-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
authority baselines and authority delegation (was authorized-by appears to be a security flaw) #244
Comments
I think one way to address unsoundness is to remove authorized-by from measurement-map and add an optional ‘authorities’ entry to ‘stateful-environment-record’. |
This isn't the intended semantics of We think AEs are not likely to need this, so it is excluded from Evidence. But it is reasonable that X could be applied to RVs or Endorsements. The suggested change: would have the same semantics as
In both structures, the authority is used as a matching condition that determines if B did in fact assert X. In the case above, authority and environment-map are the matching condition, and environment-map and measurement-map are the addition (which is added under the authority of the RIM signer - A). An internal representation is supposed to keep track of the dynamic that A says B says X. I don't think the current internal representation using ECTs is sufficient to represent this dynamic. We could modify ECT so that there is an outer authority. I'll use
By defining a nested ECT:
Policy can be changed to:
This would allow expressions such as:
It would be interpreted as: A says [ B says (x0, x1) ] As a policy, it is applied after all the inputs are processed, including an input that includes: B says (x0, x1) If an RP has policy that says A is trusted, but is silent about B. Then the statement asserted by A (that B says (x0, x1)) would evaluate to true and be eligible as a matching condition for attestation results. Something to consider is whether it makes sense to restrict transitive trust statements like A says B says X to policy statements or if these should still be supported by Endorsements and RV statements. More complex transitive trust statements such as: If downstream suppliers beyond the first supplier need to be authorized, the originator (A) can do something like: If we see value in restricting transitive trust statements to policies, then we might consider a new triple: This approach might have some beneficial flexibility such as allowing statements like "A says B says -any-" by:
where the absence of We wouldn't want to complicate RV and Endorsement with such semantics IMO. |
I'm not so much asking for a hearsay triple as I am confused by the intended semantics. I can propose some words to make the role of This makes me wonder if we accept cycles or if we reject them.
or
Both seem like valid interpretations, but a simple fixed point calculation would not collapse the co-dependence, and thus rejection is easier to implement. I can also see resolving bounded length cycles by having primary endorsement keys and hedged-n-levels endorsement keys to stratify the trust relationship. I'd thus err on the side of rejection for simplicity. Regarding
This doesn't match the words in the document, which is simply that the ACS ends up saying "both A and B say X", unless you have some order dependence in the authorized-by codepoint processing, which I don't see any evidence of. Sure, you might only say "A says X only if B says X" in your CoRIM, but that relationship is lost and irrelevant unless we add hearsay triples (which I don't want). |
In a sidebar with Thomas, he suggested defining a new triple for doing authority delegation as a way to compare and contrast current use of Authority is delegated using a triple.
Since ECT is a common building block (used in above example) but is intended as an internal representation. I'll define External ECT (EECT) as follows:
If the acs-conditions are met, the delegation record is applied. I don't think it makes sense to put delegations in the ACS since they are policy statements rather than actual Attester state. Note that this CDDL is an external representation. An internal representation of delegations may require a different structure than an ECT. Possibly, a nested ECT as defined above A delegation record describes what is delegated:
|
Thanks @nedmsmith for putting forward a proposal. The statement we need to model is, I think, the following:
Where:
This allows us to say things like:
etc. In CDDL, this could be expressed as:
Morphing it into a triple shape is a matter of rearranging and grouping things, but I believe the highlighted types are the core ones. In particular, it looks like we need |
Stepping back from just how the wildcarding is supposed to be expressed, I want to make sure I understand the concept. What’s the theory of operation?
is that about right? If some CoRIM measurement-map/authority (say, B) is compared against, it’s that CoRIM’s issuer (C) that wants the ECT to be signed by B. But integrator (I) signed a delegation that B can delegate to D for anything. Let’s say D signs the corim that would otherwise match that C wants. If we have a list of all ects in the ACS that match without considering authority, we then need to check delegations. D is allowed to sign for B if you trust I to provide delegations. So now the C-signed corim triple gets added to the ACS with authorities C(if you trust I), B(if you trust I), and D. The delegated authority becomes infectious for anything that depends on the authority to match, until you get first-hand knowledge that oh, B actually signed the data first hand, and now we need to backtrack to all the provisional assignments to make them direct authorities? Probably the verifier would want to ensure that I is certainly trusted to assign delegations as a matter of a priori policy to remove this complicated provisional authority tracking. Does this pass our litmus tests?
Vertical integration I would say specialized versions of a linux distribution can delegate pcrs 0-10,12-15 to the main distribution while they sign their own measurements for higher pcrs. That’s not expressible with the proposed syntax since it’s too coarse to limit to specific integrity registers. Say it were. S: special version authority So pcrs are messy. Lets say we have signed CELRs instead and some policy for safely rearranging them for the verifier to then add an ECT that measured boot passes a TPM integration policy. However it’s do e, it’s not the most important thing. Say we allow delegating delegations but only within the scope of what has been delegated. Does S authorize the firmware measurement? S let D authorize it as if it were S. D let G authorize as if it were D (which is also as S), G let H authorize it as if it were G (which is also as D and then S), etc with cascading authority additions. So S authorizes the firmware. That test failed with the current proposal. What about test 2? I’ll edit this later when I’m not getting pulled away. |
I tried working out test 2 and it's not worth sharing. I confused myself with the It does appear that test 2 would pass if you allow every delegated authority to sign any pcr index value, but that's generally not what I'd want to express. |
I don't think it's appropriate at all for X to sign a document that Y is the one that actually authorized the claims. There is no signature by Y. This is a clear spoofing problem. Even if the Verifier is supposedly forwarding an authorization that it had previously seen by including it in the CoRIM, I don't think that Y has delegated that authority to the Verifier. The Verifier would need to use a "hearsay" claim that it had already shown that Y authorized the claim.
The text was updated successfully, but these errors were encountered: