Skip to main content

Trusted Execution Environment Provisioning (TEEP) Architecture
draft-ietf-teep-architecture-19

Yes

Paul Wouters

No Objection

John Scudder
(Alvaro Retana)
(Andrew Alston)
(Martin Duke)

Note: This ballot was opened for revision 18 and is now closed.

Paul Wouters
Yes
Éric Vyncke
Yes
Comment (2022-09-07 for -18) Sent
# Éric Vyncke, INT AD, comments for draft-ietf-teep-architecture-18
CC @evyncke

Thank you for the work put into this document. I really like the approach (except perhaps the role of TEEP broker).

Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education).

Please note that Ines Robles (iot dir) and Bob Halley (int dir) have also reviewed the I-D at my request (thank you both !). I would appreciate it if you considered their reviews as mine (including replying by email to their reviews):

* https://datatracker.ietf.org/doc/review-ietf-teep-architecture-18-iotdir-telechat-robles-2022-09-04/ (esp for her point about RFC 7228 classification)
* https://datatracker.ietf.org/doc/review-ietf-teep-architecture-18-intdir-telechat-halley-2022-08-27/ (esp for his point about section 4.1, thanks Ming for your reply)

Special thanks to Tiru Reddy for the *one-year old* shepherd's write-up including the WG consensus but missing the justification of the intended status. 

I hope that this review helps to improve the document,

Regards,

-éric

## COMMENTS

### Role of TEEP Broker

After reading the I-D, I am still a little unclear about the role of the TEEP Broker ? Is it simple a store/forward cache ? I.e., it does not authenticate to any party and does not have any access to any message? If so, it would be nice to say so early in the text (before section 5 when my own penny dropped) and perhaps rename it in 'TEEP relay'.

### Section 1
```
   In a system with multiple TEEs, this also means
   that code in one TEE cannot be read or tampered with by code in
   another TEE.
```
Should this rather be `code and data in one TEE` ?

To be honest, this is the first time I read 'Rich Execution Environment'; should there be some explanations (shorter than the one in the terminology section)? How different is it from the 'commodity operating system' (used in the paragraph above).

### Section 2 physical only ?

`Device: A physical piece of hardware`... I would have guessed that a TEE could exist in a virtual machine provided that the hypervisor offers the same 'physical' security as the HW. I.e., TA in the VM could be 'isolated' from other untrusted app in the same VM. See also section 3.4 and the cloud use case.

### Section 2 no TEE definition ?

A lot of terms are nicely and clearly defined, but 'TEE' itself is not defined.

### Section 2 only TA in TEE ?

The definition of 'TA' implies that it runs in a TEE, but are there only TA running in TEE ?

### Section 4.1 TEEP broker is not trusted ?

Should the TEEP broker itself run in a TEE ? Of course, this is chicken and egg...

### Section 4.1 CA

Nothing dramatic, but the role of a CA is explained in the text while there is no CA in fig 1

### Section 4.4.1 reference

Should there be an informative reference about SGX ?

### Section 4.5 wrong direction ?

Is the arrow (step 4) in the wrong direction as this is up to the TEEP broker to contact the TAM per previous text? or add a similar text as in step 3.

### Section 5.4 and constrained devices

As PKI cert chains can be very long, should there be some text about constrained devices/networks where several kBytes are too many ? Even if only to say 'TEEP is not usable on constrained networks/devices' ?

### Section 9.3

While I do not contest that REE can be compromised, I think that claiming `billions of compromised devices` is too many and should require a reference.

### Section trusting time

As PKI relies on correct time information and as some devices relies on NTP, GSM, GNSS, ... time information and as those can be spoofed, should there be a sub-section on time attack ? (this would be a DoS or allowing the use of an old - compromised - TA / trust anchor).


## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. 

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
Erik Kline
No Objection
Comment (2022-09-07 for -18) Sent
# Internet AD comments for {draft-ietf-teep-architecture-18}
CC @ekline

## Comments

* Thanks very much to Ines Robles for the IoT Directorate review.

  Please review the feedback at:

  https://datatracker.ietf.org/doc/review-ietf-teep-architecture-18-iotdir-telechat-robles-2022-09-04/
John Scudder
No Objection
Murray Kucherawy
No Objection
Comment (2022-09-08 for -18) Sent
My colleagues already did a pretty thorough job.  I've only a few things to add.

The shepherd writeup is over a year old.  It lists Ben Kaduk as the responsible AD.

In Section 4.1, it says "Figure 1 shows the main components in a typical device with an REE and a TEE."  Where's the REE?  Is it the "Device"?

"SGX" should be expanded on first use (Section 4.1), but it's actually expanded in Section 4.4.1.

Nits:

Use of capitalization is inconsistent.  For instance, "Device User" is capitalized when defined, but never again; meanwhile, "Personalization Data" is always capitalized.

Section 1:

* "TEEs use hardware enforcement combined with software protection to secure TAs and its data." -- s/its/their/

Section 2:

* "Device User" is never used outside of the "Terminology" section; is it needed?
Roman Danyliw
No Objection
Comment (2022-09-07 for -18) Sent
Thank you to Ben Schwartz for the SECDIR review. Please review his feedback.

** Section 1.
   The
   danger  of attacks on a system increases as the sensitivity of the
   applications or data on the device increases.  As an example,
   exposure of emails from a mail client is likely to be of concern to
   its owner, but a compromise of a banking application raises even
   greater concerns.

Based on the example, is it the “danger of attacks” or the “consequences of attacks”?

** Section 1. There are two different threat models implicitly described in this section.  The first paragraph seems outline the risk of multiple applications on the same devices and the complexity of those applications.  The fourth paragraph describes the threat of threat actors with physical access.  Are we talking about both?

** Section 3.1.  Is a “trusted user interface” something that needs to be defined?  Is it an example of a trusted TA?

** Section 3.3.
   A TEE can be the best way
   to implement such IoT security functions.

This seems like a strong but unsupported claim.  Consider something weaker.

** Section 4.4.
   Implementations must support encryption to
   preserve the confidentiality of such Personalization Data, which may
   potentially contain sensitive data.  Implementations must also
   support mechanisms for integrity protection of such Personalization
   Data.   

Please clarify what it means to “support encryption.”  Is this saying that all personalization data at rest must be encrypted?  No personalization data can be sent in the clear?

** Section 6.2
A TEEP Broker abstracts the message exchanges with a TEE in a device. 

What does it mean for the broker to “abstract” the message exchange?

** Section 7.  What is the relationship between the attestation process in Figure 6 and the conceptual message flow described in 6.2.1?

** Section 7.

   Different Verifiers may require different degrees of
   confidence in attestation proofs and not all attestations are
   acceptable to every verifier

Why is the first instance of “verifiers” a proper noun (capitalized) but the second is not?

** Section 9.  This section notes a few instances where a TEE should detect that something potentially suspect is happening.  How, if at all, should logging of this phenomenon occur?  How would someone managing devices become aware of it or be notified?

** Section 9.  From the SECDIR review:
==[ snip ]==
Nothing here seems to discuss attacks on the TEE's properties, and the
post-compromise implications of those attacks.  For example, if all instances
of a TA share a secret key, used for decrypting the Personalization Data, then
a single successful attack on a TEE is sufficient to decrypt all
Personalization Data (previous and future).  Given the prevalence of such
attacks (especially via hardware fault injection), it seems likely to be worth
mentioning. [1]
==[ snip ]==

** Section 9.1.  In the spirit of inclusive language, consider if there is an alternative term for “man-in-the-middle”.

** Section 9.1
   While a TEEP Broker broker can in effect make suggestions, it cannot
   decide or enforce what runs where.  

-- Editorial. s/Broker broker/Broker/

-- What suggestions can a Broker make?  Per Section 6.1, I thought the Broker only relayed messages between the Agent and the TAM.

** Section 9.3

   We have
   already seen examples of attacks on the public Internet with billions
   of compromised devices being used to mount DDoS attacks

Can a reference be provided for a single DDoS having billions of compromised devices as sources.

** Section 9.3.

   A compromised REE might also request initiating the full flow of
   installation of Trusted Components that are not necessary.  

With this technique, could a compromised RRE fill up all of the secure storage of a TEE preventing future legitimate installations from occurring?

** Section 9.7

  A TAM certificate usually has a moderate
   lifetime of 2 to 5 years

Is this a recommendation or an observation?  If the former, what is the basis of these numbers?

** Typos
-- Section 4.1.  Typo. s/Administators/Administrators/

-- Section 6. Typo. s/.././
Warren Kumari
No Objection
Comment (2022-09-07 for -18) Not sent
I have very little to add, other than noting that I find Use-Case and Architecture documents to be really helpful.
They help "set the stage" when reading a new set of document, or deploying a new technology. Thank you!
Zaheduzzaman Sarker
No Objection
Comment (2022-09-08 for -18) Not sent
Thanks for working on this specification. It was a good read for me. I will skip the nits but noted that "consensus boiler plate" entry is missing in the datatracker.
Alvaro Retana Former IESG member
No Objection
No Objection (for -18) Not sent

                            
Andrew Alston Former IESG member
No Objection
No Objection (for -18) Not sent

                            
Lars Eggert Former IESG member
No Objection
No Objection (2022-09-07 for -18) Sent
# GEN AD review of draft-ietf-teep-architecture-18

CC @larseggert

Thanks to Paul Kyzivat for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/_PQLgwbAxaVsfWgfg62QZHYYlYs).

## Comments

### Unclear consensus

The datatracker state does not indicate whether the consensus boilerplate
should be included in this document. The shepherd writeup makes it pretty
clear that it should, so please change the datatracker metadata for the
document?

### Inclusive language

Found terminology that should be reviewed for inclusivity; see
https://www.rfc-editor.org/part2/#inclusive_language for background and more
guidance:

 * Term `man`; alternatives might be `individual`, `people`, `person`
 * Terms `she` and `he`; alternatives might be `they`, `them`, `their`

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### Typos

#### Section 4.1, paragraph 4
```
-       Administators may elect to use a TAM for remote administration of
+       Administrators may elect to use a TAM for remote administration of
+               +
```

#### Section 4.1, paragraph 5
```
-       Trusted Component Signers or Device Administators to use the TAM's
+       Trusted Component Signers or Device Administrators to use the TAM's
+                                                   +
```

#### Section 4.4.2, paragraph 1
```
-    a specific Untrused Application process lifetime as occurs in SGX.  A
+    a specific Untrusted Application process lifetime as occurs in SGX.  A
+                     +
```

#### Section 4.5, paragraph 8
```
-    via a TEEP Broker that faciliates communications between the TAM and
+    via a TEEP Broker that facilitates communications between the TAM and
+                                 +
```

### Boilerplate

Document still refers to the "Simplified BSD License", which was corrected in
the TLP on September 21, 2021. It should instead refer to the "Revised BSD
License".

### Grammar/style

#### Section 2, paragraph 8
```
ust resist modification against unauthorized insertion, deletion, and modifi
                                ^^^^^^^^^^^^
```
Do not mix variants of the same word ("unauthorized" and "unauthorised") within
a single text.

#### Section 4.5, paragraph 9
```
ed further in Section 5.3 below. Typically the same key TEE pair is used for
                                 ^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Typically".

#### Section 6.1, paragraph 1
```
. ProcessTeepMessage: A message arriving on an existing TEEP session, to be d
                                ^^^^^^^^^^^
```
The usual preposition after "arriving" is "at", not "on". Did you mean
"arriving at"?

#### Section 7, paragraph 1
```
s, from trusted app updates for smart phones and tablets to updates of code 
                                ^^^^^^^^^^^^
```
Nowadays, it's more common to write this as one word.

#### Section 9.1, paragraph 3
```
AM certificates might get compromised or its certificate might expire, or a T
                                     ^^^
```
Use a comma before "or" if it connects two independent clauses (unless they are
closely connected and short).

#### Section 9.1, paragraph 4
```
EE certificates might get compromised or its certificate might expire, or a T
                                     ^^^
```
Use a comma before "or" if it connects two independent clauses (unless they are
closely connected and short).

#### Section 9.3, paragraph 1
```
oked by a timer or other event. Furthermore the policy in the Verifier in an
                                ^^^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Furthermore".

#### Section 9.3, paragraph 3
```
 certificates are expected to be long lived, longer than the lifetime of a d
                                 ^^^^^^^^^^
```
This word is normally spelled with a hyphen.

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF], You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool
Martin Duke Former IESG member
No Objection
No Objection (for -18) Not sent

                            
Robert Wilton Former IESG member
No Objection
No Objection (2022-09-06 for -18) Sent
Hi,

Thanks for this document, I found it pretty easy to read.

Minor level comments:

(1) p 17, sec 4.5.  Entity Relations

   At step 3, a user will go to an Application Store to download the
   Untrusted Application (where the arrow indicates the direction of
   data transfer).

I note that this diagram doesn't actually include the user, possibly consider changing "3. Install to 3. User Install"


(2) p 17, sec 4.5.  Entity Relations

   At step 4, since the Untrusted Application depends on the TA,
   installing the Untrusted Application will trigger TA installation via
   communication with a TAM.  The TEEP Agent will interact with the TAM
   via a TEEP Broker that faciliates communications between the TAM and
   the TEEP Agent.

I found this quite unclear from the diagram, it looked like the messaging is initiated from the TAM to the Device with the TEE.  I also found the time flow in this diagram to be somewhat unclear, since normally time flows downwards with sequence diagrams, but I wasn't convinced that was the case here.  E.g. TA -- 2b is lower than 3. Install.


(3) p 21, sec 5.4.  Scalability

   factory.  Likewise, new TAMs can join the ecosystem, providing they
   are issued a TAM certificate that chains to an existing root whereby
   existing TEEs will be allowed to be personalized by the TAM without
   requiring changes to the TEE itself.

It isn't clear to me what is meant by "personalized by the TAM".


(4) p 21, sec 5.5.  Message Security

   These messages are signed end-to-end between a TEEP Agent and a TAM.
   Confidentiality is provided by encrypting sensitive payloads (such as
   Personalization Data and attestation evidence), rather than
   encrypting the messages themselves.  Using encrypted payloads is
   important to ensure that only the targeted device TEE or TAM is able
   to decrypt and view the actual content.

It's not obvious to me why you would only encrypt the payload and not the messages themselves.  Is this so that 'routing information' is readily available or something else?


(5) p 23, sec 6.2.1.  TEEP Broker APIs

   The following conceptual APIs exist from a TEEP Broker to a TEEP
   Agent:

I'm slightly surprised that the conceptual TEEP Broker APIs are contained in this document when the other equivalent TEEP APIs are not.


(6) p 24, sec 6.2.2.  TEEP Broker Distribution

   The Broker installation is commonly carried out at OEM time.  A user
   can dynamically download and install a Broker on-demand.

It is unclear to me what is meant by "OEM time"?


(7) p 27, sec 9.  Security Considerations

I note that there is no security considerations for a compromised TEE.  Should this be considered, or is it the case that TEEs cannot be compromised?  Similarly, is a compromised TA something that should be considered here?



Nit level comments:

(8) p 3, sec 1.  Introduction

   *  An installer of an Untrusted Application that depends on a given
      TA wants to request installation of that TA in the device's TEE so
      that the Untrusted Application can complete, but the TEE needs to

Should this be "so that the installation of the Untrusted Application can complete?


(9) p 16, sec 4.4.2.  Example: Application Delivery Mechanisms in Arm TrustZone

   A trusted OS running in the TEE (e.g., OP-TEE) that supports loading
   and verifying signed TAs from an untrusted filesystem can, like SGX,
   use classic file distribution mechanisms.

I suggest expanding OP-TEE, it wasn't obvious to me what this was.

Thanks,
Rob