draft-ietf-rats-yang-tpm-charra-12.txt   draft-ietf-rats-yang-tpm-charra-13.txt 
RATS Working Group H. Birkholz RATS Working Group H. Birkholz
Internet-Draft M. Eckel Internet-Draft M. Eckel
Intended status: Standards Track Fraunhofer SIT Intended status: Standards Track Fraunhofer SIT
Expires: 18 July 2022 S. Bhandari Expires: 6 August 2022 S. Bhandari
ThoughtSpot ThoughtSpot
E. Voit E. Voit
B. Sulzen B. Sulzen
Cisco Cisco
L. Xia L. Xia
Huawei Huawei
T. Laffey T. Laffey
HPE HPE
G. Fedorkow G. Fedorkow
Juniper Juniper
14 January 2022 2 February 2022
A YANG Data Model for Challenge-Response-based Remote Attestation A YANG Data Model for Challenge-Response-based Remote Attestation
Procedures using TPMs Procedures using TPMs
draft-ietf-rats-yang-tpm-charra-12 draft-ietf-rats-yang-tpm-charra-13
Abstract Abstract
This document defines YANG RPCs and a small number of configuration This document defines YANG RPCs and a small number of configuration
nodes required to retrieve attestation evidence about integrity nodes required to retrieve attestation evidence about integrity
measurements from a device, following the operational context defined measurements from a device, following the operational context defined
in TPM-based Network Device Remote Integrity Verification. in TPM-based Network Device Remote Integrity Verification.
Complementary measurement logs are also provided by the YANG RPCs, Complementary measurement logs are also provided by the YANG RPCs,
originating from one or more roots of trust for measurement (RTMs). originating from one or more roots of trust for measurement (RTMs).
The module defined requires at least one TPM 1.2 or TPM 2.0 as well The module defined requires at least one TPM 1.2 or TPM 2.0 as well
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 18 July 2022. This Internet-Draft will expire on 6 August 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 28 skipping to change at page 2, line 28
provided without warranty as described in the Revised BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3
2. The YANG Module for Basic Remote Attestation Procedures . . . 3 2. The YANG Module for Basic Remote Attestation Procedures . . . 3
2.1. YANG Modules . . . . . . . . . . . . . . . . . . . . . . 3 2.1. YANG Modules . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1. 'ietf-tpm-remote-attestation' . . . . . . . . . . . . 3 2.1.1. 'ietf-tpm-remote-attestation' . . . . . . . . . . . . 3
2.1.2. 'ietf-tcg-algs' . . . . . . . . . . . . . . . . . . . 32 2.1.2. 'ietf-tcg-algs' . . . . . . . . . . . . . . . . . . . 32
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48
4. Security Considerations . . . . . . . . . . . . . . . . . . . 48 4. Security Considerations . . . . . . . . . . . . . . . . . . . 49
5. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 50 5. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 50
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.1. Normative References . . . . . . . . . . . . . . . . . . 51 6.1. Normative References . . . . . . . . . . . . . . . . . . 51
6.2. Informative References . . . . . . . . . . . . . . . . . 53 6.2. Informative References . . . . . . . . . . . . . . . . . 57
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57
1. Introduction 1. Introduction
This document is based on the general terminology defined in the This document is based on the general terminology defined in the
[I-D.ietf-rats-architecture] and uses the operational context defined [I-D.ietf-rats-architecture] and uses the operational context defined
in [I-D.ietf-rats-tpm-based-network-device-attest] as well as the in [I-D.ietf-rats-tpm-based-network-device-attest] as well as the
interaction model and information elements defined in interaction model and information elements defined in
[I-D.ietf-rats-reference-interaction-models]. The currently [I-D.ietf-rats-reference-interaction-models]. The currently
supported hardware security modules (HSMs) are the Trusted Platform supported hardware security modules (HSMs) are the Trusted Platform
Modules (TPMs) [TPM1.2] and [TPM2.0] as specified by the Trusted Modules (TPMs) [TPM1.2] and [TPM2.0] as specified by the Trusted
skipping to change at page 3, line 47 skipping to change at page 3, line 47
Device is out of the scope of this document. Device is out of the scope of this document.
2.1. YANG Modules 2.1. YANG Modules
In this section the several YANG modules are defined. In this section the several YANG modules are defined.
2.1.1. 'ietf-tpm-remote-attestation' 2.1.1. 'ietf-tpm-remote-attestation'
This YANG module imports modules from [RFC6991], [RFC8348], This YANG module imports modules from [RFC6991], [RFC8348],
[I-D.ietf-netconf-keystore], and ietf-tcg-algs.yang Section 2.1.2.3. [I-D.ietf-netconf-keystore], and ietf-tcg-algs.yang Section 2.1.2.3.
Additionally references are made to [RFC8032], [RFC8017], [RFC6933],
[TPM1.2-Commands], [TPM2.0-Arch], [TPM2.0-Structures], [TPM2.0-Key],
[TPM1.2-Structures], [PC-Client-EFI-TPM-1.2], [ima-log],
[BIOS-Log-Event-Type] and [netequip-boot-log].
2.1.1.1. Features 2.1.1.1. Features
This module supports the following features: This module supports the following features:
* 'TPMs': Indicates that multiple TPMs on the device can support * 'TPMs': Indicates that multiple TPMs on the device can support
remote attestation. This feature is applicable in cases where remote attestation. This feature is applicable in cases where
multiple line cards are present, each with its own TPM. multiple line cards are present, each with its own TPM.
* 'bios': Indicates that the device supports the retrieval of BIOS/ * 'bios': Indicates that the device supports the retrieval of BIOS/
skipping to change at page 9, line 9 skipping to change at page 9, line 9
may be quoted, certificates which are associated with that TPM, may be quoted, certificates which are associated with that TPM,
and the current operational status. Of note are the certificates and the current operational status. Of note are the certificates
which are associated with that TPM. As a certificate is which are associated with that TPM. As a certificate is
associated with a particular TPM attestation key, knowledge of the associated with a particular TPM attestation key, knowledge of the
certificate allows a specific TPM to be identified. certificate allows a specific TPM to be identified.
+--rw tpms +--rw tpms
+--rw tpm* [name] +--rw tpm* [name]
+--rw name string +--rw name string
+--ro hardware-based? boolean +--ro hardware-based? boolean
+--ro physical-index? int32 {ietfhw:entity-mib}? +--ro physical-index? int32 {hw:entity-mib}?
+--ro path? string +--ro path? string
+--ro compute-node compute-node-ref {tpm:tpms}? +--ro compute-node compute-node-ref {tpm:tpms}?
+--ro manufacturer? string +--ro manufacturer? string
+--rw firmware-version identityref +--rw firmware-version identityref
+--rw tpm12-hash-algo? identityref +--rw tpm12-hash-algo? identityref
+--rw tpm12-pcrs* pcr +--rw tpm12-pcrs* pcr
+--rw tpm20-pcr-bank* [tpm20-hash-algo] +--rw tpm20-pcr-bank* [tpm20-hash-algo]
| +--rw tpm20-hash-algo identityref | +--rw tpm20-hash-algo identityref
| +--rw pcr-index* tpm:pcr | +--rw pcr-index* tpm:pcr
+--ro status enumeration +--ro status enumeration
skipping to change at page 9, line 46 skipping to change at page 9, line 46
+--rw tpm20-hash* identityref +--rw tpm20-hash* identityref
container 'compute-nodes' - When there is more than one TPM container 'compute-nodes' - When there is more than one TPM
supported, this container maintains the set of information related to supported, this container maintains the set of information related to
the compute node associated with a specific TPM. This allows each the compute node associated with a specific TPM. This allows each
specific TPM to identify to which 'compute-node' it belongs. specific TPM to identify to which 'compute-node' it belongs.
+--rw compute-nodes {tpm:TPMs}? +--rw compute-nodes {tpm:TPMs}?
+--ro compute-node* [node-id] +--ro compute-node* [node-id]
+--ro node-id string +--ro node-id string
+--ro node-physical-index? int32 {ietfhw:entity-mib}? +--ro node-physical-index? int32 {hw:entity-mib}?
+--ro node-name? string +--ro node-name? string
+--ro node-location? string +--ro node-location? string
2.1.1.6. YANG Module 2.1.1.6. YANG Module
<CODE BEGINS> file "ietf-tpm-remote-attestation@2021-05-11.yang" <CODE BEGINS> file "ietf-tpm-remote-attestation@2022-11-16.yang"
module ietf-tpm-remote-attestation { module ietf-tpm-remote-attestation {
namespace "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation"; namespace "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation";
prefix tpm; prefix tpm;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
} }
import ietf-hardware { import ietf-hardware {
prefix ietfhw; prefix hw;
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
} }
import ietf-tcg-algs { import ietf-tcg-algs {
prefix taa; prefix taa;
} }
organization organization
"IETF RATS (Remote ATtestation procedureS) Working Group"; "IETF RATS (Remote ATtestation procedureS) Working Group";
contact contact
"WG Web : <http://datatracker.ietf.org/wg/rats/> "WG Web : <https://datatracker.ietf.org/wg/rats/>
WG List : <mailto:rats@ietf.org> WG List : <mailto:rats@ietf.org>
Author : Eric Voit <evoit@cisco.com> Author : Eric Voit <evoit@cisco.com>
Author : Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Author : Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Author : Michael Eckel <michael.eckel@sit.fraunhofer.de> Author : Michael Eckel <michael.eckel@sit.fraunhofer.de>
Author : Shwetha Bhandari <shwetha.bhandari@thoughtspot.com> Author : Shwetha Bhandari <shwetha.bhandari@thoughtspot.com>
Author : Bill Sulzen <bsulzen@cisco.com> Author : Bill Sulzen <bsulzen@cisco.com>
Author : Liang Xia (Frank) <frank.xialiang@huawei.com> Author : Liang Xia (Frank) <frank.xialiang@huawei.com>
Author : Tom Laffey <tom.laffey@hpe.com> Author : Tom Laffey <tom.laffey@hpe.com>
Author : Guy Fedorkow <gfedorkow@juniper.net>"; Author : Guy Fedorkow <gfedorkow@juniper.net>";
description description
skipping to change at page 11, line 12 skipping to change at page 11, line 12
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2021-11-16 { revision 2022-01-27 {
description description
"Initial version"; "Initial version";
reference reference
"draft-ietf-rats-yang-tpm-charra"; "RFC XXXX: A YANG Data Model for Challenge-Response-based Remote
Attestation Procedures using TPMs";
} }
/*****************/ /*****************/
/* Features */ /* Features */
/*****************/ /*****************/
feature tpms { feature tpms {
description description
"The device supports the remote attestation of multiple "The device supports the remote attestation of multiple
TPM based cryptoprocessors."; TPM based cryptoprocessors.";
} }
feature bios { feature bios {
description description
"The device supports the bios logs."; "The device supports the bios logs.";
reference reference
"https://trustedcomputinggroup.org/wp-content/uploads/ "PC-Client-EFI-TPM-1.2:
https://trustedcomputinggroup.org/wp-content/uploads/
PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf
Section 9.4.5.2 and Section 9.4.5.2";
https://trustedcomputinggroup.org/resource/
tcg-efi-platform-specification/ Version 1.22, Revision 15";
} }
feature ima { feature ima {
description description
"The device supports Integrity Measurement Architecture logs. "The device supports Integrity Measurement Architecture logs.
Many variants of IMA logs exist in the deployment. Each encodes Many variants of IMA logs exist in the deployment. Each encodes
the log entry contents as the specific measurements which get the log entry contents as the specific measurements which get
hashed into a PCRs as Evidence. See the reference below for hashed into a PCRs as Evidence. See the reference below for
one example of such an encoding."; one example of such an encoding.";
reference reference
"https://www.trustedcomputinggroup.org/wp-content/uploads/ "ima-log:
https://www.trustedcomputinggroup.org/wp-content/uploads/
TCG_IWG_CEL_v1_r0p30_13feb2021.pdf Section 4.3"; TCG_IWG_CEL_v1_r0p30_13feb2021.pdf Section 4.3";
} }
feature netequip_boot { feature netequip_boot {
description description
"The device supports the netequip_boot logs."; "The device supports the netequip_boot logs.";
reference reference
"https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy"; "netequip-boot-log:
https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy";
} }
/*****************/ /*****************/
/* Typedefs */ /* Typedefs */
/*****************/ /*****************/
typedef pcr { typedef pcr {
type uint8 { type uint8 {
range "0..31"; range "0..31";
} }
skipping to change at page 12, line 48 skipping to change at page 12, line 50
description description
"A type which allows identification of a TPM based certificate."; "A type which allows identification of a TPM based certificate.";
} }
/******************/ /******************/
/* Identities */ /* Identities */
/******************/ /******************/
identity attested_event_log_type { identity attested_event_log_type {
description description
"Base identity allowing categorization of the reasons why and "Base identity allowing categorization of the reasons why an
attested measurement has been taken on an Attester."; attested measurement has been taken on an Attester.";
} }
identity ima { identity ima {
base attested_event_log_type; base attested_event_log_type;
description description
"An event type recorded in IMA."; "An event type recorded in IMA.";
} }
identity bios { identity bios {
base attested_event_log_type; base attested_event_log_type;
description description
"An event type associated with BIOS/UEFI."; "An event type associated with BIOS/UEFI.";
skipping to change at page 15, line 22 skipping to change at page 15, line 24
"A Verifier can acquire one or more PCR values, which are hashed "A Verifier can acquire one or more PCR values, which are hashed
together in a TPM2B_DIGEST coming from the TPM2. The selection together in a TPM2B_DIGEST coming from the TPM2. The selection
list of desired PCRs and the Hash Algorithm is represented in list of desired PCRs and the Hash Algorithm is represented in
this grouping."; this grouping.";
list tpm20-pcr-selection { list tpm20-pcr-selection {
unique "tpm20-hash-algo"; unique "tpm20-hash-algo";
description description
"Specifies the list of PCRs and Hash Algorithms that can be "Specifies the list of PCRs and Hash Algorithms that can be
returned within a TPM2B_DIGEST."; returned within a TPM2B_DIGEST.";
reference reference
"https://www.trustedcomputinggroup.org/wp-content/uploads/ "TPM2.0-Structures:
https://www.trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7"; TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7";
uses tpm20-hash-algo; uses tpm20-hash-algo;
leaf-list pcr-index { leaf-list pcr-index {
type pcr; type pcr;
must '/tpm:rats-support-structures/tpm:tpms' must '/tpm:rats-support-structures/tpm:tpms'
+ '/tpm:tpm[name = current()] and ' + '/tpm:tpm[name = current()] and '
+ '/tpm:rats-support-structures/tpm:tpms/tpm:tpm' + '/tpm:rats-support-structures/tpm:tpms/tpm:tpm'
+ '/tpm:tpm20-pcr-bank[pcr-index = current()]' { + '/tpm:tpm20-pcr-bank[pcr-index = current()]' {
error-message "Acquiring this PCR index is not supported"; error-message "Acquiring this PCR index is not supported";
} }
skipping to change at page 17, line 7 skipping to change at page 17, line 10
measurements. It is supplemented by unsigned Attester measurements. It is supplemented by unsigned Attester
information."; information.";
uses node-uptime; uses node-uptime;
leaf TPM_QUOTE2 { leaf TPM_QUOTE2 {
type binary; type binary;
description description
"Result of a TPM1.2 Quote2 operation. This includes PCRs, "Result of a TPM1.2 Quote2 operation. This includes PCRs,
signatures, locality, the provided nonce and other data which signatures, locality, the provided nonce and other data which
can be further parsed to appraise the Attester."; can be further parsed to appraise the Attester.";
reference reference
"TPM1.2 commands rev116 July 2007, Section 16.5 "TPM1.2-Commands:
https://trustedcomputinggroup.org/wp-content/uploads TPM1.2 commands rev116 July 2007, Section 16.5
/TPM-Main-Part-3-Commands_v1.2_rev116_01032011.pdf"; https://trustedcomputinggroup.org/wp-content/uploads
/TPM-Main-Part-3-Commands_v1.2_rev116_01032011.pdf";
} }
} }
grouping tpm20-attestation { grouping tpm20-attestation {
description description
"Contains an instance of TPM2 style signed cryptoprocessor "Contains an instance of TPM2 style signed cryptoprocessor
measurements. It is supplemented by unsigned Attester measurements. It is supplemented by unsigned Attester
information."; information.";
leaf TPMS_QUOTE_INFO { leaf TPMS_QUOTE_INFO {
type binary; type binary;
mandatory true; mandatory true;
description description
"A hash of the latest PCR values (and the hash algorithm used) "A hash of the latest PCR values (and the hash algorithm used)
which have been returned from a Verifier for the selected PCRs which have been returned from a Verifier for the selected PCRs
and Hash Algorithms."; and Hash Algorithms.";
reference reference
"https://www.trustedcomputinggroup.org/wp-content/uploads/ "TPM2.0-Structures:
https://www.trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.12.1"; TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.12.1";
} }
leaf quote-signature { leaf quote-signature {
type binary; type binary;
description description
"Quote signature returned by TPM Quote. The signature was "Quote signature returned by TPM Quote. The signature was
generated using the key associated with the generated using the key associated with the
certificate 'name'."; certificate 'name'.";
reference reference
"https://www.trustedcomputinggroup.org/wp-content/uploads/ "TPM2.0-Structures:
https://www.trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 11.2.1"; TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 11.2.1";
} }
uses node-uptime; uses node-uptime;
list unsigned-pcr-values { list unsigned-pcr-values {
description description
"PCR values in each PCR bank. This might appear redundant with "PCR values in each PCR bank. This might appear redundant with
the TPM2B_DIGEST, but that digest is calculated across multiple the TPM2B_DIGEST, but that digest is calculated across multiple
PCRs. Having to verify across multiple PCRs does not PCRs. Having to verify across multiple PCRs does not
necessarily make it easy for a Verifier to appraise just the necessarily make it easy for a Verifier to appraise just the
minimum set of PCR information which has changed since the last minimum set of PCR information which has changed since the last
skipping to change at page 18, line 26 skipping to change at page 18, line 32
leaf pcr-index { leaf pcr-index {
type pcr; type pcr;
description description
"PCR index number."; "PCR index number.";
} }
leaf pcr-value { leaf pcr-value {
type binary; type binary;
description description
"PCR value."; "PCR value.";
reference reference
"https://www.trustedcomputinggroup.org/wp-content/uploads/ "TPM2.0-Structures:
https://www.trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7"; TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7";
} }
} }
} }
} }
grouping log-identifier { grouping log-identifier {
description description
"Identifier for type of log to be retrieved."; "Identifier for type of log to be retrieved.";
leaf log-type { leaf log-type {
type identityref { type identityref {
base attested_event_log_type; base attested_event_log_type;
} }
mandatory true; mandatory true;
description description
"The corresponding measurement log type identity."; "The corresponding measurement log type identity.";
} }
} }
grouping boot-event-log { grouping boot-event-log {
description description
"Defines an event log corresponding to the event that extended "Defines a specific instance of an event log entry
the PCR"; and corresponding to the information used to
extended the PCR";
leaf event-number { leaf event-number {
type uint32; type uint32;
description description
"Unique event number of this event"; "Unique event number of this event";
} }
leaf event-type { leaf event-type {
type uint32; type uint32;
description description
"log event type"; "BIOS Log Event Type:
https://trustedcomputinggroup.org/wp-content/uploads/
TCG_PCClient_PFP_r1p05_v23_pub.pdf Section 10.4.1";
} }
leaf pcr-index { leaf pcr-index {
type pcr; type pcr;
description description
"Defines the PCR index that this event extended"; "Defines the PCR index that this event extended";
} }
list digest-list { list digest-list {
description description
"Hash of event data"; "Hash of event data";
leaf hash-algo { leaf hash-algo {
skipping to change at page 20, line 13 skipping to change at page 20, line 23
"Ordered list of TCG described event log "Ordered list of TCG described event log
that extended the PCRs in the order they that extended the PCRs in the order they
were logged"; were logged";
uses boot-event-log; uses boot-event-log;
} }
} }
grouping ima-event { grouping ima-event {
description description
"Defines an hash log extend event for IMA measurements"; "Defines an hash log extend event for IMA measurements";
reference reference
"https://www.trustedcomputinggroup.org/wp-content/uploads/ "ima-log:
https://www.trustedcomputinggroup.org/wp-content/uploads/
TCG_IWG_CEL_v1_r0p30_13feb2021.pdf Section 4.3"; TCG_IWG_CEL_v1_r0p30_13feb2021.pdf Section 4.3";
leaf event-number { leaf event-number {
type uint64; type uint64;
description description
"Unique number for this event for sequencing"; "Unique number for this event for sequencing";
} }
leaf ima-template { leaf ima-template {
type string; type string;
description description
"Name of the template used for event logs "Name of the template used for event logs
skipping to change at page 26, line 46 skipping to change at page 27, line 9
min-elements 2; min-elements 2;
description description
"A component within this composite device which "A component within this composite device which
supports TPM operations."; supports TPM operations.";
leaf node-id { leaf node-id {
type string; type string;
description description
"ID of the compute node, such as Board Serial Number."; "ID of the compute node, such as Board Serial Number.";
} }
leaf node-physical-index { leaf node-physical-index {
if-feature "ietfhw:entity-mib"; if-feature "hw:entity-mib";
type int32 { type int32 {
range "1..2147483647"; range "1..2147483647";
} }
config false; config false;
description description
"The entPhysicalIndex for the compute node."; "The entPhysicalIndex for the compute node.";
reference reference
"RFC 6933: Entity MIB (Version 4) - entPhysicalIndex"; "RFC 6933: Entity MIB (Version 4) - entPhysicalIndex";
} }
leaf node-name { leaf node-name {
skipping to change at page 27, line 38 skipping to change at page 27, line 49
can be conducted with."; can be conducted with.";
uses tpm-name; uses tpm-name;
leaf hardware-based { leaf hardware-based {
type boolean; type boolean;
config false; config false;
description description
"Answers the question: is this TPM is a hardware based "Answers the question: is this TPM is a hardware based
TPM?"; TPM?";
} }
leaf physical-index { leaf physical-index {
if-feature "ietfhw:entity-mib"; if-feature "hw:entity-mib";
type int32 { type int32 {
range "1..2147483647"; range "1..2147483647";
} }
config false; config false;
description description
"The entPhysicalIndex for the TPM."; "The entPhysicalIndex for the TPM.";
reference reference
"RFC 6933: Entity MIB (Version 4) - entPhysicalIndex"; "RFC 6933: Entity MIB (Version 4) - entPhysicalIndex";
} }
leaf path { leaf path {
type string; type string;
config false; config false;
skipping to change at page 29, line 7 skipping to change at page 29, line 18
} }
list tpm20-pcr-bank { list tpm20-pcr-bank {
when "../firmware-version = 'taa:tpm20'"; when "../firmware-version = 'taa:tpm20'";
key "tpm20-hash-algo"; key "tpm20-hash-algo";
description description
"Specifies the list of PCRs that may be extracted for "Specifies the list of PCRs that may be extracted for
a specific Hash Algorithm on this TPM2 compliant a specific Hash Algorithm on this TPM2 compliant
cryptoprocessor. A bank is a set of PCRs which are cryptoprocessor. A bank is a set of PCRs which are
extended using a particular hash algorithm."; extended using a particular hash algorithm.";
reference reference
"https://www.trustedcomputinggroup.org/wp-content/uploads/ "TPM2.0-Structures:
https://www.trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7"; TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7";
leaf tpm20-hash-algo { leaf tpm20-hash-algo {
type identityref { type identityref {
base taa:hash; base taa:hash;
} }
must '/tpm:rats-support-structures' must '/tpm:rats-support-structures'
+ '/tpm:attester-supported-algos' + '/tpm:attester-supported-algos'
+ '/tpm:tpm20-hash' { + '/tpm:tpm20-hash' {
error-message error-message
"This platform does not support tpm20-hash-algo"; "This platform does not support tpm20-hash-algo";
skipping to change at page 29, line 37 skipping to change at page 29, line 49
} }
} }
leaf status { leaf status {
type enumeration { type enumeration {
enum operational { enum operational {
value 0; value 0;
description description
"The TPM currently is currently running normally and "The TPM currently is currently running normally and
is ready to accept and process TPM quotes."; is ready to accept and process TPM quotes.";
reference reference
"TPM-Rev-2.0-Part-1-Architecture-01.07-2014-03-13.pdf "TPM2.0-Arch:
TPM-Rev-2.0-Part-1-Architecture-01.07-2014-03-13.pdf
Section 12"; Section 12";
} }
enum non-operational { enum non-operational {
value 1; value 1;
description description
"TPM is in a state such as startup or shutdown which "TPM is in a state such as startup or shutdown which
precludes the processing of TPM quotes."; precludes the processing of TPM quotes.";
} }
} }
config false; config false;
mandatory true; mandatory true;
skipping to change at page 30, line 37 skipping to change at page 30, line 51
"A reference to a specific certificate of an "A reference to a specific certificate of an
asymmetric key in the Keystore."; asymmetric key in the Keystore.";
} }
leaf type { leaf type {
type enumeration { type enumeration {
enum endorsement-certificate { enum endorsement-certificate {
value 0; value 0;
description description
"Endorsement Key (EK) Certificate type."; "Endorsement Key (EK) Certificate type.";
reference reference
"https://trustedcomputinggroup.org/wp-content/ "TPM2.0-Key:
https://trustedcomputinggroup.org/wp-content/
uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf
Section 3.11"; Section 3.11";
} }
enum initial-attestation-certificate { enum initial-attestation-certificate {
value 1; value 1;
description description
"Initial Attestation key (IAK) Certificate type."; "Initial Attestation key (IAK) Certificate type.";
reference reference
"https://trustedcomputinggroup.org/wp-content/ "TPM2.0-Key:
https://trustedcomputinggroup.org/wp-content/
uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf
Section 3.2"; Section 3.2";
} }
enum local-attestation-certificate { enum local-attestation-certificate {
value 2; value 2;
description description
"Local Attestation Key (LAK) Certificate type."; "Local Attestation Key (LAK) Certificate type.";
reference reference
"https://trustedcomputinggroup.org/wp-content/ "TPM2.0-Key:
https://trustedcomputinggroup.org/wp-content/
uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf
Section 3.2"; Section 3.2";
} }
} }
description description
"Function supported by this certificate from within the "Function supported by this certificate from within the
TPM."; TPM.";
} }
} }
} }
skipping to change at page 32, line 21 skipping to change at page 32, line 38
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
Figure 1 Figure 1
2.1.2. 'ietf-tcg-algs' 2.1.2. 'ietf-tcg-algs'
Cryptographic algorithm types were initially included within -v14 This document has encoded the TCG Algorithm definitions of
NETCONF's iana-crypto-types.yang. Unfortunately, all this content [TCG-Algos], revision 1.32. By including this full table as a
including the algorithms needed here failed to make the -v15 used separate YANG file within this document, it is possible for other
WGLC. As a result, this document has encoded the TCG Algorithm YANG models to leverage the contents of this model. Specific
definitions of [TCG-Algos], revision 1.32. By including this full references to [RFC7748], [ISO-IEC-9797-1], [ISO-IEC-9797-2],
table as a separate YANG file within this document, it is possible [ISO-IEC-10116], [ISO-IEC-10118-3], [ISO-IEC-14888-3],
for other YANG models to leverage the contents of this model. [ISO-IEC-15946-1], [ISO-IEC-18033-3], [IEEE-Std-1363-2000],
[IEEE-Std-1363a-2004], [NIST-PUB-FIPS-202], [NIST-SP800-38C],
[NIST-SP800-38D], [NIST-SP800-38F], [NIST-SP800-56A],
[NIST-SP800-108], [PC-Client-EFI-TPM-1.2], [ima-log], and
[netequip-boot-log] exist within the YANG Model.
2.1.2.1. Features 2.1.2.1. Features
There are two types of features supported: 'TPM12' and 'TPM20'. There are two types of features supported: 'TPM12' and 'TPM20'.
Support for either of these features indicates that a cryptoprocessor Support for either of these features indicates that a cryptoprocessor
supporting the corresponding type of TCG TPM API is present on an supporting the corresponding type of TCG TPM API is present on an
Attester. Most commonly, only one type of cryptoprocessor will be Attester. Most commonly, only one type of cryptoprocessor will be
available on an Attester. available on an Attester.
2.1.2.2. Identities 2.1.2.2. Identities
There are three types of identities in this model: There are three types of identities in this model:
1. *Cryptographic functions* supported by a TPM algorithm; these 1. Cryptographic functions supported by a TPM algorithm; these
include: 'asymmetric', 'symmetric', 'hash', 'signing', include: 'asymmetric', 'symmetric', 'hash', 'signing',
'anonymous_signing', 'encryption_mode', 'method', and 'anonymous_signing', 'encryption_mode', 'method', and
'object_type'. The definitions of each of these are in Table 2 'object_type'. The definitions of each of these are in Table 2
of [TCG-Algos]. of [TCG-Algos].
2. *API specifications* for TPMs: 'tpm12' and 'tpm20' 2. API specifications for TPMs: 'tpm12' and 'tpm20'
3. *Specific algorithm types*: Each algorithm type defines what 3. Specific algorithm types: Each algorithm type defines what
cryptographic functions may be supported, and on which type of cryptographic functions may be supported, and on which type of
API specification. It is not required that an implementation of API specification. It is not required that an implementation of
a specific TPM will support all algorithm types. The contents of a specific TPM will support all algorithm types. The contents of
each specific algorithm mirrors what is in Table 3 of each specific algorithm mirrors what is in Table 3 of
[TCG-Algos]. [TCG-Algos].
2.1.2.3. YANG Module 2.1.2.3. YANG Module
<CODE BEGINS> file "ietf-tcg-algs@2021-11-05.yang" <CODE BEGINS> file "ietf-tcg-algs@2022-01-27.yang"
module ietf-tcg-algs { module ietf-tcg-algs {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tcg-algs"; namespace "urn:ietf:params:xml:ns:yang:ietf-tcg-algs";
prefix taa; prefix taa;
organization organization
"IETF RATS Working Group"; "IETF RATS Working Group";
contact contact
"WG Web: <http://datatracker.ietf.org/wg/rats/> "WG Web: <https://datatracker.ietf.org/wg/rats/>
WG List: <mailto:rats@ietf.org> WG List: <mailto:rats@ietf.org>
Author: Eric Voit <mailto:evoit@cisco.com>"; Author: Eric Voit <mailto:evoit@cisco.com>";
description description
"This module defines a identities for asymmetric algorithms. "This module defines a identities for asymmetric algorithms.
Copyright (c) 2021 IETF Trust and the persons identified Copyright (c) 2021 IETF Trust and the persons identified
as authors of the code. All rights reserved. as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
skipping to change at page 33, line 45 skipping to change at page 34, line 21
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2021-11-05 { revision 2022-01-27 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: tbd"; "RFC XXXX: A YANG Data Model for Challenge-Response-based Remote
Attestation Procedures using TPMs";
} }
/*****************/ /*****************/
/* Features */ /* Features */
/*****************/ /*****************/
feature tpm12 { feature tpm12 {
description description
"This feature indicates algorithm support for the TPM 1.2 API "This feature indicates algorithm support for the TPM 1.2 API
as per Section 4.8 of TPM Main Part 2 TPM Structures as per Section 4.8 of TPM1.2-Structures:
TPM Main Part 2 TPM Structures
https://trustedcomputinggroup.org/wp-content/uploads/ https://trustedcomputinggroup.org/wp-content/uploads/
TPM-main-1.2-Rev94-part-2.pdf"; TPM-main-1.2-Rev94-part-2.pdf";
} }
feature tpm20 { feature tpm20 {
description description
"This feature indicates algorithm support for the TPM 2.0 API "This feature indicates algorithm support for the TPM 2.0 API
as per Section 11.4 of Trusted Platform Module Library as per Section 11.4 of Trusted Platform Module Library
Part 1: Architecture Part 1: Architecture. See TPM2.0-Arch:
https://trustedcomputinggroup.org/wp-content/uploads/ https://trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-1-Architecture-01.38.pdf"; TPM-Rev-2.0-Part-1-Architecture-01.07-2014-03-13.pdf";
} }
/*****************/ /*****************/
/* Identities */ /* Identities */
/*****************/ /*****************/
identity asymmetric { identity asymmetric {
description description
"A TCG recognized asymmetric algorithm with a public and "A TCG recognized asymmetric algorithm with a public and
private key."; private key.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 2 "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 2,
http://trustedcomputinggroup.org/resource/tcg-algorithm-registry/ http://trustedcomputinggroup.org/resource/tcg-algorithm-registry/
TCG-_Algorithm_Registry_r1p32_pub"; TCG-_Algorithm_Registry_r1p32_pub";
} }
identity symmetric { identity symmetric {
description description
"A TCG recognized symmetric algorithm with only a private key."; "A TCG recognized symmetric algorithm with only a private key.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 2"; "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 2";
} }
identity hash { identity hash {
description description
"A TCG recognized hash algorithm that compresses input data to "A TCG recognized hash algorithm that compresses input data to
a digest value or indicates a method that uses a hash."; a digest value or indicates a method that uses a hash.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 2"; "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 2";
} }
identity signing { identity signing {
description description
"A TCG recognized signing algorithm"; "A TCG recognized signing algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 2"; "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 2";
} }
identity anonymous_signing { identity anonymous_signing {
description description
"A TCG recognized anonymous signing algorithm."; "A TCG recognized anonymous signing algorithm.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 2"; "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 2";
} }
identity encryption_mode { identity encryption_mode {
description description
"A TCG recognized encryption mode."; "A TCG recognized encryption mode.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 2"; "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 2";
} }
identity method { identity method {
description description
"A TCG recognized method such as a mask generation function."; "A TCG recognized method such as a mask generation function.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 2"; "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 2";
} }
identity object_type { identity object_type {
description description
"A TCG recognized object type."; "A TCG recognized object type.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 2"; "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 2";
} }
identity cryptoprocessor { identity cryptoprocessor {
description description
"Base identity identifying a crytoprocessor."; "Base identity identifying a crytoprocessor.";
} }
identity tpm12 { identity tpm12 {
if-feature "tpm12"; if-feature "tpm12";
base cryptoprocessor; base cryptoprocessor;
skipping to change at page 36, line 4 skipping to change at page 36, line 28
identity cryptoprocessor { identity cryptoprocessor {
description description
"Base identity identifying a crytoprocessor."; "Base identity identifying a crytoprocessor.";
} }
identity tpm12 { identity tpm12 {
if-feature "tpm12"; if-feature "tpm12";
base cryptoprocessor; base cryptoprocessor;
description description
"Supportable by a TPM1.2."; "Supportable by a TPM1.2.";
reference reference
"TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf "TPM1.2-Structures:
https://trustedcomputinggroup.org/wp-content/uploads/
TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf
TPM_ALGORITHM_ID values, page 18"; TPM_ALGORITHM_ID values, page 18";
} }
identity tpm20 { identity tpm20 {
if-feature "tpm12"; if-feature "tpm20";
base cryptoprocessor; base cryptoprocessor;
description description
"Supportable by a TPM2."; "Supportable by a TPM2.";
reference reference
"TPM-Rev-2.0-Part-2-Structures-01.38.pdf "TPM2.0-Structures:
https://trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-2-Structures-01.38.pdf
The TCG Algorithm Registry. Table 9"; The TCG Algorithm Registry. Table 9";
} }
identity TPM_ALG_RSA { identity TPM_ALG_RSA {
if-feature "tpm12 or tpm20"; if-feature "tpm12 or tpm20";
base tpm12; base tpm12;
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base object_type; base object_type;
description description
"RSA algorithm"; "RSA algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
RFC 8017. ALG_ID: 0x0001"; RFC 8017. ALG_ID: 0x0001";
} }
identity TPM_ALG_TDES { identity TPM_ALG_TDES {
if-feature "tpm12"; if-feature "tpm12";
base tpm12; base tpm12;
base symmetric; base symmetric;
description description
"Block cipher with various key sizes (Triple Data Encryption "Block cipher with various key sizes (Triple Data Encryption
Algorithm, commonly called Triple Data Encryption Standard) Algorithm, commonly called Triple Data Encryption Standard)
Note: was banned in TPM1.2 v94"; Note: was banned in TPM1.2 v94";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 18033-3. ALG_ID: 0x0003"; ISO/IEC 18033-3. ALG_ID: 0x0003";
} }
identity TPM_ALG_SHA1 { identity TPM_ALG_SHA1 {
if-feature "tpm12 or tpm20"; if-feature "tpm12 or tpm20";
base hash; base hash;
base tpm12; base tpm12;
base tpm20; base tpm20;
description description
"SHA1 algorithm - Deprecated due to insufficient cryptographic "SHA1 algorithm - Deprecated due to insufficient cryptographic
protection. However it is still useful for hash algorithms protection. However it is still useful for hash algorithms
where protection is not required."; where protection is not required.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 10118-3. ALG_ID: 0x0004"; ISO/IEC 10118-3. ALG_ID: 0x0004";
} }
identity TPM_ALG_HMAC { identity TPM_ALG_HMAC {
if-feature "tpm12 or tpm20"; if-feature "tpm12 or tpm20";
base tpm12; base tpm12;
base tpm20; base tpm20;
base hash; base hash;
base signing; base signing;
description description
"Hash Message Authentication Code (HMAC) algorithm"; "Hash Message Authentication Code (HMAC) algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3, "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3,
ISO/IEC 9797-2 and RFC2014. ALG_ID: 0x0005"; ISO/IEC 9797-2 and RFC2014. ALG_ID: 0x0005";
} }
identity TPM_ALG_AES { identity TPM_ALG_AES {
if-feature "tpm12"; if-feature "tpm12";
base tpm12; base tpm12;
base symmetric; base symmetric;
description description
"The AES algorithm with various key sizes"; "The AES algorithm with various key sizes";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3,
ISO/IEC 18033-3. ALG_ID: 0x0006"; ISO/IEC 18033-3. ALG_ID: 0x0006";
} }
identity TPM_ALG_MGF1 { identity TPM_ALG_MGF1 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
base method; base method;
description description
"hash-based mask-generation function"; "hash-based mask-generation function";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3, "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3,
IEEE Std 1363-2000 and IEEE Std 1363a-2004. IEEE Std 1363-2000 and IEEE Std 1363a-2004.
ALG_ID: 0x0007"; ALG_ID: 0x0007";
} }
identity TPM_ALG_KEYEDHASH { identity TPM_ALG_KEYEDHASH {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
base object_type; base object_type;
description description
"An encryption or signing algorithm using a keyed hash. These "An encryption or signing algorithm using a keyed hash. These
may use XOR for encryption or an HMAC for signing and may may use XOR for encryption or an HMAC for signing and may
also refer to a data object that is neither signing nor also refer to a data object that is neither signing nor
encrypting."; encrypting.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3,
TCG TPM 2.0 library specification. ALG_ID: 0x0008"; ALG_ID: 0x0008";
} }
identity TPM_ALG_XOR { identity TPM_ALG_XOR {
if-feature "tpm12 or tpm20"; if-feature "tpm12 or tpm20";
base tpm12; base tpm12;
base tpm20; base tpm20;
base hash; base hash;
base symmetric; base symmetric;
description description
"The XOR encryption algorithm."; "The XOR encryption algorithm.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3.
TCG TPM 2.0 library specification. ALG_ID: 0x000A"; ALG_ID: 0x000A";
} }
identity TPM_ALG_SHA256 { identity TPM_ALG_SHA256 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SHA 256 algorithm"; "The SHA 256 algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 10118-3. ALG_ID: 0x000B"; ISO/IEC 10118-3. ALG_ID: 0x000B";
} }
identity TPM_ALG_SHA384 { identity TPM_ALG_SHA384 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SHA 384 algorithm"; "The SHA 384 algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 10118-3. ALG_ID: 0x000C"; ISO/IEC 10118-3. ALG_ID: 0x000C";
} }
identity TPM_ALG_SHA512 { identity TPM_ALG_SHA512 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SHA 512 algorithm"; "The SHA 512 algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 10118-3. ALG_ID: 0x000D"; ISO/IEC 10118-3. ALG_ID: 0x000D";
} }
identity TPM_ALG_NULL { identity TPM_ALG_NULL {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
description description
"NULL algorithm"; "NULL algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3.
TCG TPM 2.0 library specification. ALG_ID: 0x0010"; ALG_ID: 0x0010";
} }
identity TPM_ALG_SM3_256 { identity TPM_ALG_SM3_256 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SM3 hash algorithm."; "The SM3 hash algorithm.";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 10118-3:2018. ALG_ID: 0x0012"; ISO/IEC 10118-3:2018. ALG_ID: 0x0012";
} }
identity TPM_ALG_SM4 { identity TPM_ALG_SM4 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
description description
"SM4 symmetric block cipher"; "SM4 symmetric block cipher";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3.
GB/T 32907-2016. ALG_ID: 0x0013"; ALG_ID: 0x0013";
} }
identity TPM_ALG_RSASSA { identity TPM_ALG_RSASSA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Signature algorithm defined in section 8.2 (RSASSAPKCS1-v1_5)"; "Signature algorithm defined in section 8.2 (RSASSAPKCS1-v1_5)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and RFC 8017. "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ALG_ID: 0x0014"; RFC 8017. ALG_ID: 0x0014";
} }
identity TPM_ALG_RSAES { identity TPM_ALG_RSAES {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base encryption_mode; base encryption_mode;
description description
"Signature algorithm defined in section 7.2 (RSAES-PKCS1-v1_5)"; "Signature algorithm defined in section 7.2 (RSAES-PKCS1-v1_5)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and RFC 8017 "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ALG_ID: 0x0015"; RFC 8017. ALG_ID: 0x0015";
} }
identity TPM_ALG_RSAPSS { identity TPM_ALG_RSAPSS {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Padding algorithm defined in section 8.1 (RSASSA PSS)"; "Padding algorithm defined in section 8.1 (RSASSA PSS)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and RFC 8017. "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ALG_ID: 0x0016"; RFC 8017. ALG_ID: 0x0016";
} }
identity TPM_ALG_OAEP { identity TPM_ALG_OAEP {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base encryption_mode; base encryption_mode;
description description
"Padding algorithm defined in section 7.1 (RSASSA OAEP)"; "Padding algorithm defined in section 7.1 (RSASSA OAEP)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and RFC 8017. "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ALG_ID: 0x0017"; RFC 8017. ALG_ID: 0x0017";
} }
identity TPM_ALG_ECDSA { identity TPM_ALG_ECDSA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Signature algorithm using elliptic curve cryptography (ECC)"; "Signature algorithm using elliptic curve cryptography (ECC)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 14888-3. ALG_ID: 0x0018"; ISO/IEC 14888-3. ALG_ID: 0x0018";
} }
identity TPM_ALG_ECDH { identity TPM_ALG_ECDH {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base method; base method;
description description
"Secret sharing using ECC"; "Secret sharing using ECC";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST SP800-56A and RFC 7748. ALG_ID: 0x0019"; NIST SP800-56A and RFC 7748. ALG_ID: 0x0019";
} }
identity TPM_ALG_ECDAA { identity TPM_ALG_ECDAA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
base anonymous_signing; base anonymous_signing;
description description
"Elliptic-curve based anonymous signing scheme"; "Elliptic-curve based anonymous signing scheme";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
TCG TPM 2.0 library specification. ALG_ID: 0x001A"; TCG TPM 2.0 library specification. ALG_ID: 0x001A";
} }
identity TPM_ALG_SM2 { identity TPM_ALG_SM2 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
base method; base method;
description description
"SM2 - depending on context, either an elliptic-curve based, "SM2 - depending on context, either an elliptic-curve based,
signature algorithm, an encryption scheme, or a key exchange signature algorithm, an encryption scheme, or a key exchange
protocol"; protocol";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3.
GB/T 32918.1-2016, GB/T 32918.2-2016, GB/T 32918.3-2016, GB/T ALG_ID: 0x001B";
32918.4-2016, GB/T 32918.5-2017. ALG_ID: 0x001B";
} }
identity TPM_ALG_ECSCHNORR { identity TPM_ALG_ECSCHNORR {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Elliptic-curve based Schnorr signature"; "Elliptic-curve based Schnorr signature";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3.
TCG TPM 2.0 library specification. ALG_ID: 0x001C"; ALG_ID: 0x001C";
} }
identity TPM_ALG_ECMQV { identity TPM_ALG_ECMQV {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base method; base method;
description description
"Two-phase elliptic-curve key"; "Two-phase elliptic-curve key";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST SP800-56A. ALG_ID: 0x001D"; NIST SP800-56A. ALG_ID: 0x001D";
} }
identity TPM_ALG_KDF1_SP800_56A { identity TPM_ALG_KDF1_SP800_56A {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
base method; base method;
description description
"Concatenation key derivation function"; "Concatenation key derivation function";
reference reference
skipping to change at page 42, line 35 skipping to change at page 43, line 15
} }
identity TPM_ALG_KDF1_SP800_56A { identity TPM_ALG_KDF1_SP800_56A {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
base method; base method;
description description
"Concatenation key derivation function"; "Concatenation key derivation function";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST SP800-56A (approved alternative1) section 5.8.1. NIST SP800-56A (approved alternative1) section 5.8.1.
ALG_ID: 0x0020"; ALG_ID: 0x0020";
} }
identity TPM_ALG_KDF2 { identity TPM_ALG_KDF2 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
base method; base method;
description description
"Key derivation function"; "Key derivation function";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
IEEE 1363a-2004 KDF2 section 13.2. ALG_ID: 0x0021"; IEEE 1363a-2004 KDF2 section 13.2. ALG_ID: 0x0021";
} }
identity TPM_ALG_KDF1_SP800_108 { identity TPM_ALG_KDF1_SP800_108 {
base TPM_ALG_KDF2; base TPM_ALG_KDF2;
description description
"A key derivation method"; "A key derivation method";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST SP800-108 - Section 5.1 KDF. ALG_ID: 0x0022"; NIST SP800-108 - Section 5.1 KDF. ALG_ID: 0x0022";
} }
identity TPM_ALG_ECC { identity TPM_ALG_ECC {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base object_type; base object_type;
description description
"Prime field ECC"; "Prime field ECC";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 15946-1. ALG_ID: 0x0023"; ISO/IEC 15946-1. ALG_ID: 0x0023";
} }
identity TPM_ALG_SYMCIPHER { identity TPM_ALG_SYMCIPHER {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
description description
"Object type for a symmetric block cipher"; "Object type for a symmetric block cipher";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
TCG TPM 2.0 library specification. ALG_ID: 0x0025"; TCG TPM 2.0 library specification. ALG_ID: 0x0025";
} }
identity TPM_ALG_CAMELLIA { identity TPM_ALG_CAMELLIA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
description description
"The Camellia algorithm"; "The Camellia algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 18033-3. ALG_ID: 0x0026"; ISO/IEC 18033-3. ALG_ID: 0x0026";
} }
identity TPM_ALG_SHA3_256 { identity TPM_ALG_SHA3_256 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"ISO/IEC 10118-3 - the SHA 256 algorithm"; "ISO/IEC 10118-3 - the SHA 256 algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST PUB FIPS 202. ALG_ID: 0x0027"; NIST PUB FIPS 202. ALG_ID: 0x0027";
} }
identity TPM_ALG_SHA3_384 { identity TPM_ALG_SHA3_384 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SHA 384 algorithm"; "The SHA 384 algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST PUB FIPS 202. ALG_ID: 0x0028"; NIST PUB FIPS 202. ALG_ID: 0x0028";
} }
identity TPM_ALG_SHA3_512 { identity TPM_ALG_SHA3_512 {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base hash; base hash;
description description
"The SHA 512 algorithm"; "The SHA 512 algorithm";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST PUB FIPS 202. ALG_ID: 0x0029"; NIST PUB FIPS 202. ALG_ID: 0x0029";
} }
identity TPM_ALG_CMAC { identity TPM_ALG_CMAC {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
description description
"block Cipher-based Message Authentication Code (CMAC)"; "block Cipher-based Message Authentication Code (CMAC)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 9797-1:2011 Algorithm 5. ALG_ID: 0x003F"; ISO/IEC 9797-1:2011 Algorithm 5. ALG_ID: 0x003F";
} }
identity TPM_ALG_CTR { identity TPM_ALG_CTR {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Counter mode"; "Counter mode";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 10116. ALG_ID: 0x0040"; ISO/IEC 10116. ALG_ID: 0x0040";
} }
identity TPM_ALG_OFB { identity TPM_ALG_OFB {
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Output Feedback mode"; "Output Feedback mode";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 10116. ALG_ID: 0x0041"; ISO/IEC 10116. ALG_ID: 0x0041";
} }
identity TPM_ALG_CBC { identity TPM_ALG_CBC {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Cipher Block Chaining mode"; "Cipher Block Chaining mode";
skipping to change at page 45, line 25 skipping to change at page 46, line 4
ISO/IEC 10116. ALG_ID: 0x0041"; ISO/IEC 10116. ALG_ID: 0x0041";
} }
identity TPM_ALG_CBC { identity TPM_ALG_CBC {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Cipher Block Chaining mode"; "Cipher Block Chaining mode";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 10116. ALG_ID: 0x0042"; ISO/IEC 10116. ALG_ID: 0x0042";
} }
identity TPM_ALG_CFB { identity TPM_ALG_CFB {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Cipher Feedback mode"; "Cipher Feedback mode";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 10116. ALG_ID: 0x0043"; ISO/IEC 10116. ALG_ID: 0x0043";
} }
identity TPM_ALG_ECB { identity TPM_ALG_ECB {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base encryption_mode; base encryption_mode;
description description
"Electronic Codebook mode"; "Electronic Codebook mode";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 10116. ALG_ID: 0x0044"; ISO/IEC 10116. ALG_ID: 0x0044";
} }
identity TPM_ALG_CCM { identity TPM_ALG_CCM {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"Counter with Cipher Block Chaining-Message Authentication "Counter with Cipher Block Chaining-Message Authentication
skipping to change at page 46, line 17 skipping to change at page 46, line 44
identity TPM_ALG_CCM { identity TPM_ALG_CCM {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"Counter with Cipher Block Chaining-Message Authentication "Counter with Cipher Block Chaining-Message Authentication
Code (CCM)"; Code (CCM)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST SP800-38C. ALG_ID: 0x0050"; NIST SP800-38C. ALG_ID: 0x0050";
} }
identity TPM_ALG_GCM { identity TPM_ALG_GCM {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"Galois/Counter Mode (GCM)"; "Galois/Counter Mode (GCM)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST SP800-38D. ALG_ID: 0x0051"; NIST SP800-38D. ALG_ID: 0x0051";
} }
identity TPM_ALG_KW { identity TPM_ALG_KW {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"AES Key Wrap (KW)"; "AES Key Wrap (KW)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST SP800-38F. ALG_ID: 0x0052"; NIST SP800-38F. ALG_ID: 0x0052";
} }
identity TPM_ALG_KWP { identity TPM_ALG_KWP {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"AES Key Wrap with Padding (KWP)"; "AES Key Wrap with Padding (KWP)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST SP800-38F. ALG_ID: 0x0053"; NIST SP800-38F. ALG_ID: 0x0053";
} }
identity TPM_ALG_EAX { identity TPM_ALG_EAX {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base signing; base signing;
base encryption_mode; base encryption_mode;
description description
"Authenticated-Encryption Mode"; "Authenticated-Encryption Mode";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
NIST SP800-38F. ALG_ID: 0x0054"; NIST SP800-38F. ALG_ID: 0x0054";
} }
identity TPM_ALG_EDDSA { identity TPM_ALG_EDDSA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base asymmetric; base asymmetric;
base signing; base signing;
description description
"Edwards-curve Digital Signature Algorithm (PureEdDSA)"; "Edwards-curve Digital Signature Algorithm (PureEdDSA)";
reference reference
"TCG Algorithm Registry Revision 01.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
RFC 8032. ALG_ID: 0x0060"; RFC 8032. ALG_ID: 0x0060";
} }
} }
<CODE ENDS> <CODE ENDS>
Note that not all cryptographic functions are required for use by Note that not all cryptographic functions are required for use by
ietf-tpm-remote-attestation.yang. However the full definition of ietf-tpm-remote-attestation.yang. However the full definition of
Table 3 of [TCG-Algos] will allow use by additional YANG Table 3 of [TCG-Algos] will allow use by additional YANG
specifications. specifications.
3. IANA Considerations 3. IANA Considerations
This document registers the following namespace URIs in the "ns" This document registers the following namespace URIs in the
class of the IETF XML Registry [IANA.xml-registry] as per [RFC3688]: [IANA.xml-registry] as per [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation URI: urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
URI: urn:ietf:params:xml:ns:yang:ietf-tcg-algs URI: urn:ietf:params:xml:ns:yang:ietf-tcg-algs
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
This document registers the following YANG modules in the "YANG This document registers the following YANG modules in the registry
Module Names" registry [IANA.yang-parameters] as per Section 14 of [IANA.yang-parameters] as per Section 14 of [RFC6020]:
[RFC6020]:
Name: ietf-tpm-remote-attestation Name: ietf-tpm-remote-attestation
Namespace: urn:ietf:params:xml:ns:yang:ietf-tpm-remote- Namespace: urn:ietf:params:xml:ns:yang:ietf-tpm-remote-
attestation attestation
Prefix: tpm Prefix: tpm
Reference: draft-ietf-rats-yang-tpm-charra (RFC form) Reference: draft-ietf-rats-yang-tpm-charra (RFC form)
skipping to change at page 49, line 39 skipping to change at page 50, line 17
associated with RPC response has been generated by an entity associated with RPC response has been generated by an entity
legitimately able to perform Attestation on the targeted TPM 2.0. legitimately able to perform Attestation on the targeted TPM 2.0.
RPC 'log-retrieval': Requesting a large volume of logs from the RPC 'log-retrieval': Requesting a large volume of logs from the
attester could require significant system resources and create a attester could require significant system resources and create a
denial of service. denial of service.
Information collected through the RPCs above could reveal that Information collected through the RPCs above could reveal that
specific versions of software and configurations of endpoints that specific versions of software and configurations of endpoints that
could identify vulnerabilities on those systems. Therefore RPCs could identify vulnerabilities on those systems. Therefore RPCs
should be protected by NACM [RFC8341] to limit the extraction of should be protected by NACM [RFC8341] with a default setting of deny-
attestation data by only authorized Verifiers. all to limit the extraction of attestation data by only authorized
Verifiers.
For the YANG module ietf-tcg-algs.yang, please use care when For the YANG module ietf-tcg-algs.yang, please use care when
selecting specific algorithms. The introductory section of selecting specific algorithms. The introductory section of
[TCG-Algos] highlights that some algorithms should be considered [TCG-Algos] highlights that some algorithms should be considered
legacy, and recommends implementers and adopters diligently evaluate legacy, and recommends implementers and adopters diligently evaluate
available information such as governmental, industrial, and academic available information such as governmental, industrial, and academic
research before selecting an algorithm for use. research before selecting an algorithm for use.
5. Change Log 5. Change Log
skipping to change at page 51, line 29 skipping to change at page 52, line 5
name to map it back to hardware inventory name to map it back to hardware inventory
* Relabeled name to tpm_name * Relabeled name to tpm_name
* Removed event-string in last-entry * Removed event-string in last-entry
6. References 6. References
6.1. Normative References 6.1. Normative References
[BIOS-Log-Event-Type]
"TCG PC Client Platform Firmware Profile Specification",
n.d., <https://trustedcomputinggroup.org/wp-
content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf>.
[I-D.ietf-netconf-keystore] [I-D.ietf-netconf-keystore]
Watsen, K., "A YANG Data Model for a Keystore", Work in Watsen, K., "A YANG Data Model for a Keystore", Work in
Progress, Internet-Draft, draft-ietf-netconf-keystore-23, Progress, Internet-Draft, draft-ietf-netconf-keystore-23,
14 December 2021, <https://www.ietf.org/archive/id/draft- 14 December 2021, <https://www.ietf.org/archive/id/draft-
ietf-netconf-keystore-23.txt>. ietf-netconf-keystore-23.txt>.
[I-D.ietf-rats-architecture] [I-D.ietf-rats-architecture]
Birkholz, H., Thaler, D., Richardson, M., Smith, N., and Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote Attestation Procedures Architecture", Work W. Pan, "Remote Attestation Procedures Architecture", Work
in Progress, Internet-Draft, draft-ietf-rats-architecture- in Progress, Internet-Draft, draft-ietf-rats-architecture-
14, 9 December 2021, <https://www.ietf.org/archive/id/ 14, 9 December 2021, <https://www.ietf.org/archive/id/
draft-ietf-rats-architecture-14.txt>. draft-ietf-rats-architecture-14.txt>.
[I-D.ietf-rats-tpm-based-network-device-attest] [I-D.ietf-rats-tpm-based-network-device-attest]
Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "TPM- Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "TPM-
based Network Device Remote Integrity Verification", Work based Network Device Remote Integrity Verification", Work
in Progress, Internet-Draft, draft-ietf-rats-tpm-based- in Progress, Internet-Draft, draft-ietf-rats-tpm-based-
network-device-attest-10, 30 December 2021, network-device-attest-11, 29 January 2022,
<https://www.ietf.org/archive/id/draft-ietf-rats-tpm- <https://www.ietf.org/archive/id/draft-ietf-rats-tpm-
based-network-device-attest-10.txt>. based-network-device-attest-11.txt>.
[IANA.xml-registry] [IANA.xml-registry]
IANA, "IETF XML Registry", IANA, "IETF XML Registry",
<http://www.iana.org/assignments/xml-registry>. <http://www.iana.org/assignments/xml-registry>.
[IANA.yang-parameters] [IANA.yang-parameters]
IANA, "YANG Parameters", IANA, "YANG Parameters",
<http://www.iana.org/assignments/yang-parameters>. <http://www.iana.org/assignments/yang-parameters>.
[IEEE-Std-1363-2000]
"IEEE 1363-2000 - IEEE Standard Specifications for Public-
Key Cryptography", n.d.,
<https://standards.ieee.org/standard/1363-2000.html>.
[IEEE-Std-1363a-2004]
"1363a-2004 - IEEE Standard Specifications for Public-Key
Cryptography - Amendment 1: Additional Techniques", n.d.,
<https://ieeexplore.ieee.org/document/1335427>.
[ima-log] "Canonical Event Log Format, Section 4.3", n.d.,
<https://www.trustedcomputinggroup.org/wp-content/uploads/
TCG_IWG_CEL_v1_r0p30_13feb2021.pdf>.
[ISO-IEC-10116]
"ISO/IEC 10116:2017 - Information technology", n.d.,
<https://www.iso.org/standard/64575.html>.
[ISO-IEC-10118-3]
"Dedicated hash-functions - ISO/IEC 10118-3:2018", n.d.,
<https://www.iso.org/standard/67116.html>.
[ISO-IEC-14888-3]
"ISO/IEC 14888-3:2018 - Digital signatures with appendix",
n.d., <https://www.iso.org/standard/76382.html>.
[ISO-IEC-15946-1]
"ISO/IEC 15946-1:2016 - Information technology", n.d.,
<https://www.iso.org/standard/65480.html>.
[ISO-IEC-18033-3]
"ISO/IEC 18033-3:2010 - Encryption algorithms", n.d.,
<https://www.iso.org/standard/54531.html>.
[ISO-IEC-9797-1]
"Message Authentication Codes (MACs) - ISO/IEC
9797-1:2011", n.d.,
<https://www.iso.org/standard/50375.html>.
[ISO-IEC-9797-2]
"Message Authentication Codes (MACs) - ISO/IEC
9797-2:2011", n.d.,
<https://www.iso.org/standard/51618.html>.
[netequip-boot-log]
"IMA Policy Kernel Documentation", n.d.,
<https://www.kernel.org/doc/Documentation/ABI/testing/
ima_policy>.
[NIST-PUB-FIPS-202]
"SHA-3 Standard: Permutation-Based Hash and Extendable-
Output Functions", n.d.,
<https://csrc.nist.gov/publications/detail/fips/202/
final>.
[NIST-SP800-108]
"Recommendation for Key Derivation Using Pseudorandom
Functions", n.d.,
<https://nvlpubs.nist.gov/nistpubs/Legacy/SP/
nistspecialpublication800-108.pdf>.
[NIST-SP800-38C]
"Recommendation for Block Cipher Modes of Operation: the
CCM Mode for Authentication and Confidentiality", n.d.,
<https://csrc.nist.gov/publications/detail/sp/800-38c/
final>.
[NIST-SP800-38D]
"Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC", n.d.,
<https://csrc.nist.gov/publications/detail/sp/800-38d/
final>.
[NIST-SP800-38F]
"Recommendation for Block Cipher Modes of Operation:
Methods for Key Wrapping", n.d.,
<https://csrc.nist.gov/publications/detail/sp/800-38f/
final>.
[NIST-SP800-56A]
"Recommendation for Pair-Wise Key-Establishment Schemes
Using Discrete Logarithm Cryptography", n.d.,
<https://csrc.nist.gov/publications/detail/sp/800-56a/rev-
3/final>.
[PC-Client-EFI-TPM-1.2]
Trusted Computing Group, "TCG EFI Platform Specification
for TPM Family 1.1 or 1.2, Specification Version 1.22,
Revision 15", 1 January 2014,
<https://trustedcomputinggroup.org/resource/tcg-efi-
platform-specification/>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
skipping to change at page 52, line 36 skipping to change at page 55, line 14
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6933] Bierman, A., Romascanu, D., Quittek, J., and M.
Chandramouli, "Entity MIB (Version 4)", RFC 6933,
DOI 10.17487/RFC6933, May 2013,
<https://www.rfc-editor.org/info/rfc6933>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>.
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2",
RFC 8017, DOI 10.17487/RFC8017, November 2016,
<https://www.rfc-editor.org/info/rfc8017>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341, Access Control Model", STD 91, RFC 8341,
skipping to change at page 53, line 15 skipping to change at page 56, line 15
[RFC8348] Bierman, A., Bjorklund, M., Dong, J., and D. Romascanu, "A [RFC8348] Bierman, A., Bjorklund, M., Dong, J., and D. Romascanu, "A
YANG Data Model for Hardware Management", RFC 8348, YANG Data Model for Hardware Management", RFC 8348,
DOI 10.17487/RFC8348, March 2018, DOI 10.17487/RFC8348, March 2018,
<https://www.rfc-editor.org/info/rfc8348>. <https://www.rfc-editor.org/info/rfc8348>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[TCG-Algos] [TCG-Algos]
"TCG_Algorithm_Registry_r1p32_pub", n.d., "TCG Algorithm Registry", n.d.,
<https://trustedcomputinggroup.org/resource/tcg-algorithm- <https://trustedcomputinggroup.org/wp-content/uploads/TCG-
registry/>. _Algorithm_Registry_r1p32_pub.pdf>.
[TPM1.2] TCG, ., "TPM 1.2 Main Specification", 2 October 2003, [TPM1.2] TCG, ., "TPM 1.2 Main Specification", 2 October 2003,
<https://trustedcomputinggroup.org/resource/tpm-main- <https://trustedcomputinggroup.org/resource/tpm-main-
specification/>. specification/>.
[TPM1.2-Commands]
"TPM Main Part 3 Commands", n.d.,
<https://trustedcomputinggroup.org/wp-content/uploads/TPM-
Main-Part-3-Commands_v1.2_rev116_01032011.pdf>.
[TPM1.2-Structures]
"TPM Main Part 2 TPM Structures", n.d.,
<https://trustedcomputinggroup.org/wp-content/uploads/TPM-
Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf>.
[TPM2.0] TCG, ., "TPM 2.0 Library Specification", 15 March 2013, [TPM2.0] TCG, ., "TPM 2.0 Library Specification", 15 March 2013,
<https://trustedcomputinggroup.org/resource/tpm-library- <https://trustedcomputinggroup.org/resource/tpm-library-
specification/>. specification/>.
[TPM2.0-Arch]
"Trusted Platform Module Library - Part 1: Architecture",
n.d., <https://trustedcomputinggroup.org/wp-
content/uploads/TPM-Rev-2.0-Part-1-Architecture-
01.07-2014-03-13.pdf>.
[TPM2.0-Key] [TPM2.0-Key]
TCG, ., "TPM 2.0 Keys for Device Identity and Attestation, TCG, ., "TPM 2.0 Keys for Device Identity and Attestation,
Rev10", 14 April 2021, <https://trustedcomputinggroup.org/ Rev10", 14 April 2021, <https://trustedcomputinggroup.org/
wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf>. wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf>.
[TPM2.0-Structures]
"Trusted Platform Module Library - Part 2: Structures",
n.d., <https://trustedcomputinggroup.org/wp-
content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>.
6.2. Informative References 6.2. Informative References
[bios-log] "TCG PC Client Platform Firmware Profile Specification, [bios-log] "TCG PC Client Platform Firmware Profile Specification,
Section 9.4.5.2", n.d., Section 9.4.5.2", n.d.,
<https://trustedcomputinggroup.org/wp-content/uploads/PC-C <https://trustedcomputinggroup.org/wp-content/uploads/PC-C
lientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf lientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf
>. >.
[I-D.ietf-rats-reference-interaction-models] [I-D.ietf-rats-reference-interaction-models]
Birkholz, H., Eckel, M., Pan, W., and E. Voit, "Reference Birkholz, H., Eckel, M., Pan, W., and E. Voit, "Reference
Interaction Models for Remote Attestation Procedures", Interaction Models for Remote Attestation Procedures",
Work in Progress, Internet-Draft, draft-ietf-rats- Work in Progress, Internet-Draft, draft-ietf-rats-
reference-interaction-models-04, 26 July 2021, reference-interaction-models-05, 26 January 2022,
<https://www.ietf.org/archive/id/draft-ietf-rats- <https://www.ietf.org/archive/id/draft-ietf-rats-
reference-interaction-models-04.txt>. reference-interaction-models-05.txt>.
[ima-log] "Canonical Event Log Format, Section 4.3", n.d.,
<https://www.trustedcomputinggroup.org/wp-content/uploads/
TCG_IWG_CEL_v1_r0p30_13feb2021.pdf>.
[netequip-boot-log]
"IMA Policy Kernel Documentation", n.d.,
<https://www.kernel.org/doc/Documentation/ABI/testing/
ima_policy>.
[NIST-915121] [NIST-915121]
"True Randomness Can't be Left to Chance: Why entropy is "True Randomness Can't be Left to Chance: Why entropy is
important for information security", n.d., important for information security", n.d.,
<https://tsapps.nist.gov/publication/ <https://tsapps.nist.gov/publication/
get_pdf.cfm?pub_id=915121>. get_pdf.cfm?pub_id=915121>.
[PC-Client-EFI-TPM-1.2]
Trusted Computing Group, "TCG EFI Platform Specification
for TPM Family 1.1 or 1.2, Specification Version 1.22,
Revision 15", 1 January 2014,
<https://trustedcomputinggroup.org/resource/tcg-efi-
platform-specification/>.
Authors' Addresses Authors' Addresses
Henk Birkholz Henk Birkholz
Fraunhofer SIT Fraunhofer SIT
Rheinstrasse 75 Rheinstrasse 75
64295 Darmstadt 64295 Darmstadt
Germany Germany
Email: henk.birkholz@sit.fraunhofer.de Email: henk.birkholz@sit.fraunhofer.de
 End of changes. 135 change blocks. 
163 lines changed or deleted 313 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/