Great work.
A few comments from a first read-through.
Section 3.6, hwversion. I think the encoding should be PrintableString (like in swversion), as it is defined as a text string.
Section 3.7 swversion. The eat reference should be to 4.2.7 instead of 4.2.5.
Section 3.9, software component claims. For Measurement Value it says "For interoperability, SHA-256 is assumed to be the default". As this value can not be excluded from the sequence a verifyer can't really make any default decisions. I think the "default" statement is aimed at the producer, is it? In that case this can be rephrased to something like "For interoperability, SHA-256 SHOULD be used to produce this value".
For measurement-desc, should it say (OPTIONAL)?
3.10 and 3.11: I would like HSM manufacturers to review this, and make any assertion to what an HSM could but in these values.
I have not seen any HSM where FIPS mode can be configured for L2, L3 or L4. That's more for the HW certification, while fips mode enforcements are for the SW, hence the HSM itself can not configure itself into i.e. L2 or L4.
Cheers,
Tomas
https://mailarchive.ietf.org/arch/msg/spasm/zvS83Ju-hMuC5TGPcr9uTZBdtAw/