Diff: rfc9683v4.txt - rfc9683.txt

	rfc9683v4.txt	rfc9683.txt

	Internet Engineering Task Force (IETF) G. C. Fedorkow, Ed.	Internet Engineering Task Force (IETF) G. C. Fedorkow, Ed.
	Request for Comments: 9683 Juniper Networks, Inc.	Request for Comments: 9683 Juniper Networks, Inc.
	Category: Informational E. Voit	Category: Informational E. Voit
	ISSN: 2070-1721 Cisco	ISSN: 2070-1721 Cisco
	J. Fitzgerald-McKay	J. Fitzgerald-McKay
	National Security Agency	National Security Agency

	November 2024	December 2024

	Remote Integrity Verification of Network Devices Containing Trusted	Remote Integrity Verification of Network Devices Containing Trusted
	Platform Modules	Platform Modules

	Abstract	Abstract

	This document describes a workflow for remote attestation of the	This document describes a workflow for remote attestation of the
	integrity of firmware and software installed on network devices that	integrity of firmware and software installed on network devices that
	contain Trusted Platform Modules (TPMs), as defined by the Trusted	contain Trusted Platform Modules (TPMs), as defined by the Trusted
	Computing Group (TCG), or equivalent hardware implementations that	Computing Group (TCG), or equivalent hardware implementations that

	skipping to change at line 1551 ¶	skipping to change at line 1551 ¶
	W. Pan, "Remote ATtestation procedureS (RATS)	W. Pan, "Remote ATtestation procedureS (RATS)
	Architecture", RFC 9334, DOI 10.17487/RFC9334, January	Architecture", RFC 9334, DOI 10.17487/RFC9334, January
	2023, <https://www.rfc-editor.org/info/rfc9334>.	2023, <https://www.rfc-editor.org/info/rfc9334>.

	[RFC9393] Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.	[RFC9393] Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
	Waltermire, "Concise Software Identification Tags",	Waltermire, "Concise Software Identification Tags",
	RFC 9393, DOI 10.17487/RFC9393, June 2023,	RFC 9393, DOI 10.17487/RFC9393, June 2023,
	<https://www.rfc-editor.org/info/rfc9393>.	<https://www.rfc-editor.org/info/rfc9393>.

	[RFC9684] Birkholz, H., Eckel, M., Bhandari, S., Voit, E., Sulzen,	[RFC9684] Birkholz, H., Eckel, M., Bhandari, S., Voit, E., Sulzen,

	B., Xia, L., Laffey, T., and G. Fedorkow, "A YANG Data	B., Xia, L., Laffey, T., and G. C. Fedorkow, "A YANG Data
	Model for Challenge-Response-Based Remote Attestation	Model for Challenge-Response-Based Remote Attestation
	(CHARRA) Procedures Using Trusted Platform Modules	(CHARRA) Procedures Using Trusted Platform Modules

	(TPMs)", RFC 9684, DOI 10.17487/RFC9684, October 2024,	(TPMs)", RFC 9684, DOI 10.17487/RFC9684, December 2024,
	<https://www.rfc-editor.org/info/rfc9684>.	<https://www.rfc-editor.org/info/rfc9684>.

	[RIM] Trusted Computing Group, "TCG Reference Integrity Manifest	[RIM] Trusted Computing Group, "TCG Reference Integrity Manifest
	(RIM) Information Model", Version 1.01, Revision 0.16,	(RIM) Information Model", Version 1.01, Revision 0.16,
	November 2020,	November 2020,
	<https://trustedcomputinggroup.org/resource/tcg-reference-	<https://trustedcomputinggroup.org/resource/tcg-reference-
	integrity-manifest-rim-information-model/>.	integrity-manifest-rim-information-model/>.

	[SWID] ISO/IEC, "Information technology - IT asset management -	[SWID] ISO/IEC, "Information technology - IT asset management -
	Part 2: Software identification tag", ISO/	Part 2: Software identification tag", ISO/

	skipping to change at line 1920 ¶	skipping to change at line 1920 ¶
	\| * [SP800-193] also provides \| \|	\| * [SP800-193] also provides \| \|
	\| guidelines on Roots of Trust. \| \|	\| guidelines on Roots of Trust. \| \|
	+----------------------------------------+--------------------------+	+----------------------------------------+--------------------------+
	\| Provision the TPM as described in the \| [PLATFORM-DEVID-TPM-2.0] \|	\| Provision the TPM as described in the \| [PLATFORM-DEVID-TPM-2.0] \|
	\| TCG documents. \| \|	\| TCG documents. \| \|
	\| \| [PLATFORM-CERTS] \|	\| \| [PLATFORM-CERTS] \|
	+----------------------------------------+--------------------------+	+----------------------------------------+--------------------------+
	\| Put a DevID or Platform Certificate \| [PLATFORM-DEVID-TPM-2.0] \|	\| Put a DevID or Platform Certificate \| [PLATFORM-DEVID-TPM-2.0] \|
	\| in the TPM: \| \|	\| in the TPM: \| \|
	\| \| [PLATFORM-CERTS] \|	\| \| [PLATFORM-CERTS] \|

	\| * Install an IAK at the same time so +--------------------------+	\| * Install an IAK at the same time so \| \|
	\| that Attestation can work out of \| [IEEE-802-1AR] \|	\| that Attestation can work out of \| \|
		\| the box. \| \|
		\| \| \|
		\| * Equipment suppliers and owners may \| \|
		\| want to implement LDevID as well \| \|
		\| as IDevID. \| \|
		\| +--------------------------+
		\| \| [IEEE-802-1AR] \|
	+----------------------------------------+--------------------------+	+----------------------------------------+--------------------------+
	\| Connect the TPM to the TLS stack: \| Vendor TLS stack (This \|	\| Connect the TPM to the TLS stack: \| Vendor TLS stack (This \|
	\| \| action configures TLS to \|	\| \| action configures TLS to \|
	\| * Use the DevID in the TPM to \| use the DevID as its \|	\| * Use the DevID in the TPM to \| use the DevID as its \|

	\| authenticate TAP connections, \| client certificate) \|	\| authenticate TAP connections, \| client certificate.) \|
	\| identifying the device \| \|	\| identifying the device. \| \|
	+----------------------------------------+--------------------------+	+----------------------------------------+--------------------------+
	\| Make CoSWID tags for BIOS/Loader/ \| [RFC9393] \|	\| Make CoSWID tags for BIOS/Loader/ \| [RFC9393] \|
	\| Kernel objects: \| \|	\| Kernel objects: \| \|
	\| \| [SWID] \|	\| \| [SWID] \|
	\| * Add reference measurements into \| \|	\| * Add reference measurements into \| \|
	\| SWID tags. \| [NIST-IR-8060] \|	\| SWID tags. \| [NIST-IR-8060] \|
	\| \| \|	\| \| \|
	\| * Manufacturer should sign the SWID \| \|	\| * Manufacturer should sign the SWID \| \|
	\| tags. \| \|	\| tags. \| \|
	\| \| \|	\| \| \|
	\| * The TCG RIM-IM [RIM] identifies \| \|	\| * The TCG RIM-IM [RIM] identifies \| \|
	\| further procedures to create \| \|	\| further procedures to create \| \|
	\| signed RIM documents that provide \| \|	\| signed RIM documents that provide \| \|
	\| the necessary reference \| \|	\| the necessary reference \| \|
	\| information. \| \|	\| information. \| \|
	+----------------------------------------+--------------------------+	+----------------------------------------+--------------------------+
	\| Package the SWID tags with a vendor \| Retrieve tags with \|	\| Package the SWID tags with a vendor \| Retrieve tags with \|
	\| software release: \| [RFC9393]. \|	\| software release: \| [RFC9393]. \|

		\| \| \|
		\| * A tag-generator plugin such as \| \|
		\| [SWID-GEN] can be used. \| \|
	\| +--------------------------+	\| +--------------------------+

	\| * A tag-generator plugin such as \| [PC-CLIENT-RIM] \|	\| \| [PC-CLIENT-RIM] \|
	+----------------------------------------+--------------------------+	+----------------------------------------+--------------------------+
	\| Use PC Client measurement definitions \| [PC-CLIENT-BIOS-TPM-2.0] \|	\| Use PC Client measurement definitions \| [PC-CLIENT-BIOS-TPM-2.0] \|
	\| to define the use of PCRs (although \| \|	\| to define the use of PCRs (although \| \|
	\| Windows OS is rare on Networking \| \|	\| Windows OS is rare on Networking \| \|
	\| Equipment, UEFI BIOS is not). \| \|	\| Equipment, UEFI BIOS is not). \| \|
	+----------------------------------------+--------------------------+	+----------------------------------------+--------------------------+
	\| Use TAP to retrieve measurements: \| [RFC9684] \|	\| Use TAP to retrieve measurements: \| [RFC9684] \|
	\| \| \|	\| \| \|
	\| * Map to YANG. \| [CEL] \|	\| * Map to YANG. \| [CEL] \|
	\| \| \|	\| \| \|

End of changes. 7 change blocks.
	8 lines changed or deleted	18 lines changed or added
This html diff was produced by rfcdiff 1.48.