...
Under normal circumstances, the Alias key-pair will be accessible to all clients running at the same exception level and runtime. That means that an Alias key-pair accessible to the Linux kernel will be accessible to all kernel code. Likewise, if DICE is extended all the way to user space, the Alias keys would be exposed to everything running in user space. Having said that, there are features like AppArmor, SELinux etc. that can potentially address this to some extent.
In short, making the private key available to unauthenticated and unauthorized parties is problematic. But we have to remember that the public key from the key-pair has been put into a certificate (the Alias certificate), which in turn has been signed by the previous layer. This goes all the way back to the root of trust, i.e., the certificate chain ensures that this public key indeed belongs to and comes from this particular device and manufacturer. If we imagine that we use the private Alias key to sign an attestation request, then the remote verifier will only be able to successfully verify that signature using the matching public key. Any attempt to verify either a tampered signature or a signature made with another private key will fail.
But we still have the problem that if anyone can access this private key, then in theory an attacker could sign known good data and return that in response to an attestation request, while the attacker at the same time has modified code and data elsewhere. What about encryption? It’s out of the question, since the private key is accessible to unauthorized parties.
For this reason we suggest that a TEE environment or similar owns the last layer’s key-pair and that the TEE environment is responsible for responding to attestation requests.
...
| | Priority | Description | Jira |
|---|---|---|---|
| 1 | Must have: | The Alias public key is used as input for the generation of the Alias key certificate. The Alias key certificate shall have a statistically unique serial number (see 7.3.2). The Device ID private key is used to sign the Alias key certificate. The Alias key certificate should be handed over to BL3.1. | |
| 2 | Nice to have: | | |
| 3 | Not in scope: | | |
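
The verifier-side reasoning above and the "Must have" row just before this point, as an added Go example that is not part of the original page or of any DICE implementation: it issues an Alias certificate with a random 128-bit serial number signed by the Device ID key, then checks attestation responses the way a remote verifier would. Ed25519, the certificate names, the evidence strings and all function names are assumptions made for the example, and only the single Device ID to Alias link is checked rather than a full chain to the manufacturer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // setup failures abort this constructed demo
	if err != nil {
		panic(err)
	}
	return v
}

// issueAlias: Alias public key in, random 128-bit serial, signed with the Device ID private key.
func issueAlias(aliasPub ed25519.PublicKey, deviceIDKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "Alias"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "DeviceID"}} // Ed25519 and both names are assumptions
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, issuer, aliasPub, deviceIDKey))))
}

// verify is the remote verifier: Device ID signed the Alias certificate, Alias signed the evidence.
func verify(deviceIDPub ed25519.PublicKey, alias *x509.Certificate, evidence, sig []byte) error {
	switch pub, ok := alias.PublicKey.(ed25519.PublicKey); {
	case !ed25519.Verify(deviceIDPub, alias.RawTBSCertificate, alias.Signature):
		return fmt.Errorf("alias certificate is not signed by the Device ID key")
	case !ok || !ed25519.Verify(pub, evidence, sig):
		return fmt.Errorf("evidence is not signed by the certified Alias key")
	}
	return nil
}

// demo returns the verifier's verdicts for three constructed attestation responses.
func demo() (honest, tampered, keyHolder error) {
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	aliasPub, aliasKey, _ := ed25519.GenerateKey(rand.Reader)
	alias := issueAlias(aliasPub, devKey)
	good, bad := []byte("measurements=known-good"), []byte("measurements=modified")
	return verify(devPub, alias, good, ed25519.Sign(aliasKey, good)), // honest firmware
		verify(devPub, alias, bad, ed25519.Sign(aliasKey, good)), // evidence altered after signing
		verify(devPub, alias, good, ed25519.Sign(aliasKey, good)) // modified code that can read aliasKey
}

func main() { fmt.Println(demo()) }
```

The third verdict is nil, the same as the first: the verifier accepts a known-good claim from any code that can read the Alias private key, which is the reason the page places that key in a TEE.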
...
| | Priority | Description | Jira |
|---|---|---|---|
| 1 | Must have: | The Alias Key is used as input for the generation of the Alias key certificate. The Device ID Key is used as input for the generation of the Alias key certificate. The Alias key certificate shall have a statistically unique serial number (see 7.3.2). The Alias key certificate should be handed over to BL2. The Device ID certificate should be handed over to BL2. The Device ID public key should be handed over to BL2. | |
| 2 | Nice to have: | | |
| 3 | Not in scope: | | |
...
This objective is about making sure that U-Boot is capable of generating the Alias key-pair and certificate.
Acceptance criteria:
U-Boot shall be capable of creating the Alias key-pair and Alias certificate.
U-Boot shall be able to transfer the Alias key-pair and Alias certificate to GRUB, Linux or something similar.
| | Priority | Description | Jira |
|---|---|---|---|
| 1 | Must have: | | |
| 2 | Nice to have: | | |
| 3 | Not in scope: | | |
...