Re: [Rats] Review of draft-ietf-rats-yang-tpm-charra-21
"Tschofenig, Hannes" <hannes.tschofenig@siemens.com> Fri, 08 September 2023 11:47 UTC
Hi Eric,

a few additional remarks below.

> # Section 1
>
> rolling hash is the incorrect term for how PCR values are generated.
> See https://en.wikipedia.org/wiki/Rolling_hash for a definition of how
> a rolling hash works. You would use a rolling hash in creating a
> transcript hash for TLS when you do not want to maintain a copy of the
> entire message exchange transcript.

Both are needed. The sequential series of messages is recorded in the logs. And the PCR (maintained in protected hardware) is the hash of this sequential series of entries. It is this hash which allows you to verify the completeness/accuracy of the log entries.

[Hannes] Thanks for the clarification.

> # Section 2 The YANG Module for Basic Remote Attestation Procedures
>
> What does "Basic" refer to? Is there a "sophisticated" or "advanced"
> version somewhere else? If not, omit the term "basic".

There are advanced versions. For an example, see draft-voit-rats-trustworthy-path-routing, which is an instance of nested attestations as described in draft-ietf-rats-ar4si Section 3.2.

[Hannes] A reader might not understand this distinction without this extra information.

> You write:
> "
> The method for communicating the relationship of each individual TPM
> to specific measured component within the Composite Device is out of
> the scope of this document.
> "
>
> Is this functionality described in some other document? If so, where
> is it described? If not, what is the implication: what am I unable to do?

You need an out-of-band provisioning mechanism which lets you know the type of cryptoprocessor, the equipment within which it sits, and its public key.

This document does not describe this because these elements of business context are inherited from the companion document: draft-ietf-rats-tpm-based-network-device-attest

[Hannes] It could be useful for the reader to have a pointer to this other document.

> 2.1.1.3.2. 'tpm20-challenge-response-attestation'
>
> Example is not really an example. Here is a snippet:
>
> <certificate-name
> xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
> (instance of Certificate name in the Keystore)
> </certificate-name>
>
> Could you include an example with real values? Should be easy for you
> to copy-and-paste an example from one of your implementations. It
> would also be good to have examples for the other functionality as
> well. Readers, like me, like examples. In this specific case I am
> interested to see what the certificate identification looks like.

If you look at the authoritative YANG draft "draft-ietf-netconf-keystore" instance data in Section 3, it would be "Manufacturer-Generated IDevID Cert", which is less descriptive than what we have now. This is because the instance data is just a reference to the full set of key info described throughout "draft-ietf-netconf-keystore". Trying to keep the documents independent is traditional with YANG models so that we don't have to worry about keeping instance data in sync across a large number of drafts.

[Hannes] Looking at the YANG draft "draft-ietf-netconf-keystore" I can see that the certificate-name is essentially a string without any structure.

> 2.1.1.5. Data Nodes
>
> You use the term "compute node" several times throughout the document
> but it is not defined. Is there a definition you can reference?

The compute node is defined in the YANG model, which itself references RFC6933.

[Hannes] OK. I wasn't aware of this.

Thanks for responding to my comments.

Ciao
Hannes
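The Section 1 exchange above (log plus PCR, with the PCR being a chained hash over the sequence of log entries rather than a rolling hash) as an added verifier-side example; this is not code from the thread or the draft, and the event log entries are constructed sample data, not values from any real device:

```python
import hashlib

# Constructed sample event log: (PCR index, event type, data that was measured).
# Made-up entries for illustration only.
SAMPLE_LOG = [
    (0, "EV_S_CRTM_VERSION", b"constructed-crtm-v1"),
    (0, "EV_POST_CODE", b"constructed-bios-image"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"constructed-bootloader"),
    (4, "EV_EFI_ACTION", b"Calling EFI Application from Boot Option"),
]


def extend(pcr: bytes, digest: bytes, alg: str = "sha256") -> bytes:
    """One TPM PCR extend: new = H(old || digest).

    Each extend chains on the previous value, so order matters and
    nothing ever leaves the computation; that is why it is not a
    rolling (sliding-window) hash.
    """
    return hashlib.new(alg, pcr + digest).digest()


def replay_log(log, alg: str = "sha256") -> dict:
    """Replay an event log into per-PCR values from the all-zero reset state."""
    size = hashlib.new(alg).digest_size
    pcrs = {}
    for idx, _event_type, data in log:
        digest = hashlib.new(alg, data).digest()
        pcrs[idx] = extend(pcrs.get(idx, bytes(size)), digest, alg)
    return pcrs


def verify_log_against_pcrs(log, reported_pcrs: dict, alg: str = "sha256") -> dict:
    """Verifier check: the log is complete and accurate for a PCR only if
    replaying it reproduces the value reported in the (signed) quote.
    Returns {pcr_index: bool} for every reported PCR."""
    replayed = replay_log(log, alg)
    return {idx: replayed.get(idx) == val for idx, val in reported_pcrs.items()}


if __name__ == "__main__":
    quoted = replay_log(SAMPLE_LOG)          # stands in for the TPM quote
    print("intact log:   ", verify_log_against_pcrs(SAMPLE_LOG, quoted))
    print("truncated log:", verify_log_against_pcrs(SAMPLE_LOG[:-1], quoted))
```

A dropped, reordered or altered entry changes the replayed value for that PCR, which is exactly how the hash in protected hardware lets the Verifier detect an incomplete or tampered log.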