This module defines procedure for remote attestation of a network platform''s security posture. This is useful to assess trust...
Version: 2020-09-26
module Cisco-IOS-XR-remote-attestation-act { yang-version 1; namespace "http://cisco.com/ns/yang/Cisco-IOS-XR-remote-attestation-act"; prefix sb-attest; import cisco-semver { prefix semver; } organization "Cisco Systems, Inc."; contact "Cisco Systems, Inc. Customer Service Postal: 170 West Tasman Drive San Jose, CA 95134 Tel: +1 800 553-NETS E-mail: cs-yang@cisco.com"; description "This module defines procedure for remote attestation of a network platform''s security posture. This is useful to assess trustworthiness of hardware and software of a network device. Copyright (c) 2017 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust''s Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC VVVV; see the RFC itself for full legal notices."; revision "2020-09-26" { description "Added IMA Audit log support"; } revision "2020-07-10" { description "Added xr-task so that Limited access user should not configure router using this model"; } revision "2019-10-01" { description "Made changes to be RFC6087 compliant"; } revision "2019-04-05" { description "Establish semantic version baseline."; } revision "2018-10-08" { description "Adding Hardware integrity RPC"; } revision "2017-06-08" { description "Initial revision."; } semver:module-version "1.2.0"; semver:module-version "1.1.0"; semver:module-version "1.1.0"; semver:module-version "1.0.0"; grouping PCR-DUMP { description "Defines TPM PCR register"; leaf index { type uint16; description "PCR index"; } leaf value { type binary { length "20..64"; } description "PCR register content"; } } // grouping PCR-DUMP grouping hardware-unique-id-digest { description "Defines hardware unique id digests"; leaf index { type uint16; description "Index of the harware digest"; } leaf value { type binary { length "20..64"; } description "Hardware unique ID digest"; } } // grouping hardware-unique-id-digest grouping BOOT-EVENT-LOG { description "Defines an event log corresponding to the event that extended the PCR"; leaf event-number { type uint32; description "Unique event number of this event"; } leaf event-type { type uint32; description "log event type"; } leaf pcr-index { type uint16; description "Defines the PCR index that this event extended"; } list digest-list { key "digest-hash-algorithm"; description "Hash of event data"; leaf digest-hash-algorithm { type enumeration { enum "SHA1" { value 0; description "SHA1 Hash Algorithm"; } enum "SHA256" { value 1; description "SHA1 Hash Algorithm"; } enum "SHA384" { value 2; description "SHA384 Hash Algorithm"; } enum "SHA512" { value 3; description "SHA512 Hash Algorithm"; } } description "Algorithm for this digest"; } leaf digest { type binary; description "The hash of the event data"; } } // list digest-list leaf event-size { type uint32; description "Size of the event data"; } leaf event-data { type binary; description "the event data size determined by event-size"; } } // grouping BOOT-EVENT-LOG grouping IMA-EVENT { description "Defines an hash log extend event for IMA measurements"; leaf event-number { type uint64; description "Unique number for this event for sequencing"; } leaf ima-template { type string; description "Name of the template used for event for e.g. ima, ima-ng"; } leaf filename-hint { type string; description "File that was measured"; } leaf filedata-hash { type binary; description "Hash of filedata"; } leaf template-hash-algorithm { type string; description "Algorithm used for template-hash"; } leaf template-hash { type binary; description " hash(filedata-hash, filename-hint)"; } leaf pcr-index { type uint16; description "Defines the PCR index that this event extended"; } leaf signature { type binary; description "The file signature"; } } // grouping IMA-EVENT grouping IMA-AUDIT { description "Defines a model to display audit event details"; leaf filename { type string; description "file name of the file that was appraised"; } leaf timestamp { type string; description "timestamp of violation"; } leaf type { type string; description "Type of data being appraised"; } leaf pid { type uint64; description "Process ID"; } leaf calling_process { type string; description "calling Process"; } leaf subject { type string; description "SELinux file context label"; } leaf cause { type string; description "Reason for integrity verification failure (invalid-signature, invalid-hash, missing-hash)"; } } // grouping IMA-AUDIT grouping system-certificates { description "System Certificates"; container get-certificate-response { description "Get Certificate Response"; list system-certificates { key "node-location"; description "Certificate data of a node in a distributed system identified by the location"; leaf node-location { type string; description "Location of the node in the distributed system"; } leaf nonce { type binary { length "0..64"; } description "Nonce used for this output"; } container certificates { description "Certificates chain associated with the certificate being queried"; list certificate { key "name"; description "A X.509 certificate"; leaf name { type string; description "A node-unique certificate identifier"; } leaf value { type binary; description "Certificate content in DER format."; } } // list certificate } // container certificates leaf signature_version { type uint32; description "Signature version designates the format of the signed data."; } leaf signature { type binary; description "The optional RSA or ECDSA signature across the certificates,the signature version and the input nonce.Signed data format is: Nonce || UINT32 signature version || [Certificate included in the response in DER format]."; } } // list system-certificates } // container get-certificate-response } // grouping system-certificates grouping platform-config-registers { description "Platform Config Registers"; container platform-config-registers { description "Attested Platform Config Register values"; leaf nonce { type binary { length "0..64"; } description "Nonce used for this output"; } list node-data { key "tpm-name"; description "Certificate data of a node in a distributed system identified by the location"; leaf tpm-name { type string; description "TPM name in the distributed system that has recorded and reporting this measurement"; } leaf node-location { type string; description "Location of the node in the distributed system that is accessing TPM associated with this measurements"; } leaf up-time { type uint32; description "Uptime in seconds of this node reporting its data"; } list PCR { key "index"; description "List of requested PCR contents"; uses PCR-DUMP; } // list PCR leaf pcr-quote { type binary; description "TPM PCR Quote"; } leaf pcr-quote-signature { type binary; description "PCR Quote signature using TPM-held ECC or RSA restricted key"; } } // list node-data } // container platform-config-registers } // grouping platform-config-registers grouping system-boot-integrity { description "System Boot Integrity"; container system-boot-integrity { description "Boot integrity event logs"; list node-data { key "node-location"; description "Boot integrity event logs of a node in a distributed system identified by the location"; leaf node-location { type string; description "Location of the node in the distributed system"; } leaf up-time { type uint32; description "Uptime in seconds of this node reporting its data"; } list event_log { key "event-number"; description "Ordered list of TCG described event log that extended the PCRs in the order they were logged"; uses BOOT-EVENT-LOG; } // list event_log } // list node-data } // container system-boot-integrity } // grouping system-boot-integrity grouping system-ima { description "System IMA"; container system-ima { description "Runtime integrity measurement event logs"; list node-data { key "node-location"; description "IMA event logs of a node in a distributed system identified by the location"; leaf node-location { type string; description "Location of the node in the distributed system"; } leaf up-time { type uint32; description "Uptime in seconds of this node reporting its data"; } leaf start-time { type string; description "start time in asctime format of this node reporting its data"; } list ima-event-log { key "event-number"; description "Ordered list of ima event logs by event-number"; uses IMA-EVENT; } // list ima-event-log } // list node-data } // container system-ima } // grouping system-ima grouping ima-audit-logs { description "System IMA Audit Logs"; container ima-audit-logs { description "Audit logs generated from IMA appraisal"; list node-data { key "node-location"; description "IMA audit event logs of a node in a distributed system identified by the location"; leaf node-location { type string; description "Location of the node in the distributed system"; } leaf up-time { type uint32; description "Uptime in seconds of this node reporting its data"; } leaf start-time { type string; description "Start time of the node in asctime format"; } list audit-event-log { key "filename"; description "Ordered list of audit-event logs"; uses IMA-AUDIT; } // list audit-event-log } // list node-data } // container ima-audit-logs } // grouping ima-audit-logs grouping hardware-integrity { description "Hardware Integrity"; container hardware-integrity { description "Hardware component unique ID digests of the system"; list hardware-integrity-measurements { key "tpm-name"; description "hardware integrity measurement data of a node in a distributed system"; leaf tpm-name { type string; description "TPM name in the distributed system that recorded the hardware integrity"; } leaf location { type string; description "Node location that is accessing TPM associated with this measurements"; } leaf up-time { type uint32; description "Uptime in seconds of this node reporting its data"; } list known-good-digest { key "index"; description "List of Digests of Known Good Values of hardware component unique IDs"; uses hardware-unique-id-digest; } // list known-good-digest list observed-digest { key "index"; description "List of Digests of Observed Values of hardware component unique IDs"; uses hardware-unique-id-digest; } // list observed-digest list PCR { key "index"; description "List of PCR contents that were extended for hardware integrity measurements"; uses PCR-DUMP; } // list PCR leaf pcr-quote { type binary; description "TPM PCR Quote"; } leaf attestation-certificate-identifier { type string; description "Identifier of the certificate used for signing PCR"; } leaf pcr-quote-signature-format { type enumeration { enum "TPM2" { value 0; description "TMP2 format of the pcr-quote-signature"; } enum "CISCO" { value 1; description "Cisco format of the pcr-quote-signature"; } } description "Format of the pcr-quote-signature"; } leaf pcr-quote-signature { type binary; description "PCR Quote signature using TPM-held ECC or RSA restricted key"; } } // list hardware-integrity-measurements } // container hardware-integrity } // grouping hardware-integrity rpc get-certificate { description "Query certificate. Returns certificate chain associated with the queried certificate. An optional nonce can be provided, that is then used to return a signature over the certificate contents returned."; input { leaf nonce { type binary { length "0..64"; } description "Nonce to be included in the attested output to prevent replay attacks"; } leaf certificate-identifier { type string; description "Certificate identifier"; } leaf location { type string; description "In a distributed system get the data from a specific node identified by the location. If this field is not specified data associated with each node forming the system will be returned."; } } output { uses system-certificates; } } // rpc get-certificate rpc attest-platform-config-registers { description "Attest Platform Configuration Register(PCRs)"; input { leaf-list pcr-index { type uint16; min-elements 1; description "PCR register indices to be included in the attested output"; } leaf nonce { type binary { length "0..64"; } description "Nonce to be included in the attested output to prevent replay attacks"; } leaf attestation-certificate-identifier { type string; description "Identifier of the certificate to be used for attestation"; } leaf location { type string; description "In a distributed system get the data from a specific node identified by the location. If this field is not specified data associated with each node forming the system will be returned."; } } output { uses platform-config-registers; } } // rpc attest-platform-config-registers rpc get-platform-boot-integrity-event-logs { description "Get platform's boot integrity"; input { leaf location { type string; description "In a distributed system get the data from a specific node identified by the location. If this field is not specified data associated with each node forming the system will be returned."; } leaf start-event-number { type uint64; description "To filter event logs to be retrieved. - If set only events with sequence number greater than that specified in this argument will be returned."; } leaf end-event-number { type uint64; must "current() >= ../start-event-number" { description "end-event-number must be used with and be greater than or equal to <start-event-number>"; } description "To control event logs to be retrieved. - If set only events with sequence number in the range of start-event-number to end-event-number will be returned."; } } output { uses system-boot-integrity; } } // rpc get-platform-boot-integrity-event-logs rpc get-platform-ima-event-logs { description "Get platform IMA event logs"; input { leaf location { type string; description "In a distributed system get the data from a specific node identified by the location. If this field is not specified data associated with each node forming the system will be returned."; } leaf start-event-number { type uint64; description "To filter event logs to be retrieved. - If set only events with sequence number greater than that specified in this argument will be returned."; } leaf end-event-number { type uint64; must "current() >= ../start-event-number" { description "end-event-number must be used with and be greater than or equal to <start-event-number>"; } description "To control event logs to be retrieved. - If set only events with sequence number in the range of start-event-number to end-event-number will be returned."; } } output { uses system-ima; } } // rpc get-platform-ima-event-logs rpc get-platform-ima-audit-event-logs { description "Get platform IMA Audit event logs"; input { leaf location { type string; description "In a distributed system get the data from a specific node identified by the location. If this field is not specified data associated with each node forming the system will be returned."; } } output { uses ima-audit-logs; } } // rpc get-platform-ima-audit-event-logs rpc get-platform-hardware-integrity-measurements { description "Get platform's hardware integrity measurements"; input { leaf nonce { type binary { length "0..64"; } description "Nonce to be included in the attested output to prevent replay attacks"; } leaf digest-hash-algorithm { type enumeration { enum "SHA1" { value 0; description "SHA1 Hash Algorithm"; } enum "SHA256" { value 1; description "SHA256 Hash Algorithm"; } enum "SHA384" { value 2; description "SHA384 Hash Algorithm"; } enum "SHA512" { value 3; description "SHA512 Hash Algorithm"; } } description "Algorithm for the digest of hardware unique IDs"; } leaf location { type string; description "In a distributed system get the data from a specific node identified by the location. If this field is not specified data associated with each node forming the system will be returned. A node may have multiple TPMs. This will return measurements from all TPMs"; } } output { uses hardware-integrity; } } // rpc get-platform-hardware-integrity-measurements notification hardware-intergrity-failure { description "Notifies failure of hardware integrity check"; leaf system-identifier { type string; description "System identifier"; } } // notification hardware-intergrity-failure notification boot-integrity-failure { description "Notifies failure of boot integrity checks at any stage of boot"; leaf system-identifier { type string; description "System identifier"; } } // notification boot-integrity-failure notification runtime-integrity-failure { description "Notifies failure of runtime integrity checks"; leaf system-identifier { type string; description "System identifier"; } leaf filename-hint { type string; description "File that was appraised and failed integrity checks"; } leaf filedata-hash { type binary; description "Hash of filedata that failed IMA appraisal"; } } // notification runtime-integrity-failure } // module Cisco-IOS-XR-remote-attestation-act
© 2023 YumaWorks, Inc. All rights reserved.