[RFC v4] Remote attestation PTA #5010
Conversation
Add a Python script to dump the information contained in the header of a TA file (*.ta). One use case is to extract struct shdr::hash, which is returned by the attestation PTA to be added in a later commit. Signed-off-by: Jerome Forissier <jerome@forissier.org>
jforissier
force-pushed
the
attestation-4
branch
from
1947449
to
861e265
Compare
…pc.c tee_svc_storage_create_filename_dfh() is only used in core/tee/tee_fs_rpc.c, so move it there and make it static. Fundamentally, this function is needed when CFG_REE_FS=y but the whole file core/tee/tee_svc_storage.c (which is the current location of this function) essentially defines the storage syscalls for TAs and is therefore not needed when CFG_WITH_USER_TA=n. If we want to later be able to exclude it from the build while still providing secure storage to kernel code, the function has to move. Signed-off-by: Jerome Forissier <jerome@forissier.org>
core/tee/fs_htree.c is used when CFG_REE_FS=y, and is also used by the test PTA core/pta/tests/fs_htree.c. Rather than make the implementation depend on the test (CFG_TEE_CORE_EMBED_INTERNAL_TESTS), do the opposite. Signed-off-by: Jerome Forissier <jerome@forissier.org>
Adds _CFG_WITH_SECURE_STORAGE set to 'y' when at least one secure storage backend is enabled. Signed-off-by: Jerome Forissier <jerome@forissier.org>
Some files which are currently guarded with CFG_WITH_USER_TA should be guarded with _CFG_WITH_SECURE_STORAGE. This will allow the use of secure storage from kernel code when CFG_WITH_USER_TA=n. Signed-off-by: Jerome Forissier <jerome@forissier.org>
Add a PTA to perform remote attestation of user space TAs. Enabled with CFG_ATTESTATION_PTA=y. This feature allows a client application to request a measurement of any Trusted Application or TA shared library installed on the device. The CA generates a random nonce and sends it to the attestation Pseudo TA, along with the UUID of the TA to be measured. The measurement is the TA hash found in the TA header (struct shdr::hash). It is hashed once more together with the nonce, then the resulting digest is signed using a private key that is generated by the PTA upon the first invocation. The key is persistent (written into secure storage). A command can be used by the client to retrieve the public key; the private key never leaves the TEE. This command would typically be invoked only during device provisioning so that the key pair is generated and the public key is returned in a trusted environment. Signed-off-by: Jerome Forissier <jerome@forissier.org>
jforissier
force-pushed
the
attestation-4
branch
from
861e265
to
ff2f97b
Compare
Can you elaborate the use-case where it would be beneficial? AFAICS, if we just return the hash found in the TA header then we can also return the verified signature found in the TA header. I am not sure what OP-TEE core is attesting in this case and why there is any need to add a new attestation key to suffice this purpose only. |
With a per-device key and a new signature on each call we can authenticate the device as well as make sure the measurement is fresh. If the PTA were to return the TA signature, a malicious actor could intercept the communication before it reaches the PTA and return stale data. Let's consider the definition of attestation found at https://graphene.readthedocs.io/en/latest/attestation.html: "Broadly speaking, attestation is a mechanism for a remote user to verify that the application runs on a real hardware in an up-to-date TEE with the expected initial state."
|
|
Thanks @jforissier for insights into the use-case but now I am confused whether you are trying to attest the whole TEE or only a particular TA. AFAIU, the current implementation ensures to remote entity that this PTA have access to attestation key without any assurance about if the PTA (or TEE as a whole) itself is genuine or compromised. IMO, "up-to-date TEE with the expected initial state" phrase is critical here.
We need to provide signed hash for TEE's initial state as well. IMO, the hash of in-memory pages would be more robust for both TEE and TA. |
Only a particular TA at this point.
Yes, I agree the integrity of the TEE is critical, and a prerequisite to trusting the attestation mechanism for the TAs.
Yes, that shouldn't be too difficult, I will think about it.
I don't disagree ;-) although not a silver bullet either. For example, if an entity performs remote attestation for a TA that is able to load libraries dynamically, the moment when the measurement is made is very important since a library is part of the measurement only after it is loaded obviously. There is a related discussion in a paper titled Establishing Mutually Trusted Channels for Remote Sensing |
The moment for measurement should be after a session to a TA is opened. AFAIK, all the dynamic libraries should be loaded as part of open session. And in case of TEE core measurement, it shouldn't be a problem.
I am not sure if we can call the current TA measurement to be done "at load time" since we are just fetching TA from REE-FS, measuring it and then close reference without loading it into secure RAM. And the other aspect being if the current TA measurement would provide any value for: "... long-running TAs, like those collecting sensing data over long periods of time, which may run for days without being rebooted/reverified." mentioned in section 4.3. |
Most of the time yes, but not if the TA use the
Right. |
Although, I would generally prefer to load dynamic libraries via Also, we can share UUIDs of TA and loaded libraries as measurement metadata. |
Well, more difficult than I initially thought, because |
can we use the measurements passed by the firmware which loads TEE here ? Right now TF-A passes the measurements in form of TPM based TCG specific eventlog but it should be easy to construct some mechanism by which the firmware which loads the TEE can pass it's own measurement and TEE's measurement securely to TEE which can be then added in this quote being constructed. |
| TEE_Result res = TEE_SUCCESS; | ||
|
|
||
| if (!key) { | ||
| res = load_key(); |
There was a problem hiding this comment.
Should a provision be added to provide an option to get a key here in platform defined way. So platforms can choose to generate the key internally and export the public key our or have the ability to import their own attestation key protected by some platform specific key.
For eg, I remember in #4011
they talked about having
- platform specific key (called endorsement key)
- Attestation data [ which had the encrypted private attestation key in it]
The attestation key was obtained after decrypting this attestation data.
TPM attestation also talks about different ways of provisioning attestation keys. https://tpm2-software.github.io/tpm2-tss/getting-started/2019/12/18/Remote-Attestation.html
So having a provision here to allow platform to get their own key somehow during provisioning process may be useful.
There was a problem hiding this comment.
Agreed, some flexibility can easily be added for instance with weak functions. I'd rather wait until a use case is clarified so that we can define a suitable interface.
| return res; | ||
| return sign_digest(out + TEE_SHA256_HASH_SIZE, | ||
| out_sz - TEE_SHA256_HASH_SIZE, digest); | ||
| } |
There was a problem hiding this comment.
IIUC there are usually 3 steps in attestation
- Provisioning the attestation key -> one time step -> the key can be generated as proposed here or can be imported in platform specific way
- generating a quote
- Signing the quote
Should there be some provision to
- add system measurements in the quote (TF-A today passes measurements in fom of TPM understandable eventlog to TEE, platforms can choose to use that or some other way of getting these measurements). These measurements passed by TF-A would include TEE measurements also as it is the one which loads the TEE
- provide a function to get ta hash and let generation of quote be a weak function where we show a possible way to generate this quote and leave an option for platform to construct their own quote with received nonce.
|
Hi @ruchi393,
I think there are basic differences in how we are trying to propose a remote attestation of Trusted Applications. Let me try to elaborate here. There are basically two categories for root of trust for measurement, following are definition quotes from this paper:
AFAIU from @jforissier current implementation and references to https://graphene.readthedocs.io/en/latest/attestation.html, it is the DRTM we are targeting currently. @jforissier, feel free to correct me if I am missing something. So for DRTM, we need to provide signed runtime or load time hashes of the entity that we are trying to attest. In our case its the TA but to attest it we need to prove that the attesting entity (TEE core) is genuine or not. That would require signed runtime or load time hash of attesting entity as well. |
Sorry, but I am not sure if I understand how SRTM and DRTM are related with content of the quote. IIUC, there has to be an agreement between attester and verifier on what the content of the quote would be. Quote should help prove that attesting entity and the hardware it is running on is genuine. If we are considering load time hash here, the loader of TEE is TF-A, so we may use the hash passed by TF-A/loading entity. ( I am not saying we have to use the TPM eventlog, it can be in much simpler format. Basically have a provision where firmware which loads the TEE also passes it's hash to TEE) |
AFAIK, the basic difference with respect to quote contents is whether its made up of hashes which are measured as an aggregated hash once during boot time (SRTM) or measured at runtime when requested (DRTM).
I guess there is some confusion as I have used load time. By load time I just meant measurement of TAs during loading. But the overall idea behind DRTM is that the measurement should be fresh. IOW, TAs should be measured when requested. And same hold true for TEE as well. |
|
@ruchi393 @b49020 thanks for the comments so far. I agree that providing a runtime measurement is more valuable than a boot time one, so I plan to re-introduce the TA page hashing from v2. |
Agree, if we talk in terms of PTA (part of TEE) compromises then that may cause attestation key to be leaked as well which can lead to MITM attacks. But IMO, adding runtime TEE measurement is still worthwhile thing at-least to reduce attack surface. |
|
@jforissier I think it would also be better to document all these remote attestation design considerations for future reference. |
|
This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time. |
Differences with v3:
The hashing method is unchanged: the PTA still returns the hash found in the TA header as in RFC v3. For simplicity I have chosen not to re-introduce the in-memory hashing found in RFC v1 and v2 which I think addresses a slightly different use case. It could easily be done if needed.