[Rats] Reducing YANG output objects with the tpm12-challenge-response-attestation RPC

"Eric Voit (evoit)" <evoit@cisco.com> Wed, 07 October 2020 20:36 UTC

From: "Eric Voit (evoit)" <evoit@cisco.com>
To: "Panwei (William)" <william.panwei@huawei.com>, "Birkholz, Henk" <henk.birkholz@sit.fraunhofer.de>, "Eckel, Michael" <michael.eckel@sit.fraunhofer.de>, Guy Fedorkow <gfedorkow@juniper.net>, "Laffey, Tom (HPE Aruba)" <tom.laffey@hpe.com>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>
CC: "rats@ietf.org" <rats@ietf.org>, "draft-ietf-rats-yang-tpm-charra@ietf.org" <draft-ietf-rats-yang-tpm-charra@ietf.org>
Date: Wed, 07 Oct 2020 20:36:26 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/A83z_vYz6H60UY_TSC4TN-ZkwYU>

I am hoping we can simplify what is in Charra's TPM1.2 quote into something
similar to what is now in the TPM2.0 quote.    Does anyone know who wrote
the original TPM1.2 RPC for the Charra YANG module?   If you did, can you
chime in on the questions below?

 

More specifics on the request:

Right now in the tpm20-challenge-response-attestation RPC output are TPM
protected objects enclosed within TPMS_QUOTE_INFO.  

 


Definition of TPMS_QUOTE_INFO Structure
---------------------------------------------------------
typedef struct {
    TPML_PCR_SELECTION pcrSelect;
    TPM2B_DIGEST       pcrDigest;
} TPMS_QUOTE_INFO;

 

See Table 115 of
https://trustedcomputinggroup.org/wp-content/uploads/TCG_TSS_Overview_Common_Structures_v0.9_r03_published.pdf

 

The enclosed TPM2B_DIGEST is calculated across multiple PCRs.  Having to
verify across multiple PCRs does not necessarily make it easy for a Verifier
to appraise just the minimum set of PCR information which has changed since
the last received TPM2B_DIGEST.  Put another way, why should a Verifier
reconstruct the proper value of all PCR Quotes when only a single PCR has
changed?  

 

To help this happen, if the Attester does know specific PCR values, the
Attester can provide these individual values via "unsigned-pcr-values".   By
comparing this information to what has previously been validated, it is
possible for a Verifier to confirm the Attester's signature while
eliminating significant processing.  Additionally, processing where KGVs are
exposed can be safely eliminated.

 

This is a long way of asserting that there is not redundant TPM information
carried in tpm20-challenge-response-attestation RPC response.   This is a
good thing.

 

We should provide the same level of scrutiny to the TPM1.2 objects.  We
should eliminate redundant objects from the
tpm12-challenge-response-attestation RPC.

 

If we were to eliminate redundant objects from the TPM1.2 Quote Response, I
know that we can eliminate the following objects:

*	leaf major
*	leaf minor
*	leaf rev-Minor
*	leaf rev-Minor

 

I also think we can eliminate the following:

*	fixed  -- as this is a response to the RPC question
*	locality-at-release

 

Looking beyond these obvious objects, I am wondering if there is anyone
needing to differentiate between tpm12-quote1 and tpm12-quote2.   As TPM1.2
is going to be phased out as equipment gets changed, it seems to make little
sense to support both variants if both are not being actively championed by
someone.  In fact, I suspect that the YANG model can be updated so that it
need not care about quote1 and quote2.   Can whoever included both quote1
and quote2 articulate why there must be a market need to support both going
forward?   

 

If we can eliminate either quote1 or quote2 specifics, I suspect we could
use the exact same structure as part of the RPC response as was used for
TPM2.   It would look something like:

 

  + tpm12-challenge-response-attestation
    ...
         +--ro output
            +--ro tpm12-attestation-response* []
               +--ro certificate-name?      certificate-name-ref
               +--ro TPMS_QUOTE_INFO        binary
               +--ro quote-signature?       binary
               +--ro up-time?               uint32
               +--ro node-id?               string
               +--ro node-physical-index?   int32 {ietfhw:entity-mib}?
               +--ro unsigned-pcr-values* []
                  +--ro TPM20-hash-algo?   identityref
                  +--ro pcr-values* [pcr-index]
                     +--ro pcr-index    pcr
                     +--ro pcr-value?   binary

 

I would love to get people's thoughts on what is above, and what might be
mandatory to support in tpm12-challenge-response-attestation RPC output.

 

Thanks,

Eric

 

 

Eric Voit 

Principal Engineer

.:|:.:|:. Cisco Systems, Inc.
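Added example (editor's illustration, not code from the message above or from
the draft-ietf-rats-yang-tpm-charra module): the Verifier-side step the
message describes for the TPM2.0 RPC output, i.e. parsing the binary
TPMS_QUOTE_INFO (TPML_PCR_SELECTION followed by TPM2B_DIGEST), comparing the
"unsigned-pcr-values" against the set last appraised to find which PCRs
actually changed, and recomputing pcrDigest from the reported values to check
that they are consistent with the signed digest. Assumptions: a single SHA-256
bank (TPM2 algorithm id 0x000B), sizeofSelect of 3 bytes (PCR 0..23),
pcrDigest computed with the signing scheme's hash over the selected PCR values
concatenated in selection order, and constructed PCR values. Verifying
quote-signature over the enclosing TPMS_ATTEST and the nonce is a separate
step not shown here.

```python
import hashlib
import struct

# TPM 2.0 algorithm id for SHA-256 (TCG Algorithm Registry). Only this bank
# is used in the constructed example below.
TPM2_ALG_SHA256 = 0x000B


def encode_tpms_quote_info(alg_id, pcr_indices, pcr_digest):
    """Serialise a TPMS_QUOTE_INFO with one TPMS_PCR_SELECTION (sizeofSelect=3)."""
    bitmap = bytearray(3)                      # assumption: 3 bytes cover PCR 0..23
    for idx in pcr_indices:
        bitmap[idx // 8] |= 1 << (idx % 8)
    selection = struct.pack(">HB", alg_id, len(bitmap)) + bytes(bitmap)
    pcr_select = struct.pack(">I", 1) + selection       # TPML_PCR_SELECTION, count = 1
    digest = struct.pack(">H", len(pcr_digest)) + pcr_digest  # TPM2B_DIGEST
    return pcr_select + digest


def parse_tpms_quote_info(buf):
    """Parse TPMS_QUOTE_INFO into ([(alg_id, [pcr indices]), ...], pcr_digest)."""
    off = 0
    (count,) = struct.unpack_from(">I", buf, off)
    off += 4
    selections = []
    for _ in range(count):
        alg_id, size = struct.unpack_from(">HB", buf, off)
        off += 3
        bitmap = buf[off:off + size]
        off += size
        # bit i of the select bitmap set => PCR i is included, lowest index first
        indices = [i for i in range(size * 8) if (bitmap[i // 8] >> (i % 8)) & 1]
        selections.append((alg_id, indices))
    (dsize,) = struct.unpack_from(">H", buf, off)
    off += 2
    digest = bytes(buf[off:off + dsize])
    off += dsize
    if off != len(buf):
        raise ValueError("trailing bytes in TPMS_QUOTE_INFO")
    return selections, digest


def compute_pcr_digest(selections, pcr_values, sig_hash="sha256"):
    """pcrDigest = H(concatenation of the selected PCR values, in selection order).

    pcr_values is keyed by (alg_id, pcr_index); sig_hash is the hash of the
    quote's signing scheme (assumed SHA-256 here)."""
    h = hashlib.new(sig_hash)
    for alg_id, indices in selections:
        for idx in indices:
            h.update(pcr_values[(alg_id, idx)])
    return h.digest()


def appraise(quote_info, unsigned_pcr_values, known_good):
    """Verifier step: report which PCRs differ from the last appraised values and
    whether the reported values reproduce the signed pcrDigest.

    Returns (changed_pcrs, digest_matches). Only changed_pcrs need fresh
    appraisal; unchanged PCRs were already validated on an earlier quote."""
    selections, signed_digest = parse_tpms_quote_info(quote_info)
    changed = sorted(k for k, v in unsigned_pcr_values.items()
                     if known_good.get(k) != v)
    recomputed = compute_pcr_digest(selections, unsigned_pcr_values)
    return changed, recomputed == signed_digest


def demo():
    """Constructed scenario: PCRs 0, 7 and 10 are quoted; only PCR 10 changed."""
    pcrs = {(TPM2_ALG_SHA256, i): hashlib.sha256(b"constructed-pcr-%d" % i).digest()
            for i in (0, 7, 10)}
    selections = [(TPM2_ALG_SHA256, [0, 7, 10])]
    quote = encode_tpms_quote_info(TPM2_ALG_SHA256, [0, 7, 10],
                                   compute_pcr_digest(selections, pcrs))
    known_good = dict(pcrs)
    known_good[(TPM2_ALG_SHA256, 10)] = b"\x00" * 32   # stale value from last appraisal
    return appraise(quote, pcrs, known_good)


if __name__ == "__main__":
    print(demo())
```

In this shape the Verifier re-hashes only to confirm consistency between the
reported values and the signed digest; the per-PCR appraisal against known
good values is limited to the PCRs that moved, which is the saving the message
argues for. A reported value that does not reproduce pcrDigest makes
appraise() return False for the second element, so a mismatched or stale
"unsigned-pcr-values" entry is caught before any KGV comparison.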