Add consistency check of preloaded apps to tkey-verify?

[mchack-work]

In Castor we will have two preloaded apps:

• boot verifier
• fido2

The boot verifier's app digest will be guaranteed by the app's digest in firmware, but the app in slot 1, typically fido2, can be changed.

With the preloaded fido2 app we are planning to add hardware attestation. This means we have an easy way to check if the fido2 app is the correct app. Perhaps add to tkey-verify a way of doing CTAP hardware attestation?

Possibly think about about some form of attestation of other apps? How? If they use the combined measuered boot/verified boot it can perhaps be done by extracting the public key, digest and signature and ask the firmware to compute the digest over what's in slot 1? Can we fit that in a syscall?

[niels-moller]

It could be useful with some way to attest that a public key belongs to a particular app. Both for user and tkey owner to be sure what's really running. There could also be usecases where one want to prove that to others. E.g., say I claim that I deploy the sign-if-logged-app, sign stuff, and users expect that a monitor will see what I sign. But maybe I'm in fact using` just the plain signer app (or an arbitrary softkey). It would be useful if one could somehow verify that the public key I distribute to users correspond to an authentic tkey running the sign-if-logged-app, configured with a specific trust policy. Seems rather difficult to me, though.

[mchack-work]

Yes, it seems difficult, alright!

The FIDO2 hardware attestion comes close to it, at least, even if it doesn't go all the way. It provides cryptographic proof that the hardware has access to the vendor's private key for that model of hardware.

The proposal we have to implement it on the TKey is to distribute a vendor private key for that model with every TKey, encrypted by the fido2 app.

[niels-moller]

Yes, it seems difficult, alright!

Probably not feasible for the tkey, but perhaps more relevant for the thsm? One way to do it could be to have some kind of privileged register (somewhat analogous to a TPM PCR register) that firmware initializes with app hash when an app is loaded. And as long as that same app is running, it can add additional data to be hashed into that register. Next, we need a syscall or a special app that can get the authentic value of that register, and sign it with some key. And finally some way to bind that key to some measure of hardware authenticity. That signature would then tell a verifier that the hash was intentionally measured by a specific app binary running on a tkey.

The FIDO2 hardware attestion comes close to it, at least, even if it doesn't go all the way. It provides cryptographic proof that the hardware has access to the vendor's private key for that model of hardware.

The proposal we have to implement it on the TKey is to distribute a vendor private key for that model with every TKey, encrypted by the fido2 app.

And using the same vendor private key on many devices is for user privacy. I guess there will be similar concerns for any other attestation signing key.