Re: [Rats] Orthogonal: UUID? (was RE: Some new comments for CHARRA YANG module)

"Panwei (William)" <william.panwei@huawei.com> Tue, 18 August 2020 08:35 UTC

From: "Panwei (William)" <william.panwei@huawei.com>
To: "Eric Voit (evoit)" <evoit@cisco.com>, "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>
CC: "rats@ietf.org" <rats@ietf.org>, "draft-ietf-rats-yang-tpm-charra@ietf.org" <draft-ietf-rats-yang-tpm-charra@ietf.org>
Date: Tue, 18 Aug 2020 08:35:25 +0000
Message-ID: <6d651f96f7d04f43a5cbb6d2ce8fbbc3@huawei.com>
References: <BL0PR11MB312275D009055A74A688C083A1400@BL0PR11MB3122.namprd11.prod.outlook.com>
In-Reply-To: <BL0PR11MB312275D009055A74A688C083A1400@BL0PR11MB3122.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/YMz6jPQNXgqAoT8gMFKNa9EeG_A>

Hi Eric,

Thanks for asking, but I'm afraid that the UUID structures weren't introduced by us at Huawei. And we don't use UUIDs, so we don't object to dropping them from the model.


Regards & Thanks!

Wei Pan


From: Eric Voit (evoit) [mailto:evoit@cisco.com]
Sent: Saturday, August 15, 2020 3:26 AM
To: Panwei (William) <william.panwei@huawei.com>; Shwetha Bhandari (shwethab) <shwethab@cisco.com>
Cc: rats@ietf.org; draft-ietf-rats-yang-tpm-charra@ietf.org
Subject: Orthogonal: UUID? (was RE: Some new comments for CHARRA YANG module)


Hi Wei Pan,



Just slightly related to the question you asked previously, I have a question on the model/tree you sent back (in-line...)



> From: Panwei, August 14, 2020 6:01 AM
> To: Eric Voit (evoit) <evoit@cisco.com>; Shwetha Bhandari (shwethab)
>
> Hi Eric,
>
> Thanks for your reply, please see inline.
>
> Regards & Thanks!
> Wei Pan
>
> From: Eric Voit (evoit) [mailto:evoit@cisco.com]
> Sent: Thursday, August 13, 2020 10:32 PM
> To: Panwei (William) <william.panwei@huawei.com>; Shwetha Bhandari
> (shwethab) <shwethab@cisco.com>
> Cc: rats@ietf.org; draft-ietf-rats-yang-tpm-charra@ietf.org
> Subject: RE: Some new comments for CHARRA YANG module
>
> Hi Wei Pan,
>
> From: Panwei (William), August 13, 2020 8:29 AM Hi Eric,
>
> 2. The styles of challenge input for TPM1.2 and TPM2.0 are different.
>       +---x tpm20-challenge-response-attestation {TPM20}?
>       |  +---w input
>       |  |  +---w tpm20-attestation-challenge
>       |  |     +---w nonce-value          binary
>       |  |     +---w challenge-objects* []
>       |  |        +---w pcr-list* [TPM2_Algo]
>       |  |        |  +---w TPM2_Algo        identityref
>       |  |        |  +---w pcr-index*       tpm:pcr
>       |  |        +---w TPM2_Algo?          identityref
>       |  |        +---w (key-identifier)?
>       |  |        |  +--:(public-key)
>       |  |        |  |  +---w pub-key-id?   binary
>       |  |        |  +--:(uuid)
>       |  |        |     +---w uuid-value?   binary
>       |  |        +---w tpm-name*           string
> In the TPM2.0 challenge input, the nonce is put aside and the challenge-objects
> is a list. So you can challenge for different pcr-lists of different TPMs in one
> challenge input.
>       +---x tpm12-challenge-response-attestation {TPM12}?
>       |  +---w input
>       |  |  +---w tpm1-attestation-challenge
>       |  |     +---w pcr-index*              pcr
>       |  |     +---w nonce-value             binary
>       |  |     +---w TPM12_Algo?             identityref
>       |  |     +---w (key-identifier)?
>       |  |     |  +--:(public-key)
>       |  |     |  |  +---w pub-key-id?       binary
>       |  |     |  +--:(TSS_UUID)
>       |  |     |     +---w TSS_UUID-value
>       |  |     |        +---w ulTimeLow?       uint32
>       |  |     |        +---w usTimeMid?       uint16
>       |  |     |        +---w usTimeHigh?      uint16
>       |  |     |        +---w bClockSeqHigh?   uint8
>       |  |     |        +---w bClockSeqLow?    uint8
>       |  |     |        +---w rgbNode*         uint8


UUID is represented differently in the TPM1.2 and TPM2 models. In fact the TPM1.2 modeling has the UUID broken into constituent parts, none of which are mandatory where other UUID parts exist. Shwetha told me that the UUID structures originally came from Huawei. A few questions:

(1) UUID only appears in RPCs. It doesn't appear in the datanodes. Nor does UUID appear in draft-ietf-netconf-keystore. As a result it is hard to see how it might correspond to a key, at least in an IETF YANG ecosystem. Is support for UUID really essential? Why?

(2) Assuming you really want UUIDs, I am hoping the datatypes can be reconciled between TPM1.2 and TPM2 RPCs. Is there a reason you wouldn't just use the uuid YANG typedef of RFC6991 for both?

(3) Assuming you really want UUIDs, you need to propose how a UUID might relate to keys within the IETF ecosystem of YANG models.

BTW: If you don't need UUIDs, we could always drop them from the model. (Leaving them to vendor specific augmentations if necessary.)

Thanks,

Eric


>       |  |     +---w add-version?            boolean
>       |  |     +---w tpm-name*               string
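To make Eric's question (2) concrete, the following is an added illustration (not code from the thread or from the CHARRA draft) of mapping both the TPM2.0 `uuid-value` octets and the TPM1.2 `TSS_UUID-value` fields onto the single `uuid` typedef of RFC 6991, and validating against that typedef's pattern. It assumes the RFC 4122 big-endian serialization of the numeric fields; the TSS 1.2 in-memory struct uses host byte order, so a real implementation would normalize before converting.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Pattern of the RFC 6991 ietf-yang-types "uuid" typedef (canonical RFC 4122 text form).
YANG_UUID_PATTERN = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

@dataclass
class TssUuid:
    """Field-by-field UUID as in the quoted TPM1.2 tree (TSS_UUID-value)."""
    ulTimeLow: int
    usTimeMid: int
    usTimeHigh: int
    bClockSeqHigh: int
    bClockSeqLow: int
    rgbNode: List[int] = field(default_factory=list)

    def to_bytes(self) -> bytes:
        # Assumed RFC 4122 wire layout: each numeric field big-endian, then the 6 node octets.
        if len(self.rgbNode) != 6:
            raise ValueError("rgbNode must hold exactly 6 octets")
        return (self.ulTimeLow.to_bytes(4, "big") + self.usTimeMid.to_bytes(2, "big")
                + self.usTimeHigh.to_bytes(2, "big")
                + bytes([self.bClockSeqHigh, self.bClockSeqLow]) + bytes(self.rgbNode))

def binary_to_yang_uuid(raw: bytes) -> str:
    """Render a 16-octet uuid-value (TPM2.0 tree) as a yang:uuid string."""
    if len(raw) != 16:
        raise ValueError("uuid-value must be exactly 16 octets")
    h = raw.hex()
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"

def tss_to_yang_uuid(u: TssUuid) -> str:
    """Render the TPM1.2 field-by-field form as the same yang:uuid string."""
    return binary_to_yang_uuid(u.to_bytes())

def is_valid_yang_uuid(text: str) -> bool:
    return YANG_UUID_PATTERN.match(text) is not None

def yang_uuid_to_tss(text: str) -> TssUuid:
    """Inverse mapping, so a single typedef can still feed a TSS_UUID-style API."""
    if not is_valid_yang_uuid(text):
        raise ValueError("not a yang:uuid string")
    raw = bytes.fromhex(text.replace("-", ""))
    return TssUuid(int.from_bytes(raw[0:4], "big"), int.from_bytes(raw[4:6], "big"),
                   int.from_bytes(raw[6:8], "big"), raw[8], raw[9], list(raw[10:16]))
```

Because the typedef requires every field to be present, it also removes the "none of the parts are mandatory" problem Eric notes for the TPM1.2 tree.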