draft-ietf-rats-yang-tpm-charra-09.txt   draft-ietf-rats-yang-tpm-charra-10.txt 
RATS Working Group H. Birkholz RATS Working Group H. Birkholz
Internet-Draft M. Eckel Internet-Draft M. Eckel
Intended status: Standards Track Fraunhofer SIT Intended status: Standards Track Fraunhofer SIT
Expires: 27 January 2022 S. Bhandari Expires: 13 February 2022 S. Bhandari
ThoughtSpot ThoughtSpot
E. Voit E. Voit
B. Sulzen B. Sulzen
Cisco Cisco
L. Xia L. Xia
Huawei Huawei
T. Laffey T. Laffey
HPE HPE
G. Fedorkow G. Fedorkow
Juniper Juniper
26 July 2021 12 August 2021
A YANG Data Model for Challenge-Response-based Remote Attestation A YANG Data Model for Challenge-Response-based Remote Attestation
Procedures using TPMs Procedures using TPMs
draft-ietf-rats-yang-tpm-charra-09 draft-ietf-rats-yang-tpm-charra-10
Abstract Abstract
This document defines YANG RPCs and a small number of configuration This document defines YANG RPCs and a small number of configuration
nodes required to retrieve attestation evidence about integrity nodes required to retrieve attestation evidence about integrity
measurements from a device, following the operational context defined measurements from a device, following the operational context defined
in TPM-based Network Device Remote Integrity Verification. in TPM-based Network Device Remote Integrity Verification.
Complementary measurement logs are also provided by the YANG RPCs, Complementary measurement logs are also provided by the YANG RPCs,
originating from one or more roots of trust for measurement (RTMs). originating from one or more roots of trust for measurement (RTMs).
The module defined requires at least one TPM 1.2 or TPM 2.0 as well The module defined requires at least one TPM 1.2 or TPM 2.0 as well
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 27 January 2022. This Internet-Draft will expire on 13 February 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 11, line 12 skipping to change at page 11, line 12
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2021-05-11 { revision 2021-08-11 {
description description
"Initial version"; "Initial version";
reference reference
"draft-ietf-rats-yang-tpm-charra"; "draft-ietf-rats-yang-tpm-charra";
} }
/*****************/ /*****************/
/* Features */ /* Features */
/*****************/ /*****************/
skipping to change at page 14, line 34 skipping to change at page 14, line 34
grouping tpm12-pcr-selection { grouping tpm12-pcr-selection {
description description
"A Verifier can request one or more PCR values using its "A Verifier can request one or more PCR values using its
individually created Attestation Key Certificate (AC). individually created Attestation Key Certificate (AC).
The corresponding selection filter is represented in this The corresponding selection filter is represented in this
grouping. grouping.
Requesting a PCR value that is not in scope of the AC used, Requesting a PCR value that is not in scope of the AC used,
detailed exposure via error msg should be avoided."; detailed exposure via error msg should be avoided.";
leaf-list pcr-index { leaf-list pcr-index {
type pcr; type pcr;
must '/tpm:rats-support-structures/tpm:tpms'
+ '/tpm:tpm[name = current()] and '
+ '/tpm:rats-support-structures/tpm:tpms'
+ '/tpm:tpm[tpm12-pcrs = current()]' {
error-message "Acquiring this PCR index is not supported";
}
description description
"The numbers/indexes of the PCRs. At the moment this is limited "The numbers/indexes of the PCRs. At the moment this is limited
to 32."; to 32. In addition, any selection of PCRs MUST verify that
the set of PCRs requested are a subset the set of PCRs
exposed by in the leaf-list /tpm:rats-support-structures
/tpm:tpms/tpm:tpm[name=current()]/tpm:tpm12-pcrs";
} }
} }
grouping tpm20-pcr-selection { grouping tpm20-pcr-selection {
description description
"A Verifier can acquire one or more PCR values, which are hashed "A Verifier can acquire one or more PCR values, which are hashed
together in a TPM2B_DIGEST coming from the TPM2. The selection together in a TPM2B_DIGEST coming from the TPM2. The selection
list of desired PCRs and the Hash Algorithm is represented in list of desired PCRs and the Hash Algorithm is represented in
this grouping."; this grouping.";
list tpm20-pcr-selection { list tpm20-pcr-selection {
unique "tpm20-hash-algo"; unique "tpm20-hash-algo";
description description
"Specifies the list of PCRs and Hash Algorithms that can be "Specifies the list of PCRs and Hash Algorithms that can be
returned within a TPM2B_DIGEST."; returned within a TPM2B_DIGEST.";
reference reference
"https://www.trustedcomputinggroup.org/wp-content/uploads/ "https://www.trustedcomputinggroup.org/wp-content/uploads/
TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7"; TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.9.7";
uses tpm20-hash-algo; uses tpm20-hash-algo;
leaf-list pcr-index { leaf-list pcr-index {
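Review bot: In the tpm12-pcr-selection pcr-index leaf-list, the must expression and its error-message appear on one side only, and the offsets of the next change (page 15, line 24 against line 20) show the -10 text is the shorter one, so the machine-checkable constraint has been replaced by a normative MUST inside the description. A YANG validator will no longer reject an unsupported index, and every server implementation has to perform the subset check itself. If that is intended, the description should say who performs the check and what is returned when it fails, consistent with the grouping's own advice that detailed exposure via error message should be avoided. The added sentence also needs a wording pass: "are a subset the set of PCRs exposed by in the leaf-list" should read "is a subset of the set of PCRs exposed in the leaf-list", and the path it cites still carries the [name=current()] predicate even though current() at this node is the PCR index, not a TPM name.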
skipping to change at page 15, line 24 skipping to change at page 15, line 20
leaf-list pcr-index { leaf-list pcr-index {
type pcr; type pcr;
must '/tpm:rats-support-structures/tpm:tpms' must '/tpm:rats-support-structures/tpm:tpms'
+ '/tpm:tpm[name = current()] and ' + '/tpm:tpm[name = current()] and '
+ '/tpm:rats-support-structures/tpm:tpms/tpm:tpm' + '/tpm:rats-support-structures/tpm:tpms/tpm:tpm'
+ '/tpm:tpm20-pcr-bank[pcr-index = current()]' { + '/tpm:tpm20-pcr-bank[pcr-index = current()]' {
error-message "Acquiring this PCR index is not supported"; error-message "Acquiring this PCR index is not supported";
} }
description description
"The numbers of the PCRs that which are being tracked "The numbers of the PCRs that which are being tracked
with a hash based on the tpm20-hash-algo."; with a hash based on the tpm20-hash-algo. In addition,
any selection of PCRs MUST verify that the set of PCRs
requested are a subset the set of PCR indexes exposed
within /tpm:rats-support-structures/tpm:tpms
/tpm:tpm[name=current()]/tpm:tpm20-pcr-bank
/tpm:pcr-index";
} }
} }
} }
grouping certificate-name-ref { grouping certificate-name-ref {
description description
"Identifies a certificate in a keystore."; "Identifies a certificate in a keystore.";
leaf certificate-name { leaf certificate-name {
type certificate-name-ref; type certificate-name-ref;
mandatory true; mandatory true;
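Review bot: The must on the tpm20-pcr-selection pcr-index leaf-list, and the path the added description text repeats, use the predicate tpm:tpm[name = current()], but current() at this node is the pcr-index entry itself, so the first conjunct compares a TPM name with a PCR number and will not hold for ordinary TPM names. The second conjunct matches tpm20-pcr-bank[pcr-index = current()] on any TPM and any bank, without reference to the tpm20-hash-algo of the same list entry, so it does not express the subset rule that the new MUST states. Suggest either rewriting the expression against the bank of the selected hash algorithm or dropping it as was done for tpm12-pcr-selection, so that both groupings are enforced the same way. The description also needs "that which are" and "a subset the set of" corrected.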
skipping to change at page 50, line 22 skipping to change at page 50, line 22
Birkholz, H., Thaler, D., Richardson, M., Smith, N., and Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote Attestation Procedures Architecture", Work W. Pan, "Remote Attestation Procedures Architecture", Work
in Progress, Internet-Draft, draft-ietf-rats-architecture- in Progress, Internet-Draft, draft-ietf-rats-architecture-
12, 23 April 2021, <https://www.ietf.org/archive/id/draft- 12, 23 April 2021, <https://www.ietf.org/archive/id/draft-
ietf-rats-architecture-12.txt>. ietf-rats-architecture-12.txt>.
[I-D.ietf-rats-tpm-based-network-device-attest] [I-D.ietf-rats-tpm-based-network-device-attest]
Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "TPM- Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "TPM-
based Network Device Remote Integrity Verification", Work based Network Device Remote Integrity Verification", Work
in Progress, Internet-Draft, draft-ietf-rats-tpm-based- in Progress, Internet-Draft, draft-ietf-rats-tpm-based-
network-device-attest-07, 10 June 2021, network-device-attest-08, 26 July 2021,
<https://www.ietf.org/archive/id/draft-ietf-rats-tpm- <https://www.ietf.org/archive/id/draft-ietf-rats-tpm-
based-network-device-attest-07.txt>. based-network-device-attest-08.txt>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
skipping to change at page 51, line 20 skipping to change at page 51, line 20
TCG, ., "TPM 2.0 Keys for Device Identity and Attestation, TCG, ., "TPM 2.0 Keys for Device Identity and Attestation,
Rev10", 14 April 2021, <https://trustedcomputinggroup.org/ Rev10", 14 April 2021, <https://trustedcomputinggroup.org/
wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf>. wp-content/uploads/TCG_IWG_DevID_v1r2_02dec2020.pdf>.
7.2. Informative References 7.2. Informative References
[I-D.ietf-rats-reference-interaction-models] [I-D.ietf-rats-reference-interaction-models]
Birkholz, H., Eckel, M., Pan, W., and E. Voit, "Reference Birkholz, H., Eckel, M., Pan, W., and E. Voit, "Reference
Interaction Models for Remote Attestation Procedures", Interaction Models for Remote Attestation Procedures",
Work in Progress, Internet-Draft, draft-ietf-rats- Work in Progress, Internet-Draft, draft-ietf-rats-
reference-interaction-models-03, 12 July 2021, reference-interaction-models-04, 26 July 2021,
<https://www.ietf.org/archive/id/draft-ietf-rats- <https://www.ietf.org/archive/id/draft-ietf-rats-
reference-interaction-models-03.txt>. reference-interaction-models-04.txt>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
 End of changes. 13 change blocks. 
18 lines changed or deleted 19 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/