draft-ietf-rats-yang-tpm-charra-19.txt   draft-ietf-rats-yang-tpm-charra-20.txt 
RATS Working Group H. Birkholz RATS Working Group H. Birkholz
Internet-Draft M. Eckel Internet-Draft M. Eckel
Intended status: Standards Track Fraunhofer SIT Intended status: Standards Track Fraunhofer SIT
Expires: 17 October 2022 S. Bhandari Expires: 19 November 2022 S. Bhandari
ThoughtSpot ThoughtSpot
E. Voit E. Voit
B. Sulzen B. Sulzen
Cisco Cisco
L. Xia L. Xia
Huawei Huawei
T. Laffey T. Laffey
HPE HPE
G. Fedorkow G. Fedorkow
Juniper Juniper
15 April 2022 18 May 2022
A YANG Data Model for Challenge-Response-based Remote Attestation A YANG Data Model for Challenge-Response-based Remote Attestation
Procedures using TPMs Procedures using TPMs
draft-ietf-rats-yang-tpm-charra-19 draft-ietf-rats-yang-tpm-charra-20
Abstract Abstract
This document defines YANG RPCs and a few configuration nodes This document defines YANG RPCs and a few configuration nodes
required to retrieve attestation evidence about integrity required to retrieve attestation evidence about integrity
measurements from a device, following the operational context defined measurements from a device, following the operational context defined
in TPM-based Network Device Remote Integrity Verification. in TPM-based Network Device Remote Integrity Verification.
Complementary measurement logs are also provided by the YANG RPCs, Complementary measurement logs are also provided by the YANG RPCs,
originating from one or more roots of trust for measurement (RTMs). originating from one or more roots of trust for measurement (RTMs).
The module defined requires at least one TPM 1.2 or TPM 2.0 as well The module defined requires at least one TPM 1.2 or TPM 2.0 as well
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 17 October 2022. This Internet-Draft will expire on 19 November 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 9, line 14 skipping to change at page 9, line 14
+--rw tpms +--rw tpms
+--rw tpm* [name] +--rw tpm* [name]
+--rw name string +--rw name string
+--ro hardware-based boolean +--ro hardware-based boolean
+--ro physical-index? int32 {hw:entity-mib}? +--ro physical-index? int32 {hw:entity-mib}?
+--ro path? string +--ro path? string
+--ro compute-node compute-node-ref {tpm:mtpm}? +--ro compute-node compute-node-ref {tpm:mtpm}?
+--ro manufacturer? string +--ro manufacturer? string
+--rw firmware-version identityref +--rw firmware-version identityref
+--rw tpm12-hash-algo? identityref +--rw tpm12-hash-algo? identityref {taa:tpm12}?
+--rw tpm12-pcrs* pcr +--rw tpm12-pcrs* pcr
+--rw tpm20-pcr-bank* [tpm20-hash-algo] +--rw tpm20-pcr-bank* [tpm20-hash-algo] {taa:tpm20}?
| +--rw tpm20-hash-algo identityref | +--rw tpm20-hash-algo identityref
| +--rw pcr-index* tpm:pcr | +--rw pcr-index* tpm:pcr
+--ro status enumeration +--ro status enumeration
+--rw certificates +--rw certificates
+--rw certificate* [name] +--rw certificate* [name]
+--rw name string +--rw name string
+--rw keystore-ref? leafref {ks:asymmetric-keys}? +--rw keystore-ref? leafref {ks:asymmetric-keys}?
+--rw type? enumeration +--rw type? enumeration
container 'attester-supported-algos' - Identifies which TCG hash container 'attester-supported-algos' - Identifies which TCG hash
algorithms are available for use on the Attesting platform. An algorithms are available for use on the Attesting platform. An
operator will use this information to limit algorithms available for operator will use this information to limit algorithms available for
use by RPCs to just a desired set from the universe of all allowed use by RPCs to just a desired set from the universe of all allowed
hash algorithms by the TCG. hash algorithms by the TCG.
+--rw attester-supported-algos +--rw attester-supported-algos
+--rw tpm12-asymmetric-signing* identityref +--rw tpm12-asymmetric-signing* identityref {taa:tpm12}?
+--rw tpm12-hash* identityref +--rw tpm12-hash* identityref {taa:tpm12}?
+--rw tpm20-asymmetric-signing* identityref +--rw tpm20-asymmetric-signing* identityref {taa:tpm20}?
+--rw tpm20-hash* identityref +--rw tpm20-hash* identityref {taa:tpm20}?
container 'compute-nodes' - When there is more than one TPM container 'compute-nodes' - When there is more than one TPM
supported, this container maintains the set of information related to supported, this container maintains the set of information related to
the compute node associated with a specific TPM. This allows each the compute node associated with a specific TPM. This allows each
specific TPM to identify to which 'compute-node' it belongs. specific TPM to identify to which 'compute-node' it belongs.
+--rw compute-nodes {tpm:mtpm}? +--rw compute-nodes {tpm:mtpm}?
+--ro compute-node* [node-id] +--ro compute-node* [node-id]
+--ro node-id string +--ro node-id string
+--ro node-physical-index? int32 {hw:entity-mib}? +--ro node-physical-index? int32 {hw:entity-mib}?
+--ro node-name? string +--ro node-name? string
+--ro node-location? string +--ro node-location? string
2.1.1.6. YANG Module 2.1.1.6. YANG Module
<CODE BEGINS> file "ietf-tpm-remote-attestation@2022-03-23.yang" <CODE BEGINS> file "ietf-tpm-remote-attestation@2022-05-13.yang"
module ietf-tpm-remote-attestation { module ietf-tpm-remote-attestation {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation"; namespace "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation";
prefix tpm; prefix tpm;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
} }
import ietf-hardware { import ietf-hardware {
prefix hw; prefix hw;
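Review bot: the tree diagram is now out of step with the module body for `tpm12-pcrs`. The `{taa:tpm12}?` and `{taa:tpm20}?` markers added to `tpm12-hash-algo`, `tpm20-pcr-bank` and the four `attester-supported-algos` leaf-lists match the new `if-feature` statements, but `+--rw tpm12-pcrs* pcr` keeps no feature marker even though this same revision adds `if-feature "taa:tpm12"` to `leaf-list tpm12-pcrs` in the module body. Suggest `+--rw tpm12-pcrs* pcr {taa:tpm12}?` so the RFC 8340 tree reflects the schema, and regenerating the tree from the module rather than patching it by hand so the two cannot drift again.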
skipping to change at page 10, line 46 skipping to change at page 10, line 46
description description
"A YANG module to enable a TPM 1.2 and TPM 2.0 based "A YANG module to enable a TPM 1.2 and TPM 2.0 based
remote attestation procedure using a challenge-response remote attestation procedure using a challenge-response
interaction model and the TPM 1.2 and TPM 2.0 Quote interaction model and the TPM 1.2 and TPM 2.0 Quote
primitive operations. primitive operations.
Copyright (c) 2022 IETF Trust and the persons identified Copyright (c) 2022 IETF Trust and the persons identified
as authors of the code. All rights reserved. as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set the license terms contained in, the Revised BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as 'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here."; they appear in all capitals, as shown here.";
revision 2022-03-23 { revision 2022-05-13 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: A YANG Data Model for Challenge-Response-based Remote "RFC XXXX: A YANG Data Model for Challenge-Response-based Remote
Attestation Procedures using TPMs"; Attestation Procedures using TPMs";
} }
/*****************/ /*****************/
/* Features */ /* Features */
/*****************/ /*****************/
skipping to change at page 15, line 32 skipping to change at page 15, line 32
description description
"Specifies the list of PCRs and Hash Algorithms that can be "Specifies the list of PCRs and Hash Algorithms that can be
returned within a TPM2B_DIGEST."; returned within a TPM2B_DIGEST.";
reference reference
"TPM2.0-Structures: "TPM2.0-Structures:
https://www.trustedcomputinggroup.org/wp-content/uploads/ https://www.trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7"; TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7";
uses tpm20-hash-algo; uses tpm20-hash-algo;
leaf-list pcr-index { leaf-list pcr-index {
type pcr; type pcr;
must '/tpm:rats-support-structures/tpm:tpms'
+ '/tpm:tpm[name = current()]'
+ '/tpm:tpm20-pcr-bank[pcr-index = current()]' {
error-message "Acquiring this PCR index is not supported";
}
description description
"The numbers of the PCRs that which are being tracked "The numbers of the PCRs that which are being tracked
with a hash based on the tpm20-hash-algo. In addition, with a hash based on the tpm20-hash-algo. In addition,
any selection of PCRs MUST verify that the set of PCRs any selection of PCRs MUST verify that the set of PCRs
requested are a subset the set of PCR indexes exposed requested are a subset the set of PCR indexes selected
within /tpm:rats-support-structures/tpm:tpms are available for that specific TPM.";
/tpm:tpm[name=current()]/tpm:tpm20-pcr-bank
/tpm:pcr-index";
} }
} }
} }
grouping certificate-name-ref { grouping certificate-name-ref {
description description
"Identifies a certificate in a keystore."; "Identifies a certificate in a keystore.";
leaf certificate-name { leaf certificate-name {
type certificate-name-ref; type certificate-name-ref;
mandatory true; mandatory true;
description description
"Identifies a certificate in a keystore."; "Identifies a certificate in a keystore.";
} }
} }
grouping tpm-name { grouping tpm-name {
description description
"A unique TPM on a device."; "A unique TPM on a device.";
leaf name { leaf name {
type string; type string;
description description
"Unique system generated name for a TPM on a device."; "Unique system generated name for a TPM on a device.";
} }
} }
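Review bot: dropping the `must` on `leaf-list pcr-index` removes the only schema-level enforcement of the subset rule and leaves it to prose. The removed expression was not usable as written, since `/tpm:tpm[name = current()]` compares the TPM name against the pcr-index value being evaluated, so removing it is reasonable, but the new description only says the selection "MUST verify" the subset, and the grouping now depends entirely on the server rejecting an unsupported PCR index at RPC time. Say so explicitly in the description (that the server rejects a request naming a PCR index outside the configured `tpm20-pcr-bank` for that TPM, and with what error) so implementers do not assume the data model still validates it. Also fix the wording carried over on both sides: "The numbers of the PCRs that which are being tracked" and "a subset the set of PCR indexes" (missing "of").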
skipping to change at page 29, line 11 skipping to change at page 29, line 4
} }
leaf firmware-version { leaf firmware-version {
type identityref { type identityref {
base taa:cryptoprocessor; base taa:cryptoprocessor;
} }
mandatory true; mandatory true;
description description
"Identifies the cryptoprocessor API set supported. This "Identifies the cryptoprocessor API set supported. This
is automatically configured by the device and should not is automatically configured by the device and should not
be changed."; be changed.";
} }
uses tpm12-hash-algo { uses tpm12-hash-algo {
if-feature "taa:tpm12";
when "derived-from-or-self(firmware-version, 'taa:tpm12')"; when "derived-from-or-self(firmware-version, 'taa:tpm12')";
refine "tpm12-hash-algo" { refine "tpm12-hash-algo" {
description description
"The hash algorithm overwrites the default used for PCRs "The hash algorithm overwrites the default used for PCRs
on this TPM1.2 compliant cryptoprocessor."; on this TPM1.2 compliant cryptoprocessor.";
} }
} }
leaf-list tpm12-pcrs { leaf-list tpm12-pcrs {
when if-feature "taa:tpm12";
when
"derived-from-or-self(../firmware-version, 'taa:tpm12')"; "derived-from-or-self(../firmware-version, 'taa:tpm12')";
type pcr; type pcr;
description description
"The PCRs which may be extracted from this TPM1.2 "The PCRs which may be extracted from this TPM1.2
compliant cryptoprocessor."; compliant cryptoprocessor.";
} }
list tpm20-pcr-bank { list tpm20-pcr-bank {
when if-feature "taa:tpm20";
when
"derived-from-or-self(../firmware-version, 'taa:tpm20')"; "derived-from-or-self(../firmware-version, 'taa:tpm20')";
key "tpm20-hash-algo"; key "tpm20-hash-algo";
description description
"Specifies the list of PCRs that may be extracted for "Specifies the list of PCRs that may be extracted for
a specific Hash Algorithm on this TPM2 compliant a specific Hash Algorithm on this TPM2 compliant
cryptoprocessor. A bank is a set of PCRs which are cryptoprocessor. A bank is a set of PCRs which are
extended using a particular hash algorithm."; extended using a particular hash algorithm.";
reference reference
"TPM2.0-Structures: "TPM2.0-Structures:
https://www.trustedcomputinggroup.org/wp-content/uploads/ https://www.trustedcomputinggroup.org/wp-content/uploads/
skipping to change at page 32, line 8 skipping to change at page 32, line 4
https://trustedcomputinggroup.org/wp-content/ https://trustedcomputinggroup.org/wp-content/
uploads/TPM-2p0-Keys-for-Device-Identity- uploads/TPM-2p0-Keys-for-Device-Identity-
and-Attestation_v1_r12_pub10082021.pdf and-Attestation_v1_r12_pub10082021.pdf
Section 3.2"; Section 3.2";
} }
} }
description description
"Function supported by this certificate from within the "Function supported by this certificate from within the
TPM."; TPM.";
} }
} }
} }
} }
} }
container attester-supported-algos { container attester-supported-algos {
description description
"Identifies which TPM algorithms are available for use on an "Identifies which TPM algorithms are available for use on an
attesting platform."; attesting platform.";
leaf-list tpm12-asymmetric-signing { leaf-list tpm12-asymmetric-signing {
when "../../tpm:tpms" if-feature "taa:tpm12";
when "../../tpm:tpms"
+ "/tpm:tpm[tpm:firmware-version='taa:tpm12']"; + "/tpm:tpm[tpm:firmware-version='taa:tpm12']";
type identityref { type identityref {
base taa:asymmetric; base taa:asymmetric;
} }
description description
"Platform Supported TPM12 asymmetric algorithms."; "Platform Supported TPM12 asymmetric algorithms.";
} }
leaf-list tpm12-hash { leaf-list tpm12-hash {
when "../../tpm:tpms" if-feature "taa:tpm12";
when "../../tpm:tpms"
+ "/tpm:tpm[tpm:firmware-version='taa:tpm12']"; + "/tpm:tpm[tpm:firmware-version='taa:tpm12']";
type identityref { type identityref {
base taa:hash; base taa:hash;
} }
description description
"Platform supported TPM12 hash algorithms."; "Platform supported TPM12 hash algorithms.";
} }
leaf-list tpm20-asymmetric-signing { leaf-list tpm20-asymmetric-signing {
when "../../tpm:tpms" if-feature "taa:tpm20";
when "../../tpm:tpms"
+ "/tpm:tpm[tpm:firmware-version='taa:tpm20']"; + "/tpm:tpm[tpm:firmware-version='taa:tpm20']";
type identityref { type identityref {
base taa:asymmetric; base taa:asymmetric;
} }
description description
"Platform Supported TPM20 asymmetric algorithms."; "Platform Supported TPM20 asymmetric algorithms.";
} }
leaf-list tpm20-hash { leaf-list tpm20-hash {
when "../../tpm:tpms" if-feature "taa:tpm20";
when "../../tpm:tpms"
+ "/tpm:tpm[tpm:firmware-version='taa:tpm20']"; + "/tpm:tpm[tpm:firmware-version='taa:tpm20']";
type identityref { type identityref {
base taa:hash; base taa:hash;
} }
description description
"Platform supported TPM20 hash algorithms."; "Platform supported TPM20 hash algorithms.";
} }
} }
} }
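Review bot: the `when` expressions kept under `attester-supported-algos` test `tpm:firmware-version='taa:tpm12'` / `'taa:tpm20'` as a plain string comparison, while the `tpm` list in the same module uses `derived-from-or-self(../firmware-version, 'taa:tpm12')` for the same test. `derived-from-or-self()` is the YANG 1.1 function intended for identityref comparison and also matches identities derived from the base, whereas string equality does not; the two places should agree. Suggest, for each of the four leaf-lists: `when "../../tpm:tpms/tpm:tpm[derived-from-or-self(tpm:firmware-version, 'taa:tpm12')]";` (and `taa:tpm20` respectively). With `if-feature` now added, the `when` becomes a per-instance check that at least one TPM entry of that generation exists; the descriptions should mention that dependency, since "Platform Supported TPM12 asymmetric algorithms." alone does not tell an operator why the leaf-list is absent.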
skipping to change at page 55, line 14 skipping to change at page 55, line 14
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[TCG-Algos] [TCG-Algos]
"TCG Algorithm Registry", n.d., "TCG Algorithm Registry", n.d.,
<https://trustedcomputinggroup.org/wp-content/uploads/TCG- <https://trustedcomputinggroup.org/wp-content/uploads/TCG-
_Algorithm_Registry_r1p32_pub.pdf>. _Algorithm_Registry_r1p32_pub.pdf>.
[TPM1.2] TCG, ., "TPM 1.2 Main Specification", 2 October 2003, [TPM1.2] TCG, "TPM 1.2 Main Specification", 2 October 2003,
<https://trustedcomputinggroup.org/resource/tpm-main- <https://trustedcomputinggroup.org/resource/tpm-main-
specification/>. specification/>.
[TPM1.2-Commands] [TPM1.2-Commands]
"TPM Main Part 3 Commands", n.d., "TPM Main Part 3 Commands", n.d.,
<https://trustedcomputinggroup.org/wp-content/uploads/TPM- <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
Main-Part-3-Commands_v1.2_rev116_01032011.pdf>. Main-Part-3-Commands_v1.2_rev116_01032011.pdf>.
[TPM1.2-Structures] [TPM1.2-Structures]
"TPM Main Part 2 TPM Structures", n.d., "TPM Main Part 2 TPM Structures", n.d.,
<https://trustedcomputinggroup.org/wp-content/uploads/TPM- <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf>. Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf>.
[TPM2.0] TCG, ., "TPM 2.0 Library Specification", 15 March 2013, [TPM2.0] TCG, "TPM 2.0 Library Specification", 15 March 2013,
<https://trustedcomputinggroup.org/resource/tpm-library- <https://trustedcomputinggroup.org/resource/tpm-library-
specification/>. specification/>.
[TPM2.0-Arch] [TPM2.0-Arch]
"Trusted Platform Module Library - Part 1: Architecture", "Trusted Platform Module Library - Part 1: Architecture",
n.d., <https://trustedcomputinggroup.org/wp- n.d., <https://trustedcomputinggroup.org/wp-
content/uploads/ content/uploads/
TCG_TPM2_r1p59_Part1_Architecture_pub.pdf>. TCG_TPM2_r1p59_Part1_Architecture_pub.pdf>.
[TPM2.0-Key] [TPM2.0-Key]
TCG, ., "TPM 2.0 Keys for Device Identity and Attestation, TCG, "TPM 2.0 Keys for Device Identity and Attestation,
Rev12", 8 October 2021, Rev12", 8 October 2021,
<https://trustedcomputinggroup.org/wp-content/uploads/TPM- <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
2p0-Keys-for-Device-Identity-and- 2p0-Keys-for-Device-Identity-and-
Attestation_v1_r12_pub10082021.pdf>. Attestation_v1_r12_pub10082021.pdf>.
[TPM2.0-Structures] [TPM2.0-Structures]
"Trusted Platform Module Library - Part 2: Structures", "Trusted Platform Module Library - Part 2: Structures",
n.d., <https://trustedcomputinggroup.org/wp- n.d., <https://trustedcomputinggroup.org/wp-
content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>. content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf>.
 End of changes. 26 change blocks. 
33 lines changed or deleted 33 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/