Internet-Draft | EAT Measured Component | June 2024 |
Frost, et al. | Expires 13 December 2024 | [Page] |
- Workgroup:
- Remote ATtestation ProcedureS
- Internet-Draft:
- draft-fft-rats-eat-measured-component-03
- Published:
- Intended Status:
- Standards Track
- Expires:
EAT Measured Component
Abstract
A measured component is a measurable object of an attester's target environment, that is, an object whose state can be sampled and digested. Examples of measured components include the invariant part of firmware that is loaded in memory at startup time, a run-time integrity check, a file system object, or a CPU register.¶
This document defines a "measured component" format that can be used with the EAT Measurements
claim.¶
Discussion Venues
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Remote ATtestation ProcedureS Working Group mailing list (rats@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/rats/.¶
Source for this draft and an issue tracker can be found at https://github.com/thomas-fossati/draft-fft-rats-eat-measured-component.¶
Status of This Memo
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 13 December 2024.¶
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
1. Introduction
Section 4.2.16 of [I-D.ietf-rats-eat] defines a Measurements
claim that:¶
-
"[c]ontains descriptions, lists, evidence or measurements of the software that exists on the entity or any other measurable subsystem of the entity."¶
This claim allows for different measurement formats, each identified by a different CoAP Content-Format (Section 12.3 of [RFC7252]). Currently, the only specified format is CoSWID of type "evidence", as per Section 2.9.4 of [RFC9393].¶
This document introduces a "measured component" format that can be used with the EAT Measurements
claim in addition to or as an alternative to CoSWID.¶
The term "measured component" refers to any measurable object on a target environment, that is, an object whose state can be sampled and digested. This includes, for example: the invariant part of a firmware component that is loaded in memory at startup time, a run-time integrity check (RTIC), a file system object, or a CPU register.¶
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
In this document, CDDL [RFC8610] [RFC9165] [I-D.ietf-cbor-cddl-modules] [I-D.ietf-cbor-cddl-more-control] is used to describe the data formats.¶
3. Information Model
A "measured component" information element includes the digest of the component's sampled state along with metadata that helps in identifying the component. Optionally, any entities responsible for signing the installed component can also be specified.¶
The information model of a "measured component" is described in Table 1.¶
IE | Description | Requirement Level |
---|---|---|
Component Name | The name given to the measured component. It is important that this name remains consistent across different releases to allow for better tracking of the same measured item across updates. When combined with a consistent versioning scheme, it enables better signaling from the appraisal procedure to the relying parties. | REQUIRED |
Component Version | A value representing the specific release or development version of the measured component. Using Semantic Versioning is RECOMMENDED. | OPTIONAL |
Digest Value | Hash of the measured component. | REQUIRED |
Digest Algorithm | Hash algorithm used to compute the Digest Value. | REQUIRED |
Signers | One or more unique identifiers of entities signing the measured component. | OPTIONAL |
4. Data Model
The data model is inspired by the "PSA software component" claim (Section 4.4.1 of [I-D.tschofenig-rats-psa-token]), which has been refactored to take into account the recommendations about new EAT claims design in Appendix E of [I-D.ietf-rats-eat].¶
4.1. The measured-component
Data Item
;# import digest from RFCYYYY as corim measured-component = [ id: component-id measurement: corim.digest ? signers: [ + signer-type ] ]¶
id
-
The measured component identifier encoded according to the format described in Section 4.1.1.¶
measurement
-
Digest value and algorithm, encoded using CoRIM digest format (Section 1.3.8 of [I-D.ietf-rats-corim]).¶
signers
-
One or more signing entities, see Section 4.1.2.¶
4.1.1. Component Identifier
;# import sw-version-type from RFCXXXX as eat component-id = [ name: text ? version: eat.sw-version-type ]¶
name
-
A string that provides a human readable identifier for the component in question. Format and adopted conventions depend on the component type.¶
version
-
A compound
version
data item that reuses encoding and semantics of [I-D.ietf-rats-eat]sw-version-type
.¶
4.1.2. Signer
A signer is an entity that digitally signs the measured component. For example, as in UEFI Secure Boot [UEFI2] and Arm Trusted Board Boot [TBBR-CLIENT]. A signer is associated with a public key. It could be an X.509 certificate, a raw public key, a public key thumbprint, or some other identifier that can be uniquely associated with the signing entity. In some cases, multiple parties may need to sign a component to indicate their endorsement or approval. This could include roles such as a firmware update system, fleet owner, or third-party auditor. The specific purpose of each signature may depend on the deployment, and the order of signers within the array could indicate meaning.¶
If an EAT profile (Section 6 of [I-D.ietf-rats-eat]) uses measured components, it MUST specify whether the signers
field is used.
If it is used, the profile MUST also specify what each of the entries in the signers
array represents, and how to interpret the corresponding signer-type
.¶
signer-type = bytes¶
4.2. EAT measurements-format
Extensions
The CDDL in Figure 1 extends the $measurements-body-cbor
and $measurements-body-json
EAT sockets to add support for measured-component
s to the Measurements
claim.¶
Each socket is extended with two new types: a "native" representation that is used when measured-component
and the EAT have the same serialization (e.g., they are both CBOR), and a "tunnel" representation that is used when the serializations differ.¶
4.3. measurements-format
for CBOR EAT
The entries in Table 2 are the allowed content-type
/ content-format
pairs when the measured-component
is carried in a CBOR EAT.¶
Note the use of the "native" and "tunnel" formats from Figure 1, and how the associated CoAP Content-Format is used to describe the original serialization.¶
content-type (CoAP C-F equivalent) | content-format |
---|---|
application/measured-component+cbor
|
mc-cbor
|
application/measured-component+json
|
tstr .b64u mc-json
|
4.4. measurements-format
for JSON EAT
Table 3 is the equivalent of Table 2 for JSON-serialized EAT.¶
content-type (CoAP C-F equivalent) | content-format |
---|---|
application/measured-component+json
|
mc-json
|
application/measured-component+cbor
|
tstr .b64u mc-cbor
|
5. Examples
(The examples are CBOR only. JSON examples will be added in a future version of this document.)¶
The example in Figure 2 is a measured component with all the fields populated.¶
The example in Figure 3 is the same measured component as above but used as the format of a measurements
claim in a EAT claims-set.¶
Note that the example uses a CoAP Content-Format value from the experimental range (65000), which will change to the value assigned by IANA for the application/measured-component+cbor
Content-Format.¶
Note also that the array contains only one measured component, but additional entries could be added if the measured TCB is made of multiple, individually measured components.¶
6. Security and Privacy Considerations
The Name and Version of a component could provide an attacker with detailed information about the running software and configuration settings of the device. This information could also expose private details regarding the device. The stability requirement for the component's Name could potentially enable tracking.¶
7. IANA Considerations
RFC Editor: replace "RFCthis" with the RFC number assigned to this document.¶
7.1. Media Types Registrations
IANA is requested to add the following media types to the "Media Types" registry [IANA.media-types].¶
Name | Template | Reference |
---|---|---|
mc+cbor
|
application/measured-component+cbor
|
RFCthis |
mc+json
|
application/measured-component+json
|
RFCthis |
7.1.1. application/measured-component+cbor
- Type name:
-
application¶
- Subtype name:
-
measured-component+cbor¶
- Required parameters:
-
n/a¶
- Optional parameters:
-
n/a¶
- Encoding considerations:
-
binary (CBOR)¶
- Security considerations:
- Interoperability considerations:
-
n/a¶
- Published specification:
-
RFCthis¶
- Applications that use this media type:
-
Attesters, Verifiers and Relying Parties¶
- Fragment identifier considerations:
-
The syntax and semantics of fragment identifiers are as specified for "application/cbor". (No fragment identification syntax is currently defined for "application/cbor".)¶
- Person & email address to contact for further information:
-
RATS WG mailing list (rats@ietf.org)¶
- Intended usage:
-
COMMON¶
- Restrictions on usage:
-
none¶
- Author/Change controller:
-
IETF¶
- Provisional registration:
-
no¶
7.1.2. application/measured-component+json
- Type name:
-
application¶
- Subtype name:
-
measured-component+json¶
- Required parameters:
-
n/a¶
- Optional parameters:
-
n/a¶
- Encoding considerations:
-
binary (JSON is UTF-8-encoded text)¶
- Security considerations:
- Interoperability considerations:
-
n/a¶
- Published specification:
-
RFCthis¶
- Applications that use this media type:
-
Attesters, Verifiers and Relying Parties¶
- Fragment identifier considerations:
-
The syntax and semantics of fragment identifiers are as specified for "application/json". (No fragment identification syntax is currently defined for "application/json".)¶
- Person & email address to contact for further information:
-
RATS WG mailing list (rats@ietf.org)¶
- Intended usage:
-
COMMON¶
- Restrictions on usage:
-
none¶
- Author/Change controller:
-
IETF¶
- Provisional registration:
-
no¶
7.2. Measured Component Content-Format Registrations
IANA is requested to register two Content-Format numbers in the "CoAP Content-Formats" sub-registry, within the "Constrained RESTful Environments (CoRE) Parameters" Registry [IANA.core-parameters], as follows:¶
Content-Type | Content Coding | ID | Reference |
---|---|---|---|
application/measured-component+cbor | - | TBD1 | RFCthis |
application/measured-component+json | - | TBD2 | RFCthis |
8. References
8.1. Normative References
- [I-D.ietf-cbor-cddl-modules]
- Bormann, C. and B. Moran, "CDDL Module Structure", Work in Progress, Internet-Draft, draft-ietf-cbor-cddl-modules-02, , <https://datatracker.ietf.org/doc/html/draft-ietf-cbor-cddl-modules-02>.
- [I-D.ietf-cbor-cddl-more-control]
- Bormann, C., "More Control Operators for CDDL", Work in Progress, Internet-Draft, draft-ietf-cbor-cddl-more-control-04, , <https://datatracker.ietf.org/doc/html/draft-ietf-cbor-cddl-more-control-04>.
- [I-D.ietf-rats-corim]
- Birkholz, H., Fossati, T., Deshpande, Y., Smith, N., and W. Pan, "Concise Reference Integrity Manifest", Work in Progress, Internet-Draft, draft-ietf-rats-corim-04, , <https://datatracker.ietf.org/doc/html/draft-ietf-rats-corim-04>.
- [I-D.ietf-rats-eat]
- Lundblade, L., Mandyam, G., O'Donoghue, J., and C. Wallace, "The Entity Attestation Token (EAT)", Work in Progress, Internet-Draft, draft-ietf-rats-eat-27, , <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-27>.
- [IANA.core-parameters]
- IANA, "Constrained RESTful Environments (CoRE) Parameters", <http://www.iana.org/assignments/core-parameters>.
- [IANA.media-types]
- IANA, "Media Types", <http://www.iana.org/assignments/media-types>.
- [RFC2119]
- Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
- [RFC7252]
- Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, , <https://www.rfc-editor.org/rfc/rfc7252>.
- [RFC8174]
- Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
- [RFC8610]
- Birkholz, H., Vigano, C., and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, , <https://www.rfc-editor.org/rfc/rfc8610>.
- [RFC9165]
- Bormann, C., "Additional Control Operators for the Concise Data Definition Language (CDDL)", RFC 9165, DOI 10.17487/RFC9165, , <https://www.rfc-editor.org/rfc/rfc9165>.
8.2. Informative References
- [I-D.tschofenig-rats-psa-token]
- Tschofenig, H., Frost, S., Brossard, M., Shaw, A. L., and T. Fossati, "Arm's Platform Security Architecture (PSA) Attestation Token", Work in Progress, Internet-Draft, draft-tschofenig-rats-psa-token-22, , <https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-22>.
- [RFC9393]
- Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D. Waltermire, "Concise Software Identification Tags", RFC 9393, DOI 10.17487/RFC9393, , <https://www.rfc-editor.org/rfc/rfc9393>.
- [TBBR-CLIENT]
- Arm Ltd, "Trusted Board Boot Requirements Client (TBBR-CLIENT) Armv8-A", ARM DEN0006D, , <https://developer.arm.com/documentation/den0006>.
- [UEFI2]
- UEFI Forum, Inc., "Unified Extensible Firmware Interface (UEFI) Specification", , <https://uefi.org/sites/default/files/resources/UEFI_Spec_2_10_Aug29.pdf>.
Appendix A. Open Issues
The list of currently open issues for this documents can be found at https://github.com/thomas-fossati/draft-fft-rats-eat-measured-component/issues.¶
Note to RFC Editor: please remove before publication.¶
Acknowledgments
The authors would like to thank Carl Wallace, Carsten Bormann, Giridhar Mandyam and Laurence Lundblade for providing comments, reviews and suggestions that greatly improved this document.¶