640x480, 7.5MB
Knoppix511trust_Demo-sub-small.swf
Open Platform Trust Services is a proof-of-concept (PoC) and experimental implementation of Platform Trust Services (PTS) which is defined by the Trusted Computing Group (TCG). From version 0.2, it is fully written in C to support many type of target platforms, include PC, server and embedded devices.
Previous version : OpenPlatformTrustServices-0.1
Version 0.2.4 supports the following features,
Deprecated features,
| Vendor | Type | Comments |
| Lenovo | Thinkpad | |
| IBM | System X server | |
| Panasonic | Lets's Note |
| Name | Status | Comments |
| Fedora12-14 | ||
| Fedora15 | with tboot-20101005 | |
| RHEL6 | ||
| Ubuntu 10.04 |
TPM v1.2 Error Code Cheat Sheet
TSS v1.2 Error Code Cheat Sheet
Open Platform Trust Services is a proof-of-concept (PoC) and reference implementation of Platform Trust Services (PTS) which is defined by the Trusted Computing Group.
This pts use two integrity manifest, platform and runtime. The platform manifest covers BIOS integrity. As it stands, no PC BIOS vender provides a manifest. thus we create the manifest from existing PC BIOS, The eventlog is stored at ACPI Table and Linux Kenrel supports to access that.
The runtime manifest will cover Bootloader, Operating System and Virtual Machine Monitor.
| Vendor | Type | Comments |
| Lenovo | Thinkpad X60,X61,T60,T61 etc | pls. update the BIOS |
| Panasonic | W7,Y7, etc |
| Name | Status | Comments |
| KNOPPIX511 Trusted Computing Geeks | VALID | Linux-IMA |
Other Linux based Operating Systems are possible to support.
ToolsCommandReference
TcdemoCommandReference
TPM v1.2 Error Code Cheat Sheet
TSS v1.2 Error Code Cheat Sheet
LinuxDistroComparisonTable
HackingLinuxTpmDeviceDriver
| Distro | Release | bootloader (patch) | Kernel (patch) |
| CentOS 5 | (grub-ima) | 2.6.18 | |
| Fedora 7 | 2007/5/31 | (grub-ima) | 2.6.21 |
| Fedora 8 | 2007/11/8 | (grub-ima) | 2.6.23 |
| Fedora 9 | 2008/5/14 | grub-0.97-33 (grub-ima) | 2.6.25 - 2.6.27.25 (ibm_ima_8.5_2.6.27.6.patch) |
| Fedora 10 | 2008/11/25 | grub-0.97-38 (grub-0.97-38.fc10.ima-1.1.0.0.patch) | 2.6.27 - 2.6.27.41 (ibm_ima_8.5_2.6.27.6.patch) |
| Fedora 11 | 2009/6/9 | grub-0.97-50 (grub-ima) | 2.6.29 - 2.6.30.10 (ibm_ima_2.6.29.1.patch) |
| Fedora 12 | 2009/11/17 | grub-0.97-60 (grub-ima) | 2.6.31 - 2.6.31.12 (need fix for iTPM) |
| Ubuntu Hardy | 2008/4/24 | (grub-ima) | 2.6.24 (ibm_ima_8.3_2.6.24.3.patch) |
| Ubuntu Intrepid | 2008/10/30 | (grub-0.97-29ubuntu45-ima-1.1.0.0.patch) | 2.6.27 (ibm_ima_8.5_2.6.27.6.patch) |
| Ubuntu Jaunty | 2009/4/23 | (grub-0.97-29ubuntu45-ima-1.1.0.0.patch) | 2.6.28 |
| Ubuntu Kermic | 2009/10/29 | N/A (grub2) | 2.6.31 - 2.6.31-14 |
| Ubuntu Lucid | 2010/4/29 | N/A (grub2) | ? |
This guide is intended to build Ubuntu Jaunty (9.04, i386) with Trusted Computing.
note) We are using Thinkpad X200 to make this document. It has intel's iTPM chip, and this instruction contains some workarounds for this TPM. Other TPM user does not need such workarounds.
Download ISO image. and install to your HDD.
Update to be work with latest packages.
enable TPM.
Download source package and build.
$ sudo apt-get build-dep grub $ apt-get source grub $ pushd grub-0.97/debian/patches/ $ wget http://osdn.dl.sourceforge.jp/openpts/37646/grub-0.97-29ubuntu45-ima-1.1.0.0.patch $ popd $ echo "# This patch supports IMA" >> grub-0.97/debian/patches/00list $ echo "grub-0.97-29ubuntu45-ima-1.1.0.0.patch" >> grub-0.97/debian/patches/00list $ mv grub-0.97/debian/rules grub-0.97/debian/rules.orig $ sed -e 's/--disable-auto-linux-mem-opt/--disable-auto-linux-mem-opt --enable-ima/g' grub-0.97/debian/rules.orig > grub-0.97/debian/rules $ chmod +x grub-0.97/debian/rules
Build deb package.
$ pushd grub-0.97 $ debchange -i
add changelog message. e.g.
grub (0.97-29ubuntu53.ima) jaunty; urgency=low * enable Trusted Boot -- foo <foo@users.sourceforge.jp> Tue, 31 Mar 2009 23:27:39 +0900
$ dpkg-buildpackage -rfakeroot -us -uc $ popd
Install new GRUB package.
$ sudo dpkg -i grub_0.97-29ubuntu53.ima_i386.deb $ grep TCG /usr/lib/grub/i386-pc/* Binary file /usr/lib/grub/i386-pc/stage1 matches Binary file /usr/lib/grub/i386-pc/stage2 matches Binary file /usr/lib/grub/i386-pc/stage2_eltorito matches
install new GRUB to local system (replace the bootloader components).
$ sudo grub-install /dev/sda $ grep TCG /boot/grub/* Binary file /boot/grub/stage1 matches Binary file /boot/grub/stage2 matches
OK:-)
References: https://help.ubuntu.com/community/Kernel/Compile
$ sudo apt-get install build-essential $ sudo apt-get install kernel-package $ sudo apt-get install ncurses-dev
$ cd /usr/src $ sudo wget http://ftp.riken.jp/Linux/kernel.org/linux/kernel/v2.6/linux-2.6.30.tar.bz2 $ sudo tar jxvf linux-2.6.30.tar.bz2 $ cd linux-2.6.30/ $ sudo cp /boot/config-2.6.27-11-generic .config $ sudo make oldconfig $ sudo make menuconfig $ sudo make xconfig
CONFIG_IMA=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_AUDIT=y CONFIG_IMA_LSM_RULES=y
Intel iTPM requires following patches to fix the problem.
$ sudo wget http://cybione.org/~cdidier/log/data/200812020841/itpm.diff $ sudo patch -p0 -z .itpm --dry-run < itpm.diff $ sudo patch -p0 -z .itpm < itpm.diff
$ sudo make-kpkg clean $ sudo CONCURRENCY_LEVEL=3 make-kpkg --append-to-version=-ima --initrd kernel_image kernel_headers $ sudo dpkg -i ../linux-image-2.6.30-ima_2.6.30-ima-10.00.Custom_i386.deb $ sudo dpkg -i ../linux-headers-2.6.30-ima_2.6.30-ima-10.00.Custom_i386.deb $ vim /boot/grub/menu.lst
Edit /boot/grub/menu.lst to enable IMA. e.g.
title Ubuntu 9.04, kernel 2.6.30 (IMA) uuid fc0f489b-9a7c-43bd-90fa-bb49979b0c23 kernel /boot/vmlinuz-2.6.30-ima root=UUID=fc0f489b-9a7c-43bd-90fa-bb49979b0c23 ro quiet splash ima=1 selinux=1 tpm_tis.force=1 tpm_tis.interrupts=0 initrd /boot/initrd.img-2.6.30-ima quiet
Reboot the system. and check the measurements
$ dmesg <snip> [ 1.992012] tpm_tis tpm_tis: 1.2 TPM (device-id 0x1020, rev-id 6) <snip> $ ls /sys/kernel/security/ ima tpm0 $ sudo cat /sys/kernel/security/ima/ascii_runtime_measurements 10 adc64d7b762408a258e81b9bbb55fa8781ed42bf ima 705418e94288d91ce1ada49dbd4343b82882c9fb boot_aggregate 10 8a11aa2017bfdf52ae1ab8cfb277fc651bc7d611 ima e6d56d44e22b8f6b783c039d45703e8fd28cb796 /init 10 a078e19e5ea2bf75ed353fc6613f7132863618d5 ima 3d90e18f67f1c580c1212126a3c22cf07c7288dd /init 10 089c6ce6198fee74262cf4244ffdea98a2392ded ima 3d90e18f67f1c580c1212126a3c22cf07c7288dd /bin/busybox 10 c69571a6b6185b474fa7437cb2b31253721824d4 ima 7e9431ee7bcbe0c4ea0054baf84672fdff7d6391 arch.conf 10 3d0d130a199ea78a53fc52f4913d28f5d0da8910 ima 0ec1deb5c2338808cf9dd31a0b16473d273fb570 initramfs.conf 10 a193e5f0c6958e3a979d2c1a5af1abcb657ef79e ima 3addb8e6e83e82a86b3ad215bcd771a12c9d4d74 resume 10 71fc6cf0e268c0ffad291eaa1ce49ab14b6e39de ima a1550fe2ce2f915eac8786d1d693141072feea87 functions 10 a14f597eb53f1a12725c9f772229f59c0de61110 ima ad273a22d013fab039459654369b40e47a6e04ac /sbin/depmod 10 30b51606815deb8bb6c9d1a17db33eb8e5ce1465 ima b9269024f4129804673f366b5a67061f54d7be3f ld-linux.so.2 10 e978baf0c895be2b32a803e200b15b9c4a5d3464 ima 803088880d0abdda917385e88a9ac1ed61ce0f71 libc.so.6 10 3b92eee85ca026ca93ba1d0c81d34fa6f88784a0 ima 8a622a41977d6e4cec14e800d76c4aafbaaa9658 nfs.ko 10 5080904daf0e2ba76394f91ac2b63e788db66fb6 ima 4a63e2031da51dbddb9c98ca35a01306c71873b4 reiserfs.ko <snip>
OK.
URL: http://sourceforge.net/projects/trousers/
A) Install from Ubuntu repository
$ sudo apt-get install trousers
B) re-build debian package
$ sudo apt-get build-dep trousers $ apt-get source trousers $ cd trousers-0.3.1 $ dpkg-buildpackage -rfakeroot -us -uc
C) Use the latest version at TrouSerS CVS repo.
$ cvs -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers login hit return when asked for password; $ cvs -z3 -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers co -P trousers $ cp -r trousers /tmp/trousers-0.3.3.cvs $ cd /tmp/trousers-0.3.3.cvs $ sh bootstrap.sh $ dh_make --createorig $ dpkg-buildpackage -rfakeroot $ sudo dpkg -i ../trousers_0.3.3.cvs-1_i386.deb $ sudo adduser --system --home /var/lib/tpm --shell /usr/sbin/nologin --no-create-home --group tss $ sudo chown tss:tss /usr/sbin/tcsd $ sudo chown tss:tss /var/lib/tpm -R $ sudo chown tss:tss /etc/tcsd.conf $ sudo chmod 0600 /etc/tcsd.conf $ sudo chmod 1777 /var/lib/tpm $ sudo /etc/init.d/trousers start
Note1) Modify configure to remove "attribute warn_unused_result" check in CFLAGS Note2) remove trousers tpm-tools libtspi-dev libtspi1 libtpm-unseal-dev libtpm-unseal0 opencryptoki libopencryptoki0
D) Use the latest version at TrouSerS GIT repo (TBD)
git clone git://trousers.git.sourceforge.net/gitroot/trousers
A) Install from Ubuntu repository
$ sudo apt-get install tpm-tools $ tpm_version TPM 1.2 Version Info: Chip Version: 1.2.4.0 Spec Level: 2 Errata Revision: 2 TPM Vendor ID: INTC Vendor Specific data: 00040000 00030464 TPM Version: 01010000 Manufacturer Info: 494e5443
B) Use the latest version at TrouSerS CVS repo.
$ cvs -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers login hit return when asked for password; $ cvs -z3 -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers co -P tpm-tools $ cp -r tpm-tools /tmp/tpm-tools-1.3.3.cvs $ sh bootstrap.sh $ dh_make --createorig $ dpkg-buildpackage -rfakeroot $ sudo dpkg -i ../tpm-tools_1.3.3.cvs-1_i386.deb $ tpm_version TPM 1.2 Version Info: Chip Version: 1.2.4.0 Spec Level: 2 Errata Revision: 2 TPM Vendor ID: INTC Vendor Specific data: 00040000 00030464 TPM Version: 01010000 Manufacturer Info: 494e5443
Note) comment out "dh_shlibdeps" in debian/rules
$ sudo apt-get install trousers libtspi-dev tpm-tools libtpm-unseal0 libtpm-unseal-dev $ sudo apt-get install libcommons-codec-java libcommons-logging-java libpg-java liblog4j1.2-java libibatis-java $ sudo apt-get install libcommons-discovery-java libaxis-java $ sudo apt-get install liblog4j1.2-java-gcj libaxis-java-gcj
From GIT repository (2009-02-22)
$ git clone git://git.sourceforge.jp/gitroot/openpts/tools.git $ cd tools $ make dpkg-buildpackage $ sudo dpkg -i ../openpts-tools_0.1.3-git20090331_i386.deb
$ /usr/bin/tpm_pcrread -a pcr.0=fd696e0329f63bf288616865f86227aea0bff6af pcr.1=0f028024e085e43db5bd29cf771acbb8ab4fb473 pcr.2=d68ec5b044f32933f6bf2488c1b36a0c3bc970e0 pcr.3=3a3f780f11a4b49969fcaa80cd6e3957c33b2275 pcr.4=db8be6e34e5f2c5c4b11f918aec25fe7333f6471 pcr.5=b74a56f449507542c3ad1def88e0e34617c3ba8f pcr.6=585e579e48997fee8efd20830c6a841eb353c628 pcr.7=3a3f780f11a4b49969fcaa80cd6e3957c33b2275 pcr.8=55e50e41bec4225964925f4db2fd1781011ca188 pcr.9=0000000000000000000000000000000000000000 pcr.10=a99b9181fc6f73d30e44442965b9a546b9b9a643 pcr.11=0000000000000000000000000000000000000000 pcr.12=0000000000000000000000000000000000000000 pcr.13=0000000000000000000000000000000000000000 pcr.14=0000000000000000000000000000000000000000 pcr.15=0000000000000000000000000000000000000000 pcr.16=0000000000000000000000000000000000000000 pcr.17=ffffffffffffffffffffffffffffffffffffffff pcr.18=ffffffffffffffffffffffffffffffffffffffff pcr.19=ffffffffffffffffffffffffffffffffffffffff pcr.20=ffffffffffffffffffffffffffffffffffffffff pcr.21=ffffffffffffffffffffffffffffffffffffffff pcr.22=ffffffffffffffffffffffffffffffffffffffff pcr.23=0000000000000000000000000000000000000000
$ iml -p 4 Idx PCR Type Digest EventData ----------------------------------------------------------------------- 179 4 0x80000003 9b4d80cfefc7d5576c4d9f224872505896ef2798 [BIOS:LENOVO NEW(TBD) len=10,00001000000000000010] 180 4 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff] 181 4 0x00000005 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f [BIOS:EV_ACTION, Calling INT 19h] 182 4 0x00000005 6ab91c9fbe9489ea35f226ec70e23c7bb09db9a3 [BIOS:EV_ACTION, Booting BCV Device 80h, - HITACHI HTS541616J9SA00-(S1)] 183 4 0x0000000d c72cb355f3c9978fa9f15ec692264356c7328855 [BIOS:EV_IPL] 184 4 0x0000000d b82f5fa84465edfc054591b059bb65ea54f67282 [GRUB:EV_IPL, Stage1(MBR)] 185 4 0x0000000d d4fa72b193753834e25ca5dc420f9c23d14c6087 [GRUB:EV_IPL, Stage1.5] 186 4 0x0000000d 55fc0eb1ceb08bf75cdd3fb1f0235d8471b748d3 [GRUB:EV_IPL, Stage1.5(filesystem)] 187 4 0x00000006 9fc81a0038d3a3ffdbc053b2eb13b28a8db461cd [GRUB: measure MBR again] 188 4 0x00000004 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 [GRUB:EV_SEPARATOR, Grub Event Separator]
OK :-)
$ git clone git://git.sourceforge.jp/gitroot/openpts/core.git $ cd core $ make dpkg-buildpackage $ sudo dpkg -i ../openpts-core_0.1.3-git20090405_all.deb $ sudo dpkg -i ../openpts-core-gcj_0.1.3-git20090405_i386.deb
$
TODO create deb package for jtreemap. until we need manual installation.
$ wget http://jaist.dl.sourceforge.net/sourceforge/jtreemap/jtreemap-1.1.0.zip $ unzip jtreemap-1.1.0.zip $ sudo cp jtreemap-site-1.1.0/jtreemap-1.1.0.jar /usr/share/java/jtreemap.jar
TODO
sudo apt-get install tomcat5.5 tomcat5.5-webapps postgresql-8.3
$ git clone git://git.sourceforge.jp/gitroot/openpts/demo.git $ cd demo $ make dpkg-buildpackage $ sudo dpkg -i ../openpts-tcdemo-client_0.1.3-git20090405_all.deb $ sudo dpkg -i ../openpts-tcdemo-client-gcj_0.1.3-git20090405_i386.deb $ sudo dpkg -i ../openpts-tcdemo-server_0.1.3-git20090405_all.deb
The SRK password must be a default setting. Just enter for SRK password.
$ tpm_takeownership Enter owner password: ******** Confirm password: ******** Enter SRK password: Confirm password:
If you get the following error message, The TPM has been taken the ownership.
Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled
And, If the size of "/var/lib/tpm/system.data" file is zero, your TSS forgot your ownership. To fix this, you take ownership again, or you can put the dummy system.data file to enable TSS as follows.
sudo cp demo/sampledata/knoppix/dummy_system.data /var/lib/tpm/system.data sudo /etc/init.d/tcsd restart
sudo /usr/bin/ptsclientadmin --commandline --user USERNAME
User's local configurations are stored at /home/$USERNAME/.pts
Install PostgreSQL
sudo apt-get install postgresql <snip> Setting up postgresql (8.3.7-1) ... sudo /etc/init.d/postgresql-8.3 status 8.3 main 5432 online postgres /var/lib/postgresql/8.3/main /var/log/postgresql/postgresql-8.3-main.log
Set an admin password for postgres
sudo passwd postgres su - postgres psql -c "alter user postgres with password 'PASSWORD'" template1
Configure PostgreSQL for OpenPTS.
cd /usr/lib/openpts/database/ bash dbsetup.sh load /etc/openpts/db.conf S) Setup New Databases C) Show Current Configuration L) Show State B) Backup Databases D) Delete Databases Q) Exit select:C Current Configurations DB type : postgres DB admin : ptsadmin DB user : ptsuser Vulnerability Database name : vuldb Integrity Information Database 0 name : iidb_redhat Integrity Information Database 1 name : iidb_centos Integrity Information Database 2 name : iidb_knoppix Integrity Information Database 3 name : iidb_ubuntu Integrity Information Database 4 name : iidb_fedora Integrity Information Database 5 name : iidb Integrity Information Database 6 name : iidb Integrity Information Database 7 name : iidb_bios <snip> select:S <snip>
it takes few hours.
cd /var/lib/openpts sudo sh /usr/lib/openpts/scripts/deb-all.sh ubuntu Collect Package info of ubuntu package list... treemap data... metadata... md5 digests... sha1 digests... <snip>
Create map file, "/var/lib/openpts/database/ibatis/sqlMapsConfig.properties", e.g.
driver=org.postgresql.Driver url_vul=jdbc:postgresql://localhost/vuldb url_iidb0=jdbc:postgresql://localhost/iidb_redhat url_iidb1=jdbc:postgresql://localhost/iidb_centos url_iidb2=jdbc:postgresql://localhost/iidb_knoppix url_iidb3=jdbc:postgresql://localhost/iidb_ubuntu url_iidb4=jdbc:postgresql://localhost/iidb_fedora url_iidb5=jdbc:postgresql://localhost/iidb url_iidb6=jdbc:postgresql://localhost/iidb url_iidb7=jdbc:postgresql://localhost/iidb username=ptsadmin password=password
Import RPM metadata/digest into IIDB. it takes time.
# /usr/bin/openpts rpmimport --dbindex 4 --inputdir /var/lib/openpts/fedora/data/
Check the IIDB using openpts command. e.g.
# openpts iidb --list --index 4 IIDB index: 4 packages: 1622 measuremnets: 250925 - vulnerable: package 0 measurement 0 - safe: package 0 measurement 0 - unclear: package 0 measurement 0 - unchecked: package 1622 measurement 250925 # sha1sum /usr/sbin/acpid b5e042dfeac3bb70a686be5abd1fcb6a9472c6de /usr/sbin/acpid # openpts iidb --search --index 4 --digest b5e042dfeac3bb70a686be5abd1fcb6a9472c6de hexDigest : b5e042dfeac3bb70a686be5abd1fcb6a9472c6de id : 47331 filename : /usr/sbin/acpid obsolete : 0 vulnerability : 0 packageName : acpid-1.0.6-11.fc10.x86_64
Just fill CVE info into Vulnerability Database. The database can not link with integrity database. Since there is no good source of Security Advisory for Fedora, OVAL only support RHEL.
/usr/bin/openpts cve --xmlfile http://nvd.nist.gov/download/nvdcve-2009.xml --outputdir /tmp
$ pg_dump database_name > file_name.sql $ psql -e database_name < file_name.sql $ pg_restore –d database_name file_name.sql
sudo apt-get install phppgadmin /etc/init.d/apache2 start
login as "ptsuser"
if login was failed, check the configuration file: /etc/postgresql/8.3/main/pg_hba.conf
# yum install tomcat5 tomcat5-webapps tomcat5-admin-webapps
/etc/sysconfig/tomcat5
JAVA_HOME="/usr/java/jdk1.6.0_12/"
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tcdemo-server-0.1.3-git20090613.fc10.x86_64.rpm'
# /sbin/service tomcat5 start # chkconfig tomcat5 on
Log file /var/log/tomcat5/catalina.out 6-3-X. Setup Demo Contents¶
Create account, user "guest" and password "given".
# htpasswd -c /var/www/.htpasswd guest
Create demo contents
# mkdir -p /var/www/html/tcdemo
Edit /var/www/html/tcdemo/index.html
<html> <head> <title> OpenPTS Test </title> </head> <body> <h1> OpenPTS Test </h1> </body> </html>
Edit /etc/httpd/conf/httpd.conf
... <Directory "/var/www/html"> ... AuthType Basic AuthName "Password Required" AuthUserFile /var/www/.htpasswd AuthGroupFile /dev/null require valid-user
</Directory> ...
# service httpd start # chkconfig httpd on
(OPTION) To monitor server-side validation log, open terminal
tailf /var/log/openpts.log
/usr/bin/ptsclientuser --commandline
if validation was success, it open http://localhost/tcdemo.
Congratulation!
Ubuntu package does not support GTK. to enable GTK feature (popup password), re-build the trousers with GTK option.
$ sudo apt-get build-dep trousers $ apt-get source trousers $ cd trousers-0.3.1 $ dpkg-buildpackage -rfakeroot -us -uc
EOF
]]>Following instruction is tested by using Fedora10 x86_64.
$ su -c 'yum install yum-utils rpmdevtools' $ rpmdev-setuptree
Now ~/rpmbuild/ is your work space.
Download and Install Java Development Kit 6 from http://java.sun.com/javase/downloads/index.jsp (OPTION)
$ su -c 'sh jdk-6u12-linux-amd64-rpm.bin'
export JAVA_HOME=/usr/java/default export PATH=/usr/java/default/bin:$PATH
OK, let's build/install Trusted Computing components.
TBD, The GRIB-IMA patch for F10 is still under test.
$ su -c 'yumdownloader --source grub' $ su -c 'yum-builddep grub-0.97-38.fc10.src.rpm' $ rpm -Uvh grub-0.97-38.fc10.src.rpm $ cd ~/rpmbuild/SOURCES $ wget http://osdn.dl.sourceforge.jp/openpts/40294/grub-0.97-38.fc10.ima-1.1.0.0.patch $ cd ~/rpmbuild/SPECS
Modify grub.spec to support GRUB-IMA, e.g.
+Release: 38%{?dist}.ima
+Patch2: grub-0.97-38.fc10.ima-1.1.0.0.patch
+%patch2 -p1
+%configure --sbindir=/sbin --disable-auto-linux-mem-opt --enable-ima --datarootdir=%{_datadir}
Then, Build and Install.
$ rpmbuild -ba grub.spec $ su -c 'rpm -ivh ../RPMS/x86_64/grub-0.97-38.fc10.ima.x86_64.rpm' $ su -c 'grub-install /dev/sda'
Reboot,
/sys/kernel/security/tpm0/ascii_bios_measurements has new events. e.g.
<snip> 4 a6814bcb5db0cf04d8dcab87eb28f5da08f8fb88 0d [IPL] 4 1b2db0cc9522e668216df23894622abae5a5bfb8 0d [IPL] 4 2088cf4ac5161ed201988c4a7eef032edfcbe11c 0d [IPL] 4 9c4f005da6861894101336242cf6a6b4f48932de 06 [] 4 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 04 [Grub Event Separator] 5 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 04 [Grub Event Separator] 5 9cd8a5fd7d52a7500aec4acad1ba165e1fed8786 0e [IPL Partition Data] 5 791724465beff9845e79f6a7e38e5d8d7fe9a706 1105 [] 8 177f4ea8f72db0082f832667701f9d072b1f5df2 1205 [] 8 4ecccf21df1f87f7203112bcf8555475cfdca7e9 1305 [] 5 2431ed60130faeaf3a045f21963f71cacd46a029 04 [OS Event Separator] 8 2431ed60130faeaf3a045f21963f71cacd46a029 04 [OS Event Separator] 8 f3973cae05d6e2055062119d6e6e1e077b7df876 1005 []
note1) Please mount securityfs to access the eventlog
# mount -t securityfs securityfs /sys/kernel/security
or ,add the folloing line to your /etc/fstab
securityfs /sys/kernel/security securityfs rw 0 0
note2) This patch does not support Trusted Boot on EFI platform.
At this moment, we are recomended to use OLD IMA, since NEW IMA is not integrated with Trousers and OpenPTS yet.
References:
1 http://fedoraproject.org/wiki/Docs/CustomKernel
2 http://sourceforge.net/projects/linux-ima
Example:
$ yumdownloader --source kernel $ su -c 'yum-builddep kernel-<version>.src.rpm' $ rpm -Uvh kernel-<version>.src.rpm $ cd ~/rpmbuild/SOURCE $ wget http://jaist.dl.sourceforge.net/sourceforge/linux-ima/ibm_ima_8.5_2.6.27.6.patch $ cd ~/rpmbuild/SPECS $ rpmbuild -bp --target=`uname -m` kernel.spec $ cd ~/rpmbuild/BUILD $ cp configs/<desired-config-file> .config or $ cp /boot/config-$(uname -r) .config $ make -s xconfig OR $ make -s menuconfig Device Driver > Character devices > TPM hardware Supports = Y Device Driver > Character devices > TPM hardware Supports > * Interface= Y Cryptographic API > SHA1 = Y Security options > Capability = N Security options > Smack = N Security options > TCG run-time Integrity Measuremenet = Y add "# x86_64" at top $ cp .config /home/foo/rpmbuild/SOURCES/config-x86_64-generic $ cd ~/rpmbuild/SPECS add "%define buildid .ima" to kernel.spec $ rpmbuild -ba --with baseonly --with firmware --without debuginfo --target=`uname -m` kernel.spec $ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/kernel-firmware-2.6.27.19-170.2.35.ima.fc10.x86_64.rpm' $ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/kernel-2.6.27.19-170.2.35.ima.fc10.x86_64.rpm' add "ima=1" to the kernel line in /boot/grub/grub.conf.
/etc/tcsd.conf
system_ps_file = /var/lib/tpm/system.data firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements firmware_pcrs = 0,1,2,3,4,5,6,7,8 kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements kernel_pcrs = 10
note) The pc which has new Intel iTPM needs to fix the tpm_tis.c code. then add "tpm_tis.force=1 tpm_tis.interrupts=0" to the kernel line.
note) the new eventlog reported by IMA is not supported by Trousers yet, since the eventlog format was changed.
e.g.
wget http://ftp.riken.jp/Linux/kernel.org/linux/kernel/v2.6/testing/linux-2.6.30-rc1.tar.bz2 tar xvfj linux-2.6.30-rc1.tar.bz2 cd linux-2.6.30-rc1 cp /boot/config-$(uname -r) .config make xconfig make rpm $ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/kernel-2.6.30rc1-1.x86_64.rpm' $ su -c '/sbin/mkinitrd /boot/initrd-2.6.30-rc1.img 2.6.30-rc1'
Edit /boot/grub/grub.conf to add 2.6.30-rc1 (2.6.30 will not need "ima=1" kernel option, but in 2.6.31 will need "ima_tcb=1") , then reboot.
/sys/kernel/security/ima/ascii_runtime_measurements
10 817c49849831408d9644f0211acd1cf6b5f11d72 ima c61c6ca6a34a76d58bf49a2609bd025c8786a4be boot_aggregate 10 c87f38a0c5e5f969ef2a9858ae08e5e9c060d2d5 ima 654cd04f9f1775de24c4d6b32c8f400fe630be63 /init 10 71ccedd1d3c118d3aed7ce6b2e3550928f56ef3d ima 2117139e75aae8b96ffbd81b2b76ba2e289248d9 /init 10 960937de5c7f27bbe737e09444ea567ab55dadd1 ima 81d18b105b656ff4619750d96f72973cae2700da ld-2.9.so <snip>
/etc/tcsd.conf
system_ps_file = /var/lib/tpm/system.data firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements firmware_pcrs = 0,1,2,3,4,5,6,7,8
$ su -c 'yum install trousers trousers-devel tpm-tools tpm-tools-devel'
Enable tcsd service. System->Administration->Services
$ /usr/sbin/tpm_version TPM 1.2 Version Info: Chip Version: 1.2.4.0 Spec Level: 2 Errata Revision: 2 TPM Vendor ID: INTC Vendor Specific data: 00040000 00030464 TPM Version: 01010000 Manufacturer Info: 494e5443
$ cvs -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers login hit return when asked for password; $ cvs -z3 -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers co -P trousers $ cvs -z3 -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers co -P tpm-tools
$ cd trousers $ sh bootstrap.sh $ ./configure --prefix=/usr --libdir=/usr/lib64 $ cd .. $ ln -s trousers trousers-0.3.2cvs $ tar cvfz ~/rpmbuild/SOURCES/trousers-0.3.2cvs.tar.gz ./trousers-0.3.2cvs/* $ rpmbuild -ba trousers-0.3.2cvs/dist/fedora/trousers.spec
note) please modify dist/Makefile.am if you want to remove groupadd feature
$ cd tpm-tools $ sh bootstrap.sh $ ./configure --prefix=/usr --libdir=/usr/lib64
Edit dist/tpm-tools-nopkcs11.spec
$ cd .. $ ln -s tpm-tools tpm-tools-1.3.2cvs $ tar cvfz ~/rpmbuild/SOURCES/tpm-tools-1.3.2cvs.tar.gz ./tpm-tools-1.3.2cvs/* $ rpmbuild -ba tpm-tools-1.3.2cvs/dist/tpm-tools-nopkcs11.spec
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/trousers-0.3.2cvs-1.x86_64.rpm # rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/trousers-devel-0.3.2cvs-1.x86_64.rpm # rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/tpm-tools-1.3.2cvs-1.x86_64.rpm # rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/tpm-tools-devel-1.3.2cvs-1.x86_64.rpm
build.
$ git clone git://git.sourceforge.jp/gitroot/openpts/tools.git $ cd tools $ make rpmbuild-ba $ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tools-0.1.3-git20090530.fc10.x86_64.rpm'
test.
$ /usr/bin/tpm_pcrread -a pcr.0=fd696e0329f63bf288616865f86227aea0bff6af pcr.1=4063c23534fc231a45a5e62cb1f0d306e6f4b46e pcr.2=d68ec5b044f32933f6bf2488c1b36a0c3bc970e0 pcr.3=3a3f780f11a4b49969fcaa80cd6e3957c33b2275 pcr.4=0e764ceb8414213d60cd7806658c46727546c4b3 pcr.5=879a6daae2fdaeac689a979dd59a786bcbb75b67 pcr.6=585e579e48997fee8efd20830c6a841eb353c628 pcr.7=3a3f780f11a4b49969fcaa80cd6e3957c33b2275 pcr.8=7928d1771976b14d379e0d152c82d9f97c062e99 pcr.9=0000000000000000000000000000000000000000 pcr.10=6ac63a51abccd57745acb56207ef330312488370 pcr.11=0000000000000000000000000000000000000000 pcr.12=0000000000000000000000000000000000000000 pcr.13=0000000000000000000000000000000000000000 pcr.14=0000000000000000000000000000000000000000 pcr.15=0000000000000000000000000000000000000000 pcr.16=0000000000000000000000000000000000000000 pcr.17=ffffffffffffffffffffffffffffffffffffffff pcr.18=ffffffffffffffffffffffffffffffffffffffff pcr.19=ffffffffffffffffffffffffffffffffffffffff pcr.20=ffffffffffffffffffffffffffffffffffffffff pcr.21=ffffffffffffffffffffffffffffffffffffffff pcr.22=ffffffffffffffffffffffffffffffffffffffff pcr.23=0000000000000000000000000000000000000000
$ /usr/bin/iml Idx PCR Type Digest EventData ----------------------------------------------------------------------- 0 0 0x00000008 4081b13dc986e581d587aa7fe6c61e02ef7312b2 [BIOS:EV_S_CRTM_VERSION] 1 0 0x00000001 8b5c22ae675ea440e2f403b4d5e88131fecc2a1c [BIOS:EV_POST_CODE(EV_CODE_NOCERT)] <snip> 183 4 0x0000000d dc717bf8fd6cadfc50e5d0a401eac1f93bdddc3e [BIOS:EV_IPL] 184 4 0x0000000d a6814bcb5db0cf04d8dcab87eb28f5da08f8fb88 [GRUB:EV_IPL, Stage1(MBR)] 185 4 0x0000000d 1b2db0cc9522e668216df23894622abae5a5bfb8 [GRUB:EV_IPL, Stage1.5] 186 4 0x0000000d 2088cf4ac5161ed201988c4a7eef032edfcbe11c [GRUB:EV_IPL, Stage1.5(filesystem)] 187 4 0x00000006 9c4f005da6861894101336242cf6a6b4f48932de [GRUB: measure MBR again] 188 4 0x00000004 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 [GRUB:EV_SEPARATOR, Grub Event Separator] 189 5 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff] 190 5 0x0000000e 26a08ab97c4bffb3dd84f4f6dbd3b475d22abe3f [BIOS:EV_IPL_PERTITION_DATA] 191 5 0x00000004 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 [GRUB:EV_SEPARATOR, Grub Event Separator] 192 5 0x0000000e 9cd8a5fd7d52a7500aec4acad1ba165e1fed8786 [GRUB:grub.conf] 193 5 0x00001105 791724465beff9845e79f6a7e38e5d8d7fe9a706 [GRUB:KERNEL_OPT /vmlinuz-2.6.30-rc2 ro root=/dev/VolGroup00/LogVol00 ima=1 tpm_tis.itpmfix=1 tpm_tis.force=1 tpm_tis.interrupts=0 numa=fake=2*512] 194 5 0x00000004 2431ed60130faeaf3a045f21963f71cacd46a029 [GRUB:EV_SEPARATOR, OS Event Separator] 195 6 0x00000005 017263855c5e8b20f2896a3135b8e4652ab1e708 [BIOS:EV_ACTION, WAKE EVENT 0] 196 6 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff] 197 7 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff] 198 8 0x00001205 177f4ea8f72db0082f832667701f9d072b1f5df2 [GRUB:KERNEL /vmlinuz-2.6.30-rc2] 199 8 0x00001305 4ecccf21df1f87f7203112bcf8555475cfdca7e9 [GRUB:INITRD /initrd-2.6.30-rc2.img] 200 8 0x00000004 2431ed60130faeaf3a045f21963f71cacd46a029 [GRUB:EV_SEPARATOR, OS Event Separator] 201 8 0x00001005 f3973cae05d6e2055062119d6e6e1e077b7df876 [GRUB:ACTION, Booting Linux Kenrel]
install required java packages
yum install java-devel ant ant-nodeps java-gcj-compat-devel yum install jakarta-commons-logging jakarta-commons-codec log4j postgresql-jdbc
Get the source code from GIT repo.
$ git clone git://git.sourceforge.jp/gitroot/openpts/core.git $ cd core
Build and Install iBatis.
$ wget http://ftp.kddilabs.jp/infosystems/apache/ibatis/binaries/ibatis.java/ibatis-2.3.4.726.zip -O ~/rpmbuild/SOURCES/ibatis-2.3.4.726.zip $ rpmbuild -ba dist/ibatis.spec $ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/ibatis-2.3.4.726-1.fc10.x86_64.rpm'
$ make rpmbuild-ba $ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-core-0.1.3-git20090613.fc10.x86_64.rpm'
note) make sure your JDK or JRE is Sun.
Quick test. get IML from TSS, calc. PCR from IML, check current PCR
$ /usr/bin/iml -b -o binary_iml.log $ /usr/bin/openpts iml --text --in binary_iml.log --- PCR[0] CRTM, POST BIOS, and Embedded Option ROMs --- 0 4081b13dc986e581d587aa7fe6c61e02ef7312b2,0x8,[EV_S_CRTM_VERSION[12]=0800feffffffffff05000000] <snip> PCR-00: FD 69 6E 03 29 F6 3B F2 88 61 68 65 F8 62 27 AE A0 BF F6 AF <snip> $ /usr/bin/tpm_pcrread -p 0 pcr.0=fd696e0329f63bf288616865f86227aea0bff6af
build.
$ git clone git://git.sourceforge.jp/gitroot/openpts/demo.git $ cd demo
$ rpmbuild -ba dist/rpm/jtreemap.spec $ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/jtreemap-1.1.0-1.fc10.x86_64.rpm'
$ make rpmbuild-ba $ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tcdemo-client-0.1.3-git20090613.fc10.x86_64.rpm'
test.
# /usr/bin/ptsclientadmin
GUI program will start, Platform Information tab shows your platform's info/PCR/IML. Next, goto Reference Manifest tab and Press "Create/Update" Button. Then it generate new Reference Manifest(/var/lib/openpts/platform_rm.xml). Press View button, it will start firefox to see the XML file.
note) For LIM/IMA, it supports platform (BIOS/Bootloader) manifest only as for 2009/6/1.
Setup the client and server on single machine.
You need to disable prelink since it modify the executable (the digest will became an unique value for each machine). Modify /etc/sysconfig/prelink file as follows:
PRELINKING=no
Undo prelink. this may take a while.
# /usr/sbin/prelink -ua
The SRK password must be a default setting. Just enter for SRK password.
$ tpm_takeownership Enter owner password: ******** Confirm password: ******** Enter SRK password: Confirm password:
If you get the following error message, The TPM has been taken the ownership.
Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled
And, If the size of "/var/lib/tpm/system.data" file is zero, your TSS forgot your ownership. To fix this, you take ownership again, or you can put the dummy system.data file to enable TSS as follows.
# cp demo/sampledata/knoppix/dummy_system.data /var/lib/tpm/system.data # service tcsd restart
/usr/bin/ptsclientadmin --commandline --user USERNAME
User's local configurations are stored at /home/$USERNAME/.pts
# yum install postgresql-server # service postgresql start # chkconfig postgresql on
Set an admin password for postgres
# passwd postgres
# cd /usr/lib64/openpts/database/ # sh dbsetup.sh load /etc/openpts/db.conf S) Setup New Databases C) Show Current Configuration L) Show State B) Backup Databases D) Delete Databases Q) Exit select:C Current Configurations DB type : postgres DB admin : ptsadmin DB user : ptsuser Vulnerability Database name : vuldb Integrity Information Database 0 name : iidb_redhat Integrity Information Database 1 name : iidb_centos Integrity Information Database 2 name : iidb_knoppix Integrity Information Database 3 name : iidb_ubuntu Integrity Information Database 4 name : iidb_fedora Integrity Information Database 5 name : iidb Integrity Information Database 6 name : iidb Integrity Information Database 7 name : iidb_bios <snip> select:S <snip>
it takes few hours.
# cd /var/lib/openpts # sh /usr/lib64/openpts/scripts/rpm-all.sh fedora Collect Package info of fedora package list... treemap data... metadata... md5 digests...
Create map file, "/var/lib/openpts/database/ibatis/sqlMapsConfig.properties", e.g.
driver=org.postgresql.Driver url_vul=jdbc:postgresql://localhost/vuldb url_iidb0=jdbc:postgresql://localhost/iidb_redhat url_iidb1=jdbc:postgresql://localhost/iidb_centos url_iidb2=jdbc:postgresql://localhost/iidb_knoppix url_iidb3=jdbc:postgresql://localhost/iidb_ubuntu url_iidb4=jdbc:postgresql://localhost/iidb_fedora url_iidb5=jdbc:postgresql://localhost/iidb url_iidb6=jdbc:postgresql://localhost/iidb url_iidb7=jdbc:postgresql://localhost/iidb username=ptsadmin password=password
Import RPM metadata/digest into IIDB. it takes time.
# /usr/bin/openpts rpmimport --dbindex 4 --inputdir /var/lib/openpts/fedora/data/
Check the IIDB using openpts command. e.g.
# openpts iidb --list --index 4 IIDB index: 4 packages: 1622 measuremnets: 250925 - vulnerable: package 0 measurement 0 - safe: package 0 measurement 0 - unclear: package 0 measurement 0 - unchecked: package 1622 measurement 250925 # sha1sum /usr/sbin/acpid b5e042dfeac3bb70a686be5abd1fcb6a9472c6de /usr/sbin/acpid # openpts iidb --search --index 4 --digest b5e042dfeac3bb70a686be5abd1fcb6a9472c6de hexDigest : b5e042dfeac3bb70a686be5abd1fcb6a9472c6de id : 47331 filename : /usr/sbin/acpid obsolete : 0 vulnerability : 0 packageName : acpid-1.0.6-11.fc10.x86_64
Just fill CVE info into Vulnerability Database. The database can not link with integrity database. Since there is no good source of Security Advisory for Fedora, OVAL only support RHEL.
/usr/bin/openpts cve --xmlfile http://nvd.nist.gov/download/nvdcve-2009.xml --outputdir /tmp
$ pg_dump database_name > file_name.sql
$ psql -e database_name < file_name.sql $ pg_restore –d database_name file_name.sql
# yum install tomcat5 tomcat5-webapps tomcat5-admin-webapps
/etc/sysconfig/tomcat5
JAVA_HOME="/usr/java/jdk1.6.0_12/"
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tcdemo-server-0.1.3-git20090613.fc10.x86_64.rpm'
# /sbin/service tomcat5 start # chkconfig tomcat5 on
Log file /var/log/tomcat5/catalina.out
Create account, user "guest" and password "given".
# htpasswd -c /var/www/.htpasswd guest
Create demo contents
# mkdir -p /var/www/html/tcdemo
Edit /var/www/html/tcdemo/index.html
<html> <head> <title> OpenPTS Test </title> </head> <body> <h1> OpenPTS Test </h1> </body> </html>
Edit /etc/httpd/conf/httpd.conf
... <Directory "/var/www/html"> ... AuthType Basic AuthName "Password Required" AuthUserFile /var/www/.htpasswd AuthGroupFile /dev/null require valid-user </Directory> ...
# service httpd start # chkconfig httpd on
(OPTION) To monitor server-side validation log, open terminal
tailf /var/log/openpts.log
/usr/bin/ptsclientuser --commandline
if validation was success, it open http://localhost/tcdemo.
Congratulation!
/varlib/openpts/database/ibatis/commons-logging.properties
org.apache.commons.logging.log=org.apache.commons.logging.impl.Log4JLogger
/var/lib/openpts/database/ibatis/log4j.properties
log4j.rootCategory=DEBUG, CONSOLE log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout log4j.appender.CONSOLE.layout.ConversionPattern=%5p [%t] (%F:%L) - %m%n log4j.appender.LOGFILE=org.apache.log4j.FileAppender log4j.appender.LOGFILE.File=/tmp/openpts.log log4j.appender.LOGFILE.Append=true log4j.appender.LOGFILE.layout=org.apache.log4j.PatternLayout log4j.appender.LOGFILE.layout.ConversionPattern=%p %t %c - %m%n
This is the enhancement of Linux boot loader, GRUB for adding the TCG measurement capability. It supports TCG compliant PCs with TPM 1.1b and 1.2. Main features are:
Environment:
Links
GNU GRUB http://www.gnu.org/software/grub/grub.html
GNU GRUB Mailing List Archive http://lists.gnu.org/archive/html/bug-grub/
TCG https://www.trustedcomputinggroup.org/home
OLD Instruction http://trousers.sourceforge.net/grub.html
| distro | patch |
| original 0.97 | |
| RHEL5/CentOS5 | http://sourceforge.net/projects/trousers/files/Grub-IMA/0.97-13-ima-1.1.0.0/grub-0.97-13-ima-1.1.0.0.tgz/download |
| Fedora 7 | |
| Fedora 8 | |
| Fedora 9 | |
| Fedora 10 | http://sourceforge.jp/projects/openpts/downloads/40294/grub-0.97-38.fc10.ima-1.1.0.0.patch/ |
| Fedora 11 | |
| Ubuntu 8.10 | http://sourceforge.jp/projects/openpts/downloads/37646/grub-0.97-29ubuntu45-ima-1.1.0.0.patch/ |
| Ubuntu 9.04 | use above patch |
TBD
TBD
]]>This guide is intended to build Ubuntu Intrepid (8.10, i386) with Trusted Computing.
Download ISO image. and install to your HDD.
Update to be work with latest packages.
Download source package and build.
$ sudo apt-get build-dep grub $ apt-get source grub $ pushd grub-0.97/debian/patches/ $ wget http://osdn.dl.sourceforge.jp/openpts/37646/grub-0.97-29ubuntu45-ima-1.1.0.0.patch $ popd $ echo "# This patch supports IMA" >> grub-0.97/debian/patches/00list $ echo "grub-0.97-29ubuntu45-ima-1.1.0.0.patch" >> grub-0.97/debian/patches/00list $ mv grub-0.97/debian/rules grub-0.97/debian/rules.orig $ sed -e 's/--disable-auto-linux-mem-opt/--disable-auto-linux-mem-opt --enable-ima/g' grub-0.97/debian/rules.orig > grub-0.97/debian/rules $ chmod +x grub-0.97/debian/rules
Build deb package.
$ pushd grub-0.97 $ debchange -i $ dpkg-buildpackage -rfakeroot -us -uc $ pop
Install new GRUB package.
$ sudo dpkg -i grub_0.97-29ubuntu45.ima_i386.deb $ grep TCG /usr/lib/grub/i386-pc/* Binary file /usr/lib/grub/i386-pc/stage1 matches Binary file /usr/lib/grub/i386-pc/stage2 matches Binary file /usr/lib/grub/i386-pc/stage2_eltorito matches
install new GRUB to local system (replace the bootloader components).
$ sudo grub-install /dev/sda $ grep TCG /boot/grub/* Binary file /boot/grub/stage1 matches Binary file /boot/grub/stage2 matches
OK:-)
References: https://help.ubuntu.com/community/Kernel/Compile
This is original IMA patch using LSM. The patch is available from http://sourceforge.net/projects/linux-ima
$ sudo apt-get build-dep linux-image-debug-$(uname -r) $ apt-get source linux-image-debug-$(uname -r) $ cd linux-2.6.27 $ debchange -i $ wget http://nchc.dl.sourceforge.net/sourceforge/linux-ima/ibm_ima_8.5_2.6.27.6.patch $ patch -p1 -z .ima < ibm_ima_8.5_2.6.27.6.patch patching file Documentation/ima/INSTALL patching file Documentation/ima/integrity_measurements.txt patching file Makefile Hunk #1 succeeded at 629 (offset 10 lines). patching file drivers/char/tpm/tpm.c patching file drivers/char/tpm/tpm.h patching file drivers/char/tpm/tpm_atmel.c patching file drivers/char/tpm/tpm_infineon.c patching file drivers/char/tpm/tpm_nsc.c patching file drivers/char/tpm/tpm_tis.c patching file include/linux/ima_module.h patching file include/linux/tpm.h patching file init/Kconfig patching file kernel/module.c patching file security/Kconfig Hunk #1 FAILED at 117. 1 out of 1 hunk FAILED -- saving rejects to file security/Kconfig.rej patching file security/Makefile Hunk #2 FAILED at 15. 1 out of 2 hunks FAILED -- saving rejects to file security/Makefile.rej patching file security/ima/Kconfig patching file security/ima/Makefile patching file security/ima/ima.h patching file security/ima/ima_fs.c patching file security/ima/ima_init.c patching file security/ima/ima_lsmhooks.c patching file security/ima/ima_main.c patching file security/ima/ima_queue.c
some FAILED exist, since the AppArmor patch was applied. Manually fix security/Kconfig and security/Makefile files. Also it can not compile ubuntu/aufs/vfsub.c due to error. fix manually.
$ cp /boot/config-$(uname -r) .config $ make -s xconfig OR $ make -s menuconfig
Device Driver > Character devices > TPM hardware Supports = Y Device Driver > Character devices > TPM hardware Supports > * Interface= Y Cryptographic API > SHA1 = Y Security options > Capability = N Security options > Smack = N Security options > TCG run-time Integrity Measuremenet = Y
$ UBUNTUBUILD=1 DEBIAN_SRCTOP=./ CONCURRENCY_LEVEL=2 fakeroot make-kpkg -initrd kernel_image kernel_headers modules_image $ cd .. $ sudo dpkg -i linux-headers-2.6.27.10_2.6.27-11.27ubuntu.ima_i386.deb $ sudo dpkg -i linux-image-2.6.27.10_2.6.27-11.27ubuntu.ima_i386.deb
Edit /boot/grub/menu.lst to enable IMA. e.g.
title Ubuntu 8.10, kernel 2.6.27.10 uuid 31e82bb7-f3a8-4536-8b40-b3182c6872e2 kernel /vmlinuz-2.6.27.10 root=UUID=7183f5c8-fc83-4554-b335-8440370ca77a ro quiet splash crashkernel=384M-2G:64M@16M,2G-:128M@16M ima=1 selinux=0 apparmor=0 tpm_tis.force=1 tpm_tis.interrupts=0 initrd /initrd.img-2.6.27.10 quiet
Reboot the system. and check the measurements
$ dmesg <snip> [ 0.004000] Security Framework initialized [ 0.004000] SELinux: Disabled at boot. [ 0.004000] AppArmor: AppArmor disabled by boottime parameter <snip> [ 2.060007] tpm_tis tpm_tis: 1.2 TPM (device-id 0x1020, rev-id 6) <snip> [ 5.896625] IBM Integrity Measurement Architecture (IBM IMA v8.4 08/27/2008). [ 5.896627] IMA (test mode) <snip> $ ls /sys/kernel/security/ ima tpm0 $ sudo cat /sys/kernel/security/ima/ascii_runtime_measurements 10 ed83754d46a567afb945e5b1bfb5ac2ea3a4560d boot_aggregate 10 48059cf5953adb47e81146859ae02eb5d07ae261 /bin/sh 10 202e1dd4affcf58805f662290eb4a0d534be60f0 /bin/mkdir 10 b913e527d69496b5692cbc8bc2a97f49cd0be5a8 /lib/klibc-zUXi_KjK5ZQAIyc8jlwme9T6a4U.so 10 b8634abcb46d9c76567528fce662d00110dce97e /bin/mknod 10 30d6d100429132f64fb8b24f0c4c6011c5d819c1 /bin/cat 10 e4ece1b97ab901e6433c7f917615fc104ba3a4f8 /sbin/depmod <snip> 10 49e97774326fc9eb5f7cb680477c1d56f4e28921 /usr/bin/sudo <snip> $ sha1sum /usr/bin/sudo 49e97774326fc9eb5f7cb680477c1d56f4e28921 /usr/bin/sudo
OK.
$ sudo apt-get install trousers
$ sudo apt-get install tpm-tools $ tpm_version TPM 1.2 Version Info: Chip Version: 1.2.4.0 Spec Level: 2 Errata Revision: 2 TPM Vendor ID: INTC Vendor Specific data: 00040000 00030464 TPM Version: 01010000 Manufacturer Info: 494e5443
$ sudo apt-get install trousers libtspi-dev tpm-tools libtpm-unseal0 libtpm-unseal-dev $ sudo apt-get install libcommons-codec-java libcommons-logging-java libpg-java liblog4j1.2-java libibatis-java $ sudo apt-get install libcommons-discovery-java libaxis-java $ sudo apt-get install liblog4j1.2-java-gcj libaxis-java-gcj
From GIT repository (2009-02-22)
$ git clone git://git.sourceforge.jp/gitroot/openpts/tools.git $ cd tools $ make dpkg-buildpackage $ sudo dpkg -i ../openpts-tools_0.1.3-git20090331_i386.deb
$ /usr/bin/tpm_pcrread -a pcr.0=fd696e0329f63bf288616865f86227aea0bff6af pcr.1=0f028024e085e43db5bd29cf771acbb8ab4fb473 pcr.2=d68ec5b044f32933f6bf2488c1b36a0c3bc970e0 pcr.3=3a3f780f11a4b49969fcaa80cd6e3957c33b2275 pcr.4=db8be6e34e5f2c5c4b11f918aec25fe7333f6471 pcr.5=b74a56f449507542c3ad1def88e0e34617c3ba8f pcr.6=585e579e48997fee8efd20830c6a841eb353c628 pcr.7=3a3f780f11a4b49969fcaa80cd6e3957c33b2275 pcr.8=55e50e41bec4225964925f4db2fd1781011ca188 pcr.9=0000000000000000000000000000000000000000 pcr.10=a99b9181fc6f73d30e44442965b9a546b9b9a643 pcr.11=0000000000000000000000000000000000000000 pcr.12=0000000000000000000000000000000000000000 pcr.13=0000000000000000000000000000000000000000 pcr.14=0000000000000000000000000000000000000000 pcr.15=0000000000000000000000000000000000000000 pcr.16=0000000000000000000000000000000000000000 pcr.17=ffffffffffffffffffffffffffffffffffffffff pcr.18=ffffffffffffffffffffffffffffffffffffffff pcr.19=ffffffffffffffffffffffffffffffffffffffff pcr.20=ffffffffffffffffffffffffffffffffffffffff pcr.21=ffffffffffffffffffffffffffffffffffffffff pcr.22=ffffffffffffffffffffffffffffffffffffffff pcr.23=0000000000000000000000000000000000000000
$ iml -p 4 Idx PCR Type Digest EventData ----------------------------------------------------------------------- 179 4 0x80000003 9b4d80cfefc7d5576c4d9f224872505896ef2798 [BIOS:LENOVO NEW(TBD) len=10,00001000000000000010] 180 4 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff] 181 4 0x00000005 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f [BIOS:EV_ACTION, Calling INT 19h] 182 4 0x00000005 6ab91c9fbe9489ea35f226ec70e23c7bb09db9a3 [BIOS:EV_ACTION, Booting BCV Device 80h, - HITACHI HTS541616J9SA00-(S1)] 183 4 0x0000000d c72cb355f3c9978fa9f15ec692264356c7328855 [BIOS:EV_IPL] 184 4 0x0000000d b82f5fa84465edfc054591b059bb65ea54f67282 [GRUB:EV_IPL, Stage1(MBR)] 185 4 0x0000000d d4fa72b193753834e25ca5dc420f9c23d14c6087 [GRUB:EV_IPL, Stage1.5] 186 4 0x0000000d 55fc0eb1ceb08bf75cdd3fb1f0235d8471b748d3 [GRUB:EV_IPL, Stage1.5(filesystem)] 187 4 0x00000006 9fc81a0038d3a3ffdbc053b2eb13b28a8db461cd [GRUB: measure MBR again] 188 4 0x00000004 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 [GRUB:EV_SEPARATOR, Grub Event Separator]
OK :-)
$ git clone git://git.sourceforge.jp/gitroot/openpts/core.git $ cd tools $ make dpkg-buildpackage $ sudo dpkg -i ../openpts-core_0.1.3-1_i386.deb $ sudo dpkg -i ../openpts-core-gcj_0.1.3-1_i386.deb
$
$ git clone git://git.sourceforge.jp/gitroot/openpts/demo.git $ cd tools $ make dpkg-buildpackage $ sudo dpkg -i ../openpts-tcdemo-client_0.1.3-git20090405_i386.deb $ sudo dpkg -i ../openpts-tcdemo-client-gcj_0.1.3-git20090405_i386.deb $ sudo dpkg -i ../openpts-tcdemo-server_0.1.3-git20090405_i386.deb
$ apt-get source grub $ cd grub-0.97 $ dpkg-buildpackage -rfakeroot -us -uc $ wget http://jaist.dl.sourceforge.net/sourceforge/trousers/grub-0.97-13-ima-1.1.0.0.tgz $ tar xvfz grub-0.97-13-ima-1.1.0.0.tgz $ patch -p1 -z ima < ./grub-0.97-13-ima-1.1.0.0/grub-0.97-13-ima-1.1.0.0.patch patching file configure.ac Hunk #2 FAILED at 665. 1 out of 2 hunks FAILED -- saving rejects to file configure.ac.rej patching file stage1/stage1.h patching file stage1/stage1.S patching file stage2/asm.S Hunk #1 succeeded at 2612 (offset 134 lines). patching file stage2/boot.c Hunk #1 succeeded at 32 with fuzz 2 (offset 2 lines). Hunk #2 succeeded at 64 (offset 2 lines). Hunk #3 succeeded at 97 (offset 2 lines). Hunk #4 succeeded at 801 (offset 11 lines). Hunk #5 succeeded at 832 (offset 11 lines). Hunk #6 succeeded at 921 (offset 11 lines). patching file stage2/builtins.c Hunk #1 succeeded at 122 (offset 14 lines). Hunk #2 succeeded at 170 (offset 14 lines). Hunk #3 succeeded at 314 (offset -20 lines). Hunk #4 succeeded at 361 (offset -20 lines). Hunk #5 succeeded at 371 (offset -20 lines). Hunk #6 succeeded at 491 (offset -19 lines). Hunk #7 succeeded at 504 (offset -19 lines). Hunk #8 succeeded at 578 (offset -19 lines). Hunk #9 succeeded at 2101 (offset 106 lines). Hunk #10 succeeded at 2146 (offset 106 lines). Hunk #11 succeeded at 2771 (offset 97 lines). Hunk #12 succeeded at 2815 (offset 97 lines). Hunk #13 succeeded at 2849 (offset 97 lines). Hunk #14 succeeded at 2870 (offset 97 lines). Hunk #15 succeeded at 2889 (offset 97 lines). Hunk #16 succeeded at 3065 (offset 97 lines). Hunk #17 succeeded at 3121 (offset 97 lines). Hunk #18 succeeded at 3165 (offset 97 lines). Hunk #19 succeeded at 3465 (offset 104 lines). Hunk #20 FAILED at 5375. Hunk #21 succeeded at 5847 (offset 351 lines). Hunk #22 succeeded at 5892 with fuzz 1 (offset 354 lines). 1 out of 22 hunks FAILED -- saving rejects to file stage2/builtins.c.rej patching file stage2/shared.h Hunk #1 succeeded at 373 (offset -2 lines). Hunk #2 succeeded at 1011 (offset 4 lines). patching file stage2/start.S patching file stage2/stage1_5.c patching file stage2/stage2.c Hunk #1 succeeded at 582 (offset 16 lines). Hunk #2 succeeded at 978 (offset -31 lines). patching file stage2/ima.h patching file stage2/ima.c patching file stage2/start_eltorito.S patching file stage2/Makefile.am Hunk #1 succeeded at 109 (offset 12 lines). Manually apply rejected patches, configure.ac.rej and stage2/builtins.c.rej $ aclocal-1.9 && automake-1.9 && autoconf CC=gcc LDFLAGS=-Wl,-Bsymbolic-functions ./configure \ --host=i486-linux-gnu \ --build=i486-linux-gnu \ --prefix=/usr \ --mandir=/usr/share/man \ --infodir=/usr/share/info \ --disable-auto-linux-mem-opt --enable-ima $ make $ sudo make install $ grep TCG /usr/lib/grub/i386-pc/* Binary file /usr/lib/grub/i386-pc/stage1 matches Binary file /usr/lib/grub/i386-pc/stage2 matches Binary file /usr/lib/grub/i386-pc/stage2_eltorito matches $ sudo grub-install /dev/sda Searching for GRUB installation directory ... found: /boot/grub Installing GRUB to /dev/sda as (hd0)... Installation finished. No error reported. This is the contents of the device map /boot/grub/device.map. Check if this is correct or not. If any of the lines is incorrect, fix it and re-run the script `grub-install'. (hd0) /dev/sda (hd1) /dev/sdb $ grep TCG /boot/grub/* Binary file /boot/grub/stage1 matches Binary file /boot/grub/stage2 matches
Reboot and check the measurement.
$ reboot $ sudo modprobe tpm_tis force=1 interrupt=0 $ sudo less /sys/kernel/security/tpm0/ascii_bios_measurements <snip> 4 1d1ff5054e9cf7bf546fa42433b8fae0f25f00a4 0d [IPL] 5 e94b3d1db138c8fae4e24caa215aed0e1ba8ef9a 0e [IPL Partition Data] 4 b82f5fa84465edfc054591b059bb65ea54f67282 0d [IPL] 4 d4fa72b193753834e25ca5dc420f9c23d14c6087 0d [IPL] 4 463c5c57665fd7c60eba7fd3d650960e97344129 0d [IPL] 4 2e7bc2484bfcf3314fb2a862fd538eabf7a172f8 06 [] 4 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 04 [Grub Event Separator] 5 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 04 [Grub Event Separator] 5 fe2c7e55d455f98be04eeb9c359bd6eb2ad86af5 0e [IPL Partition Data] 5 d63d12ced978aca120bfe6ee7683e394c2ffaef0 05 [Boot Sequance User Intervention] 5 5a138fa63f0ec58a2ebd9be12e400c22ceefffa7 1105 [] 8 ed3cc112f2f583be1c4866f21628d35844239500 1205 [] 8 0c58b59507f08ebfe876aa8fca53a8ff6744c582 1305 [] 5 2431ed60130faeaf3a045f21963f71cacd46a029 04 [OS Event Separator] 8 2431ed60130faeaf3a045f21963f71cacd46a029 04 [OS Event Separator] 8 fac33a1fc0ad42c07d00322d64c23f67567f334a 1005 []
OK, update the patch for Ubuntu.
$ cd .. $ mv grub-0.97 grub-0.97-ima $ apt-get source grub $ cd grub-0.97 $ dpkg-buildpackage -rfakeroot -us -uc $ files="configure.ac stage1/stage1.h stage1/stage1.S stage2/asm.S stage2/boot.c stage2/builtins.c stage2/shared.h stage2/start.S stage2/stage1_5.c stage2/stage2.c stage2/ima.h stage2/ima.c stage2/start_eltorito.S stage2/Makefile.am" $ for file in $files ; do diff -urN grub-0.97/$file grub-0.97-ima/$file >> grub-0.97-29ubuntu45-ima-1.1.0.0.patch; done $ rm -rf grub-0.97 $ apt-get source grub $ cp grub-0.97-29ubuntu45-ima-1.1.0.0.patch grub-0.97/debian/patches/ $ echo "# This patch supports IMA" >> grub-0.97/debian/patches/00list $ echo "grub-0.97-29ubuntu45-ima-1.1.0.0.patch" >> grub-0.97/debian/patches/00list $ mv grub-0.97/debian/rules grub-0.97/debian/rules.orig $ sed -e 's/--disable-auto-linux-mem-opt/--disable-auto-linux-mem-opt --enable-ima/g' grub-0.97/debian/rules.orig > grub-0.97/debian/rules $ chmod +x grub-0.97/debian/rules $ cd grub-0.97 $ dpkg-buildpackage -rfakeroot -us -uc $ cd .. $ sudo dpkg -i grub_0.97-29ubuntu45_i386.deb $ grep TCG /usr/lib/grub/i386-pc/* Binary file /usr/lib/grub/i386-pc/stage1 matches Binary file /usr/lib/grub/i386-pc/stage2 matches Binary file /usr/lib/grub/i386-pc/stage2_eltorito matches
OK.
Download source package and test the kernel build.
$ sudo apt-get build-dep linux-image-debug-$(uname -r) $ apt-get source linux-image-debug-$(uname -r) $ cd linux-2.6.27 $ cp /boot/config-$(uname -r) .config $ make oldconfig $ CONCURRENCY_LEVEL=2 UBUNTUBUILD=1 DEBIAN_SRCTOP=./ fakeroot make-kpkg -initrd kernel_image kernel_headers modules_image $ dpkg-buildpackage -rfakeroot -us -uc
OK?
Ubuntu package does not support GTK. to enable GTK feature (popup password), re-build the trousers with GTK option.
$ sudo apt-get build-dep trousers $ apt-get source trousers $ cd trousers-0.3.1 $ dpkg-buildpackage -rfakeroot -us -uc
OLD instruction
$ wget http://iij.dl.sourceforge.jp/openpts/32519/OpenPlatformTrustServices-0.1.2.tar.gz $ tar xzvf OpenPlatformTrustServices-0.1.2.tar.gz $ mv OpenPlatformTrustServices-0.1.2 openplatformtrustservices-0.1.2 $ munetoh@munetoh-laptop:~/sandbox$ mv OpenPlatformTrustServices-0.1.2.tar.gz openplatformtrustservices-0.1.2.tar.gz $ cd openplatformtrustservices-0.1.2 $ dh_make -e munetoh@sourceforge.jp -f ../openplatformtrustservices-0.1.2.tar.gz $ sudo make setup-jars
Add "(MAKE) all" in debian/rules.
$ dpkg-buildpackage -rfakeroot $ cd .. $ sudo dpkg -i openplatformtrustservices_0.1.2-1_i386.deb
Build process needs to fix later.
$ wget http://osdn.dl.sourceforge.jp/openpts/32520/OpenPlatformTrustServices-tcdemo-0.1.2.tar.gz $ tar xzvf OpenPlatformTrustServices-tcdemo-0.1.2.tar.gz $ mv OpenPlatformTrustServices-tcdemo-0.1.2 openplatformtrustservices-tcdemo-0.1.2 $ mv OpenPlatformTrustServices-tcdemo-0.1.2.tar.gz openplatformtrustservices-tcdemo-0.1.2.tar.gz $ cd openplatformtrustservices-tcdemo-0.1.2 $ dh_make -e munetoh@sourceforge.jp -f ../openplatformtrustservices-tcdemo-0.1.2.tar.gz $ sudo make setup-jars
Fix debian/rules to have.
$ sudo dpkg-buildpackage -rfakeroot $ cd .. $ sudo dpkg -i openplatformtrustservices-tcdemo_0.1.2-1_i386.deb
Take TPM ownership. here, SRK password is null.
$ tpm_takeownership Enter owner password: ******** Confirm password: ******** Enter SRK password: Confirm password:
Current demo package does not support Ubuntu.
$ sudo cp -r openplatformtrustservices-tcdemo-0.1.2/sampledata/knoppix /opt/OpenPlatformTrustServices/tcdemo $ sudo cp openplatformtrustservices-tcdemo-0.1.2/sampledata/server/* /opt/OpenPlatformTrustServices/tcdemo/ $ cd /opt/OpenPlatformTrustServices/tcdemo $ cp TCDEMO_UserTool.desktop /home/$USER/Desktop/ export JAVA_HOME=/usr/lib/jvm/java-6-sun-1.6.0.10 $ /opt/OpenPlatformTrustServices/bin/openpts manifest --create --platform --model platform_model.properties --prop ./tcdemo.properties log4j:WARN No appenders could be found for logger (com.ibm.trl.tcg.pts.eventlog.IML). log4j:WARN Please initialize the log4j system properly. Internal Error java.lang.Exception: no Trans? at com.ibm.trl.tcg.pts.engine.FiniteStateMachine.generateRuntimeModelByEventlog(Unknown Source) at com.ibm.trl.tcg.pts.integrity.ReferenceManifest.generatePlatformReferenceManifest(Unknown Source) at com.ibm.trl.tcg.pts.integrity.ReferenceManifest.generatePlatformReferenceManifestByProp(Unknown Source) at com.ibm.trl.tcg.pts.integrity.ReferenceManifest.main(Unknown Source) at com.ibm.trl.tcg.pts.PlatformTrustServices.main(Unknown Source) Uhmmm, Current BIOS (Thinkpad X200) transition was not supported yet. $ /opt/OpenPlatformTrustServices/bin/openpts manifest --create --knoppix --model knoppix_model.properties --prop ./tcdemo.properties log4j:WARN No appenders could be found for logger (com.ibm.trl.tcg.pts.integrity.ReferenceManifest). log4j:WARN Please initialize the log4j system properly. Internal Error java.lang.Exception: Grub Install path is not found. .//usr/share/grub/i386-pc at com.ibm.trl.tcg.pts.eventlog.RuntimeDigest.<init>(Unknown Source) at com.ibm.trl.tcg.pts.integrity.ReferenceManifest.generateKnoppixReferenceManifest(Unknown Source) at com.ibm.trl.tcg.pts.integrity.ReferenceManifest.generateKnoppixReferenceManifestByProp(Unknown Source) at com.ibm.trl.tcg.pts.integrity.ReferenceManifest.main(Unknown Source) at com.ibm.trl.tcg.pts.PlatformTrustServices.main(Unknown Source) $ sudo /opt/OpenPlatformTrustServices/bin/openpts manifest --create --runtime --model runtime_model.properties --prop ./tcdemo.properties log4j:WARN No appenders could be found for logger (com.ibm.trl.tcg.pts.integrity.ReferenceManifest). log4j:WARN Please initialize the log4j system properly. $ sudo make start-client-admin-gcj $ sudo make start-client-user-gcj
EOF
]]>OpenPTS was developed by Eclipse 3.2 and NEC System Director Application Modeler (SDAM) v2.0. You can use latest version of Eclipse but SDAM can't support UML export. If you want to modify the UML Transitive Trust Model, please use Eclipse 3.2.
$ git clone git://git.sourceforge.jp/gitroot/openpts/core.git
GIT repo contans .classpath file. jar files should be places in ./lib directory. To create a symbolic-link for them.
$ make eclipse-setup-fedora
OR
$ make eclipse-setup-ubuntu
then all build errors will gone.
Right click demo/src/tcdemo/swing/ClientAdmin.java, then select Run As./Run
Set Program Arguments: "--propdir config/fedora10" for Fedora and "--propdir config/ubuntu810" for Ubuntu at Argument tab.
Then, press the run button.
OpenPTS uses log4j. the configuration files are:
core/src/commons-logging.properties
core/src/log4j.properties
demo/src/commons-logging.properties
demo/src/log4j.properties
For DEBUG, set the log4j.rootCategory to your appropriate value (FATAL, ERROR, WARN, INFO, DEBUG)
]]>If you can not detect a TPM on your machine.
http://www-06.ibm.com/jp/domino05/pc/download/download.nsf/jtechinfo/MIGR-66306 ThinkCentre M55 Small (タイプ 8800, 8808) ThinkCentre M55 Tower (タイプ 8802, 8811) ThinkCentre M55 Ultra Small (タイプ 8799, 8009, 8803, 8807) ThinkStation S10(タイプ 6483, 6423) uses Broadcom TPm chip.
http://www-06.ibm.com/jp/domino05/pc/download/download.nsf/jtechinfo/MIGR-66304 ThinkCentre M55p Small (タイプ 8800, 8808) ThinkCentre M55p Tower (タイプ 8811) uses Atmel TPM chip.
http://www-06.ibm.com/jp/domino05/pc/download/download.nsf/jtechinfo/MIGR-58054 ThinkPad R60, R60e, R61 ThinkPad T42, T42p ThinkPad T60, T60p, T61, T61p ThinkPad X300 ThinkPad X41, X41 Tablet ThinkPad X60, X60s, X60 Tablet ThinkPad X61, X61s, X61 Tablet ThinkPad Z60m, Z60t ThinkPad Z61e, Z61m, Z61p, Z61t uses Atmel TPM 1.2 chip.
http://www-06.ibm.com/jp/domino05/pc/download/download.nsf/jtechinfo/MIGR-70813 ThinkCentre M58 Small (タイプ 7174, 6258) ThinkCentre M58 Tower (タイプ 7244, 6239) ThinkCentre M58 Ultra Small (タイプ 7187) ThinkCentre M58p Small (タイプ 7346, 7220, 6137, 6234) ThinkCentre M58p Tower (タイプ 7347, 7188, 6138, 6209) ThinkCentre M58p Ultra Small (タイプ 7345, 6136) uses Winbond TPM 1.2 chip.
http://www-06.ibm.com/jp/domino05/pc/download/download.nsf/jtechinfo/MIGR-70123 ThinkPad R400 ThinkPad R500 ThinkPad T400 ThinkPad T500 ThinkPad W500 ThinkPad W700 ThinkPad X200, X200, X200 Tablet ThinkPad X301 uses Intel Integrated TPM.
Check /boot/config-XXXX file, which may have the following lines
CONFIG_PNPACPI=y CONFIG_PNP=y CONFIG_TCG_TPM=m CONFIG_TCG_TIS=m CONFIG_TCG_NSC=m CONFIG_TCG_ATMEL=m CONFIG_TCG_INFINEON=m
e.g. Thinkpad X60
# /sbin/modprobe tpm_tis # dmesg | tail <snip> tpm_tis 00:0b: 1.2 TPM (device-id 0x3202, rev-id 5) # cat /sys/class/misc/tpm0/device/id ATM1200 PNP0c31
/sbin/modprobe tpm_tis force=1 interrupts=0
e.g. Intel iTPM on GM45
# cat /sys/class/misc/tpm0/device/caps Manufacturer: 0x494e5443
# mount -t securityfs none /sys/kernel/security # cat /sys/kernel/security/tpm0/ascii_bios_measurements 0 13cb4e01fde5d83f521ce265a6a0d5eeb0114daf 08 [S-CRTM Version] 0 b5b241ead6d2ff8e5f8c049f1e8bc157bb71b190 01 [POST CODE] 0 ec5446d7e84aa3bc22a5dd7fb0a290831dce5818 01 [POST CODE] <snip>
Add following line to /etc/fstab
securityfs /sys/kernel/security securityfs rw 0 0
Install iasl. e.g. yum install iasl
cat /proc/acpi/dsdt > dsdt.dat iasl -d dsdt.dat
File, dsdt.dsl is generated.
Thinkpad X60, Atmel TPM v1.2
Device (TPM)
{
Name (_HID, EisaId ("ATM1200"))
Name (_CID, 0x310CD041)
Method (_STA, 0, NotSerialized)
{
If (And (\TPMP, 0x01))
{
Store (0x0F, Local0)
}
Else
{
Store (0x00, Local0)
}
Return (Local0)
}
Name (_CRS, ResourceTemplate ()
{
Memory32Fixed (ReadWrite,
0xFED40000, // Address Base
0x00001000, // Address Length
)
})
This is typical definition. "ATM1200" is the device ID.
Thinkpad X200, Intel iTPM
<snip>
Device (TPM)
{
Method (_HID, 0, NotSerialized)
{
TPHY (0x00)
If (LEqual (TPMV, 0x01))
{
Return (0x0201D824)
}
If (LEqual (TPMV, 0x02))
{
Return (0x0435CF4D)
}
If (LEqual (TPMV, 0x03))
{
Return (0x02016D08)
}
If (LEqual (TPMV, 0x04))
{
Return (0x01016D08)
}
If (LOr (LEqual (TPMV, 0x05), LEqual (TPMV, 0x06)))
{
Return (0x0010A35C)
}
If (LEqual (TPMV, 0x08))
{
Return (0x00128D06)
}
If (LEqual (TPMV, 0x09))
{
Return ("INTC0102")
}
Return (0x310CD041)
}
Name (_CID, 0x310CD041)
Name (_UID, 0x01)
<snip>
This is new definiton. It seems current Linux PnP driver can't support this. use force=1 option with tpm_tis driver.
cat /proc/ioport
$ sudo apt-get install fakeroot build-essential makedumpfile $ sudo apt-get build-dep linux $ sudo apt-get build-dep linux-image-$(uname -r) $ apt-get source linux-image-$(uname -r)
Modify driver code, then just rebuild the tpm driver.
$ cd linux-2.6.27/drivers/char/tpm $ make -C /usr/src/linux M=`pwd` V=1 $ sudo cp -b tpm_tis.ko /lib/modules/$(uname -r)/kernel/drivers/char/tpm/tpm_tis.ko
$ sudo modprobe tpm_tis $ sudo modprobe tpm_tis force=1 interrupts=0 $ lsmod | grep tpm tpm_tis 17676 0 tpm 22848 1 tpm_tis tpm_bios 14080 1 tpm $ cat /sys/class/misc/tpm0/device/pcrs $ sudo less /sys/kernel/security/tpm0/ascii_bios_measurements $ sudo modprobe -r tpm_tis
$ sudo apt-get install tpm-tools $ /usr/sbin/tpm_getpubek Public Endorsement Key: Version: 01010000 Usage: 0x0002 (Unknown) Flags: 0x00000000 (!VOLATILE, !MIGRATABLE, !REDIRECTION) AuthUsage: 0x00 (Never) Algorithm: 0x00000020 (Unknown) Encryption Scheme: 0x00000012 (Unknown) Signature Scheme: 0x00000010 (Unknown) Public Key: c31d0e0b b963be82 3520493e f2dc1eb0 8b2e8b98 cd22cc37 9c4ea3b4 b97705e4 <snip>
tpmdd project http://sourceforge.net/projects/tpmdd
Please use PDF view to avoid sidebar overrap on the table:-)
Sorted by BIOS release date
| Vendor | Type | P/N | BIOS Version | BIOS Date | TPM | HDD Boot | USB Boot | CD Boot | Comments |
| Panasonic | W4 | CF-W4HW8AXR? | V1.00L11 | ? | Infineon v1.1b? | ? | ? | NG | no TCGBIOS |
| IBM | Thinkpad X31 | 2672CBJ | 1QET78WW (2.15 ) | 11/18/2004 | Atmel v1.1b | OK(3) | NG(1) | ||
| IBM | Thinkpad T42 | 2373J8J | 1RETDNWW (3.19 ) | 10/13/2005 | Atmel v1.1b | OK(3) | NG(1) | ||
| DELL | OptiPlex GX620 | OptiPlex GX620 | A07 | 03/31/2006 | ST Micro v1.2? | ? | NG(7) | NG(6) | |
| IBM | Thinkpad T43 | 266872J | 1YET65WW (1.29 ) | 08/21/2006 | NG(2,3) | NG(1,2) | |||
| Lenovo | Thinkpad T60 | 20076EJ | 79ETC9WW (2.09 ) | 12/22/2006 | Atmel v1.2 | OK(3) | NG(1) | Pls. update BIOS | |
| Lenovo | Thinkpad T60p | 8741JMJ | 7IET23WW (1.04 ) | 12/27/2006 | Atmel v1.2 | OK(3) | NG(1) | Pls. update BIOS | |
| Lenovo | Thinkpad X60 | 1706Q6J | 7BETC7WW (2.18 ) | 03/07/2007 | Atmel v1.2 | OK | OK? | (9 to use XGA), Video: Intel GMA 950 | |
| Lenovo | ThinkCenter M55 | 879998J | 2JKT32AUS | 03/13/2007 | Atmel | NG(1) | (9,12), Video: Intel GMA 3000 | ||
| Panasonic | Y7 | CF-Y7AWDAJS | V1.00L11 | 04/11/2007 | Infineon v1.2 | OK | OK | ||
| IBM | Thinkpad T42 | 2373J8J | 1RETDRWW (3.23 ) | 06/18/2007 | Atmel v1.1b | OK(3) | NG? | NG(1) | |
| Fujitsu | Lifebook S2210 | CP327301 | V1.09 | 06/21/2007 | Infineon v1.2 | OK? | OK? | NG(5) | (8), AMD SKINIT |
| DELL | OptiPlex 755 | OptiPlex 755 | A01 | 08/10/2007 | ? | NG(5) | (9) | ||
| GREATWALL | BYOSOFT BIOS VERSION P5GATB23.225 | Tiano.PreRelease0_7.EFI1.10 IA32 | 07/11/2007 | v1.2 | NG | NG | NG | (7) | |
| HP | dc7800p | GC760AV | 786F1 v01.04 | 08/27/2007 | NG(4) | NG(4) | (9,10,11) | ||
| Lenovo | Thinkpad T60 | 20076EJ | 79ETD9WW (2.19 ) | 09/19/2007 | Atmel v1.2 | OK(3) | OK | OK | |
| Lenovo | Thinkpad T60p | 8741JMJ | 7IET31WW (1.12 ) | 09/19/2007 | Atmel v1.2 | OK(3) | OK | OK | |
| Panasonic | W7 | CF-W7BWHAJS | V1.00L10 | 09/28/2007 | Infineon v1.2 | OK | |||
| Lenovo | Thinkpad X61 | 76735BJ | 7NET29WW (1.10 ) | 10/22/2007 | Atmel v1.2 | OK? | OK? | OK | (9 to use XGA), Video: Intel GMA 3100 |
| Lenovo | Thinkpad T61 | 645948J | 7LETA7WW (2.07 ) | 12/06/2007 | Atmel v1.2 | OK | Video: nVidia Quadro NVS 140M | ||
| DELL | OptiPlex 745 | OptiPlex 745 | 2.6.1 | 12/06/2007 | Atmel v1.2 | OK? | NG(5) | ||
| Intel | DQ35JO | v.0745 | 01/02/2008 | v1.2 | NG(4, Use USB-CD/DVD drive to boot, but slow) | (9,10) | |||
| DELL | Latitude D830 | Latitude D830 | A08 | 01/14/2008 | Broadcom v1.2 | OK? | NG(5) | ||
| Lenovo | ThinkCenter M57 | 6062A16 | 2RKT37AUS | 01/25/2008 | Winbond(WEC) | NG(1) | (9,12), Video: Intel GMA 3100 | ||
| Intel | DQ35JO | v.0865 | 04/04/2008 | Winbond(WEC) v1.2 | NG(4,5) | NG(4,5) | tested by UbuntuHardy | ||
| Lenovo | ThinkPad X200 | 6062A16 | 6DET28WW (1.05 ) | 07/30/2008 | Intel(INTC0102) | OK | ? | OK | (13), Video: Intel GMA 4500 |
| Lenovo | ThinkPad W500/T500/T400? | Intel(INTC0102) | ? | ? | ? | (13) | |||
| Xen | HVM DomU | 3.2.0 | 3.2.0 | N/A | ETHZ v1.2 (TPM Emulator) | OK | VMKNOPPIX | ||
640x480, 7.5MB
Knoppix511trust_Demo-sub-small.swf
Usage: tpm_createkey [options]
-h, --help
Display command usage info.
-u, --uuid UUID
Set UUID of key. Default is randum number
-N, --noauth
Create key without auth secret
-a, --auth PASSWORD
Create key with auth secret, PASSWORD
-P, --popup\n");
Use TSS diaglog to set the authsecret, PASSWORD
-f, --force
Update the key
-S, --system
Use SYSTEM_PS
-U, --user
Use USER_PS
-B, --blob FILENAME
Use blob file
Usage: tpm_pcrread [options]
-h, --help
Display command usage info.
-p, --pcrindex NUMBER
PCR to read to. Default is none.
This option can be specified multiple times to choose more than one PCR.
-a, --all
Display all PCRs
-k, --kernel
Display PCR same as kernel format (/sys/class/misc/tpm0/device/pcrs)
-o, --output FILE
Filename to write quote result to. Default is STDOUT.
Usage: tpm_quote [options]
-h, --help
Display command usage info.
-u, --uuid UUID\n");
Set UUID of key
-n, --nonce NONCE
Set NONCE
-p, --pcr NUMBER
PCR to quote to. Default is none.
This option can be specified multiple times to choose more than one PCR.
-o, --output FILE
Filename to write quote result to. Default is STDOUT.
-N, --noauth
Use the key without auth secret
-a, --auth PASSWORD
Use key with auth secret, PASSWORD
-P, --popup
Use TSS diaglog to set the authsecret, PASSWORD
-S, --system
Use SYSTEM_PS
-U, --user
Use USER_PS
-B, --blob FILENAME
Use blob file
Usage: tpm_extend [options]
-h, --help
Display command usage info.
-f, --file FILE
Filename containing data to extend.
-t, --type EVENTTYPE
Set Event Type. default value is zero
Usage: tpm_unsealdata [options]
-h, --help
Display command usage info.
-i, --input FILE
Filename containing data to unseal.
-o, --output FILE
Filename to write unsealed data to. Default is STDOUT.
"tcdemo.properties" must be comfigured before use folowing commands.
Usage: pts-ca [OPTIONS]
OPTIONS
--propdir DIRNAME
Slect properties location
--auth PASSWORD");
Set user password
--popup
Set user password by popup dialog
--verbose");
Verbose mode
Usage: pts-cu [OPTIONS]
OPTIONS
-propdir DIRNAME
Slect properties location
--auth PASSWORD");
Set user password
--popup
Set user password by popup dialog
--verbose
Verbose mode
Usage: pts-ca-swing [OPTIONS]
OPTIONS
-propdir DIRNAME
Select properties location
Usage: pts-cu-swing [OPTIONS]
OPTIONS
-propdir DIRNAME
Select properties location
Following commands are bash scripts to launch the Java application.
Usage:
ptsclinetadmin
launch Java/Swing GUI
ptsclinetadmin --commandline
launch commandline
ptsclinetadmin --commandline --password SIGKEY_PASSWORD
commandline w/ password
Usage:
ptsclientuser
launch Java/Swing GUI
ptsclientuser --commandline
launch commandline
ptsclientuser --commandline --password SIGKEY_PASSWORD
commandline w/ password
]]>
/opt/OpenPlatformServices/bin/
Native Client Admin command. commandline version. Before use this command, please configure the DIRNAME/tcdemo.properties file.
Usage: pts-ca [OPTIONS]
OPTIONS
--propdir DIRNAME
Select properties file location
the default location is /home/USERNAME/.pts/
--auth PASSWORD
Set Sign Key Password
--popup
Set user password by popup dialog (via TSS)
--verbose
Verbose mode
Native Client User command. commandline version
Usage: pts-ca [OPTIONS]
OPTIONS
--propdir DIRNAME
Select properties file location
the default location is /opt/OpenPlatformServices/tcdemo
--auth PASSWORD
Set Sign Key Password
--popup
Set user password by popup dialog (via TSS)
--verbose
Verbose mode
]]>
OpenPlatformTrustServices v0.1.2 Server Setup Guide (DRAFT)
This is a demonstration using KNOPPIX - CD bootable Operating System - for experiencing the Remote Attestation which is the fundamental capability provided by Trusted Computing technology.
This KNOPPIX supports Trusted Boot and client software for Remote Attestation, and can be validated by demo Validation Service on Internet. When the validation results in success without any known vulnerability, the client will be able to use a service like a demonstration service of vulnerability search.
This guide is for setting up the server which used in this experiment. Any information you can share with us, including your test result and trouble, will be very helpful and appreciated. The following mailing-lists are available for such reporting.
This guidance shows about how to setup the server on the “Red Hat Enterprise Linux 4”.
Supported Clients
Section 3 presents the construction of a database server. Section 4 describes about the application server. Section 5 describes about the interface to access the database.
Install a Red Hat Enterprise Linux 4.
After installation, you have to disable prelink function by modifying /etc/sysconfig/prelink file.
PRELINKING=noIn order to confirm a setup immediately, execute the following command.
$ prelink -ua
Download a RPM package of Java Runtime Environment Version 6, and install it.
Install PostgreSQL Server RPM package.
$ rpm -q postgresql-serverStart postgresql server, and set the password for postgres user.
# /sbin/service postgresql start # passwd postgres
Edit /var/lib/pgsql/data/postgresql.conf
tcpip_socket = trueAlso edit /var/lib/pgsql/data/pg_hba.conf
host all all 127.0.0.1 255.255.255.255 password local all all password
Start the postgresql server.
# /sbin/service postgresql start
Set the environment variable for the administrator of the database.
> su postgres Password: xxxxxxxx > export PGDATA=/var/lib/pgsql/data
To create an administrator account, login to the database by administrator privilege and enter a new password for an administrator.
> createuser -a -d -P ptsadmin Enter password for new user: xxxxxxxx Enter it again: xxxxxxxx CREATE USER
To create a user account, login to the database by administrator privilege and enter a new password for a new user.
> createuser -A -D -P ptsuser Enter password for new user: xxxxxxxx Enter it again: xxxxxxxx CREATE USER
Create two databases. One is an integrity information database for knoppix named "iidb_knoppix", and the other is a vulnerability database named "vul".
> createdb -E utf8 iidb_knoppix CREATE DATABASE > createdb -E utf8 vul CREATE DATABASE
Install following two Open Platform Trust Services.
Run the script, /opt/OpenPlatformTrustServices/database/dbsetup.sh of openpts-tools.
Confirm the configuration of the database and modify them if needed. To create the database, select S) Setup New Databases.
$ sh /opt/OpenPlatformTrustServices/database/dbsetup.sh S) Setup New Databases C) Show Current Configuration L) Show State B) Backup Databases D) Delete Databases Q) Exit
When you use the same variables as examples 3.2 and 3.3, the setting becomes to the following values.
At first, run the KNOPPIX on the client platform to correct package information.
To get package information from current host, execute the script /opt/OpenPlatformTrustServices/bin/deb-all.sh of openpts-tools. The argument is a directory name. In the following example, “knoppix” is the directory name to store the corrected information. This shell script runs “deb-meta.pl”, “deb-file.pl sha1” and “deb-file.pl md5”.
$ sh /opt/OpenPlatformTrustServices/bin/deb-all.sh knoppix
At the host using rpm packages, just run tools/package/rpm/rpm-all.sh in a similar manner as the debian host.
After running this command, we can get the data files in the directory. The files are
In order to import in the database, transport these data to the server. To use the openpts command at /opt/OpenPlatformTrustServices/bin/openpts, setup the database configuration.
Copy /opt/OpenPlatformTrustServices/database/ibatis/sqlMapsConfig.properties.sample to sqlMapsConfig.properties and edit it according to your environment. When you use the same variables as examples 3.2 and 3.3, the following values are used in setting.
To insert the data into Integrity Information Database, run the following command. The last argument is the data directory which storing the package information. The “—dbindex” is the database index listed as url_iidb in sqlMapsConfig.properties. If you want to use the database of “url_iidb0”, add “–dbindex 0”.
$ /opt/OpenPlatformTrustServices/bin/openpts debimport --dbindex 0 --inputdir ~/knoppix/data/
Get the vulnerability information via Internet. We need CVE data and DSA (Debian Security Advisory) data to check the security of KNOPPIX.
CVE is released from 2002 to 2008 (from nvdcve-2002.xml to nvdcve-2008.xml). To setup cve_definitions table, execute the following command for each year. In this example, the xml files are saved at “—outputdir /tmp”.
$ /opt/OpenPlatformTrustServices/bin/openpts cve --xmlfile http://nvd.nist.gov/download/nvdcve-2008.xml --outputdir /tmp
To store the DSA data to debian_security_advisories table, execute the following command for each year from 2000 to 2008.
$ /opt/OpenPlatformTrustServices/bin/openpts dsainfo --url http://www.debian.org/security/2008/ --outdir /tmp
Then, get the detail information for each DSA entry, and make it reflected to the database of package information.
$ /opt/OpenPlatformTrustServices/bin/openpts dsadetail --outdir /tmp $ /opt/OpenPlatformTrustServices/bin/openpts dsasync --dbindex 0
If you use the RPM package of Red Hat, get OVAL information instead of DSA. In this case, the argument “–distribution” is for the version number of Red Hat.
$ /opt/OpenPlatformTrustServices/bin/openpts oval --dbindex 0 --xmlfile https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml --distribution rhel5
In PostgreSQL, you can recover an unnecessary domain by performing VACUUM.
REINDEX command re-create the INDEX which was created beforehand.
You can write out the database to a file as SQL.
$ pg_dump database_name > file_name.sql
To restore the backup files to database,
$ psql -e database_name < file_name.sql $ pg_restore –d database_name file_name.sql
Example, demo user is
account : guest
password : password
htpasswd -c /var/www/.htaccess guest mkdir /var/www/html/demo
Edit /var/www/html/demo/.htaccess
AuthType Basic AuthName "Password Required" AuthUserFile /var/www/.htpasswd AuthGroupFile /dev/null Require valid-user
Edit /var/www/html/demo/index.html put any contents
Download a Tomcat 5.5, and install it.
# cd /opt # tar xvfz /home/munetoh/Desktop/apache-tomcat-5.5.26.tar.gz # /opt/apache-tomcat-5.5.26/bin/catalina.sh run
Check the URL, http://localhost:8080/
Install the following two Open Platform Trust Services.
$ cd OpenPlatformTrustServices-0.1.1 $ sudo make setup-jars $ make all $ sudo make install
$ cd OpenPlatformTrustServices-0.1.1 $ sudo make setup-jars $ make all $ make servlet $ sudo make install-servlet $ cp /opt/OpenPlatformTrustServices/database/ibatis/sqlMapsConfig.properties /opt/apache-tomcat-5.5.26//webapps/pva/WEB-INF/classes/sqlMapsConfig.properties
Note) ID & PW to access the demo site is hard coded (Sorry). fix the string at 104 line in src/tcdemo/Server.java
Restart the Tomcat and check the existance of validation app on http://localhost:8080/pva/
# /opt/apache-tomcat-5.5.26/bin/catalina.sh run
/opt/apache-tomcat-5.5.26//webapps/pva/WEB-INF/classes/log4j.properties
These tools are the viewer for the PostgreSQL database.
Download RPM package for RHEL4 http://rpm.pbone.net/index.php3/stat/4/idpl/6893237/com/phpPgAdmin-4.2-1.el4.noarch.rpm.html
# rpm -ivh /home/munetoh/Desktop/phpPgAdmin-4.2-1.el4.noarch.rpm
Copyright IBM Japan, Ltd. 2008 *) This work is sponsored by the Ministry of Economy. Trade and Industry, Japan (METI) under contract for the New-Generation Information Security R&D Program. *) Linux is a trademark of Linus Torvalds. All trademarks, logos, service marks, and other materials used in this site are the property of IBM corp. or other entities.
]]>| Distro | Kernel Version | TPM Driver/TSS | GCJ Version | Comment | URL | |
| SLED10 SP1 | 2.6.16.43 | 4.1.2 | packages | |||
| SLED10 SP2 | 2.6.16.60 | module/NA | 4.1.2 | packages | ||
| openSUSE 10.1 | 03-May-2006 | 2.6.16.13 | 4.1.2, 4.1.3 | packages | ||
| openSUSE 10.2 | 27-Nov-2006 | 2.6.18 | 4.1.2, 4.1.3 | packages | ||
| openSUSE 10.3 | 21-Sep-2007 | 2.6.22 | 4.1.3, 4.2.1 | packages | ||
| openSUSE 11 | 06-Jun-2008 | 2.6.25.5 | 4.3.1 | packages | ||
| Fedora8 | 27-Oct-2007 | 2.6.23.1 | 4.1.2 | packages | ||
| Fedora9 | 16-Apr-2008 | 2.6.25 | module/trousers-0.3.1,tpm-tools-1.3.1 | 4.3.0 | packages | |
| CentOS 5.1 | 2.6.18-53 | 4.1.2-14 | packages | |||
| CentOS 5.2 | 2.6.18-92 | module/trousers-0.3.1,tpm-tools-1.3.1 | 4.1.2-42 | packages | ||
| Ubuntu Gusty(7.10) | 2.6.22 | module/trousers-0.2.9.1,tpm-tools-1.2.5.1 | 4.1.2, 4.2.1 | packages | ||
| Ubuntu Hardy (8.04) | 24-Apr-2008 | 2.6.24 | module/trousers-0.3.1,tpm-tools-1.3.1 | 4.1.2, 4.2.3 | packages |
Following instruction is tested by using Fedora9.
Download and Install Java Development Kit V6 from http://java.sun.com/javase/downloads/index.jsp (OPTION)
# sh jdk-6u6-linux-i586-rpm.bin # export JAVA_HOME=/usr/java/jdk1.6.0_06 # export PATH=/usr/java/jdk1.6.0_06/bin:$PATH
Install TrouSers and tpm-tools from http://sourceforge.net/projects/trousers/
# yum install trousers trousers-devel tpm-tools tpm-tools-devel
Download jTreemap and Install from http://jaist.dl.sourceforge.net/sourceforge/jtreemap/jtreemap-1.1.0.zip
# cd /tmp # wget http://jaist.dl.sourceforge.net/sourceforge/jtreemap/jtreemap-1.1.0.zip # cd /opt # unzip /tmp/jtreemap-1.1.0.zip
$ wget http://jaist.dl.sourceforge.jp/openpts/29083/OpenPlatformTrustServices-tools-0.1.1.tgz $ tar xzvf OpenPlatformTrustServices-tools-0.1.1.tgz $ cd OpenPlatformTrustServices-tools-0.1.1 $ su # make rpmbuild-ba # rpm -ivh /usr/src/redhat/RPMS/i386/OpenPlatformTrustServices-tools-0.1.1-1.i386.rpm
$ wget http://jaist.dl.sourceforge.jp/openpts/29083/OpenPlatformTrustServices-0.1.1.tgz $ tar xzvf OpenPlatformTrustServices-0.1.1.tgz $ cd OpenPlatformTrustServices-0.1.1 $ su # make rpmbuild-ba # rpm -ivh /usr/src/redhat/RPMS/noarch/OpenPlatformTrustServices-0.1.1-1.noarch.rpm
$ wget http://osdn.dl.sourceforge.jp/openpts/29082/OpenPlatformTrustServices-tcdemo-0.1.1.tgz $ tar xzvf OpenPlatformTrustServices-tcdemo-0.1.1.tgz $ cd OpenPlatformTrustServices-tcdemo-0.1.1 $ su # make rpmbuild-ba # rpm -ivh --nodeps /usr/src/redhat/RPMS/i386/OpenPlatformTrustServices-tcdemo-0.1.1-1.i386.rpm
Boot the KNOPPIX DVD.
Following instruction is tested by using KNOPPIX 5.3.1 EN DVD available from http://www.knoppix.net/
If you use a persistent KNOPPIX disk image, the size must be larger than 384MB. 512MB is recommended. And in this case, it is better to use /tmp as work space.
Download Java Development Kit V6 from http://java.sun.com/javase/downloads/index.jsp (Choose Linux self-extracting file) and install as follows
cd /opt/ chmod +x /home/knoppix/Desktop/jdk-6u6-linux-i586.bin /home/knoppix/Desktop/jdk-6u6-linux-i586.bin export JAVA_HOME=/opt/jdk1.6.0_06 export PATH=/opt/jdk1.6.0_06/bin:$PATH
Download jTreemap and Install from http://jaist.dl.sourceforge.net/sourceforge/jtreemap/jtreemap-1.1.0.zip and extract as follows
cd /tmp wget http://jaist.dl.sourceforge.net/sourceforge/jtreemap/jtreemap-1.1.0.zip cd /opt unzip /tmp/jtreemap-1.1.0.zip
Install TrouSers and tpm-tools from http://sourceforge.net/projects/trousers/
wget http://jaist.dl.sourceforge.net/sourceforge/trousers/trousers-0.3.1.tar.gz
tar xvfz trousers-0.3.1.tar.gz
cd trousers-0.3.1
sh bootstrap.sh
./configure
cd ..
su
tar zcvf /usr/src/rpm/SOURCES/trousers-0.3.1.tar.gz trousers-0.3.1
vi trousers-0.3.1/dist/trousers.spec (quick fix)
#%config %attr(600, tss, tss) %{_sysconfdir}/tcsd.conf
%config %attr(600, tss, tss) %{_sysconfdir}/../../etc/tcsd.conf
rpmbuild -bb trousers-0.3.1/dist/trousers.spec
cd /usr/src/rpm/RPMS/i386/
alien --to-deb trousers-0.3.1-1.i386.rpm
alien --to-deb trousers-devel-0.3.1-1.i386.rpm
dpkg -i trousers_0.3.1-2_i386.deb
dpkg -i trousers-devel_0.3.1-2_i386.deb
wget http://jaist.dl.sourceforge.net/sourceforge/trousers/tpm-tools-1.3.1.tar.gz tar xvfz tpm-tools-1.3.1.tar.gz cd tpm-tools-1.3.1 sh ./bootstrap.sh ./configure cd .. su tar zcvf /usr/src/rpm/SOURCES/tpm-tools-1.3.1.tar.gz tpm-tools-1.3.1 vi tpm-tools-1.3.1/dist/tpm-tools.spec (quick fix) #BuildRequires: autoconf automake libtool trousers-devel opencryptoki-devel openssl-devel rpmbuild -bb tpm-tools-1.3.1/dist/tpm-tools.spec TBD BUILD WAS FAIL DO TO THE DEPENDANCY
wget http://jaist.dl.sourceforge.jp/openpts/29083/OpenPlatformTrustServices-tools-0.1.1.tgz tar xzvf OpenPlatformTrustServices-tools-0.1.1.tgz su cp OpenPlatformTrustServices-tools-0.1.1.tgz /usr/src/rpm/SOURCES/OpenPlatformTrustServices-tools-0.1.1.tar.gz rpmbuild -bb OpenPlatformTrustServices-tools-0.1.1/dist/OpenPlatformTrustServices-tools.spec
OLD OLD OLD
Download OpenPlatformTrustServices OpenPlatformTrustServices-tools OpenPlatformTrustServices-tcdemo packages from http://sourceforge.jp/projects/openpts
$ tar xzvf OpenPlatformTrustServices-0.1.1.tgz $ tar xzvf OpenPlatformTrustServices-tools-0.1.1.tgz $ tar xzvf OpenPlatformTrustServices-tcdemo-0.1.1.tgz $ cp OpenPlatformTrustServices-0.1.1/dist/OpenPlatformTrustServices.spec /usr/src/rpm/SPECS/ $ cp OpenPlatformTrustServices-tools-0.1.1/dist/OpenPlatformTrustServices* /usr/src/rpm/SPECS/ $ cp OpenPlatformTrustServices-tcdemo-0.1.1/dist/OpenPlatformTrustServices-tcdemo.spec /usr/src/rpm/SPECS/ $ cp OpenPlatformTrustServices-0.1.1.tgz /usr/src/rpm/SOURCES/OpenPlatformTrustServices-0.1.1.tar.gz $ cp OpenPlatformTrustServices-tools-0.1.1.tgz /usr/src/rpm/SOURCES/OpenPlatformTrustServices-tools-0.1.1.tar.gz $ cp OpenPlatformTrustServices-tcdemo-0.1.1.tgz /usr/src/rpm/SOURCES/OpenPlatformTrustServices-tcdemo-0.1.1.tar.gz # cd /usr/src/rpm/SPECS/ # rpmbuild -bb OpenPlatformTrustServices-tools.spec # rpmbuild -bb OpenPlatformTrustServices.spec # cd /usr/src/rpm/RPMS/i386/ # alien --to-deb OpenPlatformTrustServices-tools-0.1.1-1.i386.rpm # dpkg -i openplatformtrustservices-tools_0.1.1-2_i386.deb # cd /usr/src/rpm/RPMS/noarch/ # alien --to-deb OpenPlatformTrustServices-0.1.1-1.noarch.rpm # dpkg -i openplatformtrustservices_0.1.1-2_all.deb # cd /usr/src/rpm/SPECS/ # rpmbuild -bb OpenPlatformTrustServices-tcdemo.spec # cd /usr/src/rpm/RPMS/i386/ # alien --to-deb OpenPlatformTrustServices-tcdemo-0.1.1-1.i386.rpm # dpkg -i openplatformtrustservices-tcdemo_0.1.1-2_i386.deb
export JAVA_HOME=/opt/jdk1.6.0_06 export PATH=/opt/jdk1.6.0_06/bin:$PATH cp OpenPlatformTrustServices-0.1.1/ sudo make make all
Boot the KNOPPIX DVD (CD Version is insufficient).
Following instruction is tested by using KNOPPIX Japanese 5.1.1DVD available from http://unit.aist.go.jp/itri/knoppix/
CD Version is insufficient. If you use CD version, you have to install ant package, gcj package and their dependable packages additionally.*1
If you use a persistent KNOPPIX disk image, the size must be larger than 384MB. 512MB is recommended. And in this case, it is better to use /tmp as work space.
Download and Install Java Development Kit V6 from http://java.sun.com/javase/downloads/index.jsp
# cd /opt/ # jdk-6u4-linux-i586.bin # export JAVA_HOME=/opt/jdk1.6.0_04 # export PATH=/opt/jdk1.6.0_04/bin:$PATH
Install TrouSers and tpm-tools from http://sourceforge.net/projects/trousers/
Download jTreemap and Install from http://jaist.dl.sourceforge.net/sourceforge/jtreemap/jtreemap-1.1.0.zip
# cp jtreemap-1.1.0.zip /tmp/ # cd /opt # unzip /tmp/jtreemap-1.1.0.zip
Download OpenPlatformTrustServices OpenPlatformTrustServices-tools OpenPlatformTrustServices-tcdemo packages from http://sourceforge.jp/projects/openpts.
$ tar xzvf OpenPlatformTrustServices-0.1.1.tgz $ tar xzvf OpenPlatformTrustServices-tools-0.1.1.tgz $ tar xzvf OpenPlatformTrustServices-tcdemo-0.1.1.tgz $ cp OpenPlatformTrustServices-0.1.1/dist/OpenPlatformTrustServices.spec /usr/src/rpm/SPECS/ $ cp OpenPlatformTrustServices-tools-0.1.1/dist/OpenPlatformTrustServices* /usr/src/rpm/SPECS/ $ cp OpenPlatformTrustServices-tcdemo-0.1.1/dist/OpenPlatformTrustServices-tcdemo.spec /usr/src/rpm/SPECS/ $ cp OpenPlatformTrustServices-0.1.1.tgz /usr/src/rpm/SOURCES/OpenPlatformTrustServices-0.1.1.tar.gz $ cp OpenPlatformTrustServices-tools-0.1.1.tgz /usr/src/rpm/SOURCES/OpenPlatformTrustServices-tools-0.1.1.tar.gz $ cp OpenPlatformTrustServices-tcdemo-0.1.1.tgz /usr/src/rpm/SOURCES/OpenPlatformTrustServices-tcdemo-0.1.1.tar.gz # cd /usr/src/rpm/SPECS/ # rpmbuild -bb OpenPlatformTrustServices-tools.spec # rpmbuild -bb OpenPlatformTrustServices.spec # cd /usr/src/rpm/RPMS/i386/ # alien --to-deb OpenPlatformTrustServices-tools-0.1.1-1.i386.rpm # dpkg -i openplatformtrustservices-tools_0.1.1-2_i386.deb # cd /usr/src/rpm/RPMS/noarch/ # alien --to-deb OpenPlatformTrustServices-0.1.1-1.noarch.rpm # dpkg -i openplatformtrustservices_0.1.1-2_all.deb # cd /usr/src/rpm/SPECS/ # rpmbuild -bb OpenPlatformTrustServices-tcdemo.spec # cd /usr/src/rpm/RPMS/i386/ # alien --to-deb OpenPlatformTrustServices-tcdemo-0.1.1-1.i386.rpm # dpkg -i openplatformtrustservices-tcdemo_0.1.1-2_i386.deb
*1 To use CD version KNOPPIX, install ant package from http://packages.debian.org/etch/ant
dpkg -i --ignore-depends=java-gcj-compat ant_1.6.5-6_all.deb
And also, install gcj package from http://packages.debian.org/etch/gcj (and cpp, gij, gij-4.1, gcj-4.1, gcj-4.1-base, libgcj7-dev, libgcj7-0, libgcj-common, libgcj7-awt, libgcj-bc, libgcj7-jar)
This guide is intended to build Ubuntu with Trusted Computing.
Download ISO image. and install to your HDD.
Update to be work with latest packages.
Install additional packages, dpkg-dev, devscripts, fakeroot, pbuilder
Download source package and test the build.
$ sudo apt-get build-dep grub $ apt-get source grub $ cd grub-0.97 $ debchange -i $ dpkg-buildpackage -rfakeroot -us -uc
OK? Next apply the IMA patch.
Download source package and test the build.
TBD
Reboot
http://sourceforge.net/projects/trustedgrub
$ wget http://jaist.dl.sourceforge.net/sourceforge/trustedgrub/TrustedGRUB-1.1.3.tgz $ tar xvfz TrustedGRUB-1.1.3.tgz $ cd TrustedGRUB-1.1.3 $ ./build_tgrub.sh $ cd TrustedGRUB-1.1.3 $ ./configure CFLAGS="-fno-stack-protector" STAGE2_CFLAGS="-fno-stack-protector" $ make $ sudo make install $ sudo /usr/local/sbin/grub-install /dev/sda
Download source package and test the build.
$ sudo apt-get build-dep linux-image-debug-2.6.24-12-generic $ apt-get source linux-image-debug-2.6.24-12-generic $ cd linux-2.6.24 $ debchange -i $ cp /boot/config-2.6.24-12-generic .config $ make oldconfig UBUNTUBUILD=1 DEBIAN_SRCTOP=./ fakeroot make-kpkg -initrd kernel_image kernel_headers modules_image $ dpkg-buildpackage -rfakeroot -us -uc
OK? Next, try to apply the Integrity Measurement patch.
This is original IMA patch using LSM. The patch is available from http://sourceforge.net/projects/linux-ima
$ sudo apt-get build-dep linux-image-debug-2.6.24-12-generic $ apt-get source linux-image-debug-2.6.24-12-generic $ cd linux-2.6.24 $ debchange -i $ wget http://nchc.dl.sourceforge.net/sourceforge/linux-ima/ibm_ima_8.3_2.6.24.3.patch $ patch -p1 --dry-run < ibm_ima_8.3_2.6.24.3.patch some failes, since the AppArmor patch was applied. $ patch -p1 < ibm_ima_8.3_2.6.24.3.patch Manualy fix security/Kconfig and security/Makefile. $ cp /boot/config-2.6.24-12-generic .config $ make -s menuconfig Device Driver > Character devices > TPM hardware Supports = Y Device Driver > Character devices > TPM hardware Supports > * Interface= Y Cryptographic API > SHA1 = Y Security options > Capability = N Security options > SELinux = N Security options > AppArmor = N Security options > TCG run-time Integrity Measuremenet = Y $ UBUNTUBUILD=1 DEBIAN_SRCTOP=./ fakeroot make-kpkg -initrd kernel_image kernel_headers modules_image $ cd .. $ sudo dpkg -i linux-headers-2.6.24.3_2.6.24-13.23ubuntu1_i386.deb $ sudo dpkg -i linux-image-2.6.24.3_2.6.24-13.23ubuntu1_i386.deb
Edit /boot/grub/menu.lst to enable IMA.
title Ubuntu hardy (development branch), kernel 2.6.24.3 root (hd0,0) kernel /boot/vmlinuz-2.6.24.3 root=UUID=e915d681-5805-4cdd-b5ca-6e7bacd474b5 ro quiet splash locale=ja_JP ima=1 initrd /boot/initrd.img-2.6.24.3 quiet
Reboot the system. and check the measurements
$ ls /sys/kernel/security/ ima tpm0 $ sudo cat /sys/kernel/security/ima/ascii_runtime_measurements <snip> 10 094fe12401c97bdfeef1c11938f331fb143fe056 /usr/bin/sudo $ sha1sum /usr/bin/sudo 094fe12401c97bdfeef1c11938f331fb143fe056 /usr/bin/sudo
New version based on Linux Integrity Module (LIM). This IMA works with other LSM-MAC modules, like SELinux, AppArmor, SMACK, TOMOYO.
$ sudo apt-get install trousers
$ sudo apt-get install tpm-tools $ tpm_version TPM Version: 01010000 Manufacturer Info: 57454300
http://sourceforge.net/projects/tpmmanager
$ wget http://nchc.dl.sourceforge.net/sourceforge/tpmmanager/tpmmanager-0.4.tar.gz $ cd tpmmanager-0.4 $ ./configure $ make $ sudo make install
http://projects.csail.mit.edu/tc/tpmj/
http://sourceforge.net/projects/tpmj/
$ wget http://nchc.dl.sourceforge.net/sourceforge/tpmj/tpmj-alpha0.3.0.zip $ unzip tpmj-alpha0.3.0.zip TBD
TBD
]]>Geeks ISO image is available from Japanese English
Reference
Ubuntu Burning ISO How To JapaneseEnglish
If you are not enable the TPM yet. Goto BIOS setup menu and enable TPM at the boot.
| Vendor | Key to enter BIOS menu | Location of TPM setup menu | Comments |
| IBM, Lenovo | F1 | Security -> IBM Security Chip | |
| Panasonic | F2 | Security tab -> Embedded Security (TPM)Sub-Menu -> Embedded Security Chip -> Enable | Requires Supervisor PW |
| HP | F10 | Security menu -> System Security -> Embedded Security Device Support | requires setup password |
| DELL | |||
| Fujitsu | |||
| NEC | F2 |
Ref http://www.michaelstevenstech.com/bios_manufacturer.htm
After your Desktop is displayed, Start terminal and correct platform info as follows:
$ su # cd /tmp # /opt/OpenPlatformTrustServices/bin/getiml info tar cvfz info.tgz ./info/*
Now /tmp has info.tgz file.
Insert USB memory. USB will be mounted on /media/sda1 or /media/sdb1.
# cp /tmp/nfo.tgz /media/sda1/
We would like to use this data to update PlatformInfo page. If you'll please send the tar ball to munetoh at users.sourceforge.jp
note) dmidecode reports your SMBIOS information. this is usefull to identify the BIOS metadata, e.g. P/N and BIOS version, but it also include an identity of your machine. Thus, please delete Serial Number and UUID in System Information section before send. thanks.
We appreciate your cooperation. :-)
USB boot also supports Trusted Boot.
$ su # mkbootdev
This will install syslinux. Next step, we update IPL to Grub-IMA. e.g. USB drive at /dev/sda, and mounted on /media/sda1
# grub-install --recheck --no-floppy --root-directory=/media/sda1 /dev/sda # cp /cdrom/boot/grub/grub.conf /media/sda1/boot/grub/]]>
This setup guide is intended for administrator who just setup this OS quickly.
Geeks ISO image is available from Japanese English
Ubuntu Burning ISO How To JapaneseEnglish
| Vendor | Key to enter BIOS menu | Location of TPM setup menu | Comments |
| IBM, Lenovo | F1 | Security -> IBM Security Chip | |
| Panasonic | F2 | Security tab -> Embedded Security (TPM)Sub-Menu -> Embedded Security Chip -> Enable | Requires Supervisor PW |
| HP | F10 | Security menu -> System Security -> Embedded Security Device Support | requires setup password |
| DELL | F2 | ||
| Fujitsu | |||
| NEC | F2 |
Ref Access/Enter Motherboard BIOS
1) CD 2) USB Memory 3) Local HDD
Grub boot menu
| Entry | Description |
| KNOPPIX (2.6.19.1+ima) | Normal e.g. Thinkpad T60, Panasonic W7 |
| KNOPPIX (2.6.19.1+ima, fdev 1024x768) | for PC with new grapics chip |
| KNOPPIX (2.6.19.1+ima, vesa 1024x768) | for PC with new grapics chip e.g. Thinkpad X60, Dell OptiPlex 755,HP dc7800 etc |
Click Knosole (terminal icon on menu bar)
$ cd /cdrom/KNOPPIX/updates $ sudo dpkg -i iceweasel_2.0.0.12-0etch1_i386.deb <snip>
Or update to any latest version.
Just enter for SRK password.
$ tpm_takeownership Enter owner password: ******** Confirm password: ******** Enter SRK password: Confirm password:
I'm sorry to trouble you, but please fix some typos in the tcdemo.properties file.
$ cd /opt/OpenPlatformTrustServices/tcdemo $ sudo vi tcdemo.propertiescomment out the 63rd and 64th line
service.1.url=https:/124.32.19.56/knoppix/measurement_user #service.1.url=http:/124.32.19.56:80
$ make setup-desktop $ sudo make start-client-admin-gcj
GUI Tool will start.
If new UUID was not appeared, The PC has some problem of TCG support.
Configuration of demo was done. Close the GUI.
$ sudo make start-client-user-gcj
Click "Validate Platform and Start Service" button and wait for a while. "Website Certified by an Unknown Authority" dialog will popup, the signature of demoservice as follows, if OK, please accept.
Common Name (CN) : 124.32.19.56 Certificate Signature Value: Size: 128 Bytes / 1024 Bits 9d 9b 31 fe 87 6b 82 c6 55 82 6a fa ed c5 79 9b 61 cc 62 b8 80 19 cd 4f 25 7c 9e 0c 0b 5e aa 30 67 fb 7a 2b 75 c2 a1 3a 62 f6 47 35 ea ff 41 32 55 5d 81 25 eb 15 54 02 6e 09 bb 1e 58 40 79 cc b0 21 d4 41 21 67 b9 72 cf 95 56 2d 4a 1a ca 41 f4 28 5f 36 ed 2b e8 28 a3 1a 13 9c dd 39 c7 f8 37 bd 65 97 f4 c0 9c 57 e3 74 96 b7 59 93 a9 7d d2 22 d5 34 e4 3f 09 51 39 ae f8 5d 9d 98 98 c6
"Confirm" dialog to ask log into the site with "guest" account, select OK.
Then "Platform Validation Authority - Listing package page" will open.
Set a USB memory. Dialog will popup. Please select "Open in New Window" (derault).
Click KNOPPIX (penguin icon on menu bar)
Restart the PC with Geeks CD and the USB memory. Click the "TCDEMO_UserTool" icon on the desktop to start the demo GUI again.
That's it. Enjoy:-)
]]>This table shows the test result of BIOS INT 1AH Functions. In this test, we use "tpm test" command that supported by Grub-IMA patch. Let us know the your test result and please feel free to contact us (mailto: munetoh at users.sourceforge.jp) if you have any question.
Sorted by BIOS release date
| Vendor, Type, P/N | BIOS Version | BIOS Date | BB00h | BB01h | BB02h | BB03h | BB04h | BB05h | BB06h | BB07h |
| TCG_ Status Check | TCG_ Hash Log Extend Event | TCG_ Pass Through To TPM | TCG_ Shutdown Pre Boot Interface | TCG_ Log Event | TCG_ Hash All | TCG_ TSS | TCG_ Compact Hash Log Extend Event | |||
| IBM, Thinkpad X30, 26724HJ | 1KET46WW (1.07 ) | 07/02/2004 | OK (v1.0) | OK (F2 only) | OK | - | OK (w/ extend) | OK | - | NA |
| Lenovo, Thinkpad X60, 1706Q6J | 7BETC7WW (2.18 ) | 03/07/2007 | OK (v1.2) | OK (F1,F2) | OK | - | OK (w/o extend) | OK | - | OK |
| DELL, OptiPlex 755 | A01 | 08/10/2007 | OK (v1.2) | OK (F1,F2) | OK | - | OK (w/o extend) | OK | - | OK |
| HP, dc7800p, GC760AV | 786F1 v01.04 | 08/27/2007 | OK (v1.2) | (1) | OK | - | (1) | OK | - | (1) |
| Panasonic W7,CF-W7BWHAJS | V1.00L10 | 09/28/2007 | OK (v1.2) | OK (F1,F2) | OK | - | OK(w/ Extend) | OK | - | OK |
| Intel,DQ35JO | JOQ3510J... | 01/02/2008 | OK (v1.2) | NG | ? | - | NG | OK | - | OK |
| ? | ||||||||||
| ? |
1) Could not check the BIOS since the eventlog was broken.
Let's use KNOPPIX511 Trusted Computing Geeks to check the BIOS Int 1AH capability of your PC.
Grub> tpm test
Start BIOS TCG compliance check
0) TCG_StatusCheck - INT 1Ah (AH)=BBh,(AL)=00h
TCG Version major : 1
TCG Version major : 2
BIOS Eventtable ptr : 0x3F6E1C26
1) TCG_HashLogExtendEvent - INT 1Ah (AH)=BBh,(AL)=01h (v1.1 & v1.2) (Format 2)
Good Eventlog & PCR - OK
2) TCG_PassThroughToTPM - INT 1Ah (AH)=BBh,(AL)=02h
OK
PCR[15]=9E70.....8AEB
3) TCG_ShutdownPreBootInterface - INT 1Ah (AH)=BBh,(AL)=03h
SKIP
4-1) TCG_LogEvent (w/ Extend) - INT 1Ah (AH)=BBh,(AL)=04h (IBM/Lenovo only?)
Wrong PCR Value = 0000....
should be = 0EE2....
Event Log is OK, but PCR[14] has wrong value
4-2) TCG_LogEvent (w/o Extend) - INT 1Ah (AH)=BBh,(AL)=04h (v1.2)
Good Eventlog & PCR - OK
5) TCG_HashAll - INT 1Ah (AH)=BBh,(AL)=05h
OK!
6) TCG_TSS - INT 1Ah (AH)=BBh,(AL)=06h- TBD
SKIP
7) TCG_CompactHashLogExtendEvent - INT 1Ah (AH)=BBh,(AL)=07h
OK!
Next, try with --format=1 option to check the another input format of BB01h(TCG_HashLogExtendEvent) call.
Grub> tpm test --format=1 <snip> 1) TCG_HashLogExtendEvent - INT 1Ah (AH)=BBh,(AL)=01h (v1.1 & v1.2) (Format 1) Good Eventlog & PCR - OK <snip>
IBM BIOS with TPM v1.1b support "Format 2" input defined by TCG v1.2 spec.
There are two behaviors, The call with Extend operation, and without Extend operation. In the TCG v1.2 specification, "without Extend" is right operation.
Some PC destroy the ACPI Eventlog table structure after Int 1Ah BB01h(TCG_HashLogExtendEvent) call.
TCG PC Specific Implementation Specification Version 1.1 (pdf, 403Kb)
TCG PC Client Specific Implementation Specification for Conventional Bios Version 1.2 (pdf, 809Kb)
Windows Vista BitLocker Client Platform Requirements, this requires BB00,BB02,BB03, and BB07
EOF
]]>EOF
]]>Following instruction is tested by using CentOS5.
Download and Install Java Development Kit V6 from http://java.sun.com/javase/downloads/index.jsp
# sh jdk-6u4-linux-i586-rpm.bin # export JAVA_HOME=/usr/java/jdk1.6.0_04 # export PATH=/usr/java/jdk1.6.0_04/bin:$PATH
Install TrouSers(0.2.9.x) and tpm-tools from http://sourceforge.net/projects/trousers/
Download jTreemap and Install from http://jaist.dl.sourceforge.net/sourceforge/jtreemap/jtreemap-1.1.0.zip
# cp jtreemap-1.1.0.zip /tmp/ # cd /opt # unzip /tmp/jtreemap-1.1.0.zip
Download OpenPlatformTrustServices OpenPlatformTrustServices-tools OpenPlatformTrustServices-tcdemo packages from http://sourceforge.jp/projects/openpts.
$ tar xzvf OpenPlatformTrustServices-0.1.0.tgz $ tar xzvf OpenPlatformTrustServices-tools-0.1.0.tgz $ tar xzvf OpenPlatformTrustServices-tcdemo-0.1.0.tgz $ cp OpenPlatformTrustServices-0.1.0/dist/OpenPlatformTrustServices.spec /usr/src/redhat/SPECS/ $ cp OpenPlatformTrustServices-tools-0.1.0/dist/OpenPlatformTrustServices* /usr/src/redhat/SPECS/ $ cp OpenPlatformTrustServices-tcdemo-0.1.0/dist/OpenPlatformTrustServices-tcdemo.spec /usr/src/redhat/SPECS/ $ cp OpenPlatformTrustServices-0.1.0.tgz /usr/src/redhat/SOURCES/OpenPlatformTrustServices-0.1.0.tar.gz $ cp OpenPlatformTrustServices-tools-0.1.0.tgz /usr/src/redhat/SOURCES/OpenPlatformTrustServices-tools-0.1.0.tar.gz $ cp OpenPlatformTrustServices-tcdemo-0.1.0.tgz /usr/src/redhat/SOURCES/OpenPlatformTrustServices-tcdemo-0.1.0.tar.gz # cd /usr/src/redhat/SPECS/ # rpmbuild -bb OpenPlatformTrustServices-tools.spec # rpmbuild -bb OpenPlatformTrustServices.spec # cd /usr/src/redhat/RPMS/i386/ # rpm -ivh --nodeps OpenPlatformTrustServices-tools-0.1.0-1.i386.rpm # cd /usr/src/redhat/RPMS/noarch/ # rpm -ivh OpenPlatformTrustServices-0.1.0-1.noarch.rpm # cd /usr/src/redhat/SPECS/ # rpmbuild -bb OpenPlatformTrustServices-tcdemo.spec # cd /usr/src/redhat/RPMS/i386/ # rpm -ivh --nodeps OpenPlatformTrustServices-tcdemo-0.1.0-1.i386.rpm