github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/Doc/attestation.txt

github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/Doc/attestation.txt (about)

     1  Statement := [ data, hash_alg, hash, time, exp ]
     2  Attestation := [ type, sstmt, sig, quote, cert ]
     3  
     4  Policy signing key = Kroot
     5  . = missing
     6  
     7  I'm assuming the use of WhitelistAuth, not RootAuth.
     8  
     9  --------
    10  
    11  attest_to_aik calls AttestByRoot which uses Kroot to generate:
    12  
    13    a0 = [type=ROOT,
    14          sstmt=ser([data=aik,
    15                     hash_alg=.,
    16                     hash=.,
    17                     time=when,
    18                     exp=later]),
    19          sig=KeyczarSign(sstmt, Kroot),
    20          quote=.,
    21          cert=.]
    22  
    23  The meaning of ROOT attestation a0 is:
    24  
    25    s0 = "ROOT says _aik_ is a trustworthy system notbefore _when_ notafter _exp_"
    26    where: _aik_ = a0.sstmt.data = aik
    27           _when_ = a0.sstmt.time
    28           _exp_ = a0.sstmt.exp
    29  
    30  Note: I say "trustworthy system" here, rather than "trustworthy tpm". See below.
    31  
    32  Given a0, before we should believe s0, we should check:
    33    KeyczarVerify(a0.sstmt, Kroot) // properly signed by policy key
    34    a0.time <= now <= a0.exp // not expired
    35  
    36  If those conditions hold, then:
    37  
    38    TaoAuth::VerifyAttestation(a0) returns a0.sstmt.data = aik
    39  
    40  --------
    41  
    42  LinuxTao w/ signing key Ktao calls TPMTaoChildChannel which uses TPM to create:
    43  
    44    a1 = [type=TPM_1_2_QUOTE,
    45          sstmt=ser([data=Ktao,
    46                     hash_alg="TPM1.2 Quote",
    47                     hash=.,
    48                     time=when,
    49                     exp=later]),
    50          sig=TpmWierdSign([Ktao, pcrs], aik),
    51          quote=pcrs,
    52          cert=a0]
    53  
    54  Note: The timestamps on a1 are taken from LinuxTao. So the TPM isn't limiting
    55  the attestion, only LinuxTao is putting a time limit on this.
    56  
    57  The meaning of TPM_1_2_QUOTE attestation a1 is:
    58    s1 = "_aik_ says (_linux_ says its key is _k_ notbefore _when_ notafter _exp_)"
    59    where: _aik_ = VerifiyAttestation(a1.cert) = VerifyAttesataion(a0)
    60           _linux_ = a1.quote = pcrs
    61           _k_ = a1.sstmt.data = Ktao
    62           _when_ = a1.sstmt.time
    63           _exp_ = a1.sstmt.exp
    64  
    65  Given a1, before we should believe s1, we should check:
    66    VerifyAttestation(a1.cert=a0) // this tpm is trustworty in this domain
    67    TpmWierdVerify([a1.sstmt.data, a1.quote], _aik_) // properly signed by this tpm
    68    a1.time <= now <= a1.exp // not expired
    69    CheckAuthorization(a1) // checks if pcrs are on the whitelist for this domain
    70  
    71  If those conditions hold, then:
    72  
    73    TaoAuth::VerifyAttestation(a1) returns a1.sstmt.data = Ktao
    74  
    75  --------
    76  
    77  LinuxTao w/ signing key Ktao sends attestations a0 and a1 to TCCA, which does the above
    78  checks to conclude s0 and s1. Given s0 and s1, TCCA makes a logical deduction
    79  then produces:
    80  
    81    a1b = [type=ROOT,
    82          sstmt=ser([data=Ktao,
    83                     hash_alg="TPM1.2 Quote",
    84                     hash=.,
    85                     time=when,
    86                     exp=later]),
    87          sig=KeyczarSign(sstmt, Kroot),
    88          quote=.,
    89          cert=.]
    90  
    91  Note: The timestamps on a1b are copied directly from a1. So TCCA isn't limiting
    92  the attestion, only the original LinuxTao is putting a time limit on this. Seems
    93  kind of risky that LinuxTao can request arbitrary timestamps and TCCA will
    94  happily sign them.
    95  
    96  Note also that the pcrs are completely omitted.
    97  
    98  The meaning of ROOT attestation a1b (following the same pattern as for a0) is:
    99    s1b = "ROOT says _k_ is a trustworthy system notbefore _when_ notafter _exp_"
   100    where: _k_ = a1b.sstmt.data = Ktao
   101           _when_ = a1b.sstmt.time
   102           _exp_ = a1b.sstmt.exp
   103  
   104  Note: I need to say "trustworthy system" here, not "trustworthy tpm". See above.
   105  
   106  Given a1b, before we should believe s1b, we should check:
   107    KeyczarVerify(a1b.sstmt, Kroot) // properly signed by policy key
   108    a0.time <= now <= a0.exp // not expired
   109  
   110  If those conditions hold, then:
   111  
   112    TaoAuth::VerifyAttestation(a1b) returns a1b.sstmt.data = Ktao
   113  
   114  --------
   115  
   116  CloudServer w/ signing key Ksrv and program hash H calls LinuxTao::Attest(H, S).
   117  I'm not positive what S is here, I assume it is a self-signed x509 cert
   118  describing its own public key Ksrv. In any case, LinuxTao checks to make sure H
   119  is actually one of its own running children, then generates:
   120  
   121    a2 = [type=INTERMEDIATE,
   122          sstmt=ser([data=x509(Ksrv),
   123                     hash_alg="SHA256",
   124                     hash=H,
   125                     time=when,
   126                     exp=later]),
   127          sig=KeyczarSign(sstmt, Ktao),
   128          quote=.,
   129          cert=a1b (alternatively, a1a if not using tcca)]
   130  
   131  The meaning of INTERMEDIATE attestation a2 is:
   132  
   133    s2 = "_linux_ says (_pgm_ says its key is _k_) notbefore _when_ notafter _exp_"
   134    where: _linux_ = VerifiyAttestation(a2.cert) = VerifyAttesataion(a1b) = Ktao
   135           _pgm_ = a2.sstmt.hash = H
   136           _k_ = a2.sstmt.data = x509(srv)
   137           _when_ = a2.sstmt.time
   138           _exp_ = a2.sstmt.exp
   139  
   140  Given a1, before we should believe s2, we should check:
   141    VerifyAttestation(a2.cert=a1b) // this linux tao is trustworty in this domain
   142    KeyczarVerify(a2.sstmt.data, _linux_) // properly signed by this linux tao
   143    a2.time <= now <= a2.exp // not expired
   144    CheckAuthorization(a2) // checks if H is on the whitelist for this domain
   145  
   146  If those conditions hold, then:
   147  
   148    TaoAuth::VerifyAttestation(a2) returns a2.sstmt.data = x509(Ksrv)
   149  
   150  I suppose CloudServer could also go to TCC with a1b and a2 to get a condensed
   151  cert in the same way that LinuxTao did, but I don't think the code currently
   152  does that.
   153  
   154  --------
   155  
   156  Comments:
   157  
   158  It seems that the intended meaning of an attestation is always
   159  
   160    "The following key is owned by some trustworthy system and is to be trusted
   161    for signing additional attestations"
   162  
   163    Where "some trustworthy system" means 
   164    "either a tpm that was OK'ed by the policy, 
   165    or a linux system running on such a tpm with pcrs in a state that was OK'ed by the policy,
   166    or a hosted program runnning on such a linux system with hash that was OK'ed by the policy"
   167  
   168  First issue: The checking and logical deduction seems really liberal. It seems
   169  that an attested hosted program has exactly the same powers as an attested linux
   170  tao. For example, I don't see anything that prevents a hosted program from
   171  issuing the same kinds of attestations that the linux tao does, meaning that a
   172  hosted program on the whitelist can impersonate any other name on the whitelist.
   173  Similarly, CloudClients can impersonate CloudServers by just issuing their own
   174  attestations binding the server hash to their own keys.
   175  
   176  Second issue: Actually, it seems to me that program names are *never* used,
   177  except when LinuxTao wants to decide whether to start a given hosted program.