draft-ietf-rats-yang-tpm-charra-20.txt   draft-ietf-rats-yang-tpm-charra-21.txt 
skipping to change at page 1, line 21 skipping to change at page 1, line 21
L. Xia L. Xia
Huawei Huawei
T. Laffey T. Laffey
HPE HPE
G. Fedorkow G. Fedorkow
Juniper Juniper
18 May 2022 18 May 2022
A YANG Data Model for Challenge-Response-based Remote Attestation A YANG Data Model for Challenge-Response-based Remote Attestation
Procedures using TPMs Procedures using TPMs
draft-ietf-rats-yang-tpm-charra-20 draft-ietf-rats-yang-tpm-charra-21
Abstract Abstract
This document defines YANG RPCs and a few configuration nodes This document defines YANG RPCs and a few configuration nodes
required to retrieve attestation evidence about integrity required to retrieve attestation evidence about integrity
measurements from a device, following the operational context defined measurements from a device, following the operational context defined
in TPM-based Network Device Remote Integrity Verification. in TPM-based Network Device Remote Integrity Verification.
Complementary measurement logs are also provided by the YANG RPCs, Complementary measurement logs are also provided by the YANG RPCs,
originating from one or more roots of trust for measurement (RTMs). originating from one or more roots of trust for measurement (RTMs).
The module defined requires at least one TPM 1.2 or TPM 2.0 as well The module defined requires at least one TPM 1.2 or TPM 2.0 as well
skipping to change at page 10, line 4 skipping to change at page 10, line 4
specific TPM to identify to which 'compute-node' it belongs. specific TPM to identify to which 'compute-node' it belongs.
+--rw compute-nodes {tpm:mtpm}? +--rw compute-nodes {tpm:mtpm}?
+--ro compute-node* [node-id] +--ro compute-node* [node-id]
+--ro node-id string +--ro node-id string
+--ro node-physical-index? int32 {hw:entity-mib}? +--ro node-physical-index? int32 {hw:entity-mib}?
+--ro node-name? string +--ro node-name? string
+--ro node-location? string +--ro node-location? string
2.1.1.6. YANG Module 2.1.1.6. YANG Module
<CODE BEGINS> file "ietf-tpm-remote-attestation@2022-05-13.yang" <CODE BEGINS> file "ietf-tpm-remote-attestation@2022-05-17.yang"
module ietf-tpm-remote-attestation { module ietf-tpm-remote-attestation {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation"; namespace "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation";
prefix tpm; prefix tpm;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
} }
import ietf-hardware { import ietf-hardware {
prefix hw; prefix hw;
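Review bot: the only change in this hunk is the module file name in the `<CODE BEGINS>` marker, ietf-tpm-remote-attestation@2022-05-13.yang to ietf-tpm-remote-attestation@2022-05-17.yang; that date must equal the date of the latest `revision` statement in the module (the file-naming rule for YANG code components in RFC 8407), and this diff bumps the revision statement to 2022-05-17 as well, so the two stay in agreement.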
skipping to change at page 11, line 13 skipping to change at page 11, line 13
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as 'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here."; they appear in all capitals, as shown here.";
revision 2022-05-13 { revision 2022-05-17 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: A YANG Data Model for Challenge-Response-based Remote "RFC XXXX: A YANG Data Model for Challenge-Response-based Remote
Attestation Procedures using TPMs"; Attestation Procedures using TPMs";
} }
/*****************/ /*****************/
/* Features */ /* Features */
/*****************/ /*****************/
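Review bot: bumping `revision 2022-05-13` to `revision 2022-05-17` while keeping the single "Initial version" entry is the right shape for a draft, since only the RFC-published revision is meant to be recorded; the `RFC XXXX` placeholders in this revision's `reference` and in the module description above still need the usual RFC Editor instruction to replace XXXX with the assigned number before publication.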
skipping to change at page 29, line 7 skipping to change at page 29, line 7
base taa:cryptoprocessor; base taa:cryptoprocessor;
} }
mandatory true; mandatory true;
description description
"Identifies the cryptoprocessor API set supported. This "Identifies the cryptoprocessor API set supported. This
is automatically configured by the device and should not is automatically configured by the device and should not
be changed."; be changed.";
} }
uses tpm12-hash-algo { uses tpm12-hash-algo {
if-feature "taa:tpm12";
when "derived-from-or-self(firmware-version, 'taa:tpm12')"; when "derived-from-or-self(firmware-version, 'taa:tpm12')";
if-feature "taa:tpm12";
refine "tpm12-hash-algo" { refine "tpm12-hash-algo" {
description description
"The hash algorithm overwrites the default used for PCRs "The hash algorithm overwrites the default used for PCRs
on this TPM1.2 compliant cryptoprocessor."; on this TPM1.2 compliant cryptoprocessor.";
} }
} }
leaf-list tpm12-pcrs { leaf-list tpm12-pcrs {
if-feature "taa:tpm12"; when
when
"derived-from-or-self(../firmware-version, 'taa:tpm12')"; "derived-from-or-self(../firmware-version, 'taa:tpm12')";
if-feature "taa:tpm12";
type pcr; type pcr;
description description
"The PCRs which may be extracted from this TPM1.2 "The PCRs which may be extracted from this TPM1.2
compliant cryptoprocessor."; compliant cryptoprocessor.";
} }
list tpm20-pcr-bank { list tpm20-pcr-bank {
if-feature "taa:tpm20"; when
when
"derived-from-or-self(../firmware-version, 'taa:tpm20')"; "derived-from-or-self(../firmware-version, 'taa:tpm20')";
if-feature "taa:tpm20";
key "tpm20-hash-algo"; key "tpm20-hash-algo";
description description
"Specifies the list of PCRs that may be extracted for "Specifies the list of PCRs that may be extracted for
a specific Hash Algorithm on this TPM2 compliant a specific Hash Algorithm on this TPM2 compliant
cryptoprocessor. A bank is a set of PCRs which are cryptoprocessor. A bank is a set of PCRs which are
extended using a particular hash algorithm."; extended using a particular hash algorithm.";
reference reference
"TPM2.0-Structures: "TPM2.0-Structures:
https://www.trustedcomputinggroup.org/wp-content/uploads/ https://www.trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7"; TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7";
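Review bot: moving `when` ahead of `if-feature` in `uses tpm12-hash-algo`, `leaf-list tpm12-pcrs` and `list tpm20-pcr-bank` is a pure ordering change with no semantic effect; it follows the canonical substatement order of the RFC 7950 grammar (when-stmt precedes if-feature-stmt for uses, leaf-list and list), so `pyang --canonical` should now accept the module. While here, note that the `uses` statement tests `firmware-version` whereas the leaf-list and list test `../firmware-version`; that difference is correct rather than a typo, because for `uses` the XPath context node is the node containing the uses (RFC 7950, Section 7.21.5), while for a leaf-list or list it is the node itself, so all three expressions select the same sibling leaf.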
skipping to change at page 32, line 14 skipping to change at page 32, line 14
} }
} }
} }
} }
container attester-supported-algos { container attester-supported-algos {
description description
"Identifies which TPM algorithms are available for use on an "Identifies which TPM algorithms are available for use on an
attesting platform."; attesting platform.";
leaf-list tpm12-asymmetric-signing { leaf-list tpm12-asymmetric-signing {
if-feature "taa:tpm12"; when "../../tpm:tpms"
when "../../tpm:tpms"
+ "/tpm:tpm[tpm:firmware-version='taa:tpm12']"; + "/tpm:tpm[tpm:firmware-version='taa:tpm12']";
if-feature "taa:tpm12";
type identityref { type identityref {
base taa:asymmetric; base taa:asymmetric;
} }
description description
"Platform Supported TPM12 asymmetric algorithms."; "Platform Supported TPM12 asymmetric algorithms.";
} }
leaf-list tpm12-hash { leaf-list tpm12-hash {
if-feature "taa:tpm12"; when "../../tpm:tpms"
when "../../tpm:tpms"
+ "/tpm:tpm[tpm:firmware-version='taa:tpm12']"; + "/tpm:tpm[tpm:firmware-version='taa:tpm12']";
if-feature "taa:tpm12";
type identityref { type identityref {
base taa:hash; base taa:hash;
} }
description description
"Platform supported TPM12 hash algorithms."; "Platform supported TPM12 hash algorithms.";
} }
leaf-list tpm20-asymmetric-signing { leaf-list tpm20-asymmetric-signing {
if-feature "taa:tpm20"; when "../../tpm:tpms"
when "../../tpm:tpms"
+ "/tpm:tpm[tpm:firmware-version='taa:tpm20']"; + "/tpm:tpm[tpm:firmware-version='taa:tpm20']";
if-feature "taa:tpm20";
type identityref { type identityref {
base taa:asymmetric; base taa:asymmetric;
} }
description description
"Platform Supported TPM20 asymmetric algorithms."; "Platform Supported TPM20 asymmetric algorithms.";
} }
leaf-list tpm20-hash { leaf-list tpm20-hash {
if-feature "taa:tpm20"; when "../../tpm:tpms"
when "../../tpm:tpms"
+ "/tpm:tpm[tpm:firmware-version='taa:tpm20']"; + "/tpm:tpm[tpm:firmware-version='taa:tpm20']";
if-feature "taa:tpm20";
type identityref { type identityref {
base taa:hash; base taa:hash;
} }
description description
"Platform supported TPM20 hash algorithms."; "Platform supported TPM20 hash algorithms.";
} }
} }
} }
} }
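Review bot: same canonical reordering of `when` before `if-feature`, again with no semantic change. One inconsistency worth fixing in the same pass: these four `when` expressions select TPM entries with a string predicate, `[tpm:firmware-version='taa:tpm12']`, whereas the tpm12/tpm20 nodes in the earlier hunk use `derived-from-or-self(..., 'taa:tpm12')`. Comparing an identityref against a literal is legal but relies on the prefix form of the value in XPath, and it will not match identities later derived from taa:tpm12 or taa:tpm20; for consistency with the rest of the module, `+ "/tpm:tpm[derived-from-or-self(tpm:firmware-version, 'taa:tpm12')]"` (and the tpm20 equivalent) using the function from RFC 7950, Section 10.4.2 would be the more robust form.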
 End of changes. 17 change blocks. 
16 lines changed or deleted 16 lines changed or added