draft-ietf-rats-yang-tpm-charra-11.txt   draft-ietf-rats-yang-tpm-charra-12.txt 
RATS Working Group H. Birkholz RATS Working Group H. Birkholz
Internet-Draft M. Eckel Internet-Draft M. Eckel
Intended status: Standards Track Fraunhofer SIT Intended status: Standards Track Fraunhofer SIT
Expires: 27 February 2022 S. Bhandari Expires: 18 July 2022 S. Bhandari
ThoughtSpot ThoughtSpot
E. Voit E. Voit
B. Sulzen B. Sulzen
Cisco Cisco
L. Xia L. Xia
Huawei Huawei
T. Laffey T. Laffey
HPE HPE
G. Fedorkow G. Fedorkow
Juniper Juniper
26 August 2021 14 January 2022
A YANG Data Model for Challenge-Response-based Remote Attestation A YANG Data Model for Challenge-Response-based Remote Attestation
Procedures using TPMs Procedures using TPMs
draft-ietf-rats-yang-tpm-charra-11 draft-ietf-rats-yang-tpm-charra-12
Abstract Abstract
This document defines YANG RPCs and a small number of configuration This document defines YANG RPCs and a small number of configuration
nodes required to retrieve attestation evidence about integrity nodes required to retrieve attestation evidence about integrity
measurements from a device, following the operational context defined measurements from a device, following the operational context defined
in TPM-based Network Device Remote Integrity Verification. in TPM-based Network Device Remote Integrity Verification.
Complementary measurement logs are also provided by the YANG RPCs, Complementary measurement logs are also provided by the YANG RPCs,
originating from one or more roots of trust for measurement (RTMs). originating from one or more roots of trust for measurement (RTMs).
The module defined requires at least one TPM 1.2 or TPM 2.0 as well The module defined requires at least one TPM 1.2 or TPM 2.0 as well
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 27 February 2022. This Internet-Draft will expire on 18 July 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Revised BSD License text as
as described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3
2. The YANG Module for Basic Remote Attestation Procedures . . . 4 2. The YANG Module for Basic Remote Attestation Procedures . . . 3
2.1. YANG Modules . . . . . . . . . . . . . . . . . . . . . . 4 2.1. YANG Modules . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1. 'ietf-tpm-remote-attestation' . . . . . . . . . . . . 4 2.1.1. 'ietf-tpm-remote-attestation' . . . . . . . . . . . . 3
2.1.2. 'ietf-tcg-algs' . . . . . . . . . . . . . . . . . . . 33 2.1.2. 'ietf-tcg-algs' . . . . . . . . . . . . . . . . . . . 32
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47
4. Security Considerations . . . . . . . . . . . . . . . . . . . 49 4. Security Considerations . . . . . . . . . . . . . . . . . . . 48
5. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 50 5. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 50
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.1. Normative References . . . . . . . . . . . . . . . . . . 51 6.1. Normative References . . . . . . . . . . . . . . . . . . 51
6.2. Informative References . . . . . . . . . . . . . . . . . 53 6.2. Informative References . . . . . . . . . . . . . . . . . 53
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54
1. Introduction 1. Introduction
This document is based on the general terminology defined in the This document is based on the general terminology defined in the
[I-D.ietf-rats-architecture] and uses the operational context defined [I-D.ietf-rats-architecture] and uses the operational context defined
in [I-D.ietf-rats-tpm-based-network-device-attest] as well as the in [I-D.ietf-rats-tpm-based-network-device-attest] as well as the
interaction model and information elements defined in interaction model and information elements defined in
[I-D.ietf-rats-reference-interaction-models]. The currently [I-D.ietf-rats-reference-interaction-models]. The currently
supported hardware security modules (HSMs) are the Trusted Platform supported hardware security modules (HSMs) are the Trusted Platform
Modules (TPMs) [TPM1.2] and [TPM2.0] as specified by the Trusted Modules (TPMs) [TPM1.2] and [TPM2.0] as specified by the Trusted
skipping to change at page 4, line 15 skipping to change at page 3, line 31
2. The YANG Module for Basic Remote Attestation Procedures 2. The YANG Module for Basic Remote Attestation Procedures
One or more TPMs MUST be embedded in a Composite Device that provides One or more TPMs MUST be embedded in a Composite Device that provides
attestation evidence via the YANG module defined in this document. attestation evidence via the YANG module defined in this document.
The ietf-basic-remote-attestation YANG module enables a composite The ietf-basic-remote-attestation YANG module enables a composite
device to take on the role of an Attester, in accordance with the device to take on the role of an Attester, in accordance with the
Remote Attestation Procedures (RATS) architecture Remote Attestation Procedures (RATS) architecture
[I-D.ietf-rats-architecture], and the corresponding challenge- [I-D.ietf-rats-architecture], and the corresponding challenge-
response interaction model defined in the response interaction model defined in the
[I-D.ietf-rats-reference-interaction-models] document. A fresh nonce [I-D.ietf-rats-reference-interaction-models] document. A fresh nonce
with an appropriate amount of entropy MUST be supplied by the YANG with an appropriate amount of entropy [NIST-915121] MUST be supplied
client in order to enable a proof-of-freshness with respect to the by the YANG client in order to enable a proof-of-freshness with
attestation Evidence provided by the Attester running the YANG respect to the attestation Evidence provided by the Attester running
datastore. Further, this nonce is used to prevent replay attacks. the YANG datastore. Further, this nonce is used to prevent replay
The functions of this YANG module are restricted to 0-1 TPMs per attacks. The method for communicating the relationship of each
hardware component. individual TPM to specific measured component within the Composite
Device is out of the scope of this document.
2.1. YANG Modules 2.1. YANG Modules
In this section the several YANG modules are defined. In this section the several YANG modules are defined.
2.1.1. 'ietf-tpm-remote-attestation' 2.1.1. 'ietf-tpm-remote-attestation'
This YANG module imports modules from [RFC6991], [RFC8348], This YANG module imports modules from [RFC6991], [RFC8348],
[I-D.ietf-netconf-keystore], and "ietf-tcg-algs.yang" [I-D.ietf-netconf-keystore], and ietf-tcg-algs.yang Section 2.1.2.3.
Section 2.1.2.3.
2.1.1.1. Features 2.1.1.1. Features
This module supports the following features: This module supports the following features:
* 'TPMs': Indicates that multiple TPMs on the device can support * 'TPMs': Indicates that multiple TPMs on the device can support
remote attestation. This feature is applicable in cases where remote attestation. This feature is applicable in cases where
multiple line cards are present, each with its own TPM. multiple line cards are present, each with its own TPM.
* 'bios': Indicates that the device supports the retrieval of BIOS/ * 'bios': Indicates that the device supports the retrieval of BIOS/
UEFI event logs. UEFI event logs. [bios-log]
* 'ima': Indicates that the device supports the retrieval of event * 'ima': Indicates that the device supports the retrieval of event
logs from the Linux Integrity Measurement Architecture (IMA). logs from the Linux Integrity Measurement Architecture (IMA).
[ima-log]
* 'netequip_boot': Indicates that the device supports the retrieval * 'netequip_boot': Indicates that the device supports the retrieval
of netequip boot event logs. of netequip boot event logs. [netequip-boot-log]
2.1.1.2. Identities 2.1.1.2. Identities
This module supports the following types of attestation event logs: This module supports the following types of attestation event logs:
'bios', 'ima', and 'netequip_boot'. 'bios', 'ima', and 'netequip_boot'.
2.1.1.3. Remote Procedure Calls (RPCs) 2.1.1.3. Remote Procedure Calls (RPCs)
In the following, RPCs for both TPM 1.2 and TPM 2.0 attestation In the following, RPCs for both TPM 1.2 and TPM 2.0 attestation
procedures are defined. procedures are defined.
skipping to change at page 7, line 17 skipping to change at page 6, line 17
xmlns="urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation"> xmlns="urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation">
<certificate-name> <certificate-name>
(identifier of a TPM signature key with which the Verifier is (identifier of a TPM signature key with which the Verifier is
supposed to sign the attestation data) supposed to sign the attestation data)
</certificate-name> </certificate-name>
<nonce> <nonce>
0xe041307208d9f78f5b1bbecd19e2d152ad49de2fc5a7d8dbf769f6b8ffdeab9 0xe041307208d9f78f5b1bbecd19e2d152ad49de2fc5a7d8dbf769f6b8ffdeab9
</nonce> </nonce>
<tpm20-pcr-selection> <tpm20-pcr-selection>
<tpm20-hash-algo <tpm20-hash-algo
xmlns:taa="urn:ietf:params:xml:ns:yang:ietf-tcg-algs"> xmlns="urn:ietf:params:xml:ns:yang:ietf-tcg-algs">
taa:TPM_ALG_SHA256 TPM_ALG_SHA256
</tpm20-hash-algo> </tpm20-hash-algo>
<pcr-index>0</pcr-index> <pcr-index>0</pcr-index>
<pcr-index>1</pcr-index> <pcr-index>1</pcr-index>
<pcr-index>2</pcr-index> <pcr-index>2</pcr-index>
<pcr-index>3</pcr-index> <pcr-index>3</pcr-index>
<pcr-index>4</pcr-index> <pcr-index>4</pcr-index>
<pcr-index>5</pcr-index> <pcr-index>5</pcr-index>
<pcr-index>6</pcr-index> <pcr-index>6</pcr-index>
<pcr-index>7</pcr-index> <pcr-index>7</pcr-index>
</tpm20-pcr-selection> </tpm20-pcr-selection>
</tpm20-challenge-response-attestation> </tpm20-challenge-response-attestation>
</rpc> </rpc>
A successful response could be formatted as follows: A successful response could be formatted as follows:
<rpc-reply message-id="101" <rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<tpm20-attestation-response <tpm20-attestation-response
xmlns="urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation"> xmlns="urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation">
<certificate-name <certificate-name
xmlns:ks=urn:ietf:params:xml:ns:yang:ietf-keystore> xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
ks:(instance of Certificate name in the Keystore) (instance of Certificate name in the Keystore)
</certificate-name> </certificate-name>
<attestation-data> <attestation-data>
(raw attestation data, i.e. the TPM quote; this includes (raw attestation data, i.e. the TPM quote; this includes
a composite digest of requested PCRs, the nonce, a composite digest of requested PCRs, the nonce,
and TPM 2.0 time information.) and TPM 2.0 time information.)
</attestation-data> </attestation-data>
<quote-signature> <quote-signature>
(signature over attestation-data using the TPM key (signature over attestation-data using the TPM key
identified by sig-key-id) identified by sig-key-id)
</quote-signature> </quote-signature>
skipping to change at page 12, line 12 skipping to change at page 11, line 12
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2021-08-11 { revision 2021-11-16 {
description description
"Initial version"; "Initial version";
reference reference
"draft-ietf-rats-yang-tpm-charra"; "draft-ietf-rats-yang-tpm-charra";
} }
/*****************/ /*****************/
/* Features */ /* Features */
/*****************/ /*****************/
skipping to change at page 12, line 35 skipping to change at page 11, line 35
"The device supports the remote attestation of multiple "The device supports the remote attestation of multiple
TPM based cryptoprocessors."; TPM based cryptoprocessors.";
} }
feature bios { feature bios {
description description
"The device supports the bios logs."; "The device supports the bios logs.";
reference reference
"https://trustedcomputinggroup.org/wp-content/uploads/ "https://trustedcomputinggroup.org/wp-content/uploads/
PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf
Section 9.4.5.2"; Section 9.4.5.2 and
https://trustedcomputinggroup.org/resource/
tcg-efi-platform-specification/ Version 1.22, Revision 15";
} }
feature ima { feature ima {
description description
"The device supports Integrity Measurement Architecture logs."; "The device supports Integrity Measurement Architecture logs.
Many variants of IMA logs exist in the deployment. Each encodes
the log entry contents as the specific measurements which get
hashed into a PCRs as Evidence. See the reference below for
one example of such an encoding.";
reference reference
"https://www.trustedcomputinggroup.org/wp-content/uploads/ "https://www.trustedcomputinggroup.org/wp-content/uploads/
TCG_IWG_CEL_v1_r0p30_13feb2021.pdf Section 4.3"; TCG_IWG_CEL_v1_r0p30_13feb2021.pdf Section 4.3";
} }
feature netequip_boot { feature netequip_boot {
description description
"The device supports the netequip_boot logs."; "The device supports the netequip_boot logs.";
reference
"https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy";
} }
/*****************/ /*****************/
/* Typedefs */ /* Typedefs */
/*****************/ /*****************/
typedef pcr { typedef pcr {
type uint8 { type uint8 {
range "0..31"; range "0..31";
} }
skipping to change at page 15, line 20 skipping to change at page 14, line 28
description description
"A random number intended to be used once to show freshness "A random number intended to be used once to show freshness
and to allow the detection of replay attacks."; and to allow the detection of replay attacks.";
leaf nonce-value { leaf nonce-value {
type binary; type binary;
mandatory true; mandatory true;
description description
"A cryptographically generated random number which should "A cryptographically generated random number which should
not be predictable prior to its issuance from a random not be predictable prior to its issuance from a random
number generation function. The random number MUST be number generation function. The random number MUST be
derived from an entropy source external to the Attester."; derived from an entropy source external to the Attester.
Note that a nonce sent into a TPM will typically be 160 or 256
binary digits long. (This is 20 or 32 bytes.) So if fewer
binary are sent, this nonce object will be padded
with leading zeros any in Quotes returned from the TPM.
Additionally if more bytes are sent, the nonce will be trimmed
to the most significant binary digits.";
} }
} }
grouping tpm12-pcr-selection { grouping tpm12-pcr-selection {
description description
"A Verifier can request one or more PCR values using its "A Verifier can request one or more PCR values using its
individually created Attestation Key Certificate (AC). individually created Attestation Key Certificate (AC).
The corresponding selection filter is represented in this The corresponding selection filter is represented in this
grouping. grouping.
Requesting a PCR value that is not in scope of the AC used, Requesting a PCR value that is not in scope of the AC used,
skipping to change at page 17, line 40 skipping to change at page 17, line 7
measurements. It is supplemented by unsigned Attester measurements. It is supplemented by unsigned Attester
information."; information.";
uses node-uptime; uses node-uptime;
leaf TPM_QUOTE2 { leaf TPM_QUOTE2 {
type binary; type binary;
description description
"Result of a TPM1.2 Quote2 operation. This includes PCRs, "Result of a TPM1.2 Quote2 operation. This includes PCRs,
signatures, locality, the provided nonce and other data which signatures, locality, the provided nonce and other data which
can be further parsed to appraise the Attester."; can be further parsed to appraise the Attester.";
reference reference
"TPM1.2 commands rev116 July 2007, Section 16.5"; "TPM1.2 commands rev116 July 2007, Section 16.5
https://trustedcomputinggroup.org/wp-content/uploads
/TPM-Main-Part-3-Commands_v1.2_rev116_01032011.pdf";
} }
} }
grouping tpm20-attestation { grouping tpm20-attestation {
description description
"Contains an instance of TPM2 style signed cryptoprocessor "Contains an instance of TPM2 style signed cryptoprocessor
measurements. It is supplemented by unsigned Attester measurements. It is supplemented by unsigned Attester
information."; information.";
leaf TPMS_QUOTE_INFO { leaf TPMS_QUOTE_INFO {
type binary; type binary;
skipping to change at page 18, line 38 skipping to change at page 18, line 7
necessarily make it easy for a Verifier to appraise just the necessarily make it easy for a Verifier to appraise just the
minimum set of PCR information which has changed since the last minimum set of PCR information which has changed since the last
received TPM2B_DIGEST. Put another way, why should a Verifier received TPM2B_DIGEST. Put another way, why should a Verifier
reconstruct the proper value of all PCR Quotes when only a reconstruct the proper value of all PCR Quotes when only a
single PCR has changed? single PCR has changed?
To help this happen, if the Attester does know specific PCR To help this happen, if the Attester does know specific PCR
values, the Attester can provide these individual values via values, the Attester can provide these individual values via
'unsigned-pcr-values'. By comparing this information to the 'unsigned-pcr-values'. By comparing this information to the
what has previously been validated, it is possible for a what has previously been validated, it is possible for a
Verifier to confirm the Attester's signature while eliminating Verifier to confirm the Attester's signature while eliminating
significant processing."; significant processing. There should never be a result where
an unsigned PCR value is actually that that within a quote.
If there is a difference, a signed result which has been
verified from retrieved logs is considered definitive.";
uses tpm20-hash-algo; uses tpm20-hash-algo;
list pcr-values { list pcr-values {
key "pcr-index"; key "pcr-index";
description description
"List of one PCR bank."; "List of one PCR bank.";
leaf pcr-index { leaf pcr-index {
type pcr; type pcr;
description description
"PCR index number."; "PCR index number.";
} }
skipping to change at page 33, line 44 skipping to change at page 33, line 10
3. *Specific algorithm types*: Each algorithm type defines what 3. *Specific algorithm types*: Each algorithm type defines what
cryptographic functions may be supported, and on which type of cryptographic functions may be supported, and on which type of
API specification. It is not required that an implementation of API specification. It is not required that an implementation of
a specific TPM will support all algorithm types. The contents of a specific TPM will support all algorithm types. The contents of
each specific algorithm mirrors what is in Table 3 of each specific algorithm mirrors what is in Table 3 of
[TCG-Algos]. [TCG-Algos].
2.1.2.3. YANG Module 2.1.2.3. YANG Module
<CODE BEGINS> file "ietf-tcg-algs@2021-05-11.yang" <CODE BEGINS> file "ietf-tcg-algs@2021-11-05.yang"
module ietf-tcg-algs { module ietf-tcg-algs {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tcg-algs"; namespace "urn:ietf:params:xml:ns:yang:ietf-tcg-algs";
prefix taa; prefix taa;
organization organization
"IETF RATS Working Group"; "IETF RATS Working Group";
contact contact
"WG Web: <http://datatracker.ietf.org/wg/rats/> "WG Web: <http://datatracker.ietf.org/wg/rats/>
skipping to change at page 34, line 31 skipping to change at page 33, line 45
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2021-05-11 { revision 2021-11-05 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: tbd"; "RFC XXXX: tbd";
} }
/*****************/ /*****************/
/* Features */ /* Features */
/*****************/ /*****************/
feature tpm12 { feature tpm12 {
description description
"This feature indicates algorithm support for the TPM 1.2 API "This feature indicates algorithm support for the TPM 1.2 API
as per TPM-main-1.2-Rev94-part-2, Section 4.8."; as per Section 4.8 of TPM Main Part 2 TPM Structures
https://trustedcomputinggroup.org/wp-content/uploads/
TPM-main-1.2-Rev94-part-2.pdf";
} }
feature tpm20 { feature tpm20 {
description description
"This feature indicates algorithm support for the TPM 2.0 API "This feature indicates algorithm support for the TPM 2.0 API
as per TPM-Rev-2.0-Part-1-Architecture-01.38 Section 11.4."; as per Section 11.4 of Trusted Platform Module Library
Part 1: Architecture
https://trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-1-Architecture-01.38.pdf";
} }
/*****************/ /*****************/
/* Identities */ /* Identities */
/*****************/ /*****************/
/* There needs to be collasping/verification of some of the identity
types between the various algorithm types listed below */
identity asymmetric { identity asymmetric {
description description
"A TCG recognized asymmetric algorithm with a public and "A TCG recognized asymmetric algorithm with a public and
private key."; private key.";
reference reference
"http://trustedcomputinggroup.org/resource/tcg-algorithm-registry/ "TCG Algorithm Registry Revision 01.32 Table 2
TCG_Algorithm_Registry_r1p32_pub Table 2"; http://trustedcomputinggroup.org/resource/tcg-algorithm-registry/
TCG-_Algorithm_Registry_r1p32_pub";
} }
identity symmetric { identity symmetric {
description description
"A TCG recognized symmetric algorithm with only a private key."; "A TCG recognized symmetric algorithm with only a private key.";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 2"; "TCG Algorithm Registry Revision 01.32 Table 2";
} }
identity hash { identity hash {
description description
"A TCG recognized hash algorithm that compresses input data to "A TCG recognized hash algorithm that compresses input data to
a digest value or indicates a method that uses a hash."; a digest value or indicates a method that uses a hash.";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 2"; "TCG Algorithm Registry Revision 01.32 Table 2";
} }
identity signing { identity signing {
description description
"A TCG recognized signing algorithm"; "A TCG recognized signing algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 2"; "TCG Algorithm Registry Revision 01.32 Table 2";
} }
identity anonymous_signing { identity anonymous_signing {
description description
"A TCG recognized anonymous signing algorithm."; "A TCG recognized anonymous signing algorithm.";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 2"; "TCG Algorithm Registry Revision 01.32 Table 2";
} }
identity encryption_mode { identity encryption_mode {
description description
"A TCG recognized encryption mode."; "A TCG recognized encryption mode.";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 2"; "TCG Algorithm Registry Revision 01.32 Table 2";
} }
identity method { identity method {
description description
"A TCG recognized method such as a mask generation function."; "A TCG recognized method such as a mask generation function.";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 2"; "TCG Algorithm Registry Revision 01.32 Table 2";
} }
identity object_type { identity object_type {
description description
"A TCG recognized object type."; "A TCG recognized object type.";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 2"; "TCG Algorithm Registry Revision 01.32 Table 2";
} }
identity cryptoprocessor { identity cryptoprocessor {
description description
"Base identity identifying a crytoprocessor."; "Base identity identifying a crytoprocessor.";
} }
identity tpm12 { identity tpm12 {
if-feature "tpm12"; if-feature "tpm12";
base cryptoprocessor; base cryptoprocessor;
skipping to change at page 37, line 8 skipping to change at page 36, line 29
identity TPM_ALG_RSA { identity TPM_ALG_RSA {
if-feature "tpm12 or tpm20"; if-feature "tpm12 or tpm20";
base tpm12; base tpm12;
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base object_type; base object_type;
description description
"RSA algorithm"; "RSA algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
RFC 8017. ALG_ID: 0x0001"; RFC 8017. ALG_ID: 0x0001";
} }
identity TPM_ALG_TDES { identity TPM_ALG_TDES {
if-feature "tpm12"; if-feature "tpm12";
base tpm12; base tpm12;
base symmetric; base symmetric;
description description
"Block cipher with various key sizes (Triple Data Encryption "Block cipher with various key sizes (Triple Data Encryption
Algorithm, commonly called Triple Data Encryption Standard) Algorithm, commonly called Triple Data Encryption Standard)
Note: was banned in TPM1.2 v94"; Note: was banned in TPM1.2 v94";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 18033-3. ALG_ID: 0x0003"; ISO/IEC 18033-3. ALG_ID: 0x0003";
} }
identity TPM_ALG_SHA1 { identity TPM_ALG_SHA1 {
if-feature "tpm12 or tpm20"; if-feature "tpm12 or tpm20";
base hash; base hash;
base tpm12; base tpm12;
base tpm20; base tpm20;
description description
"SHA1 algorithm - Deprecated due to insufficient cryptographic "SHA1 algorithm - Deprecated due to insufficient cryptographic
protection. However it is still useful for hash algorithms protection. However it is still useful for hash algorithms
where protection is not required."; where protection is not required.";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 10118-3. ALG_ID: 0x0004"; ISO/IEC 10118-3. ALG_ID: 0x0004";
} }
identity TPM_ALG_HMAC { identity TPM_ALG_HMAC {
if-feature "tpm12 or tpm20"; if-feature "tpm12 or tpm20";
base tpm12; base tpm12;
base tpm20; base tpm20;
base hash; base hash;
base signing; base signing;
description description
"Hash Message Authentication Code (HMAC) algorithm"; "Hash Message Authentication Code (HMAC) algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3, "TCG Algorithm Registry Revision 01.32 Table 3,
ISO/IEC 9797-2 and RFC2014. ALG_ID: 0x0005"; ISO/IEC 9797-2 and RFC2014. ALG_ID: 0x0005";
} }
identity TPM_ALG_AES { identity TPM_ALG_AES {
if-feature "tpm12"; if-feature "tpm12";
base tpm12; base tpm12;
base symmetric; base symmetric;
description description
"The AES algorithm with various key sizes"; "The AES algorithm with various key sizes";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 18033-3. ALG_ID: 0x0006"; ISO/IEC 18033-3. ALG_ID: 0x0006";
} }
identity TPM_ALG_MGF1 { identity TPM_ALG_MGF1 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
base method; base method;
description description
"hash-based mask-generation function"; "hash-based mask-generation function";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3, "TCG Algorithm Registry Revision 01.32 Table 3,
IEEE Std 1363-2000 and IEEE Std 1363a -2004. IEEE Std 1363-2000 and IEEE Std 1363a-2004.
ALG_ID: 0x0007"; ALG_ID: 0x0007";
} }
identity TPM_ALG_KEYEDHASH { identity TPM_ALG_KEYEDHASH {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
base object_type; base object_type;
description description
"An encryption or signing algorithm using a keyed hash. These "An encryption or signing algorithm using a keyed hash. These
may use XOR for encryption or an HMAC for signing and may may use XOR for encryption or an HMAC for signing and may
also refer to a data object that is neither signing nor also refer to a data object that is neither signing nor
encrypting."; encrypting.";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
TCG TPM 2.0 library specification. . ALG_ID: 0x0008"; TCG TPM 2.0 library specification. ALG_ID: 0x0008";
} }
identity TPM_ALG_XOR { identity TPM_ALG_XOR {
if-feature "tpm12 or tpm20"; if-feature "tpm12 or tpm20";
base tpm12; base tpm12;
base tpm20; base tpm20;
base hash; base hash;
base symmetric; base symmetric;
description description
"The XOR encryption algorithm."; "The XOR encryption algorithm.";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
TCG TPM 2.0 library specification. ALG_ID: 0x000A"; TCG TPM 2.0 library specification. ALG_ID: 0x000A";
} }
identity TPM_ALG_SHA256 { identity TPM_ALG_SHA256 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SHA 256 algorithm"; "The SHA 256 algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 10118-3. ALG_ID: 0x000B"; ISO/IEC 10118-3. ALG_ID: 0x000B";
} }
identity TPM_ALG_SHA384 { identity TPM_ALG_SHA384 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SHA 384 algorithm"; "The SHA 384 algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 10118-3. ALG_ID: 0x000C"; ISO/IEC 10118-3. ALG_ID: 0x000C";
} }
identity TPM_ALG_SHA512 { identity TPM_ALG_SHA512 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SHA 512 algorithm"; "The SHA 512 algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 10118-3. ALG_ID: 0x000D"; ISO/IEC 10118-3. ALG_ID: 0x000D";
} }
identity TPM_ALG_NULL { identity TPM_ALG_NULL {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
description description
"NULL algorithm"; "NULL algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
TCG TPM 2.0 library specification. ALG_ID: 0x0010"; TCG TPM 2.0 library specification. ALG_ID: 0x0010";
} }
identity TPM_ALG_SM3_256 { identity TPM_ALG_SM3_256 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SM3 hash algorithm."; "The SM3 hash algorithm.";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
GM/T 0004-2012 - SM3_256. ALG_ID: 0x0012"; ISO/IEC 10118-3:2018. ALG_ID: 0x0012";
} }
identity TPM_ALG_SM4 { identity TPM_ALG_SM4 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
description description
"SM4 symmetric block cipher"; "SM4 symmetric block cipher";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
GB/T 32907-2016. ALG_ID: 0x0013"; GB/T 32907-2016. ALG_ID: 0x0013";
} }
identity TPM_ALG_RSASSA { identity TPM_ALG_RSASSA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Signature algorithm defined in section 8.2 (RSASSAPKCS1-v1_5)"; "Signature algorithm defined in section 8.2 (RSASSAPKCS1-v1_5)";
skipping to change at page 40, line 32 skipping to change at page 40, line 4
GB/T 32907-2016. ALG_ID: 0x0013"; GB/T 32907-2016. ALG_ID: 0x0013";
} }
identity TPM_ALG_RSASSA { identity TPM_ALG_RSASSA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Signature algorithm defined in section 8.2 (RSASSAPKCS1-v1_5)"; "Signature algorithm defined in section 8.2 (RSASSAPKCS1-v1_5)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and RFC 8017. "TCG Algorithm Registry Revision 01.32 Table 3 and RFC 8017.
ALG_ID: 0x0014"; ALG_ID: 0x0014";
} }
identity TPM_ALG_RSAES { identity TPM_ALG_RSAES {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base encryption_mode; base encryption_mode;
description description
"Signature algorithm defined in section 7.2 (RSAES-PKCS1-v1_5)"; "Signature algorithm defined in section 7.2 (RSAES-PKCS1-v1_5)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and RFC 8017 "TCG Algorithm Registry Revision 01.32 Table 3 and RFC 8017
ALG_ID: 0x0015"; ALG_ID: 0x0015";
} }
identity TPM_ALG_RSAPSS { identity TPM_ALG_RSAPSS {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Padding algorithm defined in section 8.1 (RSASSA PSS)"; "Padding algorithm defined in section 8.1 (RSASSA PSS)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and RFC 8017. "TCG Algorithm Registry Revision 01.32 Table 3 and RFC 8017.
ALG_ID: 0x0016"; ALG_ID: 0x0016";
} }
identity TPM_ALG_OAEP { identity TPM_ALG_OAEP {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base encryption_mode; base encryption_mode;
description description
"Padding algorithm defined in section 7.1 (RSASSA OAEP)"; "Padding algorithm defined in section 7.1 (RSASSA OAEP)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and RFC 8017. "TCG Algorithm Registry Revision 01.32 Table 3 and RFC 8017.
ALG_ID: 0x0017"; ALG_ID: 0x0017";
} }
identity TPM_ALG_ECDSA { identity TPM_ALG_ECDSA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Signature algorithm using elliptic curve cryptography (ECC)"; "Signature algorithm using elliptic curve cryptography (ECC)";
skipping to change at page 41, line 32 skipping to change at page 41, line 4
ALG_ID: 0x0017"; ALG_ID: 0x0017";
} }
identity TPM_ALG_ECDSA { identity TPM_ALG_ECDSA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Signature algorithm using elliptic curve cryptography (ECC)"; "Signature algorithm using elliptic curve cryptography (ECC)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 14888-3. ALG_ID: 0x0018"; ISO/IEC 14888-3. ALG_ID: 0x0018";
} }
identity TPM_ALG_ECDH { identity TPM_ALG_ECDH {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base method; base method;
description description
"Secret sharing using ECC"; "Secret sharing using ECC";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST SP800-56A and RFC 7748. ALG_ID: 0x0019"; NIST SP800-56A and RFC 7748. ALG_ID: 0x0019";
} }
identity TPM_ALG_ECDAA { identity TPM_ALG_ECDAA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
base anonymous_signing; base anonymous_signing;
description description
"Elliptic-curve based anonymous signing scheme"; "Elliptic-curve based anonymous signing scheme";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
TCG TPM 2.0 library specification. ALG_ID: 0x001A"; TCG TPM 2.0 library specification. ALG_ID: 0x001A";
} }
identity TPM_ALG_SM2 { identity TPM_ALG_SM2 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
base method; base method;
description description
"SM2 - depending on context, either an elliptic-curve based, "SM2 - depending on context, either an elliptic-curve based,
signature algorithm, an encryption scheme, or a key exchange signature algorithm, an encryption scheme, or a key exchange
protocol"; protocol";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
A GM/T 0003.1-2012, GM/T 0003.2-2012, GM/T 0003.3-2012, GB/T 32918.1-2016, GB/T 32918.2-2016, GB/T 32918.3-2016, GB/T
GM/T 0003.5-2012 SM2. ALG_ID: 0x001B"; 32918.4-2016, GB/T 32918.5-2017. ALG_ID: 0x001B";
} }
identity TPM_ALG_ECSCHNORR { identity TPM_ALG_ECSCHNORR {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Elliptic-curve based Schnorr signature"; "Elliptic-curve based Schnorr signature";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
TCG TPM 2.0 library specification. ALG_ID: 0x001C"; TCG TPM 2.0 library specification. ALG_ID: 0x001C";
} }
identity TPM_ALG_ECMQV { identity TPM_ALG_ECMQV {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base method; base method;
description description
"Two-phase elliptic-curve key"; "Two-phase elliptic-curve key";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST SP800-56A. ALG_ID: 0x001D"; NIST SP800-56A. ALG_ID: 0x001D";
} }
identity TPM_ALG_KDF1_SP800_56A { identity TPM_ALG_KDF1_SP800_56A {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
base method; base method;
description description
"Concatenation key derivation function"; "Concatenation key derivation function";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST SP800-56A (approved alternative1) section 5.8.1. NIST SP800-56A (approved alternative1) section 5.8.1.
ALG_ID: 0x0020"; ALG_ID: 0x0020";
} }
identity TPM_ALG_KDF2 { identity TPM_ALG_KDF2 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
base method; base method;
description description
"Key derivation function"; "Key derivation function";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
IEEE 1363a-2004 KDF2 section 13.2. ALG_ID: 0x0021"; IEEE 1363a-2004 KDF2 section 13.2. ALG_ID: 0x0021";
} }
identity TPM_ALG_KDF1_SP800_108 { identity TPM_ALG_KDF1_SP800_108 {
base TPM_ALG_KDF2; base TPM_ALG_KDF2;
description description
"A key derivation method"; "A key derivation method";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST SP800-108 - Section 5.1 KDF. ALG_ID: 0x0022"; NIST SP800-108 - Section 5.1 KDF. ALG_ID: 0x0022";
} }
identity TPM_ALG_ECC { identity TPM_ALG_ECC {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base object_type; base object_type;
description description
"Prime field ECC"; "Prime field ECC";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 15946-1. ALG_ID: 0x0023"; ISO/IEC 15946-1. ALG_ID: 0x0023";
} }
identity TPM_ALG_SYMCIPHER { identity TPM_ALG_SYMCIPHER {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
description description
"Object type for a symmetric block cipher"; "Object type for a symmetric block cipher";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
TCG TPM 2.0 library specification. ALG_ID: 0x0025"; TCG TPM 2.0 library specification. ALG_ID: 0x0025";
} }
identity TPM_ALG_CAMELLIA { identity TPM_ALG_CAMELLIA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
description description
"The Camellia algorithm"; "The Camellia algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 18033-3. ALG_ID: 0x0026"; ISO/IEC 18033-3. ALG_ID: 0x0026";
} }
identity TPM_ALG_SHA3_256 { identity TPM_ALG_SHA3_256 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"ISO/IEC 10118-3 - the SHA 256 algorithm"; "ISO/IEC 10118-3 - the SHA 256 algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST PUB FIPS 202. ALG_ID: 0x0027"; NIST PUB FIPS 202. ALG_ID: 0x0027";
} }
identity TPM_ALG_SHA3_384 { identity TPM_ALG_SHA3_384 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SHA 384 algorithm"; "The SHA 384 algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST PUB FIPS 202. ALG_ID: 0x0028"; NIST PUB FIPS 202. ALG_ID: 0x0028";
} }
identity TPM_ALG_SHA3_512 { identity TPM_ALG_SHA3_512 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SHA 512 algorithm"; "The SHA 512 algorithm";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST PUB FIPS 202. ALG_ID: 0x0029"; NIST PUB FIPS 202. ALG_ID: 0x0029";
} }
identity TPM_ALG_CMAC { identity TPM_ALG_CMAC {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
description description
"block Cipher-based Message Authentication Code (CMAC)"; "block Cipher-based Message Authentication Code (CMAC)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 9797-1:2011 Algorithm 5. ALG_ID: 0x003F"; ISO/IEC 9797-1:2011 Algorithm 5. ALG_ID: 0x003F";
} }
identity TPM_ALG_CTR { identity TPM_ALG_CTR {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Counter mode"; "Counter mode";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 10116. ALG_ID: 0x0040"; ISO/IEC 10116. ALG_ID: 0x0040";
} }
identity TPM_ALG_OFB { identity TPM_ALG_OFB {
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Output Feedback mode"; "Output Feedback mode";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 10116. ALG_ID: 0x0041"; ISO/IEC 10116. ALG_ID: 0x0041";
} }
identity TPM_ALG_CBC { identity TPM_ALG_CBC {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Cipher Block Chaining mode"; "Cipher Block Chaining mode";
skipping to change at page 46, line 4 skipping to change at page 45, line 25
ISO/IEC 10116. ALG_ID: 0x0041"; ISO/IEC 10116. ALG_ID: 0x0041";
} }
identity TPM_ALG_CBC { identity TPM_ALG_CBC {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Cipher Block Chaining mode"; "Cipher Block Chaining mode";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 10116. ALG_ID: 0x0042"; ISO/IEC 10116. ALG_ID: 0x0042";
} }
identity TPM_ALG_CFB { identity TPM_ALG_CFB {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Cipher Feedback mode"; "Cipher Feedback mode";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 10116. ALG_ID: 0x0043"; ISO/IEC 10116. ALG_ID: 0x0043";
} }
identity TPM_ALG_ECB { identity TPM_ALG_ECB {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Electronic Codebook mode"; "Electronic Codebook mode";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
ISO/IEC 10116. ALG_ID: 0x0044"; ISO/IEC 10116. ALG_ID: 0x0044";
} }
identity TPM_ALG_CCM { identity TPM_ALG_CCM {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"Counter with Cipher Block Chaining-Message Authentication "Counter with Cipher Block Chaining-Message Authentication
skipping to change at page 46, line 44 skipping to change at page 46, line 17
identity TPM_ALG_CCM { identity TPM_ALG_CCM {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"Counter with Cipher Block Chaining-Message Authentication "Counter with Cipher Block Chaining-Message Authentication
Code (CCM)"; Code (CCM)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST SP800-38C. ALG_ID: 0x0050"; NIST SP800-38C. ALG_ID: 0x0050";
} }
identity TPM_ALG_GCM { identity TPM_ALG_GCM {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"Galois/Counter Mode (GCM)"; "Galois/Counter Mode (GCM)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST SP800-38D. ALG_ID: 0x0051"; NIST SP800-38D. ALG_ID: 0x0051";
} }
identity TPM_ALG_KW { identity TPM_ALG_KW {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"AES Key Wrap (KW)"; "AES Key Wrap (KW)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST SP800-38F. ALG_ID: 0x0052"; NIST SP800-38F. ALG_ID: 0x0052";
} }
identity TPM_ALG_KWP { identity TPM_ALG_KWP {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"AES Key Wrap with Padding (KWP)"; "AES Key Wrap with Padding (KWP)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST SP800-38F. ALG_ID: 0x0053"; NIST SP800-38F. ALG_ID: 0x0053";
} }
identity TPM_ALG_EAX { identity TPM_ALG_EAX {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"Authenticated-Encryption Mode"; "Authenticated-Encryption Mode";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
NIST SP800-38F. ALG_ID: 0x0054"; NIST SP800-38F. ALG_ID: 0x0054";
} }
identity TPM_ALG_EDDSA { identity TPM_ALG_EDDSA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Edwards-curve Digital Signature Algorithm (PureEdDSA)"; "Edwards-curve Digital Signature Algorithm (PureEdDSA)";
reference reference
"TCG_Algorithm_Registry_r1p32_pub Table 3 and "TCG Algorithm Registry Revision 01.32 Table 3 and
RFC 8032. ALG_ID: 0x0060"; RFC 8032. ALG_ID: 0x0060";
} }
} }
<CODE ENDS> <CODE ENDS>
Note that not all cryptographic functions are required for use by Note that not all cryptographic functions are required for use by
"ietf-tpm-remote-attestation.yang". However the full definition of ietf-tpm-remote-attestation.yang. However the full definition of
Table 3 of [TCG-Algos] will allow use by additional YANG Table 3 of [TCG-Algos] will allow use by additional YANG
specifications. specifications.
3. IANA Considerations 3. IANA Considerations
This document registers the following namespace URIs in the "ns" This document registers the following namespace URIs in the "ns"
class of the IETF XML Registry [IANA.xml-registry] as per [RFC3688]: class of the IETF XML Registry [IANA.xml-registry] as per [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation URI: urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation
skipping to change at page 49, line 15 skipping to change at page 48, line 36
Name: ietf-tcg-algs Name: ietf-tcg-algs
Namespace: urn:ietf:params:xml:ns:yang:ietf-tcg-algs Namespace: urn:ietf:params:xml:ns:yang:ietf-tcg-algs
Prefix: taa Prefix: taa
Reference: draft-ietf-rats-yang-tpm-charra (RFC form) Reference: draft-ietf-rats-yang-tpm-charra (RFC form)
4. Security Considerations 4. Security Considerations
The YANG module specified in this document defines a schema for data The YANG module ietf-tpm-remote-attestation.yang specified in this
that is designed to be accessed via network management protocols such document defines a schema for data that is designed to be accessed
as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer via network management protocols such as NETCONF [RFC6241] or
is the secure transport layer, and the mandatory-to-implement secure RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer layer, and the mandatory-to-implement secure transport is Secure
is HTTPS, and the mandatory-to-implement secure transport is TLS Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the
[RFC8446]. mandatory-to-implement secure transport is TLS [RFC8446].
There are a number of data nodes defined in this YANG module that are There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., _config true_, which is the writable/creatable/deletable (i.e., _config true_, which is the
default). These data nodes may be considered sensitive or vulnerable default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., _edit-config_) in some network environments. Write operations (e.g., _edit-config_)
to these data nodes without proper protection can have a negative to these data nodes without proper protection can have a negative
effect on network operations. These are the subtrees and data nodes effect on network operations. These are the subtrees and data nodes
as well as their sensitivity/vulnerability: as well as their sensitivity/vulnerability:
Container '/rats-support-structures/attester-supported-algos': 'tpm1 Container '/rats-support-structures/attester-supported-algos': 'tpm1
skipping to change at page 50, line 4 skipping to change at page 49, line 24
'tpm20-pcr-bank': It is possible to configure PCRs for extraction 'tpm20-pcr-bank': It is possible to configure PCRs for extraction
which are not being extended by system software. This could which are not being extended by system software. This could
unnecessarily use TPM resources. unnecessarily use TPM resources.
'certificates': It is possible to provision a certificate which 'certificates': It is possible to provision a certificate which
does not correspond to an Attestation Identity Key (AIK) within does not correspond to an Attestation Identity Key (AIK) within
the TPM 1.2, or an Attestation Key (AK) within the TPM 2.0 the TPM 1.2, or an Attestation Key (AK) within the TPM 2.0
respectively. respectively.
RPC 'tpm12-challenge-response-attestation': It must be verified that RPC 'tpm12-challenge-response-attestation': It must be verified that
the certificate is for an active AIK, i. e. the certificate the certificate is for an active AIK, i.e., the certificate
provided is able to support Attestation on the targeted TPM 1.2. provided is able to support Attestation on the targeted TPM 1.2.
RPC 'tpm20-challenge-response-attestation': It must be verified that RPC 'tpm20-challenge-response-attestation': It must be verified that
the certificate is for an active AK, i. e. the certificate the certificate is for an active AK, i.e., the quote signature
provided is able to support Attestation on the targeted TPM 2.0. associated with RPC response has been generated by an entity
legitimately able to perform Attestation on the targeted TPM 2.0.
RPC 'log-retrieval': Pulling lots of logs can chew up system RPC 'log-retrieval': Requesting a large volume of logs from the
resources. attester could require significant system resources and create a
denial of service.
Information collected through the RPCs above could reveal that
specific versions of software and configurations of endpoints that
could identify vulnerabilities on those systems. Therefore RPCs
should be protected by NACM [RFC8341] to limit the extraction of
attestation data by only authorized Verifiers.
For the YANG module ietf-tcg-algs.yang, please use care when
selecting specific algorithms. The introductory section of
[TCG-Algos] highlights that some algorithms should be considered
legacy, and recommends implementers and adopters diligently evaluate
available information such as governmental, industrial, and academic
research before selecting an algorithm for use.
5. Change Log 5. Change Log
Changes from version 08 to version 09: Changes from version 08 to version 09:
* AD Review comments
Changes from version 08 to version 09:
* Minor formatting tweaks for shepherd. IANA registered. * Minor formatting tweaks for shepherd. IANA registered.
Changes from version 05 to version 06: Changes from version 05 to version 06:
* More YANG Dr comments covered * More YANG Dr comments covered
Changes from version 04 to version 05: Changes from version 04 to version 05:
* YANG Dr comments covered * YANG Dr comments covered
skipping to change at page 51, line 37 skipping to change at page 51, line 31
* Relabeled name to tpm_name * Relabeled name to tpm_name
* Removed event-string in last-entry * Removed event-string in last-entry
6. References 6. References
6.1. Normative References 6.1. Normative References
[I-D.ietf-netconf-keystore] [I-D.ietf-netconf-keystore]
Watsen, K., "A YANG Data Model for a Keystore", Work in Watsen, K., "A YANG Data Model for a Keystore", Work in
Progress, Internet-Draft, draft-ietf-netconf-keystore-22, Progress, Internet-Draft, draft-ietf-netconf-keystore-23,
18 May 2021, <https://www.ietf.org/archive/id/draft-ietf- 14 December 2021, <https://www.ietf.org/archive/id/draft-
netconf-keystore-22.txt>. ietf-netconf-keystore-23.txt>.
[I-D.ietf-rats-architecture] [I-D.ietf-rats-architecture]
Birkholz, H., Thaler, D., Richardson, M., Smith, N., and Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote Attestation Procedures Architecture", Work W. Pan, "Remote Attestation Procedures Architecture", Work
in Progress, Internet-Draft, draft-ietf-rats-architecture- in Progress, Internet-Draft, draft-ietf-rats-architecture-
12, 23 April 2021, <https://www.ietf.org/archive/id/draft- 14, 9 December 2021, <https://www.ietf.org/archive/id/
ietf-rats-architecture-12.txt>. draft-ietf-rats-architecture-14.txt>.
[I-D.ietf-rats-tpm-based-network-device-attest] [I-D.ietf-rats-tpm-based-network-device-attest]
Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "TPM- Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "TPM-
based Network Device Remote Integrity Verification", Work based Network Device Remote Integrity Verification", Work
in Progress, Internet-Draft, draft-ietf-rats-tpm-based- in Progress, Internet-Draft, draft-ietf-rats-tpm-based-
network-device-attest-08, 26 July 2021, network-device-attest-10, 30 December 2021,
<https://www.ietf.org/archive/id/draft-ietf-rats-tpm- <https://www.ietf.org/archive/id/draft-ietf-rats-tpm-
based-network-device-attest-08.txt>. based-network-device-attest-10.txt>.
[IANA.xml-registry] [IANA.xml-registry]
IANA, "IETF XML Registry", IANA, "IETF XML Registry",
<http://www.iana.org/assignments/xml-registry>. <http://www.iana.org/assignments/xml-registry>.
[IANA.yang-parameters] [IANA.yang-parameters]
IANA, "YANG Parameters", IANA, "YANG Parameters",
<http://www.iana.org/assignments/yang-parameters>. <http://www.iana.org/assignments/yang-parameters>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
skipping to change at page 52, line 30 skipping to change at page 52, line 27
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>.
[RFC8348] Bierman, A., Bjorklund, M., Dong, J., and D. Romascanu, "A [RFC8348] Bierman, A., Bjorklund, M., Dong, J., and D. Romascanu, "A
YANG Data Model for Hardware Management", RFC 8348, YANG Data Model for Hardware Management", RFC 8348,
DOI 10.17487/RFC8348, March 2018, DOI 10.17487/RFC8348, March 2018,
<https://www.rfc-editor.org/info/rfc8348>. <https://www.rfc-editor.org/info/rfc8348>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[TCG-Algos] [TCG-Algos]
"TCG_Algorithm_Registry_r1p32_pub", n.d., "TCG_Algorithm_Registry_r1p32_pub", n.d.,
<https://trustedcomputinggroup.org/resource/tcg-algorithm- <https://trustedcomputinggroup.org/resource/tcg-algorithm-
registry/>. registry/>.
[TPM1.2] TCG, ., "TPM 1.2 Main Specification", 2 October 2003, [TPM1.2] TCG, ., "TPM 1.2 Main Specification", 2 October 2003,
<https://trustedcomputinggroup.org/resource/tpm-main- <https://trustedcomputinggroup.org/resource/tpm-main-
specification/>. specification/>.
[TPM2.0] TCG, ., "TPM 2.0 Library Specification", 15 March 2013, [TPM2.0] TCG, ., "TPM 2.0 Library Specification", 15 March 2013,
<https://trustedcomputinggroup.org/resource/tpm-library- <https://trustedcomputinggroup.org/resource/tpm-library-
specification/>. specification/>.
[TPM2.0-Key] [TPM2.0-Key]
TCG, ., "TPM 2.0 Keys for Device Identity and Attestation, TCG, ., "TPM 2.0 Keys for Device Identity and Attestation,
Rev10", 14 April 2021, <https://trustedcomputinggroup.org/ Rev10", 14 April 2021, <https://trustedcomputinggroup.org/
wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf>. wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf>.
6.2. Informative References 6.2. Informative References
[bios-log] "TCG PC Client Platform Firmware Profile Specification,
Section 9.4.5.2", n.d.,
<https://trustedcomputinggroup.org/wp-content/uploads/PC-C
lientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf
>.
[I-D.ietf-rats-reference-interaction-models] [I-D.ietf-rats-reference-interaction-models]
Birkholz, H., Eckel, M., Pan, W., and E. Voit, "Reference Birkholz, H., Eckel, M., Pan, W., and E. Voit, "Reference
Interaction Models for Remote Attestation Procedures", Interaction Models for Remote Attestation Procedures",
Work in Progress, Internet-Draft, draft-ietf-rats- Work in Progress, Internet-Draft, draft-ietf-rats-
reference-interaction-models-04, 26 July 2021, reference-interaction-models-04, 26 July 2021,
<https://www.ietf.org/archive/id/draft-ietf-rats- <https://www.ietf.org/archive/id/draft-ietf-rats-
reference-interaction-models-04.txt>. reference-interaction-models-04.txt>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [ima-log] "Canonical Event Log Format, Section 4.3", n.d.,
and A. Bierman, Ed., "Network Configuration Protocol <https://www.trustedcomputinggroup.org/wp-content/uploads/
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, TCG_IWG_CEL_v1_r0p30_13feb2021.pdf>.
<https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [netequip-boot-log]
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, "IMA Policy Kernel Documentation", n.d.,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.kernel.org/doc/Documentation/ABI/testing/
ima_policy>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [NIST-915121]
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, "True Randomness Can't be Left to Chance: Why entropy is
<https://www.rfc-editor.org/info/rfc8040>. important for information security", n.d.,
<https://tsapps.nist.gov/publication/
get_pdf.cfm?pub_id=915121>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [PC-Client-EFI-TPM-1.2]
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Trusted Computing Group, "TCG EFI Platform Specification
<https://www.rfc-editor.org/info/rfc8446>. for TPM Family 1.1 or 1.2, Specification Version 1.22,
Revision 15", 1 January 2014,
<https://trustedcomputinggroup.org/resource/tcg-efi-
platform-specification/>.
Authors' Addresses Authors' Addresses
Henk Birkholz Henk Birkholz
Fraunhofer SIT Fraunhofer SIT
Rheinstrasse 75 Rheinstrasse 75
64295 Darmstadt 64295 Darmstadt
Germany Germany
Email: henk.birkholz@sit.fraunhofer.de Email: henk.birkholz@sit.fraunhofer.de
 End of changes. 111 change blocks. 
139 lines changed or deleted 218 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/