From 4fe1bc9d798e126d13319697baaf2012e03fa257 Mon Sep 17 00:00:00 2001 From: Kyle Hogan Date: Tue, 21 Feb 2023 10:35:07 -0500 Subject: [PATCH 1/9] adding TEE to threat model --- threat-model/readme.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/threat-model/readme.md b/threat-model/readme.md index d629fe6..72a724a 100644 --- a/threat-model/readme.md +++ b/threat-model/readme.md 
@@ -213,6 +213,28 @@ TODO #### 1.9.2 Mitigations TODO +### 1.10 TEE + +TEEs are hardware supported environments for computations that isolate associated processes from other processed on the host machine. TEEs are intended to provide confidentiality, integrity, and authenticity for computations against a, possibly malicious, operator of the host machine. + +#### 1.10.1 Assets + +1. Private attestation/identity key(s) embedded in TEEs by the manufacturer of the TEE. The TEE must maintain confidentiality for the attestation/identity key(s) in order to maintain authenticity of the TEE. That is, if the confidentiality of attestation/identity key(s) is compromised, then a TEE may be impersonated and not provide the expected guarantees. +2. The computation to be performed. This computation must be correct in that it produces the expected output on given input data and does not leak any input data outside of the TEE. This computation if part of the trusted code/computing base and the TEE cannot provide confidentiality for a computation that directly or indirectly reveals information about its inputs. The TEE is designed to provide integrity for the computation in that it will execute the attested computation as specified. Integrity is based on trust in the manufacturer constructing the TEE hardware according to specification and in integrity checking for any interactions with the host system, e.g. via memory. +3. Confidential inputs/outputs of the computation. + +#### 1.10.2 Capabilities + +1. Generate a signature, or "attestation", on the computation using the private attestation/identity key. +2. Execute the computation as specified with integrity and confidentiality against other processes and the operator. +3. Maintain a confidential and integrity checked communication channel between the TEE and the owner of the computation. + +#### 1.10.3 Mitigations + +1. 
Confidentiality of attestation/identity key: the TEE's private key(s) should never be accessible from outside the TEE and any operations involving them must be performed obliviously (independently of the key) to avoid leaking bits of the key via side channels. +3. Integrity of computation: any TEE assets leaving the TEE, e.g. to DRAM, must be integrity checked by the TEE upon return. This includes the initial inputs and final output of the computation over its communication channel with the computation owner. +4. Confidentiality of computation and its inputs/outputs: guaranteed based on confidentiality of the key(s) associated with the communication channel and resistance to side channel leakage (see 1.9 on TEE operators) +5. Authenticity of the computation: guaranteed based on confidentiality of the attestation/identity key. ### 1.10 TEE Manufacturers From bc02a86143669b4f973439467c64e80b79b70ae3 Mon Sep 17 00:00:00 2001 From: kylehogan Date: Tue, 21 Feb 2023 20:03:52 -0500 Subject: [PATCH 2/9] Update threat-model/readme.md Co-authored-by: Martin Thomson --- threat-model/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/threat-model/readme.md b/threat-model/readme.md index 72a724a..85b9a2a 100644 --- a/threat-model/readme.md +++ b/threat-model/readme.md 
@@ -220,7 +220,7 @@ TEEs are hardware supported environments for computations that isolate associate #### 1.10.1 Assets 1. Private attestation/identity key(s) embedded in TEEs by the manufacturer of the TEE. The TEE must maintain confidentiality for the attestation/identity key(s) in order to maintain authenticity of the TEE. That is, if the confidentiality of attestation/identity key(s) is compromised, then a TEE may be impersonated and not provide the expected guarantees. -2. The computation to be performed. This computation must be correct in that it produces the expected output on given input data and does not leak any input data outside of the TEE. This computation if part of the trusted code/computing base and the TEE cannot provide confidentiality for a computation that directly or indirectly reveals information about its inputs. The TEE is designed to provide integrity for the computation in that it will execute the attested computation as specified. Integrity is based on trust in the manufacturer constructing the TEE hardware according to specification and in integrity checking for any interactions with the host system, e.g. via memory. +2. The computation to be performed. This computation must be correct in that it produces the expected output on given input data and does not leak any input data outside of the TEE. This computation is part of the trusted code/computing base and the TEE cannot provide confidentiality if a computation directly or indirectly reveals information about its inputs. The TEE is designed to provide integrity for the computation in that it will execute the attested computation as specified. Integrity is based on trust in the manufacturer constructing the TEE hardware according to specification and in integrity checking for any interactions with the host system, e.g., via memory. 3. Confidential inputs/outputs of the computation. #### 1.10.2 Capabilities From 12499c8a8cd2d1df33f5e8090dc6f79856da8ad5 Mon Sep 17 00:00:00 2001 
From: kylehogan Date: Tue, 21 Feb 2023 20:04:06 -0500 Subject: [PATCH 3/9] Update threat-model/readme.md Co-authored-by: Martin Thomson --- threat-model/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/threat-model/readme.md b/threat-model/readme.md index 85b9a2a..aedcb7d 100644 --- a/threat-model/readme.md +++ b/threat-model/readme.md @@ -232,7 +232,7 @@ TEEs are hardware supported environments for computations that isolate associate #### 1.10.3 Mitigations 1. Confidentiality of attestation/identity key: the TEE's private key(s) should never be accessible from outside the TEE and any operations involving them must be performed obliviously (independently of the key) to avoid leaking bits of the key via side channels. -3. Integrity of computation: any TEE assets leaving the TEE, e.g. to DRAM, must be integrity checked by the TEE upon return. This includes the initial inputs and final output of the computation over its communication channel with the computation owner. +3. Integrity of computation: any TEE assets leaving the TEE, e.g., to DRAM, must be integrity checked by the TEE upon return. This includes the initial inputs and final output of the computation over its communication channel with the computation owner. 4. Confidentiality of computation and its inputs/outputs: guaranteed based on confidentiality of the key(s) associated with the communication channel and resistance to side channel leakage (see 1.9 on TEE operators) 5. Authenticity of the computation: guaranteed based on confidentiality of the attestation/identity key. From 1fd2f0ebc9d9775a7eb5132bd15a3f45fe721057 Mon Sep 17 00:00:00 2001 From: kylehogan Date: Wed, 22 Feb 2023 13:28:33 -0500 Subject: [PATCH 4/9] Update threat-model/readme.md Co-authored-by: Martin Thomson --- threat-model/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/threat-model/readme.md b/threat-model/readme.md index aedcb7d..c1772c1 100644 --- a/threat-model/readme.md 
+++ b/threat-model/readme.md @@ -233,7 +233,7 @@ TEEs are hardware supported environments for computations that isolate associate 1. Confidentiality of attestation/identity key: the TEE's private key(s) should never be accessible from outside the TEE and any operations involving them must be performed obliviously (independently of the key) to avoid leaking bits of the key via side channels. 3. Integrity of computation: any TEE assets leaving the TEE, e.g., to DRAM, must be integrity checked by the TEE upon return. This includes the initial inputs and final output of the computation over its communication channel with the computation owner. -4. Confidentiality of computation and its inputs/outputs: guaranteed based on confidentiality of the key(s) associated with the communication channel and resistance to side channel leakage (see 1.9 on TEE operators) +4. Confidentiality of computation and its inputs/outputs: guaranteed based on confidentiality of the key(s) associated with the communication channel and resistance to side channel leakage (the section on [TEE operators](#tee-operators) discusses side channels). 5. Authenticity of the computation: guaranteed based on confidentiality of the attestation/identity key. ### 1.10 TEE Manufacturers From 7901ca257c39ecbb09cef9752309986ae3b5c099 Mon Sep 17 00:00:00 2001 From: Kyle Hogan Date: Wed, 22 Feb 2023 13:34:30 -0500 Subject: [PATCH 5/9] section headings and confidentiality --- threat-model/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/threat-model/readme.md b/threat-model/readme.md index c1772c1..95ce134 100644 --- a/threat-model/readme.md +++ b/threat-model/readme.md 
@@ -213,7 +213,7 @@ TODO #### 1.9.2 Mitigations TODO -### 1.10 TEE +### 1.10 TEE TEEs are hardware supported environments for computations that isolate associated processes from other processed on the host machine. TEEs are intended to provide confidentiality, integrity, and authenticity for computations against a, possibly malicious, operator of the host machine. @@ -233,7 +233,7 @@ TEEs are hardware supported environments for computations that isolate associate 1. Confidentiality of attestation/identity key: the TEE's private key(s) should never be accessible from outside the TEE and any operations involving them must be performed obliviously (independently of the key) to avoid leaking bits of the key via side channels. 3. Integrity of computation: any TEE assets leaving the TEE, e.g., to DRAM, must be integrity checked by the TEE upon return. This includes the initial inputs and final output of the computation over its communication channel with the computation owner. -4. Confidentiality of computation and its inputs/outputs: guaranteed based on confidentiality of the key(s) associated with the communication channel and resistance to side channel leakage (the section on [TEE operators](#tee-operators) discusses side channels). +4. Confidentiality of computation and its inputs/outputs: guaranteed based on confidentiality of the key(s) associated with the TEE and communication channel and resistance to side channel leakage (the section on [TEE operators](#tee-operators) discusses side channels). Additionally, any TEE assets leaving the TEE, e.g., to DRAM, must be encrypted with a key known only to the TEE. 5. Authenticity of the computation: guaranteed based on confidentiality of the attestation/identity key. ### 1.10 TEE Manufacturers From afecea32fa8d53d4652af47b537f0aef3185c42d Mon Sep 17 00:00:00 2001 
From: kylehogan Date: Wed, 22 Feb 2023 13:34:37 -0500 Subject: [PATCH 6/9] Update threat-model/readme.md Co-authored-by: Martin Thomson --- threat-model/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/threat-model/readme.md b/threat-model/readme.md index c1772c1..b5aadb2 100644 --- a/threat-model/readme.md +++ b/threat-model/readme.md @@ -215,7 +215,7 @@ TODO ### 1.10 TEE -TEEs are hardware supported environments for computations that isolate associated processes from other processed on the host machine. TEEs are intended to provide confidentiality, integrity, and authenticity for computations against a, possibly malicious, operator of the host machine. +TEEs are hardware supported environments for computations that isolate associated processes from other processed on the host machine. TEEs are intended to provide confidentiality, integrity, and authenticity for computations against a possibly malicious operator of the host machine or - in a shared hosting environment - other users of the same host. #### 1.10.1 Assets From d1f352a218ef9c83badf6ee4d0e60c2fde6ebae5 Mon Sep 17 00:00:00 2001 From: Kyle Hogan Date: Wed, 22 Feb 2023 13:38:42 -0500 Subject: [PATCH 7/9] colocated --- threat-model/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/threat-model/readme.md b/threat-model/readme.md index da9e537..cf00d4e 100644 --- a/threat-model/readme.md +++ b/threat-model/readme.md 
@@ -215,7 +215,7 @@ TODO ### 1.10 TEE -TEEs are hardware supported environments for computations that isolate associated processes from other processed on the host machine. TEEs are intended to provide confidentiality, integrity, and authenticity for computations against a possibly malicious operator of the host machine or - in a shared hosting environment - other users of the same host. +TEEs are hardware supported environments for computations that isolate associated processes from other processed on the host machine. TEEs are intended to provide confidentiality, integrity, and authenticity for computations against a possibly malicious operator of the host machine or, in a shared hosting environment, other users colocated on the same host. #### 1.10.1 Assets From 45e14b3d29a942524eb1c3c572c460f7d6a5d186 Mon Sep 17 00:00:00 2001 From: Kyle Hogan Date: Wed, 22 Feb 2023 15:15:29 -0500 Subject: [PATCH 8/9] numbering --- threat-model/readme.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/threat-model/readme.md b/threat-model/readme.md index cf00d4e..2b84fa1 100644 --- a/threat-model/readme.md +++ b/threat-model/readme.md 
@@ -232,9 +232,9 @@ TEEs are hardware supported environments for computations that isolate associate #### 1.10.3 Mitigations 1. Confidentiality of attestation/identity key: the TEE's private key(s) should never be accessible from outside the TEE and any operations involving them must be performed obliviously (independently of the key) to avoid leaking bits of the key via side channels. -3. Integrity of computation: any TEE assets leaving the TEE, e.g., to DRAM, must be integrity checked by the TEE upon return. This includes the initial inputs and final output of the computation over its communication channel with the computation owner. -4. Confidentiality of computation and its inputs/outputs: guaranteed based on confidentiality of the key(s) associated with the TEE and communication channel and resistance to side channel leakage (the section on [TEE operators](#tee-operators) discusses side channels). Additionally, any TEE assets leaving the TEE, e.g., to DRAM, must be encrypted with a key known only to the TEE. -5. Authenticity of the computation: guaranteed based on confidentiality of the attestation/identity key. +2. Integrity of computation: any TEE assets leaving the TEE, e.g., to DRAM, must be integrity checked by the TEE upon return. This includes the initial inputs and final output of the computation over its communication channel with the computation owner. +3. Confidentiality of computation and its inputs/outputs: guaranteed based on confidentiality of the key(s) associated with the TEE and communication channel and resistance to side channel leakage (the section on [TEE operators](#tee-operators) discusses side channels). Additionally, any TEE assets leaving the TEE, e.g., to DRAM, must be encrypted with a key known only to the TEE. +4. Authenticity of the computation: guaranteed based on confidentiality of the attestation/identity key. ### 1.10 TEE Manufacturers From 092a867ec95db5c434649103f71de9e6927c926f Mon Sep 17 00:00:00 2001 
From: Erik Taubeneck Date: Wed, 10 Apr 2024 11:48:21 -0700 Subject: [PATCH 9/9] Update readme.md --- threat-model/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/threat-model/readme.md b/threat-model/readme.md index 2b84fa1..1e5f0d9 100644 --- a/threat-model/readme.md +++ b/threat-model/readme.md @@ -236,7 +236,7 @@ TEEs are hardware supported environments for computations that isolate associate 3. Confidentiality of computation and its inputs/outputs: guaranteed based on confidentiality of the key(s) associated with the TEE and communication channel and resistance to side channel leakage (the section on [TEE operators](#tee-operators) discusses side channels). Additionally, any TEE assets leaving the TEE, e.g., to DRAM, must be encrypted with a key known only to the TEE. 4. Authenticity of the computation: guaranteed based on confidentiality of the attestation/identity key. -### 1.10 TEE Manufacturers +### 1.10.4 TEE Manufacturers TEEs can provide "attestation" which verifies that the TEE is running in the expected state and running the expected code. These attestations are typically produced with an asymmetric key, where the private key is physically embedded into the TEE, and the public key is published via a system similar to a certificate authority.
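Review bot: the new heading `### 1.10 TEE` in PATCH 1/9 reuses the number of `### 1.10 TEE Manufacturers`, which follows it in the trailing context, so the file ends up with two sections numbered 1.10. Renumber one of them in this patch. In the same hunk, the list under `#### 1.10.3 Mitigations` is numbered 1, 3, 4, 5, and the intro and asset 2 contain the typos "other processed" and "This computation if part of".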
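Review bot: the link target `#tee-operators` added to the confidentiality mitigation in PATCH 4/9 may not resolve. Headings in this file carry their section numbers (`### 1.10 TEE`, `#### 1.9.2 Mitigations`), and the replaced text pointed at "1.9 on TEE operators", so the generated anchor for that heading will most likely include the number. Check the rendered anchor and link to that, or keep the section number in the link text so the reference survives a broken link.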
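Review bot: the first hunk of PATCH 5/9 replaces `### 1.10 TEE` with a line that reads identically, so the change is presumably whitespace only and does nothing about the duplicate 1.10 numbering that the subject "section headings" suggests it addresses. Say in the commit message what changed in the heading, or drop the hunk.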
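Review bot: the sentence added to the confidentiality mitigation in the second hunk of PATCH 5/9 relies on "a key known only to the TEE", but 1.10.1 Assets lists only the attestation/identity key(s), the computation, and its inputs/outputs. Add this encryption key to the assets list, or state how it relates to the attestation/identity key. The reworded "key(s) associated with the TEE and communication channel" has the same gap: it does not say which TEE key is meant.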
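Review bot: the rewritten intro sentence in PATCH 7/9 still reads "isolate associated processes from other processed on the host machine"; "processed" should be "processes". The typo has been carried on the `+` line since PATCH 1/9, including PATCH 6/9, so fix it here while the paragraph is being edited.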
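Review bot: the renamed heading in PATCH 9/9, `### 1.10.4 TEE Manufacturers`, keeps three `#` while its new siblings `#### 1.10.1 Assets` through `#### 1.10.3 Mitigations` use four, so the number says subsection and the markup says top-level section. Use `####` to match. Also confirm that TEE Manufacturers is meant to sit under 1.10 next to Assets/Capabilities/Mitigations rather than stand as its own actor section; if the latter, it needs a new section number instead.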