Trusted execution in the cloud


Demo 2 Complete

Demo 2 is in the books. Demo 2 adds explicit execution of an attestation protocol and interaction with the measurer. This demo continues to be naive, but uses an attestation protocol and returns an evidence package. The evidence package integrity is guaranteed and linked to the quote by the hash returned in the quote. The quote is used to evaluate the data and the data in turn used to evaluate the target system.

  1. Appraiser sends a request \(\langle D,n\rangle\) to an attestation agent for PCRs
    • \(D=[d_0,d_1,…,d_n]\) - desire evidence
    • \(n\) - nonce
  2. Attestation agent selects a protocol based on \(D\)
  3. Attestation agent executes the protocol
    • Gathers evidence, \(E\), from application
    • Creates an evidence package, \({\langle E,n\rangle}_{k^{-1}}\)
    • Creates a quote \(q=\langle\#\langle E,n\rangle,PCR\rangle_{k^{-1}}\)
  4. Attestation returns the quote and evidence
  5. Appraiser checks the returned quote and evidence
    • checks the signature of the quote
    • checks the evidence package using \(\#\langle E,n\rangle\)
    • checks \(n\)
    • checks \(E=[e_0,e_1,…,e_n]\)
  6. Provide an argument for correctness

The attestation protocol receives \(D\) from the appraiser and translates its components into calls the measurer to generate \(E\). The evidence package and quote are generated by individual protocol steps.

The demo is limited for several reasons:

  1. The signing key, \(k\) is not maintained by a TPM or vTPM
  2. The quote is not generated by a TPM or vTPM
  3. PCRs are dummy values
  4. The measurer is currently being simulated rather than called explicitly

The first three limitations will be eliminated in Demonstration 3 when we integrate a TPM. The last limitation is an operating system issue that will be resolved when we move from CentOS to Fedora in the next demonstration.

We are now working full time on Demonstration 3.