gsa - ku-sldg/stairCASE GitHub Wiki

stairCASE Measurement Architecture

Architecture

Ground Station

  • seL4 instance running on ODROID
    • User Virtual Platform (UVP) on seL4 VMM
      • Linux instance on seL4 VM
        • User AM as Linux process
        • UxAS as Linux process
    • Platform AM as CAmkES component
  • seL4 Attestation Manager (seL4AM)

Crude Architecture Figure

Whiteboard Architecture Image

Mission board

  • Mission AM as dictated by mission board designers

Roots of Trust

  • RoT for Measurement - UBOOT
  • RoT for Reporting - place key
  • RoT for Storage - ??

Places

Boot Measurement Story

  1. UBOOT starts seL4IM and seL4. seL4IM hashes the seL4 image and stores the measurement. seL4IM may be a part of UBOOT. UBOOT has a built-in SHA-256 capability.
  2. seL4 starts and measures Platform AM as a CAmkES component. seL4 stores the measurement.
  3. seL4 starts and measures User Virtual Platform (UVP) as Linux VM. Makes the Platform AM aware of UVP. Platform AM measures UVP infrastructure and stores the measurement.
  4. UVP Linux VM hashes and starts UVP AM.
  5. UVP Linux VM hashes and starts UxAS groundstation. Makes UVP AM aware of UxAS. UVP AM measures UxAS.
  • Mission AM - Appraisal only. Makes requests of ground station AMs and appraises results. No mutual attestation at this time, but could add later if desirable.
  • seL4 AM - Hashes the seL4 instance at startup and performs runtime integrity measurement. This may overlap with what UBOOT currently does. Note that UBOOT performs a signature check and does not currently measure the seL4 image. Potentially the root of trust for measurement.
  • Platform AM - Hashes the UVP VM at startup and performs runtime integrity measurement. Is hashed as a part of the seL4IM measurement. Consider a meta-measurer running as a CAmkES component to ensure integrity. seL4AM might do this as well.
  • UVP AM - Hashes the UxAS instance at startup and performs runtime integrity measurement. Is hashed as a part of the Platform measurement. Serves as the interface to the attestation platform.

Boot Measurement Story

  1. UBOOT starts seL4AM and seL4. seL4AM measures the seL4 image and stores the measurement in TrustZone.
  2. seL4 starts Platform AM CAmkES component
  3. seL4 starts User Virtual Platform (UVP) consisting of Linux and a RAMDisk. Makes the Platform AM aware of UVP and RAMDisk. Platform AM measures UVP:
    1. Hashes and starts the Linux kernel as VM
    2. Hashes and mounts RAMDisk
  4. UVP VM starts UVP AM and UxAS from RAMDisk. Makes UVP AM aware of UxAS. UVP AM measures UxAS. The RAMDisk hash ensures good UxAS and User AM.

Runtime Measurement Story

  1. seL4AM measures seL4 instance
  2. seL4AM measures Platform AM (speculative)
  3. Platform AM measures UVP VM
  4. UVP VM
  5. UVP AM measures UxAS groundstation and serves as interface to mission platform AM
  6. Platform AM measures UVP Linux including UVP AM
  7. seL4 AM measures Platform AM and platform infrastructure

Appraisal Story

  • Mission board is aware of the UVP AM and sends requests to it.
  • UVP AM is aware of Platform AM and seL4IM and sends requests to them as required by Mission Board requests.
  • Two kinds of attestation requests
    • Shallow attestation requests invoke UVP AM to measure the application and local platform
    • Deep attestation requests invoke UVP AM to make requests of Platform AM and seL4IM
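As an added illustration (not code from the stairCASE project), the following models the layered boot measurement above and the shallow/deep appraisal split: each AM hashes the layer beneath it with SHA-256 and stores the result, and appraisal compares the stored measurements against expected values. The image contents, layer names and "golden" values are constructed stand-ins.

```python
import hashlib

# Constructed stand-ins for the images each layer measures at boot.
IMAGES = {
    "seL4": b"seL4 kernel image (constructed)",
    "PlatformAM": b"Platform AM CAmkES component (constructed)",
    "UVP_kernel": b"UVP Linux kernel (constructed)",
    "UVP_ramdisk": b"UVP RAMDisk holding UVP AM and UxAS (constructed)",
    "UxAS": b"UxAS ground station binary (constructed)",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def boot_measure(images: dict) -> dict:
    """Boot Measurement Story: each AM measures the component below it
    before starting it and records the hash under its own name."""
    return {
        # Step 1: seL4AM measures the seL4 image (stored in TrustZone);
        # step 2 (speculative): it also measures the Platform AM component.
        "seL4AM": {"seL4": sha256(images["seL4"]),
                   "PlatformAM": sha256(images["PlatformAM"])},
        # Step 3: Platform AM measures the UVP kernel and RAMDisk.
        "PlatformAM": {"UVP_kernel": sha256(images["UVP_kernel"]),
                       "UVP_ramdisk": sha256(images["UVP_ramdisk"])},
        # Step 4: UVP AM measures UxAS once started from the RAMDisk.
        "UVPAM": {"UxAS": sha256(images["UxAS"])},
    }

def appraise(log: dict, golden: dict, deep: bool) -> bool:
    """Appraisal Story: a shallow request checks only the UVP AM's own
    measurements; a deep request also pulls Platform AM and seL4AM
    measurements. Any mismatch against the expected values fails."""
    layers = ["UVPAM"] + (["PlatformAM", "seL4AM"] if deep else [])
    return all(log[layer] == golden[layer] for layer in layers)
```

Running `appraise` with a modified UVP kernel image shows why the two request kinds differ: the shallow appraisal still passes because UVP AM never measures its own platform, while the deep appraisal fails on the Platform AM layer.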

Open Questions

  • RoT for Storage - where can we put measurements and keys so that they have confidentiality and integrity?
    • TrustZone proto-TPM - Need to jack with TrustZone. Possibly store first measurement here and use CAmkES component for the rest.
    • CAmkES component - Need to store measurements prior to seL4 start
  • Hosting and running KIMs - what will our KIMs be and how will they function?
    • LKIM for UVP AM

Odds and Ends

  • UBOOT can hash images
  • UBOOT runs through TrustZone in some way that we need to understand
  • seL4 VMM can start with 2 VMs
    • one is an OS Kernel
    • one is typically a RAM Disk
  • New boot structure
    • start the kernel
    • mount the ramdisk
    • start the user apps from the ramdisk