[Rats] Some new comments for CHARRA YANG module
"Panwei (William)" <william.panwei@huawei.com> Thu, 13 August 2020 12:28 UTC
Return-Path: <william.panwei@huawei.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCD2D3A0BDF; Thu, 13 Aug 2020 05:28:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2kqkqxG2AqeI; Thu, 13 Aug 2020 05:28:47 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D89A53A0BE9; Thu, 13 Aug 2020 05:28:46 -0700 (PDT)
Received: from lhreml727-chm.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id C6C3F58051951C0DB629; Thu, 13 Aug 2020 13:28:44 +0100 (IST)
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by lhreml727-chm.china.huawei.com (10.201.108.78) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Thu, 13 Aug 2020 13:28:44 +0100
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by nkgeml705-chm.china.huawei.com (10.98.57.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Thu, 13 Aug 2020 20:28:41 +0800
Received: from nkgeml705-chm.china.huawei.com ([10.98.57.154]) by nkgeml705-chm.china.huawei.com ([10.98.57.154]) with mapi id 15.01.1913.007; Thu, 13 Aug 2020 20:28:41 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: "Eric Voit (evoit)" <evoit@cisco.com>
CC: "rats@ietf.org" <rats@ietf.org>, "draft-ietf-rats-yang-tpm-charra@ietf.org" <draft-ietf-rats-yang-tpm-charra@ietf.org>
Thread-Topic: Some new comments for CHARRA YANG module
Thread-Index: AdZxbUUfWQ8kKtvDQNubGicd9eCWvQ==
Date: Thu, 13 Aug 2020 12:28:41 +0000
Message-ID: <300450dd9780421aa1b9f5afa88261fc@huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.164.120.6]
Content-Type: multipart/alternative; boundary="_000_300450dd9780421aa1b9f5afa88261fchuaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/eXumVIfcQGEh2_JymRJriL3N97M>
Subject: [Rats] Some new comments for CHARRA YANG module
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2020 12:28:49 -0000
Hi Eric,
In modifying the YANG module, I have some new comments about the module.
1. Do we still need the basic-trust-establishment now? It provides the function of retrieving the certificates of TPM2.0. But I think now the certificates can be get from the rats-support-structure and ietf-keystore.
2. The styles of challenge input for TPM1.2 and TPM2.0 are different.
+---x tpm20-challenge-response-attestation {TPM20}?
| +---w input
| | +---w tpm20-attestation-challenge
| | +---w nonce-value binary
| | +---w challenge-objects* []
| | +---w pcr-list* [TPM2_Algo]
| | | +---w TPM2_Algo identityref
| | | +---w pcr-index* tpm:pcr
| | +---w TPM2_Algo? identityref
| | +---w (key-identifier)?
| | | +--:(public-key)
| | | | +---w pub-key-id? binary
| | | +--:(uuid)
| | | +---w uuid-value? binary
| | +---w tpm-name* string
In the TPM2.0 challenge input, the nonce is put aside and the challenge-objects is a list. So you can challenge for different pcr-lists of different TPMs in one challenge input.
+---x tpm12-challenge-response-attestation {TPM12}?
| +---w input
| | +---w tpm1-attestation-challenge
| | +---w pcr-index* pcr
| | +---w nonce-value binary
| | +---w TPM12_Algo? identityref
| | +---w (key-identifier)?
| | | +--:(public-key)
| | | | +---w pub-key-id? binary
| | | +--:(TSS_UUID)
| | | +---w TSS_UUID-value
| | | +---w ulTimeLow? uint32
| | | +---w usTimeMid? uint16
| | | +---w usTimeHigh? uint16
| | | +---w bClockSeqHigh? uint8
| | | +---w bClockSeqLow? uint8
| | | +---w rgbNode* uint8
| | +---w add-version? boolean
| | +---w tpm-name* string
In the TPM1.2 challenge input, if you want to challenge for different pcr-indexs of different TPMs, you need to construct multiple challenge inputs with different nonce values.
I think it's better to change the style of TPM1.2 to the same one of TPM2.0.
3. In the log-retrieval part, the input uses tpm-name as the identifier, but the output uses certificate-name. The certificate-name isn't used in the log-result, should we also use tpm-name as the identifier of output?
Regards & Thanks!
Wei Pan
- [Rats] Some new comments for CHARRA YANG module Panwei (William)
- Re: [Rats] Some new comments for CHARRA YANG modu… Eric Voit (evoit)
- Re: [Rats] Some new comments for CHARRA YANG modu… Panwei (William)