Under construction. Any comments or suggestions on these instructions are welcome.
The following instructions were tested on Fedora 10 x86_64.
$ su -c 'yum install yum-utils rpmdevtools'
$ rpmdev-setuptree
Now ~/rpmbuild/ is your workspace.
Download and install Java Development Kit 6 from http://java.sun.com/javase/downloads/index.jsp (OPTION).
$ su -c 'sh jdk-6u12-linux-amd64-rpm.bin'
export JAVA_HOME=/usr/java/default
export PATH=/usr/java/default/bin:$PATH
OK, let's build and install the Trusted Computing components.
TBD: the GRUB-IMA patch for F10 is still under test.
$ su -c 'yumdownloader --source grub'
$ su -c 'yum-builddep grub-0.97-38.fc10.src.rpm'
$ rpm -Uvh grub-0.97-38.fc10.src.rpm
$ cd ~/rpmbuild/SOURCES
$ wget http://osdn.dl.sourceforge.jp/openpts/40294/grub-0.97-38.fc10.ima-1.1.0.0.patch
$ cd ~/rpmbuild/SPECS
Modify grub.spec to support GRUB-IMA, e.g.
+Release: 38%{?dist}.ima
+Patch2: grub-0.97-38.fc10.ima-1.1.0.0.patch
+%patch2 -p1
+%configure --sbindir=/sbin --disable-auto-linux-mem-opt --enable-ima --datarootdir=%{_datadir}
Then, build and install.
$ rpmbuild -ba grub.spec
$ su -c 'rpm -ivh ../RPMS/x86_64/grub-0.97-38.fc10.ima.x86_64.rpm'
$ su -c 'grub-install /dev/sda'
Reboot.
/sys/kernel/security/tpm0/ascii_bios_measurements now has new events, e.g.
<snip>
4 a6814bcb5db0cf04d8dcab87eb28f5da08f8fb88 0d [IPL]
4 1b2db0cc9522e668216df23894622abae5a5bfb8 0d [IPL]
4 2088cf4ac5161ed201988c4a7eef032edfcbe11c 0d [IPL]
4 9c4f005da6861894101336242cf6a6b4f48932de 06 []
4 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 04 [Grub Event Separator]
5 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 04 [Grub Event Separator]
5 9cd8a5fd7d52a7500aec4acad1ba165e1fed8786 0e [IPL Partition Data]
5 791724465beff9845e79f6a7e38e5d8d7fe9a706 1105 []
8 177f4ea8f72db0082f832667701f9d072b1f5df2 1205 []
8 4ecccf21df1f87f7203112bcf8555475cfdca7e9 1305 []
5 2431ed60130faeaf3a045f21963f71cacd46a029 04 [OS Event Separator]
8 2431ed60130faeaf3a045f21963f71cacd46a029 04 [OS Event Separator]
8 f3973cae05d6e2055062119d6e6e1e077b7df876 1005 []
note1) Please mount securityfs to access the event log:
# mount -t securityfs securityfs /sys/kernel/security
or add the following line to your /etc/fstab:
securityfs /sys/kernel/security securityfs rw 0 0
note2) This patch does not support Trusted Boot on EFI platforms.
At this moment, we recommend using the OLD IMA, since the NEW IMA is not yet integrated with Trousers and OpenPTS.
References:
1 http://fedoraproject.org/wiki/Docs/CustomKernel
2 http://sourceforge.net/projects/linux-ima
Example:
$ yumdownloader --source kernel
$ su -c 'yum-builddep kernel-<version>.src.rpm'
$ rpm -Uvh kernel-<version>.src.rpm
$ cd ~/rpmbuild/SOURCES
$ wget http://jaist.dl.sourceforge.net/sourceforge/linux-ima/ibm_ima_8.5_2.6.27.6.patch
$ cd ~/rpmbuild/SPECS
$ rpmbuild -bp --target=`uname -m` kernel.spec
$ cd ~/rpmbuild/BUILD
$ cp configs/<desired-config-file> .config
or
$ cp /boot/config-$(uname -r) .config
$ make -s xconfig
or
$ make -s menuconfig
Set the following options:
Device Drivers > Character devices > TPM Hardware Support = Y
Device Drivers > Character devices > TPM Hardware Support > * Interface = Y
Cryptographic API > SHA1 = Y
Security options > Capability = N
Security options > Smack = N
Security options > TCG run-time Integrity Measurement = Y
Add "# x86_64" at the top of .config.
$ cp .config /home/foo/rpmbuild/SOURCES/config-x86_64-generic
$ cd ~/rpmbuild/SPECS
Add "%define buildid .ima" to kernel.spec.
$ rpmbuild -ba --with baseonly --with firmware --without debuginfo --target=`uname -m` kernel.spec
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/kernel-firmware-2.6.27.19-170.2.35.ima.fc10.x86_64.rpm'
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/kernel-2.6.27.19-170.2.35.ima.fc10.x86_64.rpm'
Add "ima=1" to the kernel line in /boot/grub/grub.conf.
/etc/tcsd.conf
system_ps_file = /var/lib/tpm/system.data
firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
firmware_pcrs = 0,1,2,3,4,5,6,7,8
kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
kernel_pcrs = 10
note) A PC with the new Intel iTPM needs a fix to the tpm_tis.c code; then add "tpm_tis.force=1 tpm_tis.interrupts=0" to the kernel line.
note) The new event log reported by IMA is not supported by Trousers yet, since the event log format was changed.
e.g.
$ wget http://ftp.riken.jp/Linux/kernel.org/linux/kernel/v2.6/testing/linux-2.6.30-rc1.tar.bz2
$ tar xvfj linux-2.6.30-rc1.tar.bz2
$ cd linux-2.6.30-rc1
$ cp /boot/config-$(uname -r) .config
$ make xconfig
$ make rpm
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/kernel-2.6.30rc1-1.x86_64.rpm'
$ su -c '/sbin/mkinitrd /boot/initrd-2.6.30-rc1.img 2.6.30-rc1'
Edit /boot/grub/grub.conf to add 2.6.30-rc1 (2.6.30 does not need the "ima=1" kernel option, but 2.6.31 will need "ima_tcb=1"), then reboot.
/sys/kernel/security/ima/ascii_runtime_measurements
10 817c49849831408d9644f0211acd1cf6b5f11d72 ima c61c6ca6a34a76d58bf49a2609bd025c8786a4be boot_aggregate
10 c87f38a0c5e5f969ef2a9858ae08e5e9c060d2d5 ima 654cd04f9f1775de24c4d6b32c8f400fe630be63 /init
10 71ccedd1d3c118d3aed7ce6b2e3550928f56ef3d ima 2117139e75aae8b96ffbd81b2b76ba2e289248d9 /init
10 960937de5c7f27bbe737e09444ea567ab55dadd1 ima 81d18b105b656ff4619750d96f72973cae2700da ld-2.9.so
<snip>
/etc/tcsd.conf
system_ps_file = /var/lib/tpm/system.data
firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
firmware_pcrs = 0,1,2,3,4,5,6,7,8
$ su -c 'yum install trousers trousers-devel tpm-tools tpm-tools-devel'
Enable the tcsd service (System -> Administration -> Services).
$ /usr/sbin/tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.4.0
Spec Level: 2
Errata Revision: 2
TPM Vendor ID: INTC
Vendor Specific data: 00040000 00030464
TPM Version: 01010000
Manufacturer Info: 494e5443
$ cvs -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers login
(hit return when asked for a password)
$ cvs -z3 -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers co -P trousers
$ cvs -z3 -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers co -P tpm-tools
$ cd trousers
$ sh bootstrap.sh
$ ./configure --prefix=/usr --libdir=/usr/lib64
$ cd ..
$ ln -s trousers trousers-0.3.2cvs
$ tar cvfz ~/rpmbuild/SOURCES/trousers-0.3.2cvs.tar.gz ./trousers-0.3.2cvs/*
$ rpmbuild -ba trousers-0.3.2cvs/dist/fedora/trousers.spec
note) Please modify dist/Makefile.am if you want to remove the groupadd feature.
$ cd tpm-tools
$ sh bootstrap.sh
$ ./configure --prefix=/usr --libdir=/usr/lib64
Edit dist/tpm-tools-nopkcs11.spec
$ cd ..
$ ln -s tpm-tools tpm-tools-1.3.2cvs
$ tar cvfz ~/rpmbuild/SOURCES/tpm-tools-1.3.2cvs.tar.gz ./tpm-tools-1.3.2cvs/*
$ rpmbuild -ba tpm-tools-1.3.2cvs/dist/tpm-tools-nopkcs11.spec
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/trousers-0.3.2cvs-1.x86_64.rpm
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/trousers-devel-0.3.2cvs-1.x86_64.rpm
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/tpm-tools-1.3.2cvs-1.x86_64.rpm
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/tpm-tools-devel-1.3.2cvs-1.x86_64.rpm
Build.
$ git clone git://git.sourceforge.jp/gitroot/openpts/tools.git
$ cd tools
$ make rpmbuild-ba
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tools-0.1.3-git20090530.fc10.x86_64.rpm'
Test.
$ /usr/bin/tpm_pcrread -a
pcr.0=fd696e0329f63bf288616865f86227aea0bff6af
pcr.1=4063c23534fc231a45a5e62cb1f0d306e6f4b46e
pcr.2=d68ec5b044f32933f6bf2488c1b36a0c3bc970e0
pcr.3=3a3f780f11a4b49969fcaa80cd6e3957c33b2275
pcr.4=0e764ceb8414213d60cd7806658c46727546c4b3
pcr.5=879a6daae2fdaeac689a979dd59a786bcbb75b67
pcr.6=585e579e48997fee8efd20830c6a841eb353c628
pcr.7=3a3f780f11a4b49969fcaa80cd6e3957c33b2275
pcr.8=7928d1771976b14d379e0d152c82d9f97c062e99
pcr.9=0000000000000000000000000000000000000000
pcr.10=6ac63a51abccd57745acb56207ef330312488370
pcr.11=0000000000000000000000000000000000000000
pcr.12=0000000000000000000000000000000000000000
pcr.13=0000000000000000000000000000000000000000
pcr.14=0000000000000000000000000000000000000000
pcr.15=0000000000000000000000000000000000000000
pcr.16=0000000000000000000000000000000000000000
pcr.17=ffffffffffffffffffffffffffffffffffffffff
pcr.18=ffffffffffffffffffffffffffffffffffffffff
pcr.19=ffffffffffffffffffffffffffffffffffffffff
pcr.20=ffffffffffffffffffffffffffffffffffffffff
pcr.21=ffffffffffffffffffffffffffffffffffffffff
pcr.22=ffffffffffffffffffffffffffffffffffffffff
pcr.23=0000000000000000000000000000000000000000
$ /usr/bin/iml
Idx PCR Type Digest EventData
-----------------------------------------------------------------------
0 0 0x00000008 4081b13dc986e581d587aa7fe6c61e02ef7312b2 [BIOS:EV_S_CRTM_VERSION]
1 0 0x00000001 8b5c22ae675ea440e2f403b4d5e88131fecc2a1c [BIOS:EV_POST_CODE(EV_CODE_NOCERT)]
<snip>
183 4 0x0000000d dc717bf8fd6cadfc50e5d0a401eac1f93bdddc3e [BIOS:EV_IPL]
184 4 0x0000000d a6814bcb5db0cf04d8dcab87eb28f5da08f8fb88 [GRUB:EV_IPL, Stage1(MBR)]
185 4 0x0000000d 1b2db0cc9522e668216df23894622abae5a5bfb8 [GRUB:EV_IPL, Stage1.5]
186 4 0x0000000d 2088cf4ac5161ed201988c4a7eef032edfcbe11c [GRUB:EV_IPL, Stage1.5(filesystem)]
187 4 0x00000006 9c4f005da6861894101336242cf6a6b4f48932de [GRUB: measure MBR again]
188 4 0x00000004 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 [GRUB:EV_SEPARATOR, Grub Event Separator]
189 5 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
190 5 0x0000000e 26a08ab97c4bffb3dd84f4f6dbd3b475d22abe3f [BIOS:EV_IPL_PERTITION_DATA]
191 5 0x00000004 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 [GRUB:EV_SEPARATOR, Grub Event Separator]
192 5 0x0000000e 9cd8a5fd7d52a7500aec4acad1ba165e1fed8786 [GRUB:grub.conf]
193 5 0x00001105 791724465beff9845e79f6a7e38e5d8d7fe9a706 [GRUB:KERNEL_OPT /vmlinuz-2.6.30-rc2 ro root=/dev/VolGroup00/LogVol00 ima=1 tpm_tis.itpmfix=1 tpm_tis.force=1 tpm_tis.interrupts=0 numa=fake=2*512]
194 5 0x00000004 2431ed60130faeaf3a045f21963f71cacd46a029 [GRUB:EV_SEPARATOR, OS Event Separator]
195 6 0x00000005 017263855c5e8b20f2896a3135b8e4652ab1e708 [BIOS:EV_ACTION, WAKE EVENT 0]
196 6 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
197 7 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
198 8 0x00001205 177f4ea8f72db0082f832667701f9d072b1f5df2 [GRUB:KERNEL /vmlinuz-2.6.30-rc2]
199 8 0x00001305 4ecccf21df1f87f7203112bcf8555475cfdca7e9 [GRUB:INITRD /initrd-2.6.30-rc2.img]
200 8 0x00000004 2431ed60130faeaf3a045f21963f71cacd46a029 [GRUB:EV_SEPARATOR, OS Event Separator]
201 8 0x00001005 f3973cae05d6e2055062119d6e6e1e077b7df876 [GRUB:ACTION, Booting Linux Kenrel]
Install the required Java packages.
yum install java-devel ant ant-nodeps java-gcj-compat-devel
yum install jakarta-commons-logging jakarta-commons-codec log4j postgresql-jdbc
Get the source code from the GIT repo.
$ git clone git://git.sourceforge.jp/gitroot/openpts/core.git
$ cd core
Build and install iBatis.
$ wget http://ftp.kddilabs.jp/infosystems/apache/ibatis/binaries/ibatis.java/ibatis-2.3.4.726.zip -O ~/rpmbuild/SOURCES/ibatis-2.3.4.726.zip
$ rpmbuild -ba dist/ibatis.spec
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/ibatis-2.3.4.726-1.fc10.x86_64.rpm'
$ make rpmbuild-ba
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-core-0.1.3-git20090613.fc10.x86_64.rpm'
note) Make sure your JDK or JRE is Sun's.
Quick test: get the IML from the TSS, calculate the PCRs from the IML, and check them against the current PCR values.
$ /usr/bin/iml -b -o binary_iml.log
$ /usr/bin/openpts iml --text --in binary_iml.log
--- PCR[0] CRTM, POST BIOS, and Embedded Option ROMs ---
0 4081b13dc986e581d587aa7fe6c61e02ef7312b2,0x8,[EV_S_CRTM_VERSION[12]=0800feffffffffff05000000]
<snip>
PCR-00: FD 69 6E 03 29 F6 3B F2 88 61 68 65 F8 62 27 AE A0 BF F6 AF
<snip>
$ /usr/bin/tpm_pcrread -p 0
pcr.0=fd696e0329f63bf288616865f86227aea0bff6af
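The quick test above does by hand what the following script automates: replay the event log into PCR values with the TPM 1.2 extend rule (PCR = SHA1(PCR || digest)) and compare the result with what tpm_pcrread reports. This is an added Python example, not OpenPTS code; it parses the ascii_bios_measurements lines shown earlier and also the IMA ascii_runtime_measurements lines (whose first digest, the template hash, is the value extended into PCR 10), and its tpm_pcrread text is constructed from the replay with PCR 4 altered so that a mismatch is reported.

```python
import hashlib
import re

PCR_LEN = 20
# "<pcr> <sha1> <type-or-template> <rest>"; matches both log formats on this page
EVENT_RE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{40})\s+(\S+)\s*(.*?)\s*$")

def initial_pcr(index):
    # PCRs 17-22 (DRTM/locality PCRs) reset to 0xff, as tpm_pcrread shows above.
    return (b"\xff" if 17 <= index <= 22 else b"\x00") * PCR_LEN

def extend(pcr, digest):
    """TPM 1.2 extend rule: new PCR = SHA1(old PCR || measured digest)."""
    return hashlib.sha1(pcr + digest).digest()

def parse_event_log(text):
    """Return (pcr, digest, type, rest) per log line; other lines (<snip>) skipped."""
    matches = (EVENT_RE.match(line) for line in text.splitlines())
    return [(int(m.group(1)), bytes.fromhex(m.group(2)), m.group(3), m.group(4))
            for m in matches if m]

def replay(events):
    """Extend every event into its PCR in log order; returns {pcr: bytes}."""
    pcrs = {}
    for idx, digest, _, _ in events:
        pcrs[idx] = extend(pcrs.get(idx, initial_pcr(idx)), digest)
    return pcrs

def parse_pcrread(text):
    """Parse the 'pcr.N=<hex>' lines printed by tpm_pcrread -a."""
    return {int(i): bytes.fromhex(h)
            for i, h in re.findall(r"pcr\.(\d+)=([0-9a-fA-F]{40})", text)}

def compare(events, live):
    """{pcr: (replayed_hex, live_hex)} for PCRs that disagree; {} means consistent."""
    replayed = replay(events)
    return {i: (replayed[i].hex(), live[i].hex())
            for i in sorted(replayed) if i in live and live[i] != replayed[i]}

# Sample lines taken from the GRUB-IMA and IMA logs shown on this page.
SAMPLE_LOG = """\
4 a6814bcb5db0cf04d8dcab87eb28f5da08f8fb88 0d [IPL]
4 1b2db0cc9522e668216df23894622abae5a5bfb8 0d [IPL]
4 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 04 [Grub Event Separator]
8 f3973cae05d6e2055062119d6e6e1e077b7df876 1005 []
10 817c49849831408d9644f0211acd1cf6b5f11d72 ima c61c6ca6a34a76d58bf49a2609bd025c8786a4be boot_aggregate
"""

if __name__ == "__main__":
    events = parse_event_log(SAMPLE_LOG)
    live = replay(events)
    live[4] = b"\x00" * PCR_LEN  # constructed: PCR 4 no longer matches the log
    live_text = "\n".join("pcr.%d=%s" % (i, d.hex()) for i, d in sorted(live.items()))
    for idx, (calc, got) in compare(events, parse_pcrread(live_text)).items():
        print("PCR-%02d mismatch: log replays to %s, TPM reports %s" % (idx, calc, got))
```

On a real machine, feed it the contents of /sys/kernel/security/tpm0/ascii_bios_measurements and the output of tpm_pcrread -a instead of the sample strings; an empty result means the log explains every PCR it touches.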
Build.
$ git clone git://git.sourceforge.jp/gitroot/openpts/demo.git
$ cd demo
$ rpmbuild -ba dist/rpm/jtreemap.spec
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/jtreemap-1.1.0-1.fc10.x86_64.rpm'
$ make rpmbuild-ba
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tcdemo-client-0.1.3-git20090613.fc10.x86_64.rpm'
Test.
# /usr/bin/ptsclientadmin
The GUI program will start. The Platform Information tab shows your platform's info/PCR/IML. Next, go to the Reference Manifest tab and press the "Create/Update" button. It then generates a new Reference Manifest (/var/lib/openpts/platform_rm.xml). Press the View button to open the XML file in Firefox.
note) For LIM/IMA, only the platform (BIOS/bootloader) manifest is supported as of 2009/6/1.
Set up the client and server on a single machine.
You need to disable prelink, since it modifies executables (the digest would become a unique value for each machine). Modify /etc/sysconfig/prelink as follows:
PRELINKING=no
Undo prelinking. This may take a while.
# /usr/sbin/prelink -ua
The SRK password must be the default setting. Just press Enter for the SRK password.
$ tpm_takeownership
Enter owner password: ********
Confirm password: ********
Enter SRK password:
Confirm password:
If you get the following error message, TPM ownership has already been taken.
Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled
Also, if the size of the /var/lib/tpm/system.data file is zero, your TSS has forgotten your ownership. To fix this, take ownership again, or put the dummy system.data file in place to enable the TSS as follows.
# cp demo/sampledata/knoppix/dummy_system.data /var/lib/tpm/system.data
# service tcsd restart
/usr/bin/ptsclientadmin --commandline --user USERNAME
The user's local configuration is stored in /home/$USERNAME/.pts
# yum install postgresql-server
# service postgresql start
# chkconfig postgresql on
Set an admin password for postgres
# passwd postgres
# cd /usr/lib64/openpts/database/
# sh dbsetup.sh load /etc/openpts/db.conf
S) Setup New Databases
C) Show Current Configuration
L) Show State
B) Backup Databases
D) Delete Databases
Q) Exit
select:C
Current Configurations
DB type : postgres
DB admin : ptsadmin
DB user : ptsuser
Vulnerability Database name : vuldb
Integrity Information Database 0 name : iidb_redhat
Integrity Information Database 1 name : iidb_centos
Integrity Information Database 2 name : iidb_knoppix
Integrity Information Database 3 name : iidb_ubuntu
Integrity Information Database 4 name : iidb_fedora
Integrity Information Database 5 name : iidb
Integrity Information Database 6 name : iidb
Integrity Information Database 7 name : iidb_bios
<snip>
select:S
<snip>
It takes a few hours.
# cd /var/lib/openpts
# sh /usr/lib64/openpts/scripts/rpm-all.sh fedora
Collect Package info of fedora
package list...
treemap data...
metadata...
md5 digests...
Create map file, "/var/lib/openpts/database/ibatis/sqlMapsConfig.properties", e.g.
driver=org.postgresql.Driver
url_vul=jdbc:postgresql://localhost/vuldb
url_iidb0=jdbc:postgresql://localhost/iidb_redhat
url_iidb1=jdbc:postgresql://localhost/iidb_centos
url_iidb2=jdbc:postgresql://localhost/iidb_knoppix
url_iidb3=jdbc:postgresql://localhost/iidb_ubuntu
url_iidb4=jdbc:postgresql://localhost/iidb_fedora
url_iidb5=jdbc:postgresql://localhost/iidb
url_iidb6=jdbc:postgresql://localhost/iidb
url_iidb7=jdbc:postgresql://localhost/iidb
username=ptsadmin
password=password
Import the RPM metadata/digests into the IIDB. It takes time.
# /usr/bin/openpts rpmimport --dbindex 4 --inputdir /var/lib/openpts/fedora/data/
Check the IIDB using the openpts command, e.g.
# openpts iidb --list --index 4
IIDB index: 4
packages: 1622
measuremnets: 250925
- vulnerable: package 0 measurement 0
- safe: package 0 measurement 0
- unclear: package 0 measurement 0
- unchecked: package 1622 measurement 250925
# sha1sum /usr/sbin/acpid
b5e042dfeac3bb70a686be5abd1fcb6a9472c6de /usr/sbin/acpid
# openpts iidb --search --index 4 --digest b5e042dfeac3bb70a686be5abd1fcb6a9472c6de
hexDigest : b5e042dfeac3bb70a686be5abd1fcb6a9472c6de
id : 47331
filename : /usr/sbin/acpid
obsolete : 0
vulnerability : 0
packageName : acpid-1.0.6-11.fc10.x86_64
Just fill the CVE info into the Vulnerability Database. This database cannot be linked with the integrity database, since there is no good source of security advisories for Fedora; OVAL only supports RHEL.
/usr/bin/openpts cve --xmlfile http://nvd.nist.gov/download/nvdcve-2009.xml --outputdir /tmp
Backup:
$ pg_dump database_name > file_name.sql
Restore:
$ psql -e database_name < file_name.sql
$ pg_restore -d database_name file_name.sql
# yum install tomcat5 tomcat5-webapps tomcat5-admin-webapps
/etc/sysconfig/tomcat5
JAVA_HOME="/usr/java/jdk1.6.0_12/"
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tcdemo-server-0.1.3-git20090613.fc10.x86_64.rpm
# /sbin/service tomcat5 start
# chkconfig tomcat5 on
Log file: /var/log/tomcat5/catalina.out
Create an account, user "guest" with password "given".
# htpasswd -c /var/www/.htpasswd guest
Create the demo contents.
# mkdir -p /var/www/html/tcdemo
Edit /var/www/html/tcdemo/index.html
<html>
<head>
<title> OpenPTS Test </title>
</head>
<body>
<h1> OpenPTS Test </h1>
</body>
</html>
Edit /etc/httpd/conf/httpd.conf
...
<Directory "/var/www/html">
...
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
require valid-user
</Directory>
...
# service httpd start
# chkconfig httpd on
(OPTION) To monitor the server-side validation log, open a terminal and run:
tailf /var/log/openpts.log
/usr/bin/ptsclientuser --commandline
If validation succeeds, it opens http://localhost/tcdemo.
Congratulations!
/var/lib/openpts/database/ibatis/commons-logging.properties
org.apache.commons.logging.log=org.apache.commons.logging.impl.Log4JLogger
/var/lib/openpts/database/ibatis/log4j.properties
log4j.rootCategory=DEBUG, CONSOLE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=%5p [%t] (%F:%L) - %m%n
log4j.appender.LOGFILE=org.apache.log4j.FileAppender
log4j.appender.LOGFILE.File=/tmp/openpts.log
log4j.appender.LOGFILE.Append=true
log4j.appender.LOGFILE.layout=org.apache.log4j.PatternLayout
log4j.appender.LOGFILE.layout.ConversionPattern=%p %t %c - %m%n