IETF Logo Mail Archive

Re: [Rats] do not address yang warnings by making nodes writable

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 05 March 2021 15:52 UTC

Return-Path: <J.Schoenwaelder@jacobs-university.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1372D3A2708 for <rats@ietfa.amsl.com>; Fri, 5 Mar 2021 07:52:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=jacobsuniversity.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mkJQjWgttVl for <rats@ietfa.amsl.com>; Fri, 5 Mar 2021 07:52:49 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60087.outbound.protection.outlook.com [40.107.6.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49A6C3A2706 for <rats@ietf.org>; Fri, 5 Mar 2021 07:52:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cGpTVw5eW0tKZyBpVpKDk4REuhOA6Vt+cgOyVCJPsxXQs7c+530BCiQ5MKTpAL/5RnWTvHEMTd/oJhchxXYpaQfttj9WchTqr9WOYsqSO1m/Bz2tojUEsZuQ+9aGO+tSkK20aNJWioesMVxjAjjMphqeXDvUnm1ugfz0H1yvyvcOKAgE1eDW+WQJhnEZnKNmCKS+rImCdVXCESfY5cUEjtOrxKJPcSYcjNzdklmdQVfQQuv6QLdQQmAFXF6tLux592OYeq8Hb9+pGXIAXidE24wYmAp00w8DC8mHrRkYiRRnpR48JC0yshxVHIwNhj1LLgLobEE2YwimmY3wSs4bHg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mCsVqcj5GAs8UAZlqH/5874gsQ5YZVmG2wNxppAQyzw=; b=fulDUeVsQO9qwmZa2EjI2UEhiY3PzyfxUn6kQkSMMGbkFRLzYKia2tB2+zuPvRWt9xLMzs7+79hAujAZ4OeYFHK4ziFVyqWMGiUooBtz9CHeycrsIons7LhLsufLj/gmz8ulYiXl2r2EQ9Tp4aYbmXhnJbeuuKJoyTmr1VRiYVGS1TQM6IazNwCEEktvcR/4B2+xITWslNuMZuzW4ixakLtiodMdtC+tr+au4bqV2G9VaS5bHt+Ra549vPof3/yWm4lk7oIr4sgiQChValqwEXKPKJKHEQYJhO8QlHoS09rgX2BW+X27oYczKawXr939EPQCFsns8PZkONSYHhbuDQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jacobs-university.de; dmarc=pass action=none header.from=jacobs-university.de; dkim=pass header.d=jacobs-university.de; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jacobsuniversity.onmicrosoft.com; s=selector2-jacobsuniversity-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mCsVqcj5GAs8UAZlqH/5874gsQ5YZVmG2wNxppAQyzw=; b=oE2yGaZ8h9OIUyWqQzRPzcBZeFD6y5FATDtIvF44s0zWSEwn0FepNlRXJB1fyh+96Z74u0KmVg0B4yFnkIoV7C0hVJWj5hQFJfodG27b1SM0azzPOUvHR6v6JFP8NvKC6HEThbApQO7DB+DE+O1QALh+4u7fObgBCDoFXjhdJ8c=
Authentication-Results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=jacobs-university.de;
Received: from AM0P190MB0641.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:194::23) by AM4P190MB0193.EURP190.PROD.OUTLOOK.COM (2603:10a6:200:62::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17; Fri, 5 Mar 2021 15:52:46 +0000
Received: from AM0P190MB0641.EURP190.PROD.OUTLOOK.COM ([fe80::e8a2:9886:8dfa:41c6]) by AM0P190MB0641.EURP190.PROD.OUTLOOK.COM ([fe80::e8a2:9886:8dfa:41c6%4]) with mapi id 15.20.3912.022; Fri, 5 Mar 2021 15:52:46 +0000
Date: Fri, 05 Mar 2021 16:52:45 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: "Eric Voit (evoit)" <evoit@cisco.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Message-ID: <20210305155245.p23ab4isvpn2vxdo@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: "Eric Voit (evoit)" <evoit@cisco.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
References: <20210219131122.4b3qt7kgapmgv3ax@anna.jacobs.jacobs-university.de> <17694.1613745400@localhost> <20210219160103.26mds5wtenqtfbct@anna.jacobs.jacobs-university.de> <BL0PR11MB312290AB0F53053548E1D43DA1849@BL0PR11MB3122.namprd11.prod.outlook.com> <20210305111144.ptkqpler3rjmgx6i@anna.jacobs.jacobs-university.de> <BL0PR11MB3122D8926C5143368F4C77C5A1969@BL0PR11MB3122.namprd11.prod.outlook.com>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <BL0PR11MB3122D8926C5143368F4C77C5A1969@BL0PR11MB3122.namprd11.prod.outlook.com>
X-Originating-IP: [212.201.44.244]
X-ClientProxiedBy: FRYP281CA0007.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10::17) To AM0P190MB0641.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:194::23)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from localhost (212.201.44.244) by FRYP281CA0007.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3933.13 via Frontend Transport; Fri, 5 Mar 2021 15:52:46 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 39e6a583-6fb9-4364-8a34-08d8dfeeb864
X-MS-TrafficTypeDiagnostic: AM4P190MB0193:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <AM4P190MB0193C1BF735E00EDA87D23CEDE969@AM4P190MB0193.EURP190.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: Wk/548CbT2nI+/6J19pb9GkvPYOe2GdMiEuFjR/wX8ZuhwBJdTMYsaJg9OcXs+hq2dNaBsGo1c60p11MEQIt6sS/Evwj8DdVpeCLxrNPZ/GRpm2ErykqWYjPNd+CUfkaSJvH6booQTot0GBz8LvJgxW0bfHtfh8wPLw5zvcmQHQ0gBGojRL+MWtZ+7TkuDI8n+VyDpPJBnwUFmlow4f1oY++zUj64MTDHbmnQjewhhqNr/PxjfGEndXEKpSE+tgISmqBrUw7d4Udtnjo2H73toF44hyNdSBLGJbY4zv7zZvoAYx9rxDoiUL+pUzsGp1zO4RPTiTZB+6QbVxbFuPwpMym0x+Djcon92E9uzDsz3qoh1H2Xm3kcUxur9RfrqrkaPY/qG99PLnC6T+3EhiQfGEmYyD1zjxLZU5+FMdTuBYtb2/6A2nE4g+2LLMnv92JnCnPEWcbdQidwfTZt/aVea213j+8eWtuZNUPohJO+3dqNhAZG7L+yw+SpbZE6xol7FpHVjwDWSTgLp8oYKz5aGno7EdjNu7eLqwJxX6GBOX23S15PbcJZQrGyJec5IEItI5CUpIVlHo1OoBYOUZVqB7gcbl5wLO6u+LO/FZPk68=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0P190MB0641.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(346002)(396003)(39840400004)(136003)(366004)(376002)(54906003)(6486002)(53546011)(66556008)(316002)(786003)(86362001)(66476007)(83380400001)(26005)(966005)(3450700001)(66574015)(5660300002)(66946007)(186003)(1076003)(6496006)(956004)(52116002)(8676002)(2906002)(16526019)(478600001)(4326008)(6916009)(8936002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: CxhO8yttnIGXeeXt6m6/BS/CPA1dIzAmZKDtlQhjZSnEbPM7xPdvT6dMCfYpAEZtMpF98bSyUEWwrNrLPG7fsieHjGRGVO4Tp+6ohsPLLuJhvZHNsQPo0jSGfRUuqe9VkWFf+LTIZ3UIibZ12y8/pxjbFfm8xUPPn03ItuVmRdpMWbzozwK9lNq9nN15r7uYPyVtAceew+WmbANMDqANtWBXRfIm37JdIn6W9zGkjNC+YgiNKnoA9Wkyp0jXpSVzy4EBoqJr+tZPpdtb4qcMESVEyLhMFtKACiJEQSpwdh7J5yR9WiHtUtWNVteoAP21y/izP61ozD0WQvK/iQ/s6bTgllPTEWes2i9+rvSixgrWnKLAW97Qh2OJrEHt23sTZoUFNtU6/MQQFTxSy+4WTRAgA1iqEV8blyUQInfUQGdJzmvehUCYYkJJL7rk9clzU1bmZukil4HTBvZNla8EmtxVg+VfQbBKjWcbudihlNMAh46r9f7Bzfa/P9/GSikdZTciJAKnAlVWgi1igqAM0RZpjaFUX0hDMK0oFh1RyVgFM75/QJt5nLtnJHBGl73iYZYkRQ5wUdR0PNUvID4+hcXBTt3TgZNf7B8puHJJhlINouLLumyPUgQi3AJ6ACBhiEynP1aWqjDxLMBwReb+VIbp5dR9pwpbQVsmGhgVPeSzY/pK9/dmlwWWEtRgeptAmOvYCSk9Oel8lHo6SDcw07rlua2W9Bt2T5B/0kDVfY8DtjJkgJm0Vs0v+1ZOqoHqkL3Qnwe0Cq9ynezO/mcMZxHX4dVDmGBGvrMcRBQm1JUUUO9mLWcAuzZsUCSDN+kCBRlyYaDrRApaLLMgCcMFs5+Y1Wd+ZCtcrnoV0055IiogfrJfFwDX/3dFBbG4a2/rTa4PxmGSCNAE1ERBj9AIY/7VZfiFhyPXy+P7WeeSLhHoyPIstgNv5DhYkJFxv6Uubh8iXrBEiwXU9/StpYSlrsBe6RtzdclDyHqnu/ZYbNNcbENlP8Q55yDvduktAzUICYEe1bOOcLSRm98A/g+a5rsmuhJLoFDOE+AN5J46tPYU/WIZmSHhC8FtA3ekOsjXVi3c0Vf+peOwgwEgKyMPQ/AqS4deQJvGebyqgqt1wR9SK9zfpuqBQl8rKnw98OLrXy+0jJ7ECivPgRiDF0JwpADnm3sRbnQcS/LaCTh9KpyJQloEsZ3x4P5SBRY/UHp6SkT9c8pCuy6EGxWmxfxAgWwH7T5BD4bV250XTsTYxbXcQYuo0Qf+IIVfUch8UGhTmyH/9Umg+2JPNa7aLary7mzto8LVMtXSOivUVbr9GZK2lpKZhJi9BZVyGHIc/4Ud
X-OriginatorOrg: jacobs-university.de
X-MS-Exchange-CrossTenant-Network-Message-Id: 39e6a583-6fb9-4364-8a34-08d8dfeeb864
X-MS-Exchange-CrossTenant-AuthSource: AM0P190MB0641.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Mar 2021 15:52:46.3046 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f78e973e-5c0b-4ab8-bbd7-9887c95a8ebd
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: /8OgN+jS0W/wMUMRHhl8Bccj65sDybLGJmHN3LZYocK5Rp0dvHbY30PXee9mdfVlVqDnCGuf43bgVj7sJybvjoLgEkoF2r89qTwWlIpBN0A=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4P190MB0193
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/vBD_fxShMzDBabddnjqnjHbv7fw>
Subject: Re: [Rats] do not address yang warnings by making nodes writable
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2021 15:52:52 -0000

On Fri, Mar 05, 2021 at 03:42:54PM +0000, Eric Voit (evoit) wrote:
> Hi Juergen,
> 
> Where you say "this config applies to TPMs version X", we are accomplishing
> a similar function via when statements,  E.g.:
> 
>         uses TPM12-hash-algo {
>           when "tpm-firmware-version = 'taa:tpm12'";
> 
> It is possible to place what is currently within these 'when' statement to
> instead be within the descriptions.  But using 'when' statements seemed a
> more robust approach.

Except you had a broken config true node.
 
> Based on our discussion, I can adjust that description of "leaf
> tpm-firmware-version" to:     "Identifies the cryptoprocessor API set
> supported.  This is automatically configured by the device and should not be
> changed."   This will eliminate the earlier text about a YANG warning and
> NMDA.  Is this a reasonable approach?

Overwriting YANG semantics is not what you want. Perhaps you actually
want to use a YANG feature to make parts of the model conditional to a
feature indicating different TPM versions. Of, you already have an
if-feature. It might well be that I do not understand what you are
trying to achieve.

/js

> Thanks,
> Eric
> 
> > -----Original Message-----
> > From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
> > Sent: Friday, March 5, 2021 6:12 AM
> > To: Eric Voit (evoit) <evoit@cisco.com>
> > Cc: Michael Richardson <mcr+ietf@sandelman.ca>; rats@ietf.org
> > Subject: Re: [Rats] do not address yang warnings by making nodes writable
> > 
> > Eric,
> > 
> > I think you want to configure that "this config applies to TPMs version
> X", i.e.,
> > you configure the version that needs to match the TPMs version so that
> your
> > config can apply, you are of course not configuring the TPM's version
> (that
> > would require a TPM configuration model but as you write, for many TPMs
> this
> > will be by design not configurable).
> > 
> > For network interfaces, we do the same: You write down the configuration
> of a
> > network interface and we expect that the configuration only gets applied
> if a
> > matching network interface is actually present. (This is basically where
> the
> > difference between intended configuration and applied configuration comes
> > into play.)
> > 
> > /js
> > 
> > On Fri, Feb 19, 2021 at 04:35:32PM +0000, Eric Voit (evoit) wrote:
> > > Hi Juergen,
> > >
> > > > From: Juergen Schoenwaelder, February 19, 2021 11:01 AM
> > > >
> > > > I do not know what the purpose of the MUST statements is since I did
> > > > not
> > > dig
> > > > deeper but it could be that config is only applied to TPMs where the
> > > configured
> > > > version matches the version of the TPM. This would then require to
> > > configure
> > > > the version, much like we allow to provision interface configs even
> > > > if
> > > there is
> > > > (currently) no matching interfaces.
> > > >
> > > > It could also be that the WG does not want to allow something to be
> > > configured
> > > > for a TPM version that does (currently) not exist. Even in that
> > > > case, you
> > > would
> > > > have to convey the TPM version as part of the config and then have
> > > > logic defined in description statements that such config snippets
> > > > are to be
> > > rejected
> > > > (instead of being not applied).
> > >
> > > This is closer to the purpose.
> > >
> > > The TPM is a hardware device* which will follow an API defined in
> another
> > > standards body.   The TPM has firmware which will not be configured
> through
> > > YANG model.  It is conceivable that new TPM firmware versions will be
> > > exposed, so ENUMs cannot be used.   It is this firmware version which
> will
> > > allow other relevant configuration operations to be applied.
> > >
> > > So you cannot change the configuration datastore for this object (as it
> is
> > > read internally).   But you also can't make the object as "config
> false", as
> > > other configurable items depend on it.  If there is a proper way to
> > > document such a relationship, it would be great to update the model so
> that
> > the
> > > relationship does not require the text currently in the description.
> Any
> > > suggestions?
> > >
> > > * There are also such things as Virtual TPMs.  This model is intending
> > > to frame YANG structures which can be reused should others want to build
> for
> > > these as well.   But that is out-of-scope here.
> > >
> > > Thanks,
> > > Eric
> > >
> > > > My point is that saying a leaf is rw config, it is expected to be
> > > > used for validation, but it is not expected to be there is not
> working.
> > > >
> > > > Personally, I prefer config that can be provisioned but may not be
> > > > applied
> > > if it
> > > > does not match the resources (currently) available.
> > > > Yes, this requires to check for possible differences between applied
> > > > and provisioned (aka running) config but the opposite gets you into
> > > > situation
> > > where a
> > > > hardware component failures leads to an invalid config and you are
> > > > either bricked or in a mode hard to understand.
> > > >
> > > > /js
> > > >
> > > > On Fri, Feb 19, 2021 at 09:36:40AM -0500, Michael Richardson wrote:
> > > > >
> > > > > Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> > > > >     > I doubt that this is a proper solution as you now have to
> > > configure the
> > > > >     > tpm-firmware-version. If you cannot configure this (as the
> > > description
> > > > >     > says), then the MUST may always be false, i.e, once you
> > > > > implement
> > > this,
> > > > >     > you will see that this does not work.
> > > > >
> > > > > I am not clueful about XPATH forcing "rw"... is there another
> solution?
> > > > >
> > > > > --
> > > > > Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT
> consulting
> > > )
> > > > >            Sandelman Software Works Inc, Ottawa and Worldwide
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > > > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > > > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> > > >
> > > > _______________________________________________
> > > > RATS mailing list
> > > > RATS@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/rats
> > 
> > 
> > 
> > --
> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>



-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email