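module ietf-tpm-remote-attestation-stream {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-tpm-remote-attestation-stream";
  prefix tras;

  import ietf-subscribed-notifications {
    prefix sn;
    reference
      "RFC 8639: Subscription to YANG Notifications";
  }
  import ietf-tpm-remote-attestation {
    prefix tpm;
    reference
      "draft-ietf-rats-yang-tpm-charra";
  }
  import ietf-tcg-algs {
    prefix taa;
    reference
      "draft-ietf-rats-yang-tpm-charra";
  }

  organization "IETF";
  contact
    "WG Web: <http://tools.ietf.org/wg/rats/>
     WG List: <mailto:rats@ietf.org>

     Editor: Eric Voit
             <mailto:evoit@cisco.com>";
  description
    "This module contains YANG specification for subscribing
     to attestation streams which contain events that have
     been generated by TPM chips or equivalent hardware
     implementations that include the protected capabilities
     as provided by TPMs.

     Copyright (c) 2024 IETF Trust and the persons identified
     as authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Simplified
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
     itself for full legal notices.";

  /*
   * NOTE(review): the revision below is 2024-07-06, but the file is
   * named ...@2026-04-10.yang.  RFC 8407 expects the file name to carry
   * the module's latest revision date; confirm which one is correct.
   */
  revision 2024-07-06 {
    description
      "Initial version.";
    reference
      "draft-ietf-rats-network-device-subscription";
  }

  /*
   * IDENTITIES
   */

  identity pcr-unsubscribable {
    base sn:establish-subscription-error;
    description
      "Requested PCR is unsubscribable by the Attester, e.g. because
       the requested 'pcr-index' is not among the PCRs advertised as
       subscribable for the TPM ('tpm12-pcr-index' /
       'tpm20-pcr-index').";
  }

  /*
   * Groupings
   */

  grouping heartbeat {
    description
      "Allows an Attester to push verifiable, current TPM PCR values
       even when there have been no recent changes to PCRs.";
    leaf tpm20-subscription-heartbeat {
      type uint16;
      units "seconds";
      description
        "Number of seconds before the Attestation stream should send
         a new notification with a fresh quote. This allows
         confirmation that the PCR values haven't changed since the
         last tpm20-attestation.

         NOTE(review): no range is declared and the meaning of the
         value 0 (heartbeat disabled?) is not specified; confirm the
         intended semantics before implementing.";
    }
  }

  /*
   * RPCs
   */

  augment "/sn:establish-subscription/sn:input" {
    /*
     * NOTE(review): RFC 8639 models the stream name as a string
     * (stream-ref is a leafref to /sn:streams/sn:stream/sn:name),
     * whereas derived-from-or-self() is defined over identityref
     * nodes.  Confirm this condition actually matches the
     * 'attestation' stream; if it does not, the intended test is
     * 'sn:stream = "attestation"'.
     */
    when 'derived-from-or-self(sn:stream, "attestation")';
    description
      "Adds a Verifier-supplied nonce and a PCR filter to the
       establish-subscription input parameters when the requested
       stream is the 'attestation' stream.";
    /*
     * The nonce is supplied once, at subscription time.  Nothing in
     * this module renews it per notification, so quotes emitted later
     * in the stream cannot be fresh with respect to a new
     * Verifier-chosen nonce.
     * NOTE(review): confirm how freshness of subsequent quotes is
     * established (e.g. clock/counter fields inside the signed quote)
     * before treating heartbeat notifications as replay protection.
     */
    uses tpm:nonce;
    leaf-list pcr-index {
      type tpm:pcr;
      min-elements 1;
      description
        "The numbers/indexes of the PCRs. This will act as a filter
         for the subscription so that 'pcr-extend' notifications
         related to non-requested PCRs will not be sent to a
         subscriber.";
    }
  }

  /*
   * NOTIFICATIONS
   */

  notification pcr-extend {
    description
      "This notification indicates that one or more PCRs have been
       extended within a TPM based cryptoprocessor. In less than the
       'marshalling-period', it MUST be followed with either a
       corresponding tpm12-attestation or tpm20-attestation
       notification which exposes the result of the PCRs updated.

       Nothing in this notification is signed by the TPM. A Verifier
       should use its contents only to correlate and filter event-log
       entries, and base any trust decision on the signed quote
       carried in the attestation notification that follows.";
    uses tpm:certificate-name-ref;
    leaf-list pcr-index-changed {
      type tpm:pcr;
      min-elements 1;
      description
        "The number of each PCR extended. This list MUST contain the
         set of PCRs described within the event log details. This leaf
         can be derived from the list of attested events, but exposing
         it here allows for easy filtering of the notifications of
         interest to a verifier.";
    }
    list attested-event {
      description
        "A set of events which extended an Attester PCR. The
         sequence of elements represented in the list must match the
         sequence of events placed into the TPM's PCR.";
      container attested-event {
        description
          "An instance of an event which extended an Attester PCR.";
        leaf extended-with {
          type binary;
          mandatory true;
          description
            "Information extending the PCR.";
        }
        choice event-details {
          description
            "Contains the event that the Attester considered worthy
             of recording in a PCR. The cases correspond to the
             identities derived from the identityref base
             tpm:attested_event_log_type.";
          case bios-event-log {
            if-feature "tpm:bios";
            description
              "BIOS/UEFI event log format";
            uses tpm:bios-event-log;
          }
          case ima-event-log {
            if-feature "tpm:ima";
            description
              "IMA event log format";
            uses tpm:ima-event-log;
          }
          case netequip-boot-event-log {
            if-feature "tpm:netequip_boot";
            description
              "Network equipment boot event log format";
            uses tpm:network-equipment-boot-event-log;
          }
        }
      }
    }
  }

  notification tpm12-attestation {
    if-feature "taa:tpm12";
    description
      "Contains an instance of TPM1.2 style signed cryptoprocessor
       measurements. It is supplemented by unsigned Attester
       information.";
    leaf certificate-name {
      type tpm:certificate-name-ref;
      mandatory true;
      description
        "Allows a TPM quote to be associated with a certificate.";
    }
    uses tpm:tpm12-attestation;
    uses tpm:tpm12-hash-algo;
    list unsigned-pcr-values {
      description
        "Allows notifications to be filtered by PCR number or
         PCR value using YANG filtering mechanisms such as XPath.
         This is done without requiring the filtering structure to be
         applied against TCG structured data.

         These values are not covered by the TPM signature. A Verifier
         must compare them against the signed quote before relying on
         them.";
      leaf-list pcr-index {
        type tpm:pcr;
        min-elements 1;
        description
          "PCR index number.";
      }
      leaf-list pcr-value {
        type binary;
        description
          "PCR value in a sequence which matches to the
           'pcr-index'.";
      }
    }
  }

  notification tpm20-attestation {
    if-feature "taa:tpm20";
    description
      "Contains an instance of TPM2 style signed cryptoprocessor
       measurements. It is supplemented by unsigned Attester
       information. The unsigned PCR values exist to make XPath
       filtering possible; a Verifier must compare them against the
       signed quote before relying on them.";
    leaf certificate-name {
      type tpm:certificate-name-ref;
      mandatory true;
      description
        "Allows a TPM quote to be associated with a certificate.";
    }
    uses tpm:tpm20-attestation {
      description
        "Provides the attestation info. Also ensures PCRs can be
         XPath filtered by refining the unsigned data so that it
         appears.";
      refine unsigned-pcr-values {
        min-elements 1;
      }
      refine unsigned-pcr-values/pcr-values {
        min-elements 1;
      }
    }
  }

  /*
   * DATA NODES
   */

  augment "/tpm:rats-support-structures" {
    description
      "Defines platform wide 'attestation' stream subscription
       parameters.";
    leaf marshalling-period {
      type uint8;
      units "seconds";
      default 5;
      description
        "The maximum number of seconds between the time an event
         extends a PCR, and the 'pcr-extend' notification which
         reports it to a subscribed Verifier. This period allows
         multiple extend operations to be bundled together and
         handled as a group.";
    }
    leaf tpm12-subscribed-signature-scheme {
      if-feature "taa:tpm12";
      type leafref {
        path "../tpm:attester-supported-algos" +
             "/tpm:tpm12-asymmetric-signing";
      }
      description
        "A single signature-scheme which will be used to sign the
         evidence from a TPM 1.2, which is then placed onto the
         'attestation' event stream.";
    }
    leaf tpm20-subscribed-signature-scheme {
      if-feature "taa:tpm20";
      type leafref {
        path "../tpm:attester-supported-algos" +
             "/tpm:tpm20-asymmetric-signing";
      }
      description
        "A single signature-scheme which will be used to sign the
         evidence from a TPM 2.0, which is then placed onto the
         'attestation' event stream.";
    }
    uses heartbeat {
      if-feature "taa:tpm20";
    }
  }

  augment "/tpm:rats-support-structures/tpm:tpms" {
    description
      "Allows configuration of 'attestation' stream parameters for a
       TPM.";
    leaf subscription-aik {
      type tpm:certificate-name-ref;
      description
        "Identifies the certificate-name associated with the
         notifications in the 'attestation' stream.";
    }
    choice subscribable {
      config true;
      description
        "Indicates that the set of notifications which comprise the
         'attestation' event stream can be modified or tuned by a
         network administrator.";
      case tpm12-stream {
        if-feature "taa:tpm12";
        description
          "Configuration elements for a TPM1.2 event stream.";
        uses tpm:tpm12-hash-algo;
        leaf-list tpm12-pcr-index {
          type tpm:pcr;
          description
            "The numbers/indexes of the PCRs which can be
             subscribed.";
        }
      }
      case tpm20-stream {
        if-feature "taa:tpm20";
        description
          "Configuration elements for a TPM2.0 event stream.";
        uses tpm:tpm20-hash-algo;
        leaf-list tpm20-pcr-index {
          type tpm:pcr;
          description
            "The numbers/indexes of the PCRs which can be
             subscribed.";
        }
      }
    }
  }
}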