[Rats] Benjamin Kaduk's Discuss on draft-ietf-rats-yang-tpm-charra-16: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 09 March 2022 05:57 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: rats@ietf.org
Delivered-To: rats@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A5EC93A1018; Tue, 8 Mar 2022 21:57:51 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-rats-yang-tpm-charra@ietf.org, rats-chairs@ietf.org, rats@ietf.org, ncamwing@cisco.com, nancy.winget@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.46.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <164680547164.27887.9180530675188101140@ietfa.amsl.com>
Date: Tue, 08 Mar 2022 21:57:51 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/fId5m-emy0hMkOtNtVdsvivrquc>
Subject: [Rats] Benjamin Kaduk's Discuss on draft-ietf-rats-yang-tpm-charra-16: (with DISCUSS and COMMENT)
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2022 05:57:52 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-rats-yang-tpm-charra-16: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-rats-yang-tpm-charra/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- (1) Section 2 references the "ietf-basic-remote-attestation YANG module", but that appears to be an older name for what got renamed to the "ietf-tpm-remote-attestation" module at time of WG adoption. (2) There are some issues with references, either pointing to the wrong document or to a draft version of a specification when there is a final version available. (2.1) The YANG reference stanza for "feature ima" (in the ietf-tpm-remote-attestation module) still refers to a draft version of the Canonical Event Log specification. (2.2) The YANG reference stanza for "grouping ima-event" (in the same module) does the same. (2.3) The PDF link in the description of "feature tpm20" (in the ietf-tcg-algs YANG module) appears to point to a draft version of the specification. Since the link is to a 2011 version, I trust that the final version is already available, and the fix is just to update the link. (2.4) The PDF link in the descriptions of all three "enum" values of "leaf type" in "container certificates" in the ietf-tpm-remote-attestation module points to a draft version of the TCG specification. (2.5) The PDF link in the description of "feature tpm20" in the ietf-tcg-algs YANG module points to a draft version of the TCG specification. (2.6) The description for "identity TPM_ALG_HMAC" in the ietf-tcg-algs YANG module points to RFC 2014 as one reference, but HMAC is RFC 2104. (2.7) The reference for [TPM2.0-Arch] links to a draft version of the TCG specification. (2.8) The reference for [TPM2.0-Key] links to a draft version of the TCG specification. (3) Some of the references don't seem to match up with their slugs -- e.g., [ima-log] seems to point to the TCB "canonical event log format" and [netequip-boot-log] (and the YANG reference stanza for "feature netequip_boot") points to what looks like a Linux IMA document. While the description in "grouping network-equipment-boot-event-log" does give some indication that [netequip-boot-log] is intended to be very similar to the IMA format, I don't think we can reasonably just directly reference the IMA spec and call it [netequip-boot-log] without some additional clarification either in the reference entry or where it is used. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Section 2.1.1.1 * 'TPMs': Indicates that multiple TPMs on the device can support remote attestation. This feature is applicable in cases where multiple line cards are present, each with its own TPM. It sounds like this is intending to emphasize "TPMs" as opposed to "TPM" singular; making the plural 's' have semantic value seems to risk confusion, and perhaps a "multi-tpm" feature name would be less risk-prone. Section 2.1.1.5 Container 'rats-support-structures': This houses the set of information relating to a device's TPM(s). Container 'tpms': Provides configuration and operational details for each supported TPM, including the tpm-firmware-version, PCRs which I believe that in the current YANG module, "tpms" is a child of "rats-support-structures" (along with "compute-nodes" and "attester-supported-algos"), which does not really seem very commensurate with the prose summary here. +--rw tpms +--rw tpm* [name] [...] +--rw firmware-version identityref +--rw tpm12-hash-algo? identityref +--rw tpm12-pcrs* pcr +--rw tpm20-pcr-bank* [tpm20-hash-algo] It's fairly surprising that the firmware-version is writable, and I'm not really sure what it means to have the set of pcrs be writable, either. Section 2.1.1.6 typedef pcr { type uint8 { range "0..31"; } description "Valid index number for a PCR. At this point 0-31 is viable."; That's a fairly surprising description to see in a Proposed Standard. If we are not sure that the range restriction will always be valid, should we be enforcing it as part of the module? typedef compute-node-ref { type leafref { path "/tpm:rats-support-structures/tpm:compute-nodes" + "/tpm:compute-node/tpm:node-name"; } description "This type is used to reference a hardware node. It is quite possible this leafref will eventually point to another YANG module's node."; Similarly here, I might expect the statement to be a caution to the reader that they need to handle the case where it points to another YANG module's node, rather than "it is quite possible" that such an eventuality might occur. grouping tpm20-hash-algo { [...] default "taa:TPM_ALG_SHA256"; description "The hash scheme that is used to hash a TPM1.2 PCR. This must be one of those supported by a platform."; Is this description with "TPM1.2" really correct in the "tpm20-hash-algo" grouping? default "taa:TPM_ALG_SHA1"; description "The hash scheme that is used to hash a TPM1.2 PCR. This MUST be one of those supported by a platform. This assumes that an algorithm other than SHA1 can be supported on some TPM1.2 cryptoprocessor variant."; What exactly assumes that? Use of a non-default value, perhaps? grouping nonce { description "A random number intended to be used once to show freshness and to allow the detection of replay attacks."; "Show freshness" makes sense and seems intuitive. Detecting replay attacks seems like it would require some additional infrastructure (a "replay cache", perhaps, ideally with some time-based aging out), about which we say nothing. Is this replay protection expected to be part of the TPM chip itself, or on the composite device hosting the YANG server, or somewhere else entirely? It seems a bit disingenuous to suggest that such functionality is possible while providing no pointers at all for how to achieve it. grouping tpm12-pcr-selection { description "A Verifier can request one or more PCR values using its individually created Attestation Key Certificate (AC). The corresponding selection filter is represented in this grouping. Requesting a PCR value that is not in scope of the AC used, detailed exposure via error msg should be avoided."; This last sentence seems to be missing a few words that are vital to the meaning. grouping tpm12-pcr-selection { [...] leaf-list pcr-index { [...] description "The numbers/indexes of the PCRs. At the moment this is limited to 32. In addition, any selection of PCRs MUST verify that (A similar comment as above regarding "at the moment" and future-proofing what goes into a Proposed Standard.) grouping tpm20-pcr-selection { [...] list tpm20-pcr-selection { unique "tpm20-hash-algo"; I confess to being only a YANG amateur, but am not really sure why the "unique" qualifier is preferable to the "key" one in this case (and several others later on, but I'll just mention this one). grouping tpm-name { description "A unique TPM on a device."; leaf name { type string; description "Unique system generated name for a TPM on a device."; If it's system-generated would that imply config false? uses node-uptime; list unsigned-pcr-values { description [...] significant processing. There should never be a result where an unsigned PCR value is actually that that within a quote. If there is a difference, a signed result which has been verified from retrieved logs is considered definitive."; I'm not sure I understand this part -- is there a missing negation in the first sentence? grouping boot-event-log { description "Defines a specific instance of an event log entry and corresponding to the information used to extend the PCR"; leaf event-number { type uint32; description "Unique event number of this event"; Should we mention what scope the uniqueness is within? (At only 32 bits it cannot be globally unique.) leaf pcr-index { type pcr; description "Defines the PCR index that this event extended"; } Why is this not mandatory? leaf-list event-data { type uint8; description "The event data size determined by event-size"; Is there some missing punctuation or something here? Otherwise the focus on size seems strange, given that there is a separate "leaf event-size". (Also, why is a leaf-list of uint8 better than "type binary"?) grouping ima-event { description "Defines an hash log extend event for IMA measurements"; reference "ima-log: https://www.trustedcomputinggroup.org/wp-content/uploads/ TCG_IWG_CEL_v1_r0p30_13feb2021.pdf Section 4.3"; Is section 4.3 the best section to reference? I only see specifics about, e.g., the hash algorithm being encoded as a string later on, circa §5.1.6. leaf filename-hint { type string; description "File that was measured"; Is this just the file name, a full path, either, ...? leaf signature { type binary; description "The file signature"; Both this description and the reference for ima-event seem pretty sparse on what the signature actually covers. rpc tpm20-challenge-response-attestation { if-feature "taa:tpm20"; description "This RPC accepts the input for TSS TPM 2.0 commands of the managed device. ComponentIndex from the hardware manager YANG module to refer to dedicated TPM in composite devices, e.g. smart NICs, is still a TODO."; I would prefer to not see "is still a TODO" in a Proposed Standard. "Out of the scope of this specification" is seen much more often (though in some sense it conveys much the same meaning...) container compute-nodes { [...] list compute-node { key "node-id"; If we're going to use "leaf node-name" for leafrefs, does that require a uniqueness constraint on "node-name" here? container tpms { [...] leaf path { type string; config false; description "Path to a unique TPM on a device. This can change across reboots."; Is this a ... device-tree path? Surely it is not a filesystem path, right? leaf firmware-version { type identityref { base taa:cryptoprocessor; } mandatory true; description "Identifies the cryptoprocessor API set supported. This is automatically configured by the device and should not be changed."; (Per my previous comment on the tree diagram, "should not be changed" strongly implies that it should be "config false" to me. When might that not be the case?) container attester-supported-algos { description "Identifies which TPM algorithms are available for use on an attesting platform."; [...] Just to confirm I'm reading this properly: the lists herein are not scoped to specific TPM instances, but are rather global to the entire composite device; the "when" constraints just say that each leaf-list is only present if there are any TPMs of the corresponding TPM version present but do not otherwise limit the scope of applicability for the algorithms in question? That seems rather surprising, especially if one considers a scenario where there are multiple line cards on a given device and one could be hot-replaced to a newer model with a TPM that supports more algorithms. But perhaps I'm missing something. Section 2.1.2.2 3. Specific algorithm types: Each algorithm type defines what cryptographic functions may be supported, and on which type of API specification. It is not required that an implementation of a specific TPM will support all algorithm types. The contents of each specific algorithm mirrors what is in Table 3 of [TCG-Algos]. This phrasing implies a strong sense of consistency between the two documents. I did not attempt to perform a rigorous verification of each element between the two documents, but I hope someone has done so. Section 2.1.2.3 contact "WG Web: <https://datatracker.ietf.org/wg/rats/> WG List: <mailto:rats@ietf.org> Author: Eric Voit <mailto:evoit@cisco.com>"; Just to confirm: it's correct for Eric to be the only listed author for this module (vs ietf-tpm-remote-attestation, that includes what appears to be the whole author list of the I-D)? identity signing { description "A TCG recognized signing algorithm"; reference "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 2"; I understand a desire to remain consistent with what the TCG says, but would we consider mentioning that this also includes symmetric crypto "signing" operations? identity method { description "A TCG recognized method such as a mask generation function."; Perhaps we want "cryptographic method" here, in light of the way the TCG spec frames things. identity TPM_ALG_XOR { if-feature "tpm12 or tpm20"; base tpm12; base tpm20; base hash; base symmetric; I didn't see in the TCG Algorithm Registry Rev1.32 doc that indicated that the "XOR encryption algorithm" derived from a hash. Please confirm that "base hash" is correct. identity TPM_ALG_SYMCIPHER { if-feature "tpm20"; base tpm20; description "Object type for a symmetric block cipher"; reference "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and TCG TPM 2.0 library specification. ALG_ID: 0x0025"; Is the lack of "base symmetric" correct? (The algorithm registry doc seems to list is as an "object" as well as symmetric.) Also, I guess this is a tolerable place to ask why the "AES" alg is specific to TPM 1.2. I found mention of (e.g.) "AES128" in at least one TPM 2.0 spec, so presumably I'm just missing how those algorithms are represented in the TPM 2.0 model (and why symmetric ciphers are treated differently than the different output lengths of the SHA2 and SHA3 family of hash functions, which do get individual algorithm identities in this YAND module). Perhaps they use this TPM_ALG_SYMCIPHER! Section 4 The YANG security considerations template has a section about readable data nodes that are considered sensitive. Does that apply to any of the nodes in the modules defined by this document? Container '/rats-support-structures/attester-supported-algos': 'tpm1 2-asymmetric-signing', 'tpm12-hash', 'tpm20-asymmetric-signing', and 'tpm20-hash'. All could be populated with algorithms that are not supported by the underlying physical TPM installed by the equipment vendor. We should say what the impact of that configuration would be at runtime. Container: '/rats-support-structures/tpms': 'name': Although shown as 'rw', it is system generated. Therefore it should not be Why is it shown as 'rw', then? Also, separately, if we're going to keep 'firmware-version' as writable, there seems to be some consideration there, as telling a TPM 2.0-only chip to use TPM 1.2 is going to be a DoS. 'certificates': It is possible to provision a certificate which does not correspond to an Attestation Identity Key (AIK) within the TPM 1.2, or an Attestation Key (AK) within the TPM 2.0 respectively. Could we have a sentence about the runtime impact of such a misconfiguration? RPC 'tpm12-challenge-response-attestation': It must be verified that [...] RPC 'tpm20-challenge-response-attestation': It must be verified that Must be verified by whom? In order to achieve what property? Section 6.1 [ISO-IEC-9797-2] "Message Authentication Codes (MACs) - ISO/IEC 9797-2:2011", n.d., <https://www.iso.org/standard/51618.html>. Following the link indicates that there's a 2021 revision available; do we need the older version specifically? NITS Section 2.1.1.1 * 'TPMs': Indicates that multiple TPMs on the device can support remote attestation. This feature is applicable in cases where multiple line cards are present, each with its own TPM. An "e.g." or "for example" seems appropriate here. Section 2.1.1.6 description "Name of one or more unique TPMs on a device. If this object exists, a selection should pull only the objects related to these TPM(s). If it does not exist, all qualifying TPMs that are 'hardware-based' equals true on the device are selected."; I think s/are/have/ would make sense. grouping tpm20-attestation { description "Contains an instance of TPM2 style signed cryptoprocessor measurements. It is supplemented by unsigned Attester information."; leaf TPMS_QUOTE_INFO { type binary; mandatory true; description "A hash of the latest PCR values (and the hash algorithm used) which have been returned from a Verifier for the selected PCRs and Hash Algorithms."; reference "TPM2.0-Structures: https://www.trustedcomputinggroup.org/wp-content/uploads/ TPM-Rev-2.0-Part-2-Structures-01.38.pdf Section 10.12.1"; The reference appeears to include two sections marked 10.12.1(!), though clearly we do not want the one entitled "introduction". leaf filedata-hash { type binary; description "Hash of filedata"; It is perhaps banal, but mentioning that the interpretation is controlled by the filedata-hash-algorithm might be useful. rpc tpm12-challenge-response-attestation { [...] input { container tpm12-attestation-challenge { [...] leaf-list certificate-name { if-feature "tpm:tpms"; type certificate-name-ref; must "/tpm:rats-support-structures/tpm:tpms" + "/tpm:tpm[tpm:firmware-version='taa:tpm12']" + "/tpm:certificates/" + "/tpm:certificate[name=current()]" { error-message "Not an available TPM1.2 AIK certificate."; This is the first instance of "AIK" in the document (it does not appear in the prose until the security considerations). Perhaps it should get mentioned in the Introduction as another term inported from TPM2.0-key? rpc tpm20-challenge-response-attestation { if-feature "taa:tpm20"; description "This RPC accepts the input for TSS TPM 2.0 commands of the managed device. ComponentIndex from the hardware manager YANG module to refer to dedicated TPM in composite devices, e.g. smart NICs, is still a TODO."; The second sentence seems to be missing a verb. output { list tpm20-attestation-response { unique "certificate-name"; description "The binary output of TPM2b_Quote in one TPM chip of the node which identified by node-id. [...] Does "chip" imply hardware chip, which is perhaps more specific than the introductory materials indicated to be the scope of applicability? container rats-support-structures { container compute-nodes { if-feature "tpm:tpms"; description "Holds the set device subsystems/components in this composite device that support TPM operations."; "set of" leaf status { type enumeration { enum operational { value 0; description "The TPM currently is currently running normally and is ready to accept and process TPM quotes."; reference "TPM2.0-Arch: TPM-Rev-2.0-Part-1-Architecture-01.07-2014-03-13.pdf Section 12"; Huh, why is this not an https URI? container certificates { description "The TPM's certificates, including EK certificates and AK certificates."; While we're expanded LAK and IAK previously, we haven't expanded just "AK" itself yet. Section 2.1.2.3 organization "IETF RATS Working Group"; Do we want to use the same spelling as in the ietf-tpm-remote-attestation module? identity tpm12 { if-feature "tpm12"; base cryptoprocessor; description "Supportable by a TPM1.2."; reference "TPM1.2-Structures: https://trustedcomputinggroup.org/wp-content/uploads/ TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf TPM_ALGORITHM_ID values, page 18"; We referenced it as section 4.8 (vs page 18) for the YANG "feature" stanza. identity tpm20 { if-feature "tpm20"; base cryptoprocessor; description "Supportable by a TPM2."; reference "TPM2.0-Structures: https://trustedcomputinggroup.org/wp-content/uploads/ TPM-Rev-2.0-Part-2-Structures-01.38.pdf The TCG Algorithm Registry. Table 9"; Is table 9 the right reference? identity TPM_ALG_SM4 { if-feature "tpm20"; base tpm20; base symmetric; description "SM4 symmetric block cipher"; reference "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3. ALG_ID: 0x0013"; Isn't SM4 an ISO standard now as well? identity TPM_ALG_RSASSA { if-feature "tpm20"; base tpm20; base asymmetric; base signing; description "Signature algorithm defined in section 8.2 (RSASSAPKCS1-v1_5)"; reference "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and RFC 8017. ALG_ID: 0x0014"; } identity TPM_ALG_RSAES { if-feature "tpm20"; base tpm20; base asymmetric; base encryption_mode; description "Signature algorithm defined in section 7.2 (RSAES-PKCS1-v1_5)"; I think you need to say what document the section numbers are from, since two references are listed in the reference stanza. identity TPM_ALG_ECDH { if-feature "tpm20"; base tpm20; base asymmetric; base method; description "Secret sharing using ECC"; reference "TCG-Algos:TCG Algorithm Registry Rev1.32 Table 3 and NIST SP800-56A and RFC 7748. ALG_ID: 0x0019"; RFC 7748 is specific to the so-called "CFRG curves"; is it really the right reference for generic ECDH?
- [Rats] Benjamin Kaduk's Discuss on draft-ietf-rat… Benjamin Kaduk via Datatracker
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Eric Voit (evoit)
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Henk Birkholz
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Eric Voit (evoit)
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Eric Voit (evoit)
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Henk Birkholz
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Rats] Benjamin Kaduk's Discuss on draft-ietf… Henk Birkholz