Re: [Rats] yang tpm defining a datastore?

"Eric Voit (evoit)" <evoit@cisco.com> Fri, 19 February 2021 17:43 UTC

From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "rats@ietf.org" <rats@ietf.org>, Mahesh Jethanandani <mjethanandani@gmail.com>
Thread-Topic: [Rats] yang tpm defining a datastore?
Thread-Index: AQHXBsI080pm17Ze4kiDl3Il8j/WdapfrQYwgAAMDgCAAASGAA==
Date: Fri, 19 Feb 2021 17:43:16 +0000
Message-ID: <BL0PR11MB312297E446663B10949EC934A1849@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <20210219132137.otltbtrhbew7yb6r@anna.jacobs.jacobs-university.de> <BL0PR11MB312212DDD7BAB9CA89739BBDA1849@BL0PR11MB3122.namprd11.prod.outlook.com> <20210219171854.g3q4mbyqzk3smuf5@anna.jacobs.jacobs-university.de>
In-Reply-To: <20210219171854.g3q4mbyqzk3smuf5@anna.jacobs.jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/CRp2rCze-U69eSdQg6bljjnS7_0>

> The text in the I-D makes me believe you are defining configuration, not a new
> datastore. I assume you talk about the server side (which I assume to be the
> attester) and you want to configure that certain attestation requests are
> rejected. If so, this is all regular configuration and not a new datastore. (But it
> might also be that I do not understand things right. But defining a new datastore
> is most likely not what you want to do.)

It is true that there is not a completely new datastore.   The draft intends
to say new managed objects within the configuration datastore.   I will
update the text.

> Note that not everything must be defined using XPATH. What is important here
> is likely that it is well defined how the server reacts and which failure code it
> returns if there is a mismatch.

Having less XPATH would ease the complexity of the model.  When this goes to
WGLC, we can close with the YANG Doctors on what must be covered.

Eric
 
> /js
> 
> On Fri, Feb 19, 2021 at 04:47:41PM +0000, Eric Voit (evoit) wrote:
> > Hi Juergen,
> >
> > > Juergen Schoenwaelder, February 19, 2021 8:22 AM
> > >
> > > draft-ietf-rats-yang-tpm-charra-05 says:
> > >
> > >    This document defines a YANG RPC and a minimal datastore required to
> > >    retrieve attestation evidence about integrity measurements from a
> > >    device following the operational context defined in TPM-based Network
> > >    Device Remote Integrity Verification.
> > >
> > > Does it define a datastore? To me, it seems the document defines a data model
> > > but not a datastore.
> >
> > There is a small datastore within this model.  Section 2.1.1.6:
> >
> >    container <attester-supported-algos> - Identifies which TCG
> >    algorithms are available for use the Attesting platform.  This allows
> >    an operator to limit algorithms available for use by RPCs to just a
> >    desired set from the universe of all allowed by TCG.
> >
> >    +--rw attester-supported-algos
> >       +--rw tpm12-asymmetric-signing*   identityref {taa:TPM12}?
> >       +--rw tpm12-hash*                 identityref {taa:TPM12}?
> >       +--rw tpm20-asymmetric-signing*   identityref {taa:TPM20}?
> >       +--rw tpm20-hash*                 identityref {taa:TPM20}?
> >
> > It is these populated nodes where we could really use your help.  Basically
> > there are XPATH statements embedded in the model which are intended to
> > enforce that RPCs only use the <attester-supported-algos>.  I.e., the
> > RPCs will only accept values which the operator says are available from the
> > platform.
> >
> > Would you be willing to help us ensure these are correct?
> >
> > Thanks,
> > Eric
> >
> >
> > >    [I-D.ietf-rats-reference-interaction-models] document.  A fresh nonce
> > >    with an appropriate amount of entropy MUST be supplied by the YANG
> > >    client in order to enable a proof-of-freshness with respect to the
> > >    attestation evidence provided by the attester running the YANG
> > >    datastore.
> > >
> > > The "YANG datastore"?
> > >
> > >   container rats-support-structures {
> > >     description
> > >       "The datastore definition enabling verifiers or relying
> > >        parties to discover the information necessary to use the
> > >        remote attestation RPCs appropriately.";
> > >
> > > I guess this is all just sloppy wording, it does not seem like you are
> > > defining a datastore. Note that a schema element like a container can be
> > > instantiated in several datastores, not just one.
> > >
> > > /js
> > >
> > > --
> > > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> > >
> > > _______________________________________________
> > > RATS mailing list
> > > RATS@ietf.org
> > > https://www.ietf.org/mailman/listinfo/rats
> 
> 
> 
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
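The two points raised in this exchange, that RPCs must only accept algorithm values the operator has listed under attester-supported-algos, and that how the server reacts and which failure code it returns on a mismatch must be well defined, can be modelled as plain server-side validation. The following is an added example written for this archive page; it is not code from draft-ietf-rats-yang-tpm-charra or from either author. The configured identity names, the RPC input leaf names, the INPUT_TO_CONFIG mapping and the error paths are constructed placeholders (the draft's real identities from ietf-tcg-algs are not reproduced). The error shape follows what RFC 7950 section 7.5.4.1 prescribes for a violated must statement (error-tag operation-failed, error-app-tag must-violation) in the rpc-error field layout of RFC 6241 section 4.3.

```python
"""Server-side enforcement of attester-supported-algos on RPC input.

Added example, not the draft's own code. It reproduces in Python what an
XPath 'must' statement comparing an RPC input leaf against the operator's
leaf-list is meant to enforce, and returns a well-defined failure.
"""
from typing import Dict, Iterable, Optional, Set

# Constructed operator configuration: the rw leaf-lists under
# attester-supported-algos. Identity names are placeholders, not the real
# identities of the ietf-tcg-algs module.
SUPPORTED_ALGOS: Dict[str, Set[str]] = {
    "tpm12-asymmetric-signing": {"taa:example-rsa-1"},
    "tpm12-hash": {"taa:example-sha1"},
    "tpm20-asymmetric-signing": {"taa:example-rsassa", "taa:example-ecdsa"},
    "tpm20-hash": {"taa:example-sha256", "taa:example-sha384"},
}

# Hypothetical mapping from an RPC input leaf to the configured leaf-list it
# must match. The draft's actual RPC leaf names are not reproduced here.
INPUT_TO_CONFIG: Dict[str, str] = {
    "tpm12-hash-algo": "tpm12-hash",
    "tpm12-signature-algo": "tpm12-asymmetric-signing",
    "tpm20-hash-algo": "tpm20-hash",
    "tpm20-signature-algo": "tpm20-asymmetric-signing",
}


def xpath_equals_any(value: str, node_set: Iterable[str]) -> bool:
    """XPath 1.0 '=' between a leaf and a node-set is true when the leaf equals
    the string value of ANY node in the set. An empty node-set never compares
    equal, so an unconfigured leaf-list rejects every request (the operator
    must opt algorithms in explicitly)."""
    return any(value == node for node in node_set)


def must_violation(path: str, value: str, allowed: Set[str]) -> dict:
    """Build the error RFC 7950 section 7.5.4.1 mandates for a violated
    'must', laid out like a NETCONF <rpc-error> (RFC 6241 section 4.3)."""
    return {
        "error-type": "application",
        "error-tag": "operation-failed",
        "error-app-tag": "must-violation",
        "error-path": path,
        "error-message": (
            f"{value!r} is not enabled in attester-supported-algos; "
            f"allowed: {sorted(allowed)}"
        ),
    }


def check_rpc_input(
    rpc_input: Dict[str, str],
    config: Dict[str, Set[str]] = SUPPORTED_ALGOS,
) -> Optional[dict]:
    """Return None when every algorithm selector in the RPC input names an
    operator-enabled algorithm, else the rpc-error for the first mismatch.
    Leaves that are not algorithm selectors (e.g. a nonce) are ignored here."""
    for leaf, value in rpc_input.items():
        cfg_leaf = INPUT_TO_CONFIG.get(leaf)
        if cfg_leaf is None:
            continue
        allowed = config.get(cfg_leaf, set())
        if not xpath_equals_any(value, allowed):
            return must_violation(f"/rpc-input/{leaf}", value, allowed)
    return None


if __name__ == "__main__":
    # Constructed requests: one uses an enabled hash, one asks for a hash the
    # platform may implement but the operator did not enable.
    ok = {"nonce-value": "0123abcd", "tpm20-hash-algo": "taa:example-sha256"}
    bad = {"nonce-value": "0123abcd", "tpm20-hash-algo": "taa:example-sha512"}
    print("accepted" if check_rpc_input(ok) is None else check_rpc_input(ok))
    print(check_rpc_input(bad))
```

The membership test is written as a node-set comparison on purpose: it is the semantic an XPath `must` gives for `leaf = leaf-list`, including the edge case that an empty leaf-list rejects everything, which is the behaviour a reviewer would want stated explicitly in the model's description text.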