-
Notifications
You must be signed in to change notification settings - Fork 0
166 lines (143 loc) · 4.49 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
module ietf-rats-attestation-results-vector {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-rats-attestation-results-vector";
prefix arv;
import ietf-yang-types {
prefix yang;
}
organization "IETF";
contact
"WG Web: <http://tools.ietf.org/wg/rats/>
WG List: <mailto:[email protected]>
Editor: Eric Voit
<mailto:[email protected]>";
description
"This module contains conceptual YANG specifications for
subscribing to attestation streams being generated from TPM chips.
Copyright (c) 2020 IETF Trust and the persons identified as authors
of the code. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, is permitted pursuant to, and subject to the license
terms contained in, the Simplified BSD License set forth in Section
4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the RFC
itself for full legal notices.";
revision 2020-06-03 {
description
"Initial version.";
reference
"draft-voit-rats-trusted-path-routing";
}
/*
* IDENTITIES
*/
identity trustworthiness-level {
description
"Base identity for a verifier assessed trustworthiness level.";
}
identity trustworthiness-pass {
description
"Identity for a verifier assessed trustworthiness pass.";
}
identity trustworthiness-fail {
description
"Base identity for a verifier assessed trustworthiness fail.";
}
identity boot-verified {
base trustworthiness-pass;
description
"A Verifier has assessed an Attester as Boot Integrity Verified.";
}
identity boot-verification-fail {
base trustworthiness-fail;
description
"A Verifier has assessed an Attester has failed its Boot Integrity
verification.";
}
identity hw-authentic {
base trustworthiness-pass;
description
"A Verifier has assessed an Attester as having authentic hardware.";
}
identity fw-authentic {
base trustworthiness-pass;
description
"A Verifier has assessed an Attester as having authentic firmware.";
}
identity hw-verification-fail {
base trustworthiness-fail;
description
"A Verifier has assessed an Attester has failed its hardware or
firmware verification.";
}
identity identity-verified {
base trustworthiness-pass;
description
"A Verifier has assessed and verified an Attester's unique identity.";
}
identity identity-fail {
base trustworthiness-fail;
description
"A Verifier has been unable to assess or verify an Attester's unique
identity";
}
identity files-verified {
base trustworthiness-pass;
description
"A Verifier has assessed an Attester's file system, and asserts that
it recognizes relevant files.";
}
identity file-blacklisted {
base trustworthiness-fail;
description
"A Verifier has found a file on an Attester which should not be
present.";
}
/*
* DATA NODES
*/
container attestation-results {
presence
"An attestation Verifier has appraised the security posture of the
device, and returned the results within this container.";
description
"Containes the latest Verifier appraisal of an Attester.";
leaf-list trustworthiness-vector {
type identityref {
base trustworthiness-level;
}
ordered-by system;
description
"One or more Trustworthiness Levels assigned which expose the
Verifiers evaluation of the Evidence associated with the
'tpmt-signature'.";
}
leaf timestamp {
type yang:date-and-time;
mandatory true;
description
"The timestamp of the Verifier's appraisal.";
}
leaf tpmt-signature {
type binary;
description
"Must match a recent tpmt-signature sent in a notification to
a Verifier. This allows correlation of the Attestation Results to
a recent PCR change.";
}
leaf verifier-signature {
type binary;
mandatory true;
description
"Signature of the Verifier across all the current objects in the
attestation-results container.";
}
leaf verifier-signature-key-name {
type binary;
description
"Name of the key the Verifier used to sign the results.";
}
}
}