...

  1. Implement the recommendations of the TCG Remote Attestation Protocol (TAP), with EVE as the attester and EVC as the verifier, i.e. use the TPM to measure the boot sequence into Platform Configuration Registers (PCRs).
  2. On top of the TCG solution, propose a mechanism for self-locking: seal the decryption key for the encrypted volumes using PCRs (for self-locking under offline/tampered conditions). This addresses the unique operational requirements of EVE at the Edge.
  3. Escrow the encrypted volume key with the Controller during the upgrade.

...

  1. Fetches the certificates used by EVC, e.g. the X.509 certificate chain used to sign AuthContainers. If EVC is not reachable, uses the cached copy of the certificates.
  2. Tries to retrieve the UUID provisioned in EVC for this EVE instance. If EVC is not reachable, uses the cached copy of the UUID last received from EVC.
  3. Attempts to unseal the key in the TPM. If unsuccessful, waits for the encrypted Volume Storage Key from EVC, which EVC publishes post-attestation through the configuration response.
  4. Whenever HTTP error 403 is received from EVC, starts a new attestation cycle with EVC:
    1. First, EVE requests a nonce from EVC to include in the PCR quote as a freshness proof.
    2. Interacts with TPM Mgr to prepare a PCR quote with this nonce value as user-data.
    3. Then it generates a random value to propose as the Integrity-Token.
    4. Finally, sends the attestation request with the following fields:
      1. The new Integrity-Token value
      2. PCR Quote
      3. TPM Event Log
      4. Image version (EVE and Firmware)
  5. Whenever the attestation response is successful, stores the Integrity-Token (included in EVC's reply to the attestation request) in a memory-mapped file (not on disk). Since the Integrity-Token is volatile, a device reboot automatically triggers re-attestation.
  6. If attestation fails, it is re-attempted periodically.
  7. Configuration is requested at periodic intervals, with the Integrity-Token (or without it, which triggers error 403).
  8. If the config response contains an attestation error (i.e. HTTP error 403), triggers an attestation request immediately.
  9. Even if attestation is successful, EVC can choose to invalidate the Integrity-Token periodically (say every few hours) to re-trigger attestation. Since the Integrity-Token is invalidated, the next config request from EVE will receive the same HTTP 403 error code, which re-triggers attestation.

...

Since EVE must present PCR quotes in both cases (otherwise the config request fails with error 403), EVC can examine the PCR quote to see whether it matches the PCR quote of the EVE version it expects EVE to be running. In other words, for EVC to differentiate between approved and unapproved image versions, one must mark the supported EVE image versions as "approved" by entering their corresponding measurement values expected in the TCG measurement sequence (since multiple values can be extended into a single PCR). With the help of this "list of approved measurements", EVC can correlate the entries in the TPM Event Log to confirm that the boot chain with the modified software image is trusted and expected.

It is possible that rogue software might, after reboot, not send any config request at all and still try to access the contents on the disk, such as credentials and sensor feed data, from the Edge Container Volumes. But the decryption key for these encrypted volumes (the Volume Storage Key) is not stored anywhere in memory or on disk; rather, it is sealed with the PCR values of the previous software version. The only other way to get this key is from EVC, and EVC shares it only on successful attestation. Through this "escrow" mechanism (a backup of the encrypted key material held by EVC), EVC ensures that only approved EVE images can access protected resources like Edge Container Volumes. Since the PCR quote is always generated with a nonce given by EVC from time to time, the nonce provides a freshness proof for the quote, and rogue software cannot copy a PCR quote from a supported EVE version and pretend that it is the latest quote.
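The attestation cycle in the numbered list above and the verifier-side checks in this paragraph (nonce freshness, replaying the TPM Event Log against the list of approved measurements, HTTP 403 on a missing or invalidated Integrity-Token), as an added, simplified model that is not EVE's or EVC's own code. Assumptions: measurements are raw byte strings, the event log is a list of (PCR index, measurement) pairs, and an HMAC under a constructed shared key stands in for the TPM attestation-key signature over the quote.

```python
import hashlib, hmac, secrets

def extend(pcr, measurement):
    # TPM PCR extend: new PCR = SHA-256(old PCR || measurement)
    return hashlib.sha256(pcr + measurement).digest()

def replay_event_log(event_log):
    # Replay a TPM event log [(pcr_index, measurement), ...] into final PCR values
    pcrs = {}
    for idx, m in event_log:
        pcrs[idx] = extend(pcrs.get(idx, bytes(32)), m)
    return pcrs

def quote_digest(pcrs, nonce):
    # What a PCR quote attests: the selected PCR values bound to the verifier's nonce
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs)) + nonce).digest()

class Attester:  # EVE side (simplified)
    def __init__(self, ak, event_log):
        self.ak, self.event_log = ak, event_log   # ak: stand-in for the TPM attestation key
        self.pcrs = replay_event_log(event_log)   # what the TPM holds after this boot
    def quote(self, nonce):
        d = quote_digest(self.pcrs, nonce)
        return {"nonce": nonce, "digest": d, "sig": hmac.new(self.ak, d, "sha256").digest()}

class Verifier:  # EVC side (simplified)
    def __init__(self, ak, approved):
        self.ak, self.approved = ak, approved     # approved: expected boot-chain measurements
        self.nonces, self.tokens = set(), set()
    def issue_nonce(self):
        n = secrets.token_bytes(16); self.nonces.add(n); return n
    def attest(self, quote, event_log, proposed_token):
        if quote["nonce"] not in self.nonces:
            return 403, "unknown or reused nonce (no freshness proof)"
        self.nonces.discard(quote["nonce"])       # single use: a replayed quote fails here
        if not hmac.compare_digest(quote["sig"], hmac.new(self.ak, quote["digest"], "sha256").digest()):
            return 403, "bad quote signature"
        if not hmac.compare_digest(quote_digest(replay_event_log(event_log), quote["nonce"]), quote["digest"]):
            return 403, "event log does not reproduce the quoted PCRs"
        if any(m not in self.approved for _, m in event_log):
            return 403, "unapproved measurement in boot chain"
        self.tokens.add(proposed_token)
        return 200, proposed_token
    def config(self, token):
        # Config request: a missing or invalidated Integrity-Token yields HTTP 403
        return (200, "config") if token in self.tokens else (403, "attestation required")

def attestation_cycle(eve, evc):
    # Steps 4.1-4.4 and 5 of the list: nonce, quote, proposed Integrity-Token, response
    nonce, token = evc.issue_nonce(), secrets.token_bytes(16)
    status, _ = evc.attest(eve.quote(nonce), eve.event_log, token)
    return status, (token if status == 200 else None)   # token is kept in memory only
```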

...