Re: [Last-Call] Last Call: <draft-ietf-rats-yang-tpm-charra-12.txt> (A YANG Data Model for Challenge-Response-based Remote Attestation Procedures using TPMs) to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Tom,

> From: tom petch, Friday, February 11, 2022 5:37 AM
> 
> Eric
> 
> I had a look at the references in -13 (why? OCD??:-( and see some
potential
> glitches.
> 
> YANG import need a reference to the RFC else it is unclear which version
is
> intended

References added in the githib version.  As with the other email, a new v14
should be posted shortly.
 
> YANG has
> PC-Client-EFI-TPM-1.2:
>            https://trustedcomputinggroup.org/wp-content/uploads/
>            PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf
>            Section 9.4.5.2";
> I-D has
> PC-Client-EFI-TPM-1.2]
>            <https://trustedcomputinggroup.org/resource/tcg-efi-
>            platform-specification/>.
> which is not the same

Fixed to a single bios-log reference.

> TPM2.0-Key:           N
> the title looks a bit odd in I-D reference but that may be tools
>    TCG, ., "TPM 2.0 Keys for Device Identity and Attestation,
> 
> 
> RFC2014 I do not see in I-D references

Fixed
 
> I see IEEE Std 1363a-2004 and IEEE 1363a-2004 I think the former better

'Std' added to the YANG reference field.
 
> I see ISO/IEC 10118-3  and ISO/IEC 10118-3:2018.
> I think the latter better

Removed the ":2018" to be consistent throughout the document.  The 2018 part
is highlighted in the actual normative reference.
 
> YANG has
> TCG-Algos:TCG Algorithm Registry Rev1.32
>
http://trustedcomputinggroup.org/resource/tcg-algorithm-registry/
>           TCG-_Algorithm_Registry_r1p32_pub";
> 
> The I-D has
>                <https://trustedcomputinggroup.org/wp-content/uploads/TCG-
>                _Algorithm_Registry_r1p32_pub.pdf>.
> which is not the same (I find the use of '-_' unusual but realise that
that is what
> the TCG specify).

Made the YANG model the I.D reference.
 
> YANG has
> TPM Main Part 2 TPM Structures
>      https://trustedcomputinggroup.org/wp-content/uploads/
>      TPM-main-1.2-Rev94-part-2.pdf";
> which I struggle to see in the I-D.  Is it [TPM1.2-Structures]
>                "TPM Main Part 2 TPM Structures", n.d.,
>                <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
>                Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf>.

Yes, one is a later revision of the document.  I changed the YANG references
to the later revision.
https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Str
uctures_v1.2_rev116_01032011.pdf

Thanks again,
Eric

> Tom Petch
> 
> 
> On 28/01/2022 20:56, Eric Voit (evoit) wrote:
> > Hi Tom,
> > Hi Henk,
> >
> > Tom: from your other thread, the requested references from the YANG
model
> > have been updated throughout the document as requested.   We will post a
> new
> > version as soon as the other topics below are covered to your
satisfaction.
> >
> > Henk: there is one change I hope you can help with.  Search on **Henk.
> >
> >> From: tom petch, January 19, 2022 6:24 AM
> >>
> >> These comments are separate from my previous comments on references
> >> in the YANG modules.  That said,
> >>
> >> 'import' in YANG module must have a YANG reference clause which must
> >> be a Normative Reference in the I-D Reference.
> >
> > This has been updated as part of references fix from your other email.
> > And new text inserted prior to each YANG model describes the embedded
> > references from the draft's Normative list.
> >
> >> ietf-hardware must has a prefix of 'hw' as per RFC8348  throughout
> >> the I-D
> >
> > Change made.
> >
> >> /http:datatracker/https:/datatracker/
> >> in both modules
> >
> > Change made.
> >
> >>          reference
> >>            "draft-ietf-rats-yang-tpm-charra";
> >> perhaps
> >>          reference
> >>            "RFC XXXX: A YANG Data Model for Challenge-Response-based
> >> Remote Attestation Procedures using TPMs";
> >
> > Change made.
> >
> >>        identity attested_event_log_type {
> >>          description
> >>            "Base identity allowing categorization of the reasons why
> >> and
> > /and/an/ ?
> >
> > Change made.
> >
> >>          leaf TPMS_QUOTE_INFO {
> >> most YANG identifiers have been changed to lower case; should this one
be?
> >
> > Multiple review discussions have driven this to be upper case because
> > there is a 1:1 correspondence with an identical object defined by TCG.
> >
> >>        grouping boot-event-log {
> >> could do with more explanation and/or references for this.
> >
> > I made the group description:
> >        "Defines a specific instance of an event log entry
> >         and corresponding to the information used to
> >         extended the PCR";
> >
> > e.g. are there
> >> semantics for the uint32 event-type?
> >
> > ** Henk, can you improve this ietf-tpm-remote-attestation.yang leaf
> > description with a reference:
> >
> >      leaf event-type {
> >          type uint32;
> >          description
> >            "log event type";
> >      }
> >
> >> Security Considerations mention the use of NACM; should the RPC have
> >> a default deny-all?
> >
> > Added "with a default setting of deny-all".
> >
> >>              leaf physical-index {
> >> should this reference the YANG RFC8348 rather than the SMI equivalent?
> >
> > It could.  The initial requirement was driven by someone who wanted to
> > allow operations to make an easy mapping to corresponding Entity MIB
> > data they currently used.  In the end the populated info will be the
same.
> >
> >>              leaf manufacturer {
> >> these are often modelled as Privat Enterprise Numbers as registered
> >> with
> > IANA -
> >> see e.g. draft-ietf-dots-telemetry
> >
> > This could be done.  Nobody in the WG suggested a purpose for
> > leveraging a mechanized list of values here.  I expect the major use
> > would be for manual debugging / manual checking if something went
> > wrong.  Certainly a formal list could be maintained.  It just didn't
seem
> important yet.
> >
> >>          reference
> >>            "RFC XXXX: tbd";
> >> as above
> >
> > Updated.
> >
> >>        identity tpm20 {
> >>          if-feature "tpm12";
> >> looks odd - if correct then worth an explanatory note
> >
> > Fixed.
> >
> > Eric
> >
> >> Tom Petch
> >>
> >> On 14/01/2022 16:16, The IESG wrote:
> >>>
> >>> The IESG has received a request from the Remote ATtestation
> >>> ProcedureS WG
> >>> (rats) to consider the following document: - 'A YANG Data Model for
> >>> Challenge-Response-based Remote Attestation
> >>>      Procedures using TPMs'
> >>>     <draft-ietf-rats-yang-tpm-charra-12.txt> as Proposed Standard
> >>>
> >>> The IESG plans to make a decision in the next few weeks, and
> >>> solicits final comments on this action. Please send substantive
> >>> comments to the last-call@xxxxxxxx mailing lists by 2022-01-28.
> >>> Exceptionally, comments may be sent to iesg@xxxxxxxx instead. In
> >>> either case, please retain the beginning of the Subject line to allow
> automated sorting.
> >>>
> >>> Abstract
> >>>
> >>>
> >>>      This document defines YANG RPCs and a small number of
configuration
> >>>      nodes required to retrieve attestation evidence about integrity
> >>>      measurements from a device, following the operational context
> > defined
> >>>      in TPM-based Network Device Remote Integrity Verification.
> >>>      Complementary measurement logs are also provided by the YANG
RPCs,
> >>>      originating from one or more roots of trust for measurement
(RTMs).
> >>>      The module defined requires at least one TPM 1.2 or TPM 2.0 as
well
> >>>      as a corresponding TPM Software Stack (TSS), included in the
device
> >>>      components of the composite device the YANG server is running on.
> >>>
> >>>
> >>>
> >>>
> >>> The file can be obtained via
> >>> https://datatracker.ietf.org/doc/draft-ietf-rats-yang-tpm-charra/
> >>>
> >>>
> >>>
> >>> No IPR declarations have been submitted directly on this I-D.
> >>>
> >>>
> >>> The document contains these normative downward references.
> >>> See RFC 3967 for additional information:
> >>>       draft-ietf-rats-tpm-based-network-device-attest: TPM-based
> >>> Network
> >> Device Remote Integrity Verification (None - Internet Engineering
> >> Task
> > Force
> >> (IETF))
> >>>       draft-ietf-rats-architecture: Remote Attestation Procedures
> >>> Architecture (None - Internet Engineering Task Force (IETF))
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> IETF-Announce mailing list
> >>> IETF-Announce@xxxxxxxx
> >>> https://www.ietf.org/mailman/listinfo/ietf-announce
> >>> .
> >>>

<<attachment: smime.p7s>>

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux