《Systemization of Knowledge - Attestation in Confidential Computing.pdf》由会员分享,可在线阅读,更多相关《Systemization of Knowledge - Attestation in Confidential Computing.pdf(48页珍藏版)》请在三个皮匠报告上搜索。
1、Systemization of Knowledge:Attestation inConfidential ComputingSecuritySystemization of Knowledge:Attestation inConfidential ComputingMuhammad Usama Sardar,Research Associate,TU DresdenJoint work with Thomas Fossati,Arm Ltd.and Simon Frost,Arm Ltd.Outline1Problem Statement2Contributions3SummaryAttes
2、tation in CCRelying PartyAttesterAttestation requestAttestation in CCRelying PartyAttesterAttestation requestEvidenceAttestation in CCRelying PartyAttesterAttestation requestEvidenceData or secretsProblem StatementHolistic view of attestationProblem StatementHolistic view of attestationTEE-agnostic
3、attestation architectureProblem StatementHolistic view of attestationTEE-agnostic attestation architectureMappings to attestation architectureProblem StatementHolistic view of attestationTEE-agnostic attestation architectureMappings to attestation architectureFormal specsOutline1Problem Statement2Co
4、ntributionsHolistic ViewTEE-agnostic ArchitectureMappingsFormal SpecsDesign and Security Issues:TDXDesign and Security Issues:SCONE3SummaryOutline2ContributionsHolistic ViewTEE-agnostic ArchitectureMappingsFormal SpecsDesign and Security Issues:TDXDesign and Security Issues:SCONEHolistic View of Att
5、estationTrustworthy OperationsAttestation ProtocolInitializationProvisioningIncreasing frequencyOutline2ContributionsHolistic ViewTEE-agnostic ArchitectureMappingsFormal SpecsDesign and Security Issues:TDXDesign and Security Issues:SCONEAttestation ArchitectureLimitations of RATS(RFC 9334):cannot ex
6、presslocal attestationanonymous attestationErrata submitted for RATSOur proposed TEE-agnostic architectureEndorserReferenceValues ProviderVerifier OwnerVerifierEvidenceEndorsementsReference ValuesAppraisal Policy for EvidenceRelying PartyOwnerRelying Party Appraisal Policy for Attestation ResultsAtt
7、estation ResultsAttestation RequestAttestation ChallengeGeneration of EvidenceAppraisal of EvidenceAppraisal of Attestation ResultsAttesterLegendSupply Chain RolesAdministrative RolesMain RolesIdentity SupplierIdentityAttestation ArchitectureLimitations of RATS(RFC 9334):cannot expresslocal attestat
8、ionanonymous attestationErrata submitted for RATSOur proposed TEE-agnostic architectureEndorserReferenceValues ProviderVerifier OwnerVerifierEvidenceEndorsementsReference ValuesAppraisal Policy for EvidenceRelying PartyOwnerRelying Party Appraisal Policy for Attestation ResultsAttestation ResultsAtt
9、estation RequestAttestation ChallengeGeneration of EvidenceAppraisal of EvidenceAppraisal of Attestation ResultsAttesterLegendSupply Chain RolesAdministrative RolesMain RolesIdentity SupplierIdentityAttestation ArchitectureLimitations of RATS(RFC 9334):cannot expresslocal attestationanonymous attest
10、ationErrata submitted for RATSOur proposed TEE-agnostic architectureEndorserReferenceValues ProviderVerifier OwnerVerifierEvidenceEndorsementsReference ValuesAppraisal Policy for EvidenceRelying PartyOwnerRelying Party Appraisal Policy for Attestation ResultsAttestation ResultsAttestation RequestAtt
11、estation ChallengeGeneration of EvidenceAppraisal of EvidenceAppraisal of Attestation ResultsAttesterLegendSupply Chain RolesAdministrative RolesMain RolesIdentity SupplierIdentityAttestation ArchitectureLimitations of RATS(RFC 9334):cannot expresslocal attestationanonymous attestationErrata submitt
12、ed for RATSOur proposed TEE-agnostic architectureEndorserReferenceValues ProviderVerifier OwnerVerifierEvidenceEndorsementsReference ValuesAppraisal Policy for EvidenceRelying PartyOwnerRelying Party Appraisal Policy for Attestation ResultsAttestation ResultsAttestation RequestAttestation ChallengeG
13、eneration of EvidenceAppraisal of EvidenceAppraisal of Attestation ResultsAttesterLegendSupply Chain RolesAdministrative RolesMain RolesIdentity SupplierIdentityAttestation ArchitectureLimitations of RATS(RFC 9334):cannot expresslocal attestationanonymous attestationErrata submitted for RATSOur prop
14、osed TEE-agnostic architectureEndorserReferenceValues ProviderVerifier OwnerVerifierEvidenceEndorsementsReference ValuesAppraisal Policy for EvidenceRelying PartyOwnerRelying Party Appraisal Policy for Attestation ResultsAttestation ResultsAttestation RequestAttestation ChallengeGeneration of Eviden
15、ceAppraisal of EvidenceAppraisal of Attestation ResultsAttesterLegendSupply Chain RolesAdministrative RolesMain RolesIdentity SupplierIdentityOutline2ContributionsHolistic ViewTEE-agnostic ArchitectureMappingsFormal SpecsDesign and Security Issues:TDXDesign and Security Issues:SCONEMain Groups for A
16、ttestationVendor solutions(Intel SGX,Intel TDX,AMD SEV-SNP,IBM PEF,.)Architecture lead solutions(Arm CCA,RISC-V,.)Frameworks(SCONE,Gramine,MAA,Veraison,.)Overview of Related WorkRelated workArchitectureMapping to group 1Mapping to group 2Mapping to group 3IETF RATSCo-developed with DICENoNoNoM en et
17、rey et al.Use RATSInaccurate for SGXNoNoNiemi et al.Adapted from RATSVery high level for SGXHigh level summary for CCANoOverview of Related WorkRelated workArchitectureMapping to group 1Mapping to group 2Mapping to group 3IETF RATSCo-developed with DICENoNoNoM en etrey et al.Use RATSInaccurate for S
18、GXNoNoNiemi et al.Adapted from RATSVery high level for SGXHigh level summary for CCANoOverview of Related WorkRelated workArchitectureMapping to group 1Mapping to group 2Mapping to group 3IETF RATSCo-developed with DICENoNoNoM en etrey et al.Use RATSInaccurate for SGXNoNoNiemi et al.Adapted from RAT
19、SVery high level for SGXHigh level summary for CCANoOverview of Related WorkRelated workArchitectureMapping to group 1Mapping to group 2Mapping to group 3IETF RATSCo-developed with DICENoNoNoM en etrey et al.Use RATSInaccurate for SGXNoNoNiemi et al.Adapted from RATSVery high level for SGXHigh level
20、 summary for CCANoOverview of Related WorkRelated workArchitectureMapping to group 1Mapping to group 2Mapping to group 3IETF RATSCo-developed with DICENoNoNoM en etrey et al.Use RATSInaccurate for SGXNoNoNiemi et al.Adapted from RATSVery high level for SGXHigh level summary for CCANoArm CCA Attestat
21、ion Architecture OverviewRealm instance(RIM,REM)RAKRMMAttesting EnvironmentTarget EnvironmentRealm AttesterMonitor Security Domain(System Boot State,CCAParameters,pub(RAK)CPAKHESAttesting EnvironmentTarget EnvironmentPlatform AttesterPlatform EvidenceBindingVerifier(Platform Evidence,Realm Evidence)
22、Remote EvidenceOutline2ContributionsHolistic ViewTEE-agnostic ArchitectureMappingsFormal SpecsDesign and Security Issues:TDXDesign and Security Issues:SCONEArm CCA Evidence GenerationRAKRMMPrepare Realm claims-set including challenge and pub(RAK)Sign claims-set using RAK to form Realm EvidenceAttest
23、ation Request including challengeRMMRealmPlatform Evidence,Realm EvidencechallengePlatform Evidence,Realm EvidenceRealmVerifierpub(CPAK)VerifierFormal Analysis in ProVerifAssumptionsVerifier has preconfigured pub(CPAK)for signature verificationSecure channel between HES and RMM to transport the RAK
24、key pairAuthentication of Platform and Realm Evidencequery data:bitstring;event(accepted(data)=inj-event(sent(data).(1)Outline2ContributionsHolistic ViewTEE-agnostic ArchitectureMappingsFormal SpecsDesign and Security Issues:TDXDesign and Security Issues:SCONEClaimed TCBRoot CAcertPCK processorCA ce
25、rtPCK certAK certTD QuoteRoot CAPCKprocessor CAPCETD QETDpub(IRK)pub(PCAK)pub(AK)pub(PCK)pub(TDK)VOVOVOVOVOAKPCKPCAKIRKPCKAKTDKPCAKIRKRoot CACRLPCK processorCA CRLIRKPCAKLegendEntity on Intel key serverEntity on platformX.509 certscustom format cert-like structureCRLsVOVOTCB FixedFigure:OldFigure:Up
26、datedOutline2ContributionsHolistic ViewTEE-agnostic ArchitectureMappingsFormal SpecsDesign and Security Issues:TDXDesign and Security Issues:SCONELA vs.RAPlatform 1(Attester)Platform 2iiiCAS verifies App enclave(Platform 1)remotelySCONE CLI(Platform 3)verifies CAS remotelyPlatform 3(Relying Party)Ma
27、y not have TEE(Verifier)AKAKCPU HW and FWMAC KeysCPU HW and FWMAC KeysPCKPCKPCEPCEEKApp/Service CASiii4321iiSCONE CLIPlatform 4(CAS Owner)Administrative owner of CAS instance1324iSCONE CLI(Platform 4)verifies CAS remotelyiiiDCAP QEDCAP QESCONE RuntimeRKISV SVNIntel root CA certSCONE RuntimeREPORT3QE
28、 REPORT1Quote4AK cert2SCONE CLIPhases of SCONE AttestationInitializationAttestation ProtocolMRSIGNER and ISVPRODIDOutline1Problem Statement2ContributionsHolistic ViewTEE-agnostic ArchitectureMappingsFormal SpecsDesign and Security Issues:TDXDesign and Security Issues:SCONE3SummaryChallengesca.1500 p
29、ages of specs of TDXChallengesca.1500 pages of specs of TDXInherits specs from SGX(SDM alone ca.5000 pages)Challengesca.1500 pages of specs of TDXInherits specs from SGX(SDM alone ca.5000 pages)Specs in natural languageChallengesca.1500 pages of specs of TDXInherits specs from SGX(SDM alone ca.5000
30、pages)Specs in natural languageClosed-source nature of SCONETake-homeTowards TEE-agnostic verification infrastructure for transparency andinteroperabilityTDX:how do we precisely express trust boundaries?SCONE:when do we say that something is attested?Lots of work required for precise specification a
31、nd standardization forunderstanding underlying assumptionsIntegration with TLS(RA-TLS)Integration with vTPMTake-homeTowards TEE-agnostic verification infrastructure for transparency andinteroperabilityTDX:how do we precisely express trust boundaries?SCONE:when do we say that something is attested?Lo
32、ts of work required for precise specification and standardization forunderstanding underlying assumptionsIntegration with TLS(RA-TLS)Integration with vTPMTake-homeTowards TEE-agnostic verification infrastructure for transparency andinteroperabilityTDX:how do we precisely express trust boundaries?SCO
33、NE:when do we say that something is attested?Lots of work required for precise specification and standardization forunderstanding underlying assumptionsIntegration with TLS(RA-TLS)Integration with vTPMTake-homeTowards TEE-agnostic verification infrastructure for transparency andinteroperabilityTDX:h
34、ow do we precisely express trust boundaries?SCONE:when do we say that something is attested?Lots of work required for precise specification and standardization forunderstanding underlying assumptionsIntegration with TLS(RA-TLS)Integration with vTPMTake-homeTowards TEE-agnostic verification infrastru
35、cture for transparency andinteroperabilityTDX:how do we precisely express trust boundaries?SCONE:when do we say that something is attested?Lots of work required for precise specification and standardization forunderstanding underlying assumptionsIntegration with TLS(RA-TLS)Integration with vTPMTake-
36、homeTowards TEE-agnostic verification infrastructure for transparency andinteroperabilityTDX:how do we precisely express trust boundaries?SCONE:when do we say that something is attested?Lots of work required for precise specification and standardization forunderstanding underlying assumptionsIntegration with TLS(RA-TLS)Integration with vTPMCall to ActionSpecify your protocols used in OCP projects using presentedarchitecture and proposed formalismAdditional information:link here