--- 1/draft-ietf-rats-yang-tpm-charra-09.txt 2021-08-12 03:13:11.978613383 -0700 +++ 2/draft-ietf-rats-yang-tpm-charra-10.txt 2021-08-12 03:13:12.070615697 -0700 @@ -1,30 +1,30 @@ RATS Working Group H. Birkholz Internet-Draft M. Eckel Intended status: Standards Track Fraunhofer SIT -Expires: 27 January 2022 S. Bhandari +Expires: 13 February 2022 S. Bhandari ThoughtSpot E. Voit B. Sulzen Cisco L. Xia Huawei T. Laffey HPE G. Fedorkow Juniper - 26 July 2021 + 12 August 2021 A YANG Data Model for Challenge-Response-based Remote Attestation Procedures using TPMs - draft-ietf-rats-yang-tpm-charra-09 + draft-ietf-rats-yang-tpm-charra-10 Abstract This document defines YANG RPCs and a small number of configuration nodes required to retrieve attestation evidence about integrity measurements from a device, following the operational context defined in TPM-based Network Device Remote Integrity Verification. Complementary measurement logs are also provided by the YANG RPCs, originating from one or more roots of trust for measurement (RTMs). The module defined requires at least one TPM 1.2 or TPM 2.0 as well 
@@ -38,21 +38,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 27 January 2022. + This Internet-Draft will expire on 13 February 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights @@ -439,21 +439,21 @@ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2021-05-11 { + revision 2021-08-11 { description "Initial version"; reference "draft-ietf-rats-yang-tpm-charra"; } /*****************/ /* Features */ /*****************/ 
@@ -606,39 +606,35 @@ grouping tpm12-pcr-selection { description "A Verifier can request one or more PCR values using its individually created Attestation Key Certificate (AC). The corresponding selection filter is represented in this grouping. Requesting a PCR value that is not in scope of the AC used, detailed exposure via error msg should be avoided."; leaf-list pcr-index { type pcr; - must '/tpm:rats-support-structures/tpm:tpms' - + '/tpm:tpm[name = current()] and ' - + '/tpm:rats-support-structures/tpm:tpms' - + '/tpm:tpm[tpm12-pcrs = current()]' { - error-message "Acquiring this PCR index is not supported"; - } description "The numbers/indexes of the PCRs. At the moment this is limited - to 32."; + to 32. In addition, any selection of PCRs MUST verify that + the set of PCRs requested are a subset the set of PCRs + exposed by in the leaf-list /tpm:rats-support-structures + /tpm:tpms/tpm:tpm[name=current()]/tpm:tpm12-pcrs"; } } grouping tpm20-pcr-selection { description "A Verifier can acquire one or more PCR values, which are hashed together in a TPM2B_DIGEST coming from the TPM2. The selection list of desired PCRs and the Hash Algorithm is represented in this grouping."; - list tpm20-pcr-selection { unique "tpm20-hash-algo"; description "Specifies the list of PCRs and Hash Algorithms that can be returned within a TPM2B_DIGEST."; reference "https://www.trustedcomputinggroup.org/wp-content/uploads/ TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7"; uses tpm20-hash-algo; leaf-list pcr-index { 
@@ -644,21 +640,26 @@ leaf-list pcr-index { type pcr; must '/tpm:rats-support-structures/tpm:tpms' + '/tpm:tpm[name = current()] and ' + '/tpm:rats-support-structures/tpm:tpms/tpm:tpm' + '/tpm:tpm20-pcr-bank[pcr-index = current()]' { error-message "Acquiring this PCR index is not supported"; } description "The numbers of the PCRs that which are being tracked - with a hash based on the tpm20-hash-algo."; + with a hash based on the tpm20-hash-algo. In addition, + any selection of PCRs MUST verify that the set of PCRs + requested are a subset the set of PCR indexes exposed + within /tpm:rats-support-structures/tpm:tpms + /tpm:tpm[name=current()]/tpm:tpm20-pcr-bank + /tpm:pcr-index"; } } } grouping certificate-name-ref { description "Identifies a certificate in a keystore."; leaf certificate-name { type certificate-name-ref; mandatory true; @@ -2317,23 +2317,23 @@ Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote Attestation Procedures Architecture", Work in Progress, Internet-Draft, draft-ietf-rats-architecture- 12, 23 April 2021, . [I-D.ietf-rats-tpm-based-network-device-attest] Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "TPM- based Network Device Remote Integrity Verification", Work in Progress, Internet-Draft, draft-ietf-rats-tpm-based- - network-device-attest-07, 10 June 2021, + network-device-attest-08, 26 July 2021, . + based-network-device-attest-08.txt>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, . 
@@ -2363,23 +2363,23 @@ TCG, ., "TPM 2.0 Keys for Device Identity and Attestation, Rev10", 14 April 2021, . 7.2. Informative References [I-D.ietf-rats-reference-interaction-models] Birkholz, H., Eckel, M., Pan, W., and E. Voit, "Reference Interaction Models for Remote Attestation Procedures", Work in Progress, Internet-Draft, draft-ietf-rats- - reference-interaction-models-03, 12 July 2021, + reference-interaction-models-04, 26 July 2021, . + reference-interaction-models-04.txt>. [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, .
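Review bot: In the hunk at -606,39 (grouping tpm12-pcr-selection), the `must` on leaf-list pcr-index is deleted and its place is taken by a "MUST verify" sentence in the description, which no YANG validator enforces and which does not say who performs the check: the server handling the RPC, or the Verifier building the request. Suggest naming the responsible party and the behaviour when the requested set is not a subset, keeping in mind that the grouping description already asks that detailed exposure via error message be avoided. The path quoted in the new text keeps the predicate tpm:tpm[name=current()] from the deleted XPath. In a description current() has no context node, and in the old `must` it was the pcr-index value itself, so the predicate compared a TPM name with a PCR number. Refer to the selected TPM in words instead. The wording also needs a fix: "are a subset the set of PCRs exposed by in the leaf-list" should read "is a subset of the set of PCRs exposed in the leaf-list".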
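Review bot: In the hunk at -644,21 (leaf-list pcr-index under list tpm20-pcr-selection), the `must` expression stays in place as unchanged context while the description gains the same "MUST verify" sentence, so the TPM 2.0 grouping now carries both an XPath constraint and a prose requirement, whereas the TPM 1.2 grouping in the preceding hunk lost its `must`. Suggest making the two groupings consistent, and stating whether the prose restates the constraint or adds to it. The retained expression still tests tpm:tpm[name = current()] where current() is the pcr-index value, so the first half of the `and` compares a TPM name with a PCR number and the error-message "Acquiring this PCR index is not supported" may fire for valid indexes. The added text has the same wording slip as the TPM 1.2 hunk ("a subset the set of PCR indexes" is missing "of"), and the unchanged first sentence reads "PCRs that which are being tracked".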