-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Attest-key-triple validation needed for ae construction? #314
Comments
This might be too constraining since it is reasonable for an Attester to disclose the existence of a key without it being used. For example, an HSM could have several keys that are protected by the HSM but doesn't use all of them when producing Evidence. |
SPDM defines something called a "transcript" which is something like a signed block that can be taken out of the channel context to be used to verify the integrity of offline measurements. They could be forwarded to a proxy to verify etc. This seems a bit like an IETF "token" but the spec isn't written that way. |
The TCG binding spec anticipates that a transcript can be used. |
Do we have any plan for normative language about attest-key-triple and how its use is meant to bind an evidence-signing key to an environment? |
By "bind" do you mean some form of proof-of-possession? |
No I mean more of a binding contract in the Verifier to not accept evidence from keys not associated with the environment the reference values are for. I want to make sure that if I’m not specifying authorized-by for my reference values, then the environment must be tied to the manufacturer RoT somehow |
The trust dependency triple is trying to model that. We've parked that discussion a while ago so we could do the refactoring and get more prose behind core features. Maybe it's time to revisit trust dependency triple. One of the open topics was whether or not the |
I'm afraid I don't follow that explanation. The RVP cannot say which exact keys the whole fleet that will run its signed firmware will have. We just know that the keys' certs should be issued by AMD's intermediate CA. |
Attest-key-triple can be encoded by AMD's KDS signing a VCEK certificate with extensions that identify the environment it's bound to. SEV-SNP Evidence can be interpreted as coming from a certain environment. |
There is no ACS / Appraisal context representation of attest-key-triple. I think we need to concretize the internal representation and its meaning. |
Reflecting rough consensus from the 2024-10-23 corim design team discussion:
Other considerations:
If there is a second key-list entry that has different authority, this can be modeled by using a second attest-key-triple-record. Note: to be consistent with measurement-map use of authorized-by we might want:
The semantics are that there could be multiple entities asserting the EKT, meaning multiple signers of the evidence / reference triples. In practice, this seems unlikely, but it isn't much overhead if added.
|
If we're dropping the need for RVPs to specify the attester authority, we ought to mention in Phase 1 that Evidence can only be transformed an ECT about environment E only if the evidence was signed by a key bound to E with an attest-key-triple, no? It probably works differently for SPDM since the measurement is over an authenticated channel rather than signed, but unfortunately that detail is missing from the TCG document https://trustedcomputinggroup.org/wp-content/uploads/TCG-DICE-Concise-Evidence-Binding-for-SPDM-Version-1.0-Revision-54_pub.pdf
The text was updated successfully, but these errors were encountered: