Does "late launch"/"dynamic chain of trust" allow remote attestation?
Does "dynamic chain of trust" support remote attestation?
When a dynamic launch is used on an area of memory, specific PCR indexes in the TPM are used to record the state of that software. If these PCR indexes are included in the attestation request by the challenger, then that software would be attested to in the response. These PCR indexes are 17-22, as specified in the TCG's PCClient implementation for BIOS spec, see page 30.
Does it provide way to attest to the code of the trusted module that was launched in this way, to a third party?
Intel's implementation of TXT support on Linux, tboot, has missed a detail, which they will hopefully fix soon. tboot doesn't expose the event log, which would show what software was extended into TPM PCRs as part of the TXT launch. This is a requirement for a remote challenger to attest against dynamic launch PCRs, so at the moment, support isn't fully there. You can technically find the event log, but it's not available in a TCG standard format, so all the common trusted computing tools that'd be used to parse it will not work ATM.
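Why the challenger needs the event log, as an added example that is not part of the answers or of tboot: a quoted PCR is only a hash chain, so the verifier replays the logged digests and checks that they reproduce the quoted values for PCRs 17-22. It assumes a TPM 1.2 SHA-1 bank, a quote whose signature was already verified elsewhere, and a hypothetical simplified log of `(pcr_index, digest, description)` tuples rather than the TCG log format.

```python
import hashlib

# DRTM PCRs named in the answer; a dynamic launch resets them to all zeros
# (TPM 1.2, 20-byte SHA-1 bank) before the launch measurements are extended.
DRTM_PCRS = range(17, 23)
PCR_SIZE = 20

def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()

def replay(event_log):
    """Recompute DRTM PCR values from (pcr_index, digest, description) entries."""
    pcrs = {i: bytes(PCR_SIZE) for i in DRTM_PCRS}
    for index, digest, _desc in event_log:
        if index not in pcrs:
            continue  # static (SRTM) PCR events are out of scope here
        if len(digest) != PCR_SIZE:
            raise ValueError(f"bad digest length for PCR {index}")
        pcrs[index] = extend(pcrs[index], digest)
    return pcrs

def verify(event_log, quoted_pcrs, known_good):
    """Return a list of problems; empty means the log explains the quote and
    every logged measurement is on the verifier's allow-list."""
    problems = []
    replayed = replay(event_log)
    for index, quoted in quoted_pcrs.items():
        if replayed.get(index) != quoted:
            problems.append(f"PCR {index}: event log does not reproduce quoted value")
    for index, digest, desc in event_log:
        if index in DRTM_PCRS and digest not in known_good:
            problems.append(f"PCR {index}: unknown measurement {desc!r}")
    return problems

# Constructed sample data: digests of made-up component images.
SINIT = hashlib.sha1(b"constructed SINIT ACM image").digest()
MLE = hashlib.sha1(b"constructed MLE image").digest()
SAMPLE_LOG = [(17, SINIT, "SINIT ACM"), (18, MLE, "MLE"), (0, bytes(20), "SRTM event")]
SAMPLE_QUOTE = {17: extend(bytes(20), SINIT), 18: extend(bytes(20), MLE)}

if __name__ == "__main__":
    print(verify(SAMPLE_LOG, SAMPLE_QUOTE, {SINIT, MLE}) or "quote explained by log")
```

Without the log the verifier can only compare the final PCR values against a precomputed list, which breaks as soon as any measured component changes.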
Yes.
You can see both functions as being really two separate things, i.e., DRTM (Dynamic Root of Trust for Measurement) is just another way to extend PCR values (17-22) (like SRTM) while Remote Attestation will take whatever PCR you wish to use (much like the SEAL operation). There’s no dependency or real link between those functionalities.
If you want more detail about the internals of DRTM and Remote Attestation I highly suggest reading Flicker’s project papers. Flicker uses DRTM to prove to a 3rd party a particular D-MLE (Dynamic Measure Launch Environment) was executed. Short story: http://www.cs.unc.edu/~reiter/papers/2007/SP.pdf, Long story: https://web.archive.org/web/20151011011703/http://research.microsoft.com/pubs/138301/eurosys053-mccune-cr.pdf.
p.s. There seems to be an error in the long story where they say SRK (Storage Root Key) is created by the manufacturer while in reality it is created by the owner of the platform when he takes ownership. Hopefully, they didn't use the SRK to prove it's a real/physical TPM. Only the EK (Endorsement Key) can prove a TPM to be genuine.