Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify use creating and verifying TPM attestation statements. #2193
base: main
Are you sure you want to change the base?
Clarify use creating and verifying TPM attestation statements. #2193
Changes from 6 commits
8d690aa
e51255d
4d5c9ea
73435ba
96e5e07
1314870
21d38c0
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggest changing "will also match" to "MUST also match", thereby making this normative and an error if the RP detects that the hash algorithm is different in these two locations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By making this a note, this is an informative statement so not sure if we can make this normative. This clarification, in fact, is what I believe is the source of the original concern that there was a possibility these would be different, when, in fact, the TPM never changes the algorithm. Making this check a MUST alludes that the TPM might return these different. That said, as the algId in the Name is not protected it is possible for software (local or in transit) to change it but the worse case would be a DOS attack (unless someone finds a pre-image attack). With that said, I'm open to the suggestion if you still believe that's needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The problem I have with lowercase "will also match" is that it's suggestive, without providing guidance to the RP as to what to do if its observed that the values are not the same in both locations. I'm not going to die on this hill though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How does the RP determine if the fields are valid or not?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The content of these fields is determined by which TPM hierarchy the AK is in. (tl;dr: If the AK is in the Endorsement hierarchy the fields are valid, if the AK is in the Storage hierarchy, the fields are random - this is for privacy reasons). To provide information about where the AK is may be a privacy concern so this is not provided in the protocol. The properties of the AK (including whether to even trust it) are out of scope for this protocol and it would be up to the RP to know that out of band.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest changing "SHOULD NOT" to "MUST NOT" for privacy preserving reasons.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree MUST NOT would be my preference. However, my concern with MUST NOT is if there are any existing implementation that followed the original wording, MUST NOT would make those existing implementations (if >0) non-compliant which would not be their fault. I'm OK with the guidance of the WG on this.