TBD H. Birkholz
Internet-Draft Fraunhofer SIT
Intended status: Standards Track M. Eckel
Expires: September 13, 2019 Huawei
S. Bhandari
B. Sulzen
E. Voit
Cisco
G. Fedorkow
Juniper
March 12, 2019
YANG Module for Basic Challenge-Response-based Remote Attestation
Procedures
draft-birkholz-rats-basic-yang-module-00
Abstract
This document defines a YANG RPC and a minimal datastore tree
required to retrieve attestation evidence about integrity
measurements from a composite device with one or more roots of trust
for reporting. Complementary measurement logs are also provided by
the YANG RPC originating from one or more roots of trust of
measurement. The module defined requires a TPM 2.0 and corresponding
Trusted Software Stack included in the device components of the
composite device the YANG server is running on.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2019.
Birkholz, et al. Expires September 13, 2019 [Page 1]
Internet-Draft BRAT March 2019
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3
2. The YANG Module for Basic Remote Attestation Procedures . . . 3
2.1. Tree format . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Raw Format . . . . . . . . . . . . . . . . . . . . . . . 6
3. IANA considerations . . . . . . . . . . . . . . . . . . . . . 20
4. Security Considerations . . . . . . . . . . . . . . . . . . . 20
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20
6. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 20
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.1. Normative References . . . . . . . . . . . . . . . . . . 21
7.2. Informative References . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21
1. Introduction
This document is based on the terminology defined in the
[I-D.birkholz-attestation-terminology] and uses the interaction model
and information elements defined in the
[I-D.birkholz-reference-ra-interaction-model] document. The
currently supported hardware security module (HWM) - sometimes also
referred to as an embedded secure element(eSE) - is the Trusted
Platform Module (TPM) 2.0 specified by the Trusted Computing Group
(TCG). One ore more TPM 2.0 embedded in the components of a
composite device - sometimes also referred to as an aggregate device
- are required in order to use the YANG module defined in this
document. A TPM 2.0 is used as a root of trust for reporting (RTR)
in order to retrieve attestation evidence from a composite device.
Additionally, it is used as a root of trust for measurement (RTM) in
order to provide event logs - sometimes also referred to as
measurement logs.
Birkholz, et al. Expires September 13, 2019 [Page 2]
Internet-Draft BRAT March 2019
1.1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC
2119, BCP 14 [RFC2119].
2. The YANG Module for Basic Remote Attestation Procedures
One or more TPM 2.0 MUST be embedded in the composite device that is
providing attestation evidence via the YANG module defined in this
document. The ietf-basic-remote-attestation YANG module enables a
composite device to take on the role of Claimant and Attester in
accordance with the Remote Attestation Procedures (RATS) architecture
[I-D.birkholz-attestation-terminology] and the corresponding
challenge-response interaction model defined in the
[I-D.birkholz-reference-ra-interaction-model] document. A fresh
nonce with an appropriate amount of entropy MUST be supplied by the
YANG client in order to enable a proof-of-freshness with respect to
the attestation evidence provided by the attester running the YANG
datastore. The functions of this YANG module are restricted to 0-1
TPM 2.0 per hardware component.
2.1. Tree format
<CODE BEGINS>
module: ietf-basic-remote-attestation
+--ro rats-support-structures
+--ro supported-algos* uint16
+--ro tpms* [tpm_name]
| +--ro tpm_name string
| +--ro tpm-physical-index? int32 {ietfhw:entity-mib}?
+--ro compute-nodes* [node-name]
| +--ro node-name string
| +--ro node-physical-index? int32 {ietfhw:entity-mib}?
+--ro endorsement-certificates
+--ro certificate* [tpm_name]
+--ro tpm_name string
+--ro tpm-physical-index? int32 {ietfhw:entity-mib}?
+--ro endorsement-certificate binary
rpcs:
+---x tpm2-challenge-response-attestation
| +---w input
| | +---w tpm2-attestation-challenge
| | | +---w pcr-list* []
| | | | +---w pcr
| | | | +---w pcr-indices* uint8
Birkholz, et al. Expires September 13, 2019 [Page 3]
Internet-Draft BRAT March 2019
| | | | +---w (algo-registry-type)
| | | | +--:(tcg)
| | | | | +---w tcg-hash-algo-id? uint16
| | | | +--:(ietf)
| | | | +---w ietf-ni-hash-algo-id? uint8
| | | +---w nonce-value binary
| | | +---w (signature-identifier-type)
| | | | +--:(TPM_ALG_ID)
| | | | | +---w TPM_ALG_ID-value? uint16
| | | | +--:(COSE_Algorithm)
| | | | +---w COSE_Algorithm-value? int32
| | | +---w (key-identifier)?
| | | +--:(public-key)
| | | | +---w pub-key-id? binary
| | | +--:(uuid)
| | | +---w uuid-value? binary
| | +---w tpm_name? string
| | +---w tpm-physical-index? int32 {ietfhw:entity-mib}?
| +--ro output
| +--ro tpm2-attestation-response* [tpm_name]
| +--ro tpm_name string
| +--ro tpm-physical-index? int32 {ietfhw:entity-mib}?
| +--ro up-time? uint32
| +--ro node-name? string
| +--ro node-physical-index? int32 {ietfhw:entity-mib}?
| +--ro tpms-attest
| | +--ro pcrdigest? binary
| | +--ro tpms-attest-result? binary
| | +--ro tpms-attest-result-length? uint32
| +--ro tpmt-signature? binary
+---x basic-trust-establishment
| +---w input
| | +---w nonce-value binary
| | +---w (signature-identifier-type)
| | | +--:(TPM_ALG_ID)
| | | | +---w TPM_ALG_ID-value? uint16
| | | +--:(COSE_Algorithm)
| | | +---w COSE_Algorithm-value? int32
| | +---w tpm_name? string
| | +---w tpm-physical-index? int32 {ietfhw:entity-mib}?
| | +---w certificate-name? string
| +--ro output
| +--ro attestation-certificates* [tpm_name]
| +--ro tpm_name string
| +--ro tpm-physical-index? int32 {ietfhw:entity-mib}?
| +--ro up-time? uint32
| +--ro node-name? string
| +--ro node-physical-index? int32 {ietfhw:entity-mib}?
Birkholz, et al. Expires September 13, 2019 [Page 4]
Internet-Draft BRAT March 2019
| +--ro certificate-name? string
| +--ro attestation-certificate? ietfct:end-entity-cert-cms
| +--ro (key-identifier)?
| +--:(public-key)
| | +--ro pub-key-id? binary
| +--:(uuid)
| +--ro uuid-value? binary
+---x log-retrieval
+---w input
| +---w log-selector* [node-name]
| | +---w node-name string
| | +---w node-physical-index? int32 {ietfhw:entity-mib}?
| | +---w (index-type)?
| | +--:(last-entry)
| | | +---w last-entry-value? binary
| | +--:(index)
| | | +---w index-number? uint64
| | +--:(timestamp)
| | +---w timestamp? yang:date-and-time
| +---w log-type identityref
| +---w pcr-list* []
| | +---w pcr
| | +---w pcr-indices* uint8
| | +---w (algo-registry-type)
| | +--:(tcg)
| | | +---w tcg-hash-algo-id? uint16
| | +--:(ietf)
| | +---w ietf-ni-hash-algo-id? uint8
| +---w log-entry-quantity? uint16
+--ro output
+--ro system-event-logs
+--ro node-data* [node-name]
+--ro node-name string
+--ro node-physical-index? int32 {ietfhw:entity-mib}?
+--ro up-time? uint32
+--ro tpm-updated* [tpm_name]
| +--ro tpm_name string
| +--ro tpm-physical-index? int32 {ietfhw:entity-mib}?
+--ro log-result
+--ro (log-type)
+--:(bios)
| +--ro bios-event-logs
| +--ro bios-event-entry* [event-number]
| +--ro event-number uint32
| +--ro event-type? uint32
| +--ro pcr-index? uint16
| +--ro digest-list* []
| | +--ro (algo-registry-type)
Birkholz, et al. Expires September 13, 2019 [Page 5]
Internet-Draft BRAT March 2019
| | | +--:(tcg)
| | | | +--ro tcg-hash-algo-id? uint16
| | | +--:(ietf)
| | | +--ro ietf-ni-hash-algo-id? uint8
| | +--ro digest* binary
| +--ro event-size? uint32
| +--ro event-data* uint8
+--:(ima)
+--ro ima-event-logs
+--ro ima-event-entry* [event-number]
+--ro event-number uint64
+--ro ima-template? string
+--ro filename-hint? string
+--ro filedata-hash? binary
+--ro template-hash-algorithm? string
+--ro template-hash? binary
+--ro pcr-index? uint16
+--ro signature? binary
<CODE ENDS>
2.2. Raw Format
<CODE BEGINS>
module ietf-basic-remote-attestation {
namespace "urn:ietf:params:xml:ns:yang:ietf-basic-remote-attestation";
prefix "yang-brat";
import ietf-yang-types {
prefix yang;
}
import ietf-hardware {
prefix ietfhw;
}
import ietf-crypto-types {
prefix ietfct;
}
organization
"Fraunhofer SIT";
contact
"Henk Birkholz
Fraunhofer Institute for Secure Information Technology
Email: henk.birkholz@sit.fraunhofer.de";
description
"A YANG module to enable a TPM 2.0 based remote attestation
procedure.
Copyright (C) Fraunhofer SIT (2018).";
revision "2018-06-15" {
Birkholz, et al. Expires September 13, 2019 [Page 6]
Internet-Draft BRAT March 2019
description
"Initial version";
reference
"draft-birkholz-yang-basic-remote-attestation";
}
grouping hash-algo {
description
"A selector for the hashing algorithm";
choice algo-registry-type {
mandatory true;
description
"Unfortunately, both IETF and TCG have registries here.
Choose your weapon wisely.";
case tcg {
description
"you chose the east door, the tcg space opens up to
you.";
leaf tcg-hash-algo-id {
type uint16;
description
"This is an index referencing the TCG Algorithm
Registry based on TPM_ALG_ID.";
}
}
case ietf {
description
"you chose the west door, the ietf space opens up to
you.";
leaf ietf-ni-hash-algo-id {
type uint8;
description
"This is an index referencing the Named Information
Hash Algorithm Registry.";
}
}
}
}
grouping hash {
description
"The hash value including hash-algo identifer";
list hash-digests {
description
"The list of hashes.";
container hash-digest {
description
"A hash value based on a hash algorithm registered by an
Birkholz, et al. Expires September 13, 2019 [Page 7]
Internet-Draft BRAT March 2019
SDO.";
uses hash-algo;
leaf hash-value {
type binary;
description
"The binary representaion of the hash value.";
}
}
}
}
grouping nonce {
description
"A nonce to show freshness and counter replays.";
leaf nonce-value {
type binary;
mandatory true;
description
"This nonce SHOULD be generated via a registered
cryptographic-strength algorithm. In consequence, the length
of the nonce depends on the hash algorithm used. The algorithm
used in this case is independent from the hash algorithm used to
create the hash-value in the response of the attestor.";
}
}
grouping pcr-selection {
description
"A Verifier can request one or more PCR values uses its
individually created AC. The corresponding selection filter is
represented in this grouping. Requesting a PCR value that is not in
scope of the AC used, detailed exposure via error msg should be
avoided.";
list pcr-list {
description
"For each PCR in this list an individual list of banks (hash-algo)
can be requested. It depends on the datastore, if every bank in
this grouping is included per PCR (crude), or if each requested
bank set is returned for each PCR individually (elegant).";
container pcr {
description
"The composite of a PCR number and corresponding bank numbers.";
leaf-list pcr-indices {
type uint8;
description
"The number of the PCR. At the moment this is limited
32";
}
Birkholz, et al. Expires September 13, 2019 [Page 8]
Internet-Draft BRAT March 2019
uses hash-algo;
}
}
}
grouping pcr-selector {
description
"A Verifier can request the generation of an attestation
certificate (a signed public attestation key
(non-migratable, tpm-resident) wrt one or more PCR values.
The corresponding creation input is represented in this grouping.
Requesting a PCR value that is not supported results in an error,
detailed exposure via error msg should be avoided.";
list pcr-list {
description
"For each PCR in this list an individual hash-algo can be
requested.";
container pcr {
description
"The composite of a PCR number and corresponding bank numbers.";
leaf-list pcr-index {
type uint8;
description
"The numbers of the PCRs that are associated with
the created key. At the moment the highest number is 32";
}
uses hash-algo;
}
}
}
grouping signature-scheme {
description
"The signature scheme used to sign the evidence.";
choice signature-identifier-type {
mandatory true;
description
"There are multiple ways to reference a signature type.
This used to select the signature algo to sign the quote
information response.";
case TPM_ALG_ID {
description
"This references the indices of table 9 in the TPM 2.0 structure specification.";
leaf TPM_ALG_ID-value {
type uint16;
description
"The TPM Algo ID.";
}
Birkholz, et al. Expires September 13, 2019 [Page 9]
Internet-Draft BRAT March 2019
}
case COSE_Algorithm {
description
"This references the IANA COSE Algorithms Registry indices. Every index of this
registry to be used must be mapable to a TPM_ALG_ID value.";
leaf COSE_Algorithm-value {
type int32;
description
"The TPM Algo ID.";
}
}
}
}
grouping attestation-key-identifier {
description
"A selector for a suitable key identifier.";
choice key-identifier {
description
"Identifier for the attestation key to use for signing
attestation evidence.";
case public-key {
leaf pub-key-id {
type binary;
description
"The value of the identifier for the public key.";
}
}
case uuid {
description
"Use a YANG agent generated (and maintained) attestation
key UUID.";
leaf uuid-value {
type binary;
description
"The UUID identifying the corresponding public key.";
}
}
}
}
grouping tpm-name {
description
"In a system with multiple-TPMs get the data from a specific TPM
identified by the name and physical-index.";
leaf tpm_name {
type string;
description
Birkholz, et al. Expires September 13, 2019 [Page 10]
Internet-Draft BRAT March 2019
"Name of the TPM or All";
}
leaf tpm-physical-index {
if-feature ietfhw:entity-mib;
type int32 {
range "1..2147483647";
}
config false;
description
"The entPhysicalIndex for the TPM.";
reference
"RFC 6933: Entity MIB (Version 4) - entPhysicalIndex";
}
}
grouping compute-node {
description
"In a distributed system with multiple compute nodes
this is the node identified by name and physical-index.";
leaf node-name {
type string;
description
"Name of the compute node or All";
}
leaf node-physical-index {
if-feature ietfhw:entity-mib;
type int32 {
range "1..2147483647";
}
config false;
description
"The entPhysicalIndex for the compute node.";
reference
"RFC 6933: Entity MIB (Version 4) - entPhysicalIndex";
}
}
grouping node-uptime {
description
"Uptime in seconds of the node.";
leaf up-time {
type uint32;
description
"Uptime in seconds of this node reporting its data";
}
}
identity log-type {
description
"The type of logs available.";
}
Birkholz, et al. Expires September 13, 2019 [Page 11]
Internet-Draft BRAT March 2019
identity bios {
base log-type;
description
"Measurement log created by the BIOS/UEFI.";
}
identity ima {
base log-type;
description
"Measurement log created by IMA.";
}
grouping log-identifier {
description
"Identifier for type of log to be retrieved.";
leaf log-type {
type identityref {
base log-type;
}
mandatory true;
description
"The corresponding measurement log type identity.";
}
}
grouping boot-event-log {
description
"Defines an event log corresponding to the event that extended the PCR";
leaf event-number {
type uint32;
description
"Unique event number of this event";
}
leaf event-type {
type uint32;
description
"log event type";
}
leaf pcr-index {
type uint16;
description
"Defines the PCR index that this event extended";
}
list digest-list {
description "Hash of event data";
uses hash-algo;
leaf-list digest {
Birkholz, et al. Expires September 13, 2019 [Page 12]
Internet-Draft BRAT March 2019
type binary;
description
"The hash of the event data";
}
}
leaf event-size {
type uint32;
description
"Size of the event data";
}
leaf-list event-data {
type uint8;
description
"the event data size determined by event-size";
}
}
grouping ima-event {
description
"Defines an hash log extend event for IMA measurements";
leaf event-number {
type uint64;
description
"Unique number for this event for sequencing";
}
leaf ima-template {
type string;
description
"Name of the template used for event logs
for e.g. ima, ima-ng";
}
leaf filename-hint {
type string;
description
"File that was measured";
}
leaf filedata-hash {
type binary;
description
"Hash of filedata";
}
leaf template-hash-algorithm {
type string;
description
"Algorithm used for template-hash";
}
leaf template-hash {
type binary;
Birkholz, et al. Expires September 13, 2019 [Page 13]
Internet-Draft BRAT March 2019
description
" hash(filedata-hash, filename-hint)";
}
leaf pcr-index {
type uint16;
description
"Defines the PCR index that this event extended";
}
leaf signature {
type binary;
description
"The file signature";
}
}
grouping bios-event-log {
description
"Measurement log created by the BIOS/UEFI.";
list bios-event-entry {
key event-number;
description
"Ordered list of TCG described event log
that extended the PCRs in the order they
were logged";
uses boot-event-log;
}
}
grouping ima-event-log {
list ima-event-entry {
key event-number;
description
"Ordered list of ima event logs by event-number";
uses ima-event;
}
description
"Measurement log created by IMA.";
}
grouping event-logs {
description
"A selector for the log and its type.";
choice log-type {
mandatory true;
description
"Event log type determines the event logs content.";
case bios {
Birkholz, et al. Expires September 13, 2019 [Page 14]
Internet-Draft BRAT March 2019
description
"BIOS/UEFI event logs";
container bios-event-logs {
description
"This is an index referencing the TCG Algorithm
Registry based on TPM_ALG_ID.";
uses bios-event-log;
}
}
case ima {
description
"IMA event logs";
container ima-event-logs {
description
"This is an index referencing the TCG Algorithm
Registry based on TPM_ALG_ID.";
uses ima-event-log;
}
}
}
}
rpc tpm2-challenge-response-attestation {
description
"This RPC accepts the input for TSS commands of the managed device.
ComponentIndex from the hardware manager YANG module to refer to
dedicated TPM in composite devices, e.g. smart NICs, is still a
TODO.";
input {
container tpm2-attestation-challenge {
description
"This container includes every information element defined
in the reference challenge-response interaction model for
remote attestation. Corresponding values are based on
TPM 2.0 structure definitions";
uses pcr-selection;
uses nonce;
uses signature-scheme;
uses attestation-key-identifier;
}
uses tpm-name;
}
output {
list tpm2-attestation-response {
key tpm_name;
description
"The binary output of TPM2b_Quote. An TPMS_ATTEST structure
Birkholz, et al. Expires September 13, 2019 [Page 15]
Internet-Draft BRAT March 2019
including a length, encapsulated in a signature";
uses tpm-name;
uses node-uptime;
uses compute-node;
container tpms-attest {
leaf pcrdigest {
type binary;
description
"split out value of TPMS_QUOTE_INFO for convenience";
}
leaf tpms-attest-result {
type binary;
description
"The complete TPM generate structure including signature.";
}
leaf tpms-attest-result-length {
type uint32;
description
"Length of attest result provided by the TPM structure.";
}
description
"A composite of value and length and list of selected
pcrs (original name: [type]attested)";
}
leaf tpmt-signature {
type binary;
description
"Split out value of the signature for convenience. TODO: check for length values that complent binary value data node leafs.";
}
}
}
}
rpc basic-trust-establishment {
description
"This RPC creates a tpm-resident, non-migratable key to be used
in TPM_Quote commands, an attestation certificate.";
input {
uses nonce;
uses signature-scheme;
uses tpm-name;
leaf certificate-name {
type string;
description
"An arbitrary name for the identity certificate chain requested.";
}
}
output {
Birkholz, et al. Expires September 13, 2019 [Page 16]
Internet-Draft BRAT March 2019
list attestation-certificates {
key tpm_name;
description
"Attestation Certificate data from a TPM identified by the TPM name";
uses tpm-name;
uses node-uptime;
uses compute-node;
leaf certificate-name {
type string;
description
"An arbitrary name for this identity certificate or certificate chain.";
}
leaf attestation-certificate {
description
"The binary signed certificate chain data for this identity certificate.";
type ietfct:end-entity-cert-cms;
}
uses attestation-key-identifier;
}
}
}
rpc log-retrieval {
description
"Logs Entries are either identified via indices or via providing
the last line received. The number of lines returned can be limited.
The type of log is a choice that can be
augmented.";
input {
list log-selector {
key node-name;
description
"Selection of log entries to be reported.";
uses compute-node;
choice index-type {
description
"Last log entry received, log index number, or timestamp.";
case last-entry {
description
"The last entry of the log already retrieved.";
leaf last-entry-value {
description
"Content of an log event which matches 1:1 with a
unique event record contained within the log. Log
entries subsequent to this will be passed to the
requestor. Note: if log entry values are not unique,
this MUST return an error.";
Birkholz, et al. Expires September 13, 2019 [Page 17]
Internet-Draft BRAT March 2019
type binary;
}
}
case index {
description
"Numeric index of the last log entry retrieved, or zero.";
leaf index-number {
description
"The numeric index number of a log entry. Zero means
to start at the beginning of the log. Entries
subsequent to this will be passed to the
requestor.";
type uint64;
}
}
case timestamp {
leaf timestamp {
type yang:date-and-time;
description
"Timestamp from which to start the extraction. The next
log entry subsequent to this timestamp is to be sent.";
}
description
"Timestamp from which to start the extraction.";
}
}
}
uses log-identifier;
uses pcr-selection;
leaf log-entry-quantity {
type uint16;
description
"The number of log entries to be returned. If omitted, it
means all of them.";
}
}
output {
container system-event-logs {
description
"The requested data of the measurement event logs";
list node-data {
key node-name;
description
"Event logs of a node in a distributed system
identified by the node name";
uses compute-node;
uses node-uptime;
list tpm-updated {
Birkholz, et al. Expires September 13, 2019 [Page 18]
Internet-Draft BRAT March 2019
key tpm_name;
description
"TPM these events may have recorded data in";
uses tpm-name;
}
container log-result {
description
"The requested entries of the corresponding log.";
uses event-logs;
}
}
}
}
}
container rats-support-structures {
leaf-list supported-algos {
type uint16;
description
"Supported TPM_ALG_ID values for the TPM in question.
Will include ComponentIndex soon.";
}
list tpms {
key tpm_name;
uses tpm-name;
description
"A list of TPMs in this composite
device that rats can be conducted with.";
}
list compute-nodes {
key node-name;
uses compute-node;
description
"A list names of hardware components in this composite
device that rats can be conducted with.";
}
container endorsement-certificates {
list certificate {
key tpm_name;
uses tpm-name;
description
"The TPM's endorsement-certificate.";
leaf endorsement-certificate {
type binary;
mandatory true;
description
"The signed pulic endorsement key (EK) and corresponding claims
(EK Certificate). In a TPM 2.0 the EK Certificate resides in a
well-defined NVRAM location by the TPM vednor.";
Birkholz, et al. Expires September 13, 2019 [Page 19]
Internet-Draft BRAT March 2019
}
}
description
"Basic information elements to enable RATS.";
}
config false;
}
}
<CODE ENDS>
3. IANA considerations
This document will include requests to IANA:
To be defined yet.
4. Security Considerations
There are always some.
5. Acknowledgements
Not yet.
6. Change Log
Changes from version 00 to version 01:
o Addressed author's comments
o Extended complementary details about attestation-certificates
o Relabeled chunk-size to log-entry-quantity
o Relabeled location with compute-node or tpm-name where appropriate
o Added a valid entity-mib physical-index to compute-node and tpm-
name to map it back to hardware inventory
o Relabeled name to tpm_name
o Removed event-string in last-entry
7. References
Birkholz, et al. Expires September 13, 2019 [Page 20]
Internet-Draft BRAT March 2019
7.1. Normative References
[I-D.birkholz-reference-ra-interaction-model]
Birkholz, H. and M. Eckel, "Reference Interaction Model
for Challenge-Response-based Remote Attestation", draft-
birkholz-reference-ra-interaction-model-01 (work in
progress), January 2019.
[I-D.ietf-netconf-crypto-types]
Watsen, K. and H. Wang, "Common YANG Data Types for
Cryptography", draft-ietf-netconf-crypto-types-05 (work in
progress), March 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
7.2. Informative References
[I-D.birkholz-attestation-terminology]
Birkholz, H., Wiseman, M., and H. Tschofenig, "Reference
Terminology for Remote Attestation Procedures", draft-
birkholz-attestation-terminology-02 (work in progress),
July 2018.
Authors' Addresses
Henk Birkholz
Fraunhofer SIT
Rheinstrasse 75
Darmstadt 64295
Germany
Email: henk.birkholz@sit.fraunhofer.de
Michael Eckel
Huawei Technologies
Feldbergstrasse 78
Darmstadt 64293
Germany
Email: michael.eckel@huawei.com
Birkholz, et al. Expires September 13, 2019 [Page 21]
Internet-Draft BRAT March 2019
Shwetha Bhandari
Cisco Systems
Email: shwethab@cisco.com
Bill Sulzen
Cisco Systems
Email: bsulzen@cisco.com
Eric Voit
Cisco Systems
Email: evoit@cisco.com
Guy C. Fedorkow
Juniper Networks
10 Technology Park Drive
Westford, Massachusetts 01886
Email: gfedorkow@juniper.de
Birkholz, et al. Expires September 13, 2019 [Page 22]