idnits 2.17.1 

draft-birkholz-rats-tuda-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There is 1 instance of too long lines in the document, the longest one
     being 9 characters in excess of 72.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (September 12, 2019) is 1680 days in the past.  Is
     this intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'AIK-Cert' is mentioned on line 3183, but not defined

  == Missing Reference: 'TSA-Cert' is mentioned on line 3183, but not defined

  == Outdated reference: A later version (-03) exists of
     draft-birkholz-rats-architecture-01

  == Outdated reference: A later version (-03) exists of
     draft-birkholz-rats-reference-interaction-model-01

  == Outdated reference: A later version (-17) exists of
     draft-ietf-core-comi-07

  == Outdated reference: A later version (-24) exists of
     draft-ietf-sacm-coswid-12

  -- Obsolete informational reference (is this intentional?): RFC 7049
     (Obsoleted by RFC 8949)

  -- Obsolete informational reference (is this intentional?): RFC 7230
     (Obsoleted by RFC 9110, RFC 9112)

  -- Obsolete informational reference (is this intentional?): RFC 7320
     (Obsoleted by RFC 8820)

  -- Obsolete informational reference (is this intentional?): RFC 7540
     (Obsoleted by RFC 9113)


     Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	RATS Working Group                                              A. Fuchs
3	Internet-Draft                                               H. Birkholz
4	Intended status: Standards Track                          Fraunhofer SIT
5	Expires: March 15, 2020                                      I. McDonald
6	                                                          High North Inc
7	                                                              C. Bormann
8	                                                 Universitaet Bremen TZI
9	                                                      September 12, 2019

11	                 Time-Based Uni-Directional Attestation
12	                      draft-birkholz-rats-tuda-01

14	Abstract

16	   This documents defines the method and bindings used to conduct Time-
17	   based Uni-Directional Attestation (TUDA) between two RATS (Remote
18	   ATtestation procedureS) Principals over the Internet.  TUDA does not
19	   require a challenge-response handshake and thereby does not rely on
20	   the conveyance of a nonce to prove freshness of remote attestation
21	   Evidence.  Conversely, TUDA enables the creation of Secure Audit Logs
22	   that can constitute Evidence about current and past operational
23	   states of an Attester.  As a prerequisite for TUDA, every RATS
24	   Principal requires access to a trusted and synchronized time-source.
25	   Per default, in TUDA this is a Time Stamp Authority (TSA) issuing
26	   signed Time Stamp Tokens (TST).

28	Status of This Memo

30	   This Internet-Draft is submitted in full conformance with the
31	   provisions of BCP 78 and BCP 79.

33	   Internet-Drafts are working documents of the Internet Engineering
34	   Task Force (IETF).  Note that other groups may also distribute
35	   working documents as Internet-Drafts.  The list of current Internet-
36	   Drafts is at https://datatracker.ietf.org/drafts/current/.

38	   Internet-Drafts are draft documents valid for a maximum of six months
39	   and may be updated, replaced, or obsoleted by other documents at any
40	   time.  It is inappropriate to use Internet-Drafts as reference
41	   material or to cite them other than as "work in progress."

43	   This Internet-Draft will expire on March 15, 2020.

45	Copyright Notice

47	   Copyright (c) 2019 IETF Trust and the persons identified as the
48	   document authors.  All rights reserved.

50	   This document is subject to BCP 78 and the IETF Trust's Legal
51	   Provisions Relating to IETF Documents
52	   (https://trustee.ietf.org/license-info) in effect on the date of
53	   publication of this document.  Please review these documents
54	   carefully, as they describe your rights and restrictions with respect
55	   to this document.  Code Components extracted from this document must
56	   include Simplified BSD License text as described in Section 4.e of
57	   the Trust Legal Provisions and are provided without warranty as
58	   described in the Simplified BSD License.

60	Table of Contents

62	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
63	     1.1.  Requirements Notation . . . . . . . . . . . . . . . . . .   4
64	     1.2.  Evidence  . . . . . . . . . . . . . . . . . . . . . . . .   4
65	     1.3.  Creating Evidence about Software Component Integrity  . .   5
66	       1.3.1.  Data Items  . . . . . . . . . . . . . . . . . . . . .   5
67	       1.3.2.  System Components . . . . . . . . . . . . . . . . . .   5
68	       1.3.3.  Operations  . . . . . . . . . . . . . . . . . . . . .   6
69	     1.4.  Remote Attestation Principles . . . . . . . . . . . . . .   6
70	     1.5.  System Component Requirements . . . . . . . . . . . . . .   7
71	     1.6.  Evidence Appraisal  . . . . . . . . . . . . . . . . . . .   7
72	     1.7.  Activities and Actions  . . . . . . . . . . . . . . . . .   8
73	     1.8.  Attestation and Verification  . . . . . . . . . . . . . .   8
74	     1.9.  Information Elements and Conveyance . . . . . . . . . . .   8
75	     1.10. TUDA Objectives . . . . . . . . . . . . . . . . . . . . .   9
76	     1.11. Hardware Dependencies . . . . . . . . . . . . . . . . . .  10
77	   2.  TUDA Core Concept . . . . . . . . . . . . . . . . . . . . . .  10
78	   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .  11
79	     3.1.  Universal Terms . . . . . . . . . . . . . . . . . . . . .  11
80	     3.2.  Roles . . . . . . . . . . . . . . . . . . . . . . . . . .  13
81	       3.2.1.  General Types . . . . . . . . . . . . . . . . . . . .  13
82	       3.2.2.  RoT specific terms  . . . . . . . . . . . . . . . . .  13
83	     3.3.  Certificates  . . . . . . . . . . . . . . . . . . . . . .  13
84	   4.  Time-Based Uni-Directional Attestation  . . . . . . . . . . .  13
85	     4.1.  TUDA Information Elements Update Cycles . . . . . . . . .  15
86	   5.  Sync Base Protocol  . . . . . . . . . . . . . . . . . . . . .  17
87	   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  18
88	   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  18
89	   8.  Change Log  . . . . . . . . . . . . . . . . . . . . . . . . .  18
90	   9.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  19
91	   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  19
92	     10.1.  Normative References . . . . . . . . . . . . . . . . . .  19
93	     10.2.  Informative References . . . . . . . . . . . . . . . . .  20
94	   Appendix A.  REST Realization . . . . . . . . . . . . . . . . . .  24
95	   Appendix B.  SNMP Realization . . . . . . . . . . . . . . . . . .  24
96	     B.1.  Structure of TUDA MIB . . . . . . . . . . . . . . . . . .  25
97	       B.1.1.  Cycle Index . . . . . . . . . . . . . . . . . . . . .  25
98	       B.1.2.  Instance Index  . . . . . . . . . . . . . . . . . . .  25
99	       B.1.3.  Fragment Index  . . . . . . . . . . . . . . . . . . .  25
100	     B.2.  Relationship to Host Resources MIB  . . . . . . . . . . .  26
101	     B.3.  Relationship to Entity MIB  . . . . . . . . . . . . . . .  26
102	     B.4.  Relationship to Other MIBs  . . . . . . . . . . . . . . .  26
103	     B.5.  Definition of TUDA MIB  . . . . . . . . . . . . . . . . .  26
104	   Appendix C.  YANG Realization . . . . . . . . . . . . . . . . . .  42
105	   Appendix D.  Realization with TPM functions . . . . . . . . . . .  57
106	     D.1.  TPM Functions . . . . . . . . . . . . . . . . . . . . . .  57
107	       D.1.1.  Tick-Session and Tick-Stamp . . . . . . . . . . . . .  57
108	       D.1.2.  Platform Configuration Registers (PCRs) . . . . . . .  58
109	       D.1.3.  PCR restricted Keys . . . . . . . . . . . . . . . . .  58
110	       D.1.4.  CertifyInfo . . . . . . . . . . . . . . . . . . . . .  59
111	     D.2.  IE Generation Procedures for TPM 1.2  . . . . . . . . . .  59
112	       D.2.1.  AIK and AIK Certificate . . . . . . . . . . . . . . .  59
113	       D.2.2.  Synchronization Token . . . . . . . . . . . . . . . .  60
114	       D.2.3.  RestrictionInfo . . . . . . . . . . . . . . . . . . .  62
115	       D.2.4.  Measurement Log . . . . . . . . . . . . . . . . . . .  64
116	       D.2.5.  Implicit Attestation  . . . . . . . . . . . . . . . .  65
117	       D.2.6.  Attestation Verification Approach . . . . . . . . . .  66
118	     D.3.  IE Generation Procedures for TPM 2.0  . . . . . . . . . .  68
119	       D.3.1.  AIK and AIK Certificate . . . . . . . . . . . . . . .  68
120	       D.3.2.  Synchronization Token . . . . . . . . . . . . . . . .  69
121	       D.3.3.  Measurement Log . . . . . . . . . . . . . . . . . . .  69
122	       D.3.4.  Explicit time-based Attestation . . . . . . . . . . .  70
123	       D.3.5.  Sync Proof  . . . . . . . . . . . . . . . . . . . . .  70
124	   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  71
125	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  71

127	1.  Introduction

129	   Remote ATtestation procedureS (RATS) describe the attempt to
130	   determine and appraise properties, such as integrity and
131	   trustworthiness, of a communication partner - the Attester - over the
132	   Internet to another communication parter - the Verifier - without
133	   direct access.  TUDA uses the architectural constituents of the RATS
134	   Architecture [I-D.birkholz-rats-architecture] that defines the Roles
135	   Attester and Verifier in detail.  The RATS Architecture also defines
136	   Role Messages.  TUDA creates and conveys a specific type of Role
137	   Message called Evidence, a composition of trustwrthiness Claims
138	   provided by an Attester and consumed by a Verifier (potentially
139	   relayed by another RATS Role that is a Relying Party).  TUDA - in
140	   contrast to traditional bi-directional challenge-response protocols

142	   [I-D.birkholz-rats-reference-interaction-model] - enables a uni-
143	   directional conveyance of attestation Evidence that allows for
144	   providing attestation information without solicitation (e.g. as
145	   beacons or push data via YANG Push [RFC8641], [RFC8640], [RFC8639]).

147	   As a result, this document introduces the term Forward Authenticity.

149	   Forward Authenticity (FA):  A property of secure communication
150	      protocols, in which later compromise of the long-term keys of a
151	      data origin does not compromise past authentication of data from
152	      that origin.  FA is achieved by timely recording of assessments of
153	      the authenticity from system components (via "audit logs" during
154	      "audit sessions") that are authorized for this purpose and
155	      trustworthy (e.g via endorsed roots of trust), in a time frame
156	      much shorter than that expected for the compromise of the long-
157	      term keys.

159	      Forward Authenticity enables new levels of assurance and can be
160	      included in basically every protocol, such as ssh, YANG Push,
161	      router advertisements, link layer neighbor discovery, or even ICMP
162	      echo.

164	1.1.  Requirements Notation

166	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
167	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
168	   "OPTIONAL" in this document are to be interpreted as described in
169	   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
170	   capitals, as shown here.

172	1.2.  Evidence

174	   Remote attestation Evidence is basically a set of trustworthiness
175	   claims (assertions about the Attester and its system characteristics
176	   including security posture and protection characteristics) that are
177	   accompanied by a proof of their veracity - typically a signature
178	   based on shielded, private and potentially restricted key material.
179	   As key material alone is typically not self-descriptive with respect
180	   to its intended use (its semantics), the remote attestation Evidence
181	   created via TUDA is accompanied by two kinds of certificates that are
182	   cryptographically associated with a Trust Anchor (TA) [RFC4949] via a
183	   certification path:

185	   o  an Attestation Key (AK) Certificate (AK-Cert) that represents the
186	      attestation provenance of the created Evidence, and

188	   o  an Endorsement Key (EK) Certificate (EK-Cert) that represents the
189	      protection characteristics of the system components the AK is
190	      stored in.

192	   If a Verifier decides to trust both the TA of an AK-Cert and an EK-
193	   Cert presented by an Attester - and the included assertions about the
194	   system characteristics describing the Attester, the attestation
195	   Evidence created via TUDA by the Attester is considered believable.
196	   Ultimately, believable Evidence is appraised by a Verifier in order
197	   to assess the trustworthiness of the corresponding Attester.

199	1.3.  Creating Evidence about Software Component Integrity

201	   The TUDA protocol mechanism uses hash values of all started software
202	   components as a basis to provide and create Evidence about the
203	   integrity of the software components of an Attester.  This section
204	   defines the processed data items, the required system components, and
205	   corresponding operations to enable the creation of Evidence about
206	   software component integrity for TUDA.

208	1.3.1.  Data Items

210	   The hash value of a software component created before it is executed
211	   is referred to as a "measurement" in the remainder of this document.
212	   Measurements are chained using a rolling hash function.  Each
213	   measurement added to the sequence of all measurements results in a
214	   new current hash value that is referred to as a "digest" in the
215	   remainder of this document.

217	1.3.2.  System Components

219	   The function to store these measurements via a rolling hash function
220	   is provided by a root of trust for storage - a system component that
221	   MUST be a component of the attester.

223	   With respect to the boot sequence of an Attester, the very first
224	   measurements of software components (e.g. the BIOS, or a sometimes a
225	   bootloader) have to be conducted by a root of trust for measurement
226	   that is implemented in hardware and MUST be a system component of the
227	   Attester.

229	   All measurements retained in the root of trust for measurements are
230	   handed over to the root of trust for storage when it becomes
231	   available during the boot procedure of the Attester.  During that
232	   hand-over the sequence of measurements retained in the root of trust
233	   for measurement are processed by the rolling hash function of the
234	   root of trust for storage.

236	   The function of retrieving the current output value of the rolling
237	   hash function, including a signature to provide a proof of veracity,
238	   is provided by a root of trust for reporting and MUST be a system
239	   component of the Attester.

241	   Typically, a root of trust for storage and a root of trust for
242	   reporting are tightly coupled.  Analogously, a root of trust for
243	   measurement is typically independent from the root of trust for
244	   storage, but has to be able to interact with root of trust for
245	   storage at some point of the boot sequence of the Attester to hand
246	   over the retained measurements.

248	1.3.3.  Operations

250	   The operation of processing a measurement and adding it to the
251	   sequence of measurements via the rolling hash function is called
252	   "extend" and is provided by the root of trust for storage.

254	   The operation of retrieving the current available hash value that is
255	   the result of the rolling hash function including a signature based
256	   on an Attestation Key is called "quote" and is provided by the
257	   corresponding root of trust for reporting.

259	1.4.  Remote Attestation Principles

261	   In essence, RATS are composed of three base activities.  The
262	   following definitions are derived from the definitions presented in
263	   [PRIRA] and [TCGGLOSS], and are a simplified summary of the RATS
264	   Architecture relevant for TUDA.  The complete RATS Architecture and
265	   every corresponding constituent, message and interaction is defined
266	   in [I-D.birkholz-rats-architecture].

268	   Attestation:  The creation of one ore more claims about the
269	      trustworthiness properties of an Attester, such that the claims
270	      can be used as Evidence.

272	   Conveyance:  The transfer of Evidence from the Attester to the
273	      Verifier via an interconnect.

275	   Verification:  The appraisal of Evidence by evaluating it against
276	      known-good-values (a type of declarative guidance).

278	   With TUDA, the claims that compose the evidence are signatures over
279	   trustworthy integrity measurements created by leveraging roots of
280	   trust.  The evidence is appraised via corresponding signatures over
281	   reference integrity measurements (RIM, represented, for example via
282	   [I-D.ietf-sacm-coswid]).

284	   Protocols that facilitate Trust-Anchor based signatures in order to
285	   provide RATS are usually bi-directional challenge/response protocols,
286	   such as the Platform Trust Service protocol [PTS] or CAVES [PRIRA],
287	   where one entity sends a challenge that is included inside the
288	   response to prove the recentness - the freshness (see fresh in
289	   [RFC4949]) - of the attestation information.  The corresponding
290	   interaction model tightly couples the three activities of creating,
291	   transferring and appraising evidence.

293	   The Time-Based Uni-directional Attestation family of protocols - TUDA
294	   - described in this document can decouple the three activities RATS
295	   are composed of.  As a result, TUDA provides additional capabilities,
296	   such as:

298	   o  remote attestation for Attesters that might not always be able to
299	      reach the Internet by enabling the verification of past states,

301	   o  secure audit logs by combining the evidence created via TUDA with
302	      integrity measurement logs that represent a detailed record of
303	      corresponding past states,

305	   o  an uni-directional interaction model that can traverse "diode-
306	      like" network security functions (NSF) or can be leveraged in
307	      RESTful architectures (e.g.  CoAP [RFC7252]), analogously.

309	1.5.  System Component Requirements

311	   TUDA is a family of protocols that bundles results from specific
312	   attestation activities.  The attestation activities of TUDA are based
313	   on a hardware roots of trust that provides the following
314	   capabilities:

316	   o  Platform Configuration Registers (PCR) that can extend
317	      measurements consecutively and represent the sequence of
318	      measurements as a single digest,

320	   o  Restricted Signing Keys (RSK) that can only be accessed, if a
321	      specific signature about a set of measurements can be provided as
322	      authentication, and

324	   o  a dedicated source of (relative) time, e.g. a tick counter (a tick
325	      being a specific time interval, for example 10 ms).

327	1.6.  Evidence Appraisal

329	   To appraise the evidence created by an Attester, the Verifier
330	   requires corresponding Reference Integrity Measurements (RIM).
331	   Typical set of RIMs are required to assess the integrity of an
332	   Attester.  These sets are called RIM Bundles.  The scope of a RIM
333	   Bundle encompasses, e.g., a platform, a device, a computing context,
334	   or a virtualised function.  In order to be comparable, the hashing
335	   algorithms used by the Attester to create the integrity measurements
336	   have to match the hashing algorithms used to create the corresponding
337	   RIM that are used by the Verifier to appraise the attestation
338	   Evidence about software component integrity.

340	1.7.  Activities and Actions

342	   Depending on the platform (i.e. one or more computing contexts
343	   including a dedicated hardware RoT), a generic RA activity results in
344	   platform-specific actions that have to be conducted.  In consequence,
345	   there are multiple specific operations and data models (defining the
346	   input and output of operations).  Hence, specific actions are are not
347	   covered by this document.  Instead, the requirements on operations
348	   and the information elements that are the input and output to these
349	   operations are illustrated using pseudo code in Appendix C and D.

351	1.8.  Attestation and Verification

353	   Both the attestation and the verification activity of TUDA also
354	   require a trusted Time Stamp Authority (TSA) as an additional third
355	   party next to the Attester and the Verifier.  The protocol uses a
356	   Time Stamp Authority based on [RFC3161].  The combination of the
357	   local source of time provided by the hardware RoT (located on the
358	   Attester) and the Time Stamp Tokens provided by the TSA (to both the
359	   Attester and the Verifier) enable the attestation and verification of
360	   an appropriate freshness of the evidence conveyed by the Attester --
361	   without requiring a challenge/response interaction model that uses a
362	   nonce to ensure the freshness.

364	   Typically, the verification activity requires declarative guidance
365	   (representing desired or compliant endpoint characteristics in the
366	   form of RIM, see above) to appraise the individual integrity
367	   measurements the conveyed evidence is composed on.  The acquisition
368	   or representation (data models) of declarative guidance as well as
369	   the corresponding evaluation methods are out of the scope of this
370	   document.

372	1.9.  Information Elements and Conveyance

374	   TUDA defines a set of information elements (IE) that are created and
375	   stored on the Attester and are intended to be transferred to the
376	   Verifier in order to enable appraisal.  Each TUDA IE:

378	   o  is encoded in the Concise Binary Object Representation (CBOR
379	      [RFC7049]) to minimize the volume of data in motion.  In this
380	      document, the composition of the CBOR data items that represent IE
381	      is described using the Concise Data Definition Language, CDDL
382	      [RFC8610]

384	   o  that requires a certain freshness is only created/updated when
385	      out-dated, which reduces the overall resources required from the
386	      Attester, including the utilization of the hardware root of trust.
387	      The IE that have to be created are determined by their age or by
388	      specific state changes on the Attester (e.g. state changes due to
389	      a reboot-cycle)

391	   o  is only transferred when required, which reduces the amount of
392	      data in motion necessary to conduct remote attestation
393	      significantly.  Only IE that have changed since their last
394	      conveyance have to be transferred

396	   o  that requires a certain freshness can be reused for multiple
397	      remote attestation procedures in the limits of its corresponding
398	      freshness-window, further reducing the load imposed on the
399	      Attester and its corresponding hardware RoT.

401	1.10.  TUDA Objectives

403	   The Time-Based Uni-directional Attestation family of protocols is
404	   designed to:

406	   o  increase the confidence in authentication and authorization
407	      procedures,

409	   o  address the requirements of constrained-node networks,

411	   o  support interaction models that do not maintain connection-state
412	      over time, such as REST architectures [REST],

414	   o  be able to leverage existing management interfaces, such as SNMP
415	      [RFC3411].  RESTCONF [RFC8040] or CoMI [I-D.ietf-core-comi] -- and
416	      corresponding bindings,

418	   o  support broadcast and multicast schemes (e.g.  [IEEE1609]),

420	   o  be able to cope with temporary loss of connectivity, and to

422	   o  provide trustworthy audit logs of past endpoint states.

424	1.11.  Hardware Dependencies

426	   The binding of the attestation scheme used by TUDA to generate the
427	   TUDA IE is specific to the methods provided by the hardware RoT used
428	   (see above).  In this document,expositional text and pseudo-code that
429	   is provided as a reference to instantiate the TUDA IE is based on TPM
430	   1.2 and TPM 2.0 operations.  The corresponding TPM commands are
431	   specified in [TPM12] and [TPM2].  The references to TPM commands and
432	   corresponding pseudo-code only serve as guidance to enable a better
433	   understanding of the attestation scheme and is intended to encourage
434	   the use of any appropriate hardware RoT or equivalent set of
435	   functions available to a CPU or Trusted Execution Environment [TEE].

437	2.  TUDA Core Concept

439	   There are significant differences between conventional bi-directional
440	   attestation and TUDA regarding both the information elements conveyed
441	   between Attester and Verifier and the time-frame, in which an
442	   attestation can be considered to be fresh (and therefore
443	   trustworthy).

445	   In general, remote attestation using a bi-directional communication
446	   scheme includes sending a nonce-challenge within a signed attestation
447	   token.  Using the TPM 1.2 as an example, a corresponding nonce-
448	   challenge would be included within the signature created by the
449	   TPM_Quote command in order to prove the freshness of the attestation
450	   response, see e.g.  [PTS].

452	   In contrast, the TUDA protocol uses the combined output of
453	   TPM_CertifyInfo and TPM_TickStampBlob.  The former provides a proof
454	   about the platform's state by creating evidence that a certain key is
455	   bound to that state.  The latter provides proof that the platform was
456	   in the specified state by using the bound key in a time operation.
457	   This combination enables a time-based attestation scheme.  The
458	   approach is based on the concepts introduced in [SCALE] and
459	   [SFKE2008].

461	   Each TUDA IE has an individual time-frame, in which it is considered
462	   to be fresh (and therefore trustworthy).  In consequence, each TUDA
463	   IE that composes data in motion is based on different methods of
464	   creation.

466	   The freshness properties of a challenge-response based protocol
467	   define the point-of-time of attestation between:

469	   o  the time of transmission of the nonce, and

471	   o  the reception of the corresponding response.

473	   Given the time-based attestation scheme, the freshness property of
474	   TUDA is equivalent to that of bi-directional challenge response
475	   attestation, if the point-in-time of attestation lies between:

477	   o  the transmission of a TUDA time-synchronization token, and

479	   o  the typical round-trip time between the Verifier and the Attester.

481	   The accuracy of this time-frame is defined by two factors:

483	   o  the time-synchronization between the Attester and the TSA.  The
484	      time between the two tickstamps acquired via the hardware RoT
485	      define the scope of the maximum drift ("left" and "right" in
486	      respect to the timeline) to the TSA timestamp, and

488	   o  the drift of clocks included in the hardware RoT.

490	   Since the conveyance of TUDA evidence does not rely upon a Verifier
491	   provided value (i.e. the nonce), the security guarantees of the
492	   protocol only incorporate the TSA and the hardware RoT.  In
493	   consequence, TUDA evidence can even serve as proof of integrity in
494	   audit logs with precise point-in-time guarantees, in contrast to
495	   classical attestations.

497	   Appendix A contains guidance on how to utilize a REST architecture.

499	   Appendix B contains guidance on how to create an SNMP binding and a
500	   corresponding TUDA-MIB.

502	   Appendix C contains a corresponding YANG module that supports both
503	   RESTCONF and CoMI.

505	   Appendix D.2 contains a realization of TUDA using TPM 1.2 primitives.

507	   Appendix D.3 contains a realization of TUDA using TPM 2.0 primitives.

509	3.  Terminology

511	   This document introduces roles, information elements and types
512	   required to conduct TUDA and uses terminology (e.g. specific
513	   certificate names) typically seen in the context of attestation or
514	   hardware security modules.

516	3.1.  Universal Terms

518	   Attestation Identity Key (AIK):  a special purpose signature
519	      (therefore asymmetric) key that supports identity related
520	      operations.  The private portion of the key pair is maintained
521	      confidential to the entity via appropriate measures (that have an
522	      impact on the scope of confidence).  The public portion of the key
523	      pair may be included in AIK credentials that provide a claim about
524	      the entity.

526	   Claim:  A piece of information asserted about a subject [RFC4949].  A
527	      claim is represented as a name/value pair consisting of a Claim
528	      Name and a Claim Value [RFC7519].

530	      In the context of SACM, a claim is also specialized as an
531	      attribute/value pair that is intended to be related to a statement
532	      [I-D.ietf-sacm-terminology].

534	   Endpoint Attestation:  the creation of evidence on the Attester that
535	      provides proof of a set of the endpoints's integrity measurements.
536	      This is done by digitally signing a set of PCRs using an AIK
537	      shielded by the hardware RoT.

539	   Endpoint Characteristics:  the context, composition, configuration,
540	      state, and behavior of an endpoint.

542	   Evidence:  a trustworthy set of claims about an endpoint's
543	      characteristics.

545	   Identity:  a set of claims that is intended to be related to an
546	      entity.

548	   Integrity Measurements:  Metrics of endpoint characteristics (i.e.
549	      composition, configuration and state) that affect the confidence
550	      in the trustworthiness of an endpoint.  Digests of integrity
551	      measurements can be stored in shielded locations (i.e.  PCR of a
552	      TPM).

554	   Reference Integrity Measurements:  Signed measurements about the
555	      characteristics of an endpoint's characteristics that are provided
556	      by a vendor and are intended to be used as declarative guidance
557	      [I-D.ietf-sacm-terminology] (e.g. a signed CoSWID).

559	   Trustworthy:  the qualities of an endpoint that guarantee a specific
560	      behavior and/or endpoint characteristics defined by declarative
561	      guidance.  Analogously, trustworthiness is the quality of being
562	      trustworthy with respect to declarative guidance.  Trustworthiness
563	      is not an absolute property but defined with respect to an entity,
564	      corresponding declarative guidance, and has a scope of confidence.

566	      Trustworthy Endpoint: an endpoint that guarantees trustworthy
567	      behavior and/or composition (with respect to certain declarative
568	      guidance and a scope of confidence).

570	      Trustworthy Statement: evidence that is trustworthy conveyed by an
571	      endpoint that is not necessarily trustworthy.

573	3.2.  Roles

575	   Attester:  the endpoint that is the subject of the attestation to
576	      another endpoint.

578	   Verifier:  the endpoint that consumes the attestation of another
579	      endpoint to conduct a verification.

581	   TSA:  a Time Stamp Authority [RFC3161]

583	3.2.1.  General Types

585	   Byte:  the now customary synonym for octet

587	   Cert:  an X.509 certificate represented as a byte-string

589	3.2.2.  RoT specific terms

591	   PCR:  a Platform Configuration Register that is part of a hardware
592	      root of trust and is used to securely store and report
593	      measurements about security posture

595	   PCR-Hash:  a hash value of the security posture measurements stored
596	      in a TPM PCR (e.g. regarding running software instances)
597	      represented as a byte-string

599	3.3.  Certificates

601	   TSA-CA:  the Certificate Authority that provides the certificate for
602	      the TSA represented as a Cert

604	   AIK-CA:  the Certificate Authority that provides the certificate for
605	      the attestation identity key of the TPM.  This is the client
606	      platform credential for this protocol.  It is a placeholder for a
607	      specific CA and AIK-Cert is a placeholder for the corresponding
608	      certificate, depending on what protocol was used.  The specific
609	      protocols are out of scope for this document, see also
610	      [AIK-Enrollment] and [IEEE802.1AR].

612	4.  Time-Based Uni-Directional Attestation

614	   A Time-Based Uni-Directional Attestation (TUDA) consists of the
615	   following seven information elements.  They are used to gain
616	   assurance of the Attester's platform configuration at a certain point
617	   in time:

619	   TSA Certificate:  The certificate of the Time Stamp Authority that is
620	      used in a subsequent synchronization protocol token.  This
621	      certificate is signed by the TSA-CA.

623	   AIK Certificate:  A certificate about the Attestation Identity Key
624	      (AIK) used.  This may or may not also be an [IEEE802.1AR] IDevID
625	      or LDevID, depending on their setting of the corresponding
626	      identity property.  ([AIK-Credential], [AIK-Enrollment]; see
627	      Appendix D.2.1.)

629	   Synchronization Token:  The reference for attestations are the
630	      relative timestanps provided by the hardware RoT.  In order to put
631	      attestations into relation with a Real Time Clock (RTC), it is
632	      necessary to provide a cryptographic synchronization between these
633	      trusted relative timestamps and the regular RTC that is a hardware
634	      component of the Attester.  To do so, a synchronization protocol
635	      is run with a Time Stamp Authority (TSA).

637	   Restriction Info:  The attestation relies on the capability of the
638	      hardware RoT to operate on restricted keys.  Whenever the PCR
639	      values for the machine to be attested change, a new restricted key
640	      is created that can only be operated as long as the PCRs remain in
641	      their current state.

643	      In order to prove to the Verifier that this restricted temporary
644	      key actually has these properties and also to provide the PCR
645	      value that it is restricted, the corresponding signing
646	      capabilities of the hardware RoT are used.  It creates a signed
647	      certificate using the AIK about the newly created restricted key.

649	   Measurement Log:  Similarly to regular attestations, the Verifier
650	      needs a way to reconstruct the PCRs' values in order to estimate
651	      the trustworthiness of the device.  As such, a list of those
652	      elements that were extended into the PCRs is reported.  Note
653	      though that for certain environments, this step may be optional if
654	      a list of valid PCR configurations (in the form of RIM available
655	      to the Verifier) exists and no measurement log is required.

657	   Implicit Attestation:  The actual attestation is then based upon a
658	      signed timestamp provided by the hardware RoT using the restricted
659	      temporary key that was certified in the steps above.  The signed
660	      timestamp provides evidence that at this point in time (with
661	      respect to the relative time of the hardware RoT) a certain
662	      configuration existed (namely the PCR values associated with the
663	      restricted key).  Together with the synchronization token this
664	      timestamp represented in relative time can then be related to the
665	      real-time clock.

667	   Concise SWID tags:  As an option to better assess the trustworthiness
668	      of an Attester, a Verifier can request the reference hashes (RIM,
669	      which are often referred to as golden measurements) of all started
670	      software components to compare them with the entries in the
671	      measurement log.  References hashes regarding installed (and
672	      therefore running) software can be provided by the manufacturer
673	      via SWID tags.  SWID tags are provided by the Attester using the
674	      Concise SWID representation [I-D.ietf-sacm-coswid] and bundled
675	      into a CBOR array (a RIM Manifest).  Ideally, the reference hashes
676	      include a signature created by the manufacturer of the software to
677	      prove their integrity.

679	   These information elements could be sent en bloc, but it is
680	   recommended to retrieve them separately to save bandwidth, since
681	   these elements have different update cycles.  In most cases,
682	   retransmitting all seven information elements would result in
683	   unnecessary redundancy.

685	   Furthermore, in some scenarios it might be feasible not to store all
686	   elements on the Attester endpoint, but instead they could be
687	   retrieved from another location or be pre-deployed to the Verifier.
688	   It is also feasible to only store public keys on the Verifier and
689	   skip the whole certificate provisioning completely in order to save
690	   bandwidth and computation time for certificate verification.

692	4.1.  TUDA Information Elements Update Cycles

694	   An endpoint can be in various states and have various information
695	   associated with it during its life cycle.  For TUDA, a subset of the
696	   states (which can include associated information) that an endpoint
697	   and its hardware root of trust can be in, is important to the
698	   attestation process.  States can be:

700	   o  persistent, even after a hard reboot.  This includes certificates
701	      that are associated with the endpoint itself or with services it
702	      relies on.

704	   o  volatile to a degree, because they change at the beginning of each
705	      boot cycle.  This includes the capability of a hardware RoT to
706	      provide relative time which provides the basis for the
707	      synchronization token and implicit attestation--and which can
708	      reset after an endpoint is powered off.

710	   o  very volatile, because they change during an uptime cycle (the
711	      period of time an endpoint is powered on, starting with its boot).
712	      This includes the content of PCRs of a hardware RoT and thereby
713	      also the PCR-restricted signing keys used for attestation.

715	   Depending on this "lifetime of state", data has to be transported
716	   over the wire, or not.  E.g. information that does not change due to
717	   a reboot typically has to be transported only once between the
718	   Attester and the Verifier.

720	   There are three kinds of events that require a renewed attestation:

722	   o  The Attester completes a boot-cycle

724	   o  A relevant PCR changes

726	   o  Too much time has passed since the last attestation statement

728	   The third event listed above is variable per application use case and
729	   also depends on the precision of the clock included in the hardware
730	   RoT.  For usage scenarios, in which the device would periodically
731	   push information to be used in an audit-log, a time-frame of
732	   approximately one update per minute should be sufficient in most
733	   cases.  For those usage scenarios, where Verifiers request (pull) a
734	   fresh attestation statement, an implementation could use the hardware
735	   RoT continuously to always present the most freshly created results.
736	   To save some utilization of the hardware RoT for other purposes,
737	   however, a time-frame of once per ten seconds is recommended, which
738	   would typically leave about 80% of utilization for other
739	   applications.

741	   Attester                                                 Verifier
742	      |                                                         |
743	    Boot                                                        |
744	      |                                                         |
745	    Create Sync-Token                                           |
746	      |                                                         |
747	    Create Restricted Key                                       |
748	    Certify Restricted Key                                      |
749	      |                                                         |
750	      | AIK-Cert ---------------------------------------------> |
751	      | Sync-Token -------------------------------------------> |
752	      | Certify-Info -----------------------------------------> |
753	      | Measurement Log --------------------------------------> |
754	      | Attestation ------------------------------------------> |
755	      |                                           Verify Attestation
756	      |                                                         |
757	      |       <Time Passed>                                     |
758	      |                                                         |
759	      | Attestation ------------------------------------------> |
760	      |                                           Verify Attestation
761	      |                                                         |
762	      |       <Time Passed>                                     |
763	      |                                                         |
764	    PCR-Change                                                  |
765	      |                                                         |
766	    Create Restricted Key                                       |
767	    Certify Restricted Key                                      |
768	      |                                                         |
769	      | Certify-Info -----------------------------------------> |
770	      | Measurement Log --------------------------------------> |
771	      | Attestation ------------------------------------------> |
772	      |                                           Verify Attestation
773	      |                                                         |
774	    Boot                                                        |
775	      |                                                         |
776	    Create Sync-Token                                           |
777	      |                                                         |
778	    Create Restricted Key                                       |
779	    Certify Restricted Key                                      |
780	      |                                                         |
781	      | Sync-Token -------------------------------------------> |
782	      | Certify-Info -----------------------------------------> |
783	      | Measurement Log --------------------------------------> |
784	      | Attestation ------------------------------------------> |
785	      |                                           Verify Attestation
786	      |                                                         |
787	      |       <Time Passed>                                     |
788	      |                                                         |
789	      | Attestation ------------------------------------------> |
790	      |                                           Verify Attestation
791	      |                                                         |

793	                   Figure 1: Example sequence of events

795	5.  Sync Base Protocol

797	   The uni-directional approach of TUDA requires evidence on how the TPM
798	   time represented in ticks (relative time since boot of the TPM)
799	   relates to the standard time provided by the TSA.  The Sync Base
800	   Protocol (SBP) creates evidence that binds the TPM tick time to the
801	   TSA timestamp.  The binding information is used by and conveyed via
802	   the Sync Token (TUDA IE).  There are three actions required to create
803	   the content of a Sync Token:

805	   o  At a given point in time (called "left"), a signed tickstamp
806	      counter value is acquired from the hardware RoT.  The hash of
807	      counter and signature is used as a nonce in the request directed
808	      at the TSA.

810	   o  The corresponding response includes a data-structure incorporating
811	      the trusted timestamp token and its signature created by the TSA.

813	   o  At the point-in-time the response arrives (called "right"), a
814	      signed tickstamp counter value is acquired from the hardware RoT
815	      again, using a hash of the signed TSA timestamp as a nonce.

817	   The three time-related values -- the relative timestamps provided by
818	   the hardware RoT ("left" and "right") and the TSA timestamp -- and
819	   their corresponding signatures are aggregated in order to create a
820	   corresponding Sync Token to be used as a TUDA Information Element
821	   that can be conveyed as evidence to a Verifier.

823	   The drift of a clock incorporated in the hardware RoT that drives the
824	   increments of the tick counter constitutes one of the triggers that
825	   can initiate a TUDA Information Element Update Cycle in respect to
826	   the freshness of the available Sync Token.

828	   content TBD

830	6.  IANA Considerations

832	   This memo includes requests to IANA, including registrations for
833	   media type definitions.

835	   TBD

837	7.  Security Considerations

839	   There are Security Considerations.  TBD

841	8.  Change Log

843	   Changes from version 04 to I2NSF related document version 00: *
844	   Refactored main document to be more technology agnostic * Added first
845	   draft of procedures for TPM 2.0 * Improved content consistency and
846	   structure of all sections

848	   Changes from version 03 to version 04:

850	   o  Refactoring of Introduction, intend, scope and audience

852	   o  Added first draft of Sync Base Prootoll section illustrated
853	      background for interaction with TSA

855	   o  Added YANG module

857	   o  Added missing changelog entry
858	   Changes from version 02 to version 03:

860	   o  Moved base concept out of Introduction

862	   o  First refactoring of Introduction and Concept

864	   o  First restructuring of Appendices and improved references

866	   Changes from version 01 to version 02:

868	   o  Restructuring of Introduction, highlighting conceptual
869	      prerequisites

871	   o  Restructuring of Concept to better illustrate differences to hand-
872	      shake based attestation and deciding factors regarding freshness
873	      properties

875	   o  Subsection structure added to Terminology

877	   o  Clarification of descriptions of approach (these were the FIXMEs)

879	   o  Correction of RestrictionInfo structure: Added missing signature
880	      member

882	   Changes from version 00 to version 01:

884	   Major update to the SNMP MIB and added a table for the Concise SWID
885	   profile Reference Hashes that provides additional information to be
886	   compared with the measurement logs.

888	9.  Contributors

890	   TBD

892	10.  References

894	10.1.  Normative References

896	   [I-D.birkholz-rats-architecture]
897	              Birkholz, H., Wiseman, M., Tschofenig, H., and N. Smith,
898	              "Architecture and Reference Terminology for Remote
899	              Attestation Procedures", draft-birkholz-rats-
900	              architecture-01 (work in progress), March 2019.

902	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
903	              Requirement Levels", BCP 14, RFC 2119,
904	              DOI 10.17487/RFC2119, March 1997,
905	              <https://www.rfc-editor.org/info/rfc2119>.

907	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
908	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
909	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

911	   [RFC8639]  Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard,
912	              E., and A. Tripathy, "Subscription to YANG Notifications",
913	              RFC 8639, DOI 10.17487/RFC8639, September 2019,
914	              <https://www.rfc-editor.org/info/rfc8639>.

916	   [RFC8640]  Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard,
917	              E., and A. Tripathy, "Dynamic Subscription to YANG Events
918	              and Datastores over NETCONF", RFC 8640,
919	              DOI 10.17487/RFC8640, September 2019,
920	              <https://www.rfc-editor.org/info/rfc8640>.

922	   [RFC8641]  Clemm, A. and E. Voit, "Subscription to YANG Notifications
923	              for Datastore Updates", RFC 8641, DOI 10.17487/RFC8641,
924	              September 2019, <https://www.rfc-editor.org/info/rfc8641>.

926	10.2.  Informative References

928	   [AIK-Credential]
929	              TCG Infrastructure Working Group, "TCG Credential
930	              Profile", 2007, <https://www.trustedcomputinggroup.org/wp-
931	              content/uploads/IWG-Credential_Profiles_V1_R1_14.pdf>.

933	   [AIK-Enrollment]
934	              TCG Infrastructure Working Group, "A CMC Profile for AIK
935	              Certificate Enrollment", 2011,
936	              <https://www.trustedcomputinggroup.org/wp-content/uploads/
937	              IWG_CMC_Profile_Cert_Enrollment_v1_r7.pdf>.

939	   [I-D.birkholz-rats-reference-interaction-model]
940	              Birkholz, H. and M. Eckel, "Reference Interaction Model
941	              for Challenge-Response-based Remote Attestation", draft-
942	              birkholz-rats-reference-interaction-model-01 (work in
943	              progress), July 2019.

945	   [I-D.ietf-core-comi]
946	              Veillette, M., Stok, P., Pelov, A., Bierman, A., and I.
947	              Petrov, "CoAP Management Interface", draft-ietf-core-
948	              comi-07 (work in progress), July 2019.

950	   [I-D.ietf-sacm-coswid]
951	              Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
952	              Waltermire, "Concise Software Identification Tags", draft-
953	              ietf-sacm-coswid-12 (work in progress), July 2019.

955	   [I-D.ietf-sacm-terminology]
956	              Birkholz, H., Lu, J., Strassner, J., Cam-Winget, N., and
957	              A. Montville, "Security Automation and Continuous
958	              Monitoring (SACM) Terminology", draft-ietf-sacm-
959	              terminology-16 (work in progress), December 2018.

961	   [IEEE1609]
962	              IEEE Computer Society, "1609.4-2016 - IEEE Standard for
963	              Wireless Access in Vehicular Environments (WAVE) -- Multi-
964	              Channel Operation", IEEE Std 1609.4, 2016.

966	   [IEEE802.1AR]
967	              IEEE Computer Society, "802.1AR-2009 - IEEE Standard for
968	              Local and metropolitan area networks - Secure Device
969	              Identity", IEEE Std 802.1AR, 2009.

971	   [PRIRA]    Coker, G., Guttman, J., Loscocco, P., Herzog, A., Millen,
972	              J., O'Hanlon, B., Ramsdell, J., Segall, A., Sheehy, J.,
973	              and B. Sniffen, "Principles of Remote Attestation",
974	              Springer International Journal of Information Security,
975	              Vol. 10, pp. 63-81, DOI 10.1007/s10207-011-0124-7, April
976	              2011.

978	   [PTS]      TCG TNC Working Group, "TCG Attestation PTS Protocol
979	              Binding to TNC IF-M", 2011,
980	              <https://www.trustedcomputinggroup.org/wp-content/uploads/
981	              IFM_PTS_v1_0_r28.pdf>.

983	   [REST]     Fielding, R., "Architectural Styles and the Design of
984	              Network-based Software Architectures", Ph.D. Dissertation,
985	              University of California, Irvine, 2000,
986	              <http://www.ics.uci.edu/~fielding/pubs/dissertation/
987	              fielding_dissertation.pdf>.

989	   [RFC1213]  McCloghrie, K. and M. Rose, "Management Information Base
990	              for Network Management of TCP/IP-based internets: MIB-II",
991	              STD 17, RFC 1213, DOI 10.17487/RFC1213, March 1991,
992	              <https://www.rfc-editor.org/info/rfc1213>.

994	   [RFC2790]  Waldbusser, S. and P. Grillo, "Host Resources MIB",
995	              RFC 2790, DOI 10.17487/RFC2790, March 2000,
996	              <https://www.rfc-editor.org/info/rfc2790>.

998	   [RFC3161]  Adams, C., Cain, P., Pinkas, D., and R. Zuccherato,
999	              "Internet X.509 Public Key Infrastructure Time-Stamp
1000	              Protocol (TSP)", RFC 3161, DOI 10.17487/RFC3161, August
1001	              2001, <https://www.rfc-editor.org/info/rfc3161>.

1003	   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
1004	              Architecture for Describing Simple Network Management
1005	              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
1006	              DOI 10.17487/RFC3411, December 2002,
1007	              <https://www.rfc-editor.org/info/rfc3411>.

1009	   [RFC3418]  Presuhn, R., Ed., "Management Information Base (MIB) for
1010	              the Simple Network Management Protocol (SNMP)", STD 62,
1011	              RFC 3418, DOI 10.17487/RFC3418, December 2002,
1012	              <https://www.rfc-editor.org/info/rfc3418>.

1014	   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
1015	              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
1016	              <https://www.rfc-editor.org/info/rfc4949>.

1018	   [RFC6690]  Shelby, Z., "Constrained RESTful Environments (CoRE) Link
1019	              Format", RFC 6690, DOI 10.17487/RFC6690, August 2012,
1020	              <https://www.rfc-editor.org/info/rfc6690>.

1022	   [RFC6933]  Bierman, A., Romascanu, D., Quittek, J., and M.
1023	              Chandramouli, "Entity MIB (Version 4)", RFC 6933,
1024	              DOI 10.17487/RFC6933, May 2013,
1025	              <https://www.rfc-editor.org/info/rfc6933>.

1027	   [RFC7049]  Bormann, C. and P. Hoffman, "Concise Binary Object
1028	              Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
1029	              October 2013, <https://www.rfc-editor.org/info/rfc7049>.

1031	   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
1032	              Protocol (HTTP/1.1): Message Syntax and Routing",
1033	              RFC 7230, DOI 10.17487/RFC7230, June 2014,
1034	              <https://www.rfc-editor.org/info/rfc7230>.

1036	   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
1037	              Application Protocol (CoAP)", RFC 7252,
1038	              DOI 10.17487/RFC7252, June 2014,
1039	              <https://www.rfc-editor.org/info/rfc7252>.

1041	   [RFC7320]  Nottingham, M., "URI Design and Ownership", BCP 190,
1042	              RFC 7320, DOI 10.17487/RFC7320, July 2014,
1043	              <https://www.rfc-editor.org/info/rfc7320>.

1045	   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
1046	              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
1047	              <https://www.rfc-editor.org/info/rfc7519>.

1049	   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
1050	              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
1051	              DOI 10.17487/RFC7540, May 2015,
1052	              <https://www.rfc-editor.org/info/rfc7540>.

1054	   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
1055	              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
1056	              <https://www.rfc-editor.org/info/rfc8040>.

1058	   [RFC8610]  Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
1059	              Definition Language (CDDL): A Notational Convention to
1060	              Express Concise Binary Object Representation (CBOR) and
1061	              JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
1062	              June 2019, <https://www.rfc-editor.org/info/rfc8610>.

1064	   [SCALE]    Fuchs, A., "Improving Scalability for Remote Attestation",
1065	              Master Thesis (Diplomarbeit), Technische Universitaet
1066	              Darmstadt, Germany, 2008.

1068	   [SFKE2008]
1069	              Stumpf, F., Fuchs, A., Katzenbeisser, S., and C. Eckert,
1070	              "Improving the scalability of platform attestation",
1071	              ACM Proceedings of the 3rd ACM workshop on Scalable
1072	              trusted computing - STC '08 , page 1-10,
1073	              DOI 10.1145/1456455.1456457, 2008.

1075	   [STD62]    "Internet Standard 62", STD 62, RFCs 3411 to 3418,
1076	              December 2002.

1078	   [TCGGLOSS]
1079	              TCG, "TCG Glossary", 2012,
1080	              <https://www.trustedcomputinggroup.org/wp-content/uploads/
1081	              TCG_Glossary_Board-Approved_12.13.2012.pdf>.

1083	   [TEE]      Global Platform, "TEE System Architecture v1.1,
1084	              GPD_SPE_009", 2017.

1086	   [TPM12]    "Information technology -- Trusted Platform Module -- Part
1087	              1: Overview", ISO/IEC 11889-1, 2009.

1089	   [TPM2]     "Trusted Platform Module Library Specification, Family
1090	              2.0, Level 00, Revision 01.16 ed., Trusted Computing
1091	              Group", 2014.

1093	Appendix A.  REST Realization

1095	   Each of the seven data items is defined as a media type (Section 6).
1096	   Representations of resources for each of these media types can be
1097	   retrieved from URIs that are defined by the respective servers
1098	   [RFC7320].  As can be derived from the URI, the actual retrieval is
1099	   via one of the HTTPs ([RFC7230], [RFC7540]) or CoAP [RFC7252].  How a
1100	   client obtains these URIs is dependent on the application; e.g., CoRE
1101	   Web links [RFC6690] can be used to obtain the relevant URIs from the
1102	   self-description of a server, or they could be prescribed by a
1103	   RESTCONF data model [RFC8040].

1105	Appendix B.  SNMP Realization

1107	   SNMPv3 [STD62] [RFC3411] is widely available on computers and also
1108	   constrained devices.  To transport the TUDA information elements, an
1109	   SNMP MIB is defined below which encodes each of the seven TUDA
1110	   information elements into a table.  Each row in a table contains a
1111	   single read-only columnar SNMP object of datatype OCTET-STRING.  The
1112	   values of a set of rows in each table can be concatenated to
1113	   reconstitute a CBOR-encoded TUDA information element.  The Verifier
1114	   can retrieve the values for each CBOR fragment by using SNMP GetNext
1115	   requests to "walk" each table and can decode each of the CBOR-encoded
1116	   data items based on the corresponding CDDL [RFC8610] definition.

1118	   Design Principles:

1120	   1.  Over time, TUDA attestation values age and should no longer be
1121	       used.  Every table in the TUDA MIB has a primary index with the
1122	       value of a separate scalar cycle counter object that
1123	       disambiguates the transition from one attestation cycle to the
1124	       next.

1126	   2.  Over time, the measurement log information (for example) may grow
1127	       large.  Therefore, read-only cycle counter scalar objects in all
1128	       TUDA MIB object groups facilitate more efficient access with SNMP
1129	       GetNext requests.

1131	   3.  Notifications are supported by an SNMP trap definition with all
1132	       of the cycle counters as bindings, to alert a Verifier that a new
1133	       attestation cycle has occurred (e.g., synchronization data,
1134	       measurement log, etc. have been updated by adding new rows and
1135	       possibly deleting old rows).

1137	B.1.  Structure of TUDA MIB

1139	   The following table summarizes the object groups, tables and their
1140	   indexes, and conformance requirements for the TUDA MIB:

1142	   |-------------|-------|----------|----------|----------|
1143	   | Group/Table | Cycle | Instance | Fragment | Required |
1144	   |-------------|-------|----------|----------|----------|
1145	   | General     |       |          |          | x        |
1146	   | AIKCert     | x     | x        | x        |          |
1147	   | TSACert     | x     | x        | x        |          |
1148	   | SyncToken   | x     |          | x        | x        |
1149	   | Restrict    | x     |          |          | x        |
1150	   | Measure     | x     | x        |          |          |
1151	   | VerifyToken | x     |          |          | x        |
1152	   | SWIDTag     | x     | x        | x        |          |
1153	   |-------------|-------|----------|----------|----------|

1155	B.1.1.  Cycle Index

1157	   A tudaV1<Group>CycleIndex is the:

1159	   1.  first index of a row (element instance or element fragment) in
1160	       the tudaV1<Group>Table;

1162	   2.  identifier of an update cycle on the table, when rows were added
1163	       and/or deleted from the table (bounded by tudaV1<Group>Cycles);
1164	       and

1166	   3.  binding in the tudaV1TrapV2Cycles notification for directed
1167	       polling.

1169	B.1.2.  Instance Index

1171	   A tudaV1<Group>InstanceIndex is the:

1173	   1.  second index of a row (element instance or element fragment) in
1174	       the tudaV1<Group>Table; except for

1176	   2.  a row in the tudaV1SyncTokenTable (that has only one instance per
1177	       cycle).

1179	B.1.3.  Fragment Index

1181	   A tudaV1<Group>FragmentIndex is the:

1183	   1.  last index of a row (always an element fragment) in the
1184	       tudaV1<Group>Table; and

1186	   2.  accomodation for SNMP transport mapping restrictions for large
1187	       string elements that require fragmentation.

1189	B.2.  Relationship to Host Resources MIB

1191	   The General group in the TUDA MIB is analogous to the System group in
1192	   the Host Resources MIB [RFC2790] and provides context information for
1193	   the TUDA attestation process.

1195	   The Verify Token group in the TUDA MIB is analogous to the Device
1196	   group in the Host MIB and represents the verifiable state of a TPM
1197	   device and its associated system.

1199	   The SWID Tag group (containing a Concise SWID reference hash profile
1200	   [I-D.ietf-sacm-coswid]) in the TUDA MIB is analogous to the Software
1201	   Installed and Software Running groups in the Host Resources MIB
1202	   [RFC2790].

1204	B.3.  Relationship to Entity MIB

1206	   The General group in the TUDA MIB is analogous to the Entity General
1207	   group in the Entity MIB v4 [RFC6933] and provides context information
1208	   for the TUDA attestation process.

1210	   The SWID Tag group in the TUDA MIB is analogous to the Entity Logical
1211	   group in the Entity MIB v4 [RFC6933].

1213	B.4.  Relationship to Other MIBs

1215	   The General group in the TUDA MIB is analogous to the System group in
1216	   MIB-II [RFC1213] and the System group in the SNMPv2 MIB [RFC3418] and
1217	   provides context information for the TUDA attestation process.

1219	B.5.  Definition of TUDA MIB

1221	   <CODE BEGINS>
1222	   TUDA-V1-ATTESTATION-MIB DEFINITIONS ::= BEGIN

1224	   IMPORTS
1225	       MODULE-IDENTITY, OBJECT-TYPE, Integer32, Counter32,
1226	       enterprises, NOTIFICATION-TYPE
1227	           FROM SNMPv2-SMI                 -- RFC 2578
1228	       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
1229	           FROM SNMPv2-CONF                -- RFC 2580
1230	       SnmpAdminString
1231	           FROM SNMP-FRAMEWORK-MIB;        -- RFC 3411

1233	   tudaV1MIB MODULE-IDENTITY
1234	       LAST-UPDATED    "201903120000Z" --  12 March 2019
1235	       ORGANIZATION
1236	           "Fraunhofer SIT"
1237	       CONTACT-INFO
1238	           "Andreas Fuchs
1239	           Fraunhofer Institute for Secure Information Technology
1240	           Email: andreas.fuchs@sit.fraunhofer.de

1242	           Henk Birkholz
1243	           Fraunhofer Institute for Secure Information Technology
1244	           Email: henk.birkholz@sit.fraunhofer.de

1246	           Ira E McDonald
1247	           High North Inc
1248	           Email: blueroofmusic@gmail.com

1250	           Carsten Bormann
1251	           Universitaet Bremen TZI
1252	           Email: cabo@tzi.org"

1254	       DESCRIPTION
1255	           "The MIB module for monitoring of time-based unidirectional
1256	           attestation information from a network endpoint system,
1257	           based on the Trusted Computing Group TPM 1.2 definition.

1259	           Copyright (C) High North Inc (2019)."

1261	       REVISION "201903120000Z" -- 12 March 2019
1262	       DESCRIPTION
1263	           "Eighth version, published as draft-birkholz-rats-tuda-00."

1265	       REVISION "201805030000Z" -- 03 May 2018
1266	       DESCRIPTION
1267	           "Seventh version, published as draft-birkholz-i2nsf-tuda-03."

1269	       REVISION "201805020000Z" -- 02 May 2018
1270	       DESCRIPTION
1271	           "Sixth version, published as draft-birkholz-i2nsf-tuda-02."

1273	       REVISION "201710300000Z" -- 30 October 2017
1274	       DESCRIPTION
1275	           "Fifth version, published as draft-birkholz-i2nsf-tuda-01."

1277	       REVISION "201701090000Z" -- 09 January 2017
1278	       DESCRIPTION
1279	           "Fourth version, published as draft-birkholz-i2nsf-tuda-00."

1281	       REVISION "201607080000Z" -- 08 July 2016
1282	       DESCRIPTION
1283	           "Third version, published as draft-birkholz-tuda-02."

1285	       REVISION "201603210000Z" -- 21 March 2016
1286	       DESCRIPTION
1287	           "Second version, published as draft-birkholz-tuda-01."

1289	       REVISION "201510180000Z" -- 18 October 2015
1290	       DESCRIPTION
1291	           "Initial version, published as draft-birkholz-tuda-00."

1293	           ::= { enterprises fraunhofersit(21616) mibs(1) tudaV1MIB(1) }

1295	   tudaV1MIBNotifications      OBJECT IDENTIFIER ::= { tudaV1MIB 0 }
1296	   tudaV1MIBObjects            OBJECT IDENTIFIER ::= { tudaV1MIB 1 }
1297	   tudaV1MIBConformance        OBJECT IDENTIFIER ::= { tudaV1MIB 2 }

1299	   --
1300	   --  General
1301	   --
1302	   tudaV1General           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 1 }

1304	   tudaV1GeneralCycles OBJECT-TYPE
1305	       SYNTAX      Counter32
1306	       MAX-ACCESS  read-only
1307	       STATUS      current
1308	       DESCRIPTION
1309	           "Count of TUDA update cycles that have occurred, i.e.,
1310	           sum of all the individual group cycle counters.

1312	           DEFVAL intentionally omitted - counter object."
1313	       ::= { tudaV1General 1 }

1315	   tudaV1GeneralVersionInfo OBJECT-TYPE
1316	       SYNTAX      SnmpAdminString (SIZE(0..255))
1317	       MAX-ACCESS  read-only
1318	       STATUS      current
1319	       DESCRIPTION
1320	           "Version information for TUDA MIB, e.g., specific release
1321	           version of TPM 1.2 base specification and release version
1322	           of TPM 1.2 errata specification and manufacturer and model
1323	           TPM module itself."
1324	       DEFVAL      { "" }
1325	       ::= { tudaV1General 2 }

1327	   --
1328	   --  AIK Cert
1329	   --
1330	   tudaV1AIKCert           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 2 }

1332	   tudaV1AIKCertCycles OBJECT-TYPE
1333	       SYNTAX      Counter32
1334	       MAX-ACCESS  read-only
1335	       STATUS      current
1336	       DESCRIPTION
1337	           "Count of AIK Certificate chain update cycles that have
1338	           occurred.

1340	           DEFVAL intentionally omitted - counter object."
1341	       ::= { tudaV1AIKCert 1 }

1343	   tudaV1AIKCertTable OBJECT-TYPE
1344	       SYNTAX      SEQUENCE OF TudaV1AIKCertEntry
1345	       MAX-ACCESS  not-accessible
1346	       STATUS      current
1347	       DESCRIPTION
1348	           "A table of fragments of AIK Certificate data."
1349	       ::= { tudaV1AIKCert 2 }

1351	   tudaV1AIKCertEntry OBJECT-TYPE
1352	       SYNTAX      TudaV1AIKCertEntry
1353	       MAX-ACCESS  not-accessible
1354	       STATUS      current
1355	       DESCRIPTION
1356	           "An entry for one fragment of AIK Certificate data."
1357	       INDEX       { tudaV1AIKCertCycleIndex,
1358	                     tudaV1AIKCertInstanceIndex,
1359	                     tudaV1AIKCertFragmentIndex }
1360	       ::= { tudaV1AIKCertTable 1 }

1362	   TudaV1AIKCertEntry ::=
1363	       SEQUENCE {
1364	           tudaV1AIKCertCycleIndex         Integer32,
1365	           tudaV1AIKCertInstanceIndex      Integer32,
1366	           tudaV1AIKCertFragmentIndex      Integer32,
1367	           tudaV1AIKCertData               OCTET STRING
1368	       }

1370	   tudaV1AIKCertCycleIndex OBJECT-TYPE
1371	       SYNTAX      Integer32 (1..2147483647)
1372	       MAX-ACCESS  not-accessible
1373	       STATUS      current
1374	       DESCRIPTION
1375	           "High-order index of this AIK Certificate fragment.
1376	           Index of an AIK Certificate chain update cycle that has
1377	           occurred (bounded by the value of tudaV1AIKCertCycles).

1379	           DEFVAL intentionally omitted - index object."
1380	       ::= { tudaV1AIKCertEntry 1 }

1382	   tudaV1AIKCertInstanceIndex OBJECT-TYPE
1383	       SYNTAX      Integer32 (1..2147483647)
1384	       MAX-ACCESS  not-accessible
1385	       STATUS      current
1386	       DESCRIPTION
1387	           "Middle index of this AIK Certificate fragment.
1388	           Ordinal of this AIK Certificate in this chain, where the AIK
1389	           Certificate itself has an ordinal of '1' and higher ordinals
1390	           go *up* the certificate chain to the Root CA.

1392	           DEFVAL intentionally omitted - index object."
1393	       ::= { tudaV1AIKCertEntry 2 }

1395	   tudaV1AIKCertFragmentIndex OBJECT-TYPE
1396	       SYNTAX      Integer32 (1..2147483647)
1397	       MAX-ACCESS  not-accessible
1398	       STATUS      current
1399	       DESCRIPTION
1400	           "Low-order index of this AIK Certificate fragment.

1402	           DEFVAL intentionally omitted - index object."
1403	       ::= { tudaV1AIKCertEntry 3 }

1405	   tudaV1AIKCertData OBJECT-TYPE
1406	       SYNTAX      OCTET STRING (SIZE(0..1024))
1407	       MAX-ACCESS  read-only
1408	       STATUS      current
1409	       DESCRIPTION
1410	           "A fragment of CBOR encoded AIK Certificate data."
1411	       DEFVAL      { "" }
1412	       ::= { tudaV1AIKCertEntry 4 }

1414	   --
1415	   --  TSA Cert
1416	   --
1417	   tudaV1TSACert           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 3 }

1419	   tudaV1TSACertCycles OBJECT-TYPE
1420	       SYNTAX      Counter32
1421	       MAX-ACCESS  read-only
1422	       STATUS      current
1423	       DESCRIPTION
1424	           "Count of TSA Certificate chain update cycles that have
1425	           occurred.

1427	           DEFVAL intentionally omitted - counter object."
1428	       ::= { tudaV1TSACert 1 }

1430	   tudaV1TSACertTable OBJECT-TYPE
1431	       SYNTAX      SEQUENCE OF TudaV1TSACertEntry
1432	       MAX-ACCESS  not-accessible
1433	       STATUS      current
1434	       DESCRIPTION
1435	           "A table of fragments of TSA Certificate data."
1436	       ::= { tudaV1TSACert 2 }

1438	   tudaV1TSACertEntry OBJECT-TYPE
1439	       SYNTAX      TudaV1TSACertEntry
1440	       MAX-ACCESS  not-accessible
1441	       STATUS      current
1442	       DESCRIPTION
1443	           "An entry for one fragment of TSA Certificate data."
1444	       INDEX       { tudaV1TSACertCycleIndex,
1445	                     tudaV1TSACertInstanceIndex,
1446	                     tudaV1TSACertFragmentIndex }
1447	       ::= { tudaV1TSACertTable 1 }

1449	   TudaV1TSACertEntry ::=
1450	       SEQUENCE {
1451	           tudaV1TSACertCycleIndex         Integer32,
1452	           tudaV1TSACertInstanceIndex      Integer32,
1453	           tudaV1TSACertFragmentIndex      Integer32,
1454	           tudaV1TSACertData               OCTET STRING
1455	       }

1457	   tudaV1TSACertCycleIndex OBJECT-TYPE
1458	       SYNTAX      Integer32 (1..2147483647)
1459	       MAX-ACCESS  not-accessible
1460	       STATUS      current
1461	       DESCRIPTION
1462	           "High-order index of this TSA Certificate fragment.
1463	           Index of a TSA Certificate chain update cycle that has
1464	           occurred (bounded by the value of tudaV1TSACertCycles).

1466	           DEFVAL intentionally omitted - index object."
1467	       ::= { tudaV1TSACertEntry 1 }

1469	   tudaV1TSACertInstanceIndex OBJECT-TYPE
1470	       SYNTAX      Integer32 (1..2147483647)
1471	       MAX-ACCESS  not-accessible
1472	       STATUS      current
1473	       DESCRIPTION
1474	           "Middle index of this TSA Certificate fragment.

1476	           Ordinal of this TSA Certificate in this chain, where the TSA
1477	           Certificate itself has an ordinal of '1' and higher ordinals
1478	           go *up* the certificate chain to the Root CA.

1480	           DEFVAL intentionally omitted - index object."
1481	       ::= { tudaV1TSACertEntry 2 }

1483	   tudaV1TSACertFragmentIndex OBJECT-TYPE
1484	       SYNTAX      Integer32 (1..2147483647)
1485	       MAX-ACCESS  not-accessible
1486	       STATUS      current
1487	       DESCRIPTION
1488	           "Low-order index of this TSA Certificate fragment.

1490	           DEFVAL intentionally omitted - index object."
1491	       ::= { tudaV1TSACertEntry 3 }

1493	   tudaV1TSACertData OBJECT-TYPE
1494	       SYNTAX      OCTET STRING (SIZE(0..1024))
1495	       MAX-ACCESS  read-only
1496	       STATUS      current
1497	       DESCRIPTION
1498	           "A fragment of CBOR encoded TSA Certificate data."
1499	       DEFVAL      { "" }
1500	       ::= { tudaV1TSACertEntry 4 }

1502	   --
1503	   --  Sync Token
1504	   --
1505	   tudaV1SyncToken         OBJECT IDENTIFIER ::= { tudaV1MIBObjects 4 }

1507	   tudaV1SyncTokenCycles OBJECT-TYPE
1508	       SYNTAX      Counter32
1509	       MAX-ACCESS  read-only
1510	       STATUS      current
1511	       DESCRIPTION
1512	           "Count of Sync Token update cycles that have
1513	           occurred.

1515	           DEFVAL intentionally omitted - counter object."
1516	       ::= { tudaV1SyncToken 1 }

1518	   tudaV1SyncTokenInstances OBJECT-TYPE
1519	       SYNTAX      Counter32
1520	       MAX-ACCESS  read-only
1521	       STATUS      current
1522	       DESCRIPTION
1523	           "Count of Sync Token instance entries that have
1524	           been recorded (some entries MAY have been pruned).

1526	           DEFVAL intentionally omitted - counter object."
1527	       ::= { tudaV1SyncToken 2 }

1529	   tudaV1SyncTokenTable OBJECT-TYPE
1530	       SYNTAX      SEQUENCE OF TudaV1SyncTokenEntry
1531	       MAX-ACCESS  not-accessible
1532	       STATUS      current
1533	       DESCRIPTION
1534	           "A table of fragments of Sync Token data."
1535	       ::= { tudaV1SyncToken 3 }

1537	   tudaV1SyncTokenEntry OBJECT-TYPE
1538	       SYNTAX      TudaV1SyncTokenEntry
1539	       MAX-ACCESS  not-accessible
1540	       STATUS      current
1541	       DESCRIPTION
1542	           "An entry for one fragment of Sync Token data."
1543	       INDEX       { tudaV1SyncTokenCycleIndex,
1544	                     tudaV1SyncTokenInstanceIndex,
1545	                     tudaV1SyncTokenFragmentIndex }
1546	       ::= { tudaV1SyncTokenTable 1 }

1548	   TudaV1SyncTokenEntry ::=
1549	       SEQUENCE {
1550	           tudaV1SyncTokenCycleIndex       Integer32,
1551	           tudaV1SyncTokenInstanceIndex    Integer32,
1552	           tudaV1SyncTokenFragmentIndex    Integer32,
1553	           tudaV1SyncTokenData             OCTET STRING
1554	       }

1556	   tudaV1SyncTokenCycleIndex OBJECT-TYPE
1557	       SYNTAX      Integer32 (1..2147483647)
1558	       MAX-ACCESS  not-accessible
1559	       STATUS      current
1560	       DESCRIPTION
1561	           "High-order index of this Sync Token fragment.
1562	           Index of a Sync Token update cycle that has
1563	           occurred (bounded by the value of tudaV1SyncTokenCycles).

1565	           DEFVAL intentionally omitted - index object."
1566	       ::= { tudaV1SyncTokenEntry 1 }

1568	   tudaV1SyncTokenInstanceIndex OBJECT-TYPE
1569	       SYNTAX      Integer32 (1..2147483647)
1570	       MAX-ACCESS  not-accessible
1571	       STATUS      current
1572	       DESCRIPTION
1573	           "Middle index of this Sync Token fragment.
1574	           Ordinal of this instance of Sync Token data
1575	           (NOT bounded by the value of tudaV1SyncTokenInstances).

1577	           DEFVAL intentionally omitted - index object."
1578	       ::= { tudaV1SyncTokenEntry 2 }

1580	   tudaV1SyncTokenFragmentIndex OBJECT-TYPE
1581	       SYNTAX      Integer32 (1..2147483647)
1582	       MAX-ACCESS  not-accessible
1583	       STATUS      current
1584	       DESCRIPTION
1585	           "Low-order index of this Sync Token fragment.

1587	           DEFVAL intentionally omitted - index object."
1588	       ::= { tudaV1SyncTokenEntry 3 }

1590	   tudaV1SyncTokenData OBJECT-TYPE
1591	       SYNTAX      OCTET STRING (SIZE(0..1024))
1592	       MAX-ACCESS  read-only
1593	       STATUS      current
1594	       DESCRIPTION
1595	           "A fragment of CBOR encoded Sync Token data."
1596	       DEFVAL      { "" }
1597	       ::= { tudaV1SyncTokenEntry 4 }

1599	   --
1600	   --  Restriction Info
1601	   --
1602	   tudaV1Restrict          OBJECT IDENTIFIER ::= { tudaV1MIBObjects 5 }

1604	   tudaV1RestrictCycles OBJECT-TYPE
1605	       SYNTAX      Counter32
1606	       MAX-ACCESS  read-only
1607	       STATUS      current
1608	       DESCRIPTION
1609	           "Count of Restriction Info update cycles that have
1610	           occurred.

1612	           DEFVAL intentionally omitted - counter object."
1613	       ::= { tudaV1Restrict 1 }

1615	   tudaV1RestrictTable OBJECT-TYPE
1616	       SYNTAX      SEQUENCE OF TudaV1RestrictEntry
1617	       MAX-ACCESS  not-accessible
1618	       STATUS      current
1619	       DESCRIPTION
1620	           "A table of instances of Restriction Info data."
1621	       ::= { tudaV1Restrict 2 }

1623	   tudaV1RestrictEntry OBJECT-TYPE
1624	       SYNTAX      TudaV1RestrictEntry
1625	       MAX-ACCESS  not-accessible
1626	       STATUS      current
1627	       DESCRIPTION
1628	           "An entry for one instance of Restriction Info data."
1629	       INDEX       { tudaV1RestrictCycleIndex }
1630	       ::= { tudaV1RestrictTable 1 }

1632	   TudaV1RestrictEntry ::=
1633	       SEQUENCE {
1634	           tudaV1RestrictCycleIndex        Integer32,
1635	           tudaV1RestrictData              OCTET STRING
1636	       }

1638	   tudaV1RestrictCycleIndex OBJECT-TYPE
1639	       SYNTAX      Integer32 (1..2147483647)
1640	       MAX-ACCESS  not-accessible
1641	       STATUS      current
1642	       DESCRIPTION
1643	           "Index of this Restriction Info entry.
1644	           Index of a Restriction Info update cycle that has
1645	           occurred (bounded by the value of tudaV1RestrictCycles).

1647	           DEFVAL intentionally omitted - index object."
1648	       ::= { tudaV1RestrictEntry 1 }

1650	   tudaV1RestrictData OBJECT-TYPE
1651	       SYNTAX      OCTET STRING (SIZE(0..1024))
1652	       MAX-ACCESS  read-only
1653	       STATUS      current
1654	       DESCRIPTION
1655	           "An instance of CBOR encoded Restriction Info data."
1656	       DEFVAL      { "" }
1657	       ::= { tudaV1RestrictEntry 2 }

1659	   --
1660	   --  Measurement Log
1661	   --
1662	   tudaV1Measure           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 6 }

1664	   tudaV1MeasureCycles OBJECT-TYPE
1665	       SYNTAX      Counter32
1666	       MAX-ACCESS  read-only
1667	       STATUS      current
1668	       DESCRIPTION
1669	           "Count of Measurement Log update cycles that have
1670	           occurred.

1672	           DEFVAL intentionally omitted - counter object."
1673	       ::= { tudaV1Measure 1 }

1675	   tudaV1MeasureInstances OBJECT-TYPE
1676	       SYNTAX      Counter32
1677	       MAX-ACCESS  read-only
1678	       STATUS      current
1679	       DESCRIPTION
1680	           "Count of Measurement Log instance entries that have
1681	           been recorded (some entries MAY have been pruned).

1683	           DEFVAL intentionally omitted - counter object."
1684	       ::= { tudaV1Measure 2 }

1686	   tudaV1MeasureTable OBJECT-TYPE
1687	       SYNTAX      SEQUENCE OF TudaV1MeasureEntry
1688	       MAX-ACCESS  not-accessible
1689	       STATUS      current
1690	       DESCRIPTION
1691	           "A table of instances of Measurement Log data."
1692	       ::= { tudaV1Measure 3 }

1694	   tudaV1MeasureEntry OBJECT-TYPE
1695	       SYNTAX      TudaV1MeasureEntry
1696	       MAX-ACCESS  not-accessible
1697	       STATUS      current
1698	       DESCRIPTION
1699	           "An entry for one instance of Measurement Log data."
1700	       INDEX       { tudaV1MeasureCycleIndex,
1701	                     tudaV1MeasureInstanceIndex }
1702	       ::= { tudaV1MeasureTable 1 }

1704	   TudaV1MeasureEntry ::=
1705	       SEQUENCE {
1706	           tudaV1MeasureCycleIndex         Integer32,
1707	           tudaV1MeasureInstanceIndex      Integer32,
1708	           tudaV1MeasureData               OCTET STRING
1709	       }

1711	   tudaV1MeasureCycleIndex OBJECT-TYPE
1712	       SYNTAX      Integer32 (1..2147483647)
1713	       MAX-ACCESS  not-accessible
1714	       STATUS      current
1715	       DESCRIPTION
1716	           "High-order index of this Measurement Log entry.
1717	           Index of a Measurement Log update cycle that has
1718	           occurred (bounded by the value of tudaV1MeasureCycles).

1720	           DEFVAL intentionally omitted - index object."
1721	       ::= { tudaV1MeasureEntry 1 }

1723	   tudaV1MeasureInstanceIndex OBJECT-TYPE
1724	       SYNTAX      Integer32 (1..2147483647)
1725	       MAX-ACCESS  not-accessible
1726	       STATUS      current
1727	       DESCRIPTION
1728	           "Low-order index of this Measurement Log entry.
1729	           Ordinal of this instance of Measurement Log data
1730	           (NOT bounded by the value of tudaV1MeasureInstances).

1732	           DEFVAL intentionally omitted - index object."
1733	       ::= { tudaV1MeasureEntry 2 }

1735	   tudaV1MeasureData OBJECT-TYPE
1736	       SYNTAX      OCTET STRING (SIZE(0..1024))
1737	       MAX-ACCESS  read-only
1738	       STATUS      current
1739	       DESCRIPTION
1740	           "A instance of CBOR encoded Measurement Log data."
1741	       DEFVAL      { "" }
1742	       ::= { tudaV1MeasureEntry 3 }

1744	   --
1745	   --  Verify Token
1746	   --
1747	   tudaV1VerifyToken       OBJECT IDENTIFIER ::= { tudaV1MIBObjects 7 }

1749	   tudaV1VerifyTokenCycles OBJECT-TYPE
1750	       SYNTAX      Counter32
1751	       MAX-ACCESS  read-only
1752	       STATUS      current
1753	       DESCRIPTION
1754	           "Count of Verify Token update cycles that have
1755	           occurred.

1757	           DEFVAL intentionally omitted - counter object."
1758	       ::= { tudaV1VerifyToken 1 }

1760	   tudaV1VerifyTokenTable OBJECT-TYPE
1761	       SYNTAX      SEQUENCE OF TudaV1VerifyTokenEntry
1762	       MAX-ACCESS  not-accessible
1763	       STATUS      current
1764	       DESCRIPTION
1765	           "A table of instances of Verify Token data."
1766	       ::= { tudaV1VerifyToken 2 }

1768	   tudaV1VerifyTokenEntry OBJECT-TYPE
1769	       SYNTAX      TudaV1VerifyTokenEntry
1770	       MAX-ACCESS  not-accessible
1771	       STATUS      current
1772	       DESCRIPTION
1773	           "An entry for one instance of Verify Token data."
1774	       INDEX       { tudaV1VerifyTokenCycleIndex }
1775	       ::= { tudaV1VerifyTokenTable 1 }

1777	   TudaV1VerifyTokenEntry ::=
1778	       SEQUENCE {
1779	           tudaV1VerifyTokenCycleIndex     Integer32,
1780	           tudaV1VerifyTokenData           OCTET STRING
1781	       }

1783	   tudaV1VerifyTokenCycleIndex OBJECT-TYPE
1784	       SYNTAX      Integer32 (1..2147483647)
1785	       MAX-ACCESS  not-accessible
1786	       STATUS      current
1787	       DESCRIPTION
1788	           "Index of this instance of Verify Token data.
1789	           Index of a Verify Token update cycle that has
1790	           occurred (bounded by the value of tudaV1VerifyTokenCycles).

1792	           DEFVAL intentionally omitted - index object."
1793	       ::= { tudaV1VerifyTokenEntry 1 }

1795	   tudaV1VerifyTokenData OBJECT-TYPE
1796	       SYNTAX      OCTET STRING (SIZE(0..1024))
1797	       MAX-ACCESS  read-only
1798	       STATUS      current
1799	       DESCRIPTION
1800	           "A instance of CBOR encoded Verify Token data."
1801	       DEFVAL      { "" }
1802	       ::= { tudaV1VerifyTokenEntry 2 }

1804	   --
1805	   --  SWID Tag
1806	   --
1807	   tudaV1SWIDTag           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 8 }

1809	   tudaV1SWIDTagCycles OBJECT-TYPE
1810	       SYNTAX      Counter32
1811	       MAX-ACCESS  read-only
1812	       STATUS      current
1813	       DESCRIPTION
1814	           "Count of SWID Tag update cycles that have occurred.

1816	           DEFVAL intentionally omitted - counter object."
1817	       ::= { tudaV1SWIDTag 1 }

1819	   tudaV1SWIDTagTable OBJECT-TYPE
1820	       SYNTAX      SEQUENCE OF TudaV1SWIDTagEntry
1821	       MAX-ACCESS  not-accessible
1822	       STATUS      current
1823	       DESCRIPTION
1824	           "A table of fragments of SWID Tag data."
1825	       ::= { tudaV1SWIDTag 2 }

1827	   tudaV1SWIDTagEntry OBJECT-TYPE
1828	       SYNTAX      TudaV1SWIDTagEntry
1829	       MAX-ACCESS  not-accessible
1830	       STATUS      current
1831	       DESCRIPTION
1832	           "An entry for one fragment of SWID Tag data."
1833	       INDEX       { tudaV1SWIDTagCycleIndex,
1834	                     tudaV1SWIDTagInstanceIndex,
1835	                     tudaV1SWIDTagFragmentIndex }
1836	       ::= { tudaV1SWIDTagTable 1 }

1838	   TudaV1SWIDTagEntry ::=
1839	       SEQUENCE {
1840	           tudaV1SWIDTagCycleIndex         Integer32,
1841	           tudaV1SWIDTagInstanceIndex      Integer32,
1842	           tudaV1SWIDTagFragmentIndex      Integer32,
1843	           tudaV1SWIDTagData               OCTET STRING
1844	       }

1846	   tudaV1SWIDTagCycleIndex OBJECT-TYPE
1847	       SYNTAX      Integer32 (1..2147483647)
1848	       MAX-ACCESS  not-accessible
1849	       STATUS      current
1850	       DESCRIPTION
1851	           "High-order index of this SWID Tag fragment.
1852	           Index of an SWID Tag update cycle that has
1853	           occurred (bounded by the value of tudaV1SWIDTagCycles).

1855	           DEFVAL intentionally omitted - index object."
1856	       ::= { tudaV1SWIDTagEntry 1 }

1858	   tudaV1SWIDTagInstanceIndex OBJECT-TYPE
1859	       SYNTAX      Integer32 (1..2147483647)
1860	       MAX-ACCESS  not-accessible
1861	       STATUS      current
1862	       DESCRIPTION
1863	           "Middle index of this SWID Tag fragment.
1864	           Ordinal of this SWID Tag instance in this update cycle.

1866	           DEFVAL intentionally omitted - index object."
1867	       ::= { tudaV1SWIDTagEntry 2 }

1869	   tudaV1SWIDTagFragmentIndex OBJECT-TYPE
1870	       SYNTAX      Integer32 (1..2147483647)
1871	       MAX-ACCESS  not-accessible
1872	       STATUS      current
1873	       DESCRIPTION
1874	           "Low-order index of this SWID Tag fragment.

1876	           DEFVAL intentionally omitted - index object."
1877	       ::= { tudaV1SWIDTagEntry 3 }

1879	   tudaV1SWIDTagData OBJECT-TYPE
1880	       SYNTAX      OCTET STRING (SIZE(0..1024))
1881	       MAX-ACCESS  read-only
1882	       STATUS      current
1883	       DESCRIPTION
1884	           "A fragment of CBOR encoded SWID Tag data."
1885	       DEFVAL      { "" }
1886	       ::= { tudaV1SWIDTagEntry 4 }

1888	   --
1889	   --  Trap Cycles
1890	   --
1891	   tudaV1TrapV2Cycles NOTIFICATION-TYPE
1892	       OBJECTS {
1893	           tudaV1GeneralCycles,
1894	           tudaV1AIKCertCycles,
1895	           tudaV1TSACertCycles,
1896	           tudaV1SyncTokenCycles,
1897	           tudaV1SyncTokenInstances,
1898	           tudaV1RestrictCycles,
1899	           tudaV1MeasureCycles,
1900	           tudaV1MeasureInstances,
1901	           tudaV1VerifyTokenCycles,
1902	           tudaV1SWIDTagCycles
1903	       }
1904	       STATUS  current
1905	       DESCRIPTION
1906	           "This trap is sent when the value of any cycle or instance
1907	           counter changes (i.e., one or more tables are updated).

1909	           Note:  The value of sysUpTime in IETF MIB-II (RFC 1213) is
1910	           always included in SNMPv2 traps, per RFC 3416."
1911	       ::= { tudaV1MIBNotifications 1 }

1913	   --
1914	   --  Conformance Information
1915	   --
1916	   tudaV1Compliances           OBJECT IDENTIFIER
1917	       ::= { tudaV1MIBConformance 1 }

1919	   tudaV1ObjectGroups          OBJECT IDENTIFIER
1920	       ::= { tudaV1MIBConformance 2 }

1922	   tudaV1NotificationGroups    OBJECT IDENTIFIER
1923	       ::= { tudaV1MIBConformance 3 }

1925	   --
1926	   --  Compliance Statements
1927	   --
1928	   tudaV1BasicCompliance MODULE-COMPLIANCE
1929	       STATUS  current
1930	       DESCRIPTION
1931	           "An implementation that complies with this module MUST
1932	           implement all of the objects defined in the mandatory
1933	           group tudaV1BasicGroup."
1934	       MODULE  -- this module
1935	       MANDATORY-GROUPS { tudaV1BasicGroup }

1937	       GROUP   tudaV1OptionalGroup
1938	       DESCRIPTION
1939	           "The optional TUDA MIB objects.
1940	           An implementation MAY implement this group."

1942	       GROUP   tudaV1TrapGroup
1943	       DESCRIPTION
1944	           "The TUDA MIB traps.
1945	           An implementation SHOULD implement this group."
1946	       ::= { tudaV1Compliances 1 }

1948	   --
1949	   --  Compliance Groups
1950	   --
1951	   tudaV1BasicGroup OBJECT-GROUP
1952	       OBJECTS {
1953	           tudaV1GeneralCycles,
1954	           tudaV1GeneralVersionInfo,
1955	           tudaV1SyncTokenCycles,
1956	           tudaV1SyncTokenInstances,
1957	           tudaV1SyncTokenData,
1958	           tudaV1RestrictCycles,
1959	           tudaV1RestrictData,
1960	           tudaV1VerifyTokenCycles,
1961	           tudaV1VerifyTokenData
1962	       }
1963	       STATUS  current
1964	       DESCRIPTION
1965	           "The basic mandatory TUDA MIB objects."
1966	       ::= { tudaV1ObjectGroups 1 }

1968	   tudaV1OptionalGroup OBJECT-GROUP
1969	       OBJECTS {
1970	           tudaV1AIKCertCycles,
1971	           tudaV1AIKCertData,
1972	           tudaV1TSACertCycles,
1973	           tudaV1TSACertData,
1974	           tudaV1MeasureCycles,
1975	           tudaV1MeasureInstances,
1976	           tudaV1MeasureData,
1977	           tudaV1SWIDTagCycles,
1978	           tudaV1SWIDTagData
1979	       }
1980	       STATUS  current
1981	       DESCRIPTION
1982	           "The optional TUDA MIB objects."
1983	       ::= { tudaV1ObjectGroups 2 }

1985	   tudaV1TrapGroup NOTIFICATION-GROUP
1986	       NOTIFICATIONS { tudaV1TrapV2Cycles }
1987	       STATUS      current
1988	       DESCRIPTION
1989	           "The recommended TUDA MIB traps - notifications."
1990	       ::= { tudaV1NotificationGroups 1 }

1992	   END
1993	   <CODE ENDS>

1995	Appendix C.  YANG Realization

1997	<CODE BEGINS>
1998	module TUDA-V1-ATTESTATION-MIB {

2000	  namespace "urn:ietf:params:xml:ns:yang:smiv2:TUDA-V1-ATTESTATION-MIB";
2001	  prefix "tuda-v1";
2002	  import SNMP-FRAMEWORK-MIB { prefix "snmp-framework"; }
2003	  import yang-types         { prefix "yang"; }

2005	  organization
2006	   "Fraunhofer SIT";

2008	  contact
2009	   "Andreas Fuchs
2010	    Fraunhofer Institute for Secure Information Technology
2011	    Email: andreas.fuchs@sit.fraunhofer.de

2013	    Henk Birkholz
2014	    Fraunhofer Institute for Secure Information Technology
2015	    Email: henk.birkholz@sit.fraunhofer.de

2017	    Ira E McDonald
2018	    High North Inc
2019	    Email: blueroofmusic@gmail.com

2021	    Carsten Bormann
2022	    Universitaet Bremen TZI
2023	    Email: cabo@tzi.org";

2025	  description
2026	   "The MIB module for monitoring of time-based unidirectional
2027	    attestation information from a network endpoint system,
2028	    based on the Trusted Computing Group TPM 1.2 definition.

2030	    Copyright (C) High North Inc (2017).";

2032	  revision "2017-10-30" {
2033	    description
2034	     "Fifth version, published as draft-birkholz-tuda-04.";
2035	    reference
2036	     "draft-birkholz-tuda-04";
2037	  }
2038	  revision "2017-01-09" {
2039	    description
2040	     "Fourth version, published as draft-birkholz-tuda-03.";
2041	    reference
2042	     "draft-birkholz-tuda-03";
2043	  }
2044	  revision "2016-07-08" {
2045	    description
2046	     "Third version, published as draft-birkholz-tuda-02.";
2047	    reference
2048	     "draft-birkholz-tuda-02";
2049	  }
2050	  revision "2016-03-21" {
2051	    description
2052	     "Second version, published as draft-birkholz-tuda-01.";
2053	    reference
2054	     "draft-birkholz-tuda-01";
2055	  }
2056	  revision "2015-10-18" {
2057	    description
2058	     "Initial version, published as draft-birkholz-tuda-00.";
2059	    reference
2060	     "draft-birkholz-tuda-00";
2061	  }

2063	  container tudaV1General {
2064	  description
2065	    "TBD";

2067	    leaf tudaV1GeneralCycles {
2068	      type yang:counter32;
2069	      config false;
2070	      description
2071	       "Count of TUDA update cycles that have occurred, i.e.,
2072	        sum of all the individual group cycle counters.

2074	        DEFVAL intentionally omitted - counter object.";
2075	    }

2077	    leaf tudaV1GeneralVersionInfo {
2078	      type snmp-framework:SnmpAdminString {
2079	        length "0..255";
2080	      }
2081	      config false;
2082	      description
2083	       "Version information for TUDA MIB, e.g., specific release
2084	        version of TPM 1.2 base specification and release version
2085	        of TPM 1.2 errata specification and manufacturer and model
2086	        TPM module itself.";
2087	    }
2088	  }

2090	  container tudaV1AIKCert {
2091	  description
2092	    "TBD";

2094	    leaf tudaV1AIKCertCycles {
2095	      type yang:counter32;
2096	      config false;
2097	      description
2098	       "Count of AIK Certificate chain update cycles that have
2099	        occurred.

2101	        DEFVAL intentionally omitted - counter object.";
2102	    }

2104	    /* XXX table comments here XXX */

2106	    list tudaV1AIKCertEntry {

2108	      key "tudaV1AIKCertCycleIndex tudaV1AIKCertInstanceIndex
2109	           tudaV1AIKCertFragmentIndex";
2110	        config false;
2111	      description
2112	       "An entry for one fragment of AIK Certificate data.";

2114	      leaf tudaV1AIKCertCycleIndex {
2115	        type int32 {
2116	          range "1..2147483647";
2117	        }
2118	        config false;
2119	        description
2120	         "High-order index of this AIK Certificate fragment.
2121	          Index of an AIK Certificate chain update cycle that has
2122	          occurred (bounded by the value of tudaV1AIKCertCycles).

2124	          DEFVAL intentionally omitted - index object.";
2125	      }

2127	      leaf tudaV1AIKCertInstanceIndex {
2128	        type int32 {
2129	          range "1..2147483647";
2130	        }
2131	        config false;
2132	        description
2133	         "Middle index of this AIK Certificate fragment.
2134	          Ordinal of this AIK Certificate in this chain, where the AIK
2135	          Certificate itself has an ordinal of '1' and higher ordinals
2136	          go *up* the certificate chain to the Root CA.

2138	          DEFVAL intentionally omitted - index object.";
2139	      }

2141	      leaf tudaV1AIKCertFragmentIndex {
2142	        type int32 {
2143	          range "1..2147483647";

2145	        }
2146	        config false;
2147	        description
2148	         "Low-order index of this AIK Certificate fragment.

2150	          DEFVAL intentionally omitted - index object.";
2151	      }

2153	      leaf tudaV1AIKCertData {
2154	        type binary {
2155	          length "0..1024";
2156	        }
2157	        config false;
2158	        description
2159	         "A fragment of CBOR encoded AIK Certificate data.";
2160	      }
2161	    }
2162	  }

2164	  container tudaV1TSACert {
2165	  description
2166	    "TBD";

2168	    leaf tudaV1TSACertCycles {
2169	      type yang:counter32;
2170	      config false;
2171	      description
2172	       "Count of TSA Certificate chain update cycles that have
2173	        occurred.

2175	        DEFVAL intentionally omitted - counter object.";
2176	    }

2178	    /* XXX table comments here XXX */

2180	    list tudaV1TSACertEntry {

2182	      key "tudaV1TSACertCycleIndex tudaV1TSACertInstanceIndex
2183	           tudaV1TSACertFragmentIndex";
2184	      config false;
2185	      description
2186	       "An entry for one fragment of TSA Certificate data.";

2188	      leaf tudaV1TSACertCycleIndex {
2189	        type int32 {
2190	          range "1..2147483647";

2192	        }
2193	        config false;
2194	        description
2195	         "High-order index of this TSA Certificate fragment.
2196	          Index of a TSA Certificate chain update cycle that has
2197	          occurred (bounded by the value of tudaV1TSACertCycles).

2199	          DEFVAL intentionally omitted - index object.";
2200	      }

2202	      leaf tudaV1TSACertInstanceIndex {
2203	        type int32 {
2204	          range "1..2147483647";
2205	        }
2206	        config false;
2207	        description
2208	         "Middle index of this TSA Certificate fragment.
2209	          Ordinal of this TSA Certificate in this chain, where the TSA
2210	          Certificate itself has an ordinal of '1' and higher ordinals
2211	          go *up* the certificate chain to the Root CA.

2213	          DEFVAL intentionally omitted - index object.";
2214	      }

2216	      leaf tudaV1TSACertFragmentIndex {
2217	        type int32 {
2218	          range "1..2147483647";
2219	        }
2220	        config false;
2221	        description
2222	         "Low-order index of this TSA Certificate fragment.

2224	          DEFVAL intentionally omitted - index object.";
2225	      }

2227	      leaf tudaV1TSACertData {
2228	        type binary {
2229	          length "0..1024";
2230	        }
2231	        config false;
2232	        description
2233	         "A fragment of CBOR encoded TSA Certificate data.";
2234	      }
2235	    }
2236	  }

2238	  container tudaV1SyncToken {
2239	  description
2240	    "TBD";

2242	    leaf tudaV1SyncTokenCycles {
2243	      type yang:counter32;
2244	      config false;
2245	      description
2246	       "Count of Sync Token update cycles that have
2247	        occurred.

2249	        DEFVAL intentionally omitted - counter object.";
2250	    }

2252	    leaf tudaV1SyncTokenInstances {
2253	      type yang:counter32;
2254	      config false;
2255	      description
2256	       "Count of Sync Token instance entries that have
2257	        been recorded (some entries MAY have been pruned).

2259	        DEFVAL intentionally omitted - counter object.";
2260	    }

2262	    list tudaV1SyncTokenEntry {

2264	      key "tudaV1SyncTokenCycleIndex
2265	           tudaV1SyncTokenInstanceIndex
2266	           tudaV1SyncTokenFragmentIndex";
2267	      config false;
2268	      description
2269	       "An entry for one fragment of Sync Token data.";

2271	      leaf tudaV1SyncTokenCycleIndex {
2272	        type int32 {
2273	          range "1..2147483647";
2274	        }
2275	        config false;
2276	        description
2277	         "High-order index of this Sync Token fragment.
2278	          Index of a Sync Token update cycle that has
2279	          occurred (bounded by the value of tudaV1SyncTokenCycles).

2281	          DEFVAL intentionally omitted - index object.";
2282	      }

2284	      leaf tudaV1SyncTokenInstanceIndex {
2285	        type int32 {
2286	          range "1..2147483647";

2288	        }
2289	        config false;
2290	        description
2291	         "Middle index of this Sync Token fragment.
2292	          Ordinal of this instance of Sync Token data
2293	          (NOT bounded by the value of tudaV1SyncTokenInstances).

2295	          DEFVAL intentionally omitted - index object.";
2296	      }

2298	      leaf tudaV1SyncTokenFragmentIndex {
2299	        type int32 {
2300	          range "1..2147483647";
2301	        }
2302	        config false;
2303	        description
2304	         "Low-order index of this Sync Token fragment.

2306	          DEFVAL intentionally omitted - index object.";
2307	      }

2309	      leaf tudaV1SyncTokenData {
2310	        type binary {
2311	          length "0..1024";
2312	        }
2313	        config false;
2314	        description
2315	         "A fragment of CBOR encoded Sync Token data.";
2316	      }
2317	    }
2318	  }

2320	  container tudaV1Restrict {
2321	  description
2322	    "TBD";

2324	    leaf tudaV1RestrictCycles {
2325	      type yang:counter32;
2326	      config false;
2327	      description
2328	       "Count of Restriction Info update cycles that have
2329	        occurred.

2331	        DEFVAL intentionally omitted - counter object.";
2332	    }

2334	    /* XXX table comments here XXX */
2335	    list tudaV1RestrictEntry {

2337	      key "tudaV1RestrictCycleIndex";
2338	      config false;
2339	      description
2340	       "An entry for one instance of Restriction Info data.";

2342	      leaf tudaV1RestrictCycleIndex {
2343	        type int32 {
2344	          range "1..2147483647";
2345	        }
2346	        config false;
2347	        description
2348	         "Index of this Restriction Info entry.
2349	          Index of a Restriction Info update cycle that has
2350	          occurred (bounded by the value of tudaV1RestrictCycles).

2352	          DEFVAL intentionally omitted - index object.";
2353	      }

2355	      leaf tudaV1RestrictData {
2356	        type binary {
2357	          length "0..1024";
2358	        }
2359	        config false;
2360	        description
2361	         "An instance of CBOR encoded Restriction Info data.";
2362	      }
2363	    }
2364	  }

2366	  container tudaV1Measure {
2367	  description
2368	    "TBD";

2370	    leaf tudaV1MeasureCycles {
2371	      type yang:counter32;
2372	      config false;
2373	      description
2374	       "Count of Measurement Log update cycles that have
2375	        occurred.

2377	        DEFVAL intentionally omitted - counter object.";
2378	    }

2380	    leaf tudaV1MeasureInstances {
2381	      type yang:counter32;
2382	      config false;
2383	      description
2384	       "Count of Measurement Log instance entries that have
2385	        been recorded (some entries MAY have been pruned).

2387	        DEFVAL intentionally omitted - counter object.";
2388	    }

2390	    list tudaV1MeasureEntry {

2392	      key "tudaV1MeasureCycleIndex tudaV1MeasureInstanceIndex";
2393	      config false;
2394	      description
2395	       "An entry for one instance of Measurement Log data.";

2397	      leaf tudaV1MeasureCycleIndex {
2398	        type int32 {
2399	          range "1..2147483647";
2400	        }
2401	        config false;
2402	        description
2403	         "High-order index of this Measurement Log entry.
2404	          Index of a Measurement Log update cycle that has
2405	          occurred (bounded by the value of tudaV1MeasureCycles).

2407	          DEFVAL intentionally omitted - index object.";
2408	      }

2410	      leaf tudaV1MeasureInstanceIndex {
2411	        type int32 {
2412	          range "1..2147483647";
2413	        }
2414	        config false;
2415	        description
2416	         "Low-order index of this Measurement Log entry.
2417	          Ordinal of this instance of Measurement Log data
2418	          (NOT bounded by the value of tudaV1MeasureInstances).

2420	          DEFVAL intentionally omitted - index object.";
2421	      }

2423	      leaf tudaV1MeasureData {
2424	        type binary {
2425	          length "0..1024";
2426	        }
2427	        config false;
2428	        description
2429	         "A instance of CBOR encoded Measurement Log data.";
2430	      }
2431	    }
2432	  }

2434	  container tudaV1VerifyToken {
2435	  description
2436	    "TBD";

2438	    leaf tudaV1VerifyTokenCycles {
2439	      type yang:counter32;
2440	      config false;
2441	      description
2442	       "Count of Verify Token update cycles that have
2443	        occurred.

2445	        DEFVAL intentionally omitted - counter object.";
2446	    }

2448	    /* XXX table comments here XXX */

2450	    list tudaV1VerifyTokenEntry {

2452	      key "tudaV1VerifyTokenCycleIndex";
2453	      config false;
2454	      description
2455	       "An entry for one instance of Verify Token data.";

2457	      leaf tudaV1VerifyTokenCycleIndex {
2458	        type int32 {
2459	          range "1..2147483647";
2460	        }
2461	        config false;
2462	        description
2463	         "Index of this instance of Verify Token data.
2464	          Index of a Verify Token update cycle that has
2465	          occurred (bounded by the value of tudaV1VerifyTokenCycles).

2467	          DEFVAL intentionally omitted - index object.";
2468	      }

2470	      leaf tudaV1VerifyTokenData {
2471	        type binary {
2472	          length "0..1024";
2473	        }
2474	        config false;
2475	        description
2476	         "A instanc-V1-ATTESTATION-MIB.yang
2477	      }
2478	    }
2479	  }

2481	  container tudaV1SWIDTag {
2482	  description
2483	    "see CoSWID and YANG SIWD module for now"

2485	    leaf tudaV1SWIDTagCycles {
2486	      type yang:counter32;
2487	      config false;
2488	      description
2489	       "Count of SWID Tag update cycles that have occurred.

2491	        DEFVAL intentionally omitted - counter object.";
2492	    }

2494	    list tudaV1SWIDTagEntry {

2496	      key "tudaV1SWIDTagCycleIndex tudaV1SWIDTagInstanceIndex
2497	           tudaV1SWIDTagFragmentIndex";
2498	      config false;
2499	      description
2500	       "An entry for one fragment of SWID Tag data.";

2502	      leaf tudaV1SWIDTagCycleIndex {
2503	        type int32 {
2504	          range "1..2147483647";
2505	        }
2506	        config false;
2507	        description
2508	         "High-order index of this SWID Tag fragment.
2509	          Index of an SWID Tag update cycle that has
2510	          occurred (bounded by the value of tudaV1SWIDTagCycles).

2512	          DEFVAL intentionally omitted - index object.";
2513	      }

2515	      leaf tudaV1SWIDTagInstanceIndex {
2516	        type int32 {
2517	          range "1..2147483647";
2518	        }
2519	        config false;
2520	        description
2521	         "Middle index of this SWID Tag fragment.

2523	          Ordinal of this SWID Tag instance in this update cycle.

2525	          DEFVAL intentionally omitted - index object.";
2526	      }

2528	      leaf tudaV1SWIDTagFragmentIndex {
2529	        type int32 {
2530	          range "1..2147483647";
2531	        }
2532	        config false;
2533	        description
2534	         "Low-order index of this SWID Tag fragment.

2536	          DEFVAL intentionally omitted - index object.";
2537	      }

2539	      leaf tudaV1SWIDTagData {
2540	        type binary {
2541	          length "0..1024";
2542	        }
2543	        config false;
2544	        description
2545	         "A fragment of CBOR encoded SWID Tag data.";
2546	      }
2547	    }
2548	  }

2550	  notification tudaV1TrapV2Cycles {
2551	    description
2552	     "This trap is sent when the value of any cycle or instance
2553	      counter changes (i.e., one or more tables are updated).

2555	      Note:  The value of sysUpTime in IETF MIB-II (RFC 1213) is
2556	      always included in SNMPv2 traps, per RFC 3416.";

2558	    container tudaV1TrapV2Cycles-tudaV1GeneralCycles {
2559	      description
2560	       "TPD"
2561	      leaf tudaV1GeneralCycles {
2562	        type yang:counter32;
2563	        description
2564	         "Count of TUDA update cycles that have occurred, i.e.,
2565	          sum of all the individual group cycle counters.

2567	          DEFVAL intentionally omitted - counter object.";
2568	      }
2569	    }
2570	    container tudaV1TrapV2Cycles-tudaV1AIKCertCycles {
2571	      description
2572	       "TPD"
2573	      leaf tudaV1AIKCertCycles {
2574	        type yang:counter32;
2575	        description
2576	         "Count of AIK Certificate chain update cycles that have
2577	          occurred.

2579	          DEFVAL intentionally omitted - counter object.";
2580	      }
2581	    }

2583	    container tudaV1TrapV2Cycles-tudaV1TSACertCycles {
2584	      description
2585	       "TPD"
2586	      leaf tudaV1TSACertCycles {
2587	        type yang:counter32;
2588	        description
2589	         "Count of TSA Certificate chain update cycles that have
2590	          occurred.

2592	          DEFVAL intentionally omitted - counter object.";
2593	      }
2594	    }

2596	    container tudaV1TrapV2Cycles-tudaV1SyncTokenCycles {
2597	      description
2598	       "TPD"
2599	      leaf tudaV1SyncTokenCycles {
2600	        type yang:counter32;
2601	        description
2602	         "Count of Sync Token update cycles that have
2603	          occurred.

2605	          DEFVAL intentionally omitted - counter object.";
2606	      }
2607	    }

2609	    container tudaV1TrapV2Cycles-tudaV1SyncTokenInstances {
2610	      description
2611	       "TPD"
2612	      leaf tudaV1SyncTokenInstances {
2613	        type yang:counter32;
2614	        description
2615	         "Count of Sync Token instance entries that have
2616	          been recorded (some entries MAY have been pruned).

2618	          DEFVAL intentionally omitted - counter object.";
2619	      }
2620	    }

2622	    container tudaV1TrapV2Cycles-tudaV1RestrictCycles {
2623	      description
2624	       "TPD"
2625	      leaf tudaV1RestrictCycles {
2626	        type yang:counter32;
2627	        description
2628	         "Count of Restriction Info update cycles that have
2629	          occurred.

2631	          DEFVAL intentionally omitted - counter object.";
2632	      }
2633	    }

2635	    container tudaV1TrapV2Cycles-tudaV1MeasureCycles {
2636	      description
2637	       "TPD"
2638	      leaf tudaV1MeasureCycles {
2639	        type yang:counter32;
2640	        description
2641	         "Count of Measurement Log update cycles that have
2642	          occurred.

2644	          DEFVAL intentionally omitted - counter object.";
2645	      }
2646	    }

2648	    container tudaV1TrapV2Cycles-tudaV1MeasureInstances {
2649	      description
2650	       "TPD"
2651	      leaf tudaV1MeasureInstances {
2652	        type yang:counter32;
2653	        description
2654	         "Count of Measurement Log instance entries that have
2655	          been recorded (some entries MAY have been pruned).

2657	          DEFVAL intentionally omitted - counter object.";
2658	      }
2659	    }

2661	    container tudaV1TrapV2Cycles-tudaV1VerifyTokenCycles {
2662	      description
2663	       "TPD"
2664	      leaf tudaV1VerifyTokenCycles {
2665	        type yang:counter32;
2666	        description
2667	         "Count of Verify Token update cycles that have
2668	          occurred.

2670	          DEFVAL intentionally omitted - counter object.";
2671	      }
2672	    }

2674	    container tudaV1TrapV2Cycles-tudaV1SWIDTagCycles {
2675	      description
2676	       "TPD"
2677	      leaf tudaV1SWIDTagCycles {
2678	        type yang:counter32;
2679	        description
2680	         "Count of SWID Tag update cycles that have occurred.

2682	          DEFVAL intentionally omitted - counter object.";
2683	      }
2684	    }

2686	  }
2687	}
2688	<CODE ENDS>

2690	Appendix D.  Realization with TPM functions

2692	D.1.  TPM Functions

2694	   The following TPM structures, resources and functions are used within
2695	   this approach.  They are based upon the TPM specifications [TPM12]
2696	   and [TPM2].

2698	D.1.1.  Tick-Session and Tick-Stamp

2700	   On every boot, the TPM initializes a new Tick-Session.  Such a tick-
2701	   session consists of a nonce that is randomly created upon each boot
2702	   to identify the current boot-cycle - the phase between boot-time of
2703	   the device and shutdown or power-off - and prevent replaying of old
2704	   tick-session values.  The TPM uses its internal entropy source that
2705	   guarantees virtually no collisions of the nonce values between two of
2706	   such boot cycles.

2708	   It further includes an internal timer that is being initialize to
2709	   Zero on each reboot.  From this point on, the TPM increments this
2710	   timer continuously based upon its internal secure clocking
2711	   information until the device is powered down or set to sleep.  By its
2712	   hardware design, the TPM will detect attacks on any of those
2713	   properties.

2715	   The TPM offers the function TPM_TickStampBlob, which allows the TPM
2716	   to create a signature over the current tick-session and two
2717	   externally provided input values.  These input values are designed to
2718	   serve as a nonce and as payload data to be included in a
2719	   TickStampBlob: TickstampBlob := sig(TPM-key, currentTicks || nonce ||
2720	   externalData).

2722	   As a result, one is able to proof that at a certain point in time
2723	   (relative to the tick-session) after the provisioning of a certain
2724	   nonce, some certain externalData was known and provided to the TPM.
2725	   If an approach however requires no input values or only one input
2726	   value (such as the use in this document) the input values can be set
2727	   to well-known value.  The convention used within TCG specifications
2728	   and within this document is to use twenty bytes of zero
2729	   h'0000000000000000000000000000000000000000' as well-known value.

2731	D.1.2.  Platform Configuration Registers (PCRs)

2733	   The TPM is a secure cryptoprocessor that provides the ability to
2734	   store measurements and metrics about an endpoint's configuration and
2735	   state in a secure, tamper-proof environment.  Each of these security
2736	   relevant metrics can be stored in a volatile Platform Configuration
2737	   Register (PCR) inside the TPM.  These measurements can be conducted
2738	   at any point in time, ranging from an initial BIOS boot-up sequence
2739	   to measurements taken after hundreds of hours of uptime.

2741	   The initial measurement is triggered by the Platforms so-called pre-
2742	   BIOS or ROM-code.  It will conduct a measurement of the first
2743	   loadable pieces of code; i.e.\ the BIOS.  The BIOS will in turn
2744	   measure its Option ROMs and the BootLoader, which measures the OS-
2745	   Kernel, which in turn measures its applications.  This describes a
2746	   so-called measurement chain.  This typically gets recorded in a so-
2747	   called measurement log, such that the values of the PCRs can be
2748	   reconstructed from the individual measurements for validation.

2750	   Via its PCRs, a TPM provides a Root of Trust that can, for example,
2751	   support secure boot or remote attestation.  The attestation of an
2752	   endpoint's identity or security posture is based on the content of an
2753	   TPM's PCRs (platform integrity measurements).

2755	D.1.3.  PCR restricted Keys

2757	   Every key inside the TPM can be restricted in such a way that it can
2758	   only be used if a certain set of PCRs are in a predetermined state.
2759	   For key creation the desired state for PCRs are defined via the
2760	   PCRInfo field inside the keyInfo parameter.  Whenever an operation
2761	   using this key is performed, the TPM first checks whether the PCRs
2762	   are in the correct state.  Otherwise the operation is denied by the
2763	   TPM.

2765	D.1.4.  CertifyInfo

2767	   The TPM offers a command to certify the properties of a key by means
2768	   of a signature using another key.  This includes especially the
2769	   keyInfo which in turn includes the PCRInfo information used during
2770	   key creation.  This way, a third party can be assured about the fact
2771	   that a key is only usable if the PCRs are in a certain state.

2773	D.2.  IE Generation Procedures for TPM 1.2

2775	D.2.1.  AIK and AIK Certificate

2777	   Attestations are based upon a cryptographic signature performed by
2778	   the TPM using a so-called Attestation Identity Key (AIK).  An AIK has
2779	   the properties that it cannot be exported from a TPM and is used for
2780	   attestations.  Trust in the AIK is established by an X.509
2781	   Certificate emitted by a Certificate Authority.  The AIK certificate
2782	   is either provided directly or via a so-called PrivacyCA
2783	   [AIK-Enrollment].

2785	   This element consists of the AIK certificate that includes the AIK's
2786	   public key used during verification as well as the certificate chain
2787	   up to the Root CA for validation of the AIK certificate itself.

2789	   TUDA-Cert = [AIK-Cert, TSA-Cert]; maybe split into two for SNMP
2790	   AIK-Cert = Cert
2791	   TSA-Cert = Cert

2793	                    Figure 2: TUDA-Cert element in CDDL

2795	   The TSA-Cert is a standard certificate of the TSA.

2797	   The AIK-Cert may be provisioned in a secure environment using
2798	   standard means or it may follow the PrivacyCA protocols.  Figure 3
2799	   gives a rough sketch of this protocol.  See [AIK-Enrollment] for more
2800	   information.

2802	   The X.509 Certificate is built from the AIK public key and the
2803	   corresponding PKCS #7 certificate chain, as shown in Figure 3.

2805	   Required TPM functions:

2807	   | create_AIK_Cert(...) = {
2808	   |   AIK = TPM_MakeIdentity()
2809	   |   IdReq = CollateIdentityRequest(AIK,EK)
2810	   |   IdRes = Call(AIK-CA, IdReq)
2811	   |   AIK-Cert = TPM_ActivateIdentity(AIK, IdRes)
2812	   | }
2813	   |
2814	   | /* Alternative */
2815	   |
2816	   | create_AIK_Cert(...) = {
2817	   |   AIK = TPM_CreateWrapKey(Identity)
2818	   |   AIK-Cert = Call(AIK-CA, AIK.pubkey)
2819	   | }

2821	                 Figure 3: Creating the TUDA-Cert element

2823	D.2.2.  Synchronization Token

2825	   The reference for Attestations are the Tick-Sessions of the TPM.  In
2826	   order to put Attestations into relation with a Real Time Clock (RTC),
2827	   it is necessary to provide a cryptographic synchronization between
2828	   the tick session and the RTC.  To do so, a synchronization protocol
2829	   is run with a Time Stamp Authority (TSA) that consists of three
2830	   steps:

2832	   o  The TPM creates a TickStampBlob using the AIK

2834	   o  This TickstampBlob is used as nonce to the Timestamp of the TSA

2836	   o  Another TickStampBlob with the AIK is created using the TSA's
2837	      Timestamp a nonce

2839	   The first TickStampBlob is called "left" and the second "right" in a
2840	   reference to their position on a time-axis.

2842	   These three elements, with the TSA's certificate factored out, form
2843	   the synchronization token
2844	   TUDA-Synctoken = [
2845	     left: TickStampBlob-Output,
2846	     timestamp: TimeStampToken,
2847	     right: TickStampBlob-Output,
2848	   ]

2850	   TimeStampToken = bytes ; RFC 3161

2852	   TickStampBlob-Output = [
2853	     currentTicks: TPM-CURRENT-TICKS,
2854	     sig: bytes,
2855	   ]

2857	   TPM-CURRENT-TICKS = [
2858	     currentTicks: uint
2859	     ? (
2860	       tickRate: uint
2861	       tickNonce: TPM-NONCE
2862	     )
2863	   ]
2864	   ; Note that TickStampBlob-Output "right" can omit the values for
2865	   ;   tickRate and tickNonce since they are the same as in "left"

2867	   TPM-NONCE = bytes .size 20

2869	                    Figure 4: TUDA-Sync element in CDDL

2871	   Required TPM functions:

2873	   | dummyDigest = h'0000000000000000000000000000000000000000'
2874	   | dummyNonce = dummyDigest
2875	   |
2876	   | create_sync_token(AIKHandle, TSA) = {
2877	   |   ts_left = TPM_TickStampBlob(
2878	   |       keyHandle = AIK_Handle,      /*TPM_KEY_HANDLE*/
2879	   |       antiReplay = dummyNonce,     /*TPM_NONCE*/
2880	   |       digestToStamp = dummyDigest  /*TPM_DIGEST*/)
2881	   |
2882	   |   ts = TSA_Timestamp(TSA, nonce = hash(ts_left))
2883	   |
2884	   |   ts_right = TPM_TickStampBlob(
2885	   |       keyHandle = AIK_Handle,      /*TPM_KEY_HANDLE*/
2886	   |       antiReplay = dummyNonce,     /*TPM_NONCE*/
2887	   |       digestToStamp = hash(ts))    /*TPM_DIGEST*/
2888	   |
2889	   |   TUDA-SyncToken = [[ts_left.ticks, ts_left.sig], ts,
2890	   |                     [ts_right.ticks.currentTicks, ts_right.sig]]
2891	   |   /* Note: skip the nonce and tickRate field for ts_right.ticks */
2892	   | }

2894	                 Figure 5: Creating the Sync-Token element

2896	D.2.3.  RestrictionInfo

2898	   The attestation relies on the capability of the TPM to operate on
2899	   restricted keys.  Whenever the PCR values for the machine to be
2900	   attested change, a new restricted key is created that can only be
2901	   operated as long as the PCRs remain in their current state.

2903	   In order to prove to the Verifier that this restricted temporary key
2904	   actually has these properties and also to provide the PCR value that
2905	   it is restricted, the TPM command TPM_CertifyInfo is used.  It
2906	   creates a signed certificate using the AIK about the newly created
2907	   restricted key.

2909	   This token is formed from the list of:

2911	   o  PCR list,

2913	   o  the newly created restricted public key, and

2915	   o  the certificate.

2917	 TUDA-RestrictionInfo = [Composite,
2918	                         restrictedKey_Pub: Pubkey,
2919	                         CertifyInfo]

2921	 PCRSelection = bytes .size (2..4) ; used as bit string

2923	 Composite = [
2924	   bitmask: PCRSelection,
2925	   values: [*PCR-Hash],
2926	 ]

2928	 Pubkey = bytes ; may be extended to COSE pubkeys

2930	 CertifyInfo = [
2931	   TPM-CERTIFY-INFO,
2932	   sig: bytes,
2933	 ]

2935	 TPM-CERTIFY-INFO = [
2936	   ; we don't encode TPM-STRUCT-VER:
2937	   ; these are 4 bytes always equal to h'01010000'
2938	   keyUsage: uint, ; 4byte? 2byte?
2939	   keyFlags: bytes .size 4, ; 4byte
2940	   authDataUsage: uint, ; 1byte (enum)
2941	   algorithmParms: TPM-KEY-PARMS,
2942	   pubkeyDigest: Hash,
2943	   ; we don't encode TPM-NONCE data, which is 20 bytes, all zero
2944	   parentPCRStatus: bool,
2945	   ; no need to encode pcrinfosize
2946	   pcrinfo: TPM-PCR-INFO,        ; we have exactly one
2947	 ]

2949	 TPM-PCR-INFO = [
2950	     pcrSelection: PCRSelection; /* TPM_PCR_SELECTION */
2951	     digestAtRelease: PCR-Hash;  /* TPM_COMPOSITE_HASH */
2952	     digestAtCreation: PCR-Hash; /* TPM_COMPOSITE_HASH */
2953	 ]

2955	 TPM-KEY-PARMS = [
2956	   ; algorithmID: uint, ; <= 4 bytes -- not encoded, constant for TPM1.2
2957	   encScheme: uint, ; <= 2 bytes
2958	   sigScheme: uint, ; <= 2 bytes
2959	   parms: TPM-RSA-KEY-PARMS,
2960	 ]

2962	 TPM-RSA-KEY-PARMS = [
2963	   ; "size of the RSA key in bits":
2964	   keyLength: uint
2965	   ; "number of prime factors used by this RSA key":
2966	   numPrimes: uint
2967	   ; "This SHALL be the size of the exponent":
2968	   exponentSize: null / uint / biguint
2969	   ; "If the key is using the default exponent then the exponentSize
2970	   ; MUST be 0" -> we represent this case as null
2971	 ]

2973	                    Figure 6: TUDA-Key element in CDDL

2975	   Required TPM functions:

2977	   | dummyDigest = h'0000000000000000000000000000000000000000'
2978	   | dummyNonce = dummyDigest
2979	   |
2980	   | create_Composite
2981	   |
2982	   | create_restrictedKey_Pub(pcrsel) = {
2983	   |   PCRInfo = {pcrSelection = pcrsel,
2984	   |              digestAtRelease = hash(currentValues(pcrSelection))
2985	   |              digestAtCreation = dummyDigest}
2986	   |   / * PCRInfo is a TPM_PCR_INFO and thus also a TPM_KEY */
2987	   |
2988	   |   wk = TPM_CreateWrapKey(keyInfo = PCRInfo)
2989	   |   wk.keyInfo.pubKey
2990	   | }
2991	   |
2992	   | create_TPM-Certify-Info = {
2993	   |   CertifyInfo = TPM_CertifyKey(
2994	   |       certHandle = AIK,          /* TPM_KEY_HANDLE */
2995	   |       keyHandle = wk,            /* TPM_KEY_HANDLE */
2996	   |       antiReply = dummyNonce)    /* TPM_NONCE */
2997	   |
2998	   |   CertifyInfo.strip()
2999	   |   /* Remove those values that are not needed */
3000	   | }

3002	                       Figure 7: Creating the pubkey

3004	D.2.4.  Measurement Log

3006	   Similarly to regular attestations, the Verifier needs a way to
3007	   reconstruct the PCRs' values in order to estimate the trustworthiness
3008	   of the device.  As such, a list of those elements that were extended
3009	   into the PCRs is reported.  Note though that for certain
3010	   environments, this step may be optional if a list of valid PCR
3011	   configurations exists and no measurement log is required.

3013	   TUDA-Measurement-Log = [*PCR-Event]
3014	   PCR-Event = [
3015	     type: PCR-Event-Type,
3016	     pcr: uint,
3017	     template-hash: PCR-Hash,
3018	     filedata-hash: tagged-hash,
3019	     pathname: text; called filename-hint in ima (non-ng)
3020	   ]

3022	   PCR-Event-Type = &(
3023	     bios: 0
3024	     ima: 1
3025	     ima-ng: 2
3026	   )

3028	   ; might want to make use of COSE registry here
3029	   ; however, that might never define a value for sha1
3030	   tagged-hash /= [sha1: 0, bytes .size 20]
3031	   tagged-hash /= [sha256: 1, bytes .size 32]

3033	D.2.5.  Implicit Attestation

3035	   The actual attestation is then based upon a TickStampBlob using the
3036	   restricted temporary key that was certified in the steps above.  The
3037	   TPM-Tickstamp is executed and thereby provides evidence that at this
3038	   point in time (with respect to the TPM internal tick-session) a
3039	   certain configuration existed (namely the PCR values associated with
3040	   the restricted key).  Together with the synchronization token this
3041	   tick-related timing can then be related to the real-time clock.

3043	   This element consists only of the TPM_TickStampBlock with no nonce.

3045	   TUDA-Verifytoken = TickStampBlob-Output

3047	                   Figure 8: TUDA-Verify element in CDDL

3049	   Required TPM functions:

3051	   | imp_att = TPM_TickStampBlob(
3052	   |     keyHandle = restrictedKey_Handle,     /*TPM_KEY_HANDLE*/
3053	   |     antiReplay = dummyNonce,              /*TPM_NONCE*/
3054	   |     digestToStamp = dummyDigest)          /*TPM_DIGEST*/
3055	   |
3056	   | VerifyToken = imp_att

3058	                    Figure 9: Creating the Verify Token

3060	D.2.6.  Attestation Verification Approach

3062	   The seven TUDA information elements transport the essential content
3063	   that is required to enable verification of the attestation statement
3064	   at the Verifier.  The following listings illustrate the verification
3065	   algorithm to be used at the Verifier in pseudocode.  The pseudocode
3066	   provided covers the entire verification task.  If only a subset of
3067	   TUDA elements changed (see Section 4.1), only the corresponding code
3068	   listings need to be re-executed.

3070	   | TSA_pub = verifyCert(TSA-CA, Cert.TSA-Cert)
3071	   | AIK_pub = verifyCert(AIK-CA, Cert.AIK-Cert)

3073	                  Figure 10: Verification of Certificates

3075	  | ts_left = Synctoken.left
3076	  | ts_right = Synctoken.right
3077	  |
3078	  | /* Reconstruct ts_right's omitted values; Alternatively assert == */
3079	  | ts_right.currentTicks.tickRate = ts_left.currentTicks.tickRate
3080	  | ts_right.currentTicks.tickNonce = ts_left.currentTicks.tickNonce
3081	  |
3082	  | ticks_left = ts_left.currentTicks
3083	  | ticks_right = ts_right.currentTicks
3084	  |
3085	  | /* Verify Signatures */
3086	  | verifySig(AIK_pub, dummyNonce || dummyDigest || ticks_left)
3087	  | verifySig(TSA_pub, hash(ts_left) || timestamp.time)
3088	  | verifySig(AIK_pub, dummyNonce || hash(timestamp) || ticks_right)
3089	  |
3090	  | delta_left = timestamp.time -
3091	  |     ticks_left.currentTicks * ticks_left.tickRate / 1000
3092	  |
3093	  | delta_right = timestamp.time -
3094	  |     ticks_right.currentTicks * ticks_right.tickRate / 1000

3096	             Figure 11: Verification of Synchronization Token

3098	   | compositeHash = hash_init()
3099	   | for value in Composite.values:
3100	   |     hash_update(compositeHash, value)
3101	   | compositeHash = hash_finish(compositeHash)
3102	   |
3103	   | certInfo = reconstruct_static(TPM-CERTIFY-INFO)
3104	   |
3105	   | assert(Composite.bitmask == ExpectedPCRBitmask)
3106	   | assert(certInfo.pcrinfo.PCRSelection == Composite.bitmask)
3107	   | assert(certInfo.pcrinfo.digestAtRelease == compositeHash)
3108	   | assert(certInfo.pubkeyDigest == hash(restrictedKey_Pub))
3109	   |
3110	   | verifySig(AIK_pub, dummyNonce || certInfo)

3112	                Figure 12: Verification of Restriction Info

3114	   | for event in Measurement-Log:
3115	   |     if event.pcr not in ExpectedPCRBitmask:
3116	   |         continue
3117	   |     if event.type == BIOS:
3118	   |         assert_whitelist-bios(event.pcr, event.template-hash)
3119	   |     if event.type == ima:
3120	   |         assert(event.pcr == 10)
3121	   |         assert_whitelist(event.pathname, event.filedata-hash)
3122	   |         assert(event.template-hash ==
3123	   |                hash(event.pathname || event.filedata-hash))
3124	   |     if event.type == ima-ng:
3125	   |         assert(event.pcr == 10)
3126	   |         assert_whitelist-ng(event.pathname, event.filedata-hash)
3127	   |         assert(event.template-hash ==
3128	   |                hash(event.pathname || event.filedata-hash))
3129	   |
3130	   |     virtPCR[event.pcr] = hash_extend(virtPCR[event.pcr],
3131	   |                                      event.template-hash)
3132	   |
3133	   | for pcr in ExpectedPCRBitmask:
3134	   |     assert(virtPCR[pcr] == Composite.values[i++]

3136	                Figure 13: Verification of Measurement Log

3138	  | ts = Verifytoken
3139	  |
3140	  | /* Reconstruct ts's omitted values; Alternatively assert == */
3141	  | ts.currentTicks.tickRate = ts_left.currentTicks.tickRate
3142	  | ts.currentTicks.tickNonce = ts_left.currentTicks.tickNonce
3143	  |
3144	  | verifySig(restrictedKey_pub, dummyNonce || dummyDigest || ts)
3145	  |
3146	  | ticks = ts.currentTicks
3147	  |
3148	  | time_left = delta_right + ticks.currentTicks * ticks.tickRate / 1000
3149	  | time_right = delta_left + ticks.currentTicks * ticks.tickRate / 1000
3150	  |
3151	  | [time_left, time_right]

3153	               Figure 14: Verification of Attestation Token

3155	D.3.  IE Generation Procedures for TPM 2.0

3157	   The pseudo code below includes general operations that are conducted
3158	   as specific TPM commands:

3160	   o  hash() : description TBD

3162	   o  sig() : description TBD

3164	   o  X.509-Certificate() : description TBD

3166	   These represent the output structure of that command in the form of a
3167	   byte string value.

3169	D.3.1.  AIK and AIK Certificate

3171	   Attestations are based upon a cryptographic signature performed by
3172	   the TPM using a so-called Attestation Identity Key (AIK).  An AIK has
3173	   the properties that it cannot be exported from a TPM and is used for
3174	   attestations.  Trust in the AIK is established by an X.509
3175	   Certificate emitted by a Certificate Authority.  The AIK certificate
3176	   is either provided directly or via a so-called PrivacyCA
3177	   [AIK-Enrollment].

3179	   This element consists of the AIK certificate that includes the AIK's
3180	   public key used during verification as well as the certificate chain
3181	   up to the Root CA for validation of the AIK certificate itself.

3183	   TUDA-Cert = [AIK-Cert, TSA-Cert]; maybe split into two for SNMP
3184	   AIK-Certificate = X.509-Certificate(AIK-Key,Restricted-Flag)
3185	   TSA-Certificate = X.509-Certificate(TSA-Key, TSA-Flag)

3187	                 Figure 15: TUDA-Cert element for TPM 2.0

3189	D.3.2.  Synchronization Token

3191	   The synchronization token uses a different TPM command, TPM2
3192	   GetTime() instead of TPM TickStampBlob().  The TPM2 GetTime() command
3193	   contains the clock and time information of the TPM.  The clock
3194	   information is the equivalent of TUDA v1's tickSession information.

3196	   TUDA-SyncToken = [
3197	     left_GetTime = sig(AIK-Key,
3198	                        TimeInfo = [
3199	                          time,
3200	                          resetCount,
3201	                          restartCount
3202	                        ]
3203	                       ),
3204	     middle_TimeStamp = sig(TSA-Key,
3205	                            hash(left_TickStampBlob),
3206	                            UTC-localtime
3207	                           ),
3208	     right_TickStampBlob = sig(AIK-Key,
3209	                               hash(middle_TimeStamp),
3210	                               TimeInfo = [
3211	                                 time,
3212	                                 resetCount,
3213	                                 restartCount
3214	                               ]
3215	                              )
3216	   ]

3218	                 Figure 16: TUDA-Sync element for TPM 2.0

3220	D.3.3.  Measurement Log

3222	   The creation procedure is identical to Appendix D.2.4.

3224	   Measurement-Log = [
3225	     * [ EventName,
3226	         PCR-Num,
3227	         Event-Hash ]
3228	   ]

3230	                  Figure 17: TUDA-Log element for TPM 2.0

3232	D.3.4.  Explicit time-based Attestation

3234	   The TUDA attestation token consists of the result of TPM2_Quote() or
3235	   a set of TPM2_PCR_READ followed by a TPM2_GetSessionAuditDigest.  It
3236	   proves that -- at a certain point-in-time with respect to the TPM's
3237	   internal clock -- a certain configuration of PCRs was present, as
3238	   denoted in the keys restriction information.

3240	TUDA-AttestationToken = TUDA-AttestationToken_quote / TUDA-AttestationToken_audit

3242	TUDA-AttestationToken_quote = sig(AIK-Key,
3243	                                  TimeInfo = [
3244	                                    time,
3245	                                    resetCount,
3246	                                    restartCount
3247	                                  ],
3248	                                  PCR-Selection = [ * PCR],
3249	                                  PCR-Digest := PCRDigest
3250	                                 )

3252	TUDA-AttestationToken_audit = sig(AIK-key,
3253	                                  TimeInfo = [
3254	                                    time,
3255	                                    resetCount,
3256	                                    restartCount
3257	                                  ],
3258	                                  Session-Digest := PCRDigest
3259	                                 )

3261	                Figure 18: TUDA-Attest element for TPM 2.0

3263	D.3.5.  Sync Proof

3265	   In order to proof to the Verifier that the TPM's clock was not 'fast-
3266	   forwarded' the result of a TPM2_GetTime() is sent after the TUDA-
3267	   AttestationToken.

3269	   TUDA-SyncProof = sig(AIK-Key,
3270	                        TimeInfo = [
3271	                          time,
3272	                          resetCount,
3273	                          restartCount
3274	                        ]
3275	                       ),

3277	                 Figure 19: TUDA-Proof element for TPM 2.0

3279	Acknowledgements

3281	Authors' Addresses

3283	   Andreas Fuchs
3284	   Fraunhofer Institute for Secure Information Technology
3285	   Rheinstrasse 75
3286	   Darmstadt  64295
3287	   Germany

3289	   Email: andreas.fuchs@sit.fraunhofer.de

3291	   Henk Birkholz
3292	   Fraunhofer Institute for Secure Information Technology
3293	   Rheinstrasse 75
3294	   Darmstadt  64295
3295	   Germany

3297	   Email: henk.birkholz@sit.fraunhofer.de

3299	   Ira E McDonald
3300	   High North Inc
3301	   PO Box 221
3302	   Grand Marais  49839
3303	   US

3305	   Email: blueroofmusic@gmail.com

3307	   Carsten Bormann
3308	   Universitaet Bremen TZI
3309	   Bibliothekstr. 1
3310	   Bremen  D-28359
3311	   Germany

3313	   Phone: +49-421-218-63921
3314	   Email: cabo@tzi.org