RFC 8572
Secure Zero Touch Provisioning (SZTP)
5. Device Details
Devices supporting the bootstrapping strategy described in this document MUST have the pre-configured state and bootstrapping logic described in the following sections.5.1. Initial State
+-------------------------------------------------------------+ | <device> | | | | +---------------------------------------------------------+ | | | <read/write storage> | | | | | | | | 1. flag to enable SZTP bootstrapping set to "true" | | | +---------------------------------------------------------+ | | | | +---------------------------------------------------------+ | | | <read-only storage> | | | | | | | | 2. TLS client cert & related intermediate certificates | | | | 3. list of trusted well-known bootstrap servers | | | | 4. list of trust anchor certs for bootstrap servers | | | | 5. list of trust anchor certs for ownership vouchers | | | +---------------------------------------------------------+ | | | | +-----------------------------------------------------+ | | | <secure storage> | | | | | | | | 6. private key for TLS client certificate | | | | 7. private key for decrypting SZTP artifacts | | | +-----------------------------------------------------+ | | | +-------------------------------------------------------------+ Each numbered item below corresponds to a numbered item in the diagram above. 1. Devices MUST have a configurable variable that is used to enable/ disable SZTP bootstrapping. This variable MUST be enabled by default in order for SZTP bootstrapping to run when the device first powers on. Because it is a goal that the configuration installed by the bootstrapping process disables SZTP bootstrapping, and because the configuration may be merged into the existing configuration, using a configuration node that
relies on presence is NOT RECOMMENDED, as it cannot be removed by
the merging process.
2. Devices that support loading bootstrapping data from bootstrap
servers (see Section 4.4) SHOULD possess a TLS-level client
certificate and any intermediate certificates leading to the
certificate's well-known trust anchor. The well-known trust
anchor certificate may be an intermediate certificate or a self-
signed root certificate. To support devices not having a client
certificate, devices MAY, alternatively or in addition to,
identify and authenticate themselves to the bootstrap server
using an HTTP authentication scheme, as allowed by Section 2.5 of
[RFC8040]; however, this document does not define a mechanism for
operator input enabling, for example, the entering of a password.
3. Devices that support loading bootstrapping data from well-known
bootstrap servers MUST possess a list of the well-known bootstrap
servers. Consistent with redirect information (Section 2.1),
each bootstrap server can be identified by its hostname or IP
address and an optional port.
4. Devices that support loading bootstrapping data from well-known
bootstrap servers MUST also possess a list of trust anchor
certificates that can be used to authenticate the well-known
bootstrap servers. For each trust anchor certificate, if it is
not itself a self-signed root certificate, the device SHOULD also
possess the chain of intermediate certificates leading up to and
including the self-signed root certificate.
5. Devices that support loading signed data (see Section 1.2) MUST
possess the trust anchor certificates for validating ownership
vouchers. For each trust anchor certificate, if it is not itself
a self-signed root certificate, the device SHOULD also possess
the chain of intermediate certificates leading up to and
including the self-signed root certificate.
6. Devices that support using a TLS-level client certificate to
identify and authenticate themselves to a bootstrap server MUST
possess the private key that corresponds to the public key
encoded in the TLS-level client certificate. This private key
SHOULD be securely stored, ideally in a cryptographic processor,
such as a trusted platform module (TPM) chip.
7. Devices that support decrypting SZTP artifacts MUST posses the
private key that corresponds to the public key encoded in the
secure device identity certificate used when encrypting the
artifacts. This private key SHOULD be securely stored, ideally
in a cryptographic processor, such as a trusted platform module
(TPM) chip. This private key MAY be the same as the one
associated to the TLS-level client certificate used when
connecting to bootstrap servers.
A YANG module representing this data is provided in Appendix A.
5.2. Boot Sequence
A device claiming to support the bootstrapping strategy defined in
this document MUST support the boot sequence described in this
section.
Power On
|
v No
1. SZTP bootstrapping configured ------> Boot normally
|
| Yes
v
2. For each supported source of bootstrapping data,
try to load bootstrapping data from the source
|
|
v Yes
3. Able to bootstrap from any source? -----> Run with new config
|
| No
v
4. Loop back to Step 1
Note: At any time, the device MAY be configured via an alternate
provisioning mechanism (e.g., command-line interface (CLI)).
Each numbered item below corresponds to a numbered item in the
diagram above.
1. When the device powers on, it first checks to see if SZTP
bootstrapping is configured, as is expected to be the case for
the device's pre-configured initial state. If SZTP bootstrapping
is not configured, then the device boots normally.
2. The device iterates over its list of sources for bootstrapping
data (Section 4). Details for how to process a source of
bootstrapping data are provided in Section 5.3.
3. If the device is able to bootstrap itself from any of the sources
of bootstrapping data, it runs with the new bootstrapped
configuration.
4. Otherwise, the device MUST loop back through the list of
bootstrapping sources again.
This document does not limit the simultaneous use of alternate
provisioning mechanisms. Such mechanisms may include, for instance,
a CLI, a web-based user interface, or even another bootstrapping
protocol. Regardless of how it is configured, the configuration
SHOULD unset the flag enabling SZTP bootstrapping as discussed in
Section 5.1.
5.3. Processing a Source of Bootstrapping Data
This section describes a recursive algorithm that devices can use to,
ultimately, obtain onboarding information. The algorithm is
recursive because sources of bootstrapping data may return redirect
information, which causes the algorithm to run again, for the newly
discovered sources of bootstrapping data. An expression that
captures all possible successful sequences of bootstrapping data is:
zero or more redirect information responses, followed by one
onboarding information response.
An important aspect of the algorithm is knowing when data needs to be
signed or not. The following figure provides a summary of options:
Untrusted Source Trusted Source
Kind of Bootstrapping Data Can Provide? Can Provide?
Unsigned Redirect Info : Yes+ Yes
Signed Redirect Info : Yes Yes*
Unsigned Onboarding Info : No Yes
Signed Onboarding Info : Yes Yes*
The '+' above denotes that the source redirected to MUST
return signed data or more unsigned redirect information.
The '*' above denotes that, while possible, it is generally
unnecessary for a trusted source to return signed data.
The recursive algorithm uses a conceptual globally scoped variable
called "trust-state". The trust-state variable is initialized to
FALSE. The ultimate goal of this algorithm is for the device to
process onboarding information (Section 2.2) while the trust-state
variable is TRUE.
If the source of bootstrapping data (Section 4) is a bootstrap server (Section 4.4), and the device is able to authenticate the bootstrap server using X.509 certificate path validation ([RFC6125], Section 6) to one of the device's pre-configured trust anchors, or to a trust anchor that it learned from a previous step, then the device MUST set trust-state to TRUE. When establishing a connection to a bootstrap server, whether trusted or untrusted, the device MUST identify and authenticate itself to the bootstrap server using a TLS-level client certificate and/or an HTTP authentication scheme, per Section 2.5 of [RFC8040]. If both authentication mechanisms are used, they MUST both identify the same serial number. When sending a client certificate, the device MUST also send all of the intermediate certificates leading up to, and optionally including, the client certificate's well-known trust anchor certificate. For any source of bootstrapping data (e.g., Section 4), if any artifact obtained is encrypted, the device MUST first decrypt it using the private key associated with the device certificate used to encrypt the artifact. If the conveyed information artifact is signed, and the device is able to validate the signed data using the algorithm described in Section 5.4, then the device MUST set trust-state to TRUE; otherwise, if the device is unable to validate the signed data, the device MUST set trust-state to FALSE. Note that this is worded to cover the special case when signed data is returned even from a trusted source of bootstrapping data. If the conveyed information artifact contains redirect information, the device MUST, within limits of how many recursive loops the device allows, process the redirect information as described in Section 5.5. Implementations MUST limit the maximum number of recursive redirects allowed; the maximum number of recursive redirects allowed SHOULD be no more than ten. This is the recursion step; it will cause the device to reenter this algorithm, but this time the data source will definitely be a bootstrap server, as redirect information is only able to redirect devices to bootstrap servers. If the conveyed information artifact contains onboarding information, and trust-state is FALSE, the device MUST exit the recursive algorithm (as this is not allowed; see the figure above), returning to the bootstrapping sequence described in Section 5.2. Otherwise, the device MUST attempt to process the onboarding information as described in Section 5.6. Whether the processing of the onboarding
information succeeds or fails, the device MUST exit the recursive algorithm, returning to the bootstrapping sequence described in Section 5.2; the only difference is how it responds to the "Able to bootstrap from any source?" conditional described in the figure in that section.5.4. Validating Signed Data
Whenever a device is presented signed data, it MUST validate the signed data as described in this section. This includes the case where the signed data is provided by a trusted source. Whenever there is signed data, the device MUST also be provided an ownership voucher and an owner certificate. How all the needed artifacts are provided for each source of bootstrapping data is described in Section 4. In order to validate signed data, the device MUST first authenticate the ownership voucher by validating its signature to one of its pre- configured trust anchors (see Section 5.1), which may entail using additional intermediate certificates attached to the ownership voucher. If the device has an accurate clock, it MUST verify that the ownership voucher was created in the past (i.e., "created-on" < now), and if the "expires-on" leaf is present, the device MUST verify that the ownership voucher has not yet expired (i.e., now < "expires- on"). The device MUST verify that the ownership voucher's "assertion" value is acceptable (e.g., some devices may only accept the assertion value "verified"). The device MUST verify that the ownership voucher specifies the device's serial number in the "serial-number" leaf. If the "idevid-issuer" leaf is present, the device MUST verify that the value is set correctly. If the authentication of the ownership voucher is successful, the device extracts the "pinned-domain-cert" node, an X.509 certificate, that is needed to verify the owner certificate in the next step. The device MUST next authenticate the owner certificate by performing X.509 certificate path verification to the trusted certificate extracted from the ownership voucher's "pinned-domain-cert" node. This verification may entail using additional intermediate certificates attached to the owner certificate artifact. If the ownership voucher's "domain-cert-revocation-checks" node's value is set to "true", the device MUST verify the revocation status of the certificate chain used to sign the owner certificate, and if a suitably fresh revocation status is unattainable or if it is determined that a certificate has been revoked, the device MUST NOT validate the owner certificate.
Finally, the device MUST verify that the conveyed information artifact was signed by the validated owner certificate. If any of these steps fail, the device MUST invalidate the signed data and not perform any subsequent steps.5.5. Processing Redirect Information
In order to process redirect information (Section 2.1), the device MUST follow the steps presented in this section. Processing redirect information is straightforward; the device sequentially steps through the list of provided bootstrap servers until it can find one it can bootstrap from. If a hostname is provided, and the hostname's DNS resolution is to more than one IP address, the device MUST attempt to connect to all of the DNS resolved addresses at least once, before moving on to the next bootstrap server. If the device is able to obtain bootstrapping data from any of the DNS resolved addresses, it MUST immediately process that data, without attempting to connect to any of the other DNS resolved addresses. If the redirect information is trusted (e.g., trust-state is TRUE), and the bootstrap server entry contains a trust anchor certificate, then the device MUST authenticate the specified bootstrap server's TLS server certificate using X.509 certificate path validation ([RFC6125], Section 6) to the specified trust anchor. If the bootstrap server entry does not contain a trust anchor certificate device, the device MUST establish a provisional connection to the bootstrap server (i.e., by blindly accepting its server certificate) and set trust-state to FALSE. If the redirect information is untrusted (e.g., trust-state is FALSE), the device MUST discard any trust anchors provided by the redirect information and establish a provisional connection to the bootstrap server (i.e., by blindly accepting its TLS server certificate).5.6. Processing Onboarding Information
In order to process onboarding information (Section 2.2), the device MUST follow the steps presented in this section. When processing onboarding information, the device MUST first process the boot image information (if any), then execute the pre- configuration script (if any), then commit the initial configuration
(if any), and then execute the post-configuration script (if any), in that order. When the onboarding information is obtained from a trusted bootstrap server, the device MUST send the "bootstrap-initiated" progress report and send a terminating "boot-image-installed-rebooting", "bootstrap-complete", or error-specific progress report. If the "reporting-level" node of the bootstrap server's "get-bootstrapping- data" RPC-reply is the value "verbose", the device MUST additionally send all appropriate non-terminating progress reports (e.g., initiated, warning, complete, etc.). Regardless of the reporting level requested by the bootstrap server, the device MAY send progress reports beyond those required by the reporting level. When the onboarding information is obtained from an untrusted bootstrap server, the device MUST NOT send any progress reports to the bootstrap server, even though the onboarding information was, necessarily, signed and authenticated. Please be aware that bootstrap servers are recommended to promote untrusted connections to trusted connections, in the last paragraph of Section 9.6, so as to, in part, be able to collect progress reports from devices. If the device encounters an error at any step, it MUST stop processing the onboarding information and return to the bootstrapping sequence described in Section 5.2. In the context of a recursive algorithm, the device MUST return to the enclosing loop, not back to the very beginning. Some state MAY be retained from the bootstrapping process (e.g., updated boot image, logs, remnants from a script, etc.). However, the retained state MUST NOT be active in any way (e.g., no new configuration or running of software) and MUST NOT hinder the ability for the device to continue the bootstrapping sequence (i.e., process onboarding information from another bootstrap server). At this point, the specific ordered sequence of actions the device MUST perform is described. If the onboarding information is obtained from a trusted bootstrap server, the device MUST send a "bootstrap-initiated" progress report. It is an error if the device does not receive back the "204 No Content" HTTP status line. If an error occurs, the device MUST try to send a "bootstrap-error" progress report before exiting. The device MUST parse the provided onboarding information document, to extract values used in subsequent steps. Whether using a stream- based parser or not, if there is an error when parsing the onboarding
information, and the device is connected to a trusted bootstrap server, the device MUST try to send a "parsing-error" progress report before exiting. If boot image criteria are specified, the device MUST first determine if the boot image it is running satisfies the specified boot image criteria. If the device is already running the specified boot image, then it skips the remainder of this step. If the device is not running the specified boot image, then it MUST download, verify, and install, in that order, the specified boot image, and then reboot. If connected to a trusted bootstrap server, the device MAY try to send a "boot-image-mismatch" progress report. To download the boot image, the device MUST only use the URIs supplied by the onboarding information. To verify the boot image, the device MUST use either one of the verification fingerprints supplied by the onboarding information or a cryptographic signature embedded into the boot image itself using a mechanism not described by this document. Before rebooting, if connected to a trusted bootstrap server, the device MUST try to send a "boot-image-installed-rebooting" progress report. Upon rebooting, the bootstrapping process runs again, which will eventually come to this step again, but then the device will be running the specified boot image and thus will move to processing the next step. If an error occurs at any step while the device is connected to a trusted bootstrap server (i.e., before the reboot), the device MUST try to send a "boot-image-error" progress report before exiting. If a pre-configuration script has been specified, the device MUST execute the script, capture any output emitted from the script, and check if the script had any warnings or errors. If an error occurs while the device is connected to a trusted bootstrap server, the device MUST try to send a "pre-script-error" progress report before exiting. If an initial configuration has been specified, the device MUST atomically commit the provided initial configuration, using the approach specified by the "configuration-handling" leaf. If an error occurs while the device is connected to a trusted bootstrap server, the device MUST try to send a "config-error" progress report before exiting. If a post-configuration script has been specified, the device MUST execute the script, capture any output emitted from the script, and check if the script had any warnings or errors. If an error occurs while the device is connected to a trusted bootstrap server, the device MUST try to send a "post-script-error" progress report before exiting.
If the onboarding information was obtained from a trusted bootstrap server, and the result of the bootstrapping process did not disable the "flag to enable SZTP bootstrapping" described in Section 5.1, the device SHOULD send an "bootstrap-warning" progress report. If the onboarding information was obtained from a trusted bootstrap server, the device MUST send a "bootstrap-complete" progress report. It is an error if the device does not receive back the "204 No Content" HTTP status line. If an error occurs, the device MUST try to send a "bootstrap-error" progress report before exiting. At this point, the device has completely processed the bootstrapping data. The device is now running its initial configuration. Notably, if NETCONF Call Home or RESTCONF Call Home [RFC8071] is configured, the device initiates trying to establish the call home connections at this time. Implementation Notes: Implementations may vary in how to ensure no unwanted state is retained when an error occurs. If the implementation chooses to undo previous steps, the following guidelines apply: * When an error occurs, the device must rollback the current step and any previous steps. * Most steps are atomic. For example, the processing of a configuration is atomic (as specified above), and the processing of scripts is atomic (as specified in the "ietf- sztp-conveyed-info" YANG module). * In case the error occurs after the initial configuration was committed, the device must restore the configuration to the configuration that existed prior to the configuration being committed. * In case the error occurs after a script had executed successfully, it may be helpful for the implementation to define scripts as being able to take a conceptual input parameter indicating that the script should remove its previously set state.
6. The Conveyed Information Data Model
This section defines a YANG 1.1 [RFC7950] module that is used to define the data model for the conveyed information artifact described in Section 3.1. This data model uses the "yang-data" extension statement defined in [RFC8040]. Examples illustrating this data model are provided in Section 6.2.6.1. Data Model Overview
The following tree diagram provides an overview of the data model for the conveyed information artifact. module: ietf-sztp-conveyed-info yang-data conveyed-information: +-- (information-type) +--:(redirect-information) | +-- redirect-information | +-- bootstrap-server* [address] | +-- address inet:host | +-- port? inet:port-number | +-- trust-anchor? cms +--:(onboarding-information) +-- onboarding-information +-- boot-image | +-- os-name? string | +-- os-version? string | +-- download-uri* inet:uri | +-- image-verification* [hash-algorithm] | +-- hash-algorithm identityref | +-- hash-value yang:hex-string +-- configuration-handling? enumeration +-- pre-configuration-script? script +-- configuration? binary +-- post-configuration-script? script6.2. Example Usage
The following example illustrates how redirect information (Section 2.1) can be encoded using JSON [RFC8259]. { "ietf-sztp-conveyed-info:redirect-information" : { "bootstrap-server" : [ { "address" : "sztp1.example.com", "port" : 8443,
"trust-anchor" : "base64encodedvalue=="
},
{
"address" : "sztp2.example.com",
"port" : 8443,
"trust-anchor" : "base64encodedvalue=="
},
{
"address" : "sztp3.example.com",
"port" : 8443,
"trust-anchor" : "base64encodedvalue=="
}
]
}
}
The following example illustrates how onboarding information
(Section 2.2) can be encoded using JSON [RFC8259].
[Note: '\' line wrapping for formatting only]
{
"ietf-sztp-conveyed-info:onboarding-information" : {
"boot-image" : {
"os-name" : "VendorOS",
"os-version" : "17.2R1.6",
"download-uri" : [ "https://example.com/path/to/image/file" ],
"image-verification" : [
{
"hash-algorithm" : "ietf-sztp-conveyed-info:sha-256",
"hash-value" : "ba:ec:cf:a5:67:82:b4:10:77:c6:67:a6:22:ab:\
7d:50:04:a7:8b:8f:0e:db:02:8b:f4:75:55:fb:c1:13:b2:33"
}
]
},
"configuration-handling" : "merge",
"pre-configuration-script" : "base64encodedvalue==",
"configuration" : "base64encodedvalue==",
"post-configuration-script" : "base64encodedvalue=="
}
}
6.3. YANG Module
The conveyed information data model is defined by the YANG module presented in this section. This module uses data types defined in [RFC5280], [RFC5652], [RFC6234], and [RFC6991]; an extension statement from [RFC8040]; and an encoding defined in [ITU.X690.2015]. <CODE BEGINS> file "ietf-sztp-conveyed-info@2019-04-30.yang" module ietf-sztp-conveyed-info { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info"; prefix sztp-info; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; } import ietf-restconf { prefix rc; reference "RFC 8040: RESTCONF Protocol"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/netconf/> WG List: <mailto:netconf@ietf.org> Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; description "This module defines the data model for the conveyed information artifact defined in RFC 8572 ('Secure Zero Touch Provisioning (SZTP)'). The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here.
Copyright (c) 2019 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8572; see the
RFC itself for full legal notices.";
revision 2019-04-30 {
description
"Initial version";
reference
"RFC 8572: Secure Zero Touch Provisioning (SZTP)";
}
// identities
identity hash-algorithm {
description
"A base identity for hash algorithm verification.";
}
identity sha-256 {
base hash-algorithm;
description
"The SHA-256 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms";
}
// typedefs
typedef cms {
type binary;
description
"A ContentInfo structure, as specified in RFC 5652,
encoded using ASN.1 distinguished encoding rules (DER),
as specified in ITU-T X.690.";
reference
"RFC 5652:
Cryptographic Message Syntax (CMS)
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER)";
}
// yang-data
rc:yang-data conveyed-information {
choice information-type {
mandatory true;
description
"This choice statement ensures the response contains
redirect-information or onboarding-information.";
container redirect-information {
description
"Redirect information is described in Section 2.1 of
RFC 8572. Its purpose is to redirect a device to
another bootstrap server.";
reference
"RFC 8572: Secure Zero Touch Provisioning (SZTP)";
list bootstrap-server {
key "address";
min-elements 1;
description
"A bootstrap server entry.";
leaf address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the bootstrap server the
device should redirect to.";
}
leaf port {
type inet:port-number;
default "443";
description
"The port number the bootstrap server listens on. If no
port is specified, the IANA-assigned port for 'https'
(443) is used.";
}
leaf trust-anchor {
type cms;
description
"A CMS structure that MUST contain the chain of
X.509 certificates needed to authenticate the TLS
certificate presented by this bootstrap server.
The CMS MUST only contain a single chain of
certificates. The bootstrap server MUST only
authenticate to last intermediate CA certificate
listed in the chain.
In all cases, the chain MUST include a self-signed
root certificate. In the case where the root
certificate is itself the issuer of the bootstrap
server's TLS certificate, only one certificate
is present.
If needed by the device, this CMS structure MAY
also contain suitably fresh revocation objects
with which the device can verify the revocation
status of the certificates.
This CMS encodes the degenerate form of the SignedData
structure that is commonly used to disseminate X.509
certificates and revocation objects (RFC 5280).";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile";
}
}
}
container onboarding-information {
description
"Onboarding information is described in Section 2.2 of
RFC 8572. Its purpose is to provide the device everything
it needs to bootstrap itself.";
reference
"RFC 8572: Secure Zero Touch Provisioning (SZTP)";
container boot-image {
description
"Specifies criteria for the boot image the device MUST
be running, as well as information enabling the device
to install the required boot image.";
leaf os-name {
type string;
description
"The name of the operating system software the device
MUST be running in order to not require a software
image upgrade (e.g., VendorOS).";
}
leaf os-version {
type string;
description
"The version of the operating system software the
device MUST be running in order to not require a
software image upgrade (e.g., 17.3R2.1).";
}
leaf-list download-uri {
type inet:uri;
ordered-by user;
description
"An ordered list of URIs to where the same boot image
file may be obtained. How the URI schemes (http, ftp,
etc.) a device supports are known is vendor specific.
If a secure scheme (e.g., https) is provided, a device
MAY establish an untrusted connection to the remote
server, by blindly accepting the server's end-entity
certificate, to obtain the boot image.";
}
list image-verification {
must '../download-uri' {
description
"Download URIs must be provided if an image is to
be verified.";
}
key "hash-algorithm";
description
"A list of hash values that a device can use to verify
boot image files with.";
leaf hash-algorithm {
type identityref {
base hash-algorithm;
}
description
"Identifies the hash algorithm used.";
}
leaf hash-value {
type yang:hex-string;
mandatory true;
description
"The hex-encoded value of the specified hash
algorithm over the contents of the boot image
file.";
}
}
}
leaf configuration-handling {
type enumeration {
enum merge {
description
"Merge configuration into the running datastore.";
}
enum replace {
description
"Replace the existing running datastore with the
passed configuration.";
}
}
must '../configuration';
description
"This enumeration indicates how the server should process
the provided configuration.";
}
leaf pre-configuration-script {
type script;
description
"A script that, when present, is executed before the
configuration has been processed.";
}
leaf configuration {
type binary;
must '../configuration-handling';
description
"Any configuration known to the device. The use of
the 'binary' type enables content (e.g., XML) to be
embedded into a JSON document. The exact encoding
of the content, as with the scripts, is vendor
specific.";
}
leaf post-configuration-script {
type script;
description
"A script that, when present, is executed after the
configuration has been processed.";
}
}
}
}
typedef script {
type binary;
description
"A device-specific script that enables the execution of
commands to perform actions not possible thru configuration
alone.
No attempt is made to standardize the contents, running
context, or programming language of the script, other than
that it can indicate if any warnings or errors occurred and
can emit output. The contents of the script are considered
specific to the vendor, product line, and/or model of the
device.
If the script execution indicates that a warning occurred,
then the device MUST assume that the script had a soft error
that the script believes will not affect manageability.
If the script execution indicates that an error occurred,
the device MUST assume the script had a hard error that the
script believes will affect manageability. In this case,
the script is required to gracefully exit, removing any
state that might hinder the device's ability to continue
the bootstrapping sequence (e.g., process onboarding
information obtained from another bootstrap server).";
}
}
<CODE ENDS>
(next page on part 3)
