Re: [Rats] yang tpm defining a datastore?

"Eric Voit (evoit)" <evoit@cisco.com> Fri, 19 February 2021 16:47 UTC

From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] yang tpm defining a datastore?
Thread-Index: AQHXBsI080pm17Ze4kiDl3Il8j/WdapfrQYw
Date: Fri, 19 Feb 2021 16:47:41 +0000
Message-ID: <BL0PR11MB312212DDD7BAB9CA89739BBDA1849@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <20210219132137.otltbtrhbew7yb6r@anna.jacobs.jacobs-university.de>
In-Reply-To: <20210219132137.otltbtrhbew7yb6r@anna.jacobs.jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/FSFgMeHsf7vREbsJ_xy_JtiMr2k>

Hi Juergen,

> Juergen Schoenwaelder, February 19, 2021 8:22 AM
> 
> draft-ietf-rats-yang-tpm-charra-05 says:
> 
>    This document defines a YANG RPC and a minimal datastore required to
>    retrieve attestation evidence about integrity measurements from a
>    device following the operational context defined in TPM-based Network
>    Device Remote Integrity Verification.
> 
> Does it define a datastore? To me, it seems the document defines a data
> model but not a datastore.

There is a small datastore within this model.  Section 2.1.1.6:

   container <attester-supported-algos> - Identifies which TCG
   algorithms are available for use by the Attesting platform.  This allows
   an operator to limit algorithms available for use by RPCs to just a
   desired set from the universe of all allowed by TCG.

   +--rw attester-supported-algos
      +--rw tpm12-asymmetric-signing*   identityref {taa:TPM12}?
      +--rw tpm12-hash*                 identityref {taa:TPM12}?
      +--rw tpm20-asymmetric-signing*   identityref {taa:TPM20}?
      +--rw tpm20-hash*                 identityref {taa:TPM20}?

It is these populated nodes where we could really use your help.  Basically
there are XPath statements embedded in the model which are intended to
enforce that RPCs only use the <attester-supported-algos>.  I.e., the RPCs
will only accept values which the operator says are available from the
platform.

Would you be willing to help us ensure these are correct?

Thanks,
Eric

>    [I-D.ietf-rats-reference-interaction-models] document.  A fresh nonce
>    with an appropriate amount of entropy MUST be supplied by the YANG
>    client in order to enable a proof-of-freshness with respect to the
>    attestation evidence provided by the attester running the YANG
>    datastore.
> 
> The "YANG datastore"?
> 
>   container rats-support-structures {
>     description
>       "The datastore definition enabling verifiers or relying
>        parties to discover the information necessary to use the
>        remote attestation RPCs appropriately.";
> 
> I guess this is all just sloppy wording, it does not seem like you are
> defining a datastore. Note that a schema element like a container can be
> instantiated in several datastores, not just one.
> 
> /js
> 
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> 
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
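Added illustration, not part of the thread and not the draft's YANG or any implementation of it: the enforcement Eric describes (an RPC may only name algorithms that appear under `attester-supported-algos`), written as the check a server would perform when evaluating a must-style constraint, together with Juergen's point that the same schema container can be instantiated in more than one datastore (NMDA, RFC 8342). The namespace `urn:example:tpm-demo`, the RPC name `attestation-request`, the input leaf names `hash-algo` and `signature-algo`, and the algorithm identity strings are assumed or constructed for the demo; only `attester-supported-algos`, `tpm20-hash` and `tpm20-asymmetric-signing` come from the mail.

```python
import xml.etree.ElementTree as ET

# Assumed namespace for the demo; not the draft's module namespace.
NS = "urn:example:tpm-demo"
Q = "{%s}" % NS  # ElementTree's Clark-notation prefix for namespaced tags

# Constructed instances of the container quoted in the mail. One schema node,
# two datastores: <running> holds what the operator configured, <operational>
# what the device actually applied (here SHA384 was configured but not applied).
RUNNING = """<rats-support-structures xmlns="urn:example:tpm-demo">
  <attester-supported-algos>
    <tpm20-hash>TPM_ALG_SHA256</tpm20-hash>
    <tpm20-hash>TPM_ALG_SHA384</tpm20-hash>
    <tpm20-asymmetric-signing>TPM_ALG_RSASSA</tpm20-asymmetric-signing>
  </attester-supported-algos>
</rats-support-structures>"""

OPERATIONAL = """<rats-support-structures xmlns="urn:example:tpm-demo">
  <attester-supported-algos>
    <tpm20-hash>TPM_ALG_SHA256</tpm20-hash>
    <tpm20-asymmetric-signing>TPM_ALG_RSASSA</tpm20-asymmetric-signing>
  </attester-supported-algos>
</rats-support-structures>"""

# Constructed RPC inputs; the RPC and leaf names are assumed for the demo.
RPC_SHA384 = """<attestation-request xmlns="urn:example:tpm-demo">
  <hash-algo>TPM_ALG_SHA384</hash-algo>
  <signature-algo>TPM_ALG_RSASSA</signature-algo>
</attestation-request>"""

RPC_SHA256 = """<attestation-request xmlns="urn:example:tpm-demo">
  <hash-algo>TPM_ALG_SHA256</hash-algo>
  <signature-algo>TPM_ALG_RSASSA</signature-algo>
</attestation-request>"""

# Which leaf-list under <attester-supported-algos> constrains which RPC input leaf.
CONSTRAINTS = {
    "hash-algo": "tpm20-hash",
    "signature-algo": "tpm20-asymmetric-signing",
}


def supported_algos(datastore_xml, leaf_list):
    """Evaluate /rats-support-structures/attester-supported-algos/<leaf_list>
    against one datastore instance and return the set of configured identities."""
    root = ET.fromstring(datastore_xml)
    path = "./%sattester-supported-algos/%s%s" % (Q, Q, leaf_list)
    return {e.text.strip() for e in root.iterfind(path) if e.text}


def check_rpc(rpc_xml, datastore_xml):
    """Apply the must-style rule: each algorithm named in the RPC input must be
    one of the entries in the corresponding leaf-list of the given datastore.
    Returns a list of error strings; an empty list means the RPC is acceptable."""
    rpc = ET.fromstring(rpc_xml)
    errors = []
    for input_leaf, leaf_list in CONSTRAINTS.items():
        node = rpc.find("./%s%s" % (Q, input_leaf))
        if node is None or not node.text:
            errors.append("%s: missing" % input_leaf)
            continue
        requested = node.text.strip()
        allowed = supported_algos(datastore_xml, leaf_list)
        if requested not in allowed:
            errors.append("%s: %s not in %s %s"
                          % (input_leaf, requested, leaf_list, sorted(allowed)))
    return errors


if __name__ == "__main__":
    # The same RPC passes against <running> but fails against <operational>,
    # which is why it matters which datastore the XPath is evaluated against.
    for name, ds in (("running", RUNNING), ("operational", OPERATIONAL)):
        errs = check_rpc(RPC_SHA384, ds)
        print("%s: %s" % (name, "accepted" if not errs else errs))
```

The design point is the one Juergen raises: the container is a schema node, so `check_rpc` takes the datastore instance as a parameter rather than assuming there is only one. A server that validates RPC inputs against `<running>` would accept an algorithm the hardware never applied; validating against `<operational>` is what actually reflects what the Attesting platform can do.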