idnits 2.17.1 

draft-birkholz-rats-tuda-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There is 1 instance of too long lines in the document, the longest one
     being 9 characters in excess of 72.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 12, 2019) is 1862 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'AIK-Cert' is mentioned on line 3046, but not defined

  == Missing Reference: 'TSA-Cert' is mentioned on line 3046, but not defined

  == Outdated reference: A later version (-08) exists of
     draft-ietf-cbor-cddl-07

  == Outdated reference: A later version (-17) exists of
     draft-ietf-core-comi-04

  == Outdated reference: A later version (-24) exists of
     draft-ietf-sacm-coswid-08

  -- Obsolete informational reference (is this intentional?): RFC 7049
     (Obsoleted by RFC 8949)

  -- Obsolete informational reference (is this intentional?): RFC 7230
     (Obsoleted by RFC 9110, RFC 9112)

  -- Obsolete informational reference (is this intentional?): RFC 7320
     (Obsoleted by RFC 8820)

  -- Obsolete informational reference (is this intentional?): RFC 7540
     (Obsoleted by RFC 9113)


     Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                           A. Fuchs
3	Internet-Draft                                               H. Birkholz
4	Intended status: Informational                            Fraunhofer SIT
5	Expires: September 13, 2019                                  I. McDonald
6	                                                          High North Inc
7	                                                              C. Bormann
8	                                                 Universitaet Bremen TZI
9	                                                          March 12, 2019

11	                 Time-Based Uni-Directional Attestation
12	                      draft-birkholz-rats-tuda-00

14	Abstract

16	   This memo documents the method and bindings used to conduct time-
17	   based uni-directional attestation between distinguishable endpoints
18	   over the network.

20	Status of This Memo

22	   This Internet-Draft is submitted in full conformance with the
23	   provisions of BCP 78 and BCP 79.

25	   Internet-Drafts are working documents of the Internet Engineering
26	   Task Force (IETF).  Note that other groups may also distribute
27	   working documents as Internet-Drafts.  The list of current Internet-
28	   Drafts is at https://datatracker.ietf.org/drafts/current/.

30	   Internet-Drafts are draft documents valid for a maximum of six months
31	   and may be updated, replaced, or obsoleted by other documents at any
32	   time.  It is inappropriate to use Internet-Drafts as reference
33	   material or to cite them other than as "work in progress."

35	   This Internet-Draft will expire on September 13, 2019.

37	Copyright Notice

39	   Copyright (c) 2019 IETF Trust and the persons identified as the
40	   document authors.  All rights reserved.

42	   This document is subject to BCP 78 and the IETF Trust's Legal
43	   Provisions Relating to IETF Documents
44	   (https://trustee.ietf.org/license-info) in effect on the date of
45	   publication of this document.  Please review these documents
46	   carefully, as they describe your rights and restrictions with respect
47	   to this document.  Code Components extracted from this document must
48	   include Simplified BSD License text as described in Section 4.e of
49	   the Trust Legal Provisions and are provided without warranty as
50	   described in the Simplified BSD License.

52	Table of Contents

54	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
55	     1.1.  Remote Attestation  . . . . . . . . . . . . . . . . . . .   4
56	     1.2.  Evidence Creation . . . . . . . . . . . . . . . . . . . .   5
57	     1.3.  Evidence Appraisal  . . . . . . . . . . . . . . . . . . .   5
58	     1.4.  Activities and Actions  . . . . . . . . . . . . . . . . .   5
59	     1.5.  Attestation and Verification  . . . . . . . . . . . . . .   6
60	     1.6.  Information Elements and Conveyance . . . . . . . . . . .   6
61	     1.7.  TUDA Objectives . . . . . . . . . . . . . . . . . . . . .   7
62	     1.8.  Hardware Dependencies . . . . . . . . . . . . . . . . . .   7
63	     1.9.  Requirements Notation . . . . . . . . . . . . . . . . . .   7
64	   2.  TUDA Core Concept . . . . . . . . . . . . . . . . . . . . . .   8
65	   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   9
66	     3.1.  Universal Terms . . . . . . . . . . . . . . . . . . . . .   9
67	     3.2.  Roles . . . . . . . . . . . . . . . . . . . . . . . . . .  10
68	       3.2.1.  General Types . . . . . . . . . . . . . . . . . . . .  11
69	       3.2.2.  RoT specific terms  . . . . . . . . . . . . . . . . .  11
70	     3.3.  Certificates  . . . . . . . . . . . . . . . . . . . . . .  11
71	   4.  Time-Based Uni-Directional Attestation  . . . . . . . . . . .  11
72	     4.1.  TUDA Information Elements Update Cycles . . . . . . . . .  13
73	   5.  Sync Base Protocol  . . . . . . . . . . . . . . . . . . . . .  15
74	   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  16
75	   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  16
76	   8.  Change Log  . . . . . . . . . . . . . . . . . . . . . . . . .  16
77	   9.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  17
78	   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  17
79	     10.1.  Normative References . . . . . . . . . . . . . . . . . .  17
80	     10.2.  Informative References . . . . . . . . . . . . . . . . .  17
81	   Appendix A.  REST Realization . . . . . . . . . . . . . . . . . .  21
82	   Appendix B.  SNMP Realization . . . . . . . . . . . . . . . . . .  21
83	     B.1.  Structure of TUDA MIB . . . . . . . . . . . . . . . . . .  22
84	       B.1.1.  Cycle Index . . . . . . . . . . . . . . . . . . . . .  22
85	       B.1.2.  Instance Index  . . . . . . . . . . . . . . . . . . .  22
86	       B.1.3.  Fragment Index  . . . . . . . . . . . . . . . . . . .  22
87	     B.2.  Relationship to Host Resources MIB  . . . . . . . . . . .  23
88	     B.3.  Relationship to Entity MIB  . . . . . . . . . . . . . . .  23
89	     B.4.  Relationship to Other MIBs  . . . . . . . . . . . . . . .  23
90	     B.5.  Definition of TUDA MIB  . . . . . . . . . . . . . . . . .  23
91	   Appendix C.  YANG Realization . . . . . . . . . . . . . . . . . .  39
92	   Appendix D.  Realization with TPM functions . . . . . . . . . . .  54
93	     D.1.  TPM Functions . . . . . . . . . . . . . . . . . . . . . .  54
94	       D.1.1.  Tick-Session and Tick-Stamp . . . . . . . . . . . . .  54
95	       D.1.2.  Platform Configuration Registers (PCRs) . . . . . . .  55
96	       D.1.3.  PCR restricted Keys . . . . . . . . . . . . . . . . .  55
97	       D.1.4.  CertifyInfo . . . . . . . . . . . . . . . . . . . . .  56
98	     D.2.  IE Generation Procedures for TPM 1.2  . . . . . . . . . .  56
99	       D.2.1.  AIK and AIK Certificate . . . . . . . . . . . . . . .  56
100	       D.2.2.  Synchronization Token . . . . . . . . . . . . . . . .  57
101	       D.2.3.  RestrictionInfo . . . . . . . . . . . . . . . . . . .  59
102	       D.2.4.  Measurement Log . . . . . . . . . . . . . . . . . . .  61
103	       D.2.5.  Implicit Attestation  . . . . . . . . . . . . . . . .  62
104	       D.2.6.  Attestation Verification Approach . . . . . . . . . .  63
105	     D.3.  IE Generation Procedures for TPM 2.0  . . . . . . . . . .  65
106	       D.3.1.  AIK and AIK Certificate . . . . . . . . . . . . . . .  65
107	       D.3.2.  Synchronization Token . . . . . . . . . . . . . . . .  66
108	       D.3.3.  Measurement Log . . . . . . . . . . . . . . . . . . .  66
109	       D.3.4.  Explicit time-based Attestation . . . . . . . . . . .  67
110	       D.3.5.  Sync Proof  . . . . . . . . . . . . . . . . . . . . .  67
111	   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  68
112	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  68

114	1.  Introduction

116	   Remote attestation (RA) describes the attempt to determine and
117	   appraise properties, such as integrity and trustworthiness, of an
118	   endpoint -- the Attestor -- over a network to another endpoint -- the
119	   Verifier -- without direct access.  Typically, this kind of appraisal
120	   is based on integrity measurements of software components right
121	   before they are loaded as software instances on the Attestor.  In
122	   general, attestation procedures are utilizing a hardware root of
123	   trust (RoT).  The TUDA protocol family uses hash values of all
124	   started software components that are stored (extended into) a Trust-
125	   Anchor (the RoT) implemented as a Hardware Security Module (e.g. a
126	   Trusted Platform Module or similar) and are reported via a signature
127	   over those measurements.

129	   This draft introduces the concept of including the exchange of
130	   evidence -- created via a hardware RoT containing a shielded secret
131	   that is inaccessible to the user -- in order to increase the
132	   confidence in a communication peer that is supposed to be a Trusted
133	   System [RFC4949].  In consequence, this document introduces the term
134	   forward authenticity.

136	   Forward Authenticity (FA):  A property of secure communication
137	      protocols, in which later compromise of the long-term keys of a
138	      data origin does not compromise past authentication of data from
139	      that origin. FA is achieved by timely recording of assessments of
140	      the authenticity from entities (via "audit logs" during "audit
141	      sessions") that are authorized for this purpose, in a time frame
142	      much shorter than that expected for the compromise of the long-
143	      term keys.

145	   Forward Authenticity enables new level of guarantee and can be
146	   included in the basically every protocol, such as ssh, router
147	   advertisements, link layer neighbor discover, or even ICMP echo.

149	1.1.  Remote Attestation

151	   In essence, remote attestation (RA) is composed of three activities.
152	   The following definitions are derived from the definitions presented
153	   in [PRIRA] and [TCGGLOSS].

155	   Attestation:  The creation of one ore more claims about the
156	      properties of an Attestor, such that the claims can be used as
157	      evidence.

159	   Conveyance:  The transfer of evidence from the Attestor to the
160	      Verifier via an interconnect.

162	   Verification:  The appraisal of evidence by evaluating it against
163	      declarative guidance.

165	   With TUDA, the claims that compose the evidence are signatures over
166	   trustworthy integrity measurements created by leveraging a hardware
167	   RoT.  The evidence is appraised via corresponding signatures over
168	   reference integrity measurements (RIM, represented, for example via
169	   [I-D.ietf-sacm-coswid]).

171	   Protocols that facilitate Trust-Anchor based signatures in order to
172	   provide RATS are usually bi-directional challenge/response protocols,
173	   such as the Platform Trust Service protocol [PTS] or CAVES [PRIRA],
174	   where one entity sends a challenge that is included inside the
175	   response to prove the recentness -- the freshness (see fresh in
176	   [RFC4949]) -- of the attestation information.  The corresponding
177	   interaction model tightly couples the three activities of creating,
178	   transferring and appraising evidence.

180	   The Time-Based Uni-directional Attestation family of protocols --
181	   TUDA -- described in this document can decouple the three activities
182	   RATS are composed of.  As a result, TUDA provides additional
183	   capabilities, such as:

185	   o  remote attestation for Attestors that might not always be able to
186	      reach the Internet by enabling the verification of past states,

188	   o  secure audit logs by combining the evidence created via TUDA with
189	      integrity measurement logs that represent a detailed record of
190	      corresponding past states,

192	   o  an uni-directional interaction model that can traverse "diode-
193	      like" network security functions (NSF) or can be leveraged in
194	      RESTful architectures (e.g.  CoAP [RFC7252]), analogously.

196	1.2.  Evidence Creation

198	   TUDA is a family of protocols that bundles results from specific
199	   attestation activities.  The attestation activities of TUDA are based
200	   on a hardware Root of Trust that provides the following capabilities:

202	   o  Platform Configuration Registers (PCR) that store measurements
203	      consecutively (corresponding terminology: "to extend a PCR") and
204	      represent the chain of measurements as a single measurement value
205	      ("PCR value"),

207	   o  Restricted Signing Keys (RSK) that can only be accessed, if a
208	      specific signature about measurements can be provided as
209	      authentication, and

211	   o  a dedicated source of (relative) time, e.g. a tick counter.

213	1.3.  Evidence Appraisal

215	   To appraise the evidence created by an Attestor, the Verifier
216	   requires corresponding Reference Integrity Measurements (RIM).
217	   Typically, a set of RIM are bundled in a RIM-Manifest (RIMM).  The
218	   scope of a manifest encompasses, e.g., a platform, a device, a
219	   computing context, or a virtualised function.  In order to be
220	   comparable, the hashing algorithms used by the Attestor to create the
221	   integrity measurements have to match the hashing algorithms used to
222	   create the corresponding RIM that are used by the Verifier to
223	   appraise the integrity evidence.

225	1.4.  Activities and Actions

227	   Depending on the platform (i.e. one or more computing contexts
228	   including a dedicated hardware RoT), a generic RA activity results in
229	   platform-specific actions that have to be conducted.  In consequence,
230	   there are multiple specific operations and data models (defining the
231	   input and output of operations).  Hence, specific actions are are not
232	   covered by this document.  Instead, the requirements on operations
233	   and the information elements that are the input and output to these
234	   operations are illustrated using pseudo code in Appendix C and D.

236	1.5.  Attestation and Verification

238	   Both the attestation and the verification activity of TUDA also
239	   require a trusted Time Stamp Authority (TSA) as an additional third
240	   party next to the Attestor and the Verifier.  The protocol uses a
241	   Time Stamp Authority based on [RFC3161].  The combination of the
242	   local source of time provided by the hardware RoT (located on the
243	   Attestor) and the Time Stamp Tokens provided by the TSA (to both the
244	   Attestor and the Verifier) enable the attestation and verification of
245	   an appropriate freshness of the evidence conveyed by the Attestor --
246	   without requiring a challenge/response interaction model that uses a
247	   nonce to ensure the freshness.

249	   Typically, the verification activity requires declarative guidance
250	   (representing desired or compliant endpoint characteristics in the
251	   form of RIM, see above) to appraise the individual integrity
252	   measurements the conveyed evidence is composed on.  The acquisition
253	   or representation (data models) of declarative guidance as well as
254	   the corresponding evaluation methods are out of the scope of this
255	   document.

257	1.6.  Information Elements and Conveyance

259	   TUDA defines a set of information elements (IE) that are created and
260	   stored on the Attestor and are intended to be transferred to the
261	   Verifier in order to enable appraisal.  Each TUDA IE:

263	   o  is encoded in the Concise Binary Object Representation (CBOR
264	      [RFC7049]) to minimize the volume of data in motion.  In this
265	      document, the composition of the CBOR data items that represent IE
266	      is described using the Concise Data Definition Language, CDDL
267	      [I-D.ietf-cbor-cddl]

269	   o  that requires a certain freshness is only created/updated when
270	      out-dated, which reduces the overall resources required from the
271	      Attestor, including the utilization of the hardware root of trust.
272	      The IE that have to be created are determined by their age or by
273	      specific state changes on the Attestor (e.g. state changes due to
274	      a reboot-cycle)

276	   o  is only transferred when required, which reduces the amount of
277	      data in motion necessary to conduct remote attestation
278	      significantly.  Only IE that have changed since their last
279	      conveyance have to be transferred

281	   o  that requires a certain freshness can be reused for multiple
282	      remote attestation procedures in the limits of its corresponding
283	      freshness-window, further reducing the load imposed on the
284	      Attestor and its corresponding hardware RoT.

286	1.7.  TUDA Objectives

288	   The Time-Based Uni-directional Attestation family of protocols is
289	   designed to:

291	   o  increase the confidence in authentication and authorization
292	      procedures,

294	   o  address the requirements of constrained-node networks,

296	   o  support interaction models that do not maintain connection-state
297	      over time, such as REST architectures [REST],

299	   o  be able to leverage existing management interfaces, such as SNMP
300	      [RFC3411].  RESTCONF [RFC8040] or CoMI [I-D.ietf-core-comi] -- and
301	      corresponding bindings,

303	   o  support broadcast and multicast schemes (e.g.  [IEEE1609]),

305	   o  be able to cope with temporary loss of connectivity, and to

307	   o  provide trustworthy audit logs of past endpoint states.

309	1.8.  Hardware Dependencies

311	   The binding of the attestation scheme used by TUDA to generate the
312	   TUDA IE is specific to the methods provided by the hardware RoT used
313	   (see above).  In this document,expositional text and pseudo-code that
314	   is provided as a reference to instantiate the TUDA IE is based on TPM
315	   1.2 and TPM 2.0 operations.  The corresponding TPM commands are
316	   specified in [TPM12] and [TPM2].  The references to TPM commands and
317	   corresponding pseudo-code only serve as guidance to enable a better
318	   understanding of the attestation scheme and is intended to encourage
319	   the use of any appropriate hardware RoT or equivalent set of
320	   functions available to a CPU or Trusted Execution Environment [TEE].

322	1.9.  Requirements Notation

324	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
325	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
326	   "OPTIONAL" in this document are to be interpreted as described in RFC
327	   2119, BCP 14 [RFC2119].

329	2.  TUDA Core Concept

331	   There are significant differences between conventional bi-directional
332	   attestation and TUDA regarding both the information elements conveyed
333	   between Attestor and Verifier and the time-frame, in which an
334	   attestation can be considered to be fresh (and therefore
335	   trustworthy).

337	   In general, remote attestation using a bi-directional communication
338	   scheme includes sending a nonce-challenge within a signed attestation
339	   token.  Using the TPM 1.2 as an example, a corresponding nonce-
340	   challenge would be included within the signature created by the
341	   TPM_Quote command in order to prove the freshness of the attestation
342	   response, see e.g.  [PTS].

344	   In contrast, the TUDA protocol uses the combined output of
345	   TPM_CertifyInfo and TPM_TickStampBlob.  The former provides a proof
346	   about the platform's state by creating evidence that a certain key is
347	   bound to that state.  The latter provides proof that the platform was
348	   in the specified state by using the bound key in a time operation.
349	   This combination enables a time-based attestation scheme.  The
350	   approach is based on the concepts introduced in [SCALE] and
351	   [SFKE2008].

353	   Each TUDA IE has an individual time-frame, in which it is considered
354	   to be fresh (and therefore trustworthy).  In consequence, each TUDA
355	   IE that composes data in motion is based on different methods of
356	   creation.

358	   The freshness properties of a challenge-response based protocol
359	   define the point-of-time of attestation between:

361	   o  the time of transmission of the nonce, and

363	   o  the reception of the corresponding response.

365	   Given the time-based attestation scheme, the freshness property of
366	   TUDA is equivalent to that of bi-directional challenge response
367	   attestation, if the point-in-time of attestation lies between:

369	   o  the transmission of a TUDA time-synchronization token, and

371	   o  the typical round-trip time between the Verifier and the Attestor.

373	   The accuracy of this time-frame is defined by two factors:

375	   o  the time-synchronization between the Attestor and the TSA.  The
376	      time between the two tickstamps acquired via the hardware RoT
377	      define the scope of the maximum drift ("left" and "right" in
378	      respect to the timeline) to the TSA timestamp, and

380	   o  the drift of clocks included in the hardware RoT.

382	   Since the conveyance of TUDA evidence does not rely upon a Verifier
383	   provided value (i.e. the nonce), the security guarantees of the
384	   protocol only incorporate the TSA and the hardware RoT.  In
385	   consequence, TUDA evidence can even serve as proof of integrity in
386	   audit logs with precise point-in-time guarantees, in contrast to
387	   classical attestations.

389	   Appendix A contains guidance on how to utilize a REST architecture.

391	   Appendix B contains guidance on how to create an SNMP binding and a
392	   corresponding TUDA-MIB.

394	   Appendix C contains a corresponding YANG module that supports both
395	   RESTCONF and CoMI.

397	   Appendix D.2 contains a realization of TUDA using TPM 1.2 primitives.

399	   Appendix D.3 contains a realization of TUDA using TPM 2.0 primitives.

401	3.  Terminology

403	   This document introduces roles, information elements and types
404	   required to conduct TUDA and uses terminology (e.g. specific
405	   certificate names) typically seen in the context of attestation or
406	   hardware security modules.

408	3.1.  Universal Terms

410	   Attestation Identity Key (AIK):  a special purpose signature
411	      (therefore asymmetric) key that supports identity related
412	      operations.  The private portion of the key pair is maintained
413	      confidential to the entity via appropriate measures (that have an
414	      impact on the scope of confidence).  The public portion of the key
415	      pair may be included in AIK credentials that provide a claim about
416	      the entity.

418	   Claim:  A piece of information asserted about a subject [RFC4949].  A
419	      claim is represented as a name/value pair consisting of a Claim
420	      Name and a Claim Value [RFC7519].

422	      In the context of SACM, a claim is also specialized as an
423	      attribute/value pair that is intended to be related to a statement
424	      [I-D.ietf-sacm-terminology].

426	   Endpoint Attestation:  the creation of evidence on the Attestor that
427	      provides proof of a set of the endpoints's integrity measurements.
428	      This is done by digitally signing a set of PCRs using an AIK
429	      shielded by the hardware RoT.

431	   Endpoint Characteristics:  the context, composition, configuration,
432	      state, and behavior of an endpoint.

434	   Evidence:  a trustworthy set of claims about an endpoint's
435	      characteristics.

437	   Identity:  a set of claims that is intended to be related to an
438	      entity.

440	   Integrity Measurements:  Metrics of endpoint characteristics (i.e.
441	      composition, configuration and state) that affect the confidence
442	      in the trustworthiness of an endpoint.  Digests of integrity
443	      measurements can be stored in shielded locations (i.e.  PCR of a
444	      TPM).

446	   Reference Integrity Measurements:  Signed measurements about the
447	      characteristics of an endpoint's characteristics that are provided
448	      by a vendor and are intended to be used as declarative guidance
449	      [I-D.ietf-sacm-terminology] (e.g. a signed CoSWID).

451	   Trustworthy:  the qualities of an endpoint that guarantee a specific
452	      behavior and/or endpoint characteristics defined by declarative
453	      guidance.  Analogously, trustworthiness is the quality of being
454	      trustworthy with respect to declarative guidance.  Trustworthiness
455	      is not an absolute property but defined with respect to an entity,
456	      corresponding declarative guidance, and has a scope of confidence.

458	      Trustworthy Endpoint: an endpoint that guarantees trustworthy
459	      behavior and/or composition (with respect to certain declarative
460	      guidance and a scope of confidence).

462	      Trustworthy Statement: evidence that is trustworthy conveyed by an
463	      endpoint that is not necessarily trustworthy.

465	3.2.  Roles

467	   Attestor:  the endpoint that is the subject of the attestation to
468	      another endpoint.

470	   Verifier:  the endpoint that consumes the attestation of another
471	      endpoint to conduct a verification.

473	   TSA:  a Time Stamp Authority [RFC3161]

475	3.2.1.  General Types

477	   Byte:  the now customary synonym for octet

479	   Cert:  an X.509 certificate represented as a byte-string

481	3.2.2.  RoT specific terms

483	   PCR:  a Platform Configuration Register that is part of a hardware
484	      root of trust and is used to securely store and report
485	      measurements about security posture

487	   PCR-Hash:  a hash value of the security posture measurements stored
488	      in a TPM PCR (e.g. regarding running software instances)
489	      represented as a byte-string

491	3.3.  Certificates

493	   TSA-CA:  the Certificate Authority that provides the certificate for
494	      the TSA represented as a Cert

496	   AIK-CA:  the Certificate Authority that provides the certificate for
497	      the attestation identity key of the TPM.  This is the client
498	      platform credential for this protocol.  It is a placeholder for a
499	      specific CA and AIK-Cert is a placeholder for the corresponding
500	      certificate, depending on what protocol was used.  The specific
501	      protocols are out of scope for this document, see also
502	      [AIK-Enrollment] and [IEEE802.1AR].

504	4.  Time-Based Uni-Directional Attestation

506	   A Time-Based Uni-Directional Attestation (TUDA) consists of the
507	   following seven information elements.  They are used to gain
508	   assurance of the Attestor's platform configuration at a certain point
509	   in time:

511	   TSA Certificate:  The certificate of the Time Stamp Authority that is
512	      used in a subsequent synchronization protocol token.  This
513	      certificate is signed by the TSA-CA.

515	   AIK Certificate:  A certificate about the Attestation Identity Key
516	      (AIK) used.  This may or may not also be an [IEEE802.1AR] IDevID
517	      or LDevID, depending on their setting of the corresponding
518	      identity property.  ([AIK-Credential], [AIK-Enrollment]; see
519	      Appendix D.2.1.)

521	   Synchronization Token:  The reference for attestations are the
522	      relative timestanps provided by the hardware RoT.  In order to put
523	      attestations into relation with a Real Time Clock (RTC), it is
524	      necessary to provide a cryptographic synchronization between these
525	      trusted relative timestamps and the regular RTC that is a hardware
526	      component of the Attestor.  To do so, a synchronization protocol
527	      is run with a Time Stamp Authority (TSA).

529	   Restriction Info:  The attestation relies on the capability of the
530	      hardware RoT to operate on restricted keys.  Whenever the PCR
531	      values for the machine to be attested change, a new restricted key
532	      is created that can only be operated as long as the PCRs remain in
533	      their current state.

535	      In order to prove to the Verifier that this restricted temporary
536	      key actually has these properties and also to provide the PCR
537	      value that it is restricted, the corresponding signing
538	      capabilities of the hardware RoT are used.  It creates a signed
539	      certificate using the AIK about the newly created restricted key.

541	   Measurement Log:  Similarly to regular attestations, the Verifier
542	      needs a way to reconstruct the PCRs' values in order to estimate
543	      the trustworthiness of the device.  As such, a list of those
544	      elements that were extended into the PCRs is reported.  Note
545	      though that for certain environments, this step may be optional if
546	      a list of valid PCR configurations (in the form of RIM available
547	      to the Verifier) exists and no measurement log is required.

549	   Implicit Attestation:  The actual attestation is then based upon a
550	      signed timestamp provided by the hardware RoT using the restricted
551	      temporary key that was certified in the steps above.  The signed
552	      timestamp provides evidence that at this point in time (with
553	      respect to the relative time of the hardware RoT) a certain
554	      configuration existed (namely the PCR values associated with the
555	      restricted key).  Together with the synchronization token this
556	      timestamp represented in relative time can then be related to the
557	      real-time clock.

559	   Concise SWID tags:  As an option to better assess the trustworthiness
560	      of an Attestor, a Verifier can request the reference hashes (RIM,
561	      which are often referred to as golden measurements) of all started
562	      software components to compare them with the entries in the
563	      measurement log.  References hashes regarding installed (and
564	      therefore running) software can be provided by the manufacturer
565	      via SWID tags.  SWID tags are provided by the Attestor using the
566	      Concise SWID representation [I-D.ietf-sacm-coswid] and bundled
567	      into a CBOR array (a RIM Manifest).  Ideally, the reference hashes
568	      include a signature created by the manufacturer of the software to
569	      prove their integrity.

571	   These information elements could be sent en bloc, but it is
572	   recommended to retrieve them separately to save bandwidth, since
573	   these elements have different update cycles.  In most cases,
574	   retransmitting all seven information elements would result in
575	   unnecessary redundancy.

577	   Furthermore, in some scenarios it might be feasible not to store all
578	   elements on the Attestor endpoint, but instead they could be
579	   retrieved from another location or be pre-deployed to the Verifier.
580	   It is also feasible to only store public keys on the Verifier and
581	   skip the whole certificate provisioning completely in order to save
582	   bandwidth and computation time for certificate verification.

584	4.1.  TUDA Information Elements Update Cycles

586	   An endpoint can be in various states and have various information
587	   associated with it during its life cycle.  For TUDA, a subset of the
588	   states (which can include associated information) that an endpoint
589	   and its hardware root of trust can be in, is important to the
590	   attestation process.  States can be:

592	   o  persistent, even after a hard reboot.  This includes certificates
593	      that are associated with the endpoint itself or with services it
594	      relies on.

596	   o  volatile to a degree, because they change at the beginning of each
597	      boot cycle.  This includes the capability of a hardware RoT to
598	      provide relative time which provides the basis for the
599	      synchronization token and implicit attestation--and which can
600	      reset after an endpoint is powered off.

602	   o  very volatile, because they change during an uptime cycle (the
603	      period of time an endpoint is powered on, starting with its boot).
604	      This includes the content of PCRs of a hardware RoT and thereby
605	      also the PCR-restricted signing keys used for attestation.

607	   Depending on this "lifetime of state", data has to be transported
608	   over the wire, or not.  E.g. information that does not change due to
609	   a reboot typically has to be transported only once between the
610	   Attestor and the Verifier.

612	   There are three kinds of events that require a renewed attestation:

614	   o  The Attestor completes a boot-cycle

616	   o  A relevant PCR changes

618	   o  Too much time has passed since the last attestation statement
619	   The third event listed above is variable per application use case and
620	   also depends on the precision of the clock included in the hardware
621	   RoT.  For usage scenarios, in which the device would periodically
622	   push information to be used in an audit-log, a time-frame of
623	   approximately one update per minute should be sufficient in most
624	   cases.  For those usage scenarios, where Verifiers request (pull) a
625	   fresh attestation statement, an implementation could use the hardware
626	   RoT continuously to always present the most freshly created results.
627	   To save some utilization of the hardware RoT for other purposes,
628	   however, a time-frame of once per ten seconds is recommended, which
629	   would typically leave about 80% of utilization for other
630	   applications.

632	   Attestor                                                 Verifier
633	      |                                                         |
634	    Boot                                                        |
635	      |                                                         |
636	    Create Sync-Token                                           |
637	      |                                                         |
638	    Create Restricted Key                                       |
639	    Certify Restricted Key                                      |
640	      |                                                         |
641	      | AIK-Cert ---------------------------------------------> |
642	      | Sync-Token -------------------------------------------> |
643	      | Certify-Info -----------------------------------------> |
644	      | Measurement Log --------------------------------------> |
645	      | Attestation ------------------------------------------> |
646	      |                                           Verify Attestation
647	      |                                                         |
648	      |       <Time Passed>                                     |
649	      |                                                         |
650	      | Attestation ------------------------------------------> |
651	      |                                           Verify Attestation
652	      |                                                         |
653	      |       <Time Passed>                                     |
654	      |                                                         |
655	    PCR-Change                                                  |
656	      |                                                         |
657	    Create Restricted Key                                       |
658	    Certify Restricted Key                                      |
659	      |                                                         |
660	      | Certify-Info -----------------------------------------> |
661	      | Measurement Log --------------------------------------> |
662	      | Attestation ------------------------------------------> |
663	      |                                           Verify Attestation
664	      |                                                         |
665	    Boot                                                        |
666	      |                                                         |

668	    Create Sync-Token                                           |
669	      |                                                         |
670	    Create Restricted Key                                       |
671	    Certify Restricted Key                                      |
672	      |                                                         |
673	      | Sync-Token -------------------------------------------> |
674	      | Certify-Info -----------------------------------------> |
675	      | Measurement Log --------------------------------------> |
676	      | Attestation ------------------------------------------> |
677	      |                                           Verify Attestation
678	      |                                                         |
679	      |       <Time Passed>                                     |
680	      |                                                         |
681	      | Attestation ------------------------------------------> |
682	      |                                           Verify Attestation
683	      |                                                         |

685	                   Figure 1: Example sequence of events

687	5.  Sync Base Protocol

689	   The uni-directional approach of TUDA requires evidence on how the TPM
690	   time represented in ticks (relative time since boot of the TPM)
691	   relates to the standard time provided by the TSA.  The Sync Base
692	   Protocol (SBP) creates evidence that binds the TPM tick time to the
693	   TSA timestamp.  The binding information is used by and conveyed via
694	   the Sync Token (TUDA IE).  There are three actions required to create
695	   the content of a Sync Token:

697	   o  At a given point in time (called "left"), a signed tickstamp
698	      counter value is acquired from the hardware RoT.  The hash of
699	      counter and signature is used as a nonce in the request directed
700	      at the TSA.

702	   o  The corresponding response includes a data-structure incorporating
703	      the trusted timestamp token and its signature created by the TSA.

705	   o  At the point-in-time the response arrives (called "right"), a
706	      signed tickstamp counter value is acquired from the hardware RoT
707	      again, using a hash of the signed TSA timestamp as a nonce.

709	   The three time-related values -- the relative timestamps provided by
710	   the hardware RoT ("left" and "right") and the TSA timestamp -- and
711	   their corresponding signatures are aggregated in order to create a
712	   corresponding Sync Token to be used as a TUDA Information Element
713	   that can be conveyed as evidence to a Verifier.

715	   The drift of a clock incorporated in the hardware RoT that drives the
716	   increments of the tick counter constitutes one of the triggers that
717	   can initiate a TUDA Information Element Update Cycle in respect to
718	   the freshness of the available Sync Token.

720	   content TBD

722	6.  IANA Considerations

724	   This memo includes requests to IANA, including registrations for
725	   media type definitions.

727	   TBD

729	7.  Security Considerations

731	   There are Security Considerations.  TBD

733	8.  Change Log

735	   Changes from version 04 to I2NSF related document version 00: *
736	   Refactored main document to be more technology agnostic * Added first
737	   draft of procedures for TPM 2.0 * Improved content consistency and
738	   structure of all sections

740	   Changes from version 03 to version 04:

742	   o  Refactoring of Introduction, intend, scope and audience

744	   o  Added first draft of Sync Base Prootoll section illustrated
745	      background for interaction with TSA

747	   o  Added YANG module

749	   o  Added missing changelog entry

751	   Changes from version 02 to version 03:

753	   o  Moved base concept out of Introduction

755	   o  First refactoring of Introduction and Concept

757	   o  First restructuring of Appendices and improved references

759	   Changes from version 01 to version 02:

761	   o  Restructuring of Introduction, highlighting conceptual
762	      prerequisites

764	   o  Restructuring of Concept to better illustrate differences to hand-
765	      shake based attestation and deciding factors regarding freshness
766	      properties

768	   o  Subsection structure added to Terminology

770	   o  Clarification of descriptions of approach (these were the FIXMEs)

772	   o  Correction of RestrictionInfo structure: Added missing signature
773	      member

775	   Changes from version 00 to version 01:

777	   Major update to the SNMP MIB and added a table for the Concise SWID
778	   profile Reference Hashes that provides additional information to be
779	   compared with the measurement logs.

781	9.  Contributors

783	   TBD

785	10.  References

787	10.1.  Normative References

789	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
790	              Requirement Levels", BCP 14, RFC 2119,
791	              DOI 10.17487/RFC2119, March 1997,
792	              <https://www.rfc-editor.org/info/rfc2119>.

794	10.2.  Informative References

796	   [AIK-Credential]
797	              TCG Infrastructure Working Group, "TCG Credential
798	              Profile", 2007, <https://www.trustedcomputinggroup.org/wp-
799	              content/uploads/IWG-Credential_Profiles_V1_R1_14.pdf>.

801	   [AIK-Enrollment]
802	              TCG Infrastructure Working Group, "A CMC Profile for AIK
803	              Certificate Enrollment", 2011,
804	              <https://www.trustedcomputinggroup.org/wp-content/uploads/
805	              IWG_CMC_Profile_Cert_Enrollment_v1_r7.pdf>.

807	   [I-D.ietf-cbor-cddl]
808	              Birkholz, H., Vigano, C., and C. Bormann, "Concise data
809	              definition language (CDDL): a notational convention to
810	              express CBOR and JSON data structures", draft-ietf-cbor-
811	              cddl-07 (work in progress), February 2019.

813	   [I-D.ietf-core-comi]
814	              Veillette, M., Stok, P., Pelov, A., and A. Bierman, "CoAP
815	              Management Interface", draft-ietf-core-comi-04 (work in
816	              progress), November 2018.

818	   [I-D.ietf-sacm-coswid]
819	              Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
820	              Waltermire, "Concise Software Identifiers", draft-ietf-
821	              sacm-coswid-08 (work in progress), November 2018.

823	   [I-D.ietf-sacm-terminology]
824	              Birkholz, H., Lu, J., Strassner, J., Cam-Winget, N., and
825	              A. Montville, "Security Automation and Continuous
826	              Monitoring (SACM) Terminology", draft-ietf-sacm-
827	              terminology-16 (work in progress), December 2018.

829	   [IEEE1609]
830	              IEEE Computer Society, "1609.4-2016 - IEEE Standard for
831	              Wireless Access in Vehicular Environments (WAVE) -- Multi-
832	              Channel Operation", IEEE Std 1609.4, 2016.

834	   [IEEE802.1AR]
835	              IEEE Computer Society, "802.1AR-2009 - IEEE Standard for
836	              Local and metropolitan area networks - Secure Device
837	              Identity", IEEE Std 802.1AR, 2009.

839	   [PRIRA]    Coker, G., Guttman, J., Loscocco, P., Herzog, A., Millen,
840	              J., O'Hanlon, B., Ramsdell, J., Segall, A., Sheehy, J.,
841	              and B. Sniffen, "Principles of Remote Attestation",
842	              Springer International Journal of Information Security,
843	              Vol. 10, pp. 63-81, DOI 10.1007/s10207-011-0124-7, April
844	              2011.

846	   [PTS]      TCG TNC Working Group, "TCG Attestation PTS Protocol
847	              Binding to TNC IF-M", 2011,
848	              <https://www.trustedcomputinggroup.org/wp-content/uploads/
849	              IFM_PTS_v1_0_r28.pdf>.

851	   [REST]     Fielding, R., "Architectural Styles and the Design of
852	              Network-based Software Architectures", Ph.D. Dissertation,
853	              University of California, Irvine, 2000,
854	              <http://www.ics.uci.edu/~fielding/pubs/dissertation/
855	              fielding_dissertation.pdf>.

857	   [RFC1213]  McCloghrie, K. and M. Rose, "Management Information Base
858	              for Network Management of TCP/IP-based internets: MIB-II",
859	              STD 17, RFC 1213, DOI 10.17487/RFC1213, March 1991,
860	              <https://www.rfc-editor.org/info/rfc1213>.

862	   [RFC2790]  Waldbusser, S. and P. Grillo, "Host Resources MIB",
863	              RFC 2790, DOI 10.17487/RFC2790, March 2000,
864	              <https://www.rfc-editor.org/info/rfc2790>.

866	   [RFC3161]  Adams, C., Cain, P., Pinkas, D., and R. Zuccherato,
867	              "Internet X.509 Public Key Infrastructure Time-Stamp
868	              Protocol (TSP)", RFC 3161, DOI 10.17487/RFC3161, August
869	              2001, <https://www.rfc-editor.org/info/rfc3161>.

871	   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
872	              Architecture for Describing Simple Network Management
873	              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
874	              DOI 10.17487/RFC3411, December 2002,
875	              <https://www.rfc-editor.org/info/rfc3411>.

877	   [RFC3418]  Presuhn, R., Ed., "Management Information Base (MIB) for
878	              the Simple Network Management Protocol (SNMP)", STD 62,
879	              RFC 3418, DOI 10.17487/RFC3418, December 2002,
880	              <https://www.rfc-editor.org/info/rfc3418>.

882	   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
883	              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
884	              <https://www.rfc-editor.org/info/rfc4949>.

886	   [RFC6690]  Shelby, Z., "Constrained RESTful Environments (CoRE) Link
887	              Format", RFC 6690, DOI 10.17487/RFC6690, August 2012,
888	              <https://www.rfc-editor.org/info/rfc6690>.

890	   [RFC6933]  Bierman, A., Romascanu, D., Quittek, J., and M.
891	              Chandramouli, "Entity MIB (Version 4)", RFC 6933,
892	              DOI 10.17487/RFC6933, May 2013,
893	              <https://www.rfc-editor.org/info/rfc6933>.

895	   [RFC7049]  Bormann, C. and P. Hoffman, "Concise Binary Object
896	              Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
897	              October 2013, <https://www.rfc-editor.org/info/rfc7049>.

899	   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
900	              Protocol (HTTP/1.1): Message Syntax and Routing",
901	              RFC 7230, DOI 10.17487/RFC7230, June 2014,
902	              <https://www.rfc-editor.org/info/rfc7230>.

904	   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
905	              Application Protocol (CoAP)", RFC 7252,
906	              DOI 10.17487/RFC7252, June 2014,
907	              <https://www.rfc-editor.org/info/rfc7252>.

909	   [RFC7320]  Nottingham, M., "URI Design and Ownership", BCP 190,
910	              RFC 7320, DOI 10.17487/RFC7320, July 2014,
911	              <https://www.rfc-editor.org/info/rfc7320>.

913	   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
914	              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
915	              <https://www.rfc-editor.org/info/rfc7519>.

917	   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
918	              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
919	              DOI 10.17487/RFC7540, May 2015,
920	              <https://www.rfc-editor.org/info/rfc7540>.

922	   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
923	              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
924	              <https://www.rfc-editor.org/info/rfc8040>.

926	   [SCALE]    Fuchs, A., "Improving Scalability for Remote Attestation",
927	              Master Thesis (Diplomarbeit), Technische Universitaet
928	              Darmstadt, Germany, 2008.

930	   [SFKE2008]
931	              Stumpf, F., Fuchs, A., Katzenbeisser, S., and C. Eckert,
932	              "Improving the scalability of platform attestation",
933	              ACM Proceedings of the 3rd ACM workshop on Scalable
934	              trusted computing - STC '08 , page 1-10,
935	              DOI 10.1145/1456455.1456457, 2008.

937	   [STD62]    "Internet Standard 62", STD 62, RFCs 3411 to 3418,
938	              December 2002.

940	   [TCGGLOSS]
941	              TCG, "TCG Glossary", 2012,
942	              <https://www.trustedcomputinggroup.org/wp-content/uploads/
943	              TCG_Glossary_Board-Approved_12.13.2012.pdf>.

945	   [TEE]      Global Platform, "TEE System Architecture v1.1,
946	              GPD_SPE_009", 2017.

948	   [TPM12]    "Information technology -- Trusted Platform Module -- Part
949	              1: Overview", ISO/IEC 11889-1, 2009.

951	   [TPM2]     "Trusted Platform Module Library Specification, Family
952	              2.0, Level 00, Revision 01.16 ed., Trusted Computing
953	              Group", 2014.

955	Appendix A.  REST Realization

957	   Each of the seven data items is defined as a media type (Section 6).
958	   Representations of resources for each of these media types can be
959	   retrieved from URIs that are defined by the respective servers
960	   [RFC7320].  As can be derived from the URI, the actual retrieval is
961	   via one of the HTTPs ([RFC7230], [RFC7540]) or CoAP [RFC7252].  How a
962	   client obtains these URIs is dependent on the application; e.g., CoRE
963	   Web links [RFC6690] can be used to obtain the relevant URIs from the
964	   self-description of a server, or they could be prescribed by a
965	   RESTCONF data model [RFC8040].

967	Appendix B.  SNMP Realization

969	   SNMPv3 [STD62] [RFC3411] is widely available on computers and also
970	   constrained devices.  To transport the TUDA information elements, an
971	   SNMP MIB is defined below which encodes each of the seven TUDA
972	   information elements into a table.  Each row in a table contains a
973	   single read-only columnar SNMP object of datatype OCTET-STRING.  The
974	   values of a set of rows in each table can be concatenated to
975	   reconstitute a CBOR-encoded TUDA information element.  The Verifier
976	   can retrieve the values for each CBOR fragment by using SNMP GetNext
977	   requests to "walk" each table and can decode each of the CBOR-encoded
978	   data items based on the corresponding CDDL [I-D.ietf-cbor-cddl]
979	   definition.

981	   Design Principles:

983	   1.  Over time, TUDA attestation values age and should no longer be
984	       used.  Every table in the TUDA MIB has a primary index with the
985	       value of a separate scalar cycle counter object that
986	       disambiguates the transition from one attestation cycle to the
987	       next.

989	   2.  Over time, the measurement log information (for example) may grow
990	       large.  Therefore, read-only cycle counter scalar objects in all
991	       TUDA MIB object groups facilitate more efficient access with SNMP
992	       GetNext requests.

994	   3.  Notifications are supported by an SNMP trap definition with all
995	       of the cycle counters as bindings, to alert a Verifier that a new
996	       attestation cycle has occurred (e.g., synchronization data,
997	       measurement log, etc. have been updated by adding new rows and
998	       possibly deleting old rows).

1000	B.1.  Structure of TUDA MIB

1002	   The following table summarizes the object groups, tables and their
1003	   indexes, and conformance requirements for the TUDA MIB:

1005	   |-------------|-------|----------|----------|----------|
1006	   | Group/Table | Cycle | Instance | Fragment | Required |
1007	   |-------------|-------|----------|----------|----------|
1008	   | General     |       |          |          | x        |
1009	   | AIKCert     | x     | x        | x        |          |
1010	   | TSACert     | x     | x        | x        |          |
1011	   | SyncToken   | x     |          | x        | x        |
1012	   | Restrict    | x     |          |          | x        |
1013	   | Measure     | x     | x        |          |          |
1014	   | VerifyToken | x     |          |          | x        |
1015	   | SWIDTag     | x     | x        | x        |          |
1016	   |-------------|-------|----------|----------|----------|

1018	B.1.1.  Cycle Index

1020	   A tudaV1<Group>CycleIndex is the:

1022	   1.  first index of a row (element instance or element fragment) in
1023	       the tudaV1<Group>Table;

1025	   2.  identifier of an update cycle on the table, when rows were added
1026	       and/or deleted from the table (bounded by tudaV1<Group>Cycles);
1027	       and

1029	   3.  binding in the tudaV1TrapV2Cycles notification for directed
1030	       polling.

1032	B.1.2.  Instance Index

1034	   A tudaV1<Group>InstanceIndex is the:

1036	   1.  second index of a row (element instance or element fragment) in
1037	       the tudaV1<Group>Table; except for

1039	   2.  a row in the tudaV1SyncTokenTable (that has only one instance per
1040	       cycle).

1042	B.1.3.  Fragment Index

1044	   A tudaV1<Group>FragmentIndex is the:

1046	   1.  last index of a row (always an element fragment) in the
1047	       tudaV1<Group>Table; and

1049	   2.  accomodation for SNMP transport mapping restrictions for large
1050	       string elements that require fragmentation.

1052	B.2.  Relationship to Host Resources MIB

1054	   The General group in the TUDA MIB is analogous to the System group in
1055	   the Host Resources MIB [RFC2790] and provides context information for
1056	   the TUDA attestation process.

1058	   The Verify Token group in the TUDA MIB is analogous to the Device
1059	   group in the Host MIB and represents the verifiable state of a TPM
1060	   device and its associated system.

1062	   The SWID Tag group (containing a Concise SWID reference hash profile
1063	   [I-D.ietf-sacm-coswid]) in the TUDA MIB is analogous to the Software
1064	   Installed and Software Running groups in the Host Resources MIB
1065	   [RFC2790].

1067	B.3.  Relationship to Entity MIB

1069	   The General group in the TUDA MIB is analogous to the Entity General
1070	   group in the Entity MIB v4 [RFC6933] and provides context information
1071	   for the TUDA attestation process.

1073	   The SWID Tag group in the TUDA MIB is analogous to the Entity Logical
1074	   group in the Entity MIB v4 [RFC6933].

1076	B.4.  Relationship to Other MIBs

1078	   The General group in the TUDA MIB is analogous to the System group in
1079	   MIB-II [RFC1213] and the System group in the SNMPv2 MIB [RFC3418] and
1080	   provides context information for the TUDA attestation process.

1082	B.5.  Definition of TUDA MIB

1084	   <CODE BEGINS>
1085	   TUDA-V1-ATTESTATION-MIB DEFINITIONS ::= BEGIN

1087	   IMPORTS
1088	       MODULE-IDENTITY, OBJECT-TYPE, Integer32, Counter32,
1089	       enterprises, NOTIFICATION-TYPE
1090	           FROM SNMPv2-SMI                 -- RFC 2578
1091	       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
1092	           FROM SNMPv2-CONF                -- RFC 2580
1093	       SnmpAdminString
1094	           FROM SNMP-FRAMEWORK-MIB;        -- RFC 3411

1096	   tudaV1MIB MODULE-IDENTITY
1097	       LAST-UPDATED    "201903120000Z" --  12 March 2019
1098	       ORGANIZATION
1099	           "Fraunhofer SIT"
1100	       CONTACT-INFO
1101	           "Andreas Fuchs
1102	           Fraunhofer Institute for Secure Information Technology
1103	           Email: andreas.fuchs@sit.fraunhofer.de

1105	           Henk Birkholz
1106	           Fraunhofer Institute for Secure Information Technology
1107	           Email: henk.birkholz@sit.fraunhofer.de

1109	           Ira E McDonald
1110	           High North Inc
1111	           Email: blueroofmusic@gmail.com

1113	           Carsten Bormann
1114	           Universitaet Bremen TZI
1115	           Email: cabo@tzi.org"

1117	       DESCRIPTION
1118	           "The MIB module for monitoring of time-based unidirectional
1119	           attestation information from a network endpoint system,
1120	           based on the Trusted Computing Group TPM 1.2 definition.

1122	           Copyright (C) High North Inc (2019)."

1124	       REVISION "201903120000Z" -- 12 March 2019
1125	       DESCRIPTION
1126	           "Eighth version, published as draft-birkholz-rats-tuda-00."

1128	       REVISION "201805030000Z" -- 03 May 2018
1129	       DESCRIPTION
1130	           "Seventh version, published as draft-birkholz-i2nsf-tuda-03."

1132	       REVISION "201805020000Z" -- 02 May 2018
1133	       DESCRIPTION
1134	           "Sixth version, published as draft-birkholz-i2nsf-tuda-02."

1136	       REVISION "201710300000Z" -- 30 October 2017
1137	       DESCRIPTION
1138	           "Fifth version, published as draft-birkholz-i2nsf-tuda-01."

1140	       REVISION "201701090000Z" -- 09 January 2017
1141	       DESCRIPTION
1142	           "Fourth version, published as draft-birkholz-i2nsf-tuda-00."

1144	       REVISION "201607080000Z" -- 08 July 2016
1145	       DESCRIPTION
1146	           "Third version, published as draft-birkholz-tuda-02."

1148	       REVISION "201603210000Z" -- 21 March 2016
1149	       DESCRIPTION
1150	           "Second version, published as draft-birkholz-tuda-01."

1152	       REVISION "201510180000Z" -- 18 October 2015
1153	       DESCRIPTION
1154	           "Initial version, published as draft-birkholz-tuda-00."

1156	           ::= { enterprises fraunhofersit(21616) mibs(1) tudaV1MIB(1) }

1158	   tudaV1MIBNotifications      OBJECT IDENTIFIER ::= { tudaV1MIB 0 }
1159	   tudaV1MIBObjects            OBJECT IDENTIFIER ::= { tudaV1MIB 1 }
1160	   tudaV1MIBConformance        OBJECT IDENTIFIER ::= { tudaV1MIB 2 }

1162	   --
1163	   --  General
1164	   --
1165	   tudaV1General           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 1 }

1167	   tudaV1GeneralCycles OBJECT-TYPE
1168	       SYNTAX      Counter32
1169	       MAX-ACCESS  read-only
1170	       STATUS      current
1171	       DESCRIPTION
1172	           "Count of TUDA update cycles that have occurred, i.e.,
1173	           sum of all the individual group cycle counters.

1175	           DEFVAL intentionally omitted - counter object."
1176	       ::= { tudaV1General 1 }

1178	   tudaV1GeneralVersionInfo OBJECT-TYPE
1179	       SYNTAX      SnmpAdminString (SIZE(0..255))
1180	       MAX-ACCESS  read-only
1181	       STATUS      current
1182	       DESCRIPTION
1183	           "Version information for TUDA MIB, e.g., specific release
1184	           version of TPM 1.2 base specification and release version
1185	           of TPM 1.2 errata specification and manufacturer and model
1186	           TPM module itself."
1187	       DEFVAL      { "" }
1188	       ::= { tudaV1General 2 }

1190	   --
1191	   --  AIK Cert
1192	   --
1193	   tudaV1AIKCert           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 2 }

1195	   tudaV1AIKCertCycles OBJECT-TYPE
1196	       SYNTAX      Counter32
1197	       MAX-ACCESS  read-only
1198	       STATUS      current
1199	       DESCRIPTION
1200	           "Count of AIK Certificate chain update cycles that have
1201	           occurred.

1203	           DEFVAL intentionally omitted - counter object."
1204	       ::= { tudaV1AIKCert 1 }

1206	   tudaV1AIKCertTable OBJECT-TYPE
1207	       SYNTAX      SEQUENCE OF TudaV1AIKCertEntry
1208	       MAX-ACCESS  not-accessible
1209	       STATUS      current
1210	       DESCRIPTION
1211	           "A table of fragments of AIK Certificate data."
1212	       ::= { tudaV1AIKCert 2 }

1214	   tudaV1AIKCertEntry OBJECT-TYPE
1215	       SYNTAX      TudaV1AIKCertEntry
1216	       MAX-ACCESS  not-accessible
1217	       STATUS      current
1218	       DESCRIPTION
1219	           "An entry for one fragment of AIK Certificate data."
1220	       INDEX       { tudaV1AIKCertCycleIndex,
1221	                     tudaV1AIKCertInstanceIndex,
1222	                     tudaV1AIKCertFragmentIndex }
1223	       ::= { tudaV1AIKCertTable 1 }

1225	   TudaV1AIKCertEntry ::=
1226	       SEQUENCE {
1227	           tudaV1AIKCertCycleIndex         Integer32,
1228	           tudaV1AIKCertInstanceIndex      Integer32,
1229	           tudaV1AIKCertFragmentIndex      Integer32,
1230	           tudaV1AIKCertData               OCTET STRING
1231	       }

1233	   tudaV1AIKCertCycleIndex OBJECT-TYPE
1234	       SYNTAX      Integer32 (1..2147483647)
1235	       MAX-ACCESS  not-accessible
1236	       STATUS      current
1237	       DESCRIPTION
1238	           "High-order index of this AIK Certificate fragment.
1239	           Index of an AIK Certificate chain update cycle that has
1240	           occurred (bounded by the value of tudaV1AIKCertCycles).

1242	           DEFVAL intentionally omitted - index object."
1243	       ::= { tudaV1AIKCertEntry 1 }

1245	   tudaV1AIKCertInstanceIndex OBJECT-TYPE
1246	       SYNTAX      Integer32 (1..2147483647)
1247	       MAX-ACCESS  not-accessible
1248	       STATUS      current
1249	       DESCRIPTION
1250	           "Middle index of this AIK Certificate fragment.
1251	           Ordinal of this AIK Certificate in this chain, where the AIK
1252	           Certificate itself has an ordinal of '1' and higher ordinals
1253	           go *up* the certificate chain to the Root CA.

1255	           DEFVAL intentionally omitted - index object."
1256	       ::= { tudaV1AIKCertEntry 2 }

1258	   tudaV1AIKCertFragmentIndex OBJECT-TYPE
1259	       SYNTAX      Integer32 (1..2147483647)
1260	       MAX-ACCESS  not-accessible
1261	       STATUS      current
1262	       DESCRIPTION
1263	           "Low-order index of this AIK Certificate fragment.

1265	           DEFVAL intentionally omitted - index object."
1266	       ::= { tudaV1AIKCertEntry 3 }

1268	   tudaV1AIKCertData OBJECT-TYPE
1269	       SYNTAX      OCTET STRING (SIZE(0..1024))
1270	       MAX-ACCESS  read-only
1271	       STATUS      current
1272	       DESCRIPTION
1273	           "A fragment of CBOR encoded AIK Certificate data."
1274	       DEFVAL      { "" }
1275	       ::= { tudaV1AIKCertEntry 4 }

1277	   --
1278	   --  TSA Cert
1279	   --
1280	   tudaV1TSACert           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 3 }

1282	   tudaV1TSACertCycles OBJECT-TYPE
1283	       SYNTAX      Counter32
1284	       MAX-ACCESS  read-only
1285	       STATUS      current
1286	       DESCRIPTION
1287	           "Count of TSA Certificate chain update cycles that have
1288	           occurred.

1290	           DEFVAL intentionally omitted - counter object."
1291	       ::= { tudaV1TSACert 1 }

1293	   tudaV1TSACertTable OBJECT-TYPE
1294	       SYNTAX      SEQUENCE OF TudaV1TSACertEntry
1295	       MAX-ACCESS  not-accessible
1296	       STATUS      current
1297	       DESCRIPTION
1298	           "A table of fragments of TSA Certificate data."
1299	       ::= { tudaV1TSACert 2 }

1301	   tudaV1TSACertEntry OBJECT-TYPE
1302	       SYNTAX      TudaV1TSACertEntry
1303	       MAX-ACCESS  not-accessible
1304	       STATUS      current
1305	       DESCRIPTION
1306	           "An entry for one fragment of TSA Certificate data."
1307	       INDEX       { tudaV1TSACertCycleIndex,
1308	                     tudaV1TSACertInstanceIndex,
1309	                     tudaV1TSACertFragmentIndex }
1310	       ::= { tudaV1TSACertTable 1 }

1312	   TudaV1TSACertEntry ::=
1313	       SEQUENCE {
1314	           tudaV1TSACertCycleIndex         Integer32,
1315	           tudaV1TSACertInstanceIndex      Integer32,
1316	           tudaV1TSACertFragmentIndex      Integer32,
1317	           tudaV1TSACertData               OCTET STRING
1318	       }

1320	   tudaV1TSACertCycleIndex OBJECT-TYPE
1321	       SYNTAX      Integer32 (1..2147483647)
1322	       MAX-ACCESS  not-accessible
1323	       STATUS      current
1324	       DESCRIPTION
1325	           "High-order index of this TSA Certificate fragment.
1326	           Index of a TSA Certificate chain update cycle that has
1327	           occurred (bounded by the value of tudaV1TSACertCycles).

1329	           DEFVAL intentionally omitted - index object."
1330	       ::= { tudaV1TSACertEntry 1 }

1332	   tudaV1TSACertInstanceIndex OBJECT-TYPE
1333	       SYNTAX      Integer32 (1..2147483647)
1334	       MAX-ACCESS  not-accessible
1335	       STATUS      current
1336	       DESCRIPTION
1337	           "Middle index of this TSA Certificate fragment.

1339	           Ordinal of this TSA Certificate in this chain, where the TSA
1340	           Certificate itself has an ordinal of '1' and higher ordinals
1341	           go *up* the certificate chain to the Root CA.

1343	           DEFVAL intentionally omitted - index object."
1344	       ::= { tudaV1TSACertEntry 2 }

1346	   tudaV1TSACertFragmentIndex OBJECT-TYPE
1347	       SYNTAX      Integer32 (1..2147483647)
1348	       MAX-ACCESS  not-accessible
1349	       STATUS      current
1350	       DESCRIPTION
1351	           "Low-order index of this TSA Certificate fragment.

1353	           DEFVAL intentionally omitted - index object."
1354	       ::= { tudaV1TSACertEntry 3 }

1356	   tudaV1TSACertData OBJECT-TYPE
1357	       SYNTAX      OCTET STRING (SIZE(0..1024))
1358	       MAX-ACCESS  read-only
1359	       STATUS      current
1360	       DESCRIPTION
1361	           "A fragment of CBOR encoded TSA Certificate data."
1362	       DEFVAL      { "" }
1363	       ::= { tudaV1TSACertEntry 4 }

1365	   --
1366	   --  Sync Token
1367	   --
1368	   tudaV1SyncToken         OBJECT IDENTIFIER ::= { tudaV1MIBObjects 4 }

1370	   tudaV1SyncTokenCycles OBJECT-TYPE
1371	       SYNTAX      Counter32
1372	       MAX-ACCESS  read-only
1373	       STATUS      current
1374	       DESCRIPTION
1375	           "Count of Sync Token update cycles that have
1376	           occurred.

1378	           DEFVAL intentionally omitted - counter object."
1379	       ::= { tudaV1SyncToken 1 }

1381	   tudaV1SyncTokenInstances OBJECT-TYPE
1382	       SYNTAX      Counter32
1383	       MAX-ACCESS  read-only
1384	       STATUS      current
1385	       DESCRIPTION
1386	           "Count of Sync Token instance entries that have
1387	           been recorded (some entries MAY have been pruned).

1389	           DEFVAL intentionally omitted - counter object."
1390	       ::= { tudaV1SyncToken 2 }

1392	   tudaV1SyncTokenTable OBJECT-TYPE
1393	       SYNTAX      SEQUENCE OF TudaV1SyncTokenEntry
1394	       MAX-ACCESS  not-accessible
1395	       STATUS      current
1396	       DESCRIPTION
1397	           "A table of fragments of Sync Token data."
1398	       ::= { tudaV1SyncToken 3 }

1400	   tudaV1SyncTokenEntry OBJECT-TYPE
1401	       SYNTAX      TudaV1SyncTokenEntry
1402	       MAX-ACCESS  not-accessible
1403	       STATUS      current
1404	       DESCRIPTION
1405	           "An entry for one fragment of Sync Token data."
1406	       INDEX       { tudaV1SyncTokenCycleIndex,
1407	                     tudaV1SyncTokenInstanceIndex,
1408	                     tudaV1SyncTokenFragmentIndex }
1409	       ::= { tudaV1SyncTokenTable 1 }

1411	   TudaV1SyncTokenEntry ::=
1412	       SEQUENCE {
1413	           tudaV1SyncTokenCycleIndex       Integer32,
1414	           tudaV1SyncTokenInstanceIndex    Integer32,
1415	           tudaV1SyncTokenFragmentIndex    Integer32,
1416	           tudaV1SyncTokenData             OCTET STRING
1417	       }

1419	   tudaV1SyncTokenCycleIndex OBJECT-TYPE
1420	       SYNTAX      Integer32 (1..2147483647)
1421	       MAX-ACCESS  not-accessible
1422	       STATUS      current
1423	       DESCRIPTION
1424	           "High-order index of this Sync Token fragment.
1425	           Index of a Sync Token update cycle that has
1426	           occurred (bounded by the value of tudaV1SyncTokenCycles).

1428	           DEFVAL intentionally omitted - index object."
1429	       ::= { tudaV1SyncTokenEntry 1 }

1431	   tudaV1SyncTokenInstanceIndex OBJECT-TYPE
1432	       SYNTAX      Integer32 (1..2147483647)
1433	       MAX-ACCESS  not-accessible
1434	       STATUS      current
1435	       DESCRIPTION
1436	           "Middle index of this Sync Token fragment.
1437	           Ordinal of this instance of Sync Token data
1438	           (NOT bounded by the value of tudaV1SyncTokenInstances).

1440	           DEFVAL intentionally omitted - index object."
1441	       ::= { tudaV1SyncTokenEntry 2 }

1443	   tudaV1SyncTokenFragmentIndex OBJECT-TYPE
1444	       SYNTAX      Integer32 (1..2147483647)
1445	       MAX-ACCESS  not-accessible
1446	       STATUS      current
1447	       DESCRIPTION
1448	           "Low-order index of this Sync Token fragment.

1450	           DEFVAL intentionally omitted - index object."
1451	       ::= { tudaV1SyncTokenEntry 3 }

1453	   tudaV1SyncTokenData OBJECT-TYPE
1454	       SYNTAX      OCTET STRING (SIZE(0..1024))
1455	       MAX-ACCESS  read-only
1456	       STATUS      current
1457	       DESCRIPTION
1458	           "A fragment of CBOR encoded Sync Token data."
1459	       DEFVAL      { "" }
1460	       ::= { tudaV1SyncTokenEntry 4 }

1462	   --
1463	   --  Restriction Info
1464	   --
1465	   tudaV1Restrict          OBJECT IDENTIFIER ::= { tudaV1MIBObjects 5 }

1467	   tudaV1RestrictCycles OBJECT-TYPE
1468	       SYNTAX      Counter32
1469	       MAX-ACCESS  read-only
1470	       STATUS      current
1471	       DESCRIPTION
1472	           "Count of Restriction Info update cycles that have
1473	           occurred.

1475	           DEFVAL intentionally omitted - counter object."
1476	       ::= { tudaV1Restrict 1 }

1478	   tudaV1RestrictTable OBJECT-TYPE
1479	       SYNTAX      SEQUENCE OF TudaV1RestrictEntry
1480	       MAX-ACCESS  not-accessible
1481	       STATUS      current
1482	       DESCRIPTION
1483	           "A table of instances of Restriction Info data."
1484	       ::= { tudaV1Restrict 2 }

1486	   tudaV1RestrictEntry OBJECT-TYPE
1487	       SYNTAX      TudaV1RestrictEntry
1488	       MAX-ACCESS  not-accessible
1489	       STATUS      current
1490	       DESCRIPTION
1491	           "An entry for one instance of Restriction Info data."
1492	       INDEX       { tudaV1RestrictCycleIndex }
1493	       ::= { tudaV1RestrictTable 1 }

1495	   TudaV1RestrictEntry ::=
1496	       SEQUENCE {
1497	           tudaV1RestrictCycleIndex        Integer32,
1498	           tudaV1RestrictData              OCTET STRING
1499	       }

1501	   tudaV1RestrictCycleIndex OBJECT-TYPE
1502	       SYNTAX      Integer32 (1..2147483647)
1503	       MAX-ACCESS  not-accessible
1504	       STATUS      current
1505	       DESCRIPTION
1506	           "Index of this Restriction Info entry.
1507	           Index of a Restriction Info update cycle that has
1508	           occurred (bounded by the value of tudaV1RestrictCycles).

1510	           DEFVAL intentionally omitted - index object."
1511	       ::= { tudaV1RestrictEntry 1 }

1513	   tudaV1RestrictData OBJECT-TYPE
1514	       SYNTAX      OCTET STRING (SIZE(0..1024))
1515	       MAX-ACCESS  read-only
1516	       STATUS      current
1517	       DESCRIPTION
1518	           "An instance of CBOR encoded Restriction Info data."
1519	       DEFVAL      { "" }
1520	       ::= { tudaV1RestrictEntry 2 }

1522	   --
1523	   --  Measurement Log
1524	   --
1525	   tudaV1Measure           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 6 }

1527	   tudaV1MeasureCycles OBJECT-TYPE
1528	       SYNTAX      Counter32
1529	       MAX-ACCESS  read-only
1530	       STATUS      current
1531	       DESCRIPTION
1532	           "Count of Measurement Log update cycles that have
1533	           occurred.

1535	           DEFVAL intentionally omitted - counter object."
1536	       ::= { tudaV1Measure 1 }

1538	   tudaV1MeasureInstances OBJECT-TYPE
1539	       SYNTAX      Counter32
1540	       MAX-ACCESS  read-only
1541	       STATUS      current
1542	       DESCRIPTION
1543	           "Count of Measurement Log instance entries that have
1544	           been recorded (some entries MAY have been pruned).

1546	           DEFVAL intentionally omitted - counter object."
1547	       ::= { tudaV1Measure 2 }

1549	   tudaV1MeasureTable OBJECT-TYPE
1550	       SYNTAX      SEQUENCE OF TudaV1MeasureEntry
1551	       MAX-ACCESS  not-accessible
1552	       STATUS      current
1553	       DESCRIPTION
1554	           "A table of instances of Measurement Log data."
1555	       ::= { tudaV1Measure 3 }

1557	   tudaV1MeasureEntry OBJECT-TYPE
1558	       SYNTAX      TudaV1MeasureEntry
1559	       MAX-ACCESS  not-accessible
1560	       STATUS      current
1561	       DESCRIPTION
1562	           "An entry for one instance of Measurement Log data."
1563	       INDEX       { tudaV1MeasureCycleIndex,
1564	                     tudaV1MeasureInstanceIndex }
1565	       ::= { tudaV1MeasureTable 1 }

1567	   TudaV1MeasureEntry ::=
1568	       SEQUENCE {
1569	           tudaV1MeasureCycleIndex         Integer32,
1570	           tudaV1MeasureInstanceIndex      Integer32,
1571	           tudaV1MeasureData               OCTET STRING
1572	       }

1574	   tudaV1MeasureCycleIndex OBJECT-TYPE
1575	       SYNTAX      Integer32 (1..2147483647)
1576	       MAX-ACCESS  not-accessible
1577	       STATUS      current
1578	       DESCRIPTION
1579	           "High-order index of this Measurement Log entry.
1580	           Index of a Measurement Log update cycle that has
1581	           occurred (bounded by the value of tudaV1MeasureCycles).

1583	           DEFVAL intentionally omitted - index object."
1584	       ::= { tudaV1MeasureEntry 1 }

1586	   tudaV1MeasureInstanceIndex OBJECT-TYPE
1587	       SYNTAX      Integer32 (1..2147483647)
1588	       MAX-ACCESS  not-accessible
1589	       STATUS      current
1590	       DESCRIPTION
1591	           "Low-order index of this Measurement Log entry.
1592	           Ordinal of this instance of Measurement Log data
1593	           (NOT bounded by the value of tudaV1MeasureInstances).

1595	           DEFVAL intentionally omitted - index object."
1596	       ::= { tudaV1MeasureEntry 2 }

1598	   tudaV1MeasureData OBJECT-TYPE
1599	       SYNTAX      OCTET STRING (SIZE(0..1024))
1600	       MAX-ACCESS  read-only
1601	       STATUS      current
1602	       DESCRIPTION
1603	           "A instance of CBOR encoded Measurement Log data."
1604	       DEFVAL      { "" }
1605	       ::= { tudaV1MeasureEntry 3 }

1607	   --
1608	   --  Verify Token
1609	   --
1610	   tudaV1VerifyToken       OBJECT IDENTIFIER ::= { tudaV1MIBObjects 7 }

1612	   tudaV1VerifyTokenCycles OBJECT-TYPE
1613	       SYNTAX      Counter32
1614	       MAX-ACCESS  read-only
1615	       STATUS      current
1616	       DESCRIPTION
1617	           "Count of Verify Token update cycles that have
1618	           occurred.

1620	           DEFVAL intentionally omitted - counter object."
1621	       ::= { tudaV1VerifyToken 1 }

1623	   tudaV1VerifyTokenTable OBJECT-TYPE
1624	       SYNTAX      SEQUENCE OF TudaV1VerifyTokenEntry
1625	       MAX-ACCESS  not-accessible
1626	       STATUS      current
1627	       DESCRIPTION
1628	           "A table of instances of Verify Token data."
1629	       ::= { tudaV1VerifyToken 2 }

1631	   tudaV1VerifyTokenEntry OBJECT-TYPE
1632	       SYNTAX      TudaV1VerifyTokenEntry
1633	       MAX-ACCESS  not-accessible
1634	       STATUS      current
1635	       DESCRIPTION
1636	           "An entry for one instance of Verify Token data."
1637	       INDEX       { tudaV1VerifyTokenCycleIndex }
1638	       ::= { tudaV1VerifyTokenTable 1 }

1640	   TudaV1VerifyTokenEntry ::=
1641	       SEQUENCE {
1642	           tudaV1VerifyTokenCycleIndex     Integer32,
1643	           tudaV1VerifyTokenData           OCTET STRING
1644	       }

1646	   tudaV1VerifyTokenCycleIndex OBJECT-TYPE
1647	       SYNTAX      Integer32 (1..2147483647)
1648	       MAX-ACCESS  not-accessible
1649	       STATUS      current
1650	       DESCRIPTION
1651	           "Index of this instance of Verify Token data.
1652	           Index of a Verify Token update cycle that has
1653	           occurred (bounded by the value of tudaV1VerifyTokenCycles).

1655	           DEFVAL intentionally omitted - index object."
1656	       ::= { tudaV1VerifyTokenEntry 1 }

1658	   tudaV1VerifyTokenData OBJECT-TYPE
1659	       SYNTAX      OCTET STRING (SIZE(0..1024))
1660	       MAX-ACCESS  read-only
1661	       STATUS      current
1662	       DESCRIPTION
1663	           "A instance of CBOR encoded Verify Token data."
1664	       DEFVAL      { "" }
1665	       ::= { tudaV1VerifyTokenEntry 2 }

1667	   --
1668	   --  SWID Tag
1669	   --
1670	   tudaV1SWIDTag           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 8 }

1672	   tudaV1SWIDTagCycles OBJECT-TYPE
1673	       SYNTAX      Counter32
1674	       MAX-ACCESS  read-only
1675	       STATUS      current
1676	       DESCRIPTION
1677	           "Count of SWID Tag update cycles that have occurred.

1679	           DEFVAL intentionally omitted - counter object."
1680	       ::= { tudaV1SWIDTag 1 }

1682	   tudaV1SWIDTagTable OBJECT-TYPE
1683	       SYNTAX      SEQUENCE OF TudaV1SWIDTagEntry
1684	       MAX-ACCESS  not-accessible
1685	       STATUS      current
1686	       DESCRIPTION
1687	           "A table of fragments of SWID Tag data."
1688	       ::= { tudaV1SWIDTag 2 }

1690	   tudaV1SWIDTagEntry OBJECT-TYPE
1691	       SYNTAX      TudaV1SWIDTagEntry
1692	       MAX-ACCESS  not-accessible
1693	       STATUS      current
1694	       DESCRIPTION
1695	           "An entry for one fragment of SWID Tag data."
1696	       INDEX       { tudaV1SWIDTagCycleIndex,
1697	                     tudaV1SWIDTagInstanceIndex,
1698	                     tudaV1SWIDTagFragmentIndex }
1699	       ::= { tudaV1SWIDTagTable 1 }

1701	   TudaV1SWIDTagEntry ::=
1702	       SEQUENCE {
1703	           tudaV1SWIDTagCycleIndex         Integer32,
1704	           tudaV1SWIDTagInstanceIndex      Integer32,
1705	           tudaV1SWIDTagFragmentIndex      Integer32,
1706	           tudaV1SWIDTagData               OCTET STRING
1707	       }

1709	   tudaV1SWIDTagCycleIndex OBJECT-TYPE
1710	       SYNTAX      Integer32 (1..2147483647)
1711	       MAX-ACCESS  not-accessible
1712	       STATUS      current
1713	       DESCRIPTION
1714	           "High-order index of this SWID Tag fragment.
1715	           Index of an SWID Tag update cycle that has
1716	           occurred (bounded by the value of tudaV1SWIDTagCycles).

1718	           DEFVAL intentionally omitted - index object."
1719	       ::= { tudaV1SWIDTagEntry 1 }

1721	   tudaV1SWIDTagInstanceIndex OBJECT-TYPE
1722	       SYNTAX      Integer32 (1..2147483647)
1723	       MAX-ACCESS  not-accessible
1724	       STATUS      current
1725	       DESCRIPTION
1726	           "Middle index of this SWID Tag fragment.
1727	           Ordinal of this SWID Tag instance in this update cycle.

1729	           DEFVAL intentionally omitted - index object."
1730	       ::= { tudaV1SWIDTagEntry 2 }

1732	   tudaV1SWIDTagFragmentIndex OBJECT-TYPE
1733	       SYNTAX      Integer32 (1..2147483647)
1734	       MAX-ACCESS  not-accessible
1735	       STATUS      current
1736	       DESCRIPTION
1737	           "Low-order index of this SWID Tag fragment.

1739	           DEFVAL intentionally omitted - index object."
1740	       ::= { tudaV1SWIDTagEntry 3 }

1742	   tudaV1SWIDTagData OBJECT-TYPE
1743	       SYNTAX      OCTET STRING (SIZE(0..1024))
1744	       MAX-ACCESS  read-only
1745	       STATUS      current
1746	       DESCRIPTION
1747	           "A fragment of CBOR encoded SWID Tag data."
1748	       DEFVAL      { "" }
1749	       ::= { tudaV1SWIDTagEntry 4 }

1751	   --
1752	   --  Trap Cycles
1753	   --
1754	   tudaV1TrapV2Cycles NOTIFICATION-TYPE
1755	       OBJECTS {
1756	           tudaV1GeneralCycles,
1757	           tudaV1AIKCertCycles,
1758	           tudaV1TSACertCycles,
1759	           tudaV1SyncTokenCycles,
1760	           tudaV1SyncTokenInstances,
1761	           tudaV1RestrictCycles,
1762	           tudaV1MeasureCycles,
1763	           tudaV1MeasureInstances,
1764	           tudaV1VerifyTokenCycles,
1765	           tudaV1SWIDTagCycles
1766	       }
1767	       STATUS  current
1768	       DESCRIPTION
1769	           "This trap is sent when the value of any cycle or instance
1770	           counter changes (i.e., one or more tables are updated).

1772	           Note:  The value of sysUpTime in IETF MIB-II (RFC 1213) is
1773	           always included in SNMPv2 traps, per RFC 3416."
1774	       ::= { tudaV1MIBNotifications 1 }

1776	   --
1777	   --  Conformance Information
1778	   --
1779	   tudaV1Compliances           OBJECT IDENTIFIER
1780	       ::= { tudaV1MIBConformance 1 }

1782	   tudaV1ObjectGroups          OBJECT IDENTIFIER
1783	       ::= { tudaV1MIBConformance 2 }

1785	   tudaV1NotificationGroups    OBJECT IDENTIFIER
1786	       ::= { tudaV1MIBConformance 3 }

1788	   --
1789	   --  Compliance Statements
1790	   --
1791	   tudaV1BasicCompliance MODULE-COMPLIANCE
1792	       STATUS  current
1793	       DESCRIPTION
1794	           "An implementation that complies with this module MUST
1795	           implement all of the objects defined in the mandatory
1796	           group tudaV1BasicGroup."
1797	       MODULE  -- this module
1798	       MANDATORY-GROUPS { tudaV1BasicGroup }

1800	       GROUP   tudaV1OptionalGroup
1801	       DESCRIPTION
1802	           "The optional TUDA MIB objects.
1803	           An implementation MAY implement this group."

1805	       GROUP   tudaV1TrapGroup
1806	       DESCRIPTION
1807	           "The TUDA MIB traps.
1808	           An implementation SHOULD implement this group."
1809	       ::= { tudaV1Compliances 1 }

1811	   --
1812	   --  Compliance Groups
1813	   --
1814	   tudaV1BasicGroup OBJECT-GROUP
1815	       OBJECTS {
1816	           tudaV1GeneralCycles,
1817	           tudaV1GeneralVersionInfo,
1818	           tudaV1SyncTokenCycles,
1819	           tudaV1SyncTokenInstances,
1820	           tudaV1SyncTokenData,
1821	           tudaV1RestrictCycles,
1822	           tudaV1RestrictData,
1823	           tudaV1VerifyTokenCycles,
1824	           tudaV1VerifyTokenData
1825	       }
1826	       STATUS  current
1827	       DESCRIPTION
1828	           "The basic mandatory TUDA MIB objects."
1829	       ::= { tudaV1ObjectGroups 1 }

1831	   tudaV1OptionalGroup OBJECT-GROUP
1832	       OBJECTS {
1833	           tudaV1AIKCertCycles,
1834	           tudaV1AIKCertData,
1835	           tudaV1TSACertCycles,
1836	           tudaV1TSACertData,
1837	           tudaV1MeasureCycles,
1838	           tudaV1MeasureInstances,
1839	           tudaV1MeasureData,
1840	           tudaV1SWIDTagCycles,
1841	           tudaV1SWIDTagData
1842	       }
1843	       STATUS  current
1844	       DESCRIPTION
1845	           "The optional TUDA MIB objects."
1846	       ::= { tudaV1ObjectGroups 2 }

1848	   tudaV1TrapGroup NOTIFICATION-GROUP
1849	       NOTIFICATIONS { tudaV1TrapV2Cycles }
1850	       STATUS      current
1851	       DESCRIPTION
1852	           "The recommended TUDA MIB traps - notifications."
1853	       ::= { tudaV1NotificationGroups 1 }

1855	   END
1856	   <CODE ENDS>

1858	Appendix C.  YANG Realization

1860	<CODE BEGINS>
1861	module TUDA-V1-ATTESTATION-MIB {

1863	  namespace "urn:ietf:params:xml:ns:yang:smiv2:TUDA-V1-ATTESTATION-MIB";
1864	  prefix "tuda-v1";
1865	  import SNMP-FRAMEWORK-MIB { prefix "snmp-framework"; }
1866	  import yang-types         { prefix "yang"; }

1868	  organization
1869	   "Fraunhofer SIT";

1871	  contact
1872	   "Andreas Fuchs
1873	    Fraunhofer Institute for Secure Information Technology
1874	    Email: andreas.fuchs@sit.fraunhofer.de

1876	    Henk Birkholz
1877	    Fraunhofer Institute for Secure Information Technology
1878	    Email: henk.birkholz@sit.fraunhofer.de

1880	    Ira E McDonald
1881	    High North Inc
1882	    Email: blueroofmusic@gmail.com

1884	    Carsten Bormann
1885	    Universitaet Bremen TZI
1886	    Email: cabo@tzi.org";

1888	  description
1889	   "The MIB module for monitoring of time-based unidirectional
1890	    attestation information from a network endpoint system,
1891	    based on the Trusted Computing Group TPM 1.2 definition.

1893	    Copyright (C) High North Inc (2017).";

1895	  revision "2017-10-30" {
1896	    description
1897	     "Fifth version, published as draft-birkholz-tuda-04.";
1898	    reference
1899	     "draft-birkholz-tuda-04";
1900	  }
1901	  revision "2017-01-09" {
1902	    description
1903	     "Fourth version, published as draft-birkholz-tuda-03.";
1904	    reference
1905	     "draft-birkholz-tuda-03";
1906	  }
1907	  revision "2016-07-08" {
1908	    description
1909	     "Third version, published as draft-birkholz-tuda-02.";
1910	    reference
1911	     "draft-birkholz-tuda-02";
1912	  }
1913	  revision "2016-03-21" {
1914	    description
1915	     "Second version, published as draft-birkholz-tuda-01.";
1916	    reference
1917	     "draft-birkholz-tuda-01";
1918	  }
1919	  revision "2015-10-18" {
1920	    description
1921	     "Initial version, published as draft-birkholz-tuda-00.";
1922	    reference
1923	     "draft-birkholz-tuda-00";
1924	  }

1926	  container tudaV1General {
1927	  description
1928	    "TBD";

1930	    leaf tudaV1GeneralCycles {
1931	      type yang:counter32;
1932	      config false;
1933	      description
1934	       "Count of TUDA update cycles that have occurred, i.e.,
1935	        sum of all the individual group cycle counters.

1937	        DEFVAL intentionally omitted - counter object.";
1938	    }

1940	    leaf tudaV1GeneralVersionInfo {
1941	      type snmp-framework:SnmpAdminString {
1942	        length "0..255";
1943	      }
1944	      config false;
1945	      description
1946	       "Version information for TUDA MIB, e.g., specific release
1947	        version of TPM 1.2 base specification and release version
1948	        of TPM 1.2 errata specification and manufacturer and model
1949	        TPM module itself.";
1950	    }
1951	  }

1953	  container tudaV1AIKCert {
1954	  description
1955	    "TBD";

1957	    leaf tudaV1AIKCertCycles {
1958	      type yang:counter32;
1959	      config false;
1960	      description
1961	       "Count of AIK Certificate chain update cycles that have
1962	        occurred.

1964	        DEFVAL intentionally omitted - counter object.";
1965	    }

1967	    /* XXX table comments here XXX */

1969	    list tudaV1AIKCertEntry {

1971	      key "tudaV1AIKCertCycleIndex tudaV1AIKCertInstanceIndex
1972	           tudaV1AIKCertFragmentIndex";
1973	        config false;
1974	      description
1975	       "An entry for one fragment of AIK Certificate data.";

1977	      leaf tudaV1AIKCertCycleIndex {
1978	        type int32 {
1979	          range "1..2147483647";
1980	        }
1981	        config false;
1982	        description
1983	         "High-order index of this AIK Certificate fragment.
1984	          Index of an AIK Certificate chain update cycle that has
1985	          occurred (bounded by the value of tudaV1AIKCertCycles).

1987	          DEFVAL intentionally omitted - index object.";
1988	      }

1990	      leaf tudaV1AIKCertInstanceIndex {
1991	        type int32 {
1992	          range "1..2147483647";
1993	        }
1994	        config false;
1995	        description
1996	         "Middle index of this AIK Certificate fragment.
1997	          Ordinal of this AIK Certificate in this chain, where the AIK
1998	          Certificate itself has an ordinal of '1' and higher ordinals
1999	          go *up* the certificate chain to the Root CA.

2001	          DEFVAL intentionally omitted - index object.";
2002	      }

2004	      leaf tudaV1AIKCertFragmentIndex {
2005	        type int32 {
2006	          range "1..2147483647";

2008	        }
2009	        config false;
2010	        description
2011	         "Low-order index of this AIK Certificate fragment.

2013	          DEFVAL intentionally omitted - index object.";
2014	      }

2016	      leaf tudaV1AIKCertData {
2017	        type binary {
2018	          length "0..1024";
2019	        }
2020	        config false;
2021	        description
2022	         "A fragment of CBOR encoded AIK Certificate data.";
2023	      }
2024	    }
2025	  }

2027	  container tudaV1TSACert {
2028	  description
2029	    "TBD";

2031	    leaf tudaV1TSACertCycles {
2032	      type yang:counter32;
2033	      config false;
2034	      description
2035	       "Count of TSA Certificate chain update cycles that have
2036	        occurred.

2038	        DEFVAL intentionally omitted - counter object.";
2039	    }

2041	    /* XXX table comments here XXX */

2043	    list tudaV1TSACertEntry {

2045	      key "tudaV1TSACertCycleIndex tudaV1TSACertInstanceIndex
2046	           tudaV1TSACertFragmentIndex";
2047	      config false;
2048	      description
2049	       "An entry for one fragment of TSA Certificate data.";

2051	      leaf tudaV1TSACertCycleIndex {
2052	        type int32 {
2053	          range "1..2147483647";

2055	        }
2056	        config false;
2057	        description
2058	         "High-order index of this TSA Certificate fragment.
2059	          Index of a TSA Certificate chain update cycle that has
2060	          occurred (bounded by the value of tudaV1TSACertCycles).

2062	          DEFVAL intentionally omitted - index object.";
2063	      }

2065	      leaf tudaV1TSACertInstanceIndex {
2066	        type int32 {
2067	          range "1..2147483647";
2068	        }
2069	        config false;
2070	        description
2071	         "Middle index of this TSA Certificate fragment.
2072	          Ordinal of this TSA Certificate in this chain, where the TSA
2073	          Certificate itself has an ordinal of '1' and higher ordinals
2074	          go *up* the certificate chain to the Root CA.

2076	          DEFVAL intentionally omitted - index object.";
2077	      }

2079	      leaf tudaV1TSACertFragmentIndex {
2080	        type int32 {
2081	          range "1..2147483647";
2082	        }
2083	        config false;
2084	        description
2085	         "Low-order index of this TSA Certificate fragment.

2087	          DEFVAL intentionally omitted - index object.";
2088	      }

2090	      leaf tudaV1TSACertData {
2091	        type binary {
2092	          length "0..1024";
2093	        }
2094	        config false;
2095	        description
2096	         "A fragment of CBOR encoded TSA Certificate data.";
2097	      }
2098	    }
2099	  }

2101	  container tudaV1SyncToken {
2102	  description
2103	    "TBD";

2105	    leaf tudaV1SyncTokenCycles {
2106	      type yang:counter32;
2107	      config false;
2108	      description
2109	       "Count of Sync Token update cycles that have
2110	        occurred.

2112	        DEFVAL intentionally omitted - counter object.";
2113	    }

2115	    leaf tudaV1SyncTokenInstances {
2116	      type yang:counter32;
2117	      config false;
2118	      description
2119	       "Count of Sync Token instance entries that have
2120	        been recorded (some entries MAY have been pruned).

2122	        DEFVAL intentionally omitted - counter object.";
2123	    }

2125	    list tudaV1SyncTokenEntry {

2127	      key "tudaV1SyncTokenCycleIndex
2128	           tudaV1SyncTokenInstanceIndex
2129	           tudaV1SyncTokenFragmentIndex";
2130	      config false;
2131	      description
2132	       "An entry for one fragment of Sync Token data.";

2134	      leaf tudaV1SyncTokenCycleIndex {
2135	        type int32 {
2136	          range "1..2147483647";
2137	        }
2138	        config false;
2139	        description
2140	         "High-order index of this Sync Token fragment.
2141	          Index of a Sync Token update cycle that has
2142	          occurred (bounded by the value of tudaV1SyncTokenCycles).

2144	          DEFVAL intentionally omitted - index object.";
2145	      }

2147	      leaf tudaV1SyncTokenInstanceIndex {
2148	        type int32 {
2149	          range "1..2147483647";

2151	        }
2152	        config false;
2153	        description
2154	         "Middle index of this Sync Token fragment.
2155	          Ordinal of this instance of Sync Token data
2156	          (NOT bounded by the value of tudaV1SyncTokenInstances).

2158	          DEFVAL intentionally omitted - index object.";
2159	      }

2161	      leaf tudaV1SyncTokenFragmentIndex {
2162	        type int32 {
2163	          range "1..2147483647";
2164	        }
2165	        config false;
2166	        description
2167	         "Low-order index of this Sync Token fragment.

2169	          DEFVAL intentionally omitted - index object.";
2170	      }

2172	      leaf tudaV1SyncTokenData {
2173	        type binary {
2174	          length "0..1024";
2175	        }
2176	        config false;
2177	        description
2178	         "A fragment of CBOR encoded Sync Token data.";
2179	      }
2180	    }
2181	  }

2183	  container tudaV1Restrict {
2184	  description
2185	    "TBD";

2187	    leaf tudaV1RestrictCycles {
2188	      type yang:counter32;
2189	      config false;
2190	      description
2191	       "Count of Restriction Info update cycles that have
2192	        occurred.

2194	        DEFVAL intentionally omitted - counter object.";
2195	    }

2197	    /* XXX table comments here XXX */
2198	    list tudaV1RestrictEntry {

2200	      key "tudaV1RestrictCycleIndex";
2201	      config false;
2202	      description
2203	       "An entry for one instance of Restriction Info data.";

2205	      leaf tudaV1RestrictCycleIndex {
2206	        type int32 {
2207	          range "1..2147483647";
2208	        }
2209	        config false;
2210	        description
2211	         "Index of this Restriction Info entry.
2212	          Index of a Restriction Info update cycle that has
2213	          occurred (bounded by the value of tudaV1RestrictCycles).

2215	          DEFVAL intentionally omitted - index object.";
2216	      }

2218	      leaf tudaV1RestrictData {
2219	        type binary {
2220	          length "0..1024";
2221	        }
2222	        config false;
2223	        description
2224	         "An instance of CBOR encoded Restriction Info data.";
2225	      }
2226	    }
2227	  }

2229	  container tudaV1Measure {
2230	  description
2231	    "TBD";

2233	    leaf tudaV1MeasureCycles {
2234	      type yang:counter32;
2235	      config false;
2236	      description
2237	       "Count of Measurement Log update cycles that have
2238	        occurred.

2240	        DEFVAL intentionally omitted - counter object.";
2241	    }

2243	    leaf tudaV1MeasureInstances {
2244	      type yang:counter32;
2245	      config false;
2246	      description
2247	       "Count of Measurement Log instance entries that have
2248	        been recorded (some entries MAY have been pruned).

2250	        DEFVAL intentionally omitted - counter object.";
2251	    }

2253	    list tudaV1MeasureEntry {

2255	      key "tudaV1MeasureCycleIndex tudaV1MeasureInstanceIndex";
2256	      config false;
2257	      description
2258	       "An entry for one instance of Measurement Log data.";

2260	      leaf tudaV1MeasureCycleIndex {
2261	        type int32 {
2262	          range "1..2147483647";
2263	        }
2264	        config false;
2265	        description
2266	         "High-order index of this Measurement Log entry.
2267	          Index of a Measurement Log update cycle that has
2268	          occurred (bounded by the value of tudaV1MeasureCycles).

2270	          DEFVAL intentionally omitted - index object.";
2271	      }

2273	      leaf tudaV1MeasureInstanceIndex {
2274	        type int32 {
2275	          range "1..2147483647";
2276	        }
2277	        config false;
2278	        description
2279	         "Low-order index of this Measurement Log entry.
2280	          Ordinal of this instance of Measurement Log data
2281	          (NOT bounded by the value of tudaV1MeasureInstances).

2283	          DEFVAL intentionally omitted - index object.";
2284	      }

2286	      leaf tudaV1MeasureData {
2287	        type binary {
2288	          length "0..1024";
2289	        }
2290	        config false;
2291	        description
2292	         "A instance of CBOR encoded Measurement Log data.";
2293	      }
2294	    }
2295	  }

2297	  container tudaV1VerifyToken {
2298	  description
2299	    "TBD";

2301	    leaf tudaV1VerifyTokenCycles {
2302	      type yang:counter32;
2303	      config false;
2304	      description
2305	       "Count of Verify Token update cycles that have
2306	        occurred.

2308	        DEFVAL intentionally omitted - counter object.";
2309	    }

2311	    /* XXX table comments here XXX */

2313	    list tudaV1VerifyTokenEntry {

2315	      key "tudaV1VerifyTokenCycleIndex";
2316	      config false;
2317	      description
2318	       "An entry for one instance of Verify Token data.";

2320	      leaf tudaV1VerifyTokenCycleIndex {
2321	        type int32 {
2322	          range "1..2147483647";
2323	        }
2324	        config false;
2325	        description
2326	         "Index of this instance of Verify Token data.
2327	          Index of a Verify Token update cycle that has
2328	          occurred (bounded by the value of tudaV1VerifyTokenCycles).

2330	          DEFVAL intentionally omitted - index object.";
2331	      }

2333	      leaf tudaV1VerifyTokenData {
2334	        type binary {
2335	          length "0..1024";
2336	        }
2337	        config false;
2338	        description
2339	         "A instanc-V1-ATTESTATION-MIB.yang
2340	      }
2341	    }
2342	  }

2344	  container tudaV1SWIDTag {
2345	  description
2346	    "see CoSWID and YANG SIWD module for now"

2348	    leaf tudaV1SWIDTagCycles {
2349	      type yang:counter32;
2350	      config false;
2351	      description
2352	       "Count of SWID Tag update cycles that have occurred.

2354	        DEFVAL intentionally omitted - counter object.";
2355	    }

2357	    list tudaV1SWIDTagEntry {

2359	      key "tudaV1SWIDTagCycleIndex tudaV1SWIDTagInstanceIndex
2360	           tudaV1SWIDTagFragmentIndex";
2361	      config false;
2362	      description
2363	       "An entry for one fragment of SWID Tag data.";

2365	      leaf tudaV1SWIDTagCycleIndex {
2366	        type int32 {
2367	          range "1..2147483647";
2368	        }
2369	        config false;
2370	        description
2371	         "High-order index of this SWID Tag fragment.
2372	          Index of an SWID Tag update cycle that has
2373	          occurred (bounded by the value of tudaV1SWIDTagCycles).

2375	          DEFVAL intentionally omitted - index object.";
2376	      }

2378	      leaf tudaV1SWIDTagInstanceIndex {
2379	        type int32 {
2380	          range "1..2147483647";
2381	        }
2382	        config false;
2383	        description
2384	         "Middle index of this SWID Tag fragment.

2386	          Ordinal of this SWID Tag instance in this update cycle.

2388	          DEFVAL intentionally omitted - index object.";
2389	      }

2391	      leaf tudaV1SWIDTagFragmentIndex {
2392	        type int32 {
2393	          range "1..2147483647";
2394	        }
2395	        config false;
2396	        description
2397	         "Low-order index of this SWID Tag fragment.

2399	          DEFVAL intentionally omitted - index object.";
2400	      }

2402	      leaf tudaV1SWIDTagData {
2403	        type binary {
2404	          length "0..1024";
2405	        }
2406	        config false;
2407	        description
2408	         "A fragment of CBOR encoded SWID Tag data.";
2409	      }
2410	    }
2411	  }

2413	  notification tudaV1TrapV2Cycles {
2414	    description
2415	     "This trap is sent when the value of any cycle or instance
2416	      counter changes (i.e., one or more tables are updated).

2418	      Note:  The value of sysUpTime in IETF MIB-II (RFC 1213) is
2419	      always included in SNMPv2 traps, per RFC 3416.";

2421	    container tudaV1TrapV2Cycles-tudaV1GeneralCycles {
2422	      description
2423	       "TPD"
2424	      leaf tudaV1GeneralCycles {
2425	        type yang:counter32;
2426	        description
2427	         "Count of TUDA update cycles that have occurred, i.e.,
2428	          sum of all the individual group cycle counters.

2430	          DEFVAL intentionally omitted - counter object.";
2431	      }
2432	    }
2433	    container tudaV1TrapV2Cycles-tudaV1AIKCertCycles {
2434	      description
2435	       "TPD"
2436	      leaf tudaV1AIKCertCycles {
2437	        type yang:counter32;
2438	        description
2439	         "Count of AIK Certificate chain update cycles that have
2440	          occurred.

2442	          DEFVAL intentionally omitted - counter object.";
2443	      }
2444	    }

2446	    container tudaV1TrapV2Cycles-tudaV1TSACertCycles {
2447	      description
2448	       "TPD"
2449	      leaf tudaV1TSACertCycles {
2450	        type yang:counter32;
2451	        description
2452	         "Count of TSA Certificate chain update cycles that have
2453	          occurred.

2455	          DEFVAL intentionally omitted - counter object.";
2456	      }
2457	    }

2459	    container tudaV1TrapV2Cycles-tudaV1SyncTokenCycles {
2460	      description
2461	       "TPD"
2462	      leaf tudaV1SyncTokenCycles {
2463	        type yang:counter32;
2464	        description
2465	         "Count of Sync Token update cycles that have
2466	          occurred.

2468	          DEFVAL intentionally omitted - counter object.";
2469	      }
2470	    }

2472	    container tudaV1TrapV2Cycles-tudaV1SyncTokenInstances {
2473	      description
2474	       "TPD"
2475	      leaf tudaV1SyncTokenInstances {
2476	        type yang:counter32;
2477	        description
2478	         "Count of Sync Token instance entries that have
2479	          been recorded (some entries MAY have been pruned).

2481	          DEFVAL intentionally omitted - counter object.";
2482	      }
2483	    }

2485	    container tudaV1TrapV2Cycles-tudaV1RestrictCycles {
2486	      description
2487	       "TPD"
2488	      leaf tudaV1RestrictCycles {
2489	        type yang:counter32;
2490	        description
2491	         "Count of Restriction Info update cycles that have
2492	          occurred.

2494	          DEFVAL intentionally omitted - counter object.";
2495	      }
2496	    }

2498	    container tudaV1TrapV2Cycles-tudaV1MeasureCycles {
2499	      description
2500	       "TPD"
2501	      leaf tudaV1MeasureCycles {
2502	        type yang:counter32;
2503	        description
2504	         "Count of Measurement Log update cycles that have
2505	          occurred.

2507	          DEFVAL intentionally omitted - counter object.";
2508	      }
2509	    }

2511	    container tudaV1TrapV2Cycles-tudaV1MeasureInstances {
2512	      description
2513	       "TPD"
2514	      leaf tudaV1MeasureInstances {
2515	        type yang:counter32;
2516	        description
2517	         "Count of Measurement Log instance entries that have
2518	          been recorded (some entries MAY have been pruned).

2520	          DEFVAL intentionally omitted - counter object.";
2521	      }
2522	    }

2524	    container tudaV1TrapV2Cycles-tudaV1VerifyTokenCycles {
2525	      description
2526	       "TPD"
2527	      leaf tudaV1VerifyTokenCycles {
2528	        type yang:counter32;
2529	        description
2530	         "Count of Verify Token update cycles that have
2531	          occurred.

2533	          DEFVAL intentionally omitted - counter object.";
2534	      }
2535	    }

2537	    container tudaV1TrapV2Cycles-tudaV1SWIDTagCycles {
2538	      description
2539	       "TPD"
2540	      leaf tudaV1SWIDTagCycles {
2541	        type yang:counter32;
2542	        description
2543	         "Count of SWID Tag update cycles that have occurred.

2545	          DEFVAL intentionally omitted - counter object.";
2546	      }
2547	    }

2549	  }
2550	}
2551	<CODE ENDS>

2553	Appendix D.  Realization with TPM functions

2555	D.1.  TPM Functions

2557	   The following TPM structures, resources and functions are used within
2558	   this approach.  They are based upon the TPM specifications [TPM12]
2559	   and [TPM2].

2561	D.1.1.  Tick-Session and Tick-Stamp

2563	   On every boot, the TPM initializes a new Tick-Session.  Such a tick-
2564	   session consists of a nonce that is randomly created upon each boot
2565	   to identify the current boot-cycle - the phase between boot-time of
2566	   the device and shutdown or power-off - and prevent replaying of old
2567	   tick-session values.  The TPM uses its internal entropy source that
2568	   guarantees virtually no collisions of the nonce values between two of
2569	   such boot cycles.

2571	   It further includes an internal timer that is being initialize to
2572	   Zero on each reboot.  From this point on, the TPM increments this
2573	   timer continuously based upon its internal secure clocking
2574	   information until the device is powered down or set to sleep.  By its
2575	   hardware design, the TPM will detect attacks on any of those
2576	   properties.

2578	   The TPM offers the function TPM_TickStampBlob, which allows the TPM
2579	   to create a signature over the current tick-session and two
2580	   externally provided input values.  These input values are designed to
2581	   serve as a nonce and as payload data to be included in a
2582	   TickStampBlob: TickstampBlob := sig(TPM-key, currentTicks || nonce ||
2583	   externalData).

2585	   As a result, one is able to proof that at a certain point in time
2586	   (relative to the tick-session) after the provisioning of a certain
2587	   nonce, some certain externalData was known and provided to the TPM.
2588	   If an approach however requires no input values or only one input
2589	   value (such as the use in this document) the input values can be set
2590	   to well-known value.  The convention used within TCG specifications
2591	   and within this document is to use twenty bytes of zero
2592	   h'0000000000000000000000000000000000000000' as well-known value.

2594	D.1.2.  Platform Configuration Registers (PCRs)

2596	   The TPM is a secure cryptoprocessor that provides the ability to
2597	   store measurements and metrics about an endpoint's configuration and
2598	   state in a secure, tamper-proof environment.  Each of these security
2599	   relevant metrics can be stored in a volatile Platform Configuration
2600	   Register (PCR) inside the TPM.  These measurements can be conducted
2601	   at any point in time, ranging from an initial BIOS boot-up sequence
2602	   to measurements taken after hundreds of hours of uptime.

2604	   The initial measurement is triggered by the Platforms so-called pre-
2605	   BIOS or ROM-code.  It will conduct a measurement of the first
2606	   loadable pieces of code; i.e.\ the BIOS.  The BIOS will in turn
2607	   measure its Option ROMs and the BootLoader, which measures the OS-
2608	   Kernel, which in turn measures its applications.  This describes a
2609	   so-called measurement chain.  This typically gets recorded in a so-
2610	   called measurement log, such that the values of the PCRs can be
2611	   reconstructed from the individual measurements for validation.

2613	   Via its PCRs, a TPM provides a Root of Trust that can, for example,
2614	   support secure boot or remote attestation.  The attestation of an
2615	   endpoint's identity or security posture is based on the content of an
2616	   TPM's PCRs (platform integrity measurements).

2618	D.1.3.  PCR restricted Keys

2620	   Every key inside the TPM can be restricted in such a way that it can
2621	   only be used if a certain set of PCRs are in a predetermined state.
2622	   For key creation the desired state for PCRs are defined via the
2623	   PCRInfo field inside the keyInfo parameter.  Whenever an operation
2624	   using this key is performed, the TPM first checks whether the PCRs
2625	   are in the correct state.  Otherwise the operation is denied by the
2626	   TPM.

2628	D.1.4.  CertifyInfo

2630	   The TPM offers a command to certify the properties of a key by means
2631	   of a signature using another key.  This includes especially the
2632	   keyInfo which in turn includes the PCRInfo information used during
2633	   key creation.  This way, a third party can be assured about the fact
2634	   that a key is only usable if the PCRs are in a certain state.

2636	D.2.  IE Generation Procedures for TPM 1.2

2638	D.2.1.  AIK and AIK Certificate

2640	   Attestations are based upon a cryptographic signature performed by
2641	   the TPM using a so-called Attestation Identity Key (AIK).  An AIK has
2642	   the properties that it cannot be exported from a TPM and is used for
2643	   attestations.  Trust in the AIK is established by an X.509
2644	   Certificate emitted by a Certificate Authority.  The AIK certificate
2645	   is either provided directly or via a so-called PrivacyCA
2646	   [AIK-Enrollment].

2648	   This element consists of the AIK certificate that includes the AIK's
2649	   public key used during verification as well as the certificate chain
2650	   up to the Root CA for validation of the AIK certificate itself.

2652	   TUDA-Cert = [AIK-Cert, TSA-Cert]; maybe split into two for SNMP
2653	   AIK-Cert = Cert
2654	   TSA-Cert = Cert

2656	                    Figure 2: TUDA-Cert element in CDDL

2658	   The TSA-Cert is a standard certificate of the TSA.

2660	   The AIK-Cert may be provisioned in a secure environment using
2661	   standard means or it may follow the PrivacyCA protocols.  Figure 3
2662	   gives a rough sketch of this protocol.  See [AIK-Enrollment] for more
2663	   information.

2665	   The X.509 Certificate is built from the AIK public key and the
2666	   corresponding PKCS #7 certificate chain, as shown in Figure 3.

2668	   Required TPM functions:

2670	   | create_AIK_Cert(...) = {
2671	   |   AIK = TPM_MakeIdentity()
2672	   |   IdReq = CollateIdentityRequest(AIK,EK)
2673	   |   IdRes = Call(AIK-CA, IdReq)
2674	   |   AIK-Cert = TPM_ActivateIdentity(AIK, IdRes)
2675	   | }
2676	   |
2677	   | /* Alternative */
2678	   |
2679	   | create_AIK_Cert(...) = {
2680	   |   AIK = TPM_CreateWrapKey(Identity)
2681	   |   AIK-Cert = Call(AIK-CA, AIK.pubkey)
2682	   | }

2684	                 Figure 3: Creating the TUDA-Cert element

2686	D.2.2.  Synchronization Token

2688	   The reference for Attestations are the Tick-Sessions of the TPM.  In
2689	   order to put Attestations into relation with a Real Time Clock (RTC),
2690	   it is necessary to provide a cryptographic synchronization between
2691	   the tick session and the RTC.  To do so, a synchronization protocol
2692	   is run with a Time Stamp Authority (TSA) that consists of three
2693	   steps:

2695	   o  The TPM creates a TickStampBlob using the AIK

2697	   o  This TickstampBlob is used as nonce to the Timestamp of the TSA

2699	   o  Another TickStampBlob with the AIK is created using the TSA's
2700	      Timestamp a nonce

2702	   The first TickStampBlob is called "left" and the second "right" in a
2703	   reference to their position on a time-axis.

2705	   These three elements, with the TSA's certificate factored out, form
2706	   the synchronization token
2707	   TUDA-Synctoken = [
2708	     left: TickStampBlob-Output,
2709	     timestamp: TimeStampToken,
2710	     right: TickStampBlob-Output,
2711	   ]

2713	   TimeStampToken = bytes ; RFC 3161

2715	   TickStampBlob-Output = [
2716	     currentTicks: TPM-CURRENT-TICKS,
2717	     sig: bytes,
2718	   ]

2720	   TPM-CURRENT-TICKS = [
2721	     currentTicks: uint
2722	     ? (
2723	       tickRate: uint
2724	       tickNonce: TPM-NONCE
2725	     )
2726	   ]
2727	   ; Note that TickStampBlob-Output "right" can omit the values for
2728	   ;   tickRate and tickNonce since they are the same as in "left"

2730	   TPM-NONCE = bytes .size 20

2732	                    Figure 4: TUDA-Sync element in CDDL

2734	   Required TPM functions:

2736	   | dummyDigest = h'0000000000000000000000000000000000000000'
2737	   | dummyNonce = dummyDigest
2738	   |
2739	   | create_sync_token(AIKHandle, TSA) = {
2740	   |   ts_left = TPM_TickStampBlob(
2741	   |       keyHandle = AIK_Handle,      /*TPM_KEY_HANDLE*/
2742	   |       antiReplay = dummyNonce,     /*TPM_NONCE*/
2743	   |       digestToStamp = dummyDigest  /*TPM_DIGEST*/)
2744	   |
2745	   |   ts = TSA_Timestamp(TSA, nonce = hash(ts_left))
2746	   |
2747	   |   ts_right = TPM_TickStampBlob(
2748	   |       keyHandle = AIK_Handle,      /*TPM_KEY_HANDLE*/
2749	   |       antiReplay = dummyNonce,     /*TPM_NONCE*/
2750	   |       digestToStamp = hash(ts))    /*TPM_DIGEST*/
2751	   |
2752	   |   TUDA-SyncToken = [[ts_left.ticks, ts_left.sig], ts,
2753	   |                     [ts_right.ticks.currentTicks, ts_right.sig]]
2754	   |   /* Note: skip the nonce and tickRate field for ts_right.ticks */
2755	   | }

2757	                 Figure 5: Creating the Sync-Token element

2759	D.2.3.  RestrictionInfo

2761	   The attestation relies on the capability of the TPM to operate on
2762	   restricted keys.  Whenever the PCR values for the machine to be
2763	   attested change, a new restricted key is created that can only be
2764	   operated as long as the PCRs remain in their current state.

2766	   In order to prove to the Verifier that this restricted temporary key
2767	   actually has these properties and also to provide the PCR value that
2768	   it is restricted, the TPM command TPM_CertifyInfo is used.  It
2769	   creates a signed certificate using the AIK about the newly created
2770	   restricted key.

2772	   This token is formed from the list of:

2774	   o  PCR list,

2776	   o  the newly created restricted public key, and

2778	   o  the certificate.

2780	 TUDA-RestrictionInfo = [Composite,
2781	                         restrictedKey_Pub: Pubkey,
2782	                         CertifyInfo]

2784	 PCRSelection = bytes .size (2..4) ; used as bit string

2786	 Composite = [
2787	   bitmask: PCRSelection,
2788	   values: [*PCR-Hash],
2789	 ]

2791	 Pubkey = bytes ; may be extended to COSE pubkeys

2793	 CertifyInfo = [
2794	   TPM-CERTIFY-INFO,
2795	   sig: bytes,
2796	 ]

2798	 TPM-CERTIFY-INFO = [
2799	   ; we don't encode TPM-STRUCT-VER:
2800	   ; these are 4 bytes always equal to h'01010000'
2801	   keyUsage: uint, ; 4byte? 2byte?
2802	   keyFlags: bytes .size 4, ; 4byte
2803	   authDataUsage: uint, ; 1byte (enum)
2804	   algorithmParms: TPM-KEY-PARMS,
2805	   pubkeyDigest: Hash,
2806	   ; we don't encode TPM-NONCE data, which is 20 bytes, all zero
2807	   parentPCRStatus: bool,
2808	   ; no need to encode pcrinfosize
2809	   pcrinfo: TPM-PCR-INFO,        ; we have exactly one
2810	 ]

2812	 TPM-PCR-INFO = [
2813	     pcrSelection: PCRSelection; /* TPM_PCR_SELECTION */
2814	     digestAtRelease: PCR-Hash;  /* TPM_COMPOSITE_HASH */
2815	     digestAtCreation: PCR-Hash; /* TPM_COMPOSITE_HASH */
2816	 ]

2818	 TPM-KEY-PARMS = [
2819	   ; algorithmID: uint, ; <= 4 bytes -- not encoded, constant for TPM1.2
2820	   encScheme: uint, ; <= 2 bytes
2821	   sigScheme: uint, ; <= 2 bytes
2822	   parms: TPM-RSA-KEY-PARMS,
2823	 ]

2825	 TPM-RSA-KEY-PARMS = [
2826	   ; "size of the RSA key in bits":
2827	   keyLength: uint
2828	   ; "number of prime factors used by this RSA key":
2829	   numPrimes: uint
2830	   ; "This SHALL be the size of the exponent":
2831	   exponentSize: null / uint / biguint
2832	   ; "If the key is using the default exponent then the exponentSize
2833	   ; MUST be 0" -> we represent this case as null
2834	 ]

2836	                    Figure 6: TUDA-Key element in CDDL

2838	   Required TPM functions:

2840	   | dummyDigest = h'0000000000000000000000000000000000000000'
2841	   | dummyNonce = dummyDigest
2842	   |
2843	   | create_Composite
2844	   |
2845	   | create_restrictedKey_Pub(pcrsel) = {
2846	   |   PCRInfo = {pcrSelection = pcrsel,
2847	   |              digestAtRelease = hash(currentValues(pcrSelection))
2848	   |              digestAtCreation = dummyDigest}
2849	   |   / * PCRInfo is a TPM_PCR_INFO and thus also a TPM_KEY */
2850	   |
2851	   |   wk = TPM_CreateWrapKey(keyInfo = PCRInfo)
2852	   |   wk.keyInfo.pubKey
2853	   | }
2854	   |
2855	   | create_TPM-Certify-Info = {
2856	   |   CertifyInfo = TPM_CertifyKey(
2857	   |       certHandle = AIK,          /* TPM_KEY_HANDLE */
2858	   |       keyHandle = wk,            /* TPM_KEY_HANDLE */
2859	   |       antiReply = dummyNonce)    /* TPM_NONCE */
2860	   |
2861	   |   CertifyInfo.strip()
2862	   |   /* Remove those values that are not needed */
2863	   | }

2865	                       Figure 7: Creating the pubkey

2867	D.2.4.  Measurement Log

2869	   Similarly to regular attestations, the Verifier needs a way to
2870	   reconstruct the PCRs' values in order to estimate the trustworthiness
2871	   of the device.  As such, a list of those elements that were extended
2872	   into the PCRs is reported.  Note though that for certain
2873	   environments, this step may be optional if a list of valid PCR
2874	   configurations exists and no measurement log is required.

2876	   TUDA-Measurement-Log = [*PCR-Event]
2877	   PCR-Event = [
2878	     type: PCR-Event-Type,
2879	     pcr: uint,
2880	     template-hash: PCR-Hash,
2881	     filedata-hash: tagged-hash,
2882	     pathname: text; called filename-hint in ima (non-ng)
2883	   ]

2885	   PCR-Event-Type = &(
2886	     bios: 0
2887	     ima: 1
2888	     ima-ng: 2
2889	   )

2891	   ; might want to make use of COSE registry here
2892	   ; however, that might never define a value for sha1
2893	   tagged-hash /= [sha1: 0, bytes .size 20]
2894	   tagged-hash /= [sha256: 1, bytes .size 32]

2896	D.2.5.  Implicit Attestation

2898	   The actual attestation is then based upon a TickStampBlob using the
2899	   restricted temporary key that was certified in the steps above.  The
2900	   TPM-Tickstamp is executed and thereby provides evidence that at this
2901	   point in time (with respect to the TPM internal tick-session) a
2902	   certain configuration existed (namely the PCR values associated with
2903	   the restricted key).  Together with the synchronization token this
2904	   tick-related timing can then be related to the real-time clock.

2906	   This element consists only of the TPM_TickStampBlock with no nonce.

2908	   TUDA-Verifytoken = TickStampBlob-Output

2910	                   Figure 8: TUDA-Verify element in CDDL

2912	   Required TPM functions:

2914	   | imp_att = TPM_TickStampBlob(
2915	   |     keyHandle = restrictedKey_Handle,     /*TPM_KEY_HANDLE*/
2916	   |     antiReplay = dummyNonce,              /*TPM_NONCE*/
2917	   |     digestToStamp = dummyDigest)          /*TPM_DIGEST*/
2918	   |
2919	   | VerifyToken = imp_att

2921	                    Figure 9: Creating the Verify Token

2923	D.2.6.  Attestation Verification Approach

2925	   The seven TUDA information elements transport the essential content
2926	   that is required to enable verification of the attestation statement
2927	   at the Verifier.  The following listings illustrate the verification
2928	   algorithm to be used at the Verifier in pseudocode.  The pseudocode
2929	   provided covers the entire verification task.  If only a subset of
2930	   TUDA elements changed (see Section 4.1), only the corresponding code
2931	   listings need to be re-executed.

2933	   | TSA_pub = verifyCert(TSA-CA, Cert.TSA-Cert)
2934	   | AIK_pub = verifyCert(AIK-CA, Cert.AIK-Cert)

2936	                  Figure 10: Verification of Certificates

2938	  | ts_left = Synctoken.left
2939	  | ts_right = Synctoken.right
2940	  |
2941	  | /* Reconstruct ts_right's omitted values; Alternatively assert == */
2942	  | ts_right.currentTicks.tickRate = ts_left.currentTicks.tickRate
2943	  | ts_right.currentTicks.tickNonce = ts_left.currentTicks.tickNonce
2944	  |
2945	  | ticks_left = ts_left.currentTicks
2946	  | ticks_right = ts_right.currentTicks
2947	  |
2948	  | /* Verify Signatures */
2949	  | verifySig(AIK_pub, dummyNonce || dummyDigest || ticks_left)
2950	  | verifySig(TSA_pub, hash(ts_left) || timestamp.time)
2951	  | verifySig(AIK_pub, dummyNonce || hash(timestamp) || ticks_right)
2952	  |
2953	  | delta_left = timestamp.time -
2954	  |     ticks_left.currentTicks * ticks_left.tickRate / 1000
2955	  |
2956	  | delta_right = timestamp.time -
2957	  |     ticks_right.currentTicks * ticks_right.tickRate / 1000

2959	             Figure 11: Verification of Synchronization Token

2961	   | compositeHash = hash_init()
2962	   | for value in Composite.values:
2963	   |     hash_update(compositeHash, value)
2964	   | compositeHash = hash_finish(compositeHash)
2965	   |
2966	   | certInfo = reconstruct_static(TPM-CERTIFY-INFO)
2967	   |
2968	   | assert(Composite.bitmask == ExpectedPCRBitmask)
2969	   | assert(certInfo.pcrinfo.PCRSelection == Composite.bitmask)
2970	   | assert(certInfo.pcrinfo.digestAtRelease == compositeHash)
2971	   | assert(certInfo.pubkeyDigest == hash(restrictedKey_Pub))
2972	   |
2973	   | verifySig(AIK_pub, dummyNonce || certInfo)

2975	                Figure 12: Verification of Restriction Info

2977	   | for event in Measurement-Log:
2978	   |     if event.pcr not in ExpectedPCRBitmask:
2979	   |         continue
2980	   |     if event.type == BIOS:
2981	   |         assert_whitelist-bios(event.pcr, event.template-hash)
2982	   |     if event.type == ima:
2983	   |         assert(event.pcr == 10)
2984	   |         assert_whitelist(event.pathname, event.filedata-hash)
2985	   |         assert(event.template-hash ==
2986	   |                hash(event.pathname || event.filedata-hash))
2987	   |     if event.type == ima-ng:
2988	   |         assert(event.pcr == 10)
2989	   |         assert_whitelist-ng(event.pathname, event.filedata-hash)
2990	   |         assert(event.template-hash ==
2991	   |                hash(event.pathname || event.filedata-hash))
2992	   |
2993	   |     virtPCR[event.pcr] = hash_extend(virtPCR[event.pcr],
2994	   |                                      event.template-hash)
2995	   |
2996	   | for pcr in ExpectedPCRBitmask:
2997	   |     assert(virtPCR[pcr] == Composite.values[i++]

2999	                Figure 13: Verification of Measurement Log

3001	  | ts = Verifytoken
3002	  |
3003	  | /* Reconstruct ts's omitted values; Alternatively assert == */
3004	  | ts.currentTicks.tickRate = ts_left.currentTicks.tickRate
3005	  | ts.currentTicks.tickNonce = ts_left.currentTicks.tickNonce
3006	  |
3007	  | verifySig(restrictedKey_pub, dummyNonce || dummyDigest || ts)
3008	  |
3009	  | ticks = ts.currentTicks
3010	  |
3011	  | time_left = delta_right + ticks.currentTicks * ticks.tickRate / 1000
3012	  | time_right = delta_left + ticks.currentTicks * ticks.tickRate / 1000
3013	  |
3014	  | [time_left, time_right]

3016	               Figure 14: Verification of Attestation Token

3018	D.3.  IE Generation Procedures for TPM 2.0

3020	   The pseudo code below includes general operations that are conducted
3021	   as specific TPM commands:

3023	   o  hash() : description TBD

3025	   o  sig() : description TBD

3027	   o  X.509-Certificate() : description TBD

3029	   These represent the output structure of that command in the form of a
3030	   byte string value.

3032	D.3.1.  AIK and AIK Certificate

3034	   Attestations are based upon a cryptographic signature performed by
3035	   the TPM using a so-called Attestation Identity Key (AIK).  An AIK has
3036	   the properties that it cannot be exported from a TPM and is used for
3037	   attestations.  Trust in the AIK is established by an X.509
3038	   Certificate emitted by a Certificate Authority.  The AIK certificate
3039	   is either provided directly or via a so-called PrivacyCA
3040	   [AIK-Enrollment].

3042	   This element consists of the AIK certificate that includes the AIK's
3043	   public key used during verification as well as the certificate chain
3044	   up to the Root CA for validation of the AIK certificate itself.

3046	   TUDA-Cert = [AIK-Cert, TSA-Cert]; maybe split into two for SNMP
3047	   AIK-Certificate = X.509-Certificate(AIK-Key,Restricted-Flag)
3048	   TSA-Certificate = X.509-Certificate(TSA-Key, TSA-Flag)

3050	                 Figure 15: TUDA-Cert element for TPM 2.0

3052	D.3.2.  Synchronization Token

3054	   The synchronization token uses a different TPM command, TPM2
3055	   GetTime() instead of TPM TickStampBlob().  The TPM2 GetTime() command
3056	   contains the clock and time information of the TPM.  The clock
3057	   information is the equivalent of TUDA v1's tickSession information.

3059	   TUDA-SyncToken = [
3060	     left_GetTime = sig(AIK-Key,
3061	                        TimeInfo = [
3062	                          time,
3063	                          resetCount,
3064	                          restartCount
3065	                        ]
3066	                       ),
3067	     middle_TimeStamp = sig(TSA-Key,
3068	                            hash(left_TickStampBlob),
3069	                            UTC-localtime
3070	                           ),
3071	     right_TickStampBlob = sig(AIK-Key,
3072	                               hash(middle_TimeStamp),
3073	                               TimeInfo = [
3074	                                 time,
3075	                                 resetCount,
3076	                                 restartCount
3077	                               ]
3078	                              )
3079	   ]

3081	                 Figure 16: TUDA-Sync element for TPM 2.0

3083	D.3.3.  Measurement Log

3085	   The creation procedure is identical to Appendix D.2.4.

3087	   Measurement-Log = [
3088	     * [ EventName,
3089	         PCR-Num,
3090	         Event-Hash ]
3091	   ]

3093	                  Figure 17: TUDA-Log element for TPM 2.0

3095	D.3.4.  Explicit time-based Attestation

3097	   The TUDA attestation token consists of the result of TPM2_Quote() or
3098	   a set of TPM2_PCR_READ followed by a TPM2_GetSessionAuditDigest.  It
3099	   proves that -- at a certain point-in-time with respect to the TPM's
3100	   internal clock -- a certain configuration of PCRs was present, as
3101	   denoted in the keys restriction information.

3103	TUDA-AttestationToken = TUDA-AttestationToken_quote / TUDA-AttestationToken_audit

3105	TUDA-AttestationToken_quote = sig(AIK-Key,
3106	                                  TimeInfo = [
3107	                                    time,
3108	                                    resetCount,
3109	                                    restartCount
3110	                                  ],
3111	                                  PCR-Selection = [ * PCR],
3112	                                  PCR-Digest := PCRDigest
3113	                                 )

3115	TUDA-AttestationToken_audit = sig(AIK-key,
3116	                                  TimeInfo = [
3117	                                    time,
3118	                                    resetCount,
3119	                                    restartCount
3120	                                  ],
3121	                                  Session-Digest := PCRDigest
3122	                                 )

3124	                Figure 18: TUDA-Attest element for TPM 2.0

3126	D.3.5.  Sync Proof

3128	   In order to proof to the Verifier that the TPM's clock was not 'fast-
3129	   forwarded' the result of a TPM2_GetTime() is sent after the TUDA-
3130	   AttestationToken.

3132	   TUDA-SyncProof = sig(AIK-Key,
3133	                        TimeInfo = [
3134	                          time,
3135	                          resetCount,
3136	                          restartCount
3137	                        ]
3138	                       ),

3140	                 Figure 19: TUDA-Proof element for TPM 2.0

3142	Acknowledgements

3144	Authors' Addresses

3146	   Andreas Fuchs
3147	   Fraunhofer Institute for Secure Information Technology
3148	   Rheinstrasse 75
3149	   Darmstadt  64295
3150	   Germany

3152	   Email: andreas.fuchs@sit.fraunhofer.de

3154	   Henk Birkholz
3155	   Fraunhofer Institute for Secure Information Technology
3156	   Rheinstrasse 75
3157	   Darmstadt  64295
3158	   Germany

3160	   Email: henk.birkholz@sit.fraunhofer.de

3162	   Ira E McDonald
3163	   High North Inc
3164	   PO Box 221
3165	   Grand Marais  49839
3166	   US

3168	   Email: blueroofmusic@gmail.com

3170	   Carsten Bormann
3171	   Universitaet Bremen TZI
3172	   Bibliothekstr. 1
3173	   Bremen  D-28359
3174	   Germany

3176	   Phone: +49-421-218-63921
3177	   Email: cabo@tzi.org