RATS Working Group

Internet Engineering Task Force (IETF)               G. C. Fedorkow, Ed.
Internet-Draft
Request for Comments: 9683                        Juniper Networks, Inc.
Intended status:
Category: Informational                                          E. Voit
Expires: 23 September 2022
ISSN: 2070-1721                                                    Cisco
                                                     J. Fitzgerald-McKay
                                                National Security Agency
                                                           22 March 2022
                                                          September 2024

         TPM-based Network Device Remote Integrity Verification
           draft-ietf-rats-tpm-based-network-device-attest-14

Abstract

   This document describes a workflow for remote attestation of the
   integrity of firmware and software installed on network devices that
   contain Trusted Platform Modules [TPM1.2], [TPM2.0], (TPMs), as defined by the Trusted
   Computing Group (TCG)), (TCG), or equivalent hardware implementations that
   include the protected capabilities, as provided by TPMs.

Status of This Memo

   This Internet-Draft document is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list  It represents the consensus of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents valid
   approved by the IESG are candidates for a maximum any level of Internet
   Standard; see Section 2 of six months RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 23 September 2022.
   https://www.rfc-editor.org/info/rfc9683.

Copyright Notice

   Copyright (c) 2022 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info)
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements notation . . . . . . . . . . . . . . . . . .   3 Notation
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
     1.3.  Document Organization . . . . . . . . . . . . . . . . . .   5
     1.4.  Goals . . . . . . . . . . . . . . . . . . . . . . . . . .   5
     1.5.  Description of Remote Integrity Verification (RIV)  . . .   6
     1.6.  Solution Requirements . . . . . . . . . . . . . . . . . .   8
     1.7.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . .   8
       1.7.1.  Out of Scope  . . . . . . . . . . . . . . . . . . . .   9
   2.  Solution Overview . . . . . . . . . . . . . . . . . . . . . .   9
     2.1.  RIV Software Configuration Attestation using Using TPM  . . . .   9
       2.1.1.  What Does RIV Attest? . . . . . . . . . . . . . . . .  11
       2.1.2.  Notes on PCR Allocations  . . . . . . . . . . . . . .  13
     2.2.  RIV Keying  . . . . . . . . . . . . . . . . . . . . . . .  15
     2.3.  RIV Information Flow  . . . . . . . . . . . . . . . . . .  16
     2.4.  RIV Simplifying Assumptions . . . . . . . . . . . . . . .  18
       2.4.1.  Reference Integrity Manifests (RIMs)  . . . . . . . .  18
       2.4.2.  Attestation Logs  . . . . . . . . . . . . . . . . . .  20
   3.  Standards Components  . . . . . . . . . . . . . . . . . . . .  20
     3.1.  Prerequisites for RIV . . . . . . . . . . . . . . . . . .  20
       3.1.1.  Unique Device Identity  . . . . . . . . . . . . . . .  20
       3.1.2.  Keys  . . . . . . . . . . . . . . . . . . . . . . . .  21
       3.1.3.  Appraisal Policy for Evidence . . . . . . . . . . . .  21
     3.2.  Reference Model for Challenge-Response  . . . . . . . . .  21
       3.2.1.  Transport and Encoding  . . . . . . . . . . . . . . .  23
     3.3.  Centralized vs vs. Peer-to-Peer . . . . . . . . . . . . . . .  24
   4.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  25
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  26
     5.1.  Keys Used in RIV  . . . . . . . . . . . . . . . . . . . .  26
     5.2.  Prevention of Spoofing and Person-in-the-Middle Attacks . . . . . . . . . . . . . . . . . . . . . . . . .  28
     5.3.  Replay Attacks  . . . . . . . . . . . . . . . . . . . . .  29
     5.4.  Owner-Signed Keys . . . . . . . . . . . . . . . . . . . .  30
     5.5.  Other Factors for Trustworthy Operation . . . . . . . . .  30
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  32
   7.  Conclusion  . . . . . . . . . . . . . . . . . . . . . . . . .  32
   10.
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  38
     10.1.
     8.1.  Normative References . . . . . . . . . . . . . . . . . .  38
     10.2.
     8.2.  Informative References . . . . . . . . . . . . . . . . .  41
   A.
   Appendix  . . . . . . . . . . . . . . . . . . . . . . . . . .  32 A.  Supporting Materials
     A.1.  Using a TPM for Attestation . . . . . . . . . . . . . . .  32
     A.2.  Root of Trust for Measurement . . . . . . . . . . . . . .  34 (RTM)
     A.3.  Layering Model for Network Equipment Attester and Verifier  . . . . . . . . . . . . . . . . . . . . . . . .  35
     A.4.  Implementation Notes  . . . . . . . . . . . . . . . . . .  37
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  32
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  44

1.  Introduction

   There are many aspects to consider in fielding a trusted computing
   device, from operating systems to applications.  Mechanisms to prove
   that a device installed at a customer's site is authentic (i.e., not
   counterfeit) and has been configured with authorized software, all as
   part of a trusted supply chain, are just a few of the many aspects
   which
   that need to be considered concurrently to have confidence that a
   device is truly trustworthy.

   A generic architecture for remote attestation has been defined in
   [I-D.ietf-rats-architecture].
   [RFC9334].  Additionally, use cases for remotely attesting networking
   devices are discussed within Section 6 5 of
   [I-D.richardson-rats-usecases]. [RATS-USECASES].  However,
   these documents do not provide sufficient guidance for network
   equipment vendors and operators to design, build, and deploy
   interoperable devices.

   The intent of this document is to provide such guidance.  It does
   this by outlining the Remote Integrity Verification (RIV) problem, problem and
   then identifies elements that are by identifying the necessary elements to get the complete,
   scalable attestation procedure working with commercial networking
   products such as routers, switches switches, and firewalls.  An underlying
   assumption will be is the availability within the device of a cryptoprocessor
   that is compatible with the Trusted Platform Module [TPM1.2], [TPM2.0] compatible cryptoprocessor specifications
   [TPM-1.2] [TPM-2.0] to enable the trustworthy trustworthy, remote assessment of
   the device's software and hardware.

1.1.  Requirements notation Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Terminology

   A number of terms are reused from [I-D.ietf-rats-architecture]. [RFC9334].  These include: include Appraisal
   Policy for Evidence, Attestation Result, Attester, Evidence,
   Reference Value, Relying Party, Verifier, and Verifier Owner.

   Additionally, this document defines the following term:

   Attestation: the  The process of generating, conveying conveying, and appraising
      claims, backed by evidence, about device trustworthiness
      characteristics, including supply chain trust, identity, device
      provenance, software configuration, device composition, compliance
      to test suites, functional and assurance evaluations, etc.

   The goal of attestation is simply to assure an administrator or
   auditor that the device configuration and software that was launched
   when the device was last started is authentic and untampered-with.
   The determination of software authenticity is not prescribed in this
   document, but it's typically taken to mean a software image generated
   by an authority trusted by the administrator, such as the device
   manufacturer.

   Within the context of the Trusted Computing Group (TCG) context, (TCG), the scope of
   attestation is typically narrowed to describe the process by which an
   independent Verifier can obtain cryptographic proof as to the
   identity of the device in question, and evidence of the integrity of the
   device's software loaded on that device when it started up, was loaded upon startup, and then verify verification that what's there
   the current configuration matches the intended configuration.  For
   network equipment, a Verifier capability can be embedded in a Network
   Management Station (NMS), Station, a posture collection server, or other network
   analytics tool (such as a software asset management solution, or a
   threat detection and mitigation tool, etc.).  While informally
   referred to as attestation, this  This document focuses
   on a specific subset of attestation tasks, defined here as Remote
   Integrity Verification (RIV). (RIV), and informally referred to as
   attestation.  RIV in this document takes a network-equipment-
   centric network-equipment-centric
   perspective that includes a set of protocols and procedures for
   determining whether a particular device was launched with authentic
   software, starting from Roots of Trust.  While there are many ways to
   accomplish attestation, RIV sets out a specific set of protocols and
   tools that work in environments commonly found in network equipment.
   RIV does not cover other device characteristics that could be
   attested (e.g., geographic location, location or connectivity; see
   [I-D.richardson-rats-usecases]),
   [RATS-USECASES]), although it does provide evidence of a secure
   infrastructure to increase the level of trust in other device
   characteristics attested by other means (e.g., by Entity Attestation
   Tokens [I-D.ietf-rats-eat]). [RATS-EAT]).

   In line with [I-D.ietf-rats-architecture] definitions, definitions found in [RFC9334], this document uses the
   term Endorser to refer to the role that signs identity and
   attestation certificates used by the Attester, while Reference Values
   are signed by a Reference Value Provider.  Typically, the
   manufacturer of a network device would be accepted as both the
   Endorser and Reference Value Provider, although the choice is
   ultimately up to the Verifier Owner.

1.3.  Document Organization

   The remainder of this document is organized into several sections:

   *  The remainder of this section covers goals and requirements, plus
      a top-level description of RIV.

   *  The Solution Overview section (Section 2) outlines how Remote Integrity
      Verification RIV works.

   *  The Standards Components section (Section 3) links components of
      RIV to normative standards.

   *  The Privacy and Security Considerations sections (Sections 4 and
      5) shows how specific features of RIV contribute to the
      trustworthiness of the Attestation Result.

   *  Supporting material is in an appendix at the end. (Appendix A).

1.4.  Goals

   Network operators benefit from a trustworthy attestation mechanism
   that provides assurance that their network comprises authentic
   equipment,
   equipment and has loaded software free of known vulnerabilities and
   unauthorized tampering.  In line with the overall goal of assuring
   integrity, attestation can be used to assist in asset management,
   vulnerability and compliance assessment, plus configuration
   management.

   The RIV attestation workflow outlined in this document is intended to
   meet the following high-level goals:

   *  Provable Device Identity - This specification requires that an
      Attester (i.e., the attesting device) includes a cryptographic
      identifier unique to each device.  Effectively  Effectively, this means that
      the device's TPM must be so provisioned with this during the
      manufacturing cycle.

   *  Software Inventory - A key goal is Key goals are to identify the software
      release(s) installed on the Attester, Attester and to provide evidence that
      the software stored within hasn't been altered without
      authorization.

   *  Verifiability - Verification of the device's software and
      configuration of the
      device shows that the software that the administrator
      authorized for use was actually launched.

   In addition, RIV is designed to operate either in a centralized
   environment, such as with a central authority that manages and
   configures a number of network devices, or 'peer-to-peer', "peer-to-peer", where
   network devices independently verify one another to establish a trust
   relationship.  (See Section 3.3 below) 3.3.)

1.5.  Description of Remote Integrity Verification (RIV)

   Attestation requires two interlocking mechanisms between the Attester
   network device and the Verifier:

   *  Device Identity, Identity is the mechanism providing that provides trusted identity,
      which can reassure network managers that the specific devices they
      ordered from authorized manufacturers for attachment to their
      network are those that were installed, installed and that they continue to be
      present in their network.  As part of the mechanism for Device
      Identity, cryptographic proof of the manufacturer's identity of the manufacturer is
      also provided.

   *  Software Measurement is the mechanism that reports the state of
      mutable software components on the device, device and that can assure
      administrators that they have known, authentic software configured
      to run in their network.

   Using

   By using these two interlocking mechanisms, RIV RIV, which is a component
   in a chain of procedures that procedures, can assure a network operator that the
   equipment in their network can be reliably identified, identified and that
   authentic software of a known version is installed on each device.
   Equipment in the network includes devices that make up the network
   itself, such as routers, switches switches, and firewalls.

   Software used to boot a device can be identified by a chain of
   measurements, anchored at the start by a Root of Trust for
   Measurement (RTM) (see Section 9.2), Appendix A.2), each measuring the next stage
   and recording the result in tamper-resistant storage, normally ending
   when the system software is fully loaded.  A measurement signifies
   the identity, integrity integrity, and version of each software component
   registered with an Attester's TPM [TPM1.2], [TPM2.0], [TPM-1.2] [TPM-2.0] so that a
   subsequent verification stage can determine if the software installed
   is authentic, up-to-date, and free of tampering.

   RIV includes several major processes, which are split between the
   Attester and Verifier:

   1.  Generation of Evidence is the process whereby an Attester
       generates cryptographic proof (Evidence) of claims about device
       properties.  In particular, the device identity and its software
       configuration are both of critical importance.

   2.  Device Identification refers to the mechanism assuring the
       Relying Party (ultimately, a network administrator) of the
       identity
       identities of devices devices, and the identities of their manufacturers,
       that make up their network, and that their
       manufacturers are known. network.

   3.  Conveyance of Evidence reliably transports the collected Evidence
       from the Attester to a Verifier to allow a management station to
       perform a meaningful appraisal in Step 4.  The transport is
       typically carried out via a management network.  While  Although not
       required for reliable attestation, an encrypted channel may be
       used to provide integrity, authenticity, or confidentiality once
       attestation is complete.  It should be noted that critical
       attestation evidence from the TPM is signed by a key known only
       to TPM, and is not dependent on encyption encryption carried out as part of
       a reliable transport.

   4.  Finally, Appraisal of Evidence occurs.  This is the process of
       verifying the Evidence received by a Verifier from the Attester, Attester
       and using an Appraisal Policy to develop an Attestation Result,
       which is used to inform decision-making.  In practice, this means
       comparing the Attester's measurements reported as Evidence with
       the device configuration expected by the Verifier.  Subsequently,
       the Appraisal Policy for Evidence might match Evidence found
       against Reference Values (aka Golden Measurements), which
       represent the intended configured state of the connected device.

   All implementations supporting this RIV specification require the
   support of the following three technologies:

   1.  Identity: Device identity in RIV is based on IEEE 802.1AR Device Identity
       (DevID) defined by IEEE Std 802.1AR [IEEE-802-1AR], coupled with
       careful supply-
       chain supply-chain management by the manufacturer.  The Initial
       DevID (IDevID) certificate contains a statement by the
       manufacturer that establishes the identity of the device as it
       left the factory.  Some applications with a more-complex post-manufacture more complex post-
       manufacture supply chain (e.g., Value Added Resellers), value added resellers), or with
       different privacy concerns, may want to use alternative
       mechanisms for platform authentication (for example, TCG Platform
       Certificates
       [Platform-Certificates], [PLATFORM-CERTS] or post-manufacture installation of
       Local Device ID DevID (LDevID)).

   2.  Platform Attestation provides evidence of configuration of
       software elements present in the device.  This form of
       attestation can be implemented with TPM Platform Configuration
       Registers (PCRs), (PCRs) and Quote and Log mechanisms, which provide
       cryptographically authenticated evidence to report what software
       was started on the device through the boot cycle.  Successful
       attestation requires an unbroken chain from a boot-time root Root of
       trust
       Trust through all layers of software needed to bring the device
       to an operational state, in which each stage computes the hash of
       components of the next stage, then updates the attestation log
       and the TPM.  The TPM can then report the hashes of all the
       measured hashes as signed evidence called a Quote (see
       Section 9.1
       Appendix A.1 for an overview of TPM operation, operation or [TPM1.2] [TPM-1.2] and
       [TPM2.0]
       [TPM-2.0] for many more details).

   3.  Signed Reference Values (aka Reference Integrity Measurements)
       must be conveyed from the Reference Value Provider (the entity
       accepted as the software authority, often the manufacturer of the
       network device) to the Verifier.

1.6.  Solution Requirements

   Remote Integrity Verification

   RIV must address the "Lying Endpoint" problem, in which malicious
   software on an endpoint may subvert the intended function, function and also
   prevent the endpoint from reporting its compromised status.  (See
   Section 5 for further Security Considerations.)

   RIV attestation is designed to be simple to deploy at scale.  RIV
   should work "out of the box" as far as possible, that is, with the
   fewest possible provisioning steps or configuration databases needed
   at the end-user's end user's site.  Network equipment is often required to
   "self-configure", to reliably reach out without manual intervention
   to prove its identity and operating posture, then download its own
   configuration, a process which precludes pre-installation
   configuration.  See [RFC8572] for an example of Secure Zero Touch
   Provisioning.
   Provisioning (SZTP).

1.7.  Scope

   The need for assurance of software integrity, addressed by Remote
   Attestation, is a very general problem that could apply to most
   network-connected computing devices.  However, this document includes
   several assumptions that limit the scope to network equipment (e.g.,
   routers, switches switches, and firewalls):

   *  This solution is for use in non-privacy-preserving applications
      (for example, networking, Industrial IoT), avoiding networking or industrial Internet of Things (IoT)
      applications), which avoids the need for a Privacy Certificate Certification
      Authority (also called an Attestation CA) for
      attestation keys [AK-Enrollment] Attestation Keys
      (AKs) [AIK-ENROLL] or TCG Platform Certificates
      [Platform-Certificates]. [PLATFORM-CERTS].

   *  This document assumes network protocols that are common in network
      equipment such as YANG [RFC7950] and NETCONF Network Configuration
      Protocol (NETCONF) [RFC6241], but not generally used in other
      applications.

   *  The approach outlined in this document mandates the use of a TPM
      [TPM1.2], [TPM2.0],
      [TPM-1.2] [TPM-2.0] or a compatible cryptoprocessor.

1.7.1.  Out of Scope

   *

   Run-Time Attestation:  The Linux Integrity Measurement Architecture
      [IMA] attests each process launched after a device is started (and
      is in scope for RIV in general), but continuous run-time
      attestation of Linux or other multi-threaded operating system
      processes after the OS has started considerably expands the scope
      of the problem.  Many researchers are working on that problem, but
      this document defers the problem of continuous, in-memory run-time
      attestation.

   *

   Multi-Vendor Embedded Systems:  Additional coordination would be
      needed for devices that themselves comprise hardware and software
      from multiple vendors, vendors and are integrated by the end user.
      Although out of scope for this document, these issues are
      accommodated in
      [I-D.ietf-rats-architecture].

   * [RFC9334].

   Processor Sleep Modes:  Network equipment typically does not "sleep",
      so sleep and hibernate modes are not considered.  Although out of
      scope for RIV in this document, Trusted Computing
      Group TCG specifications do encompass
      sleep and hibernate states, which could be incorporated into
      remote attestation for network equipment in the future, given a
      compelling need.

   *

   Virtualization and Containerization:  In a non-virtualized system,
      the host OS is responsible for measuring each User Space user-space file or
      process throughout the operational lifetime of the system.  For
      virtualized systems, the host OS must verify the hypervisor, but
      then the hypervisor must manage its own chain of trust through the
      virtual machine.  Virtualization and containerization technologies
      are increasingly used in network equipment, but are not considered
      in this document.

2.  Solution Overview

2.1.  RIV Software Configuration Attestation using Using TPM

   RIV Attestation is a process which that can be used to determine the
   identity of software running on a specifically-identified specifically identified device.
   The Remote Attestation steps of Section 1.5 are broken split into two
   phases, phases
   as shown in Figure 1:

   *  During system startup, or boot phase, Boot Phase, each distinct software
      object is "measured" by the Attester.  The object's identity, hash
      (i.e., cryptographic digest) digest), and version information are recorded
      in a log.  Hashes are also extended into the TPM (see Section 9.1 Appendix A.1
      for more on 'extending hashes'), extending hashes) in a way that can be used to
      validate the log entries.  The measurement process generally
      follows the layered chain-of-trust model used in Measured Boot,
      where each stage of the system measures the next one, and extends
      its measurement into the TPM, before launching it.  See
      [I-D.ietf-rats-architecture], section
      Section 3.2 of [RFC9334], "Layered Attestation
      Environments," Environments", for
      an architectural definition of this model.

   *  Once the device is running and has operational network
      connectivity, verification can take place.  A separate Verifier,
      running in its own trusted environment, will interrogate the
      network device to retrieve the logs and a copy of the digests
      collected by hashing each software object, signed by an
      attestation private key secured by, but never released by, the
      TPM.  The YANG model described in [I-D.ietf-rats-yang-tpm-charra] [RFC9684] facilitates this
      operation.

   The result is that the Verifier can verify the device's identity by
   checking the subject[RFC5280] subject [RFC5280] and signature of the certificate
   containing the TPM's attestation public key, and can validate the
   software that was launched by verifying the correctness of the logs
   by comparing with the signed digests from the TPM, and comparing
   digests in the log with Reference Values.

   It should be noted that attestation and identity are inextricably
   linked; signed Evidence that a particular version of software was
   loaded is of little value without cryptographic proof of the identity
   of the Attester producing the Evidence.

       +-------------------------------------------------------+
       | +---------+    +--------+   +--------+    +---------+ |
       | |UEFI BIOS|--->| Loader |-->| Kernel |--->|Userland | |
       | +---------+    +--------+   +--------+    +---------+ |
       |     |            |           |                        |
       |     |            |           |                        |
       |     +------------+-----------+-+                      |
       |                    Boot Phase  |                      |
       |                                V                      |
       |                            +--------+                 |
       |                            |  TPM   |                 |
       |                            +--------+                 |
       |   Router                       |                      |
       +--------------------------------|----------------------+
                                        |
                                        |  Verification Phase
                                        |    +-----------+
                                        +--->| Verifier  |
                                             +-----------+

       Reset---------------flow-of-time-during-boot...--------->

                  Figure 1: Layered RIV Attestation Model

   In the Boot phase, Phase, measurements are "extended", or hashed, into the
   TPM as processes start, with the which result that in the TPM ends up containing hashes of
   all the measured hashes.  Later, once the system is operational, during the Verification phase,
   signed digests are retrieved from the TPM during the Verification
   Phase for off-box analysis.

2.1.1.  What Does RIV Attest?

   TPM attestation is focused on Platform Configuration Registers
   (PCRs), PCRs, but those registers are only
   vehicles for certifying accompanying Evidence, Evidence conveyed in log
   entries.  It is the hashes in log entries that are extended into
   PCRs, where the final PCR values can be retrieved in the form of a
   structure called a Quote, which is signed by an Attestation key AK known only to the
   TPM.  The use of multiple PCRs serves only to provide some
   independence between different classes of
   object, object so that one class of
   objects can be updated without changing the extended hash for other
   classes.  Although PCRs can be used for any purpose, this section
   outlines the objects within the scope of this document which that may be
   extended into the TPM.

   In general, assignment of measurements to PCRs is a policy choice
   made by the device manufacturer, selected to independently attest
   three classes of object:

   *  Code, (i.e., instructions)

   Code:  Instructions to be executed by a CPU.

   *  Configuration -

   Configuration:  Many devices offer numerous options controlled by
      non-volatile configuration variables which that can impact the device's
      security posture.  These settings may have vendor defaults, but
      often can be changed by administrators, who may want to verify via
      attestation that the operational state of the settings match their
      intended state.

   *  Credentials -

   Credentials:  Administrators may wish to verify via attestation that
      public keys and credentials outside the Root of Trust have not
      been subject to unauthorized tampering.  (By definition, keys
      protecting the root Root of trust Trust can't be verified independently.)

   The TCG "TCG PC Client Specific Platform Firmware Profile Specification
   [PC-Client-BIOS-TPM-2.0] gives considerable detail on Specification"
   [PC-CLIENT-BIOS-TPM-2.0] details what is to be measured during the boot phase
   Boot Phase of platform startup using a UEFI Unified Extensible Firmware
   Interface (UEFI) BIOS
   (www.uefi.org), (<www.uefi.org>), but the goal is simply to
   measure every bit of code executed in the process of starting the
   device, along with any configuration information related to security
   posture, leaving no gap for unmeasured code to remain undetected, undetected and
   potentially subverting the chain.

   For devices using a UEFI BIOS, [PC-Client-BIOS-TPM-2.0] [PC-CLIENT-BIOS-TPM-2.0] and
   [PC-Client-EFI-TPM-1.2]
   [PC-CLIENT-EFI-TPM-1.2] give detailed normative requirements for PCR
   usage.  For other platform architectures, where TCG normative
   requirements currently do not exist, the table in Figure 2 Table 1 gives non-
   normative non-normative
   guidance for PCR assignment that generalizes the specific details of [PC-Client-BIOS-TPM-2.0].
   [PC-CLIENT-BIOS-TPM-2.0].

   By convention, most PCRs are assigned in pairs, which with the even-
   numbered PCR used to measure executable code, code and the odd-numbered PCR
   used to measure whatever data and configuration are associated with
   that code.  It is important to note that each PCR may contain results
   from dozens (or even thousands) of individual measurements.

   +------------------------------------------------------------------+

   +===========================================+======================+
   |                                           | Assigned PCR #       |
   +===========================================+======+===============+
   | Function                                  | Code | Configuration|
   -------------------------------------------------------------------- Configuration |
   +===========================================+======+===============+
   | Firmware Static Root of Trust, Trust (i.e.,      | 0    | 1             |
   | initial boot firmware and drivers)        |      |               |
   --------------------------------------------------------------------
   +-------------------------------------------+------+---------------+
   | Drivers and initialization for optional   | 2    | 3             |
   | or add-in devices                         |      |               |
   --------------------------------------------------------------------
   +-------------------------------------------+------+---------------+
   | OS Loader loader code and configuration, configuration (i.e.,   | 4    | 5             |
   | the code launched by firmware) to load an |      |               |
   | operating system kernel.  These PCRs record      |      |               |
   | record each boot attempt, and an identifier for          |      |               |
   | identifier for where the loader was found |      |               |
   --------------------------------------------------------------------
   +-------------------------------------------+------+---------------+
   | Vendor Specific Measurements Vendor-specific measurements during boot  | 6    | 6             |
   --------------------------------------------------------------------
   +-------------------------------------------+------+---------------+
   | Secure Boot Policy.  This PCR records keys     |      | 7             |
   | keys and configuration used to validate the OS   |      |               |
   | the OS loader                             |      |               |
   --------------------------------------------------------------------
   +-------------------------------------------+------+---------------+
   | Measurements made by the OS Loader loader (e.g., | 8    | 9             |
   | (e.g. GRUB2 for Linux)                          |      |               |
   --------------------------------------------------------------------
   +-------------------------------------------+------+---------------+
   | Measurements made by OS (e.g., Linux IMA) | 10   | 10            |
   +------------------------------------------------------------------+

                         Figure 2:
   +-------------------------------------------+------+---------------+

                        Table 1: Attested Objects

2.1.2.  Notes on PCR Allocations

   It is important to recognize that PCR[0] is critical.  The first
   measurement into PCR[0] is taken by the Root of Trust for
   Measurement, which is code which, that, by definition, cannot be verified by
   measurement.  This measurement establishes the chain of trust for all
   subsequent measurements.  If the PCR[0] measurement cannot be
   trusted, the validity of the entire chain is put called into question.

   Distinctions Between between PCR[0], PCR[2], PCR[4] PCR[4], and PCR[8] are
   summarized below:

   *

   PCR[0]  typically represents a consistent view of rarely-changed
      Host Platform rarely changed boot components, allowing
      components of the host platform, which allows Attestation policies
      to be defined using the less changeable components of the
      transitive trust chain.  This PCR typically provides a consistent
      view of the platform regardless of user selected user-selected options.

   *

   PCR[2]  is intended to represent a "user configurable" "user-configurable" environment
      where the user has the ability to alter the components that are
      measured into PCR[2].  This is typically done by adding adapter
      cards, etc., into user-accessible PCI Peripheral Component
      Interconnect (PCI) or other slots.  In UEFI
      systems systems, these devices
      may be configured by Option ROMs measured into PCR[2] and executed
      by the UEFI BIOS.

   *

   PCR[4]  is intended to represent the software that manages the
      transition between the platform's Pre-Operating System pre-OS start and the state of a
      system with the Operating System OS present.  This PCR, along with PCR[5],
      identifies the initial operating system OS loader (e.g., GRUB for Linux).

   *

   PCR[8]  is used by the OS loader (e.g. (e.g., GRUB) to record measurements
      of the various components of the operating system.

   Although the TCG PC Client document [PC-CLIENT-BIOS-TPM-2.0] specifies the use of the first
   eight PCRs very carefully to ensure interoperability among multiple
   UEFI BIOS vendors, it should be noted that embedded software vendors
   may have considerably more flexibility.  Verifiers typically need to
   know which log entries are consequential and which are not (possibly
   controlled by local policies) policies), but the Verifier may not need to know
   what each log entry means or why it was assigned to a particular PCR.
   Designers must recognize that some PCRs may cover log entries that a
   particular Verifier considers critical and other log entries that are
   not considered important, so differing PCR values may not on their
   own constitute a check for authenticity.  For example, in a UEFI
   system, some administrators may consider booting an image from a
   removable drive, something recorded in a PCR, to be a security
   violation, while others might consider that operation to be an
   authorized recovery procedure.

   Designers may allocate particular events to specific PCRs in order to
   achieve a particular objective with local attestation, attestation (e.g., allowing
   a procedure to execute, or releasing a particular decryption key,
   only if a given PCR is in a given state).  It may also be important
   to designers to consider whether streaming notification of PCR
   updates is required (see
   [I-D.birkholz-rats-network-device-subscription]). [RATS-NET-DEV-SUB]).  Specific log entries
   can only be validated if the Verifier receives every log entry
   affecting the relevant PCR, so (for example) a designer might want to
   separate rare, high-value events events, such as configuration changes, from
   high-volume, routine measurements such as IMA [IMA]
   logs. logs [IMA].

2.2.  RIV Keying

   RIV attestation relies on two credentials:

   *  An identity key pair and matching certificate is required to
      certify the identity of the Attester itself.  RIV specifies the
      use of an IEEE 802.1AR Device Identity (DevID) [IEEE-802-1AR], DevID [IEEE-802-1AR] that is signed by the
      device manufacturer, containing manufacturer and contains the device serial number.  This
      requirement goes slightly beyond 802.1AR; see Section 2.4 for
      notes.

   *  An Attestation key pair and matching certificate is required to
      sign the Quote generated by the TPM to report evidence of software
      configuration.

   In a TPM application, both the Attestation private key and the DevID
   private key MUST be protected by the TPM.  Depending on other TPM
   configuration procedures, the two keys are likely to be different;
   some of the considerations are outlined in TCG the "TPM 2.0 Keys for
   Device Identity and Attestation" [Platform-DevID-TPM-2.0]. document [PLATFORM-DEVID-TPM-2.0].

   The TCG TPM "TPM 2.0 Keys for Device Identity and Attestation" document [Platform-DevID-TPM-2.0]
   [PLATFORM-DEVID-TPM-2.0] specifies further conventions for these
   keys:

   *  When separate Identity and Attestation keys are used, the
      Attestation Key (AK) AK and
      its X.509 certificate should parallel the DevID, with the same
      unique device identification as the DevID certificate (that is,
      the same subject and subjectAltName (if present), even though the
      key pairs are different).  This allows a quote from the device,
      signed by an AK, to be linked directly to the device that provided
      it, by examining the corresponding AK certificate.  If the subject
      in the AK certificate doesn't match the corresponding DevID
      certificate, or if they're signed by
      differing authorities different authorities, the
      Verifier may signal the detection of an Asokan-style person-in-the-middle person-in-
      the-middle attack (see Section 5.2).

   *  Network devices that are expected to use secure zero touch
      provisioning SZTP as specified in
      [RFC8572] MUST be shipped by the manufacturer with pre-provisioned
      keys (Initial DevID and Initial AK, called IDevID and IAK). IAK,
      respectively).  IDevID and IAK certificates MUST both be signed by
      the Endorser (typically the device manufacturer).  Inclusion of an
      IDevID and IAK by a vendor does not preclude a mechanism whereby
      an administrator can define Local Identity LDevID and Local Attestation Keys (LDevID and LAK)
      (LAK) if desired.

2.3.  RIV Information Flow

   RIV workflow for network equipment is organized around a simple use
   case where a network operator wishes to verify the integrity of
   software installed in specific, fielded devices.  A normative
   taxonomy of terms is given in [I-D.ietf-rats-architecture], [RFC9334], but as a reminder, this use
   case implies several roles and objects:

   1.

   Attester:  The Attester, the device which that the network operator wants to examine.

   2.  A Verifier (which

   Verifier:  Which might be a network management station)
       somewhere Network Management Station and is
      somewhat separate from the Device that will retrieve the signed
      evidence and measurement logs, and analyze them to pass judgment
      on the security posture of the device.

   3.  A

   Relying Party, which can Party:  Can act on Attestation Results.  Interaction between
      the Relying Party and the Verifier is considered out of scope for
      RIV.

   4.

   Signed Reference Integrity Manifests (RIMs), containing (RIMs):  Contains Reference
       Values,
      Values.  RIMs can either be created by the device manufacturer and
      shipped along with the device as part of its software image, or
      alternatively, could be obtained several other ways (direct to the
      Verifier from the manufacturer, from a third party, from the
      owner's observation concept of what's thought to be a "known good system", etc.).  Retrieving RIMs
      from the device itself allows attestation to be done in systems
      that may not have access to the public internet, Internet, or by other
      devices that are not management stations per se (e.g., a peer
      device; see Section 3.1.3).  If Reference Values are obtained from
      multiple sources, the Verifier may need to evaluate the relative
      level of trust to be placed in each source in case of a
      discrepancy.

   These components are illustrated in Figure 3. 2.

   +----------------+        +-------------+        +---------+--------+
   |Reference Value |        | Attester    | Step 1 | Verifier|        |
   |Provider        |        | (Device     |<-------| (Network| Relying|
   |(Device         |        | under       |------->| Mngmt Mgmt    | Party  |
   |Manufacturer    |        | attestation)| Step 2 | Station)|        |
   |or other        |        |             |        |         |        |
   |authority)      |        |             |        |         |        |
   +----------------+        +-------------+        +---------+--------+
          |                                             /\
          |                  Step 0                      |
          -----------------------------------------------

        Figure 3: 2: RIV Reference Configuration for Network Equipment

   *  In

   Step 0, 0:  The Reference Value Provider (the device manufacturer or
            other authority) makes one or more Reference Integrity
      Manifests (RIMs), corresponding RIMs, which correspond to
            the software image expected to be found on the device, device and
            are signed by the Reference Value Provider, available to the Verifier (see
            Verifier.  (See Section 3.1.3 for "in-band" and "out of
            band" ways to make this happen).

   *  In happen.)

   Step 1, the Verifier (Network Management Station), on 1:  On behalf of a Relying Party, the Verifier (Network
            Management Station) requests Identity, DevID, Measurement Values, and
            possibly RIMs, RIMs from the Attester.

   *  In

   Step 2, the 2:  The Attester responds to the request by providing a DevID,
            quotes (measured values, values that are signed by the Attester),
            and optionally RIMs.

   Use

   The use of the following standards components allows for
   interoperability:

   1.  TPM Keys keys MUST be configured according to
       [Platform-DevID-TPM-2.0], [PLATFORM-DEVID-TPM-2.0]
       or [Platform-ID-TPM-1.2]. [PLATFORM-ID-TPM-1.2].

   2.  For devices using UEFI and Linux, measurements of firmware and
       bootable modules MUST be taken according to TCG "TCG EFI Platform
       Specification" [PC-CLIENT-EFI-TPM-1.2] or "TCG PC Client
       [PC-Client-EFI-TPM-1.2] or [PC-Client-BIOS-TPM-2.0], Specific
       Platform Firmware Profile Specification"
       [PC-CLIENT-BIOS-TPM-2.0], and Linux IMA [IMA].

   3.  Device Identity  DevID MUST be managed as DevID certificates as specified in IEEE
       Std 802.1AR
       Device Identity certificates [IEEE-802-1AR], with keys protected by TPMs.

   4.  Attestation logs from Linux-based systems MUST be formatted
       according to the Canonical "Canonical Event Log format
       [Canonical-Event-Log]. Format" [CEL].  UEFI-based
       systems MUST use the TCG UEFI BIOS event log [PC-Client-EFI-TPM-1.2]
       [PC-CLIENT-EFI-TPM-1.2] for TPM1.2 systems, TPM 1.2 systems and
       TCG the "TCG PC
       Client Specific Platform Firmware Profile [PC-Client-BIOS-TPM-2.0] Profile"
       [PC-CLIENT-BIOS-TPM-2.0] for TPM2.0. TPM 2.0 systems.

   5.  Quotes MUST be retrieved from the TPM according to the TCG TAP
       Trusted Attestation Protocol Information Model (TAP IM) [TAP] and
       the CHARRA Challenge-Response-based Remote Attestation (CHARRA) YANG
       model
       [I-D.ietf-rats-yang-tpm-charra]. [RFC9684].  While the TAP IM gives a protocol-independent
       description of the data elements involved, it's important to note
       that quotes from the TPM are signed inside the TPM, TPM and MUST be
       retrieved in a way that does not invalidate the signature, to
       preserve the trust model.  The
       [I-D.ietf-rats-yang-tpm-charra] CHARRA YANG model [RFC9684] is
       used for this purpose.  (See Section 5 5, Security Considerations).

   6.  Reference Values MUST be encoded as defined in the TCG RIM
       document [RIM], typically using SWID Software Identification (SWID)
       [SWID], [NIST-IR-8060] [NIST-IR-8060], or
       CoSWID Concise SWID (CoSWID) tags [I-D.ietf-sacm-coswid]. [RFC9393].

2.4.  RIV Simplifying Assumptions

   This document makes the following simplifying assumptions to reduce
   complexity:

   *  The product to be attested MUST be shipped by the equipment vendor
      with both an a DevID as specified by IEEE Std 802.1AR Device Identity and an Initial
      Attestation Key (IAK), IAK,
      with certificates in place.  The IAK certificate must contain the
      same identity information as the DevID (specifically, the same
      subject and subjectAltName (if used), signed by the manufacturer).
      The IAK is a type of key that can be used to sign a TPM Quote, but
      not other objects (i.e., it's marked as a TCG "Restricted" key;
      this convention is described in "TPM 2.0 Keys for Device Identity
      and Attestation"
      [Platform-DevID-TPM-2.0]). [PLATFORM-DEVID-TPM-2.0]).  For network
      equipment, which is generally non-privacy-sensitive, not privacy sensitive, shipping a
      device with both an IDevID and an IAK already provisioned
      substantially simplifies initial startup.

   *  IEEE Std 802.1AR does not require a product serial number as part
      of the subject, but RIV-compliant devices MUST include their
      serial numbers in the DevID/IAK certificates to simplify tracking
      logistics for network equipment users.  All other optional 802.1AR
      fields remain optional in RIV.

      It should be noted that 802.1AR the use of X.509 certificate fields as
      specified by IEEE Std 802.1AR is not identical to those descsribed that described
      in [RFC6125] [RFC9525] for representation of application service identity.

   *  The product MUST be equipped with an RTM, a Root of Trust for Measurement
      (RTM), Root of Trust for Storage
      Storage, and a Root of Trust for Reporting (as defined in [SP800-155])
      [SP800-155]), which together are capable of conforming to the TCG Trusted Attestation Protocol Information Model
      TAP IM [TAP].

   *  The authorized software supplier MUST make available Reference
      Values in the form of signed SWID or CoSWID tags.

2.4.1.  Reference Integrity Manifests (RIMs)

   [I-D.ietf-rats-yang-tpm-charra]

   [RFC9684] focuses on collecting and transmitting evidence in the form
   of PCR measurements and attestation logs.  But the critical part of
   the process is enabling the Verifier to decide whether the
   measurements are "the right ones" or not.

   While it must be up to network administrators to decide what they
   want on their networks, the software supplier should supply the
   Reference Values, in signed Reference Integrity Manifests, RIMs, that may be used by a Verifier to
   determine if evidence shows known good, known bad bad, or unknown
   software configurations.

   In general, there are two kinds of reference measurements:

   1.  Measurements of early system startup (e.g., BIOS, boot loader, OS
       kernel) are essentially single-threaded, single threaded and executed exactly
       once, in a known sequence, before any results could can be reported.
       In this case, while the method for computing the hash and
       extending relevant PCRs may be complicated, the net result is
       that the software (more likely, firmware) vendor will have one
       known good PCR value that "should" be present in the relevant
       PCRs after the box has booted.  In this case, the signed
       reference measurement could simply list the expected hashes for
       the given version.  However, a RIM that contains the intermediate
       hashes can be useful in debugging cases where the expected final
       hash is not the one reported.

   2.  Measurements taken later in operation of the system, once an OS
       has started (for example, Linux IMA [IMA]), may be more complex,
       with unpredictable "final" PCR values.  In this case, the
       Verifier must have enough information to reconstruct the expected
       PCR values from logs and signed reference measurements from a
       trusted authority.

   In both cases, the expected values can be expressed as signed SWID or
   CoSWID tags, but the SWID structure in the second case is somewhat
   more complex, as reconstruction of the extended hash in a PCR may
   involve thousands of files and other objects.

   TCG has published an information model defining elements of Reference
   Integrity Manifests RIMs
   under the title TCG "TCG Reference Integrity Manifest (RIM) Information Model
   Model" [RIM].  This information model outlines how SWID tags should
   be structured to allow attestation, and it defines "bundles" of SWID
   tags that may be needed to describe a complete software release.  The
   RIM contains metadata relating to the software release it belongs to,
   plus hashes for each individual file or other object that could be
   attested.

   Many network equipment vendors use a UEFI BIOS to launch their
   network operating system.  These vendors may want to also use the TCG
   "TCG PC Client Reference Integrity Measurement specification
   [PC-Client-RIM], Manifest Specification"
   [PC-CLIENT-RIM], which focuses specifically on a SWID-compatible
   format suitable for expressing measurement values expected from a
   UEFI BIOS.

2.4.2.  Attestation Logs

   Quotes from a TPM can provide evidence of the state of a device up to
   the time the evidence was recorded, but recorded.  However, to make sense of the
   quote in cases where several events are extended into one PCR PCR, an
   event log that identifies which software modules contributed which
   values to the quote during startup must also be provided.  When
   required, the log MUST contain enough information to demonstrate its
   integrity by allowing exact reconstruction of the digest conveyed in
   the signed quote (that is, calculating the hash of all the hashes in
   the log should produce the same values as contained in the PCRs; if
   they don't match, the log may have been tampered with.  See Section 9.1).
   Appendix A.1).

   There are multiple event log formats which that may be supported as viable
   formats of Evidence between the Attester and Verifier, but Verifier; however, to
   simplify interoperability, RIV focuses on just three:

   *

   1.  TCG UEFI BIOS event log for TPM 2.0 (TCG ("TCG PC Client Specific
       Platform Firmware Profile) [PC-Client-BIOS-TPM-2.0]

   * Profile Specification")
       [PC-CLIENT-BIOS-TPM-2.0]

   2.  TCG UEFI BIOS event log for TPM 1.2 (TCG ("TCG EFI Platform
      Specification
       Specification" for TPM Family 1.1 or 1.2, Section 7)
      [PC-Client-EFI-TPM-1.2]

   *
       [PC-CLIENT-EFI-TPM-1.2]

   3.  TCG Canonical "Canonical Event Log [Canonical-Event-Log] Format" [CEL]

3.  Standards Components

3.1.  Prerequisites for RIV

   The Reference Interaction Model for Challenge-Response-based Remote
   Attestation ([I-D.birkholz-rats-reference-interaction-model]) ([RATS-INTERACTION-MODELS]) is based on the standard
   roles defined in [I-D.ietf-rats-architecture]. [RFC9334].  However, additional prerequisites have
   been established to allow for interoperable implementations of RIV
   use case implementations. cases.  These prerequisites are intended to provide sufficient
   context information so that the Verifier can acquire and evaluate
   measurements collected by the Attester.

3.1.1.  Unique Device Identity

   A secure Device Identity (DevID) DevID in the form of an IEEE 802.1AR a DevID certificate as specified by IEEE Std
   802.1AR [IEEE-802-1AR] must be provisioned in the Attester's TPMs.

3.1.2.  Keys

   The Attestation Key (AK) AK and certificate must also be provisioned on the Attester
   according to [Platform-DevID-TPM-2.0], [PLATFORM-DEVID-TPM-2.0] or
   [Platform-ID-TPM-1.2]. [PLATFORM-ID-TPM-1.2].

   It MUST be possible for the Verifier to determine that the Attester's
   Attestation keys
   AKs are resident in the same TPM as its DevID keys (see Section 2.2
   and Section 5 5, Security Considerations).

3.1.3.  Appraisal Policy for Evidence

   As noted in Section 2.3, the Verifier may obtain Reference Values
   from several sources.  In addition, administrators may make
   authorized, site-specific changes (e.g. (e.g., keys in key databases) that
   could impact attestation results.  As such, there could be conflicts,
   omissions
   omissions, or ambiguities between some Reference Values and collected
   Evidence.

   The Verifier MUST have an Appraisal Policy for Evidence to evaluate
   the significance of any discrepancies between different reference
   sources, or between reference values Reference Values and evidence from logs and
   quotes.  While there must be an Appraisal Policy, this document does
   not specify the format or mechanism to convey the intended policy,
   nor does RIV specify mechanisms by which the results of applying the
   policy are communicated to the Relying Party.

3.2.  Reference Model for Challenge-Response

   Once the prerequisites for RIV are met, a Verifier is able to acquire
   Evidence from an Attester.  The following diagram  Figure 3 illustrates a RIV information
   flow between a Verifier and an Attester, derived from Section 7.1 of [I-D.birkholz-rats-reference-interaction-model].
   [RATS-INTERACTION-MODELS].  In this diagram, each event with its
   input and output parameters is shown as "Event(input-params)=>(outputs)".  Event "Event(input-
   params)=>(outputs)".  The event times shown correspond to the time
   types described within Appendix A of
   [I-D.ietf-rats-architecture]: [RFC9334]:

   .----------.                               .-----------------------.
   | Attester |                              | Relying Party/Verifier |
   '----------'                              '------------------------'
     time(VG)                                                      |
   generateClaims(attestingEnvironment)                            |
      | => claims, eventLogs                                       |
      |                                                            |
      |                                                        time(NS)
      | <-- requestAttestation(handle, authSecIDs, claimSelection) |
      |                                                            |
    time(EG)                                                       |
   collectClaims(claims, claimSelection)                           |
      | => collectedClaims                                         |
      |                                                            |
   generateEvidence(handle, authSecIDs, collectedClaims)           |
      | => evidence                                                |
      |                                                    time(RG,RA)
      | evidence, eventLogs -------------------------------------> |
      |                                                            |
      |               appraiseEvidence(evidence, eventLogs, refValues)
      |                                       attestationResult <= |
      |                                                            |
      ~                                                            ~
      |                                                       time(RX)

                Figure 4: 3: IETF Attestation Information Flow

   *

   Step 1 (time(VG)):  One or more Attesting Network Device attesting network device PCRs are
      extended with measurements.  RIV provides no direct link between
      the time at which the event takes place and the time that it's
      attested, although streaming attestation as described in
      [I-D.birkholz-rats-network-device-subscription]
      [RATS-NET-DEV-SUB] could.

   *

   Step 2 (time(NS)):  The Verifier generates a unique random nonce
      ("number used once"), once") and makes a request for one or more PCRs from
      an Attester.  For interoperability, this must be accomplished as
      specified in the "A YANG Data Model for Challenge-Response-based Challenge-Response-Based
      Remote Attestation (CHARRA) Procedures using TPMs
      [I-D.ietf-rats-yang-tpm-charra].  TPM1.2 Using Trusted Platform
      Modules (TPMs)" [RFC9684].  Both TPM 1.2 and TPM2.0 both TPM 2.0 allow nonces
      as large as the operative digest size (i.e., 20 or 32 bytes; see [TPM1.2]
      [TPM-1.2] Part 2, Section 5.5 5.5, and [TPM2.0] [TPM-2.0] Part 2,
      Section 10.4.4).

   *

   Step 3 (time(EG)):  On the Attester, measured values are retrieved
      from the Attester's TPM.  This requested PCR evidence, evidence along with
      the Verifier's nonce, nonce is called a Quote, Quote and is signed by the Attestation
      Key (AK) AK
      associated with the DevID.  Quotes are retrieved according to the
      CHARRA YANG model [I-D.ietf-rats-yang-tpm-charra]. [RFC9684].  At the same time, the Attester
      collects log evidence showing the values have been extended into
      that PCR.  Section 9.1  Appendix A.1 gives more detail on how this works, including works and
      includes references to the structure and contents of quotes in TPM
      documents.

   *

   Step 4: Collected  The collected Evidence is passed from the Attester to the
      Verifier

   *
      Verifier.

   Step 5 (time(RG,RA)):  The Verifier reviews the Evidence and takes
      action as needed.  As the interaction between Relying Party and
      Verifier is out of scope for RIV, this can be described as one
      step.

      -

      *  If the signature covering TPM Evidence is not correct, the
         device SHOULD NOT be trusted.

      -

      *  If the nonce in the response doesn't match the Verifier's
         nonce, the response may be a replay, and the device SHOULD NOT
         be trusted.

      -

      *  If the signed PCR values do not match the set of log entries
         which
         that have extended a particular PCR, the device SHOULD NOT be
         trusted.

      -

      *  If the log entries that the Verifier considers important do not
         match known good values, the device SHOULD NOT be trusted.  We
         note that the process of collecting and analyzing the log can
         be omitted if the value in the relevant PCR is already a known-
         good value.

      -

      *  If the set of log entries are not seen as acceptable by the
         Appraisal Policy for Evidence, the device SHOULD NOT be
         trusted.

      -

      *  If time(RG)-time(NS) is greater than the Appraisal Policy for
         Evidence's threshold for assessing freshness, the Evidence is
         considered stale and SHOULD NOT be trusted.

3.2.1.  Transport and Encoding

   Network Management systems may retrieve signed PCR based PCR-based Evidence
   using NETCONF or RESTCONF with [I-D.ietf-rats-yang-tpm-charra]. [RFC9684].  In either case, implementatations
   implementations must do so using a secure tunnel.

   Log Evidence MUST be retrieved via log interfaces specified in
   [I-D.ietf-rats-yang-tpm-charra].
   [RFC9684].

3.3.  Centralized vs vs. Peer-to-Peer

   Figure 4 above 3 assumes that the Verifier is trusted, while the Attester is
   not.  In a Peer-to-Peer peer-to-peer application such as two routers negotiating a
   trust relationship, the two peers can each ask the other to prove
   software integrity.  In this application, the information flow is the
   same, but each side plays a role both as an Attester and a Verifier.
   Each device issues a challenge, and each device responds to the
   other's challenge, as shown in Figure 5. 4.  Peer-to-peer challenges,
   particularly if used to establish a trust relationship between
   routers, require devices to carry their own signed reference
   measurements (RIMs).  Devices may also have to carry an Appraisal
   Policy for Evidence for each possible peer device so that each device
   has everything needed for remote attestation, without having to
   resort to a central authority.

   +---------------+                            +---------------+
   | RefVal        |                            | RefVal        |
   | Provider A    |                            | Provider B    |
   | Firmware      |                            | Firmware      |
   | Configuration |                            | Configuration |
   | Authority     |                            | Authority     |
   |               |                            |               |
   +---------------+                            +---------------+
         |                                             |
         |                                             |Step 0B
         |       +------------+        +------------+  |
         |       |            | Step 1 |            |  |   \
         |       | Attester   |<------>| Verifier   |  |   |
         |       |            |<------>|            |  |   |  Router B
         +------>|            | Step 2 |            |  |   |- Challenges
          Step 0A|            |        |            |  |   |  Router A
                 |            |------->|            |  |   |
                 |- Router A -| Step 3 |- Router B -|  |   /
                 |            |        |            |  |
                 |            |        |            |  |
                 |            | Step 1 |            |  |   \
                 | Verifier   |<------>| Attester   |<-+   |  Router A
                 |            |<------>|            |      |- Challenges
                 |            | Step 2 |            |      |  Router B
                 |            |        |            |      |
                 |            |<-------|            |      |
                 +------------+ Step 3 +------------+      /

            Figure 5: 4: Peer-to-Peer Attestation Information Flow

   In this application, each device may need to be equipped with signed
   RIMs to act as an Attester, and also to allow each device to act as a
   Verifier, each may need to be equipped with an Appraisal Policy for
   Evidence and a selection of trusted X.509 root certificates, to allow the
   device to act as a Verifier. certificates also.  An
   existing link layer protocol such as 802.1X [IEEE-802.1X] or 802.1AE
   [IEEE-802.1AE], with Evidence being enclosed over a variant of EAP the
   Extensible Authentication Protocol (EAP) [RFC3748] or LLDP [LLDP] Link Layer
   Discovery Protocol (LLDP) [LLDP], are suitable methods for such an
   exchange.  Details of peer-to-peer operation are out of scope for
   this document.

4.  Privacy Considerations

   Network equipment, such as routers, switches switches, and firewalls, has a
   key role to play in guarding the privacy of individuals using the
   network.  Network equipment generally adheres to several rules to
   protect privacy:

   *  Packets passing through the device must not be sent to
      unauthorized destinations.  For example:

      -  Routers often act as Policy Enforcement Points, where
         individual subscribers may be checked for authorization to
         access a network.  Subscriber login information must not be
         released to unauthorized parties.

      -  Network equipment is often called upon to block access to
         protected resources from unauthorized users.

   *  Routing information, such as the identity of a router's peers,
      must not be leaked to unauthorized neighbors.

   *  If configured, encryption and decryption of traffic must be
      carried out reliably, while protecting keys and credentials.

   Functions that protect privacy are implemented as part of each layer
   of hardware and software that makes up the networking device.  In
   light of these requirements for protecting the privacy of users of
   the network, the network equipment must identify itself, and its boot
   configuration and measured device state (for example, PCR values), to
   the equipment's administrator, administrator so there's no uncertainty as to what about the
   device's function each device and configuration is configured to carry out. configuration.  Attestation is a component that
   allows the administrator to ensure that the network provides
   individual and peer privacy guarantees, even though the device itself
   may not have a right to keep its identity secret.

   See [NetEq] [NET-EQ] for more context on privacy in networking devices.

   While attestation information from network devices is not likely to
   contain privacy-sensitive content regarding network users,
   administrators may want to keep attestation records confidential to
   avoid disclosing versions of software loaded on the device,
   information which is
   information that could facilitate attacks against known
   vulnerabilities.

5.  Security Considerations

   Specifications such as TLS [RFC8446] (TLS) and YANG [RFC7950] (YANG) contain
   considerable advice on keeping network-connected systems secure.
   This section outlines specific risks and mitigations related to
   attestation.

   Attestation Evidence obtained by the RIV procedure is subject to a
   number of attacks:

   *  Keys may be compromised.

   *  A counterfeit device may attempt to impersonate (spoof) a known
      authentic device.

   *  Person-in-the-middle attacks may be used by a compromised device
      to attempt to deliver responses that originate in an authentic
      device.

   *  Replay attacks may be attempted by a compromised device.

5.1.  Keys Used in RIV

   Trustworthiness of RIV attestation depends strongly on the validity
   of keys used for identity and attestation reports.  RIV takes full
   advantage of TPM capabilities to ensure that evidence can be trusted.

   Two sets of key-pairs key pairs are relevant to RIV attestation:

   *  A DevID key-pair key pair is used to certify the identity of the device in
      which the TPM is installed.

   *  An Attestation Key-pair Key pair (AK) key is used to certify attestation
      Evidence (called 'quotes' "quotes" in TCG documents), used to provide
      evidence for integrity of the software on the device

   TPM practices usually require that these keys be different, as a way
   of ensuring different to ensure
   that a general-purpose signing key cannot be used to spoof an
   attestation quote.

   In each case, the private half of the key is known only to the TPM, TPM
   and cannot be retrieved externally, even by a trusted party.  To
   ensure that's the case, specification-compliant private/public key- key
   pairs are generated inside the TPM, where they are never exposed, exposed and
   cannot be extracted (See [Platform-DevID-TPM-2.0]). (see [PLATFORM-DEVID-TPM-2.0]).

   Keeping keys safe is a critical enabler of trustworthiness, but it's
   just part of attestation security; knowing which keys are bound to
   the device in question is just as important in an environment where
   private keys are never exposed.

   While there are many ways to manage keys in a TPM (see
   [Platform-DevID-TPM-2.0]),
   [PLATFORM-DEVID-TPM-2.0]), RIV includes support for "zero touch"
   provisioning (also known as zero-touch zero touch onboarding) of fielded devices
   (e.g., Secure ZTP, SZTP [RFC8572]), where keys which that have predictable trust
   properties are provisioned by the device vendor.

   Device identity in RIV is based on DevID defined by IEEE 802.1AR Device Identity
   (DevID). Std 802.1AR.
   This specification provides several elements:

   *  A DevID requires a unique key pair for each device, accompanied by
      an X.509 certificate, certificate.

   *  The private portion of the DevID key is to be stored in the
      device, in a manner that provides confidentiality (Section 6.2.5
      [IEEE-802-1AR])
      of [IEEE-802-1AR]).

   The X.509 certificate contains several components:

   *  The public part of the unique DevID key assigned to that device
      allows a challenge of identity.

   *  An identifying string that's unique to the manufacturer of the
      device.  This is normally the serial number of the unit, which
      might also be printed on a label on the device.

   *  The certificate must be signed by a key traceable to the
      manufacturer's root key.

   With these elements, the device's manufacturer and serial number can
   be identified by analyzing the DevID certificate plus the chain of
   intermediate certificates leading back to the manufacturer's root
   certificate.  As is conventional in TLS or SSH connections, a random
   nonce must be signed by the device in response to a challenge,
   proving possession of its DevID private key.

   RIV uses the DevID to validate a TLS or SSH connection to the device
   as the attestation session begins.  Security of this process derives
   from TLS or SSH security, with the DevID, containing which contains a device
   serial number, providing proof that the session terminates on the
   intended device.  See [RFC8446], [RFC8446] [RFC4253].

   Evidence of software integrity is delivered in the form of a quote
   that is signed by the TPM itself, itself and accompanied by an IAK
   certificate containing the same identity information as the DevID.
   Because the contents of the quote are signed inside the TPM, any
   external modification (including reformatting to a different data
   format) after measurements have been taken will be detected as
   tampering.  An unbroken chain of trust is essential to for ensuring that
   blocks of code that are taking measurements have been verified before
   execution (see Figure 1).

   Requiring measurements of the operating software to be signed by a
   key known only to the TPM also removes the need to trust the device's
   operating software (beyond the first measurement in the RTM; see
   below); any
   below).  Any changes to the quote, generated and signed by the TPM
   itself, made by malicious device software, or in the path back to the
   Verifier, will invalidate the signature on the quote.

   A critical feature of the YANG model described in
   [I-D.ietf-rats-yang-tpm-charra] [RFC9684] is the
   ability to carry TPM data structures in their TCG-defined format,
   without requiring any changes to the structures as they were signed
   and delivered by the TPM.  While alternate methods of conveying TPM
   quotes could compress out redundant information, or add another layer
   of signing using external keys, the implementation MUST preserve the
   TPM signing, signing so that tampering anywhere in the path between the TPM
   itself and the Verifier can be detected.

5.2.  Prevention of Spoofing and Person-in-the-Middle Attacks

   Prevention of spoofing attacks against attestation systems is also
   important.  There are several cases to consider:

   *  The entire device could be spoofed.  If the Verifier goes to
      appraise a specific Attester, it might be redirected to a
      different Attester.

   *  A compromised device could have a valid DevID, but substitute a
      quote from a knonwn-good device, known-good device instead of returning its own, as
      described in [RFC6813].

   *  A device with a compromised OS could return a fabricated quote
      providing spoofed attestation Evidence.

   Use of the 802.1AR Device Identity (DevID) DevID in the TPM provides protection against the
   case of a spoofed device, device by ensuring that the Verifier's TLS or SSH
   session is in fact terminating on the right device.

   Protection against spoofed quotes from a device with valid identity
   is a bit more complex.  An identity key must be available to sign any
   kind of nonce or hash offered by the Verifier, and consequently,
   could be used to sign a fabricated quote.  To block a spoofed
   Attestation Result, the quote generated inside the TPM must be signed
   by a key key, known as an AK, that's different from the DevID, called an Attestation Key
   (AK). DevID.

   Given separate Attestation and DevID keys, the binding between the AK
   and the same device must also be proven to prevent a person-in-the-
   middle attack (e.g., the 'Asokan Attack' "Asokan Attack" [RFC6813]).

   This is accomplished in RIV through use of an AK certificate with the
   same elements as the DevID (same manufacturer's serial number, number and
   signed by the same manufacturer's key), but containing the device's
   unique AK public key instead of the DevID public key.  This binding
   between DevID and AK certificates is critical to reliable
   attestation.

   The TCG document TPM "TPM 2.0 Keys for Device Identity and Attestation
   [Platform-DevID-TPM-2.0] Attestation"
   [PLATFORM-DEVID-TPM-2.0] specifies OIDs for Attestation Certificates
   that allow the CA to mark a key as specifically known to be an
   Attestation key. AK.

   These two key-pairs key pairs and certificates are used together:

   *  The DevID is used to validate a TLS connection terminating on the
      device with a known serial number.

   *  The AK is used to sign attestation quotes, providing which provides proof
      that the attestation evidence comes from the same device.

5.3.  Replay Attacks

   Replay attacks, where the results of a previous attestation are
   submitted in response to subsequent requests, are usually prevented
   by the inclusion of a random nonce in the request to the TPM for a
   quote.  Each request from the Verifier includes a new random number
   (a nonce).  The resulting quote signed by the TPM contains the same
   nonce, allowing which allows the Verifier to determine freshness, freshness (i.e., that
   the resulting quote was generated in response to the Verifier's
   specific request).  Time-Based Uni-directional Attestation
   [I-D.birkholz-rats-tuda]  "Time-Based Uni-Directional Attestation"
   [RATS-TUDA] provides an alternate mechanism to verify freshness
   without requiring a request/response cycle.

5.4.  Owner-Signed Keys

   Although device manufacturers must pre-provision devices with easily
   verified DevID and AK certificates if zero-touch provisioning SZTP such as described in
   [RFC8572] is to be supported, use of those credentials is not
   mandatory.  IEEE Std 802.1AR incorporates the idea of an Initial
   Device ID (IDevID), IDevID,
   which is provisioned by the manufacturer, and a Local
   Device ID (LDevID) LDevID, which is
   provisioned by the owner of the device.  RIV and
   [Platform-DevID-TPM-2.0] extends
   [PLATFORM-DEVID-TPM-2.0] extend that concept by defining an Initial
   Attestation Key (IAK) IAK and Local Attestation Key (LAK)
   LAK with the same properties.

   Device owners can use any method to provision the Local local credentials.

   *  The TCG document [Platform-DevID-TPM-2.0] [PLATFORM-DEVID-TPM-2.0] shows how the initial
      Attestation keys IAKs can
      be used to certify LDevID and LAK keys.  Use  The use of the LDevID and
      LAK allows the device owner to use a uniform identity structure
      across device types from multiple manufacturers (in the same way
      that an "Asset Tag" is used by many enterprises to identify
      devices they own).  The TCG document
      [Provisioning-TPM-2.0] [PROV-TPM-2.0] also contains
      guidance on provisioning
      Local local identity keys in TPM 2.0.  Owners
      should follow the same practice of binding Local DevID LDevID and Local AK LAK as the
      manufacturer would for IDevID and IAK.  See Section Section 2.2.

   *  Device owners, however, can use any other mechanism they want want,
      including physical inspection and programming in a secure
      location, to assure themselves that local identity certificates
      are inserted into the intended device, including physical inspection and
      programming in a secure location, device if they prefer to avoid
      placing trust in the manufacturer-provided keys.

   Clearly, local keys can't be used for secure Zero Touch provisioning; SZTP; installation of the local
   keys can only be done by some process that runs before the device is
   installed for network operation, or by using procedures such as those
   outlined in Bootstrapping Remote Secure Key Infrastructure (BRSKI)
   [RFC8995].

   On the other end of the device life cycle, lifecycle, provision should be made to
   wipe local keys when a device is decommissioned, decommissioned to indicate that the
   device is no longer owned by the enterprise.  The manufacturer's
   Initial
   initial identity keys must be preserved, as they contain no
   information that's not already printed on the device's serial number
   plate.

5.5.  Other Factors for Trustworthy Operation

   In addition to the trustworthy provisioning of keys, RIV depends on a
   number of other factors for trustworthy operation.

   *  Secure identity depends on mechanisms to prevent per-device secret
      keys from being compromised.  The TPM provides this capability as
      a Root of Trust for Storage.

   *  Attestation depends on an unbroken chain of measurements, starting
      from the very first measurement.  See Section 9.1 Appendix A.1 for background
      on TPM practices.

   *  That first measurement is made by code called the Root of Trust
      for Measurement, RTM, typically
      done by trusted firmware stored in boot flash.  Mechanisms for
      maintaining the trustworthiness of the RTM are out of scope for
      RIV, but could include immutable firmware, signed updates, or a
      vendor-specific hardware verification technique.  See Section 9.2 Appendix A.2
      for background on roots Roots of trust. Trust.

   *  The device owner SHOULD provide some level of physical defense for
      the device.  If a TPM that has already been programmed with an
      authentic DevID is stolen and is inserted into a counterfeit
      device, attestation of that counterfeit device may become
      indistinguishable from an authentic device.

   RIV also depends on reliable Reference Values, as expressed by the
   RIM [RIM].  The definition of trust procedures for RIMs is out of
   scope for RIV, and the device owner is free to use any policy to
   validate a set of reference measurements.  It should also be noted
   that, while RIV can provide a reliable indication that a known
   software package is in use by the device, device and that the package has not
   been tampered, tampered with, it is the device owner's responsibility to
   determine that it's the correct package for the application.

   RIMs may be conveyed either out-of-band or in-band, in-band as part of the
   attestation process (see Section 3.1.3).  But  However, for network
   devices, where software is usually shipped as a self-contained
   package, RIMs signed by the manufacturer and delivered in-band may be
   more convenient for the device owner.

   The validity of RIV attestation results is also influenced by
   procedures used to create Reference Values:

   *  While the RIM itself is signed, supply-chains supply chains SHOULD be carefully
      scrutinized to ensure that the values are not subject to
      unexpected manipulation prior to signing.  Insider-attacks  Insider attacks against
      code bases and build chains are particularly hard to spot.

   *  Designers SHOULD guard against hash collision attacks.  Reference
      Integrity Manifests  RIMs often
      give hashes for large objects of indeterminate size; if size.  If one of
      the measured objects can be replaced with an implant engineered to
      produce the same hash, RIV will be unable to detect the
      substitution.  TPM1.2  TPM 1.2 only uses SHA-1 hashes only, hashes, which have been
      shown to be susceptible to collision attack.
      TPM2.0  TPM 2.0 will produce
      quotes with SHA-256, which so far has resisted such attacks.
      Consequently, RIV implementations SHOULD use
      TPM2.0. TPM 2.0.

6.  IANA Considerations

   This document has no IANA actions.

7.  Conclusion

   TCG technologies can play an important part in the implementation of
   Remote Integrity Verification.
   RIV.  Standards for many of the components needed for implementation
   of RIV already exist:

   *  Platform identity can be based on IEEE 802.1AR Device Identity, DevID, coupled with
      careful supply-chain management by the manufacturer.

   *  Complex supply chains can be certified using TCG Platform
      Certificates [Platform-Certificates]. [PLATFORM-CERTS].

   *  The TCG TAP mechanism coupled with [I-D.ietf-rats-yang-tpm-charra] [RFC9684] can be used to
      retrieve attestation evidence.

   *  Reference Values must be conveyed from the software authority
      (e.g., the manufacturer) in Reference Integrity Manifests, RIMs to the system in which
      verification will take place.  IETF and TCG SWID and CoSWID work ([I-D.ietf-sacm-coswid],
      ([RFC9393] [RIM]) forms the basis for this function.

10.

8.  References

10.1.

8.1.  Normative References

   [Canonical-Event-Log]

   [CEL]      Trusted Computing Group, "Canonical Event Log Format Format",
              Version 1.0 1.0, Revision .41, February 25, 2022", December
              2020, <https://trustedcomputinggroup.org/resource/
              canonical-event-log-format/>.

   [I-D.ietf-rats-architecture]
              Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
              W. Pan, "Remote Attestation Procedures Architecture", Work
              in Progress, Internet-Draft, draft-ietf-rats-architecture-
              15, 8 0.41, February 2022, <https://www.ietf.org/archive/id/
              draft-ietf-rats-architecture-15.txt>.

   [I-D.ietf-rats-yang-tpm-charra]
              Birkholz, H., Eckel, M., Bhandari, S., Voit, E., Sulzen,
              B., (Frank), L. X., Laffey, T., and G. C. Fedorkow, "A
              YANG Data Model for Challenge-Response-based Remote
              Attestation Procedures using TPMs", Work in Progress,
              March 2022, <https://www.ietf.org/archive/id/draft-ietf-
              rats-yang-tpm-charra-18.txt>.

   [I-D.ietf-sacm-coswid]
              Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
              Waltermire, "Concise Software Identification Tags", Work
              in Progress, Internet-Draft, draft-ietf-sacm-coswid-21, 7
              March 2022, <https://www.ietf.org/archive/id/draft-ietf-
              sacm-coswid-21.txt>.
              <https://trustedcomputinggroup.org/wp-content/uploads/
              TCG_IWG_CEL_v1_r0p41_pub.pdf>.

   [IEEE-802-1AR]
              Seaman, M., "802.1AR-2018 - IEEE
              IEEE, "IEEE Standard for Local and Metropolitan Area
              Networks - Secure Device Identity, Identity", IEEE
              Computer Society", Std 802.1AR-2018,
              DOI 10.1109/IEEESTD.2018.8423794, August 2018. 2018,
              <https://doi.org/10.1109/IEEESTD.2018.8423794>.

   [IMA]      dsafford, kds_etu, mzohar, reinersailer, and serge_hallyn,      "Integrity Measurement Architecture", June 2019,
              <https://sourceforge.net/p/linux-ima/wiki/Home/>.

   [PC-Client-BIOS-TPM-2.0] Architecture (IMA) Wiki", October
              2018, <https://sourceforge.net/p/linux-ima/wiki/
              Home/?version=31>.

   [PC-CLIENT-BIOS-TPM-2.0]
              Trusted Computing Group, "PC "TCG PC Client Specific Platform
              Firmware Profile Specification Specification", Family "2.0", Level 00
              Revision 1.05 00,
              Version 1.05, Revision 23, May 7, 2021", May 2021,
              <https://trustedcomputinggroup.org/resource/pc-client-
              specific-platform-firmware-profile-specification/>.

   [PC-Client-EFI-TPM-1.2]

   [PC-CLIENT-EFI-TPM-1.2]
              Trusted Computing Group, "TCG EFI Platform Specification
              for Specification",
              For TPM Family 1.1 or 1.2, Specification Version 1.22, Revision 15", 15,
              January 2014,
              <https://trustedcomputinggroup.org/resource/tcg-efi-
              platform-specification/>.

   [PC-Client-RIM] <https://trustedcomputinggroup.org/resource/
              tcg-efi-platform-specification/>.

   [PC-CLIENT-RIM]
              Trusted Computing Group, "TCG PC Client Reference
              Integrity Manifest Specification, v1.04, Nov 4, 2020",
              December 2019,
              <https://trustedcomputinggroup.org/resource/tcg-pc-client-
              reference-integrity-manifest-specification/>.

   [Platform-DevID-TPM-2.0] Specification", Version 1.04, November
              2020, <https://trustedcomputinggroup.org/resource/tcg-pc-
              client-reference-integrity-manifest-specification/>.

   [PLATFORM-DEVID-TPM-2.0]
              Trusted Computing Group, "TPM 2.0 Keys for Device Identity
              and Attestation, Specification Attestation", Version 1.0, 1.00, Revision 2",
              September 2020, 12, October 2021,
              <https://trustedcomputinggroup.org/resource/tpm-2-0-keys-
              for-device-identity-and-attestation/>.

   [Platform-ID-TPM-1.2]

   [PLATFORM-ID-TPM-1.2]
              Trusted Computing Group, "TPM "TCG Infrastructure WG TPM Keys
              for Platform Identity for TPM 1.2, 1.2", Specification Version
              1.0, Revision 3", 3, August 2015, <https://trustedcomputinggroup.org/resource/
              tpm-keys-for-platform-identity-for-tpm-1-2-2/>.
              <https://trustedcomputinggroup.org/resource/tpm-keys-for-
              platform-identity-for-tpm-1-2-2/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4253]  Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
              January 2006, <https://www.rfc-editor.org/info/rfc4253>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/info/rfc6241>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC9334]  Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
              W. Pan, "Remote ATtestation procedureS (RATS)
              Architecture", RFC 9334, DOI 10.17487/RFC9334, January
              2023, <https://www.rfc-editor.org/info/rfc9334>.

   [RFC9393]  Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
              Waltermire, "Concise Software Identification Tags",
              RFC 9393, DOI 10.17487/RFC9393, June 2023,
              <https://www.rfc-editor.org/info/rfc9393>.

   [RFC9684]  Birkholz, H., Eckel, M., Bhandari, S., Voit, E., Sulzen,
              B., Xia, L., Laffey, T., and G. Fedorkow, "A YANG Data
              Model for Challenge-Response-Based Remote Attestation
              (CHARRA) Procedures Using Trusted Platform Modules
              (TPMs)", RFC 9684, DOI 10.17487/RFC9684, October 2024,
              <https://www.rfc-editor.org/info/rfc9684>.

   [RIM]      Trusted Computing Group, "TCG Reference Integrity Manifest
              (RIM) Information Model, v1.0, Model", Version 1.01, Revision 0.16, Nov 12,
              2020", June 2019,
              November 2020,
              <https://trustedcomputinggroup.org/resource/tcg-reference-
              integrity-manifest-rim-information-model/>.

   [SWID]     The International Organization for Standardization/
              International Electrotechnical Commission,     ISO/IEC, "Information
              Technology Software Asset Management technology - IT asset management -
              Part 2: Software
              Identification Tag, ISO/IEC 19770-2", identification tag", ISO/
              IEC 19770-2:2015, October 2015,
              <https://www.iso.org/standard/65666.html>.

   [TAP]      Trusted Computing Group, "TCG Trusted Attestation Protocol
              (TAP) Information Model for TPM Families 1.2 and 2.0 and
              DICE Family 1.0, 1.0", Version 1.0, Revision 0.36", 0.36, October
              2018, <https://trustedcomputinggroup.org/resource/tcg-tap-
              information-model/>.

10.2. <https://trustedcomputinggroup.org/wp-
              content/uploads/
              TNC_TAP_Information_Model_v1.00_r0.36-FINAL.pdf>.

8.2.  Informative References

   [AK-Enrollment]

   [AIK-ENROLL]
              Trusted Computing Group, "TCG Infrastructure Working Group
              -
              A CMC Profile for AIK Certificate Enrollment Enrollment", Version
              1.0, Revision 7", 7, March 2011,
              <https://trustedcomputinggroup.org/resource/tcg-
              infrastructure-working-group-a-cmc-profile-for-aik-
              certificate-enrollment/>.

   [I-D.birkholz-rats-network-device-subscription]
              Birkholz, H., Voit, E., and W. Pan, "Attestation Event
              Stream Subscription", Work in Progress, Internet-Draft,
              draft-birkholz-rats-network-device-subscription-03, 17
              August 2021, <https://www.ietf.org/archive/id/draft-
              birkholz-rats-network-device-subscription-03.txt>.

   [I-D.birkholz-rats-reference-interaction-model]
              Birkholz, H., Eckel, M., Newton, C., and L. Chen,
              "Reference Interaction Models

   [IEEE-802.1AE]
              IEEE, "IEEE Standard for Remote Attestation
              Procedures", Work in Progress, Internet-Draft, draft-
              birkholz-rats-reference-interaction-model-03, 7 July 2020,
              <https://www.ietf.org/archive/id/draft-birkholz-rats-
              reference-interaction-model-03.txt>.

   [I-D.birkholz-rats-tuda]
              Fuchs, A., Birkholz, H., McDonald, I. E., and C. Bormann,
              "Time-Based Uni-Directional Attestation", Work in
              Progress, Internet-Draft, draft-birkholz-rats-tuda-06, 12
              January 2022, <https://www.ietf.org/archive/id/draft-
              birkholz-rats-tuda-06.txt>.

   [I-D.ietf-rats-eat]
              Lundblade, L., Mandyam, G., and J. O'Donoghue, "The Entity
              Attestation Token (EAT)", Work in Progress, Internet-
              Draft, draft-ietf-rats-eat-12, 24 February 2022,
              <https://www.ietf.org/archive/id/draft-ietf-rats-eat-
              12.txt>.

   [I-D.richardson-rats-usecases]
              Richardson, M., Wallace, C., Local and W. Pan, "Use cases for
              Remote Attestation common encodings", Work in Progress,
              November 2020, <https://www.ietf.org/archive/id/draft-
              richardson-rats-usecases-08.txt>.

   [IEEE-802.1AE]
              Seaman, M., "802.1AE MAC Security (MACsec)", 2018,
              <https://1.ieee802.org/security/802-1ae/>.

   [IEEE-802.1X]
              IEEE Computer Society, "802.1X-2020 metropolitan area
              networks - Media Access Control (MAC) Security", IEEE Std
              802.1AE-2018, DOI 10.1109/IEEESTD.2018.8585421, 2018,
              <https://doi.org/10.1109/IEEESTD.2018.8585421>.

   [IEEE-802.1X]
              IEEE, "IEEE Standard for Local and Metropolitan Area Networks--Port-Based
              Networks - Port-Based Network Access Control", IEEE Std
              802.1X-2020, DOI 10.1109/IEEESTD.2020.9018454, February
              2020,
              <https://standards.ieee.org/standard/802_1X-2020.html>. <https://doi.org/10.1109/IEEESTD.2020.9018454>.

   [LLDP]     IEEE Computer Society, "802.1AB-2016 - IEEE     IEEE, "IEEE Standard for Local and metropolitan area
              networks - Station and Media Access Control Connectivity
              Discovery", IEEE Std 802.1AB-2016,
              DOI 10.1109/IEEESTD.2016.7433915, March 2016,
              <https://standards.ieee.org/standard/802_1AB-2016.html>.

   [NetEq]
              <https://doi.org/10.1109/IEEESTD.2016.7433915>.

   [NET-EQ]   Trusted Computing Group, "TCG Guidance for Securing
              Network Equipment, Equipment Using TCG Technology", Version 1.0,
              Revision 29", 29, January 2018, <https://trustedcomputinggroup.org/resource/tcg-
              guidance-securing-network-equipment/>.
              <https://trustedcomputinggroup.org/resource/tcg-guidance-
              securing-network-equipment/>.

   [NIST-IR-8060]
              National Institute for Standards
              Waltermire, D., Cheikes, B. A., Feldman, L., and Technology, G. Witte,
              "Guidelines for the Creation of Interoperable Software
              Identification (SWID) Tags", NIST NISTIR 8060,
              DOI 10.6028/NIST.IR.8060, April 2016,
              <https://nvlpubs.nist.gov/nistpubs/ir/2016/
              NIST.IR.8060.pdf>.

   [Platform-Certificates]

   [PLATFORM-CERTS]
              Trusted Computing Group, "TCG Platform Attribute
              Credential Profile, Profile", Specification Version 1.0, Revision
              16",
              16, January 2018,
              <https://trustedcomputinggroup.org/resource/tcg-platform-
              attribute-credential-profile/>.

   [Provisioning-TPM-2.0]

   [PROV-TPM-2.0]
              Trusted Computing Group, "TCG TPM v2.0 Provisioning
              Guidance,
              Guidance", Version 1.0, Revision 1.0", 1.0, March 2015, 2017,
              <https://trustedcomputinggroup.org/wp-content/uploads/TCG-
              TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf>.

   [RATS-EAT] Lundblade, L., Mandyam, G., O'Donoghue, J., and C.
              Wallace, "The Entity Attestation Token (EAT)", Work in
              Progress, Internet-Draft, draft-ietf-rats-eat-31, 6
              September 2024, <https://datatracker.ietf.org/doc/html/
              draft-ietf-rats-eat-31>.

   [RATS-INTERACTION-MODELS]
              Birkholz, H., Eckel, M., Pan, W., and E. Voit, "Reference
              Interaction Models for Remote Attestation Procedures",
              Work in Progress, Internet-Draft, draft-ietf-rats-
              reference-interaction-models-11, 22 July 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-rats-
              reference-interaction-models-11>.

   [RATS-NET-DEV-SUB]
              Birkholz, H., Voit, E., and W. Pan, "Attestation Event
              Stream Subscription", Work in Progress, Internet-Draft,
              draft-ietf-rats-network-device-subscription-05, 7 July
              2024, <https://datatracker.ietf.org/doc/html/draft-ietf-
              rats-network-device-subscription-05>.

   [RATS-TUDA]
              Fuchs, A., Birkholz, H., McDonald, I., and C. Bormann,
              "Time-Based Uni-Directional Attestation", Work in
              Progress, Internet-Draft, draft-birkholz-rats-tuda-07, 10
              July 2022, <https://datatracker.ietf.org/doc/html/draft-
              birkholz-rats-tuda-07>.

   [RATS-USECASES]
              Richardson, M., Wallace, C., and W. Pan, "Use cases for
              Remote Attestation common encodings", Work in Progress,
              November 2020, <https://datatracker.ietf.org/doc/html/
              draft-richardson-rats-usecases-08>.

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
              Levkowetz, Ed., "Extensible Authentication Protocol
              (EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004,
              <https://www.rfc-editor.org/info/rfc3748>.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
              2011, <https://www.rfc-editor.org/info/rfc6125>.

   [RFC6813]  Salowey, J. and S. Hanna, "The Network Endpoint Assessment
              (NEA) Asokan Attack Analysis", RFC 6813,
              DOI 10.17487/RFC6813, December 2012,
              <https://www.rfc-editor.org/info/rfc6813>.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016,
              <https://www.rfc-editor.org/info/rfc7950>.

   [RFC8572]  Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero
              Touch Provisioning (SZTP)", RFC 8572,
              DOI 10.17487/RFC8572, April 2019,
              <https://www.rfc-editor.org/info/rfc8572>.

   [RFC8995]  Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
              and K. Watsen, "Bootstrapping Remote Secure Key
              Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995,
              May 2021, <https://www.rfc-editor.org/info/rfc8995>.

   [SP800-155]
              National Institute of Standards

   [RFC9525]  Saint-Andre, P. and Technology, R. Salz, "Service Identity in TLS",
              RFC 9525, DOI 10.17487/RFC9525, November 2023,
              <https://www.rfc-editor.org/info/rfc9525>.

   [SP800-155]
              NIST, "BIOS Integrity Measurement Guidelines (Draft)",
              NIST SP 800-155 (Draft), December 2011,
              <https://csrc.nist.gov/csrc/media/publications/sp/800-
              155/draft/documents/draft-sp800-155_dec2011.pdf>.
              <https://csrc.nist.gov/files/pubs/sp/800/155/ipd/docs/
              draft-sp800-155_dec2011.pdf>.

   [SP800-193]
              National Institute for Standards and Technology, "NIST
              Special Publication 800-193: Platform
              NIST, "Platform Firmware Resiliency Guidelines", April NIST
              SP 800-193, DOI 10.6028/NIST.SP.800-193, May 2018,
              <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/
              NIST.SP.800-193.pdf>.

   [SWID-Gen]

   [SWID-GEN] Labs64, Munich, Germany, "SoftWare IDentification (SWID) Tags Generator
              (Maven Plugin)", n.d.,
              <https://github.com/Labs64/swid-maven-plugin>.

   [TCGRoT]

   [TCG-RT]   Trusted Computing Group, "DRAFT: TCG "TCG Roots of Trust
              Specification", October (Draft), Family "1.0", Level 00, Revision
              0.20, July 2018,
              <https://trustedcomputinggroup.org/wp-content/uploads/ <https://trustedcomputinggroup.org/wp-
              content/uploads/
              TCG_Roots_of_Trust_Specification_v0p20_PUBLIC_REVIEW.pdf>.

   [TPM1.2]

   [TPM-1.2]  Trusted Computing Group, "TPM 1.2 Main Specification Specification",
              Level 2 2, Version 1.2, Revision 116", 116, March 2011,
              <https://trustedcomputinggroup.org/resource/tpm-main-
              specification/>.

   [TPM2.0]

   [TPM-2.0]  Trusted Computing Group, "Trusted Platform Module Library
              Specification,
              Library", Family "2.0", Level 00, Revision 01.59", 01.59, November
              2019,
              <https://trustedcomputinggroup.org/resource/tpm-library-
              specification/>.

A. <https://trustedcomputinggroup.org/resource/tpm-
              library-specification/>.

Appendix A.  Supporting Materials

A.1.  Using a TPM for Attestation

   The Trusted Platform Module TPM and surrounding ecosystem provide three interlocking
   capabilities to enable secure collection of evidence from a remote device, Platform Configuration Registers (PCRs),
   device: PCRs, a Quote mechanism, and a standardized Event Log.

   Each TPM has at least eight and at most twenty-four PCRs (depending
   on the profile and vendor choices), each one large enough to hold one
   hash value (SHA-1, SHA-256, and other hash algorithms can be used,
   depending on TPM version).  PCRs can't be accessed directly from
   outside the chip, but the TPM interface provides a way to "extend" a
   new security measurement hash into any PCR, a process by which the
   existing value in the PCR is hashed with the new security measurement
   hash, and the result placed back into the same PCR.  The result is a
   composite fingerprint comprising the hash of all the security
   measurements extended into each PCR since the system was reset.

   Every time a PCR is extended, an entry should be added to the
   corresponding Event Log.  Logs contain the security measurement hash
   plus informative fields offering hints as to which event generated
   the security measurement.  The Event Log itself is protected against
   accidental manipulation, but it is implicitly tamper-evident - any tamper-evident: Any
   verification process can read the security measurement hash from the
   log events, compute the composite value value, and compare that to what
   ended up is
   in the PCR.  If there's no discrepancy, the logs do provide an
   accurate view of what was placed into the PCR.

   Note that the composite hash-of-hashes recorded in PCRs is order-
   dependent, resulting in different PCR values for different ordering
   of the same set of events (e.g. (e.g., Event A followed by Event B yields a
   different PCR value than B followed by A).  For single-threaded code,
   where both the events and their order are fixed, a Verifier may
   validate a single PCR value, and use the log only to diagnose a
   mismatch from Reference Values.  However, operating system code is
   usually non-deterministic, nondeterministic, meaning that there may never be a single
   "known good" PCR value.  In this case, the Verifier may have to
   verify that the log is correct, and then analyze each item in the log
   to determine if it represents an authorized event.

   In a conventional TPM Attestation environment, the first measurement
   must be made and extended into the TPM by trusted device code (called
   the Root of Trust for Measurement, RTM).  That first measurement should cover the segment of code
   that is run immediately after the RTM, which then measures the next
   code segment before running it, and so on, forming an unbroken chain
   of trust.  See [TCGRoT] [TCG-RT] for more on Mutable vs vs. Immutable roots Roots of trust.
   Trust.

   The TPM provides another mechanism called a Quote that can read the
   current value of the PCRs and package them, along with the Verifier's
   nonce, into a TPM-specific data structure signed by an Attestation
   private key, known only to the TPM.

   As noted above in Section 5 Security Considerations, it's

   It's important to note that the Quote data structure is signed inside
   the TPM. TPM (see Section 5, Security Considerations).  The trust model is
   preserved by retrieving the Quote in a way that does not invalidate
   the signature, as specified in
   [I-D.ietf-rats-yang-tpm-charra]. [RFC9684].  The structure of the
   command and response for a quote, including its signature, as
   generated by the TPM, can be seen in [TPM1.2] Part 3, Section 16.5, of
   [TPM-1.2] and [TPM2.0] Section 18.4.2. 18.4.2 of [TPM-2.0].

   The Verifier uses the Quote and Log together.  The Quote contains the
   composite hash of the complete sequence of security measurement
   hashes, signed by the TPM's private Attestation Key. AK.  The Log contains a record of
   each measurement extended into the TPM's PCRs.  By computing the
   composite hash of all the measurements, the Verifier can verify the
   integrity of the Event Log, even though the Event Log itself is not
   signed.  Each hash in the validated Event Log can then be compared to
   corresponding expected values in the set of Reference Values to
   validate overall system integrity.

   A summary of information exchanged in obtaining quotes from TPM1.2 TPM 1.2
   and TPM2.0 TPM 2.0 can be found in [TAP], Section 4.  Detailed information
   about PCRs and Quote data structures can be found in [TPM1.2],
   [TPM2.0]. [TPM-1.2],
   [TPM-2.0].  Recommended log formats include [PC-Client-BIOS-TPM-2.0], [PC-CLIENT-BIOS-TPM-2.0],
   and [Canonical-Event-Log]. [CEL].

A.2.  Root of Trust for Measurement (RTM)

   The measurements needed for attestation require that the device being
   attested is equipped with a Root of Trust for Measurement, an RTM, that is, some trustworthy mechanism
   that can compute the first measurement in the chain of trust required
   to attest that each stage of system startup is verified, a Root of
   Trust for Storage (i.e., the TPM PCRs) to record the results, and a
   Root of Trust for Reporting to report the results.

   While there are many complex aspects of Roots of Trust ( [TCGRoT],
   [SP800-155], ([TCG-RT]
   [SP800-155] [SP800-193]), two aspects that are important in the case
   of attestation are:

   *  The first measurement computed by the Root of Trust for
      Measurement, RTM and stored in the TPM's
      Root of Trust for Storage, Storage must be assumed to be correct.

   *  There must not be a way to reset the Root of Trust for Storage
      without re-entering the Root of Trust for Measurement RTM code.

   The first measurement must be computed by code that is implicitly
   trusted; if that first measurement can be subverted, none of the
   remaining measurements can be trusted.  (See [SP800-155]) [SP800-155].)

   It's important to note that the trustworthiness of the RTM code
   cannot be assured by the TPM or TPM supplier - -- code or procedures
   external to the TPM must guarantee the security of the RTM.

A.3.  Layering Model for Network Equipment Attester and Verifier

   Retrieval of identity and attestation state uses one protocol stack,
   while retrieval of Reference Values uses a different set of
   protocols.  Figure 5 shows the components involved.

   +-----------------------+              +-------------------------+
   |                       |              |                         |
   |       Attester        |<-------------|        Verifier         |
   |       (Device)        |------------->|   (Management Station)  |
   |                       |      |       |                         |
   +-----------------------+      |       +-------------------------+
                                  |
              -------------------- --------------------
              |                                        |
   -------------------------------    ---------------------------------
   |Reference
   |      Reference Values       |    |          Attestation          |
   -------------------------------    ---------------------------------

   ********************************************************************
   *         IETF Attestation Reference Interaction Diagram           *
   ********************************************************************

       .........................          .........................
       .  Reference Integrity  .          .   TAP (PTS2.0) Info   .
       .       Manifest        .          .  Model and Canonical  .
       .                       .          .      Log Format       .
       .........................          .........................

       *************************          *************************
       *    YANG SWID Module   *          *    YANG Attestation   *
       * I-D.ietf-sacm-coswid       RFC9393         *          *        Module         *
       *                       *          * I-D.ietf-rats-        RFC9684        *
       *                       *          * yang-tpm-charra                       *
       *************************          *************************

       *************************          *************************
       * XML, JSON, CBOR (etc) CBOR, etc. *          * XML, JSON, CBOR (etc) CBOR, etc. *
       *************************          *************************

       *************************          *************************
       *   RESTCONF/NETCONF    *          *   RESTCONF/NETCONF    *
       *************************          *************************

       *************************          *************************
       *       TLS, SSH        *          *       TLS, SSH        *
       *************************          *************************

                       Figure 6: 5: RIV Protocol Stacks

   IETF documents are captured in boxes surrounded by asterisks.  TCG
   documents are shown in boxes surrounded by dots.

A.4.  Implementation Notes

   Figure 7

   Table 2 summarizes many of the actions needed to complete an
   Attestation system, with links to relevant documents.  While
   documents are controlled by several standards organizations, the
   implied actions required for implementation are all the
   responsibility of the manufacturer of the device, unless otherwise
   noted.

   As noted, SWID tags can be generated many ways, but one possible tool
   is [SWID-Gen]

   +------------------------------------------------------------------+ [SWID-GEN].

   +========================================+==========================+
   | Component                              | Controlling              |
   |                                        | Specification            |
   --------------------------------------------------------------------
   +========================================+==========================+
   | Make a Secure execution environment environment:   | [TCG-RT]                 |   TCG RoT
   |                                        |   o                          |
   | *  Attestation depends on a secure root of     |   UEFI.org <www.uefi.org>           |
   |     trust for measurement    RTM outside the TPM, as well as     |                          |
   |     well as roots    Roots for storage Storage and reporting Reporting     |                          |
   |    inside the TPM.                     |                          |
   |   o                                        |                          |
   | *  Refer to TCG Root "TCG Roots of Trust for Measurement.|        |                          |   o  NIST SP 800-193
   |    Specification" [TCG-RT].            |                          |
   |                                        |                          |
   | *  [SP800-193] also provides guidelines           |                          |
   |    guidelines on Roots of Trust Trust.       |                          |
   --------------------------------------------------------------------
   +----------------------------------------+--------------------------+
   | Provision the TPM as described in       |[Platform-DevID-TPM-2.0]| the  | [PLATFORM-DEVID-TPM-2.0] |
   | TCG documents.                         | TCG Platform                          |
   |                                        |   Certificate [PLATFORM-CERTS]         |
   --------------------------------------------------------------------
   +----------------------------------------+--------------------------+
   | Put a DevID or Platform Cert Certificate    | [PLATFORM-DEVID-TPM-2.0] |
   | in the TPM TPM:                            |                          | TCG TPM DevID
   |                                        |    o [PLATFORM-CERTS]         |
   | *  Install an Initial Attestation Key IAK at the  | TCG Platform   |
   | same time so  +--------------------------+
   |    that Attestation can work out |   Certificate  |
   | of the box                                 |-----------------
   |    o Equipment suppliers and owners may want to | IEEE 802.1AR   |
   |      implement Local Device ID as well as       |                |
   |      Initial Device ID    | [IEEE-802-1AR]           |
   --------------------------------------------------------------------
   +----------------------------------------+--------------------------+
   | Connect the TPM to the TLS stack stack:      | Vendor TLS stack (This   |
   |                                        | action configures TLS to |
   |    o *  Use the DevID in the TPM to authenticate  | stack (This    |
   |       TAP connections, identifying the device   | action is         |
   |                                                 | configuring TLS|
   |                                               | to use the DevID as its     |
   |    authenticate TAP connections,       | as its client certificate)      |
   |    identifying the device              | certificate)                          |
   --------------------------------------------------------------------
   +----------------------------------------+--------------------------+
   | Make CoSWID tags for BIOS/Loader/Kernel objects BIOS/Loader/      | IETF CoSWID [RFC9393]                |
   |    o Kernel objects:                        |                          |
   |                                        | [SWID]                   |
   | *  Add reference measurements into     |                          |
   |    SWID tags tags.                          | [NIST-IR-8060]           |
   |                                        | ISO/IEC 19770-2|                          |    o
   | *  Manufacturer should sign the SWID tags   | NIST IR 8060                          |
   |    o    tags.                               |                          |
   |                                        |                          |
   | *  The TCG RIM-IM [RIM] identifies further     |                          |
   |    further procedures to create signed RIM        |                          |
   |    signed RIM documents that provide   |                          |
   |    the necessary reference             |                          |
   |       reference information    information.                        |                          |
   --------------------------------------------------------------------
   +----------------------------------------+--------------------------+
   | Package the SWID tags with a vendor software    | Retrieve tags with       |
   |  release software release:                      | with [RFC9393].               |
   |    o                                        +--------------------------+
   | *  A tag-generator plugin such          | I-D.ietf-sacm-coswid|
   | as [SWID-Gen] can be used                   |----------------|      | [PC-CLIENT-RIM]          | TCG PC Client  |
   |                                                 | RIM            |
   --------------------------------------------------------------------
   +----------------------------------------+--------------------------+
   | Use PC Client measurement definitions  | TCG PC Client [PC-CLIENT-BIOS-TPM-2.0] |
   | to define the use of PCRs (although    | BIOS                          |
   |  (although Windows OS is rare on Networking       |                          |
   | Equipment, UEFI BIOS is not) not).          |                          |
   --------------------------------------------------------------------
   +----------------------------------------+--------------------------+
   | Use TAP to retrieve measurements measurements:      | [RFC9684]                |
   |    o  Map to YANG                                        | YANG Module for|                          |  Use Canonical Log Format
   |   Basic *  Map to YANG.                        | [CEL]                    |
   |   Attestation                                        |                          |
   | TCG Use Canonical  |
   |                                                 | Log Format Format.              |
   --------------------------------------------------------------------                          |
   +----------------------------------------+--------------------------+
   | A Posture Collection Server (as described in IETF        |                          |
   | described in IETF SACMs ECP) should request the    |                          |
   | request the attestation and analyze the result    |                          |
   | the result.  The Management            |                          |
   | application might be broken down to    |                          |
   |  to several more components:               |                          |
   |    o                                        |                          |
   | *  A Posture Manager Server that       |                          |
   |       which    collects reports and stores them in    |                          |
   |    in a database database.                      |                          |
   |    o                                        |                          |
   | *  One or more Analyzers that can look at the|      |                          |
   |    look at the results and figure out  |                          |
   |    what it means.                      |                          |
   --------------------------------------------------------------------

                         Figure 7:
   +----------------------------------------+--------------------------+

                         Table 2: Component Status

Acknowledgements

   The authors wish to thank numerous reviewers for generous assistance,
   including William Bellingrath, Mark Baushke, Ned Smith, Henk
   Birkholz, Tom Laffey, Dave Thaler, Wei Pan, Michael Eckel, Thomas
   Hardjono, Bill Sulzen, Willard (Monty) Wiseman, Kathleen Moriarty,
   Nancy Cam-Winget Cam-Winget, and Shwetha Bhandari Bhandari.

Authors' Addresses

   Guy Fedorkow (editor)
   Juniper Networks, Inc.
   10 Technology Park Drive
   Westford, Massachusetts 01886
   United States of America
   Email: gfedorkow@juniper.net

   Eric Voit
   Cisco Systems
   Email: evoit@cisco.com

   Jessica Fitzgerald-McKay
   National Security Agency
   9800 Savage Road
   Ft. Meade, Maryland 20755
   United States of America
   Email: jmfitz2@nsa.gov