Re: [Rats] yang tpm defining a datastore?

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 19 February 2021 17:19 UTC

Date: Fri, 19 Feb 2021 18:18:54 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: "Eric Voit (evoit)" <evoit@cisco.com>
Cc: "rats@ietf.org" <rats@ietf.org>
Message-ID: <20210219171854.g3q4mbyqzk3smuf5@anna.jacobs.jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/kvuYaG2O-Ib5wmNO7-f6LoZ9dms>

The text in the I-D makes me believe you are defining configuration,
not a new datastore. I assume you talk about the server side (which I
assume to be the attester) and you want to configure that certain
attestation requests are rejected. If so, this is all regular
configuration and not a new datastore. (But it might also be that I do
not understand things right. But defining a new datastore is most
likely not what you want to do.)

Note that not everything must be defined using XPATH. What is
important here is likely that it is well defined how the server reacts
and which failure code it returns if there is a mismatch.

/js

On Fri, Feb 19, 2021 at 04:47:41PM +0000, Eric Voit (evoit) wrote:
> Hi Juergen,
> 
> > Juergen Schoenwaelder, February 19, 2021 8:22 AM
> > 
> > draft-ietf-rats-yang-tpm-charra-05 says:
> > 
> >    This document defines a YANG RPC and a minimal datastore required to
> >    retrieve attestation evidence about integrity measurements from a
> >    device following the operational context defined in TPM-based Network
> >    Device Remote Integrity Verification.
> > 
> > Does it define a datastore? To me, it seems the document defines a data
> > model but not a datastore.
> 
> There is a small datastore within this model.  Section 2.1.1.6:
> 
>    container <attester-supported-algos> - Identifies which TCG
>    algorithms are available for use the Attesting platform.  This allows
>    an operator to limit algorithms available for use by RPCs to just a
>    desired set from the universe of all allowed by TCG.
> 
>    +--rw attester-supported-algos
>       +--rw tpm12-asymmetric-signing*   identityref {taa:TPM12}?
>       +--rw tpm12-hash*                 identityref {taa:TPM12}?
>       +--rw tpm20-asymmetric-signing*   identityref {taa:TPM20}?
>       +--rw tpm20-hash*                 identityref {taa:TPM20}?
> 
> It is these populated nodes where we could really use your help.   Basically
> there are XPATH statements embedded in the model which are intended to
> enforce that RPCs only use the <attester-supported-algos>.  I.e., the RPCs
> will only accept values which the operator says are available from the
> platform.   
> 
> Would you be willing to help us ensure these are correct?
> 
> Thanks,
> Eric
> 
>  
> >    [I-D.ietf-rats-reference-interaction-models] document.  A fresh nonce
> >    with an appropriate amount of entropy MUST be supplied by the YANG
> >    client in order to enable a proof-of-freshness with respect to the
> >    attestation evidence provided by the attester running the YANG
> >    datastore.
> > 
> > The "YANG datastore"?
> > 
> >   container rats-support-structures {
> >     description
> >       "The datastore definition enabling verifiers or relying
> >        parties to discover the information necessary to use the
> >        remote attestation RPCs appropriately.";
> > 
> > I guess this is all just sloppy wording, it does not seem like you are
> > defining a datastore. Note that a schema element like a container can be
> > instantiated in several datastores, not just one.
> > 
> > /js
> > 
> > --
> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> > 
-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
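As an added illustration of the point discussed in this thread (not code from the draft or from either author): the check the embedded XPath statements are meant to enforce, written as server-side logic that accepts an RPC only when its algorithm parameters are in the operator-populated attester-supported-algos lists and otherwise returns a defined NETCONF error. The algorithm identity names and the RPC input layout are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed configuration standing in for the operator-populated
# <attester-supported-algos> container. Identity names are placeholders,
# not identities from the draft or the TCG algorithm registry.
SUPPORTED_ALGOS = {
    "tpm20-asymmetric-signing": {"x:ecdsa-p256", "x:rsassa-2048"},
    "tpm20-hash": {"x:sha256", "x:sha384"},
    "tpm12-asymmetric-signing": set(),  # operator left the TPM 1.2 lists empty
    "tpm12-hash": set(),
}

@dataclass
class RpcError:
    """Fields of a NETCONF <rpc-error> (RFC 6241, section 4.3)."""
    error_type: str
    error_tag: str
    error_app_tag: str
    error_path: str
    error_message: str

def check_algo(leaf: str, value: str, supported=SUPPORTED_ALGOS) -> Optional[RpcError]:
    """Accept `value` only if it appears in the configured list `leaf`.

    A mismatch is reported the way RFC 7950 (section 7.5.4.1) reports a
    violated 'must': error-tag operation-failed, error-app-tag must-violation,
    so the client gets a defined failure code instead of a silent fallback
    to an algorithm the operator did not allow.
    """
    allowed = supported.get(leaf)
    if allowed is None:
        return RpcError("application", "unknown-element", "", f"/{leaf}",
                        f"{leaf} is not an attester-supported-algos list")
    if value not in allowed:
        return RpcError("application", "operation-failed", "must-violation",
                        f"/attester-supported-algos/{leaf}",
                        f"{value} is not configured as available on this platform")
    return None

def check_rpc(rpc_input: dict, supported=SUPPORTED_ALGOS) -> list:
    """Validate every algorithm parameter of an RPC input; [] means accept."""
    errors = []
    for leaf, value in rpc_input.items():
        err = check_algo(leaf, value, supported)
        if err is not None:
            errors.append(err)
    return errors

if __name__ == "__main__":
    # Constructed request: a SHA-1 digest on a platform whose operator listed only SHA-256/384.
    for e in check_rpc({"tpm20-hash": "x:sha1", "tpm20-asymmetric-signing": "x:ecdsa-p256"}):
        print(e.error_tag, e.error_app_tag, e.error_message)
```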