smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

RFE: ZeroTrust XIoT Remote Device Attestation #1439

Closed mmaymann closed 1 year ago

mmaymann commented 1 year ago

TPM 802.1x EAP-TLS X.509:

https://github.com/sonic-net/SONiC/issues/1362

tashian commented 1 year ago

Hi! I'm on the Smallstep team. Thanks for opening an issue.

Could you please elaborate on your use case, and the functionality you think step-ca would need to meet it?

I believe it's possible to use step-ca to issue EAP-TLS certificates for Linux, with TPM-stored private keys, by using step-kms-plugin and wpa_supplicant's PKCS #11 support + TPM2 tools.

But, your particular application sounds a bit more involved.

mmaymann commented 1 year ago

Hi Carl, Thanks for your reply :)

The functionality I wish to achieve is remote device attestation (2.):

  1. Manufacturer produces the device (with TPM) and forwards the ownership to company via Fido Device Onboard
  2. Company validates device via remote attestation (KeyLime|Akri could, to my knowledge, be used for this through EAP), including any custom checks (MUD, SBOM, firmware version, OS version, firewall enabled, antivirus enabled, ...). As far as I know, we need to create a new TPM cert for each check (step-by-step based trust)? Would we need Smallstep for this, or would FDO|KeyLime|Akri be able to do this?
  3. Company provisions validated devices to their desired state

I have given my GoldenPath version of a XIoT Zero-Conf|Trust|Touch target architecture directly from network devices. Suggestions/enhancements would be highly appreciated :)

Thanks in advance :)

tashian commented 1 year ago

Our software can support leveraging TPM attestation certificates as part of a PKI strategy that requires strong device identity. If you need EAP-TLS X.509 client certificates that identify a device to the network, you may want to set up a Smallstep CA that devices can enroll with.

If I'm understanding correctly, it sounds like you're also looking for remote boot attestation and integrity monitoring features, which is not really our sweet spot. For that, I think you will need signed TPM PCR quotes to attest some of the things you want to know about a system's state. Keylime may be a better fit for that component. I haven't looked closely at it in a while, but I think it can help you get remote attestations that the system is in a good runtime state.

mmaymann commented 1 year ago

Hi Carl, thanks again for your reply :) It seems TPM PCR is the thing I need to query, maybe using Spiffe/Spire? I have created a ticket for them: https://github.com/spiffe/spire/issues/4281 Thanks for your help :)