3.2. Layered Attestation Environments
3.2. Layered Attestation Environments
By definition, the Attester role generates Evidence. An Attester may consist of one or more nested environments (layers). The bottom layer of an Attester has an Attesting Environment that is typically designed to be immutable or difficult to modify by malicious code. In order to appraise Evidence generated by an Attester, the Verifier needs to trust various layers, including the bottom Attesting Environment. Trust in the Attester's layers, including the bottom layer, can be established in various ways, as discussed in Section 7.4.
In layered attestation, Claims can be collected from or about each layer beginning with an initial layer. The corresponding Claims can be structured in a nested fashion that reflects the nesting of the Attester's layers. Normally, Claims are not self-asserted. Rather, a previous layer acts as the Attesting Environment for the next layer. Claims about an initial layer are typically asserted by an Endorser.
The example device illustrated in Figure 3 includes (A) a BIOS stored in read-only memory, (B) a bootloader, and (C) an operating system kernel.
.-------------. Endorsement for ROM
| Endorser +-----------------------.
'-------------' |
v
.-------------. Reference .----------.
| Reference | Values for | |
| Value +----------------->| Verifier |
| Provider(s) | ROM, bootloader, | |
'-------------' and kernel '----------'
^
.------------------------------------. |
| | |
| .---------------------------. | |
| | Kernel(C) | | |
| | | | | Layered
| | Target | | | Evidence
| | Environment | | | for
| '---------------+-----------' | | bootloader
| Collect | | | and
| Claims | | | kernel
| .---------------|-----------. | |
| | Bootloader(B) v | | |
| | .-----------. | | |
| | Target | Attesting | | | |
| | Environment |Environment+-----------'
| | | | | |
| | '-----------' | |
| | ^ | |
| '--------------+--|---------' |
| Collect | | Evidence for |
| Claims v | bootloader |
| .-----------------+---------. |
| | ROM(A) | |
| | | |
| | Attesting | |
| | Environment | |
| '---------------------------' |
| |
'------------------------------------'
Figure 3: Layered Attester
The first Attesting Environment (the ROM in this example) has to ensure the integrity of the bootloader (the first Target Environment). There are potentially multiple kernels to boot; the decision is up to the bootloader. Only a bootloader with intact integrity will make an appropriate decision. Therefore, the Claims relating to the integrity of the bootloader have to be measured securely. At this stage of the boot cycle of the device, the Claims collected typically cannot be composed into Evidence.
After the boot sequence is started, the BIOS conducts the most important and defining feature of layered attestation: the successfully measured bootloader now becomes (or contains) an Attesting Environment for the next layer. This procedure in layered attestation is sometimes called "staging". It is important that the bootloader not be able to alter any Claims about itself that were collected by the BIOS. This can be ensured having those Claims be either signed by the BIOS or stored in a tamper-proof manner by the BIOS.
Continuing with this example, the bootloader's Attesting Environment is now in charge of collecting Claims about the next Target Environment. In this example, it is the kernel to be booted. The final Evidence thus contains two sets of Claims: one set about the bootloader as measured and signed by the BIOS and another set of Claims about the kernel as measured and signed by the bootloader.
This example could be extended further by making the kernel become another Attesting Environment for an application as another Target Environment. This would result in a third set of Claims in the Evidence pertaining to that application.
The essence of this example is a cascade of staged environments. Each environment has the responsibility of measuring the next environment before the next environment is started. In general, the number of layers may vary by device or implementation, and an Attesting Environment might even have multiple Target Environments that it measures, rather than only one as shown by example in Figure 3.