Re: [Rats] TPM1.2 Quote1 vs Quote2
"Eric Voit (evoit)" <evoit@cisco.com> Wed, 09 December 2020 22:23 UTC
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Guy Fedorkow <gfedorkow@juniper.net>
CC: "rats@ietf.org" <rats@ietf.org>, "Laffey, Tom (HPE Aruba)" <tom.laffey@hpe.com>, "jmfitz2@cyber.nsa.gov" <jmfitz2@cyber.nsa.gov>, "Birkholz, Henk" <henk.birkholz@sit.fraunhofer.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/EXi4Onsy7idq0rTViI1dXo_GSsM>
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Thanks Guy,

A change request which pulls out TPM1.2 Quote1 from the YANG model has been posted at:
https://github.com/ietf-rats-wg/basic-yang-module/pull/24
(Of course Quote2 remains.)

I just re-read the TCG's TPM1.2 commands, rev116. And based on the pull request, below is what I think the YANG structure should include. (This will mirror what is currently done with the TPM2 structures.)

    +---x tpm12-challenge-response-attestation {taa:TPM12}?
       +--ro output
          +--ro tpm12-attestation-response* []
             +--ro certificate-name?   certificate-name-ref
             +--ro up-time?            uint32
             +--ro TPM_QUOTE2

Thoughts on why these simplifications have been proposed are as follows:

(1) Added "TPM_QUOTE2" structure, with a reference to TPM Main Part 3 Commands, Section 16.5. (We might as well send the whole thing coming out as the TPM_RESULT as there is not a significant savings in bytes from fields which will never change.)

(2) Removed: "version", "locality-at-release" and "TPM_PCR_COMPOSITE", "signature-size", and "signature". These are all elements already contained within TPM_QUOTE2. And we have to parse that TPM1.2 provided structure anyway to verify the enclosed signature. This way we are not redundantly transporting and exposing these elements. Nor will YANG be seen as trying to redefine them.

(3) Removed: "node-id" & "node-physical-index" as these can be acquired from a YANG datastore read against "compute-nodes" using "certificate-name".

If there are no objections, I believe this can be merged. It would still be great to see if a TPM1.2 expert can validate the thinking here.

Eric

From: Guy Fedorkow <gfedorkow@juniper.net>
Sent: Wednesday, December 9, 2020 12:03 PM
To: Eric Voit (evoit) <evoit@cisco.com>
Cc: jmfitz2@cyber.nsa.gov; rats@ietf.org; Laffey, Tom (HPE Aruba) <tom.laffey@hpe.com>
Subject: RE: TPM1.2 Quote1 vs Quote2

Hi Eric,

I'm in favor of removing support for Quote1, although I think keeping Quote2 for TPM1.2 in the model is still important.

Thanks
/guy

Juniper Business Use Only

From: Eric Voit (evoit) <evoit@cisco.com>
Sent: Monday, December 7, 2020 7:09 PM
To: Laffey, Tom (HPE Aruba) <tom.laffey@hpe.com>; Kenneth Goldman <kgoldman@us.ibm.com>; Guy Fedorkow <gfedorkow@juniper.net>
Cc: Bill Sulzen (bsulzen) <bsulzen@cisco.com>; Graeme Proudler <graeme@gproudler.plus.com>; jmfitz2@cyber.nsa.gov
Subject: RE: TPM1.2 Quote1 vs Quote2

I have removed all the structures needed to support just TPM1.2 Quote1 from the YANG model. There was a significant reduction in YANG model size, which is goodness.

Does anyone have an issue if I post a new version of Charra which only supports Quote2?

The proposed model is attached. And the tree is below.

Eric

    module: ietf-tpm-remote-attestation
      +--rw rats-support-structures
         +--rw compute-nodes!
         |  +--ro compute-node* [node-id]
         |     +--ro node-id                string
         |     +--ro node-physical-index?   int32 {ietfhw:entity-mib}?
         |     +--ro node-name?             string
         |     +--ro node-location?         string
         +--rw tpms
         |  +--rw tpm* [tpm-name]
         |     +--rw tpm-name                string
         |     +--ro hardware-based?         boolean
         |     +--ro tpm-physical-index?     int32 {ietfhw:entity-mib}?
         |     +--ro tpm-path?               string
         |     +--ro compute-node            compute-node-ref
         |     +--ro tpm-manufacturer?       string
         |     +--rw tpm-firmware-version    identityref
         |     +--rw TPM12-hash-algo?        identityref
         |     +--rw TPM12-pcrs*             pcr
         |     +--rw tpm20-pcr-bank* [TPM20-hash-algo]
         |     |  +--rw TPM20-hash-algo    identityref
         |     |  +--rw pcr-index*         tpm:pcr
         |     +--ro tpm-status              enumeration
         |     +--rw certificates
         |        +--rw certificate* [certificate-name]
         |           +--rw certificate-name            string
         |           +--rw certificate-keystore-ref?   leafref
         |           +--rw certificate-type?           enumeration
         +--rw attester-supported-algos
            +--rw tpm12-asymmetric-signing*   identityref {taa:TPM12}?
            +--rw tpm12-hash*                 identityref {taa:TPM12}?
            +--rw tpm20-asymmetric-signing*   identityref {taa:TPM20}?
            +--rw tpm20-hash*                 identityref {taa:TPM20}?

      rpcs:
        +---x tpm12-challenge-response-attestation {taa:TPM12}?
        |  +---w input
        |  |  +---w tpm12-attestation-challenge
        |  |     +---w pcr-index*          pcr
        |  |     +---w nonce-value         binary
        |  |     +---w certificate-name*   certificate-name-ref
        |  +--ro output
        |     +--ro tpm12-attestation-response* []
        |        +--ro certificate-name?      certificate-name-ref
        |        +--ro up-time?               uint32
        |        +--ro node-id?               string
        |        +--ro node-physical-index?   int32 {ietfhw:entity-mib}?
        |        +--ro locality-at-release?   uint8
        |        +--ro TPM_PCR_COMPOSITE* []
        |        |  +--ro pcr-index*         pcr
        |        |  +--ro value-size?        uint32
        |        |  +--ro tpm12-pcr-value*   binary
        |        +--ro signature-size?        uint32
        |        +--ro signature?             binary
        +---x tpm20-challenge-response-attestation {taa:TPM20}?
        |  +---w input
        |  |  +---w tpm20-attestation-challenge
        |  |     +---w nonce-value             binary
        |  |     +---w tpm20-pcr-selection* []
        |  |     |  +---w TPM20-hash-algo?   identityref
        |  |     |  +---w pcr-index*         tpm:pcr
        |  |     +---w certificate-name*       certificate-name-ref
        |  +--ro output
        |     +--ro tpm20-attestation-response* []
        |        +--ro certificate-name?      certificate-name-ref
        |        +--ro TPMS_QUOTE_INFO        binary
        |        +--ro quote-signature?       binary
        |        +--ro up-time?               uint32
        |        +--ro node-id?               string
        |        +--ro node-physical-index?   int32 {ietfhw:entity-mib}?
        |        +--ro unsigned-pcr-values* []
        |           +--ro TPM20-hash-algo?   identityref
        |           +--ro pcr-values* [pcr-index]
        |              +--ro pcr-index    pcr
        |              +--ro pcr-value?   binary
        +---x log-retrieval
           +---w input
           |  +---w log-selector* []
           |  |  +---w tpm-name*              string
           |  |  +---w (index-type)?
           |  |  |  +--:(last-entry)
           |  |  |  |  +---w last-entry-value?    binary
           |  |  |  +--:(index)
           |  |  |  |  +---w last-index-number?   uint64
           |  |  |  +--:(timestamp)
           |  |  |     +---w timestamp?           yang:date-and-time
           |  |  +---w log-entry-quantity?    uint16
           |  +---w log-type                 identityref
           +--ro output
              +--ro system-event-logs
                 +--ro node-data* []
                    +--ro tpm-name?    string
                    +--ro up-time?     uint32
                    +--ro log-result
                       +--ro (attested_event_log_type)
                          +--:(bios)
                          |  +--ro bios-event-logs
                          |     +--ro bios-event-entry* [event-number]
                          |        +--ro event-number    uint32
                          |        +--ro event-type?     uint32
                          |        +--ro pcr-index?      pcr
                          |        +--ro digest-list* []
                          |        |  +--ro hash-algo?   identityref
                          |        |  +--ro digest*      binary
                          |        +--ro event-size?     uint32
                          |        +--ro event-data*     uint8
                          +--:(ima)
                          |  +--ro ima-event-logs
                          |     +--ro ima-event-entry* [event-number]
                          |        +--ro event-number               uint64
                          |        +--ro ima-template?              string
                          |        +--ro filename-hint?             string
                          |        +--ro filedata-hash?             binary
                          |        +--ro filedata-hash-algorithm?   string
                          |        +--ro template-hash-algorithm?   string
                          |        +--ro template-hash?             binary
                          |        +--ro pcr-index?                 pcr
                          |        +--ro signature?                 binary
                          +--:(netequip_boot)
                             +--ro boot-event-logs
                                +--ro boot-event-entry* [event-number]
                                   +--ro event-number               uint64
                                   +--ro filename-hint?             string
                                   +--ro filedata-hash?             binary
                                   +--ro filedata-hash-algorithm?   string
                                   +--ro file-version?              string
                                   +--ro file-type?                 string
                                   +--ro pcr-index?                 pcr

From: Eric Voit (evoit)
Sent: Tuesday, November 24, 2020 5:17 PM
To: Laffey, Tom (HPE Aruba) <tom.laffey@hpe.com>; Kenneth Goldman <kgoldman@us.ibm.com>; Guy Fedorkow <gfedorkow@juniper.net>
Cc: Bill Sulzen (bsulzen) <bsulzen@cisco.com>; Graeme Proudler <graeme@gproudler.plus.com>; jmfitz2@cyber.nsa.gov
Subject: RE: TPM1.2 Quote1 vs Quote2

Agree we cannot abandon TPM1.2. We will have router equipment which does this in place for many years.

Also my understanding is that Cisco is good with just supporting Quote2.

Eric

From: Laffey, Tom (HPE Aruba) <tom.laffey@hpe.com>
Sent: Tuesday, November 24, 2020 5:14 PM
To: Kenneth Goldman <kgoldman@us.ibm.com>; Guy Fedorkow <gfedorkow@juniper.net>
Cc: Bill Sulzen (bsulzen) <bsulzen@cisco.com>; Eric Voit (evoit) <evoit@cisco.com>; Graeme Proudler <graeme@gproudler.plus.com>; jmfitz2@cyber.nsa.gov
Subject: RE: TPM1.2 Quote1 vs Quote2

I don't think we can abandon TPM 1.2 just yet. Products in production with TPM 1.2 today will have to be supported for some more years to come. But yes, "not recommended for new designs" as they say.

Tom

From: Kenneth Goldman <kgoldman@us.ibm.com>
Sent: Tuesday, November 24, 2020 2:06 PM
To: Guy Fedorkow <gfedorkow@juniper.net>
Cc: Bill Sulzen (bsulzen) <bsulzen@cisco.com>; Eric Voit (evoit) <evoit@cisco.com>; Graeme Proudler <graeme@gproudler.plus.com>; jmfitz2@cyber.nsa.gov; Laffey, Tom (HPE Aruba) <tom.laffey@hpe.com>
Subject: RE: TPM1.2 Quote1 vs Quote2

--
Ken Goldman
kgoldman@us.ibm.com
914-945-2415 (862-2415)

From: Guy Fedorkow <gfedorkow@juniper.net>
To: Kenneth Goldman <kgoldman@us.ibm.com>
Cc: "Bill Sulzen (bsulzen)" <bsulzen@cisco.com>, "Eric Voit (evoit)" <evoit@cisco.com>, Graeme Proudler <graeme@gproudler.plus.com>, jmfitz2@cyber.nsa.gov, "Laffey, Tom (HPE Aruba)" <tom.laffey@hpe.com>
Date: 11/24/2020 04:57 PM
Subject: [EXTERNAL] RE: TPM1.2 Quote1 vs Quote2

> Ken, which volume has the informative section? I could not miss reading it!

Part 3 under the quote2 command.

> As Tom asked, it's sounding like quote1 is there for compatibility, and Quote2 is what someone should use going forward.

Going forward, use TPM 2.0. TPM 1.2 is really end of life. I wish I could drop it from the IBM TSS, since it just adds test time.
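Eric's point (2) at the top of the thread is that the verifier must parse the TPM_Quote2 output to check the enclosed signature anyway, so the YANG model can carry that structure whole. As an added example, not code from this thread or from the YANG draft, here is a Python parser for that output as I read TPM Main Part 3 rev 116 section 16.5 (the section Eric cites) and the Part 2 structures it uses: it pulls out localityAtRelease, the PCR selection, digestAtRelease, the optional versionInfo and the signature, recomputes the TPM_PCR_COMPOSITE digest from PCR values the verifier holds, and forms the TPM_QUOTE_INFO2 digest that the AIK signature is checked against. It assumes the no-authorization response form (TPM_TAG_RSP_COMMAND, no trailing session data), and every sample byte is constructed rather than captured from a TPM.

```python
import hashlib
import struct
from dataclasses import dataclass

TPM_TAG_RSP_COMMAND = 0x00C4  # tag of every TPM 1.2 response header
TPM_TAG_QUOTE_INFO2 = 0x0036  # tag of the signed TPM_QUOTE_INFO2 structure
SHA1_LEN = 20

@dataclass
class Quote2:
    pcr_select: bytes         # TPM_PCR_SELECTION.pcrSelect bitmap
    locality_at_release: int  # TPM_PCR_INFO_SHORT.localityAtRelease
    digest_at_release: bytes  # SHA-1 of TPM_PCR_COMPOSITE over the selected PCRs
    version_info: bytes       # raw TPM_CAP_VERSION_INFO; empty when addVersion was FALSE
    signature: bytes          # AIK RSA signature over SHA-1(TPM_QUOTE_INFO2 [+ versionInfo])

def parse_quote2_response(resp: bytes) -> Quote2:
    """Unpack the TPM_Quote2 outgoing operands (Part 3, 16.5); integers are big-endian."""
    tag, param_size, rc = struct.unpack_from(">HII", resp, 0)
    if tag != TPM_TAG_RSP_COMMAND or param_size != len(resp) or rc != 0:
        raise ValueError("not a successful TPM 1.2 response")
    off = 10
    size_of_select = struct.unpack_from(">H", resp, off)[0]; off += 2
    pcr_select = resp[off:off + size_of_select]; off += size_of_select
    locality = resp[off]; off += 1
    digest = resp[off:off + SHA1_LEN]; off += SHA1_LEN
    vsize = struct.unpack_from(">I", resp, off)[0]; off += 4
    vinfo = resp[off:off + vsize]; off += vsize
    sig_size = struct.unpack_from(">I", resp, off)[0]; off += 4
    sig = resp[off:off + sig_size]; off += sig_size
    if off != len(resp):
        raise ValueError("length mismatch inside TPM_Quote2 response")
    return Quote2(pcr_select, locality, digest, vinfo, sig)

def selected_pcrs(pcr_select: bytes) -> list:
    """Expand the pcrSelect bitmap: bit i of byte j selects PCR 8*j+i."""
    return [8 * j + i for j, b in enumerate(pcr_select) for i in range(8) if b >> i & 1]

def pcr_composite_digest(pcr_select: bytes, pcr_values: dict) -> bytes:
    """SHA-1 of TPM_PCR_COMPOSITE {TPM_PCR_SELECTION select; UINT32 valueSize; pcrValue[]}."""
    vals = b"".join(pcr_values[i] for i in selected_pcrs(pcr_select))
    composite = struct.pack(">H", len(pcr_select)) + pcr_select + struct.pack(">I", len(vals)) + vals
    return hashlib.sha1(composite).digest()

def quote_info2_digest(q: Quote2, nonce: bytes) -> bytes:
    """Digest the AIK signature covers: TPM_QUOTE_INFO2 {tag, "QUT2", externalData, infoShort}."""
    info_short = (struct.pack(">H", len(q.pcr_select)) + q.pcr_select
                  + bytes([q.locality_at_release]) + q.digest_at_release)
    signed = struct.pack(">H", TPM_TAG_QUOTE_INFO2) + b"QUT2" + nonce + info_short + q.version_info
    return hashlib.sha1(signed).digest()

def check_quote(resp: bytes, nonce: bytes, pcr_values: dict) -> bool:
    """Verifier side: digestAtRelease must equal the composite of the PCR values we hold."""
    q = parse_quote2_response(resp)
    return q.digest_at_release == pcr_composite_digest(q.pcr_select, pcr_values)

# Constructed sample, not a capture from a real TPM: PCRs 0 and 1 selected (sizeOfSelect 3),
# locality 0, addVersion FALSE, and an all-zero 256-byte stand-in for the signature.
SAMPLE_SELECT = b"\x03\x00\x00"
SAMPLE_PCRS = {0: bytes(SHA1_LEN), 1: hashlib.sha1(b"constructed pcr1").digest()}
SAMPLE_NONCE = hashlib.sha1(b"constructed verifier nonce").digest()
_body = (struct.pack(">H", 3) + SAMPLE_SELECT + b"\x00" + pcr_composite_digest(SAMPLE_SELECT, SAMPLE_PCRS)
         + struct.pack(">I", 0) + struct.pack(">I", 256) + bytes(256))
SAMPLE_RESPONSE = struct.pack(">HII", TPM_TAG_RSP_COMMAND, 10 + len(_body), 0) + _body
```

Checking the RSA signature over quote_info2_digest() needs the AIK public key, which the YANG model reaches through certificate-name; that step is left out here.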