + set allowing the TAM and/or SP to assess the attestation and make a + related security policy decision. The structure of the TEEP + attestation is shown in the diagram below. + + +------(Signed By)-----------+ + | | + /--------------------------\ V + +---------------+-------------+--------------------------+ + | Attestation | The | The | + | Header | Claims | Attestation Signature(s) | + +---------------+-------------+--------------------------+ + | + | + +------------+--(Contains)------+-----------------+--------------+ + | | | | | + V V V V V + +-------------+ +-------------+ +----------+ +-----------------+ +------------+ + | Device | | TEE | | | | Action or | | Additional | + | Identifying | | Identifying | | Liveness | | Operation | | or optional| + | Info | | Info | | Proof | | Specific claims | | Claims | + +-------------+ +-------------+ +----------+ +-----------------+ +------------+ + + Figure 8: Structure of TEEP Attestation + + The Attestation Header SHALL identify the "Attestation Type" and the + "Attestation Signature Type" along with an "Attestation Format + Version Number." The "Attestation Type" identifies the minimal set + of claims that MUST be included in the attestation; this is an + identifier for a profile that defines the claims that should be + included in the attestation as part of the "Action or Operation + Specific Claims." The "Attestation Signature Type" identifies the + type of attestation signature that is attached. The type of + attestation signature SHALL be one of the standard signatures types + identified by an IANA number, a proprietary signature type identified + by an IANA number, or the generic "Proprietary Signature" with an + accompanying proprietary identifier. Not all TAMs may be able to + process proprietary signatures. + + The claims in the attestation are set of mandatory and optional + claims. The claims themselves SHALL be defined in an attestation + claims dictionary. See the next section on TEEP Attestation Claims. + + Claims are grouped in profiles under an identifier (Attestation + Type), however all attestations require a minimal set of claims which + includes: + + - Device Identifying Info: TEEP attestations must uniquely identify + a device to the TAM and SP. This identifier allows the TAM/SP to + provide services unique to the device, such as managing installed + TAs, and providing subscriptions to services, and locating device- + specific keying material to communicate wiht or authenticate the + device. Additionally, device manufacturer information must be + provided to provide better universal uniqueness qualities without + requiring globally unique identifiers for all devices. + + - TEE Identifying info: The type of TEE that generated this + attestation must be identified. Standard TEE types are identified + by an IANA number, but also must include version identification + information such as the hardware, firmware, and software version + of the TEE, as applicable by the TEE type. Structure to the + version number is required.TEE manufacturer information for the + TEE is required in order to disambiguate the same TEE type created + by different manufacturers and resolve potential assumptions + around manufacturer provisioning, keying and support for the TEE. + + - Liveness Proof: a claim that includes liveness information SHALL + be included which may be a large nonce or may be a timestamp and + short nonce. + + - Action Specific Claims: Certain attestation types shall include + specific claims. For example an attestation from a specific TA + shall include a measurement, version and signing public key for + the TA. + + - Additional Claims: (Optional - May be empty set) A TAM or SP may + require specific additional claims in order to address potential + assumptions, such as the requirement that a device's REE performed + a secure boot, or that the device is not currenlty in a debug or + non-productions state. A TAM may require a device to provide a + device health attestation that may include some claims or + measurements about the REE. These claims are TAM specific. + +7.3. TEEP Attestation Claims + + TEEP requires a set of attestation claims that provide sufficient + evidence to the TAM and/or SP that the device and its TEE meet + certain minimal requirements. Because attestation formats are not + yet broadly standardized across the industry, standardization work is + currently ongoing, and it is expected that extensions to the + attestation claims will be required as new TEEs and devices are + created, the set of attestation claims required by TEEP SHALL be + defined in an IANA registry. That registry SHALL be defined in the + OTrP protocol with sufficient elements to address basic TEEP claims, + expected new standard claims (for example from + https://www.ietf.org/id/draft-mandyam-eat-01.txt), and proprietary + claim sets. + +7.4. TEEP Attestation Flow + + Attesations are required in TEEP under the following flows: + + - When a TEE responds with device state information (dsi) to the TAM + or SP, including a "GetDeviceState" response, "InstallTA" + response, etc. + + - When a new key pair is generated for a TA-to-TAM or TA-to-SP + communication, the keypair must be covered by an attestation, + including "CreateSecurityDomain" response, "UpdateSecurityDomain" + response, etc. + +7.5. Attestation Key Example The attestation hierarchy and seed required for TAM protocol operation must be built into the device at manufacture. Additional TEEs can be added post-manufacture using the scheme proposed, but it is outside of the current scope of this document to detail that. It should be noted that the attestation scheme described is based on signatures. The only decryption that may take place is through the use of a bootloader key. A boot module generated attestation can be optional where the starting point of device attestation can be at TEE certificates. A TAM can define its policies on what kinds of TEE it trusts if TFW attestation is not included during the TEE attestation. -7.1.1. Attestation Hierarchy Establishment: Manufacture +7.5.1. Attestation Hierarchy Establishment: Manufacture During manufacture the following steps are required: 1. A device-specific TFW key pair and certificate are burnt into the device. This key pair will be used for signing operations performed by the boot module. 2. TEE images are loaded and include a TEE instance-specific key pair and certificate. The key pair and certificate are included in the image and covered by the code signing hash. 3. The process for TEE images is repeated for any subordinate TEEs, which are additional TEEs after the root TEE that some devices have. -7.1.2. Attestation Hierarchy Establishment: Device Boot +7.5.2. Attestation Hierarchy Establishment: Device Boot During device boot the following steps are required: 1. The boot module releases the TFW private key by decrypting it with the bootloader key. 2. The boot module verifies the code-signing signature of the active TEE and places its TEE public key into a signing buffer, along with its identifier for later access. For a TEE non-compliant to this architecture, the boot module leaves the TEE public key field blank. 3. The boot module signs the signing buffer with the TFW private key. 4. Each active TEE performs the same operation as the boot module, building up their own signed buffer containing subordinate TEE information. -7.1.3. Attestation Hierarchy Establishment: TAM +7.5.3. Attestation Hierarchy Establishment: TAM Before a TAM can begin operation in the marketplace, it must obtain a TAM certificate from a CA that is registered in the trust store of devices. In this way, the TEE can check the intermediate and root CA and verify that it trusts this TAM to perform operations on the TEE. 8. Algorithm and Attestation Agility RFC 7696 [RFC7696] outlines the requirements to migrate from one mandatory-to-implement algorithm suite to another over time. This feature is also known as crypto agility. Protocol evolution is greatly simplified when crypto agility is already considered during - the design of the protocol. In the case of Open Trust Protocol + the design of the protocol. In the case of the Open Trust Protocol (OTrP) the diverse range of use cases, from trusted app updates for smart phones and tablets to updates of code on higher-end IoT devices, creates the need for different mandatory-to-implement algorithms already from the start. Crypto agility in the OTrP concerns the use of symmetric as well as asymmetric algorithms. Symmetric algorithms are used for encryption of content whereas the asymmetric algorithms are mostly used for signing messages. @@ -1174,24 +1655,24 @@ certificate, or revoked TAM certificate. Since OCSP stapling includes signature generation time, certificate validity dates are compared to the current time. 9.7. Certificate Renewal TFW and TEE device certificates are expected to be long lived, longer than the lifetime of a device. A TAM certificate usually has a moderate lifetime of 2 to 5 years. A TAM should get renewed or rekeyed certificates. The root CA certificates for a TAM, which are - embedded into the trust anchor store in a device, should have long - lifetimes that don't require device trust anchor update. On the + embedded into the Trust Anchor store in a device, should have long + lifetimes that don't require device Trust Anchor update. On the other hand, it is imperative that OEMs or device providers plan for - support of trust anchor update in their shipped devices. + support of Trust Anchor update in their shipped devices. 10. IANA Considerations This document does not require actions by IANA. 11. Acknowledgements The authors thank Dave Thaler for his very thorough review and many important suggestions. Most content of this document is split from a previously combined OTrP protocol document @@ -1215,21 +1696,25 @@ 12.2. Informative References [GPTEE] Global Platform, "GlobalPlatform Device Technology: TEE System Architecture, v1.1", Global Platform GPD_SPE_009, January 2017, . [I-D.ietf-teep-opentrustprotocol] Pei, M., Atyeo, A., Cook, N., Yoo, M., and H. Tschofenig, "The Open Trust Protocol (OTrP)", draft-ietf-teep- - opentrustprotocol-01 (work in progress), July 2018. + opentrustprotocol-02 (work in progress), October 2018. + + [RFC6024] Reddy, R. and C. Wallace, "Trust Anchor Management + Requirements", RFC 6024, DOI 10.17487/RFC6024, October + 2010, . [RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms", BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015, . Appendix A. History RFC EDITOR: PLEASE REMOVE THIS SECTION