]> Taxonomy of Composite Attesters Sandelman Software Works
mcr+ietf@sandelman.ca
Fraunhofer SIT
henk.birkholz@ietf.contact
Arm
yogesh.deshpande@arm.com
Linaro
thomas.fossati@linaro.org
Internet RATS Working Group Internet-Draft This document clarifies and extends the meaning of Composite Attester from RFC9334. A system of annotated diagram components is defined as a small language to explain the different ways that components can interact to form composites. These diagram components are then used to define a few popular classes of composites. About This Document Status information for this document may be found at . Discussion of this document takes place on the rats Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction This document clarifies and extends the meaning of Composite Attester from . A system of anotated diagram components are defined to allow relationships to be expressed consistently. These diagram components are then used to describe a number of classes of Composite Attester which are being seen in the nascent Remote Attestation industry. These classes are representative, but are not intended to be complete: more complexity, more layers and more sub-components are always possible. The aim is to describe the Composite Attester topology in a way that helps understanding the resulting Evidence composition that flows from the Attesting Environment(s), to the Verifier(s). Additionally, there is a need for freshness artifacts is flow in the opposite direction, and in Composite Remote Attestation, the amount of freshness and origin of the freshness needs to be understood.
Caveats of Current Definition says:
A composite device is an entity composed of multiple sub-entities such that its trustworthiness has to be determined by the appraisal of all these sub-entities. Each sub-entity has at least one Attesting Environment collecting the Claims from at least one Target Environment. Then, this sub-entity generates Evidence about its trustworthiness; therefore, each sub- entity can be called an "Attester". Among all the Attesters, there may be only some that have the ability to communicate with the Verifier while others do not.
In this description, it was left vague as to whether or not each Attesting Environment signs the Evidence that it generates, and whether or not the Evidence is evaluated by a Verifier operated by the Lead Attester, or if it's passed by the Lead Attester along with the Evidence from the Lead Target Environment.
Terminology
Lead Attester:
This term is from RFC9334, and includes the (Lead) Attesting Environment, and the (Lead) Target Environment.
Target Environment:
This term is from RFC9334, this refers to the environment for which Evidence is gathered.
Attesting Environment:
This term is from RFC9334, this refers to the thing which gathers the Evidence.
Component:
This is the pieces which are attached to the Lead Attester. There are one to many of these, typically each with their own application specific processor.
Component Evidence:
This is the Evidence that is collected by the Component Attesting Environment about the Component Target Environment.
Component Attesting Environment:
This term is new, and refers to an Attesting Environment residing inside a component of the whole.
Component Target Environment:
This term is new, and refers to an environment for which Evidence is collected.
Local Verifier:
When an Attesting Environment appraises Evidence from another Attesting Environment, then it operates as a Local Verifier. Mere examination of the signature on the Evidence (perhaps using a local credential) is not appraisal.
Local Validation:
in some classes, Evidence is passed around, and must remain integral.  Local Validation involves checking the authenticity of the end-point. This could involve a signature, or require physical security of that end-point.
Verifier le petit:
(Or, "Le Petit Verificateur"). This is the Verifier that examines the Component Evidence. This may treat the Lead Attester as a component.
Verifier le grand:
(Or, "Le Grand Verificateur"). This is the Verifier that examines the arrangement and relationships between Components.
Notation System This notation system is used in subsequent examples to compose more complex system. The notations presented here should be considered in analogy to atoms in Chemistry, with the composed class examples below, to be molecules. (Alternatively, the notations here are Baryons and Leptons in the Standard Model of Physics, with examples being atoms of the periodic table) This process was developed when it was realized that the set of classes that could be formed via Composition was unbounded, and so any attempt to enumerate them all would never end.
Nodes
Conveyer A Conveyer is a system component that produces or relays Conceptual Messages. It is represented by a rectangular shape with rounded corners. The following sections describe specialised types of Conveyors.
Attester An Attester is a special kind of Conveyer which produces Evidence. TE AK Internally, it is composed of an Attesting Environment, identified by the attestation key (AK), and a Target Environment (TE), i.e., the Trusted Computing Base (TCB) measured by the Attester. An Attester exposes the following Interface (see ):
Direction Name Description Mandatory
IN Nonce Fixed size parameter (typically 32 or 64 bytes) used to bind the produced Evidence to a randomly selected parameter chosen by the caller. Y
IN UserData Typically a variable-size parameter that allows the binding of arbitrary application data (e.g., an authentication key held by a confidential computing workload) to the attestation Evidence. N
IN ClaimsSelection A parameter that allows the user to select which claims should appear in the Evidence. The format is attester-specific (e.g., PCR selection for TPM-like attesters) N
OUT Evidence The Evidence signed by the AK. It contains either the full set of claims or a subset thereof, as well as the nonce supplied by the caller and any user data. Y
OUT OtherData Related Conceptual Messages, such as Attestation Results, Endorsement, etc. N
Connectors
Interface An Interface is connected to a Node (such as an Attester) and outputs a RATS Conceptual Messages. It is represented by a T-shaped connector. An Interface has a name and some input and output parameters. Input and output parameters are defined by their name and type. A ? signals an optional parameter. TODO: align this with Attester's interface description.
Depends-on The Depends-on connector describes a chain of trust between two adjacent Attesters within a layered attester arrangement. Examples of such an arrangement include DICE and Arm CCA in delegated mode. It is represented by an arrow connector pointing from the dependent node to the dependent node, i.e. from the "higher" to the "lower" component in the chain of trust. B depends-on A
Router TBD
Trusted HW path TBD - it may be an implementation detail rather than a conceptual relation between attesters.
Collection (Bus) A Collection connector describes the collection of Conceptual Messages. Binder A B A lead Attester is responsible for the binding function. A binder is one of:
  • Signature of the lead Attester
  • Projection
The signature of the lead Attester can bind over a broadcast nonce. A Projection is described as a topo-sorted set of (src, dst) tuples.
Example of Notation System
CCA Delegated RSI ABI (nonce[64]) TE: wkl Realm AK: RAK depends-on TE: RMM Platform AK: CPAK
Class 0 API TE: TE AK: LAK Or API TE: <> <> AK: LAK TE: VGA TE: SCSI AK: <> AK: <> | .---------------. +---------+----->| <> | | AK: LAK | '-+-----------+-' '---------' | | .--+------. .--+-------. | TE: VGA | | TE: SCSI | +---------+ +----------+ | AK: <> | | AK: <> | '---------' '----------' ]]>
Class 1 API TE: A Binding=? AK: LAK TE: B TE: C AK: BK AK: CK | Binding=? | | AK: LAK | '-+-----------+-' '---------' | | .--+------. .--+-------. | TE: B | | TE: C | +---------+ +----------+ | AK: BK | | AK: CK | '---------' '----------' ]]> Notes:
  1. A seems to have both lead and "normal" attester functionality
  2. Binding between collection entries is unspecified
  3. is CMW signed or not?
Questions:
  1. scope of LAK: the signing key over the collection CMW, or signing key over Target A, or both?
Class 2 Verifier B RP Conveyer C A Binding=? TE: <> AK: LAK +--+ B | .---------+-. | | '-' | RP +----+ +-----------+ | | .-. | Conveyer | '---->+--+ C | '-----+-----' .-. | '-' | | A | | '+' | | -+- -+- ^ ^ | | .-+-----------+-. | Binding=? | '------+--------' | .--+-------. | TE: <> | +----------+ | AK: LAK | '--+-------' | -+- ]]> Questions and notes are the same as Class 1. Besides, there are further questions:
  1. a question whether a lead attester is in front of B and C
  2. a question about unnecessary conflation of RP/Verifier and Lead attester -- they probably need to be modelled as separate entities
Composite Attesters Examples (EDNOTE: the diagrams in this section will get rewritten using the notation system abover)
Class 0 Composite Attester In this first, somewhat degenerate scenario, the Lead Attester has access to the entire memory/environment of all of the components. Examples of situations like this include classic PCI-buses, ISA-buses, VME, S100/IEEE 696-1983. In these situations, secondary components might not boot on their own. (It might even be that the lead environment (the chassis) will place code into RAM for these systems, with no ROM at all) In this case, it is possible for the Lead Attesting Environment to collect Claims about each of the components without the components having to have their own Attesting Environment. There is no Verifier le petit, since there are no components that can create Evidence other than the Lead Attester. At this Class, all of these components can be considered part of the same system. In the classic PCI or ISA environment, the components are hard drive interfaces, video interfaces, and network interfaces. For many such systems considering the system to be a composite is unncessary additional complexity. The benefit of applying the composite mechanism in this case is that it is no longer necessary to consider the exhaustive combinatorics of all possible components being attached to the lead attester. It is, for instance, already the case the reference values for a target environment may change depending upon how much memory is installed in the target environment. In this degenerate, or Class 0 Composite Attester, the Claims gathered about the components would be included in the Lead Attester's signed Evidence (such as an EAT), as sub-components in UCCS form . The signature from the Lead Attester applies to all the Claims, but the Verifier can evaluate each component separately.
Class 0 Composite Attester Verifier Target Environ Evidence includes: VGA SCSI - SHA256(VGArom) rom rom - SHA256(SCSIrom) - SHA256(boot rom) Claims Collect Claims Attesting Environment Chassis | Environment | | | '-------------' | | | '----------------------Chassis--------------------' ]]>
However, more modern buses like PCIe, InfiniBand, Thunderbolt, DisplayPort, USB, Firewire and others do not provided direct electrical access to target component system memory. While some seem to be very high speed serialized versions of the old I/O buses, there is a network-like protocol, and non-trivial deserialization occurs at each end. That implies that there can be mutable firmware in each component which mitigates access. That firmware itself might not be trustworthy. If it can even be seen by the Lead Attester, the mitigation mechanism can present whatever view the Lead Attester expects to see. So, a system with such interfaces would be a Class 1.
Class 1 Composite Attester In this Class, each component or slot has its own Attesting Environment and hence produces its own signed Evidence. RFC 9334 gives the following example:
For example, a carrier-grade router consists of a chassis and multiple slots. The trustworthiness of the router depends on all its slots' trustworthiness. Each slot has an Attesting Environment, such as a TEE, collecting the Claims of its boot process, after which it generates Evidence from the Claims.
The Lead Attester simply relays the Evidence along with its own:
Among these slots, only a "main" slot can communicate with the Verifier while other slots cannot. However, other slots can communicate with the main slot by the links between them inside the router. The main slot collects the Evidence of other slots, produces the final Evidence of the whole router, and conveys the final Evidence to the Verifier. Therefore, the router is a composite device, each slot is an Attester, and the main slot is the lead Attester.
Note that the Lead Attester does not evaluate the Evidence, and does not run its own Verifier.
Class 1 Composite Attester Verifier Evidence-Collection CMW Target A 1: CMW(Evidence(Attester A) Environ 2: Evidence(Attester B) 3: Evidence(Attester C)) Collect Claims Evidence B Attester B Attesting Environment Attester C Attester A Evidence C Lead Attester Composite Device | Environment | | .--------------. | | | '-------------' |<------------| Attester C | | | | Attester A | Evidence C | | | | '-----------Lead Attester----------' '--------------' | | | .---------------------------Composite Device---------------------------. ]]>
This diagram is intended to be identical to Figure 4 of , but has been stretched out to allow the relationship to other classes to be clearer.
Class 2 Composite/Hybrid Attester In this scenario, the Components relay their Evidence to the Lead Attester. The Lead Attester operates a Verifier itself. It evaluates the Components' Evidence against Reference Values, Endorsements, etc. producing Attestation Results These Attestation Results (or their selectively disclosed version: SD-CWT/SD-JWT) are then included as part of the Lead Attester's Evidence to it's remote Verifier, using the RATS Concise Message Wrapper (CMW) Also the Lead Attester's Verifier can be a target environment, whose claims can be reported in Lead Attester Evidence. This ensures that the remote Verifier can fully trust the verification done by Lead Attester.
Class 2 Composite Attester Lead Verifier Evidence-Collection CMW Target A 1: CMW(Evidence(Attester A), Environ 2: AR(Attester B) 3: AR(Attester C)) Collect Claims Attesting Environment + RP Attester A Evidence B Attester B AR(Attester B) AR(Attester C) Chassis Attester C Component Evidence C Verifier Chassis A | Environment | | | | | | + RP | | | | | Attester A '-------------' | Evidence B .------------. | | | ^ | .------------| Attester B | | | | | | | '------------' | | | | | | | | | AR(Attester B)| | | | | | AR(Attester C)| | |<---. | | | .-------------. | | | .------------. | | | | Chassis | | | '-------| Attester C | | | | | Component |<----'Evidence C '------------' | | | | Verifier | | | | | '-------------' | | | '-----------------------------------' | '-----------------------------Chassis A---------------------------------' ]]>
The Verifier's signing credentials may be part of the same Attesting Environment as the Evidence signing credential used by the Lead Attesting environment. Or they could be in a different environment, such as in a different TEE.
Class 3B Composite Background-Check Attester In this scenario, the Components relay their Evidence to the Lead Attester. The Lead Attester does not operates a Verifier itself. Instead, the Lead Attester, conveys the Evidence to the Lead Verifier along with it's own Evidence. The Component Evidence is not placed within the Lead Attester's Evidence (DEBATE). The Lead Attester needs to communicate how each component is attached, and that would be within its Evidence.
Class 3B Composite Background-check Attester Lead Component Verifier Verifier Evidence-Collection CMW Target A 1: CMW(Evidence(Attester A), Environ 2. Evidence(Attester B) 3: Evidence(Attester C)) Collect Claims Attesting Evidence B Environment Attester B Attester A Evidence C Attester C Chassis A | Environment | |<--------------| Attester B | | | | '-------------' | '------------' | | | | | | | Attester A | Evidence C .------------. | | | |<--------------| Attester C | | | '------------------------------------' '------------' | '-----------------------------Chassis A---------------------------------' ]]>
The Lead Verifier, acting a Relying Party, connects to Component Verifiers capable of evaluating the Component Evidence, retrieving Attestation Results from those Verifiers as part of evaluating the Lead Attester. This case is similar to Class 1, however the integration of the component attestation results in Class 1 is not included in the Evidence, while in this case, it is.
Class 3P Composite Passport-Model Attester In this scenario, the Components relay their Evidence to the Lead Attester. The Lead Attester does not operates a Verifier itself. Instead, the Lead Attester, acting as a Presenter (term To-Be-Defined), connects to an appropriate Verifier, in passport mode. It retrieves an Attestation Result from the Verifier, which it then includes within the Evidence that the Lead Attester produces. The Lead Attester's Verifier considers the Components during it's assessment. It needs to consider if the component has been assessed by a Verifier it trusts, if the component is appropriately connected to the Lead Attester, and if there are an appropriate number of such components.
Class 3P Composite Password Attester Lead Verifier Evidence-Collection CMW 1: CMW(Evidence(Attester A), Target A 2: AR(Attester B) Environ 3: AR(Attester C)) Collect Claims Evidence B Attester B Attesting Environment Evidence C Attester C Attester A Chassis A Evidence-> <- Results Component B,C Verifier(s) | Environment | | Evidence C .------------. | | | '-------------' |<---------------| Attester C | | | | | '------------' | | | Attester A | | | '------------------------------------' | '-------------------------------Chassis A------------------------------' ^ | | | | Evidence-> | <- Results .---------------. | Component B,C | | Verifier(s) | '---------------' ]]>
For instance, when accessing a vehicle such as a car, where each tire is it's own component, then a car with three wheels is not trusthworthy. Most cars should have four wheels. A car with five wheels might be acceptable, if at least one wheel is installed into the "spare" holder. (And, it may be of concern if the spare is flat, but the car can still be operated) A more typical digital use case would involve a main CPU with a number of attached specialized intelligent components that contain their own firmware, such as Graphical Processors (GPU), Network Processors (NPU).
Class 4 Dual Composite Attester In certain systems, it is possible to have two independent Attesting Environments in an Attester to collect claims about a single Target Environment. In such cases, one of the Attesting Environment, acts as a Primary, while the other acts as a Secondary Attesting Environment. The two Attesting Environments will have a fixed and collaborative structure where each can be responsible for a subset of Evidence. Because of the collaborative structure it may be arranged that either of the Attesting Environment can present Evidence collected by the other (but this is deployment specific).
Class 4 Composite (Dual) Attester Verifier Evidence-Collection CMW Target A 1: CMW(EAT(Target A)) Environ Collect Claims Attesting 2 Attesting 1 Environment Environment Partial Evidence (signed) | Environment | '-------------' | | '-------------' ^ | | | | | | | | | | '-----Partial -----' | | Evidence | | (signed) | | | | | '-------------------------------------------------------' ]]>
Example of one such system is a CPU system of a desktop from a Vendor X, which has its built in Attesting Environment, integrated into a product Y which requires a mandatory TPM support. (EDIT: This example to be clarified) There is an assumption that the Attesting Environment 1 (AE1) "trusts" Attesting Environment 2 (AE2), which means that AE2 has to verify the signature from AE1, otherwise AE2 can become a "signing fool". This verification can be based upon a local credential. In such situations one can anchor the Roots of Trust of Vendor X's CPU Attestation using a secondary Attesting Environment with the TPM Attestation. Alternatively, generate a TPM Quote and anchor it to Root of Trust of CPU Attestation based of Vendor X's Attesting Environment. A Verifier/RP may decide to direct the Attestation Request to an AE of choice to reflect the relevant subset of Evidence required for trust asssessment.
Class 5 Mixed Composite Attester As soon as there is more than one Component, it is reasonable that the different Components interact with the Lead Attester in different ways. A Mixed Composite Attester would have a components that come from different classes. This is not a class itself, but a class of classes. Degenerately, all previous classes can be considered mixes of one, but such a trivial category does not help discussionn. Except that adding/moving/replacing Components in the field can change things, so some system architectures will need to always consider themselves to be Mixed Composite Attesters, even if when shipped, they might be degenerate instances.
Attestation Results as Evidence In cases 2, 3B and 3P Attestation Results are included as Evidence. This results in a Verifier that must evaluate these results. It must be able to validate the signatures on the Evidence. This creates stacked Remote Attestation. This is very much different and distinct from Layered Attestation. Layered Attestion produces a single set of Evidence, with claims about different layers.
Privacy Considerations YYY
Security Considerations ZZZ
Nonce Architecture In all classes other than the class 0 and class 1, there are cases that multiple (local or external) Verifiers exist in the system. To address the conflict between different nonces generated by different Verifiers, there are possible candidate solutions as follows
  • Using one unique nonce from one external Verifier: This Verifier initiates the attestation progress and other Verifiers use the same nonce to challenge their corresponding Attesters. To ensure the integrity of the nonce, this nonce SHOULD be signed by this initial Verifier.
  • Each Verifier uses their own nonce: The Evidence in such a case is the mixing of certain Evidences and Attestation Result-as-Evidences. The receiver of the Attestation Results (the Attester) can apply the technique in to ensure the freshness of the Attestation Result-as-Evidences.
IANA Considerations
Acknowledgements Jun Zhang contributed the terms "Le Petit" and "Le Grand" to qualify Verifier, the original thought for Class 5 Composite Atteser and the description of the Nonce architecture.
Changelog
References Normative References Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Remote ATtestation procedureS (RATS) Architecture In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols. RATS Conceptual Messages Wrapper (CMW) Fraunhofer SIT Independent Linaro University of Applied Sciences Bonn-Rhein-Sieg Google LLC The Conceptual Messages introduced by the RATS architecture (RFC 9334) are protocol-agnostic data units that are conveyed between RATS roles during remote attestation procedures. Conceptual Messages describe the meaning and function of such data units within RATS data flows without specifying a wire format, encoding, transport mechanism, or processing details. The initial set of Conceptual Messages is defined in Section 8 of RFC 9334 and includes Evidence, Attestation Results, Endorsements, Reference Values, and Appraisal Policies. This document introduces the Conceptual Message Wrapper (CMW) that provides a common structure to encapsulate these messages. It defines a dedicated CBOR tag, corresponding JSON Web Token (JWT) and CBOR Web Token (CWT) claims, and an X.509 extension. This allows CMWs to be used in CBOR-based protocols, web APIs using JWTs and CWTs, and PKIX artifacts like X.509 certificates. Additionally, the draft defines a media type and a CoAP content format to transport CMWs over protocols like HTTP, MIME, and CoAP. The goal is to improve the interoperability and flexibility of remote attestation protocols. Introducing a shared message format such as CMW enables consistent support for different attestation message types, evolving message serialization formats without breaking compatibility, and avoiding the need to redefine how messages are handled within each protocol. Informative References DICE Layering Architecture Trusted Computing Group Arm's Confidential Compute Architecture Reference Attestation Token Arm Limited Linaro Mediatek Inc The Arm Confidential Compute Architecture (CCA) is series of hardware and software innovations that enhance Arm’s support for Confidential Computing for large, compute-intensive workloads. Devices that implement CCA can produce attestation tokens as described in this memo, which are the basis for trustworthiness assessment of the Confidential Compute environment. This document specifies the CCA attestation token structure and semantics. The CCA attestation token is a profile of the Entity Attestation Token (EAT). This specification describes what claims are used in an attestation token generated by CCA compliant systems, how these claims get serialized to the wire, and how they are cryptographically protected. This informational document is published as an independent submission to improve interoperability with Arm's architecture. It is not a standard nor a product of the IETF. A Concise Binary Object Representation (CBOR) Tag for Unprotected CBOR Web Token Claims Sets (UCCS) This document defines the Unprotected CWT Claims Set (UCCS), a data format for representing a CBOR Web Token (CWT) Claims Set without protecting it by a signature, Message Authentication Code (MAC), or encryption. UCCS enables the use of CWT claims in environments where protection is provided by other means, such as secure communication channels or trusted execution environments. This specification defines a CBOR tag for UCCS and describes the UCCS format, its encoding, and its processing considerations. It also discusses security implications of using unprotected claims sets.