Re: [Rats] Some new comments for CHARRA YANG module

"Eric Voit (evoit)" <evoit@cisco.com> Thu, 13 August 2020 14:32 UTC

From: "Eric Voit (evoit)" <evoit@cisco.com>
To: "Panwei (William)" <william.panwei@huawei.com>, "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>
CC: "rats@ietf.org" <rats@ietf.org>, "draft-ietf-rats-yang-tpm-charra@ietf.org" <draft-ietf-rats-yang-tpm-charra@ietf.org>
Date: Thu, 13 Aug 2020 14:32:26 +0000
Message-ID: <BL0PR11MB31228AFC5C808ADE027B12F5A1430@BL0PR11MB3122.namprd11.prod.outlook.com>
In-Reply-To: <300450dd9780421aa1b9f5afa88261fc@huawei.com>
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/L-wM05QmV4KqTLV4RYDXThFl2oA>

Hi Wei Pan,

From: Panwei (William), August 13, 2020 8:29 AM

Hi Eric,

In modifying the YANG module, I have some new comments about the module.

1. Do we still need the basic-trust-establishment now? It provides the
function of retrieving the certificates of TPM2.0. But I think now the
certificates can be obtained from the rats-support-structure and ietf-keystore.


<eric> I can go either way on this. This RPC could provide some
simplifications for TPMs. Adding Shwetha to the thread to see if there is
sufficient differentiation from draft-ietf-netconf-keystore-17 (and its
extended family of documents) to justify this RPC.
 

2. The styles of challenge input for TPM1.2 and TPM2.0 are different.

      +---x tpm20-challenge-response-attestation {TPM20}?
      |  +---w input
      |  |  +---w tpm20-attestation-challenge
      |  |     +---w nonce-value          binary
      |  |     +---w challenge-objects* []
      |  |        +---w pcr-list* [TPM2_Algo]
      |  |        |  +---w TPM2_Algo        identityref
      |  |        |  +---w pcr-index*       tpm:pcr
      |  |        +---w TPM2_Algo?          identityref
      |  |        +---w (key-identifier)?
      |  |        |  +--:(public-key)
      |  |        |  |  +---w pub-key-id?   binary
      |  |        |  +--:(uuid)
      |  |        |     +---w uuid-value?   binary
      |  |        +---w tpm-name*           string

In the TPM2.0 challenge input, the nonce is put aside and the
challenge-objects is a list. So you can challenge for different pcr-lists of
different TPMs in one challenge input.

      +---x tpm12-challenge-response-attestation {TPM12}?
      |  +---w input
      |  |  +---w tpm1-attestation-challenge
      |  |     +---w pcr-index*              pcr
      |  |     +---w nonce-value             binary
      |  |     +---w TPM12_Algo?             identityref
      |  |     +---w (key-identifier)?
      |  |     |  +--:(public-key)
      |  |     |  |  +---w pub-key-id?       binary
      |  |     |  +--:(TSS_UUID)
      |  |     |     +---w TSS_UUID-value
      |  |     |        +---w ulTimeLow?       uint32
      |  |     |        +---w usTimeMid?       uint16
      |  |     |        +---w usTimeHigh?      uint16
      |  |     |        +---w bClockSeqHigh?   uint8
      |  |     |        +---w bClockSeqLow?    uint8
      |  |     |        +---w rgbNode*         uint8
      |  |     +---w add-version?            boolean
      |  |     +---w tpm-name*               string

In the TPM1.2 challenge input, if you want to challenge for different
pcr-indexes of different TPMs, you need to construct multiple challenge
inputs with different nonce values.


<eric> This is true. The question I have is for multiple TPM1.2 line
cards, whether you ever would really need to have a single query which hits
different PCRs. If yes, then we need the flexibility you are asking. If
no, the restrictions will simplify the code needed to handle the RPC. (Note
that for TPM2.0 we already need the extra complexity as groups of PCRs are
hashed together.)


I think it's better to change the style of TPM1.2 to the same as that of TPM2.0.

<eric> If you or others have a business need to have a single query which
targets different PCRs from different line cards, I would agree. Do you
really have this? If yes (or even no), are you willing to create some more
XPATH statements which can limit the options so that the exposure of this
flexibility doesn't drive code developers to support unneeded variants?


3. In the log-retrieval part, the input uses tpm-name as the identifier, but
the output uses certificate-name. The certificate-name isn't used in the
log-result, should we also use tpm-name as the identifier of output?

<eric> My initial thinking was that perhaps a certificate upgrade has
occurred between the last log-retrieval and the current one. As the
existing RPC would notify with the new certificate-name, this could save a
step. However the logs are not really tied to a certificate name, so I will
make the change to <tpm-name>.

Eric

Regards & Thanks!

Wei Pan
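Added illustration of the structural difference Wei Pan raises in item 2 (example code, not code from the CHARRA draft or from either author). It models the two challenge-input shapes from the tree diagrams as Python dicts, applies the checks a Verifier would run on a TPM2.0 input before sending it (unique TPM2_Algo list key, PCR indexes in range, a nonce that is actually fresh, and an optional single-TPM restriction of the kind Eric's XPath question is about), and re-expresses one TPM2.0 challenge as the set of TPM1.2 inputs, each with its own nonce-value, that the TPM1.2 shape forces. Key names follow the thread; the 24-PCR range, the 32-byte nonce, the identity name "sha256" and the line-card names are assumptions of this example.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

NONCE_BYTES = 32          # assumption: 32-byte nonce (the size of a SHA-256 digest)
PCR_RANGE = range(0, 24)  # assumption: 24 PCRs per bank on a conventional TPM

# Constructed sample: two line cards asking for different PCR selections.
# "sha256" is a placeholder for whatever TPM2_Algo identityref the module defines.
SAMPLE_OBJECTS = [
    {"pcr-list": [{"TPM2_Algo": "sha256", "pcr-index": [0, 1, 2, 3, 4, 5, 6, 7]}],
     "tpm-name": ["linecard-1"]},
    {"pcr-list": [{"TPM2_Algo": "sha256", "pcr-index": [0, 1, 2, 3, 4, 5, 6, 7, 10]}],
     "tpm-name": ["linecard-2"]},
]


def build_tpm20_challenge(objects: List[dict], nonce: Optional[bytes] = None) -> dict:
    """TPM2.0 input shape from the thread: one nonce-value plus a list of
    challenge-objects, each carrying its own pcr-list and tpm-name list."""
    return {
        "nonce-value": secrets.token_bytes(NONCE_BYTES) if nonce is None else nonce,
        "challenge-objects": [dict(obj) for obj in objects],
    }


def validate_tpm20_challenge(challenge: dict, require_single_tpm: bool = False) -> List[str]:
    """Checks a Verifier would apply before sending; the same constraints could
    be expressed as YANG 'must' expressions on the Attester side.  With
    require_single_tpm=True the whole challenge may name only one TPM, the kind
    of restriction Eric proposes to limit the variants implementers support."""
    errors: List[str] = []
    if len(challenge.get("nonce-value", b"")) < 16:
        errors.append("nonce-value shorter than 16 bytes is not a credible freshness value")
    objects = challenge.get("challenge-objects", [])
    if not objects:
        errors.append("challenge-objects is empty")
    named: List[str] = []
    for n, obj in enumerate(objects):
        algos = [p["TPM2_Algo"] for p in obj.get("pcr-list", [])]
        if len(algos) != len(set(algos)):
            errors.append(f"object {n}: TPM2_Algo is the pcr-list key and must be unique")
        for p in obj.get("pcr-list", []):
            bad = [i for i in p["pcr-index"] if i not in PCR_RANGE]
            if bad:
                errors.append(f"object {n}: pcr-index out of range: {bad}")
        if not obj.get("tpm-name"):
            errors.append(f"object {n}: no tpm-name selects a TPM")
        named.extend(obj.get("tpm-name", []))
    if require_single_tpm and len(set(named)) > 1:
        errors.append(f"policy: challenge names {len(set(named))} TPMs, only one allowed")
    return errors


def split_into_tpm12_challenges(challenge: dict,
                                nonce_factory: Optional[Callable[[], bytes]] = None) -> List[dict]:
    """Re-express a TPM2.0 challenge in the TPM1.2 input shape.  That shape has
    a single pcr-index list per input, so every distinct PCR selection becomes
    its own input with its own nonce-value; TPMs that share a selection can
    still be listed together in one tpm-name list."""
    make_nonce = nonce_factory or (lambda: secrets.token_bytes(NONCE_BYTES))
    by_selection: Dict[Tuple[int, ...], List[str]] = {}
    for obj in challenge["challenge-objects"]:
        # TPM1.2 has one SHA-1 bank, so per-algorithm lists collapse to one index set.
        selection = tuple(sorted({i for p in obj["pcr-list"] for i in p["pcr-index"]}))
        by_selection.setdefault(selection, []).extend(obj["tpm-name"])
    return [
        {"pcr-index": list(sel), "nonce-value": make_nonce(), "tpm-name": names}
        for sel, names in by_selection.items()
    ]


if __name__ == "__main__":
    c20 = build_tpm20_challenge(SAMPLE_OBJECTS)
    print("TPM2.0 validation errors:", validate_tpm20_challenge(c20))
    print("single-TPM policy:", validate_tpm20_challenge(c20, require_single_tpm=True))
    for inp in split_into_tpm12_challenges(c20):
        print("TPM1.2 input:", inp["tpm-name"], inp["pcr-index"], inp["nonce-value"].hex()[:16])
```

Run as a script, the sample produces one valid TPM2.0 challenge but two TPM1.2 inputs with distinct nonces, because the two line cards ask for different PCR selections; if both asked for the same selection the TPM1.2 side would collapse to a single input listing both tpm-names. Injecting nonce_factory is only there so a test can make nonces deterministic; in real use every challenge gets a fresh random nonce.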