draft-ietf-rats-yang-tpm-charra-18.txt   draft-ietf-rats-yang-tpm-charra-19.txt 
RATS Working Group H. Birkholz RATS Working Group H. Birkholz
Internet-Draft M. Eckel Internet-Draft M. Eckel
Intended status: Standards Track Fraunhofer SIT Intended status: Standards Track Fraunhofer SIT
Expires: 21 September 2022 S. Bhandari Expires: 17 October 2022 S. Bhandari
ThoughtSpot ThoughtSpot
E. Voit E. Voit
B. Sulzen B. Sulzen
Cisco Cisco
L. Xia L. Xia
Huawei Huawei
T. Laffey T. Laffey
HPE HPE
G. Fedorkow G. Fedorkow
Juniper Juniper
20 March 2022 15 April 2022
A YANG Data Model for Challenge-Response-based Remote Attestation A YANG Data Model for Challenge-Response-based Remote Attestation
Procedures using TPMs Procedures using TPMs
draft-ietf-rats-yang-tpm-charra-18 draft-ietf-rats-yang-tpm-charra-19
Abstract Abstract
This document defines YANG RPCs and a few configuration nodes This document defines YANG RPCs and a few configuration nodes
required to retrieve attestation evidence about integrity required to retrieve attestation evidence about integrity
measurements from a device, following the operational context defined measurements from a device, following the operational context defined
in TPM-based Network Device Remote Integrity Verification. in TPM-based Network Device Remote Integrity Verification.
Complementary measurement logs are also provided by the YANG RPCs, Complementary measurement logs are also provided by the YANG RPCs,
originating from one or more roots of trust for measurement (RTMs). originating from one or more roots of trust for measurement (RTMs).
The module defined requires at least one TPM 1.2 or TPM 2.0 as well The module defined requires at least one TPM 1.2 or TPM 2.0 as well
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 21 September 2022. This Internet-Draft will expire on 17 October 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 36 skipping to change at page 2, line 36
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3
2. The YANG Module for Basic Remote Attestation Procedures . . . 3 2. The YANG Module for Basic Remote Attestation Procedures . . . 3
2.1. YANG Modules . . . . . . . . . . . . . . . . . . . . . . 3 2.1. YANG Modules . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1. 'ietf-tpm-remote-attestation' . . . . . . . . . . . . 4 2.1.1. 'ietf-tpm-remote-attestation' . . . . . . . . . . . . 4
2.1.2. 'ietf-tcg-algs' . . . . . . . . . . . . . . . . . . . 33 2.1.2. 'ietf-tcg-algs' . . . . . . . . . . . . . . . . . . . 33
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48
4. Security Considerations . . . . . . . . . . . . . . . . . . . 49 4. Security Considerations . . . . . . . . . . . . . . . . . . . 49
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 50 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.1. Normative References . . . . . . . . . . . . . . . . . . 51 5.1. Normative References . . . . . . . . . . . . . . . . . . 51
5.2. Informative References . . . . . . . . . . . . . . . . . 55 5.2. Informative References . . . . . . . . . . . . . . . . . 56
Appendix A. Integrity Measurement Architecture (IMA) . . . . . . 56 Appendix A. Integrity Measurement Architecture (IMA) . . . . . . 56
Appendix B. IMA for Network Equipment Boot Logs . . . . . . . . 57 Appendix B. IMA for Network Equipment Boot Logs . . . . . . . . 57
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58
1. Introduction 1. Introduction
This document is based on the general terminology defined in the This document is based on the general terminology defined in the
[I-D.ietf-rats-architecture] and uses the operational context defined [I-D.ietf-rats-architecture] and uses the operational context defined
in [I-D.ietf-rats-tpm-based-network-device-attest] as well as the in [I-D.ietf-rats-tpm-based-network-device-attest] as well as the
interaction model and information elements defined in interaction model and information elements defined in
skipping to change at page 10, line 4 skipping to change at page 10, line 4
specific TPM to identify to which 'compute-node' it belongs. specific TPM to identify to which 'compute-node' it belongs.
+--rw compute-nodes {tpm:mtpm}? +--rw compute-nodes {tpm:mtpm}?
+--ro compute-node* [node-id] +--ro compute-node* [node-id]
+--ro node-id string +--ro node-id string
+--ro node-physical-index? int32 {hw:entity-mib}? +--ro node-physical-index? int32 {hw:entity-mib}?
+--ro node-name? string +--ro node-name? string
+--ro node-location? string +--ro node-location? string
2.1.1.6. YANG Module 2.1.1.6. YANG Module
<CODE BEGINS> file "ietf-tpm-remote-attestation@2022-03-15.yang" <CODE BEGINS> file "ietf-tpm-remote-attestation@2022-03-23.yang"
module ietf-tpm-remote-attestation { module ietf-tpm-remote-attestation {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation"; namespace "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation";
prefix tpm; prefix tpm;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
} }
import ietf-hardware { import ietf-hardware {
prefix hw; prefix hw;
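Review bot: the file name on the CODE BEGINS line now carries 2022-03-23, which matches the module's revision statement further down in this diff (revision 2022-03-23); in -18 the file name (2022-03-15) and the revision (2022-03-18) disagreed, and that mismatch breaks tooling that locates a module as name@revision.yang (the RFC 7950 Section 5.2 convention). Keep the two in lock-step in later revisions, ideally by generating the file name from the revision statement rather than editing it by hand.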
skipping to change at page 11, line 13 skipping to change at page 11, line 13
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as 'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here."; they appear in all capitals, as shown here.";
revision 2022-03-18 { revision 2022-03-23 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: A YANG Data Model for Challenge-Response-based Remote "RFC XXXX: A YANG Data Model for Challenge-Response-based Remote
Attestation Procedures using TPMs"; Attestation Procedures using TPMs";
} }
/*****************/ /*****************/
/* Features */ /* Features */
/*****************/ /*****************/
skipping to change at page 12, line 12 skipping to change at page 12, line 12
https://www.trustedcomputinggroup.org/wp-content/uploads/ https://www.trustedcomputinggroup.org/wp-content/uploads/
TCG_IWG_CEL_v1_r0p41_pub.pdf Section 5.1.6"; TCG_IWG_CEL_v1_r0p41_pub.pdf Section 5.1.6";
} }
feature netequip_boot { feature netequip_boot {
description description
"The device supports the netequip_boot logs."; "The device supports the netequip_boot logs.";
reference reference
"netequip-boot-log: "netequip-boot-log:
RFC AAAA Appendix B"; RFC XXXX Appendix B";
} }
/*****************/ /*****************/
/* Typedefs */ /* Typedefs */
/*****************/ /*****************/
typedef pcr { typedef pcr {
type uint8 { type uint8 {
range "0..31"; range "0..31";
} }
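Review bot: the reference for feature netequip_boot changes from "RFC AAAA Appendix B" to "RFC XXXX Appendix B"; that is the correct placeholder, since Appendix B ("IMA for Network Equipment Boot Logs") is part of this document (see the table of contents) and no RFC AAAA was defined anywhere. Worth a grep for any remaining AAAA/BBBB placeholders before the RFC Editor pass, and the reference text "netequip-boot-log:" should use the same citation form as the other reference statements in this module (e.g. "RFC XXXX: A YANG Data Model for Challenge-Response-based Remote Attestation Procedures using TPMs, Appendix B").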
skipping to change at page 13, line 44 skipping to change at page 13, line 44
"The cryptographic algorithm used to hash the TPM2 PCRs. This "The cryptographic algorithm used to hash the TPM2 PCRs. This
must be from the list of platform supported options."; must be from the list of platform supported options.";
leaf tpm20-hash-algo { leaf tpm20-hash-algo {
type identityref { type identityref {
base taa:hash; base taa:hash;
} }
must '. = /tpm:rats-support-structures' must '. = /tpm:rats-support-structures'
+ '/tpm:attester-supported-algos/tpm:tpm20-hash' { + '/tpm:attester-supported-algos/tpm:tpm20-hash' {
error-message "This platform does not support tpm20-hash-algo"; error-message "This platform does not support tpm20-hash-algo";
} }
default "taa:TPM_ALG_SHA256";
description description
"The hash scheme that is used to hash a TPM2.0 PCR. This "The hash scheme that is used to hash a TPM2.0 PCR. This
must be one of those supported by a platform."; must be one of those supported by a platform.
Where this object does not appear, the default value of
'taa:TPM_ALG_SHA256' will apply.";
} }
} }
grouping tpm12-hash-algo { grouping tpm12-hash-algo {
description description
"The cryptographic algorithm used to hash the TPM1.2 PCRs."; "The cryptographic algorithm used to hash the TPM1.2 PCRs.";
leaf tpm12-hash-algo { leaf tpm12-hash-algo {
type identityref { type identityref {
base taa:hash; base taa:hash;
} }
must '. = /tpm:rats-support-structures' must '. = /tpm:rats-support-structures'
+ '/tpm:attester-supported-algos/tpm:tpm12-hash' { + '/tpm:attester-supported-algos/tpm:tpm12-hash' {
error-message "This platform does not support tpm12-hash-algo"; error-message "This platform does not support tpm12-hash-algo";
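Review bot: removing default "taa:TPM_ALG_SHA256" from tpm20-hash-algo and restating it in the description turns a schema-enforced default into a prose convention. The likely motivation is the adjacent must constraint: with a YANG default in place the leaf is treated as present when XPath expressions are evaluated (RFC 7950 Section 6.4.1), so the must ('. = /tpm:rats-support-structures/tpm:attester-supported-algos/tpm:tpm20-hash') would be checked against TPM_ALG_SHA256 on every request that omits the leaf and would fail on an Attester that does not advertise it. If that is the reason, say so in normative terms in the description: when the leaf is absent the Attester uses TPM_ALG_SHA256, and an Attester that does not list TPM_ALG_SHA256 under attester-supported-algos/tpm20-hash MUST reject the request rather than silently substitute another hash, otherwise the Verifier cannot know which algorithm the returned PCR digests were computed with. As written ("will apply") the sentence reads as informative only.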
skipping to change at page 14, line 14 skipping to change at page 14, line 15
description description
"The cryptographic algorithm used to hash the TPM1.2 PCRs."; "The cryptographic algorithm used to hash the TPM1.2 PCRs.";
leaf tpm12-hash-algo { leaf tpm12-hash-algo {
type identityref { type identityref {
base taa:hash; base taa:hash;
} }
must '. = /tpm:rats-support-structures' must '. = /tpm:rats-support-structures'
+ '/tpm:attester-supported-algos/tpm:tpm12-hash' { + '/tpm:attester-supported-algos/tpm:tpm12-hash' {
error-message "This platform does not support tpm12-hash-algo"; error-message "This platform does not support tpm12-hash-algo";
} }
default "taa:TPM_ALG_SHA1";
description description
"The hash scheme that is used to hash a TPM1.2 PCR. This "The hash scheme that is used to hash a TPM1.2 PCR. This
MUST be one of those supported by a platform."; MUST be one of those supported by a platform.
Where this object does not appear, the default value of
'taa:TPM_ALG_SHA1' will apply.";
} }
} }
grouping nonce { grouping nonce {
description description
"A random number intended to guarantee freshness and for use "A random number intended to guarantee freshness and for use
as part of a replay-detection mechanism."; as part of a replay-detection mechanism.";
leaf nonce-value { leaf nonce-value {
type binary; type binary;
mandatory true; mandatory true;
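Review bot: same change as for tpm20-hash-algo, with TPM_ALG_SHA1 now only a documented default, and the same must-versus-default consideration applies; the absent-leaf behaviour should be stated normatively here too. Two consistency points in this hunk: the tpm12 description says the algorithm "MUST be one of those supported by a platform" while the tpm20 description says "must" in lowercase, and the module's own boilerplate makes only the capitalised form normative, so pick one. And since SHA-1 is the only PCR hash a TPM 1.2 offers, it may be clearer to state that fact in the description than to present SHA-1 as a selectable default.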
skipping to change at page 19, line 44 skipping to change at page 19, line 45
} }
} }
leaf event-size { leaf event-size {
type uint32; type uint32;
description description
"Size of the event data"; "Size of the event data";
} }
leaf-list event-data { leaf-list event-data {
type binary; type binary;
description description
"The event data size determined by event-size. For more "The event data. This is a binary structure
see "; of size 'event-size'. For more on what
might be recorded within this object
see [bios-log] Section 9 which details
viable events which might be recorded.";
} }
} }
grouping bios-event-log { grouping bios-event-log {
description description
"Measurement log created by the BIOS/UEFI."; "Measurement log created by the BIOS/UEFI.";
list bios-event-entry { list bios-event-entry {
key "event-number"; key "event-number";
description description
"Ordered list of TCG described event log "Ordered list of TCG described event log
that extended the PCRs in the order they that extended the PCRs in the order they
were logged"; were logged";
uses boot-event-log; uses boot-event-log;
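Review bot: the new description for event-data says "This is a binary structure of size 'event-size'", but the node is a leaf-list of binary, so one log entry can carry several binary values and event-size cannot describe each of them. Either make it a leaf binary (one opaque event blob per log entry, which is what a TCG event log record contains) or state that event-size is the total length of the concatenated values. Also, "[bios-log] Section 9" is a citation key inside the description string; YANG tooling will not resolve it, so move it into a reference statement on the leaf, as the module does elsewhere, with the full title of the [bios-log] document.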
skipping to change at page 20, line 37 skipping to change at page 20, line 41
} }
leaf ima-template { leaf ima-template {
type string; type string;
description description
"Name of the template used for event logs "Name of the template used for event logs
for e.g. ima, ima-ng, ima-sig"; for e.g. ima, ima-ng, ima-sig";
} }
leaf filename-hint { leaf filename-hint {
type string; type string;
description description
"File that was measured"; "File name (including the path) that was measured.";
} }
leaf filedata-hash { leaf filedata-hash {
type binary; type binary;
description description
"Hash of filedata as updated based upon the "Hash of filedata as updated based upon the
filedata-hash-algorithm"; filedata-hash-algorithm";
} }
leaf filedata-hash-algorithm { leaf filedata-hash-algorithm {
type string; type string;
description description
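Review bot: "File name (including the path) that was measured." improves filename-hint, but the leaf is named a hint for a reason and the description should say why: the path is whatever the kernel saw at measurement time, and a rename, bind mount or attacker-controlled mount namespace can present any path for any content. A Verifier should use it only to select candidate reference values and must match on filedata-hash together with filedata-hash-algorithm (both defined right after this leaf). Worth one sentence to that effect, and a note that Linux paths are arbitrary bytes while the leaf is a YANG string, so non-UTF-8 names need an agreed escaping.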
skipping to change at page 34, line 4 skipping to change at page 34, line 6
2. API specifications for TPM types: 'tpm12' and 'tpm20' 2. API specifications for TPM types: 'tpm12' and 'tpm20'
3. Specific algorithm types: Each algorithm type defines what 3. Specific algorithm types: Each algorithm type defines what
cryptographic functions may be supported, and on which type of cryptographic functions may be supported, and on which type of
API specification. It is not required that an implementation of API specification. It is not required that an implementation of
a specific TPM will support all algorithm types. The contents of a specific TPM will support all algorithm types. The contents of
each specific algorithm mirrors what is in Table 3 of each specific algorithm mirrors what is in Table 3 of
[TCG-Algos]. [TCG-Algos].
2.1.2.3. YANG Module 2.1.2.3. YANG Module
<CODE BEGINS> file "ietf-tcg-algs@2022-03-09.yang"
<CODE BEGINS> file "ietf-tcg-algs@2022-03-23.yang"
module ietf-tcg-algs { module ietf-tcg-algs {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tcg-algs"; namespace "urn:ietf:params:xml:ns:yang:ietf-tcg-algs";
prefix taa; prefix taa;
organization organization
"IETF RATS (Remote ATtestation procedureS) Working Group"; "IETF RATS (Remote ATtestation procedureS) Working Group";
contact contact
"WG Web: <https://datatracker.ietf.org/wg/rats/> "WG Web: <https://datatracker.ietf.org/wg/rats/>
WG List: <mailto:rats@ietf.org> WG List: <mailto:rats@ietf.org>
Author: Eric Voit <mailto:evoit@cisco.com>"; Author: Eric Voit <mailto:evoit@cisco.com>";
description description
"This module defines identities for asymmetric algorithms. "This module defines identities for asymmetric algorithms.
Copyright (c) 2022 IETF Trust and the persons identified Copyright (c) 2022 IETF Trust and the persons identified as
as authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
itself for full legal notices. for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2022-03-09 { revision 2022-03-23 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: A YANG Data Model for Challenge-Response-based Remote "RFC XXXX: A YANG Data Model for Challenge-Response-based Remote
Attestation Procedures using TPMs"; Attestation Procedures using TPMs";
} }
/*****************/ /*****************/
/* Features */ /* Features */
/*****************/ /*****************/
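Review bot: the module description still reads "This module defines identities for asymmetric algorithms", but the module also defines hash identities (ietf-tpm-remote-attestation selects PCR hashes with base taa:hash) and symmetric ones (TPM_ALG_SYMCIPHER with base symmetric appears later in this diff), mirroring Table 3 of [TCG-Algos] as Section 2.1.2 states. Suggest "identities for the cryptographic algorithms in the TCG Algorithm Registry, covering hash, symmetric and asymmetric algorithms, their modes, and the TPM 1.2 or TPM 2.0 API each applies to". The change from "Simplified BSD License" to "Revised BSD License" matches the current IETF Trust template text; make sure the ietf-tpm-remote-attestation module received the same edit, as its license line falls outside this diff's context.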
skipping to change at page 44, line 26 skipping to change at page 44, line 29
"Prime field ECC"; "Prime field ECC";
reference reference
"TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
ISO/IEC 15946-1. ALG_ID: 0x0023"; ISO/IEC 15946-1. ALG_ID: 0x0023";
} }
identity TPM_ALG_SYMCIPHER { identity TPM_ALG_SYMCIPHER {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
base symmetric; base symmetric;
base object_type;
description description
"Object type for a symmetric block cipher"; "Object type for a symmetric block cipher";
reference reference
"TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and
TCG TPM 2.0 library specification. ALG_ID: 0x0025"; TCG TPM 2.0 library specification. ALG_ID: 0x0025";
} }
identity TPM_ALG_CAMELLIA { identity TPM_ALG_CAMELLIA {
if-feature "tpm20"; if-feature "tpm20";
base tpm20; base tpm20;
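Review bot: dropping base object_type from TPM_ALG_SYMCIPHER while keeping base symmetric looks inverted relative to the registry the text claims to mirror. The TCG Algorithm Registry and TPM 2.0 Library Part 2 list TPM_ALG_SYMCIPHER (0x0025) with type O, the object type for a symmetric-key object, not a symmetric algorithm itself; the concrete ciphers (AES, SM4, CAMELLIA, which follows in this hunk) are the S entries, and the identity's own description still says "Object type for a symmetric block cipher". Either restore base object_type (and check whether base symmetric is what Table 3 says) or change the description so the bases and the text agree; as it stands, a Verifier that enumerates identities derived from symmetric would offer SYMCIPHER as a cipher choice next to AES.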
skipping to change at page 51, line 38 skipping to change at page 51, line 48
Birkholz, H., Thaler, D., Richardson, M., Smith, N., and Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote Attestation Procedures Architecture", Work W. Pan, "Remote Attestation Procedures Architecture", Work
in Progress, Internet-Draft, draft-ietf-rats-architecture- in Progress, Internet-Draft, draft-ietf-rats-architecture-
15, 8 February 2022, <https://www.ietf.org/archive/id/ 15, 8 February 2022, <https://www.ietf.org/archive/id/
draft-ietf-rats-architecture-15.txt>. draft-ietf-rats-architecture-15.txt>.
[I-D.ietf-rats-tpm-based-network-device-attest] [I-D.ietf-rats-tpm-based-network-device-attest]
Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "TPM- Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "TPM-
based Network Device Remote Integrity Verification", Work based Network Device Remote Integrity Verification", Work
in Progress, Internet-Draft, draft-ietf-rats-tpm-based- in Progress, Internet-Draft, draft-ietf-rats-tpm-based-
network-device-attest-13, 1 March 2022, network-device-attest-14, 22 March 2022,
<https://www.ietf.org/archive/id/draft-ietf-rats-tpm- <https://www.ietf.org/archive/id/draft-ietf-rats-tpm-
based-network-device-attest-13.txt>. based-network-device-attest-14.txt>.
[IEEE-Std-1363-2000] [IEEE-Std-1363-2000]
"IEEE 1363-2000 - IEEE Standard Specifications for Public- "IEEE 1363-2000 - IEEE Standard Specifications for Public-
Key Cryptography", n.d., Key Cryptography", n.d.,
<https://standards.ieee.org/standard/1363-2000.html>. <https://standards.ieee.org/standard/1363-2000.html>.
[IEEE-Std-1363a-2004] [IEEE-Std-1363a-2004]
"1363a-2004 - IEEE Standard Specifications for Public-Key "1363a-2004 - IEEE Standard Specifications for Public-Key
Cryptography - Amendment 1: Additional Techniques", n.d., Cryptography - Amendment 1: Additional Techniques", n.d.,
<https://ieeexplore.ieee.org/document/1335427>. <https://ieeexplore.ieee.org/document/1335427>.
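Review bot: moving the normative reference to draft-ietf-rats-tpm-based-network-device-attest-14 is fine as a work-in-progress citation, but the two IEEE entries in this hunk still carry "n.d." even though the publication years (2000 and 2004) are part of the standards' own titles and identifiers; give the years so these are stable dated references rather than bare URLs. The 1363a-2004 URL also points at an IEEE Xplore document page rather than the standards.ieee.org page used for 1363-2000; use the same source for both.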
 End of changes. 26 change blocks. 
27 lines changed or deleted 34 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/