# Task 1 ## Information - A: application - AVK: application vendor key - OS: operating system - ID/IDOS: identifyier for running OS - IDOS = H(OS) - OSV: OS vendor - OSVK: OS vendor key - TRB: Tamper-resistant black box - PCR in TRB - TVK: TRB platform vendor key - EK: endorsement key - AIK: attestation identity key - CA: (privacy) certificate authority - CAK: CA key - OSrunningAuthK: authentication key - OSrunningConcK: encryption key ## Certificates - {"A v4.2", H(A)}AVKpriv - {"OS v3.1", H(OS)}OSKVpriv - {"good AIK", AIKpub}CAKpriv - {"good EK", EKpub}TVKpriv ## Approval of AIK - between TRB and CA, before any attestation using the AIK 1. TRB sends the AIKpub, EKpub to the CA 2. CA checks EK has been signed by TRV 3. CA sends back {{"good AIK", AIKpub}CAKpriv}EKpub ## Challenger/Verifier/Relying Party - knows: - AVKpub - OSVKpub - CAKpub - sends: - nonce ## Atester/Prover - {"A v2.3", H(A)}AVKpriv - {"OS v3.1", H(OS)=IDOS}OSVKpriv - {"good AIK", AIKpub}CAKpriv -> {PCR=H(OS)=IDOS, OSrunningAuthKpub, OSrunningConcKpub}AIKpriv -> {nonce, H(A)}OSrunningAuthKpriv # Task 2 - option 1: remote attestation - do remote attestation of software + game state - game server can then validate against a known-good game state - server needs to store the last valid hash of the game data to have a reference - option 2: sealed memory - use sealed memory to store the game state, such that only the unmodified game on an unmodified OS can unseal it - confidentiality: sealed against combination H(OS)+H(game) - integrity: TRB must check that sealed data has not been modified # Task 3 - verifier: A - attester: rest of TCB (TRB+OS, but not A) - but: impossible, because a running program cannot reason about its execution environment # Task 4 - is this a valid game? - certificate for game - console check that the game is a valid game based certificate and that means that we run official - is the game licensed (player paid for it)? - license key from software vendor - stored in sealed memory (only OS can key and check this key) - license key from software vendor - boot process: 1. firmware starts, loads the bootloader, start the bootloader, iff bootloader has been correctly signed by the vendor (public key known by firmware) 2. bootloader starts, loads the OS, start OS, iff OS has been correctly signed by the vendor (public key known by bootloader) 3. OS starts, loads the app, start app, iff app has been correctly signed by the vendor and check the validity of the license key (public key(s) known by OS) # Task 5 - similar to Task 4 regarding licensing - boot process: 1. firmware starts, loads the bootloader and registers its hash in the PCR, then starts the booloader 2. bootloader starts, loads the OS and registers its hash in the PCR, then starts the OS 3. OS starts, loads the app and registers its hash in the PCR, then starts the app - a) each console attests it bootloader, OS, and app; the other particpants have to accept the remote attestation - b) keep license key in sealed memory, but then it is bound to one specific bootlader, OS, and app version