1{
2    "$id": "http://redfish.dmtf.org/schemas/v1/SecurityPolicy.v1_0_2.json",
3    "$ref": "#/definitions/SecurityPolicy",
4    "$schema": "http://redfish.dmtf.org/schemas/v1/redfish-schema-v1.json",
5    "copyright": "Copyright 2014-2024 DMTF. For the full DMTF copyright policy, see http://www.dmtf.org/about/policies/copyright",
6    "definitions": {
7        "Actions": {
8            "additionalProperties": false,
9            "description": "The available actions for this resource.",
10            "longDescription": "This type shall contain the available actions for this resource.",
11            "patternProperties": {
12                "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
13                    "description": "This property shall specify a valid odata or Redfish property.",
14                    "type": [
15                        "array",
16                        "boolean",
17                        "integer",
18                        "number",
19                        "null",
20                        "object",
21                        "string"
22                    ]
23                }
24            },
25            "properties": {
26                "Oem": {
27                    "$ref": "#/definitions/OemActions",
28                    "description": "The available OEM-specific actions for this resource.",
29                    "longDescription": "This property shall contain the available OEM-specific actions for this resource."
30                }
31            },
32            "type": "object"
33        },
34        "OemActions": {
35            "additionalProperties": true,
36            "description": "The available OEM-specific actions for this resource.",
37            "longDescription": "This type shall contain the available OEM-specific actions for this resource.",
38            "patternProperties": {
39                "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
40                    "description": "This property shall specify a valid odata or Redfish property.",
41                    "type": [
42                        "array",
43                        "boolean",
44                        "integer",
45                        "number",
46                        "null",
47                        "object",
48                        "string"
49                    ]
50                }
51            },
52            "properties": {},
53            "type": "object"
54        },
55        "SPDMAlgorithmSet": {
56            "additionalProperties": false,
57            "description": "The SPDM algorithm settings.",
58            "longDescription": "This object shall contain SPDM algorithm settings.",
59            "patternProperties": {
60                "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
61                    "description": "This property shall specify a valid odata or Redfish property.",
62                    "type": [
63                        "array",
64                        "boolean",
65                        "integer",
66                        "number",
67                        "null",
68                        "object",
69                        "string"
70                    ]
71                }
72            },
73            "properties": {
74                "AEAD": {
75                    "description": "The AEAD algorithms.",
76                    "items": {
77                        "type": [
78                            "string",
79                            "null"
80                        ]
81                    },
82                    "longDescription": "This property shall contain an array of AEAD algorithms.  The allowable values for this property shall be the AEAD algorithm names found in the 'AlgSupported' field of the 'AEAD structure' table in DSP0274, `ALL`, and `NONE`.  An array containing one element with the value of `ALL` or an empty array shall indicate all AEAD algorithms.  An array containing one element with a value of `NONE` shall indicate no AEAD algorithms.",
83                    "readonly": false,
84                    "type": "array"
85                },
86                "BaseAsym": {
87                    "description": "The asymmetric signature algorithms.",
88                    "items": {
89                        "type": [
90                            "string",
91                            "null"
92                        ]
93                    },
94                    "longDescription": "This property shall contain an array of asymmetric signature algorithms.  The allowable values for this property shall be the asymmetric key signature algorithm names found in the 'BaseAsymAlgo' field of the 'NEGOTIATE_ALGORITHMS' request message in DSP0274, `ALL`, and `NONE`.  An array containing one element with the value of `ALL` or an empty array shall indicate all asymmetric signature algorithms.  An array containing one element with a value of `NONE` shall indicate no asymmetric signature algorithms.",
95                    "readonly": false,
96                    "type": "array"
97                },
98                "BaseHash": {
99                    "description": "The hash algorithms.",
100                    "items": {
101                        "type": [
102                            "string",
103                            "null"
104                        ]
105                    },
106                    "longDescription": "This property shall contain an array of hash algorithms.  The allowable values for this property shall be the hash algorithm names found in the 'BaseHashAlgo' field of the 'NEGOTIATE_ALGORITHMS' request message in DSP0274, `ALL`, and `NONE`.  An array containing one element with the value of `ALL` or an empty array shall indicate all hash algorithms.  An array containing one element with a value of `NONE` shall indicate no hash algorithms.",
107                    "readonly": false,
108                    "type": "array"
109                }
110            },
111            "type": "object"
112        },
113        "SPDMParameterSet": {
114            "additionalProperties": false,
115            "description": "The SPDM policy settings.",
116            "longDescription": "This object shall contain SPDM policy settings.",
117            "patternProperties": {
118                "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
119                    "description": "This property shall specify a valid odata or Redfish property.",
120                    "type": [
121                        "array",
122                        "boolean",
123                        "integer",
124                        "number",
125                        "null",
126                        "object",
127                        "string"
128                    ]
129                }
130            },
131            "properties": {
132                "Algorithms": {
133                    "$ref": "#/definitions/SPDMAlgorithmSet",
134                    "description": "The SPDM algorithms.",
135                    "longDescription": "This property shall contain the SPDM algorithms."
136                },
137                "Versions": {
138                    "description": "The SPDM versions.",
139                    "items": {
140                        "type": [
141                            "string",
142                            "null"
143                        ]
144                    },
145                    "longDescription": "This property shall contain an array of SPDM versions.  An array containing one element with the value of `ALL` or an empty array shall indicate all versions.  An array containing one element with a value of `NONE` shall indicate no versions.",
146                    "pattern": "^\\d+\\.\\d+$|^NONE$|^ALL$",
147                    "readonly": false,
148                    "type": "array"
149                }
150            },
151            "type": "object"
152        },
153        "SPDMPolicy": {
154            "additionalProperties": false,
155            "description": "SPDM policy settings.",
156            "longDescription": "This object shall contain SPDM policy settings.",
157            "patternProperties": {
158                "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
159                    "description": "This property shall specify a valid odata or Redfish property.",
160                    "type": [
161                        "array",
162                        "boolean",
163                        "integer",
164                        "number",
165                        "null",
166                        "object",
167                        "string"
168                    ]
169                }
170            },
171            "properties": {
172                "AllowExtendedAlgorithms": {
173                    "description": "An indication of whether SPDM extended algorithms are allowed.",
174                    "longDescription": "This property shall indicate whether SPDM extended algorithms as defined in DSP0274 are allowed.",
175                    "readonly": false,
176                    "type": [
177                        "boolean",
178                        "null"
179                    ]
180                },
181                "Allowed": {
182                    "$ref": "#/definitions/SPDMParameterSet",
183                    "description": "The SPDM policy settings that are allowed, such as the allowable SPDM versions and algorithms.",
184                    "longDescription": "This property shall contain the SPDM policy settings that are allowed, such as the allowable SPDM versions and algorithms."
185                },
186                "Denied": {
187                    "$ref": "#/definitions/SPDMParameterSet",
188                    "description": "The SPDM policy settings that are prohibited, such as the prohibited SPDM versions and algorithms.",
189                    "longDescription": "This property shall contain the SPDM policy settings that are prohibited, such as the prohibited SPDM versions and algorithms."
190                },
191                "Enabled": {
192                    "description": "An indication of whether SPDM communication with devices is enabled.",
193                    "longDescription": "This property shall indicate whether SPDM communication with devices as defined in DSP0274 is enabled.",
194                    "readonly": false,
195                    "type": [
196                        "boolean",
197                        "null"
198                    ]
199                },
200                "RevokedCertificates": {
201                    "$ref": "http://redfish.dmtf.org/schemas/v1/CertificateCollection.json#/definitions/CertificateCollection",
202                    "description": "The revoked SPDM device certificates.",
203                    "longDescription": "This property shall contain a link to a resource collection of type `CertificateCollection` that represents the set of revoked SPDM device certificates.  Certificates in this collection may contain leaf certificates, partial certificate chains, or complete certificate chains, where a partial certificate chain is a chain containing only CA certificates.  If `VerifyCertificate` contains the value `true` and if an SPDM endpoint verifies successfully against a partial chain or exactly matches a leaf certificate, that SPDM endpoint shall fail authentication.",
204                    "readonly": true
205                },
206                "SecureSessionEnabled": {
207                    "description": "An indication of whether SPDM secure sessions with devices are enabled.",
208                    "longDescription": "This property shall indicate whether SPDM secure sessions with devices as defined in DSP0274 are enabled.",
209                    "readonly": false,
210                    "type": [
211                        "boolean",
212                        "null"
213                    ]
214                },
215                "TrustedCertificates": {
216                    "$ref": "http://redfish.dmtf.org/schemas/v1/CertificateCollection.json#/definitions/CertificateCollection",
217                    "description": "The trusted SPDM device certificates.",
218                    "longDescription": "This property shall contain a link to a resource collection of type `CertificateCollection` that represents the set of trusted SPDM device certificates.  Certificates in this collection may contain leaf certificates, partial certificate chains, or complete certificate chains, where a partial certificate chain is a chain containing only CA certificates.  If `VerifyCertificate` contains the value `true` and if an SPDM endpoint verifies successfully against a partial chain or exactly matches a leaf certificate, that SPDM endpoint shall be considered verified and other authentication checks are performed.",
219                    "readonly": true
220                },
221                "VerifyCertificate": {
222                    "description": "An indication of whether the manager will verify the certificate of the SPDM endpoint.",
223                    "longDescription": "This property shall indicate whether the manager will verify the certificate of the SPDM endpoint.  If `true`, the manager shall verify the device certificate with the certificates found in the collections referenced by the `RevokedCertificates` and `TrustedCertificates` properties.  If `false`, the manager shall not perform verification of the endpoint certificate.",
224                    "readonly": false,
225                    "type": [
226                        "boolean",
227                        "null"
228                    ]
229                }
230            },
231            "type": "object"
232        },
233        "SecurityPolicy": {
234            "additionalProperties": false,
235            "description": "The `SecurityPolicy` resource provides a central point to configure the security policy of a manager.",
236            "longDescription": "This resource shall represent configurable security-related policies managed by a manager.  All security parameters in other resources that are controlled by the manager shall follow the related settings in this security policy.  For example, an outbound TLS connection established per an `EventDestination` resource will follow the values of the properties in the `TLS` property.",
237            "patternProperties": {
238                "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
239                    "description": "This property shall specify a valid odata or Redfish property.",
240                    "type": [
241                        "array",
242                        "boolean",
243                        "integer",
244                        "number",
245                        "null",
246                        "object",
247                        "string"
248                    ]
249                }
250            },
251            "properties": {
252                "@odata.context": {
253                    "$ref": "http://redfish.dmtf.org/schemas/v1/odata-v4.json#/definitions/context"
254                },
255                "@odata.etag": {
256                    "$ref": "http://redfish.dmtf.org/schemas/v1/odata-v4.json#/definitions/etag"
257                },
258                "@odata.id": {
259                    "$ref": "http://redfish.dmtf.org/schemas/v1/odata-v4.json#/definitions/id"
260                },
261                "@odata.type": {
262                    "$ref": "http://redfish.dmtf.org/schemas/v1/odata-v4.json#/definitions/type"
263                },
264                "Actions": {
265                    "$ref": "#/definitions/Actions",
266                    "description": "The available actions for this resource.",
267                    "longDescription": "This property shall contain the available actions for this resource."
268                },
269                "Description": {
270                    "anyOf": [
271                        {
272                            "$ref": "http://redfish.dmtf.org/schemas/v1/Resource.json#/definitions/Description"
273                        },
274                        {
275                            "type": "null"
276                        }
277                    ],
278                    "readonly": true
279                },
280                "Id": {
281                    "$ref": "http://redfish.dmtf.org/schemas/v1/Resource.json#/definitions/Id",
282                    "readonly": true
283                },
284                "Name": {
285                    "$ref": "http://redfish.dmtf.org/schemas/v1/Resource.json#/definitions/Name",
286                    "readonly": true
287                },
288                "Oem": {
289                    "$ref": "http://redfish.dmtf.org/schemas/v1/Resource.json#/definitions/Oem",
290                    "description": "The OEM extension property.",
291                    "longDescription": "This property shall contain the OEM extensions.  All values for properties that this object contains shall conform to the Redfish Specification-described requirements."
292                },
293                "OverrideParentManager": {
294                    "description": "Override the security policy of the parent manager.",
295                    "longDescription": "This property shall indicate whether this security policy overrides the security policy of the managers referenced by the `ManagedBy` property within the `Links` property of the `Manager` resource for this security policy.  If this property is absent, the value shall be assumed to be `false`.",
296                    "readonly": false,
297                    "type": "boolean"
298                },
299                "SPDM": {
300                    "$ref": "#/definitions/SPDMPolicy",
301                    "description": "The SPDM policy.",
302                    "longDescription": "This property shall contain the policy requirements for SPDM communication and usage."
303                },
304                "Status": {
305                    "$ref": "http://redfish.dmtf.org/schemas/v1/Resource.json#/definitions/Status",
306                    "description": "The status and health of the resource and its subordinate or dependent resources.",
307                    "longDescription": "This property shall contain any status or health properties of the resource."
308                },
309                "TLS": {
310                    "$ref": "#/definitions/TLSCommunication",
311                    "description": "The TLS policy.",
312                    "longDescription": "This property shall contain the policy requirements for TLS communication and usage."
313                }
314            },
315            "required": [
316                "@odata.id",
317                "@odata.type",
318                "Id",
319                "Name"
320            ],
321            "type": "object"
322        },
323        "TLSAlgorithmSet": {
324            "additionalProperties": false,
325            "description": "The TLS algorithm settings.",
326            "longDescription": "This object shall contain TLS algorithm settings.",
327            "patternProperties": {
328                "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
329                    "description": "This property shall specify a valid odata or Redfish property.",
330                    "type": [
331                        "array",
332                        "boolean",
333                        "integer",
334                        "number",
335                        "null",
336                        "object",
337                        "string"
338                    ]
339                }
340            },
341            "properties": {
342                "CipherSuites": {
343                    "description": "The TLS cipher suites.",
344                    "items": {
345                        "type": [
346                            "string",
347                            "null"
348                        ]
349                    },
350                    "longDescription": "This property shall contain an array of TLS cipher suites.  The allowable values for this property shall be the TLS cipher suites listed in 'CipherSuites' defined in, but not limited to, RFC4346, RFC5246, or RFC8446, `ALL`, and `NONE`.  An array containing one element with the value of `ALL` or an empty array shall indicate all TLS cipher suites.  An array containing one element with a value of `NONE` shall indicate no TLS cipher suites.",
351                    "readonly": false,
352                    "type": "array"
353                },
354                "SignatureAlgorithms": {
355                    "description": "The TLS signature algorithms.",
356                    "items": {
357                        "type": [
358                            "string",
359                            "null"
360                        ]
361                    },
362                    "longDescription": "This property shall contain an array of TLS signature algorithms.  The allowable values for this property shall be the TLS signature algorithms listed in 'SignatureScheme' or the concatenation of 'SignatureAlgorithm', '_', and 'HashAlgorithm' defined in, but not limited to, RFC4346, RFC5246, or RFC8446, `ALL`, and `NONE`.  An array containing one element with the value of `ALL` or an empty array shall indicate all TLS signature algorithms.  An array containing one element with a value of `NONE` shall indicate no TLS signature algorithms.",
363                    "readonly": false,
364                    "type": "array"
365                }
366            },
367            "type": "object"
368        },
369        "TLSCommunication": {
370            "additionalProperties": false,
371            "description": "The TLS client and server policies.",
372            "longDescription": "This property shall contain the policy requirements for TLS communication and usage for a TLS client and server.",
373            "patternProperties": {
374                "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
375                    "description": "This property shall specify a valid odata or Redfish property.",
376                    "type": [
377                        "array",
378                        "boolean",
379                        "integer",
380                        "number",
381                        "null",
382                        "object",
383                        "string"
384                    ]
385                }
386            },
387            "properties": {
388                "Client": {
389                    "$ref": "#/definitions/TLSPolicy",
390                    "description": "The TLS policy.",
391                    "longDescription": "This property shall contain the policy requirements and usage for TLS connections where the manager acts as a TLS client."
392                },
393                "Server": {
394                    "$ref": "#/definitions/TLSPolicy",
395                    "description": "The TLS policy.",
396                    "longDescription": "This property shall contain the policy requirements and usage for TLS connections where the manager acts as a TLS server."
397                }
398            },
399            "type": "object"
400        },
401        "TLSParameterSet": {
402            "additionalProperties": false,
403            "description": "The TLS policy settings.",
404            "longDescription": "This object shall contain TLS policy settings.",
405            "patternProperties": {
406                "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
407                    "description": "This property shall specify a valid odata or Redfish property.",
408                    "type": [
409                        "array",
410                        "boolean",
411                        "integer",
412                        "number",
413                        "null",
414                        "object",
415                        "string"
416                    ]
417                }
418            },
419            "properties": {
420                "Algorithms": {
421                    "$ref": "#/definitions/TLSAlgorithmSet",
422                    "description": "The TLS algorithms.",
423                    "longDescription": "This property shall contain the TLS algorithms."
424                },
425                "Versions": {
426                    "description": "The TLS versions.",
427                    "items": {
428                        "type": [
429                            "string",
430                            "null"
431                        ]
432                    },
433                    "longDescription": "This property shall contain an array of TLS versions.  An array containing one element with the value of `ALL` or an empty array shall indicate all versions.  An array containing one element with a value of `NONE` shall indicate no versions.",
434                    "pattern": "^\\d+\\.\\d+$|^NONE$|^ALL$",
435                    "readonly": false,
436                    "type": "array"
437                }
438            },
439            "type": "object"
440        },
441        "TLSPolicy": {
442            "additionalProperties": false,
443            "description": "TLS policy settings.",
444            "longDescription": "This object shall contain TLS policy settings.",
445            "patternProperties": {
446                "^([a-zA-Z_][a-zA-Z0-9_]*)?@(odata|Redfish|Message)\\.[a-zA-Z_][a-zA-Z0-9_]*$": {
447                    "description": "This property shall specify a valid odata or Redfish property.",
448                    "type": [
449                        "array",
450                        "boolean",
451                        "integer",
452                        "number",
453                        "null",
454                        "object",
455                        "string"
456                    ]
457                }
458            },
459            "properties": {
460                "Allowed": {
461                    "$ref": "#/definitions/TLSParameterSet",
462                    "description": "The TLS policy settings that are allowed, such as the allowable TLS versions and algorithms.",
463                    "longDescription": "This property shall contain the TLS policy settings that are allowed, such as the allowable TLS versions and algorithms.  If a value is missing for the same property in the `Allowed` and `Denied` object, the missing value shall behave as if the value is present in the same property under the `Denied` object.  If a value conflicts for the same property between the `Allowed` and `Denied` object, the value of the same property in the `Denied` object shall take precedence.  A Redfish service can resolve or prevent conflicts at time of request as well."
464                },
465                "Denied": {
466                    "$ref": "#/definitions/TLSParameterSet",
467                    "description": "The TLS policy settings that are prohibited, such as the prohibited TLS versions and algorithms.",
468                    "longDescription": "This property shall contain the TLS policy settings that are prohibited, such as the prohibited TLS versions and algorithms.  If a value is missing for the same property in the `Allowed` and `Denied` object, the missing value shall behave as if the value is present in the same property under the `Denied` object.  If a value conflicts for the same property between the `Allowed` and `Denied` object, the value of the same property in the `Denied` object shall take precedence.  A Redfish service can resolve or prevent conflicts at time of request as well."
469                },
470                "RevokedCertificates": {
471                    "$ref": "http://redfish.dmtf.org/schemas/v1/CertificateCollection.json#/definitions/CertificateCollection",
472                    "description": "The revoked TLS server certificates.",
473                    "longDescription": "This property shall contain a link to a resource collection of type `CertificateCollection` that represents the set of revoked TLS certificates.  Certificates in this collection may contain leaf certificates, partial certificate chains, or complete certificate chains, where a partial certificate chain is a chain containing only CA certificates.  If `VerifyCertificate` contains the value `true` and if a TLS endpoint verifies successfully against a partial chain or exactly matches a leaf certificate, that TLS endpoint shall fail authentication.",
474                    "readonly": true
475                },
476                "TrustedCertificates": {
477                    "$ref": "http://redfish.dmtf.org/schemas/v1/CertificateCollection.json#/definitions/CertificateCollection",
478                    "description": "The trusted TLS server certificates.",
479                    "longDescription": "This property shall contain a link to a resource collection of type `CertificateCollection` that represents the set of trusted TLS certificates.  Certificates in this collection may contain leaf certificates, partial certificate chains, or complete certificate chains, where a partial certificate chain is a chain containing only CA certificates.  If `VerifyCertificate` contains the value `true` and if a TLS endpoint verifies successfully against a partial chain or exactly matches a leaf certificate, that TLS endpoint shall be considered verified and other authentication checks are performed.",
480                    "readonly": true
481                },
482                "VerifyCertificate": {
483                    "description": "An indication of whether the manager will verify the certificate of the remote TLS endpoint.",
484                    "longDescription": "This property shall indicate whether the manager will verify the certificate of the remote endpoint in a TLS connection.  If `true`, the manager shall verify the remote endpoint certificate with the certificates found in the collections referenced by the `RevokedCertificates` and `TrustedCertificates` properties.  If `false` or not present, the manager shall not perform verification of the endpoint certificate.",
485                    "readonly": false,
486                    "type": [
487                        "boolean",
488                        "null"
489                    ]
490                }
491            },
492            "type": "object"
493        }
494    },
495    "language": "en",
496    "owningEntity": "DMTF",
497    "release": "2022.2",
498    "title": "#SecurityPolicy.v1_0_2.SecurityPolicy"
499}