Re: [Rats] Reducing YANG output objects with the tpm12-challenge-response-attestation RPC

Guy Fedorkow <gfedorkow@juniper.net> Fri, 09 October 2020 12:34 UTC


Hi Eric,
  We have a lot of TPM1.2's out there - I'd be reluctant to obsolete them to save a paragraph in the YANG model...
As to the structure of the model; Tom Laffey is probably the world's expert (sorry Tom), but I'll find an internal reviewer for an informed opinion.
Thanks
/guy

From: RATS <rats-bounces@ietf.org> On Behalf Of Eric Voit (evoit)
Sent: Wednesday, October 7, 2020 4:36 PM
To: Panwei (William) <william.panwei@huawei.com>; Birkholz, Henk <henk.birkholz@sit.fraunhofer.de>; Eckel, Michael <michael.eckel@sit.fraunhofer.de>; Guy Fedorkow <gfedorkow@juniper.net>; Laffey, Tom (HPE Aruba) <tom.laffey@hpe.com>; frank.xialiang@huawei.com
Cc: rats@ietf.org; draft-ietf-rats-yang-tpm-charra@ietf.org
Subject: [Rats] Reducing YANG output objects with the tpm12-challenge-response-attestation RPC

I am hoping we can simplify what is in Charra's TPM1.2 quote into something similar to what is now in the TPM2.0 quote.    Does anyone know who wrote the original TPM1.2 RPC for the Charra YANG module?   If you did, can you chime in on the questions below?

More specifics on the request:
Right now in the tpm20-challenge-response-attestation RPC output are TPM protected objects enclosed within TPMS_QUOTE_INFO.

Definition of TPMS_QUOTE_INFO Structure
---------------------------------------------------------
typedef struct {
    TPML_PCR_SELECTION pcrSelect;
    TPM2B_DIGEST       pcrDigest;
} TPMS_QUOTE_INFO;

See Table 115 - of
https://trustedcomputinggroup.org/wp-content/uploads/TCG_TSS_Overview_Common_Structures_v0.9_r03_published.pdf

The enclosed TPM2B_DIGEST is calculated across multiple PCRs.  Having to verify across multiple PCRs does not necessarily make it easy for a Verifier to appraise just the minimum set of PCR information which has changed since the last received TPM2B_DIGEST.  Put another way, why should a Verifier reconstruct the proper value of all PCR Quotes when only a single PCR has changed?

To help this happen, if the Attester does know specific PCR values, the Attester can provide these individual values via "unsigned-pcr-values".   By comparing this information to what has previously been validated, it is possible for a Verifier to confirm the Attester's signature while eliminating significant processing.  Additionally, processing where KGVs are exposed can be safely eliminated.

This is a long way of asserting that there is no redundant TPM information carried in the tpm20-challenge-response-attestation RPC response.   This is a good thing.

We should provide the same level of scrutiny to the TPM1.2 objects.  We should eliminate redundant objects from the tpm12-challenge-response-attestation RPC.

If we were to eliminate redundant objects from the TPM1.2 Quote Response, I know that we can eliminate the following objects:

  *   leaf major
  *   leaf minor
  *   leaf rev-Minor
  *   leaf rev-Minor

I also think we can eliminate the following:

  *   fixed  -- as this is a response to the RPC question
  *   locality-at-release

Looking beyond these obvious objects, I am wondering if there is anyone needing to differentiate between tpm12-quote1 and tpm12-quote2.   As TPM1.2 is going to be phased out as equipment gets changed, it seems to make little sense to support both variants if both are not being actively championed by someone.  In fact, I suspect that the YANG model can be updated so that it need not care about quote1 and quote2.   Can whomever included both quote1 and quote2 articulate why there must be a market need to support both going forward?

If we can eliminate either quote1 or quote2 specifics, I suspect we could use the exact same structure as part of the RPC response as was used for TPM2.   It would look something like:

  + tpm12-challenge-response-attestation
    ...
         +--ro output
            +--ro tpm12-attestation-response* []
               +--ro certificate-name?      certificate-name-ref
               +--ro TPMS_QUOTE_INFO        binary
               +--ro quote-signature?       binary
               +--ro up-time?               uint32
               +--ro node-id?               string
               +--ro node-physical-index?   int32 {ietfhw:entity-mib}?
               +--ro unsigned-pcr-values* []
                  +--ro TPM20-hash-algo?   identityref
                  +--ro pcr-values* [pcr-index]
                     +--ro pcr-index    pcr
                     +--ro pcr-value?   binary

I would love to get people's thoughts on what is above, and what might be mandatory to support in tpm12-challenge-response-attestation RPC output.

Thanks,
Eric


Eric Voit
Principal Engineer
.:|:.:|:. Cisco Systems, Inc.