[Rats] Follow-up to AD review of draft-ietf-rats-tpm-based-network-device-attest-08

Roman Danyliw <rdd@cert.org> Thu, 04 November 2021 21:55 UTC

To: rats@ietf.org
Archived-At: https://mailarchive.ietf.org/arch/msg/rats/1OVe1X54RI3ssQM5sC2x_VegD6I

Hi!

When I performed my AD review on draft-ietf-rats-tpm-based-network-device-attest (https://mailarchive.ietf.org/arch/msg/rats/RuBQhogqh3EuleeyDY13eiSfiAU/), I had only selectively read draft-ietf-rats-yang-tpm-charra.  With the benefit of a detailed read, I have the following additional comments on draft-ietf-rats-tpm-based-network-device-attest-08.

Given that Section 3.2.1 says, "Retrieval of Log Evidence SHOULD be done via log interfaces specified in [I-D.ietf-rats-yang-tpm-charra]", should the two documents be aligned as described below?

** Per the specific aligned text above, what kind of solution would not conform to the log interfaces in charra and how would this lead to an interoperable RIV solution?  Should this say MUST?

** Section 2.3

   2.  For devices using UEFI and Linux, measurements of firmware and
       bootable modules SHOULD be taken according to TCG PC Client
       [PC-Client-BIOS-TPM-1.2] or [PC-Client-BIOS-TPM-2.0], and Linux
       IMA [IMA]

-- should references here line up exactly with the references used in charra BIOS and IMA features?

** Section 2.4.2

   There are multiple event log formats which may be supported as viable
   formats of Evidence between the Attester and Verifier:

   *  IMA Event log file exports [IMA]

   *  TCG UEFI BIOS event log (TCG EFI Platform Specification for TPM
      Family 1.1 or 1.2, Section 7) [EFI-TPM]

   *  TCG Canonical Event Log [Canonical-Event-Log]

   Attesters which use UEFI BIOS and Linux SHOULD use TCG Canonical
   Event Log [Canonical-Event-Log] and TCG UEFI BIOS event log
   [EFI-TPM], although the CHARRA YANG model
   [I-D.ietf-rats-yang-tpm-charra] has no dependence on the format of
   the log.

-- Is saying that charra has no dependence on the format of the log accurate?  It appears that charra is particular about what log formats it will accept.  From ietf-tpm-remote-attestation@2021-05-11.yang, it appears to be only:

(1) feature bios ==> "https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf, Section 9.4.5.2";

(2) feature ima ==> "https://www.trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_CEL_v1_r0p30_13feb2021.pdf  Section 4.3";

-- Is there a mismatch between how this document thinks of the UEFI BIOS event logs and that of the charra draft?

Here [EFI-TPM] is:

   [EFI-TPM]  Trusted Computing Group, "TCG EFI Platform Specification
              for TPM Family 1.1 or 1.2, Specification Version 1.22,
              Revision 15", January 2014,
              <https://trustedcomputinggroup.org/resource/tcg-efi-
              platform-specification/>.

draft-ietf-rats-yang-tpm-charra defines it as:

https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf, Section 9.4.5.2

-- Is it a problem that this document seems to generically support [Canonical-Event-Log] but draft-ietf-rats-yang-tpm-charra seems to restrict its support to only Section 4.3 of that reference (around IMA)?

-- Are IMA log file exports compatible with [Canonical-Event-Log]?

-- The [IMA] reference definition seems to have a typo in it.

Regards,
Roman
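
The review above turns on whether the Verifier depends on the Evidence log format. The following is an added example (it is not part of Roman's message, nor code from either draft) that shows one concrete reason it does: to check Log Evidence against a TPM quote, the Verifier must parse the log in its exact format and replay each entry into the PCR. It parses the Linux IMA `ascii_runtime_measurements` export (the [IMA] format listed in Section 2.4.2), replays the SHA1 bank of PCR 10 from its all-zero reset value, and compares the result with a quoted value. It assumes the default IMA behaviour that a violation entry carries an all-zero template hash while the PCR is extended with 0xff bytes; the digests and paths in the sample log are constructed for this example and are not real measurements.

```python
import hashlib

# Constructed sample of /sys/kernel/security/ima/ascii_runtime_measurements.
# Fields: PCR index, SHA1 template hash, template name, template data.
# The hashes and paths are made up for this example, not real measurements.
SAMPLE_IMA_LOG = """\
10 1f2e3d4c5b6a79880011223344556677889900aa ima-ng sha256:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff boot_aggregate
10 a1b2c3d4e5f60718293a4b5c6d7e8f9011223344 ima-ng sha256:ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100 /usr/bin/example
10 0000000000000000000000000000000000000000 ima-ng sha256:0000000000000000000000000000000000000000000000000000000000000000 /tmp/example-violation
"""

IMA_PCR = 10                      # PCR that IMA extends by default
PCR_RESET = bytes(20)             # SHA1 bank PCR value after reset
VIOLATION_ENTRY = bytes(20)       # template hash recorded for a violation
VIOLATION_EXTEND = b"\xff" * 20   # what the kernel actually extends instead


def parse_ima_log(text):
    """Parse the ascii IMA log into a list of entries, rejecting malformed lines.

    A Verifier has to be strict here: a line it cannot parse cannot be
    replayed, so the whole log must be treated as unverifiable.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            raise ValueError("line %d: expected 4 fields, got %d" % (lineno, len(fields)))
        pcr_text, template_hash_hex, template_name, template_data = fields
        template_hash = bytes.fromhex(template_hash_hex)
        if len(template_hash) != 20:
            raise ValueError("line %d: template hash is not SHA1-sized" % lineno)
        entries.append({
            "pcr": int(pcr_text),
            "template_hash": template_hash,
            "template": template_name,
            "data": template_data,
        })
    return entries


def pcr_extend(pcr_value, digest):
    """TPM extend operation for the SHA1 bank: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()


def replay_pcr(entries, pcr_index=IMA_PCR):
    """Recompute a PCR from reset by replaying the log entries in order."""
    value = PCR_RESET
    for entry in entries:
        if entry["pcr"] != pcr_index:
            continue
        digest = entry["template_hash"]
        if digest == VIOLATION_ENTRY:
            # IMA logs zeros for a violation but extends the PCR with 0xff,
            # deliberately invalidating the PCR for any later appraisal.
            digest = VIOLATION_EXTEND
        value = pcr_extend(value, digest)
    return value


def count_violations(entries):
    """Number of entries the kernel flagged as measurement violations."""
    return sum(1 for e in entries if e["template_hash"] == VIOLATION_ENTRY)


def verify_log_against_quote(text, quoted_pcr_hex, pcr_index=IMA_PCR):
    """True only if replaying the log reproduces the quoted PCR exactly."""
    entries = parse_ima_log(text)
    return replay_pcr(entries, pcr_index) == bytes.fromhex(quoted_pcr_hex)


if __name__ == "__main__":
    parsed = parse_ima_log(SAMPLE_IMA_LOG)
    replayed = replay_pcr(parsed)
    print("entries: %d, violations: %d" % (len(parsed), count_violations(parsed)))
    print("replayed PCR10 (sha1): %s" % replayed.hex())
    print("matches quote: %s" % verify_log_against_quote(SAMPLE_IMA_LOG, replayed.hex()))
```

Reordering or altering any entry changes the replayed value, which is what ties Log Evidence to the quoted PCR; a log in a different format (the TCG UEFI BIOS binary event log or the Canonical Event Log) needs its own parser and its own replay rules, which is the dependence the review asks the two drafts to describe consistently.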