[Rats] Reducing YANG output objects with the tpm12-challenge-response-attestation RPC
"Eric Voit (evoit)" <evoit@cisco.com> Wed, 07 October 2020 20:36 UTC
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: "Panwei (William)" <william.panwei@huawei.com>, "Birkholz, Henk" <henk.birkholz@sit.fraunhofer.de>, "Eckel, Michael" <michael.eckel@sit.fraunhofer.de>, Guy Fedorkow <gfedorkow@juniper.net>, "Laffey, Tom (HPE Aruba)" <tom.laffey@hpe.com>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>
CC: "rats@ietf.org" <rats@ietf.org>, "draft-ietf-rats-yang-tpm-charra@ietf.org" <draft-ietf-rats-yang-tpm-charra@ietf.org>
Date: Wed, 07 Oct 2020 20:36:26 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/A83z_vYz6H60UY_TSC4TN-ZkwYU>
I am hoping we can simplify what is in Charra's TPM1.2 quote into something similar to what is now in the TPM2.0 quote. Does anyone know who wrote the original TPM1.2 RPC for the Charra YANG module? If you did, can you chime in on the questions below?

More specifics on the request:

Right now in the tpm20-challenge-response-attestation RPC output are TPM protected objects enclosed within TPMS_QUOTE_INFO.

Definition of TPMS_QUOTE_INFO Structure
---------------------------------------------------------
typedef struct {
    TPML_PCR_SELECTION pcrSelect;
    TPM2B_DIGEST       pcrDigest;
} TPMS_QUOTE_INFO;

See Table 115 of https://trustedcomputinggroup.org/wp-content/uploads/TCG_TSS_Overview_Common_Structures_v0.9_r03_published.pdf

The enclosed TPM2B_DIGEST is calculated across multiple PCRs. Having to verify across multiple PCRs does not necessarily make it easy for a Verifier to appraise just the minimum set of PCR information which has changed since the last received TPM2B_DIGEST. Put another way, why should a Verifier reconstruct the proper value of all PCR Quotes when only a single PCR has changed?

To help this happen, if the Attester does know specific PCR values, the Attester can provide these individual values via "unsigned-pcr-values". By comparing this information to what has previously been validated, it is possible for a Verifier to confirm the Attester's signature while eliminating significant processing. Additionally, processing where KGVs are exposed can be safely eliminated.

This is a long way of asserting that there is not redundant TPM information carried in the tpm20-challenge-response-attestation RPC response. This is a good thing. We should provide the same level of scrutiny to the TPM1.2 objects. We should eliminate redundant objects from the tpm12-challenge-response-attestation RPC.
If we were to eliminate redundant objects from the TPM1.2 Quote Response, I know that we can eliminate the following objects:

* leaf major
* leaf minor
* leaf rev-Minor
* leaf rev-Minor

I also think we can eliminate the following:

* fixed -- as this is a response to the RPC question
* locality-at-release

Looking beyond these obvious objects, I am wondering if there is anyone needing to differentiate between tpm12-quote1 and tpm12-quote2. As TPM1.2 is going to be phased out as equipment gets changed, it seems to make little sense to support both variants if both are not being actively championed by someone. In fact, I suspect that the YANG model can be updated so that it need not care about quote1 and quote2. Can whomever included both quote1 and quote2 articulate why there must be a market need to support both going forward?

If we can eliminate either quote1 or quote2 specifics, I suspect we could use the exact same structure as part of the RPC response as was used for TPM2. It would look something like:

  + tpm12-challenge-response-attestation
    ...
    +--ro output
       +--ro tpm12-attestation-response* []
          +--ro certificate-name?       certificate-name-ref
          +--ro TPMS_QUOTE_INFO         binary
          +--ro quote-signature?        binary
          +--ro up-time?                uint32
          +--ro node-id?                string
          +--ro node-physical-index?    int32 {ietfhw:entity-mib}?
          +--ro unsigned-pcr-values* []
             +--ro TPM20-hash-algo?     identityref
             +--ro pcr-values* [pcr-index]
                +--ro pcr-index         pcr
                +--ro pcr-value?        binary

I would love to get people's thoughts on what is above, and what might be mandatory to support in tpm12-challenge-response-attestation RPC output.

Thanks,
Eric

Eric Voit
Principal Engineer
.:|:.:|:. Cisco Systems, Inc.
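To make the digest-reconstruction argument in the message concrete, here is an added Python example (not code from the charra draft, the TCG, or the message author) that parses a serialized TPMS_QUOTE_INFO, recomputes pcrDigest from a set of PCR values, and shows a Verifier overlaying a few unsigned-pcr-values on the PCR set it validated last time instead of re-deriving every PCR. The algorithm IDs are from TPM 2.0 Part 2; the digest hash is assumed to be passed in by the caller (it is the quote's signing-scheme hash, not necessarily the PCR bank's); checking quote-signature over the quote is assumed to happen separately, and the sample PCR values are constructed.

```python
import hashlib
import struct
# TPM 2.0 Part 2 algorithm IDs (only the two this example needs).
TPM_ALG_SHA1, TPM_ALG_SHA256 = 0x0004, 0x000B
ALG_NAME = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256"}

def parse_quote_info(blob):
    """Unpack TPMS_QUOTE_INFO = TPML_PCR_SELECTION || TPM2B_DIGEST (big-endian) into
    ([(hash_alg, [pcr_index, ...]), ...], pcrDigest)."""
    (count,) = struct.unpack_from(">I", blob, 0)
    off, selections = 4, []
    for _ in range(count):  # one TPMS_PCR_SELECTION per PCR bank
        alg, size = struct.unpack_from(">HB", blob, off)
        mask, off = blob[off + 3:off + 3 + size], off + 3 + size
        # pcrSelect is a bitmap: bit 0 of byte 0 selects PCR 0
        selections.append((alg, [i for i in range(size * 8) if mask[i // 8] >> (i % 8) & 1]))
    (dlen,) = struct.unpack_from(">H", blob, off)
    return selections, blob[off + 2:off + 2 + dlen]

def build_quote_info(selections, digest):
    """Inverse of parse_quote_info; used here only to construct sample input."""
    out = struct.pack(">I", len(selections))
    for alg, pcrs in selections:
        mask = bytearray(3)  # 24 PCRs -> sizeofSelect = 3
        for i in pcrs:
            mask[i // 8] |= 1 << (i % 8)
        out += struct.pack(">HB", alg, len(mask)) + bytes(mask)
    return out + struct.pack(">H", len(digest)) + digest

def pcr_digest(selections, pcrs, digest_alg):
    """pcrDigest = H(selected PCR values concatenated in selection order), where H is the
    quote's signing-scheme hash (passed in as digest_alg, an assumption of this example)."""
    h = hashlib.new(ALG_NAME[digest_alg])
    for alg, indices in selections:
        for i in indices:
            h.update(pcrs[(alg, i)])
    return h.digest()

def appraise(blob, known_pcrs, unsigned_pcr_values, digest_alg):
    """Verifier side: overlay the Attester's unsigned-pcr-values on the PCR set validated
    last time and check the merged set against the signed pcrDigest. Returns
    (digest_matches, merged_pcrs, changed_pcr_keys); an unknown selected PCR is a mismatch."""
    selections, signed_digest = parse_quote_info(blob)
    merged = dict(known_pcrs)
    changed = sorted(k for k, v in unsigned_pcr_values.items() if merged.get(k) != v)
    merged.update(unsigned_pcr_values)
    try:
        return pcr_digest(selections, merged, digest_alg) == signed_digest, merged, changed
    except KeyError:
        return False, merged, changed
```

Only the PCRs reported in unsigned-pcr-values are re-derived; the rest are taken from the Verifier's last validated state, and the signed pcrDigest still binds the whole set.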