Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added TPM verification clarifications #966

Closed
wants to merge 1 commit into from
Closed

Added TPM verification clarifications #966

wants to merge 1 commit into from

Conversation

yackermann
Copy link
Contributor

@yackermann yackermann commented Jun 22, 2018

Ref #929


Preview | Diff

@yackermann
Copy link
Contributor Author

cc @akshayku

@yackermann
Copy link
Contributor Author

cc @apowers313

@yackermann
Copy link
Contributor Author

Ref #950

Copy link
Contributor

@equalsJeffH equalsJeffH left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for clarifying this stuff @herrjemand -- just a few rough edges to polish it seems.

- Note that the remaining fields in the "Standard Attestation Structure" [[TPMv2-Part1]]
section 31.2, i.e., `qualifiedSigner`, `clockInfo` and `firmwareVersion` are ignored.
These fields MAY be used as an input to risk engines.

If |x5c| is present, this indicates that the attestation type is not [=ECDAA=]. In this case:
- Verify the |sig| is a valid signature over |certInfo| using the attestation public key in |x5c| with the
algorithm specified in |alg|.
- Verify certificate chain in |x5c| against attestationRootCertificates in Metadata Statement specified by AAGUID in authData.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should have this match how we elsewhere mention the metadata service.
suggest:

- If the prior step was successful, obtain a list of acceptable 
trust anchors (attestation root certificates) for the [=AttCA=] 
attestation type and attestation statement format `tpm`, from 
a trusted source or from policy. For example, the FIDO 
Metadata Service [[FIDOMetadataService]] provides one 
way to obtain such information, using the 
<code>[=aaguid=]</code> in the 
<code>[=attestedCredentialData=]</code> in |authenticatorData|.
- Verify certificate chain in |x5c| against the trust anchors 
obtained in the prior step.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

scratch the above, see below.

@@ -3430,15 +3430,16 @@ engine.
- Verify that `extraData` is set to the hash of |attToBeSigned| using the hash algorithm employed in "alg".
- Verify that `attested` contains a `TPMS_CERTIFY_INFO` structure as specified in [[TPMv2-Part2]] section 10.12.3,
whose `name` field contains a valid Name for |pubArea|,
as computed using the algorithm in the `nameAlg` field of |pubArea| using the procedure specified in [[TPMv2-Part1]]
section 16.
as computed by concatinating algorithm identifier from the signauture algorithm(for RS256 it's sha256) specified in TPM_ALG_ID, with hash of the `pubArea` field as specified in [[TPMv2-Part1]] section 16.
Copy link
Contributor

@equalsJeffH equalsJeffH Jun 25, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm thinking we do not want to get into this much detail since it is already spec'd in the TPM specs. Suggest doing only this:

as computed using the hash algorithm identified by the value of the 
`nameAlg` field of |pubArea| and using the procedure specified in 
section 16 of [[TPMv2-Part1]]. 

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@equalsJeffH Navigating TPM specs is a hell. So I think we should be slightly more specific in this example

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @equalsJeffH here. Duplicating instructions risks getting them wrong in subtle ways, and I think that risk outweighs the small possible convenience gain.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that the TPM specs are difficult to decipher -- i spent a ton of time yesterday trying to figure out how the nameAlg field works, and am not sure my interpretation is correct -- hence not wanting to bake errornous interp into webauthn, as @emlun notes.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also agree - the TPM specs are difficult, so let's not add to confusion by potentially getting it different here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BradL-Msft Are other changes in this PR OK?

as computed using the algorithm in the `nameAlg` field of |pubArea| using the procedure specified in [[TPMv2-Part1]]
section 16.
as computed by concatinating algorithm identifier from the signauture algorithm(for RS256 it's sha256) specified in TPM_ALG_ID, with hash of the `pubArea` field as specified in [[TPMv2-Part1]] section 16.
- Verify that `pubArea` contains TPMU_PUBLIC_ID that is set to newly generate public key as specified in [[TPMv2-Part2]] section 12.2.3.2.
Copy link
Contributor

@equalsJeffH equalsJeffH Jun 25, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

newly generate -> the newly generated
as specified in [[TPMv2-Part2]] section 12.2.3.2 -> as specified in sections 12.2.3.2 and 12.2.4 of [[TPMv2-Part2]].

@equalsJeffH
Copy link
Contributor

is this intended to fix issue #929 ? I'm not sure what you mean by "ref #950" and "ref #929" ?

Copy link
Member

@emlun emlun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for writing this up, but I agree with @equalsJeffH that it's probably best to not include all of it.

- Note that the remaining fields in the "Standard Attestation Structure" [[TPMv2-Part1]]
section 31.2, i.e., `qualifiedSigner`, `clockInfo` and `firmwareVersion` are ignored.
These fields MAY be used as an input to risk engines.

If |x5c| is present, this indicates that the attestation type is not [=ECDAA=]. In this case:
- Verify the |sig| is a valid signature over |certInfo| using the attestation public key in |x5c| with the
algorithm specified in |alg|.
- Verify certificate chain in |x5c| against attestationRootCertificates in Metadata Statement specified by AAGUID in authData.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd argue this is already covered by steps 15 and 16 in §7.1. Relying Party Operations: Registering a new credential, and doesn't need to be repeated here.

Copy link
Contributor

@equalsJeffH equalsJeffH Jun 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perhaps steps 15 and 16 in §7.1. Relying Party Operations: Registering a new credential can be appropriately referenced here -- we can add anchors to individual steps if we wish -- see step 13 in S 6.2.3.

@@ -3430,15 +3430,16 @@ engine.
- Verify that `extraData` is set to the hash of |attToBeSigned| using the hash algorithm employed in "alg".
- Verify that `attested` contains a `TPMS_CERTIFY_INFO` structure as specified in [[TPMv2-Part2]] section 10.12.3,
whose `name` field contains a valid Name for |pubArea|,
as computed using the algorithm in the `nameAlg` field of |pubArea| using the procedure specified in [[TPMv2-Part1]]
section 16.
as computed by concatinating algorithm identifier from the signauture algorithm(for RS256 it's sha256) specified in TPM_ALG_ID, with hash of the `pubArea` field as specified in [[TPMv2-Part1]] section 16.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @equalsJeffH here. Duplicating instructions risks getting them wrong in subtle ways, and I think that risk outweighs the small possible convenience gain.

as computed using the algorithm in the `nameAlg` field of |pubArea| using the procedure specified in [[TPMv2-Part1]]
section 16.
as computed by concatinating algorithm identifier from the signauture algorithm(for RS256 it's sha256) specified in TPM_ALG_ID, with hash of the `pubArea` field as specified in [[TPMv2-Part1]] section 16.
- Verify that `pubArea` contains TPMU_PUBLIC_ID that is set to newly generate public key as specified in [[TPMv2-Part2]] section 12.2.3.2.
- Note that the remaining fields in the "Standard Attestation Structure" [[TPMv2-Part1]]
section 31.2, i.e., `qualifiedSigner`, `clockInfo` and `firmwareVersion` are ignored.
These fields MAY be used as an input to risk engines.

If |x5c| is present, this indicates that the attestation type is not [=ECDAA=]. In this case:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perhaps this ought to be rewritten as:
If |x5c| is present, the attestation type is [=AttCA=].

..?

@apowers313
Copy link
Contributor

For anyone else that wants to play along from home, here is some help understanding TPM. I'll probably stick these in a blog post or something in the near future:

tpm-decode.txt

certinfo

pubarea

@nadalin nadalin added this to the REC milestone Jun 27, 2018
@nadalin nadalin modified the milestones: REC, PropRec, L2-WD-00 Jun 27, 2018
@nadalin nadalin modified the milestones: L2-WD-00, L2-WD-01 Feb 13, 2019
@equalsJeffH
Copy link
Contributor

Note: issue #950 is closed -- at least a portion of what this PR is trying to accomplish was addressed in PR #952.

This seems to be a "nice to have" sort of spec-polishing, I suggest we keep it open. I marked it as low priority.

@akshayku akshayku self-requested a review May 29, 2019 19:14
@equalsJeffH equalsJeffH assigned akshayku and unassigned akshayku May 29, 2019
@jafisher-microsoft jafisher-microsoft self-assigned this Jun 19, 2019
@nadalin nadalin modified the milestones: L2-WD-02, L2-WD-03 Aug 28, 2019
@akshayku
Copy link
Contributor

akshayku commented Jun 3, 2020

After more talking internally, it looks like we don't want to duplicate things that are already in TPM specs. Which has a risk of going out of sync. If TPM specs are hard to read, that should be solved somewhere else.

I would propose to close this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants