--- 1/draft-ietf-rats-yang-tpm-charra-20.txt 2022-05-18 08:13:15.018467183 -0700
+++ 2/draft-ietf-rats-yang-tpm-charra-21.txt 2022-05-18 08:13:15.126469923 -0700
@@ -10,21 +10,21 @@ L. Xia Huawei T. Laffey HPE G. Fedorkow Juniper 18 May 2022 A YANG Data Model for Challenge-Response-based Remote Attestation Procedures using TPMs
- draft-ietf-rats-yang-tpm-charra-20
+ draft-ietf-rats-yang-tpm-charra-21
Abstract This document defines YANG RPCs and a few configuration nodes required to retrieve attestation evidence about integrity measurements from a device, following the operational context defined in TPM-based Network Device Remote Integrity Verification. Complementary measurement logs are also provided by the YANG RPCs, originating from one or more roots of trust for measurement (RTMs). The module defined requires at least one TPM 1.2 or TPM 2.0 as well
@@ -400,21 +400,21 @@ specific TPM to identify to which 'compute-node' it belongs. +--rw compute-nodes {tpm:mtpm}? +--ro compute-node* [node-id] +--ro node-id string +--ro node-physical-index? int32 {hw:entity-mib}? +--ro node-name? string +--ro node-location? string 2.1.1.6. YANG Module
- file "ietf-tpm-remote-attestation@2022-05-13.yang"
+ file "ietf-tpm-remote-attestation@2022-05-17.yang"
module ietf-tpm-remote-attestation { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation"; prefix tpm; import ietf-yang-types { prefix yang; } import ietf-hardware { prefix hw; 
@@ -457,21 +457,21 @@ This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here.";
- revision 2022-05-13 {
+ revision 2022-05-17 {
description "Initial version"; reference "RFC XXXX: A YANG Data Model for Challenge-Response-based Remote Attestation Procedures using TPMs"; } /*****************/ /* Features */ /*****************/
@@ -1315,41 +1315,41 @@ base taa:cryptoprocessor; } mandatory true; description "Identifies the cryptoprocessor API set supported. This is automatically configured by the device and should not be changed."; } uses tpm12-hash-algo {
- if-feature "taa:tpm12";
when "derived-from-or-self(firmware-version, 'taa:tpm12')";
+ if-feature "taa:tpm12";
refine "tpm12-hash-algo" { description "The hash algorithm overwrites the default used for PCRs on this TPM1.2 compliant cryptoprocessor."; } } leaf-list tpm12-pcrs {
- if-feature "taa:tpm12";
when "derived-from-or-self(../firmware-version, 'taa:tpm12')";
+ if-feature "taa:tpm12";
type pcr; description "The PCRs which may be extracted from this TPM1.2 compliant cryptoprocessor."; } list tpm20-pcr-bank {
- if-feature "taa:tpm20";
when "derived-from-or-self(../firmware-version, 'taa:tpm20')";
+ if-feature "taa:tpm20";
key "tpm20-hash-algo"; description "Specifies the list of PCRs that may be extracted for a specific Hash Algorithm on this TPM2 compliant cryptoprocessor. A bank is a set of PCRs which are extended using a particular hash algorithm."; reference "TPM2.0-Structures: https://www.trustedcomputinggroup.org/wp-content/uploads/ TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7"; 
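Review bot: In the @@ -1315 hunk the `when` under `uses tpm12-hash-algo` tests `firmware-version` while the sibling `leaf-list tpm12-pcrs` and `list tpm20-pcr-bank` test `../firmware-version`, and nothing in the module explains the difference; a reader auditing which PCR nodes an attester exposes will read it as a path error. Both are correct (for a `when` on a `uses`, the context node is the data node that contains the `uses`, so no `../` is needed), so a one-line comment above that `when` would settle it: `// context node of a 'when' on 'uses' is the enclosing data node, hence no '../'`. Moving `when` ahead of `if-feature` presumably serves canonical-order validation and has no semantic effect. The enclosing list or container that holds `firmware-version` begins before this hunk.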
@@ -1467,53 +1467,53 @@ } } } } container attester-supported-algos { description "Identifies which TPM algorithms are available for use on an attesting platform."; leaf-list tpm12-asymmetric-signing {
- if-feature "taa:tpm12";
when "../../tpm:tpms" + "/tpm:tpm[tpm:firmware-version='taa:tpm12']";
+ if-feature "taa:tpm12";
type identityref { base taa:asymmetric; } description "Platform Supported TPM12 asymmetric algorithms."; } leaf-list tpm12-hash {
- if-feature "taa:tpm12";
when "../../tpm:tpms" + "/tpm:tpm[tpm:firmware-version='taa:tpm12']";
+ if-feature "taa:tpm12";
type identityref { base taa:hash; } description "Platform supported TPM12 hash algorithms."; } leaf-list tpm20-asymmetric-signing {
- if-feature "taa:tpm20";
when "../../tpm:tpms" + "/tpm:tpm[tpm:firmware-version='taa:tpm20']";
+ if-feature "taa:tpm20";
type identityref { base taa:asymmetric; } description "Platform Supported TPM20 asymmetric algorithms."; } leaf-list tpm20-hash {
- if-feature "taa:tpm20";
when "../../tpm:tpms" + "/tpm:tpm[tpm:firmware-version='taa:tpm20']";
+ if-feature "taa:tpm20";
type identityref { base taa:hash; } description "Platform supported TPM20 hash algorithms."; } } } }
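Review bot: The four `when` predicates in this hunk test `tpm:firmware-version='taa:tpm12'` (and `'taa:tpm20'`) by string equality, whereas the @@ -1315 hunk tests the same leaf with `derived-from-or-self(...)`, so the two parts of the module disagree on what counts as a TPM 1.2 or TPM 2.0 cryptoprocessor. `firmware-version` is an identityref with `base taa:cryptoprocessor`, so if a deployment ever derives a more specific identity from `taa:tpm20`, the PCR-bank nodes would be present for that attester while the `attester-supported-algos` lists would be absent, and a verifier would lose the algorithm information it needs to judge the evidence. Using the same test here keeps the two consistent, e.g. `when "../../tpm:tpms/tpm:tpm[derived-from-or-self(tpm:firmware-version, 'taa:tpm12')]";` for the tpm12 leaf-lists and the `taa:tpm20` counterpart for the other two. The reorder of `if-feature` after `when` is itself harmless. The enclosing container `attester-supported-algos` is complete in this hunk, but the outer containers it closes with begin before it.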