Standardization and Open-source Implementation of Attested TLS for Confidential Computing

<h2>Summary</h2> <p>Attested TLS is a fundamental building block of confidential computing. We have defended our position (cf. <a href="https://datatracker.ietf.org/doc/bofreq-fossati-tls-exported-attestation-expat/">expat BoF</a>) to standardize the attested TLS protocols for confidential computing in the <a href="https://www.ietf.org/">IETF</a>, and a new Working Group named <a href="https://datatracker.ietf.org/wg/seat/about/">Secure Evidence and Attestation Transport (SEAT)</a> has been formed to exclusively tackle this specific problem. In this talk, we present the design choices for standardization of attested TLS, namely pre-handshake attestation, intra-handshake attestation, and post-handshake attestation. We present the journey of standardization effort showing replay, diversion and relay attacks on pre-handshake attestation and intra-handshake attestation (see <a href="https://www.researchgate.net/publication/398839141_Identity_Crisis_in_Confidential_Computing_Formal_Analysis_of_Attested_TLS">paper</a> and <a href="https://github.com/CCC-Attestation/formal-spec-id-crisis">formal proof</a>). We finally present the post-handshake attestation <a href="https://datatracker.ietf.org/doc/draft-fossati-seat-expat/">candidate draft</a> for standardization to gather feedback from the community, so that it can be accommodated in the standardization. </p> <h2>Technical details</h2> <p>We propose a specification that defines a method for two parties in a communication interaction to exchange Evidence and Attestation Results using exported authenticators, as defined in <a href="https://datatracker.ietf.org/doc/html/rfc9261">RFC9261</a>. Additionally, we introduce the cmw_attestation extension, which allows attestation credentials to be included directly in the Certificate message sent during the Exported Authenticator-based post-handshake authentication. The approach supports both the passport and background check models from the <a href="https://datatracker.ietf.org/doc/rfc9334/">RATS architecture</a> while ensuring that attestation remains bound to the underlying communication channel.</p> <h2>WiP Implementation</h2> <p><a href="https://github.com/tls-attestation/attestation-exported-authenticators">WiP Implementation</a> uses the <a href="https://github.com/veraison/rust-cmw">veraison/rust-cmw</a> implementation of <a href="https://datatracker.ietf.org/doc/draft-ietf-rats-msg-wrap/">RATS conceptual messages wrapper</a>. It includes a test which demonstrates using it with QUIC (for transport) and Intel TDX (as confidential compute platform): <a href="https://github.com/tls-attestation/attestation-exported-authenticators/blob/main/tests/quic_tdx.rs">tests/quic_tdx.rs</a>.</p> <h2>Useful links</h2> <ul> <li>IETF SEAT WG: https://datatracker.ietf.org/wg/seat/about/</li> <li>Subscribe to SEAT WG mailing list: https://mailman3.ietf.org/mailman3/lists/seat.ietf.org/</li> <li>Spec: https://datatracker.ietf.org/doc/draft-fossati-seat-expat/</li> <li>Proposed for adoption at CCC Attestation SIG: https://github.com/CCC-Attestation/governance/issues/20</li> </ul>