--- 1/draft-ietf-rats-yang-tpm-charra-18.txt 2022-04-14 17:13:11.239429023 -0700 +++ 2/draft-ietf-rats-yang-tpm-charra-19.txt 2022-04-14 17:13:11.347431742 -0700 @@ -1,30 +1,30 @@ RATS Working Group H. Birkholz Internet-Draft M. Eckel Intended status: Standards Track Fraunhofer SIT -Expires: 21 September 2022 S. Bhandari +Expires: 17 October 2022 S. Bhandari ThoughtSpot E. Voit B. Sulzen Cisco L. Xia Huawei T. Laffey HPE G. Fedorkow Juniper - 20 March 2022 + 15 April 2022 A YANG Data Model for Challenge-Response-based Remote Attestation Procedures using TPMs - draft-ietf-rats-yang-tpm-charra-18 + draft-ietf-rats-yang-tpm-charra-19 Abstract This document defines YANG RPCs and a few configuration nodes required to retrieve attestation evidence about integrity measurements from a device, following the operational context defined in TPM-based Network Device Remote Integrity Verification. Complementary measurement logs are also provided by the YANG RPCs, originating from one or more roots of trust for measurement (RTMs). The module defined requires at least one TPM 1.2 or TPM 2.0 as well 
@@ -42,21 +42,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 21 September 2022. + This Internet-Draft will expire on 17 October 2022. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -68,23 +68,23 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 2. The YANG Module for Basic Remote Attestation Procedures . . . 3 2.1. YANG Modules . . . . . . . . . . . . . . . . . . . . . . 3 2.1.1. 'ietf-tpm-remote-attestation' . . . . . . . . . . . . 4 2.1.2. 'ietf-tcg-algs' . . . . . . . . . . . . . . . . . . . 33 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 4. Security Considerations . . . . . . . . . . . . . . . . . . . 49 - 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 50 + 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 5.1. Normative References . . . . . . . . . . . . . . . . . . 51 - 5.2. Informative References . . . . . . . . . . . . . . . . . 55 + 5.2. Informative References . . . . . . . . . . . . . . . . . 56 Appendix A. Integrity Measurement Architecture (IMA) . . . . . . 56 Appendix B. IMA for Network Equipment Boot Logs . . . . . . . . 57 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 1. Introduction This document is based on the general terminology defined in the [I-D.ietf-rats-architecture] and uses the operational context defined in [I-D.ietf-rats-tpm-based-network-device-attest] as well as the interaction model and information elements defined in @@ -400,21 +400,21 @@ specific TPM to identify to which 'compute-node' it belongs. +--rw compute-nodes {tpm:mtpm}? +--ro compute-node* [node-id] +--ro node-id string +--ro node-physical-index? int32 {hw:entity-mib}? +--ro node-name? string +--ro node-location? string 2.1.1.6. YANG Module - file "ietf-tpm-remote-attestation@2022-03-15.yang" + file "ietf-tpm-remote-attestation@2022-03-23.yang" module ietf-tpm-remote-attestation { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation"; prefix tpm; import ietf-yang-types { prefix yang; } import ietf-hardware { prefix hw; 
@@ -457,21 +457,21 @@ This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-03-18 { + revision 2022-03-23 { description "Initial version"; reference "RFC XXXX: A YANG Data Model for Challenge-Response-based Remote Attestation Procedures using TPMs"; } /*****************/ /* Features */ /*****************/ @@ -504,21 +504,21 @@ https://www.trustedcomputinggroup.org/wp-content/uploads/ TCG_IWG_CEL_v1_r0p41_pub.pdf Section 5.1.6"; } feature netequip_boot { description "The device supports the netequip_boot logs."; reference "netequip-boot-log: - RFC AAAA Appendix B"; + RFC XXXX Appendix B"; } /*****************/ /* Typedefs */ /*****************/ typedef pcr { type uint8 { range "0..31"; } 
@@ -584,27 +584,27 @@ "The cryptographic algorithm used to hash the TPM2 PCRs. This must be from the list of platform supported options."; leaf tpm20-hash-algo { type identityref { base taa:hash; } must '. = /tpm:rats-support-structures' + '/tpm:attester-supported-algos/tpm:tpm20-hash' { error-message "This platform does not support tpm20-hash-algo"; } - default "taa:TPM_ALG_SHA256"; description "The hash scheme that is used to hash a TPM2.0 PCR. This - must be one of those supported by a platform."; + must be one of those supported by a platform. + Where this object does not appear, the default value of + 'taa:TPM_ALG_SHA256' will apply."; } } - grouping tpm12-hash-algo { description "The cryptographic algorithm used to hash the TPM1.2 PCRs."; leaf tpm12-hash-algo { type identityref { base taa:hash; } must '. = /tpm:rats-support-structures' + '/tpm:attester-supported-algos/tpm:tpm12-hash' { error-message "This platform does not support tpm12-hash-algo"; @@ -602,24 +602,25 @@ description "The cryptographic algorithm used to hash the TPM1.2 PCRs."; leaf tpm12-hash-algo { type identityref { base taa:hash; } must '. = /tpm:rats-support-structures' + '/tpm:attester-supported-algos/tpm:tpm12-hash' { error-message "This platform does not support tpm12-hash-algo"; } - default "taa:TPM_ALG_SHA1"; description "The hash scheme that is used to hash a TPM1.2 PCR. This - MUST be one of those supported by a platform."; + MUST be one of those supported by a platform. + Where this object does not appear, the default value of + 'taa:TPM_ALG_SHA1' will apply."; } } grouping nonce { description "A random number intended to guarantee freshness and for use as part of a replay-detection mechanism."; leaf nonce-value { type binary; mandatory true; 
@@ -873,25 +873,27 @@ } } leaf event-size { type uint32; description "Size of the event data"; } leaf-list event-data { type binary; description - "The event data size determined by event-size. For more - see "; + "The event data. This is a binary structure + of size 'event-size'. For more on what + might be recorded within this object + see [bios-log] Section 9 which details + viable events which might be recorded."; } } - grouping bios-event-log { description "Measurement log created by the BIOS/UEFI."; list bios-event-entry { key "event-number"; description "Ordered list of TCG described event log that extended the PCRs in the order they were logged"; uses boot-event-log; @@ -915,21 +917,21 @@ } leaf ima-template { type string; description "Name of the template used for event logs for e.g. ima, ima-ng, ima-sig"; } leaf filename-hint { type string; description - "File that was measured"; + "File name (including the path) that was measured."; } leaf filedata-hash { type binary; description "Hash of filedata as updated based upon the filedata-hash-algorithm"; } leaf filedata-hash-algorithm { type string; description 
@@ -1552,54 +1555,57 @@ 2. API specifications for TPM types: 'tpm12' and 'tpm20' 3. Specific algorithm types: Each algorithm type defines what cryptographic functions may be supported, and on which type of API specification. It is not required that an implementation of a specific TPM will support all algorithm types. The contents of each specific algorithm mirrors what is in Table 3 of [TCG-Algos]. 2.1.2.3. YANG Module - file "ietf-tcg-algs@2022-03-09.yang" + + file "ietf-tcg-algs@2022-03-23.yang" module ietf-tcg-algs { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-tcg-algs"; prefix taa; organization "IETF RATS (Remote ATtestation procedureS) Working Group"; contact "WG Web: WG List: Author: Eric Voit "; description "This module defines identities for asymmetric algorithms. - Copyright (c) 2022 IETF Trust and the persons identified - as authors of the code. All rights reserved. + Copyright (c) 2022 IETF Trust and the persons identified as + authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified + subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). + This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices. + (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself + for full legal notices. 
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-03-09 { + revision 2022-03-23 { description "Initial version"; reference "RFC XXXX: A YANG Data Model for Challenge-Response-based Remote Attestation Procedures using TPMs"; } /*****************/ /* Features */ /*****************/ @@ -2055,20 +2059,21 @@ "Prime field ECC"; reference "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and ISO/IEC 15946-1. ALG_ID: 0x0023"; } identity TPM_ALG_SYMCIPHER { if-feature "tpm20"; base tpm20; base symmetric; + base object_type; description "Object type for a symmetric block cipher"; reference "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and TCG TPM 2.0 library specification. ALG_ID: 0x0025"; } identity TPM_ALG_CAMELLIA { if-feature "tpm20"; base tpm20; @@ -2403,23 +2411,23 @@ Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote Attestation Procedures Architecture", Work in Progress, Internet-Draft, draft-ietf-rats-architecture- 15, 8 February 2022, . [I-D.ietf-rats-tpm-based-network-device-attest] Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "TPM- based Network Device Remote Integrity Verification", Work in Progress, Internet-Draft, draft-ietf-rats-tpm-based- - network-device-attest-13, 1 March 2022, + network-device-attest-14, 22 March 2022, . + based-network-device-attest-14.txt>. [IEEE-Std-1363-2000] "IEEE 1363-2000 - IEEE Standard Specifications for Public- Key Cryptography", n.d., . [IEEE-Std-1363a-2004] "1363a-2004 - IEEE Standard Specifications for Public-Key Cryptography - Amendment 1: Additional Techniques", n.d., .
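Review bot: In the -584 hunk, dropping `default "taa:TPM_ALG_SHA256"` from tpm20-hash-algo and restating it as prose ("Where this object does not appear, the default value of 'taa:TPM_ALG_SHA256' will apply.") turns a machine-enforced YANG default into a convention: a client omitting the leaf no longer gets the value from the schema, and the `must '. = /tpm:rats-support-structures/tpm:attester-supported-algos/tpm:tpm20-hash'` constraint is no longer evaluated against an implicit value on platforms that do not list SHA256. That is presumably the motivation (a default that can fail its own `must`), but the description should then say who applies the fallback (the Attester, server side) and what happens when SHA256 is absent from attester-supported-algos, since the prose alone cannot be validated.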
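Review bot: In the -602 hunk the tpm12-hash-algo description reads "This MUST be one of those supported by a platform." while the parallel tpm20-hash-algo text in the preceding hunk reads "This must be one of those supported by a platform."; the two groupings are otherwise mirror images, so pick one form. Since the module's own header already scopes BCP 14 keywords to all-capitals, the lowercase form is the safer choice inside a description string unless the requirement is intended to be normative, in which case both should be uppercase.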
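Review bot: In the -873 hunk the repaired event-data description embeds the citation "[bios-log] Section 9" inside the description string; YANG provides a `reference` substatement for exactly this, and the sibling feature in the -504 hunk already uses `reference` for its document pointer, so move the citation there. Separately, the node is a `leaf-list event-data { type binary; ... }` but the new text describes "a binary structure of size 'event-size'" in the singular; state whether each leaf-list entry is one such structure or the entries together total event-size, or change the node to a plain `leaf` if only one structure is ever carried.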
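Review bot: In the -1552 hunk the ietf-tcg-algs module description still opens with "This module defines identities for asymmetric algorithms.", which understates the module: the surrounding text says each algorithm type "defines what cryptographic functions may be supported" mirroring Table 3 of [TCG-Algos], and the -2055 hunk shows TPM_ALG_SYMCIPHER with `base symmetric`. Suggest "This module defines identities for the cryptographic algorithms listed in the TCG Algorithm Registry." The switch from "Simplified" to "Revised BSD License" matches the current IETF Trust wording. One style point: the added blank line before `file "ietf-tcg-algs@2022-03-23.yang"` has no counterpart before `file "ietf-tpm-remote-attestation@2022-03-23.yang"` in the -400 hunk; keep the two module headings formatted the same way.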
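Review bot: In the -2055 hunk, adding `base object_type;` to TPM_ALG_SYMCIPHER makes the identity agree with its own description ("Object type for a symmetric block cipher"), but the identity keeps `base symmetric` as well, so any `identityref { base taa:symmetric; }` leaf will also accept TPM_ALG_SYMCIPHER, which is a TPM object-type placeholder rather than a concrete cipher like the TPM_ALG_CAMELLIA identity that follows in the same hunk. If leaves selecting a symmetric algorithm are meant to name a concrete cipher, either document that TPM_ALG_SYMCIPHER is a valid selection there or restrict such leaves (for example with a `must` that excludes it).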
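Review bot: In the -2403 hunk the [I-D.ietf-rats-tpm-based-network-device-attest] entry is refreshed to draft -14 of 22 March 2022, but the [I-D.ietf-rats-architecture] entry shown as context in the same hunk still cites draft-ietf-rats-architecture-15 of 8 February 2022; confirm that is still the current revision before this draft is published so the two companion references do not drift. The URL for the updated entry is split across lines ("based-network-device-attest-14.txt>."), which is fine in the text rendering but worth checking in the XML source so the anchor is not broken.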