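module ietf-tpm-remote-attestation-stream {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation-stream";
  prefix tras;

  import ietf-subscribed-notifications {
    prefix sn;
    reference
      "RFC 8639: Subscription to YANG Notifications";
  }
  import ietf-tpm-remote-attestation {
    prefix tpm;
    reference
      "draft-ietf-rats-yang-tpm-charra";
  }
  import ietf-yang-structure-ext {
    prefix sx;
    reference
      "draft-ietf-netmod-yang-data-ext";
  }

  organization "IETF";
  contact
    "WG Web: <http://tools.ietf.org/wg/rats/>
     WG List: <mailto:[email protected]>
     Editor: Eric Voit
             <mailto:[email protected]>";
  description
    "This module contains conceptual YANG specifications for
     subscribing to attestation streams being generated from TPM chips.

     Copyright (c) 2020 IETF Trust and the persons identified
     as authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
     itself for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here.";

  revision 2020-06-05 {
    description
      "Initial version.";
    reference
      "draft-birkholz-rats-network-device-subscription";
  }

  /*
   * IDENTITIES
   */

  /*
   * Error returned by establish-subscription when a requested
   * pcr-index is not in the set the Attester allows to be subscribed
   * (see the tpm12-pcr-index / tpm20-pcr-index leaf-lists below).
   * The original description inverted the meaning ("is subscribable").
   */
  identity pcr-unsubscribable {
    base sn:establish-subscription-error;
    description
      "Requested PCR is not subscribable by the Attester.";
  }

  /*
   * Groupings
   */

  /*
   * Periodic re-quoting so a Verifier keeps receiving signed PCR state
   * even when nothing has been extended.
   *
   * NOTE(review): this module does not say which nonce a heartbeat
   * quote is bound to. If the nonce supplied at establish-subscription
   * is reused for every heartbeat, a subscriber cannot distinguish a
   * replayed quote from a fresh one; confirm against the freshness
   * handling in tpm:tpm20-attestation.
   */
  grouping heartbeat {
    description
      "Allows an Attester to push verifiable, current TPM PCR values even
       when there have been no recent changes to PCRs.";
    leaf tpm20-subscription-heartbeat {
      type uint16;
      description
        "Number of seconds before the Attestation stream should send a new
         notification with a fresh quote. This allows confirmation
         that the PCR values haven't changed since the last
         tpm20-attestation.";
    }
  }

  /*
   * RPCs
   */

  /*
   * Subscription parameters that only apply when the requested stream
   * is (derived from) 'attestation': a Verifier-chosen nonce, and the
   * PCRs it wants reported. Binding the nonce to the subscription is
   * what lets the subscriber check that later quotes are fresh.
   */
  augment "/sn:establish-subscription/sn:input" {
    when 'derived-from-or-self(sn:stream, "attestation")';
    description
      "This augmentation adds a nonce and a PCR filter as subscription
       parameters to the RPC input. They apply only to subscriptions
       to the 'attestation' event stream.";
    uses tpm:nonce;
    leaf-list pcr-index {
      type tpm:pcr;
      min-elements 1;
      description
        "The numbers/indexes of the PCRs. This will act as a filter for the
         subscription so that 'tpm-extend' notifications related to
         non-requested PCRs will not be sent to a subscriber.";
    }
  }

  /*
   * NOTIFICATIONS
   */

  /*
   * Unsigned report that a PCR was extended. On its own it is not
   * evidence; the signed tpm12-attestation / tpm20-attestation that is
   * expected to follow is what a Verifier should appraise.
   */
  notification tpm-extend {
    description
      "This notification indicates that a PCR has extended within a TPM based
       cryptoprocessor. In less than 10 seconds, it should be followed with
       either a tpm12-attestation or tpm20-attestation notification.";
    uses tpm:tpm-name;
    leaf pcr-index-changed {
      type tpm:pcr;
      mandatory true;
      description
        "The number of the PCR extended.";
    }
    list attested-event {
      description
        "A set of events which extended an Attester PCR. The sequence of
         elements represented in list must match the sequence of events
         placed into the TPM.";
      container attested-event {
        description
          "An instance of an event which extended an Attester PCR";
        leaf extended-with {
          type binary;
          mandatory true;
          description
            "Information extending the PCR.";
        }
        leaf event-type {
          type identityref {
            base tpm:attested-event-log-type;
          }
          description
            "Indicates what kind of event happened that the Attester thought
             was worthy of recording in a PCR.";
        }
        /* Schema of this anydata is selected by 'event-type'; see the
         * sx:structure definitions at the bottom of this module. */
        anydata event-details {
          description
            "A structure, selected by 'event-type', containing supporting
             information which allows the recipient (e.g. a Verifier) to
             evaluate the trust implications.
             Event details may be populated with YANG log structures defined
             at the bottom of this module.";
        }
      }
    }
  }

  notification tpm12-attestation {
    if-feature "tpm:TPM12";
    description
      "Contains an instance of TPM1.2 style signed cryptoprocessor
       measurements. It is supplemented by unsigned Attester information.";
    uses tpm:tpm12-attestation;
  }

  notification tpm20-attestation {
    if-feature "tpm:TPM20";
    description
      "Contains an instance of TPM2 style signed cryptoprocessor
       measurements. It is supplemented by unsigned Attester information.";
    uses tpm:tpm20-attestation;
  }

  /*
   * DATA NODES
   */

  /*
   * Platform-wide configuration of the 'attestation' stream.
   */
  augment "/tpm:rats-support-structures" {
    description
      "Defines platform wide 'attestation' stream subscription parameters.";
    /* uint8 bounds this to at most 255 seconds. The larger the value,
     * the longer a subscribed Verifier waits before learning of an
     * extend, so this is a detection-latency vs. batching trade-off. */
    leaf marshalling-period {
      config true;
      type uint8;
      default 5;
      description
        "The maximum number of seconds between the time an event extends a PCR,
         and the 'tpm-extend' notification which reports it to a subscribed
         Verifier. This period allows multiple extend operations to be bundled
         together and handled as a group.";
    }
    /* The leafref restricts the signing scheme to one the TPM reports
     * as supported. The author has flagged the path as unverified
     * ("need to check syntax"); it must resolve to a single algorithm. */
    leaf tpm12-subscribed-signature-scheme {
      if-feature "tpm:TPM12";
      type leafref {
        path "../tpm:supported-algos";
        /* a specific algorithm, need to check syntax */
      }
      description
        "A single signature-scheme which will be used to sign the evidence
         from a TPM 1.2, which is then placed onto the 'attestation' event
         stream.";
    }
    leaf tpm20-subscribed-signature-scheme {
      if-feature "tpm:TPM20";
      type leafref {
        path "../tpm:supported-algos";
        /* a specific algorithm, need to check syntax */
      }
      description
        "A single signature-scheme which will be used to sign the evidence
         from a TPM 2.0, which is then placed onto the 'attestation' event
         stream.";
    }
    uses heartbeat {
      if-feature "tpm:TPM20";
    }
  }

  /*
   * Per-TPM configuration of the 'attestation' stream.
   */
  augment "/tpm:rats-support-structures/tpm:tpms" {
    description
      "Allows the configuration of 'attestation' stream parameters for a TPM.";
    /* Placeholder: typed as an opaque string until the keystore
     * reference is defined. Nothing in this module constrains the
     * value, so it cannot yet be validated against a real key. */
    leaf leafref-to-keystore {
      config true;
      type string;
      description
        "needs to be replaced with Reference to keystore draft.";
    }
    /* Which PCRs an administrator exposes to subscribers; a request
     * for any other PCR is expected to fail with pcr-unsubscribable. */
    choice subscribable {
      config true;
      description
        "Indicates that the set of notifications which comprise the attestation
         stream can be modified or tuned by a network administrator.";
      case tpm12-stream {
        if-feature "tpm:TPM12";
        description
          "Configuration elements for a TPM1.2 event stream.";
        leaf-list tpm12-pcr-index {
          type tpm:pcr;
          description
            "The numbers/indexes of the PCRs which can be subscribed.";
        }
      }
      case tpm20-stream {
        if-feature "tpm:TPM20";
        description
          "Configuration elements for a TPM2.0 event stream.";
        leaf-list tpm20-pcr-index {
          type tpm:pcr;
          description
            "The numbers/indexes of the PCRs which can be subscribed.";
        }
        /* We need to decide if more than one hash-algo is subscribable */
      }
    }
  }

  /*
   * STRUCTURES - these contain the schema of reportable event types
   *
   * NOTE(review): confirm that the imported revision of
   * ietf-yang-structure-ext permits a 'when' substatement under
   * sx:structure; if it does not, the event-type selection needs to
   * be expressed differently.
   */
  sx:structure bios-event-log {
    when 'derived-from(../event-type, "bios-event-log")';
    description
      "BIOS/UEFI event log format";
    uses tpm:bios-event-log;
  }

  sx:structure ima-event-log {
    when 'derived-from(../event-type, "ima-event-log")';
    description
      "IMA event log format";
    uses tpm:ima-event-log;
  }
}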