1<?xml version="1.0" encoding="UTF-8"?>
2<!---->
3<!--################################################################################       -->
4<!--# Redfish Schema:  SecurityPolicy v1.0.1                                               -->
5<!--#                                                                                      -->
6<!--# For a detailed change log, see the README file contained in the DSP8010 bundle,      -->
7<!--# available at http://www.dmtf.org/standards/redfish                                   -->
8<!--# Copyright 2014-2023 DMTF.                                                            -->
9<!--# For the full DMTF copyright policy, see http://www.dmtf.org/about/policies/copyright -->
10<!--################################################################################       -->
11<!---->
12<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx" Version="4.0">
14  <edmx:Reference Uri="http://docs.oasis-open.org/odata/odata/v4.0/errata03/csd01/complete/vocabularies/Org.OData.Core.V1.xml">
15    <edmx:Include Namespace="Org.OData.Core.V1" Alias="OData"/>
16  </edmx:Reference>
17  <edmx:Reference Uri="http://docs.oasis-open.org/odata/odata/v4.0/errata03/csd01/complete/vocabularies/Org.OData.Capabilities.V1.xml">
18    <edmx:Include Namespace="Org.OData.Capabilities.V1" Alias="Capabilities"/>
19  </edmx:Reference>
20  <edmx:Reference Uri="http://redfish.dmtf.org/schemas/v1/RedfishExtensions_v1.xml">
21    <edmx:Include Namespace="Validation.v1_0_0" Alias="Validation"/>
22    <edmx:Include Namespace="RedfishExtensions.v1_0_0" Alias="Redfish"/>
23  </edmx:Reference>
24  <edmx:Reference Uri="http://redfish.dmtf.org/schemas/v1/Resource_v1.xml">
25    <edmx:Include Namespace="Resource"/>
26    <edmx:Include Namespace="Resource.v1_0_0"/>
27  </edmx:Reference>
28  <edmx:Reference Uri="http://redfish.dmtf.org/schemas/v1/CertificateCollection_v1.xml">
29    <edmx:Include Namespace="CertificateCollection"/>
30  </edmx:Reference>
32  <edmx:DataServices>
34    <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="SecurityPolicy">
35      <Annotation Term="Redfish.OwningEntity" String="DMTF"/>
36
      <!-- Unversioned abstract base of the SecurityPolicy resource; the concrete
           SecurityPolicy.v1_0_0 type derives from it. The Capabilities annotations
           fix the lifecycle: a client cannot create (Insertable=false) or delete
           (Deletable=false) the resource, only update it (Updatable=true). There is
           one instance per manager at the fixed URI listed under Redfish.Uris, so
           reviewing a manager's security posture means auditing this single object. -->
37      <EntityType Name="SecurityPolicy" BaseType="Resource.v1_0_0.Resource" Abstract="true">
38        <Annotation Term="OData.Description" String="The SecurityPolicy resource provides a central point to configure the security policy of a manager."/>
39        <Annotation Term="OData.LongDescription" String="This resource shall represent configurable security-related policies managed by a manager.  All security parameters in other resources that are controlled by the manager shall follow the related settings in this security policy.  For example, an outbound TLS connection established per an EventDestination resource will follow the values of the properties in the TLS property."/>
40        <Annotation Term="Capabilities.InsertRestrictions">
41          <Record>
42            <PropertyValue Property="Insertable" Bool="false"/>
43          </Record>
44        </Annotation>
45        <Annotation Term="Capabilities.UpdateRestrictions">
46          <Record>
47            <PropertyValue Property="Updatable" Bool="true"/>
48          </Record>
49        </Annotation>
50        <Annotation Term="Capabilities.DeleteRestrictions">
51          <Record>
52            <PropertyValue Property="Deletable" Bool="false"/>
53          </Record>
54        </Annotation>
        <!-- Single, well-known location per manager ({ManagerId} is the only variable part). -->
55        <Annotation Term="Redfish.Uris">
56          <Collection>
57            <String>/redfish/v1/Managers/{ManagerId}/SecurityPolicy</String>
58          </Collection>
59        </Annotation>
60      </EntityType>
61    </Schema>
63    <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="SecurityPolicy.v1_0_0">
64      <Annotation Term="Redfish.OwningEntity" String="DMTF"/>
65      <Annotation Term="Redfish.Release" String="2022.2"/>
66
      <!-- First concrete version. The security-relevant members are
           OverrideParentManager (policy inheritance between managers), SPDM
           (policy for SPDM communication with devices) and TLS (separate policies
           for the manager as TLS client and as TLS server). -->
67      <EntityType Name="SecurityPolicy" BaseType="SecurityPolicy.SecurityPolicy">
68        <Property Name="Actions" Type="SecurityPolicy.v1_0_0.Actions" Nullable="false">
69          <Annotation Term="OData.Description" String="The available actions for this resource."/>
70          <Annotation Term="OData.LongDescription" String="This property shall contain the available actions for this resource."/>
71        </Property>
72        <Property Name="Status" Type="Resource.Status" Nullable="false">
73          <Annotation Term="OData.Description" String="The status and health of the resource and its subordinate or dependent resources."/>
74          <Annotation Term="OData.LongDescription" String="This property shall contain any status or health properties of the resource."/>
75        </Property>
        <!-- Absent means false (see LongDescription): by default this policy does
             not override the policy of the manager(s) referenced by the Manager's
             Links.ManagedBy. When auditing the effective policy of a subordinate
             manager, also inspect the parent manager's SecurityPolicy unless this
             property is explicitly true. -->
76        <Property Name="OverrideParentManager" Type="Edm.Boolean" Nullable="false">
77          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
78          <Annotation Term="OData.Description" String="Override the security policy of the parent manager."/>
79          <Annotation Term="OData.LongDescription" String="This property shall indicate whether this security policy overrides the security policy of the managers referenced by the ManagedBy property within the Links property of the Manager resource for this security policy.  If this property is absent, the value shall be assumed to be `false`."/>
80        </Property>
81        <Property Name="SPDM" Type="SecurityPolicy.v1_0_0.SPDMPolicy" Nullable="false">
82          <Annotation Term="OData.Description" String="The SPDM policy."/>
83          <Annotation Term="OData.LongDescription" String="This property shall contain the policy requirements for SPDM communication and usage."/>
84        </Property>
85        <Property Name="TLS" Type="SecurityPolicy.v1_0_0.TLSCommunication" Nullable="false">
86          <Annotation Term="OData.Description" String="The TLS policy."/>
87          <Annotation Term="OData.LongDescription" String="This property shall contain the policy requirements for TLS communication and usage."/>
88        </Property>
89      </EntityType>
90
      <!-- Standard Redfish Actions container; no standard actions are defined for
           this resource in this version, only the OEM extension point. -->
91      <ComplexType Name="Actions">
92        <Annotation Term="OData.AdditionalProperties" Bool="false"/>
93        <Annotation Term="OData.Description" String="The available actions for this resource."/>
94        <Annotation Term="OData.LongDescription" String="This type shall contain the available actions for this resource."/>
95        <Property Name="Oem" Type="SecurityPolicy.v1_0_0.OemActions" Nullable="false">
96          <Annotation Term="OData.Description" String="The available OEM-specific actions for this resource."/>
97          <Annotation Term="OData.LongDescription" String="This property shall contain the available OEM-specific actions for this resource."/>
98        </Property>
99      </ComplexType>
100
      <!-- Open extension point (AdditionalProperties=true): OEM actions added here
           are outside this schema's control and should be reviewed separately. -->
101      <ComplexType Name="OemActions">
102        <Annotation Term="OData.AdditionalProperties" Bool="true"/>
103        <Annotation Term="OData.Description" String="The available OEM-specific actions for this resource."/>
104        <Annotation Term="OData.LongDescription" String="This type shall contain the available OEM-specific actions for this resource."/>
105      </ComplexType>
106
      <!-- Policy for SPDM (DSP0274) communication with devices: global enable
           switches, certificate verification and its trust/revocation sources, and
           Allowed/Denied parameter sets. -->
107      <ComplexType Name="SPDMPolicy">
108        <Annotation Term="OData.AdditionalProperties" Bool="false"/>
109        <Annotation Term="OData.Description" String="SPDM policy settings."/>
110        <Annotation Term="OData.LongDescription" String="This object shall contain SPDM policy settings."/>
111        <Property Name="Enabled" Type="Edm.Boolean">
112          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
113          <Annotation Term="OData.Description" String="An indication of whether SPDM communication with devices is enabled."/>
114          <Annotation Term="OData.LongDescription" String="This property shall indicate whether SPDM communication with devices as defined in DSP0274 is enabled."/>
115        </Property>
116        <Property Name="SecureSessionEnabled" Type="Edm.Boolean">
117          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
118          <Annotation Term="OData.Description" String="An indication of whether SPDM secure sessions with devices is enabled."/>
119          <Annotation Term="OData.LongDescription" String="This property shall indicate whether SPDM secure sessions with devices as defined in DSP0274 is enabled."/>
120        </Property>
121        <Property Name="AllowExtendedAlgorithms" Type="Edm.Boolean">
122          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
123          <Annotation Term="OData.Description" String="An indication of whether SPDM extended algorithms are allowed."/>
124          <Annotation Term="OData.LongDescription" String="This property shall indicate whether SPDM extended algorithms as defined in DSP0274 are allowed."/>
125        </Property>
        <!-- Security-critical switch: false disables certificate verification of
             the SPDM endpoint entirely. Unlike TLSPolicy.VerifyCertificate below,
             the LongDescription here does not state what an absent value means.
             NOTE(review): confirm whether absent is to be read as false here too. -->
126        <Property Name="VerifyCertificate" Type="Edm.Boolean">
127          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
128          <Annotation Term="OData.Description" String="An indication of whether the manager will verify the certificate of the SPDM endpoint."/>
129          <Annotation Term="OData.LongDescription" String="This property shall indicate whether the manager will verify the certificate of the SPDM endpoint.  If `true`, the manager shall verify the device certificate with the certificates found in the collections referenced by the `RevokedCertificates` and `TrustedCertificates` properties.  If `false`, the manager shall not perform verification of the endpoint certificate."/>
130        </Property>
        <!-- Both links are read-only here: the trust anchors and the revocation set
             are managed through the referenced CertificateCollection resources, not
             through this policy object. Per the LongDescriptions, a leaf match or a
             successful chain to a CA-only partial chain in TrustedCertificates
             passes this check, while the same match against RevokedCertificates
             fails authentication. -->
131        <NavigationProperty Name="TrustedCertificates" Type="CertificateCollection.CertificateCollection">
132          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/Read"/>
133          <Annotation Term="OData.Description" String="The trusted SPDM device certificates."/>
134          <Annotation Term="OData.LongDescription" String="This property shall contain a link to a resource collection of type CertificateCollection that represents the set of trusted SPDM device certificates.  Certificates in this collection may contain leaf certificates, partial certificate chains, or complete certificate chains, where a partial certificate chain is a chain containing only CA certificates.  If `VerifyCertificate` contains the value `true` and if an SPDM endpoint verifies successfully against a partial chain or exactly matches a leaf certificate, that SPDM endpoint shall be considered verified and other authentications checks are performed."/>
135        </NavigationProperty>
136        <NavigationProperty Name="RevokedCertificates" Type="CertificateCollection.CertificateCollection">
137          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/Read"/>
138          <Annotation Term="OData.Description" String="The revoked SPDM device certificates."/>
139          <Annotation Term="OData.LongDescription" String="This property shall contain a link to a resource collection of type CertificateCollection that represents the set of revoked SPDM device certificates.  Certificates in this collection may contain leaf certificates, partial certificate chains, or complete certificate chains, where a partial certificate chain is a chain containing only CA certificates.  If `VerifyCertificate` contains the value `true` and if an SPDM endpoint verifies successfully against a partial chain or exactly matches a leaf certificate, that SPDM endpoint shall fail authentication."/>
140        </NavigationProperty>
        <!-- NOTE(review): no rule is stated here for a value that is missing from,
             or conflicts between, Allowed and Denied; TLSPolicy.Allowed/Denied
             below spells one out (Denied wins). Confirm the intended SPDM behaviour
             before relying on the Denied list alone. -->
141        <Property Name="Allowed" Type="SecurityPolicy.v1_0_0.SPDMParameterSet">
142          <Annotation Term="OData.Description" String="The SPDM policy settings that are allowed, such as the allowable SPDM versions and algorithms."/>
143          <Annotation Term="OData.LongDescription" String="This property shall contain the SPDM policy settings that are allowed, such as the allowable SPDM versions and algorithms."/>
144        </Property>
145        <Property Name="Denied" Type="SecurityPolicy.v1_0_0.SPDMParameterSet">
146          <Annotation Term="OData.Description" String="The SPDM policy settings that are prohibited, such as the prohibited SPDM versions and algorithms."/>
147          <Annotation Term="OData.LongDescription" String="This property shall contain the SPDM policy settings that are prohibited, such as the prohibited SPDM versions and algorithms."/>
148        </Property>
149      </ComplexType>
150
      <!-- One parameter set is used for both the Allowed and the Denied side. -->
151      <ComplexType Name="SPDMParameterSet">
152        <Annotation Term="OData.AdditionalProperties" Bool="false"/>
153        <Annotation Term="OData.Description" String="The SPDM policy settings."/>
154        <Annotation Term="OData.LongDescription" String="This object shall contain SPDM policy settings."/>
155        <Property Name="Algorithms" Type="SecurityPolicy.v1_0_0.SPDMAlgorithmSet">
156          <Annotation Term="OData.Description" String="The SPDM algorithms."/>
157          <Annotation Term="OData.LongDescription" String="This property shall contain the SPDM algorithms."/>
158        </Property>
        <!-- Values are "major.minor" version strings or the sentinels ALL / NONE
             (see Validation.Pattern). An EMPTY array means ALL, so an empty
             Allowed.Versions is fully permissive rather than deny-all; use NONE to
             allow nothing. -->
159        <Property Name="Versions" Type="Collection(Edm.String)">
160          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
161          <Annotation Term="OData.Description" String="The SPDM versions."/>
162          <Annotation Term="OData.LongDescription" String="This property shall contain an array of SPDM versions.  An array containing one element with the value of `ALL` or an empty array shall indicate all versions.  An array containing one element with a value of `NONE` shall indicate no versions."/>
163          <Annotation Term="Validation.Pattern" String="^\d+\.\d+$|^NONE$|^ALL$"/>
164        </Property>
165      </ComplexType>
166
      <!-- Algorithm lists. Each list uses the same sentinel semantics as Versions:
           empty array or ALL = every algorithm, NONE = no algorithm. Algorithm
           names are taken from the DSP0274 fields named in each LongDescription;
           no pattern is enforced on them here. -->
167      <ComplexType Name="SPDMAlgorithmSet">
168        <Annotation Term="OData.AdditionalProperties" Bool="false"/>
169        <Annotation Term="OData.Description" String="The SPDM algorithm settings."/>
170        <Annotation Term="OData.LongDescription" String="This object shall contain SPDM algorithm settings."/>
171        <Property Name="AEAD" Type="Collection(Edm.String)">
172          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
173          <Annotation Term="OData.Description" String="The AEAD algorithms."/>
174          <Annotation Term="OData.LongDescription" String="This property shall contain an array of AEAD algorithms.  The allowable values for this property shall be the AEAD algorithm names found in the 'AlgSupported' field of the 'AEAD structure' table in DSP0274, `ALL`, and `NONE`.  An array containing one element with the value of `ALL` or an empty array shall indicate all AEAD algorithms.  An array containing one element with a value of `NONE` shall indicate no AEAD algorithms."/>
175        </Property>
176        <Property Name="BaseAsym" Type="Collection(Edm.String)">
177          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
178          <Annotation Term="OData.Description" String="The asymmetric signature algorithms."/>
179          <Annotation Term="OData.LongDescription" String="This property shall contain an array of asymmetric signature algorithms.  The allowable values for this property shall be the asymmetric key signature algorithm names found in the 'BaseAsymAlgo' field of the 'NEGOTIATE_ALGORITHMS' request message in DSP0274, `ALL`, and `NONE`.  An array containing one element with the value of `ALL` or an empty array shall indicate all asymmetric signature algorithms.  An array containing one element with a value of `NONE` shall indicate no asymmetric signature algorithms."/>
180        </Property>
181        <Property Name="BaseHash" Type="Collection(Edm.String)">
182          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
183          <Annotation Term="OData.Description" String="The hash algorithms."/>
184          <Annotation Term="OData.LongDescription" String="This property shall contain an array of hash algorithms.  The allowable values for this property shall be the hash algorithm names found in the 'BaseHashAlgo' field of the 'NEGOTIATE_ALGORITHMS' request message in DSP0274, `ALL`, and `NONE`.  An array containing one element with the value of `ALL` or an empty array shall indicate all hash algorithms.  An array containing one element with a value of `NONE` shall indicate no hash algorithms."/>
185        </Property>
186      </ComplexType>
187
      <!-- Separate TLS policies for the two roles the manager plays: Client
           (connections the manager initiates, e.g. the EventDestination case named
           in the resource LongDescription) and Server (connections accepted by the
           manager). NOTE(review): this is the only ComplexType in this schema
           without an OData.AdditionalProperties annotation; confirm whether that
           omission is intended. -->
188      <ComplexType Name="TLSCommunication">
189        <Annotation Term="OData.Description" String="The TLS client and server policies."/>
190        <Annotation Term="OData.LongDescription" String="This property shall contain the policy requirements for TLS communication and usage for a TLS client and server."/>
191        <Property Name="Client" Type="SecurityPolicy.v1_0_0.TLSPolicy" Nullable="false">
192          <Annotation Term="OData.Description" String="The TLS policy."/>
193          <Annotation Term="OData.LongDescription" String="This property shall contain the policy requirements and usage for TLS connections where the manager acts as a TLS client."/>
194        </Property>
195        <Property Name="Server" Type="SecurityPolicy.v1_0_0.TLSPolicy" Nullable="false">
196          <Annotation Term="OData.Description" String="The TLS policy."/>
197          <Annotation Term="OData.LongDescription" String="This property shall contain the policy requirements and usage for TLS connections where the manager acts as a TLS server."/>
198        </Property>
199      </ComplexType>
      <!-- Shared by TLSCommunication.Client and TLSCommunication.Server. -->
200      <ComplexType Name="TLSPolicy">
201        <Annotation Term="OData.AdditionalProperties" Bool="false"/>
202        <Annotation Term="OData.Description" String="TLS policy settings."/>
203        <Annotation Term="OData.LongDescription" String="This object shall contain TLS policy settings."/>
        <!-- Security-critical switch: false OR ABSENT disables certificate
             verification of the remote endpoint (see LongDescription). A service
             that wants peer authentication must set this to true explicitly. -->
204        <Property Name="VerifyCertificate" Type="Edm.Boolean">
205          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
206          <Annotation Term="OData.Description" String="An indication of whether the manager will verify the certificate of the remote TLS endpoint."/>
207          <Annotation Term="OData.LongDescription" String="This property shall indicate whether the manager will verify the certificate of the remote endpoint in a TLS connection.  If `true`, the manager shall verify the remote endpoint certificate with the certificates found in the collections referenced by the `RevokedCertificates` and `TrustedCertificates` properties.  If `false` or not present, the manager shall not perform verification of the endpoint certificate."/>
208        </Property>
        <!-- Read-only links to the trust anchors and the revocation set, managed via
             the referenced CertificateCollection resources. Match semantics are the
             same as for SPDMPolicy: a leaf match or a CA-only partial chain in
             TrustedCertificates passes, the same match in RevokedCertificates fails.
             NOTE(review): the Descriptions say "TLS server certificates" although
             this type is also used for TLSCommunication.Server, where the remote
             endpoint is a client; the LongDescriptions say "TLS certificates". -->
209        <NavigationProperty Name="TrustedCertificates" Type="CertificateCollection.CertificateCollection">
210          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/Read"/>
211          <Annotation Term="OData.Description" String="The trusted TLS server certificates."/>
212          <Annotation Term="OData.LongDescription" String="This property shall contain a link to a resource collection of type CertificateCollection that represents the set of trusted TLS certificates.  Certificates in this collection may contain leaf certificates, partial certificate chains, or complete certificate chains, where a partial certificate chain is a chain containing only CA certificates.  If `VerifyCertificate` contains the value `true` and if a TLS endpoint verifies successfully against a partial chain or exactly matches a leaf certificate, that TLS endpoint shall be considered verified and other authentications checks are performed."/>
213        </NavigationProperty>
214        <NavigationProperty Name="RevokedCertificates" Type="CertificateCollection.CertificateCollection">
215          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/Read"/>
216          <Annotation Term="OData.Description" String="The revoked TLS server certificates."/>
217          <Annotation Term="OData.LongDescription" String="This property shall contain a link to a resource collection of type CertificateCollection that represents the set of revoked TLS certificates.  Certificates in this collection may contain leaf certificates, partial certificate chains, or complete certificate chains, where a partial certificate chain is a chain containing only CA certificates.  If `VerifyCertificate` contains the value `true` and if a TLS endpoint verifies successfully against a partial chain or exactly matches a leaf certificate, that TLS endpoint shall fail authentication."/>
218        </NavigationProperty>
        <!-- Conflict resolution, stated in both LongDescriptions: a value listed in
             both Allowed and Denied is denied, and a value missing from both is
             treated as denied, so Denied always wins. The service may additionally
             reject a conflicting request at PATCH time. -->
219        <Property Name="Allowed" Type="SecurityPolicy.v1_0_0.TLSParameterSet">
220          <Annotation Term="OData.Description" String="The TLS policy settings that are allowed, such as the allowable TLS versions and algorithms."/>
221          <Annotation Term="OData.LongDescription" String="This property shall contain the TLS policy settings that are allowed, such as the allowable TLS versions and algorithms.  If a value is missing for the same property in the 'Allowed' and 'Denied' object, the missing value shall behave as if the value is present in the same property under the 'Denied' object.  If a value conflicts for the same property between the 'Allowed' and 'Denied' object, the value of the same property in the 'Denied' object shall take precedence.  A Redfish service can resolve or prevent conflicts at time of request as well."/>
222        </Property>
223        <Property Name="Denied" Type="SecurityPolicy.v1_0_0.TLSParameterSet">
224          <Annotation Term="OData.Description" String="The TLS policy settings that are prohibited, such as the prohibited TLS versions and algorithms."/>
225          <Annotation Term="OData.LongDescription" String="This property shall contain the TLS policy settings that are prohibited, such as the prohibited TLS versions and algorithms.  If a value is missing for the same property in the 'Allowed' and 'Denied' object, the missing value shall behave as if the value is present in the same property under the 'Denied' object.  If a value conflicts for the same property between the 'Allowed' and 'Denied' object, the value of the same property in the 'Denied' object shall take precedence.  A Redfish service can resolve or prevent conflicts at time of request as well."/>
226        </Property>
227      </ComplexType>
228
      <!-- One parameter set is used for both the Allowed and the Denied side. -->
229      <ComplexType Name="TLSParameterSet">
230        <Annotation Term="OData.AdditionalProperties" Bool="false"/>
231        <Annotation Term="OData.Description" String="The TLS policy settings."/>
232        <Annotation Term="OData.LongDescription" String="This object shall contain TLS policy settings."/>
233        <Property Name="Algorithms" Type="SecurityPolicy.v1_0_0.TLSAlgorithmSet">
234          <Annotation Term="OData.Description" String="The TLS algorithms."/>
235          <Annotation Term="OData.LongDescription" String="This property shall contain the TLS algorithms."/>
236        </Property>
        <!-- "major.minor" TLS version strings or ALL / NONE (see Validation.Pattern).
             As with SPDM, an empty array means ALL: an empty Allowed.Versions
             permits every version, it does not deny all. -->
237        <Property Name="Versions" Type="Collection(Edm.String)">
238          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
239          <Annotation Term="OData.Description" String="The TLS versions."/>
240          <Annotation Term="OData.LongDescription" String="This property shall contain an array of TLS versions.  An array containing one element with the value of `ALL` or an empty array shall indicate all versions.  An array containing one element with a value of `NONE` shall indicate no versions."/>
241          <Annotation Term="Validation.Pattern" String="^\d+\.\d+$|^NONE$|^ALL$"/>
242        </Property>
243      </ComplexType>
244
      <!-- Cipher-suite and signature-algorithm lists, named per the TLS RFCs cited
           in each LongDescription (the lists are explicitly not limited to those
           RFCs, and no pattern is enforced here). Same sentinels as elsewhere:
           empty array or ALL = everything, NONE = nothing, so an empty Allowed list
           restricts nothing. -->
245      <ComplexType Name="TLSAlgorithmSet">
246        <Annotation Term="OData.AdditionalProperties" Bool="false"/>
247        <Annotation Term="OData.Description" String="The TLS algorithm settings."/>
248        <Annotation Term="OData.LongDescription" String="This object shall contain TLS algorithm settings."/>
249        <Property Name="CipherSuites" Type="Collection(Edm.String)">
250          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
251          <Annotation Term="OData.Description" String="The TLS cipher suites."/>
252          <Annotation Term="OData.LongDescription" String="This property shall contain an array of TLS cipher suites.  The allowable values for this property shall be the TLS cipher suites listed in 'CipherSuites' defined in, but not limited to, RFC4346, RFC5246, or RFC8446, `ALL`, and `NONE`.  An array containing one element with the value of `ALL` or an empty array shall indicate all TLS cipher suites.  An array containing one element with a value of `NONE` shall indicate no TLS cipher suites."/>
253        </Property>
254        <Property Name="SignatureAlgorithms" Type="Collection(Edm.String)">
255          <Annotation Term="OData.Permissions" EnumMember="OData.Permission/ReadWrite"/>
256          <Annotation Term="OData.Description" String="The TLS signature algorithms."/>
257          <Annotation Term="OData.LongDescription" String="This property shall contain an array of TLS signature algorithms.  The allowable values for this property shall be the TLS signature algorithms listed in 'SignatureScheme' or the concatenation of 'SignatureAlgorithm', '_', and 'HashAlgorithm' defined in, but not limited to, RFC4346, RFC5246, or RFC8446, `ALL`, and `NONE`.  An array containing one element with the value of `ALL` or an empty array shall indicate all TLS signature algorithms.  An array containing one element with a value of `NONE` shall indicate no TLS signature algorithms."/>
258        </Property>
259      </ComplexType>
260    </Schema>
262    <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="SecurityPolicy.v1_0_1">
263      <Annotation Term="Redfish.OwningEntity" String="DMTF"/>
264      <Annotation Term="OData.Description" String="This version was created to correct various typographical errors."/>
      <!-- Errata-only version: derives from v1_0_0 unchanged and adds no properties,
           so the v1_0_0 definitions above are the ones to review. -->
265      <EntityType Name="SecurityPolicy" BaseType="SecurityPolicy.v1_0_0.SecurityPolicy"/>
266    </Schema>
268  </edmx:DataServices>
269</edmx:Edmx>