This page is under construction. Comments and suggestions on these instructions are welcome.

How To Build OpenPlatformTrustServices for Fedora10.

The following instructions were tested on Fedora 10 x86_64.

1. Setup build environment

1-1. RPM build environment

$ su -c 'yum install yum-utils rpmdevtools'
$ rpmdev-setuptree

Now ~/rpmbuild/ is your work space.

1-2. Java

(Optional) Download and install Java Development Kit 6 from http://java.sun.com/javase/downloads/index.jsp, then point JAVA_HOME and PATH at it:

$ su -c 'sh jdk-6u12-linux-amd64-rpm.bin'
export JAVA_HOME=/usr/java/default
export PATH=/usr/java/default/bin:$PATH

OK, let's build/install Trusted Computing components.

2. Bootloader

TBD: the GRUB-IMA patch for F10 is still under test.

$ su -c 'yumdownloader --source grub'
$ su -c 'yum-builddep grub-0.97-38.fc10.src.rpm'
$ rpm -Uvh grub-0.97-38.fc10.src.rpm
$ cd ~/rpmbuild/SOURCES
$ wget http://osdn.dl.sourceforge.jp/openpts/40294/grub-0.97-38.fc10.ima-
$ cd ~/rpmbuild/SPECS

Modify grub.spec to support GRUB-IMA, i.e. tag the release, add the patch and pass --enable-ima to configure, e.g.

+Release: 38%{?dist}.ima
+Patch2: grub-0.97-38.fc10.ima-
+%patch2 -p1
+%configure --sbindir=/sbin --disable-auto-linux-mem-opt --enable-ima --datarootdir=%{_datadir}

Then build and install:

$ rpmbuild -ba grub.spec
$ su -c 'rpm -ivh ../RPMS/x86_64/grub-0.97-38.fc10.ima.x86_64.rpm'
$ su -c 'grub-install /dev/sda'


After rebooting with the patched GRUB, /sys/kernel/security/tpm0/ascii_bios_measurements contains new events from GRUB-IMA (columns: PCR, SHA-1 digest, event type, event data), e.g.

 4 a6814bcb5db0cf04d8dcab87eb28f5da08f8fb88 0d [IPL]
 4 1b2db0cc9522e668216df23894622abae5a5bfb8 0d [IPL]
 4 2088cf4ac5161ed201988c4a7eef032edfcbe11c 0d [IPL]
 4 9c4f005da6861894101336242cf6a6b4f48932de 06 []
 4 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 04 [Grub Event Separator]
 5 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 04 [Grub Event Separator]
 5 9cd8a5fd7d52a7500aec4acad1ba165e1fed8786 0e [IPL Partition Data]
 5 791724465beff9845e79f6a7e38e5d8d7fe9a706 1105 []
 8 177f4ea8f72db0082f832667701f9d072b1f5df2 1205 []
 8 4ecccf21df1f87f7203112bcf8555475cfdca7e9 1305 []
 5 2431ed60130faeaf3a045f21963f71cacd46a029 04 [OS Event Separator]
 8 2431ed60130faeaf3a045f21963f71cacd46a029 04 [OS Event Separator]
 8 f3973cae05d6e2055062119d6e6e1e077b7df876 1005 []

note1) Please mount securityfs to access the eventlog

# mount -t securityfs securityfs /sys/kernel/security

or, add the following line to your /etc/fstab:

securityfs /sys/kernel/security securityfs rw 0 0

note2) This patch does not support Trusted Boot on EFI platform.

3. Linux Kernel

At this moment we recommend the old (out-of-tree) IMA, since the new in-kernel IMA is not yet integrated with TrouSerS and OpenPTS.

3-1. Linux Kernel w/ Linux-IMA

1 http://fedoraproject.org/wiki/Docs/CustomKernel
2 http://sourceforge.net/projects/linux-ima


$ yumdownloader --source kernel
$ su -c 'yum-builddep kernel-<version>.src.rpm'
$ rpm -Uvh kernel-<version>.src.rpm

$ cd ~/rpmbuild/SOURCES

$ wget http://jaist.dl.sourceforge.net/sourceforge/linux-ima/ibm_ima_8.5_2.6.27.6.patch

$ cd ~/rpmbuild/SPECS

$ rpmbuild -bp --target=`uname -m` kernel.spec

$ cd ~/rpmbuild/BUILD

(the kernel tree unpacked by the -bp step sits in a subdirectory here; change into it first)

Start either from one of the Fedora configs shipped in the tree or from the config of the running kernel:

$ cp configs/<desired-config-file> .config

or

$ cp /boot/config-$(uname -r) .config

Then adjust the configuration with xconfig or menuconfig:

$ make -s xconfig
$ make -s menuconfig

Device Drivers > Character devices > TPM Hardware Support = Y
Device Drivers > Character devices > TPM Hardware Support > (the interface driver for your TPM, e.g. TPM Interface Specification 1.2 Interface) = Y
Cryptographic API > SHA1 = Y
Security options > Capability = N
Security options > Smack = N
Security options > TCG run-time Integrity Measurement = Y

(The old IMA patch hooks in as an LSM, which is why the other LSM options are switched off here.)

Add a "# x86_64" line at the top of .config (the kernel spec expects it), then copy it into SOURCES:

$ cp .config ~/rpmbuild/SOURCES/config-x86_64-generic

$ cd ~/rpmbuild/SPECS

Add "%define buildid .ima" to kernel.spec, and register the ibm_ima patch downloaded into SOURCES in it (a Patch: line plus the matching ApplyPatch call, as for the other patches in the spec) so that it is actually applied during the build.

$ rpmbuild -ba --with baseonly --with firmware --without debuginfo --target=`uname -m` kernel.spec

$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/kernel-firmware-'
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/kernel-'

Add "ima=1" to the kernel line in /boot/grub/grub.conf and reboot into the new kernel.

Then tell tcsd where to find the measurement logs by setting the following in /etc/tcsd.conf:
system_ps_file = /var/lib/tpm/system.data
firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
firmware_pcrs = 0,1,2,3,4,5,6,7,8
kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
kernel_pcrs = 10

note) PCs with the newer Intel iTPM need a fix in tpm_tis.c; then add "tpm_tis.force=1 tpm_tis.interrupts=0" to the kernel line.

3-2. Linux Kernel 2.6.30 (LIM/IMA)

note) the new eventlog reported by IMA is not supported by Trousers yet, since the eventlog format was changed.


$ wget http://ftp.riken.jp/Linux/kernel.org/linux/kernel/v2.6/testing/linux-2.6.30-rc1.tar.bz2
$ tar xvfj linux-2.6.30-rc1.tar.bz2
$ cd linux-2.6.30-rc1

$ cp /boot/config-$(uname -r) .config

$ make xconfig
$ make rpm

$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/kernel-2.6.30rc1-1.x86_64.rpm'
$ su -c '/sbin/mkinitrd /boot/initrd-2.6.30-rc1.img 2.6.30-rc1'

Edit /boot/grub/grub.conf to add the 2.6.30-rc1 entry (2.6.30 does not need the "ima=1" kernel option, but 2.6.31 will need "ima_tcb=1"), then reboot.

After reboot the IMA measurement list in /sys/kernel/security/ima/ascii_runtime_measurements shows the boot aggregate followed by each measured file, e.g.
10 817c49849831408d9644f0211acd1cf6b5f11d72 ima c61c6ca6a34a76d58bf49a2609bd025c8786a4be boot_aggregate
10 c87f38a0c5e5f969ef2a9858ae08e5e9c060d2d5 ima 654cd04f9f1775de24c4d6b32c8f400fe630be63 /init
10 71ccedd1d3c118d3aed7ce6b2e3550928f56ef3d ima 2117139e75aae8b96ffbd81b2b76ba2e289248d9 /init
10 960937de5c7f27bbe737e09444ea567ab55dadd1 ima 81d18b105b656ff4619750d96f72973cae2700da ld-2.9.so


In /etc/tcsd.conf, point tcsd at the firmware log only (leave kernel_log_file unset, since tcsd cannot parse the new IMA format):

system_ps_file = /var/lib/tpm/system.data
firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
firmware_pcrs = 0,1,2,3,4,5,6,7,8

4. TSS

4-1. TrouSerS (using Fedora10 repo)

$ su -c  'yum install trousers trousers-devel tpm-tools tpm-tools-devel'

Enable and start the tcsd service (System->Administration->Services), then confirm that the TPM is reachable:

$ /usr/sbin/tpm_version
  TPM 1.2 Version Info:
  Chip Version:
  Spec Level:          2
  Errata Revision:     2
  TPM Vendor ID:       INTC
  Vendor Specific data: 00040000 00030464
  TPM Version:         01010000
  Manufacturer Info:   494e5443

4-2. TrouSerS (from CVS)

$ cvs -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers login
(hit return when asked for a password)
$ cvs -z3 -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers co -P trousers
$ cvs -z3 -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers co -P tpm-tools
$ cd trousers
$ sh bootstrap.sh
$ ./configure --prefix=/usr --libdir=/usr/lib64
$ cd ..
$ ln -s trousers trousers-0.3.2cvs
$  tar cvfz ~/rpmbuild/SOURCES/trousers-0.3.2cvs.tar.gz ./trousers-0.3.2cvs/*
$ rpmbuild -ba  trousers-0.3.2cvs/dist/fedora/trousers.spec

note) please modify dist/Makefile.am if you want to remove groupadd feature

$ cd tpm-tools
$ sh bootstrap.sh
$ ./configure --prefix=/usr --libdir=/usr/lib64

Edit dist/tpm-tools-nopkcs11.spec

$ cd ..
$ ln -s tpm-tools tpm-tools-1.3.2cvs
$ tar cvfz ~/rpmbuild/SOURCES/tpm-tools-1.3.2cvs.tar.gz ./tpm-tools-1.3.2cvs/*
$ rpmbuild -ba  tpm-tools-1.3.2cvs/dist/tpm-tools-nopkcs11.spec
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/trousers-0.3.2cvs-1.x86_64.rpm
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/trousers-devel-0.3.2cvs-1.x86_64.rpm
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/tpm-tools-1.3.2cvs-1.x86_64.rpm
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/tpm-tools-devel-1.3.2cvs-1.x86_64.rpm

5. Open Platform Trust Service

5-1. openpts-tools package

Get the source from the GIT repo, build the RPM and install it:
$ git clone git://git.sourceforge.jp/gitroot/openpts/tools.git
$ cd tools
$ make rpmbuild-ba
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tools-0.1.3-git20090530.fc10.x86_64.rpm'

Read the current PCR values and dump the IML (integrity measurement log) with the installed tools:
$ /usr/bin/tpm_pcrread -a

$ /usr/bin/iml
 Idx PCR       Type    Digest                                EventData
   0   0 0x00000008 4081b13dc986e581d587aa7fe6c61e02ef7312b2 [BIOS:EV_S_CRTM_VERSION]
   1   0 0x00000001 8b5c22ae675ea440e2f403b4d5e88131fecc2a1c [BIOS:EV_POST_CODE(EV_CODE_NOCERT)]
 183   4 0x0000000d dc717bf8fd6cadfc50e5d0a401eac1f93bdddc3e [BIOS:EV_IPL]
 184   4 0x0000000d a6814bcb5db0cf04d8dcab87eb28f5da08f8fb88 [GRUB:EV_IPL, Stage1(MBR)]
 185   4 0x0000000d 1b2db0cc9522e668216df23894622abae5a5bfb8 [GRUB:EV_IPL, Stage1.5]
 186   4 0x0000000d 2088cf4ac5161ed201988c4a7eef032edfcbe11c [GRUB:EV_IPL, Stage1.5(filesystem)]
 187   4 0x00000006 9c4f005da6861894101336242cf6a6b4f48932de [GRUB: measure MBR again]
 188   4 0x00000004 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 [GRUB:EV_SEPARATOR, Grub Event Separator]
 189   5 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
 190   5 0x0000000e 26a08ab97c4bffb3dd84f4f6dbd3b475d22abe3f [BIOS:EV_IPL_PERTITION_DATA]
 191   5 0x00000004 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 [GRUB:EV_SEPARATOR, Grub Event Separator]
 192   5 0x0000000e 9cd8a5fd7d52a7500aec4acad1ba165e1fed8786 [GRUB:grub.conf]
 193   5 0x00001105 791724465beff9845e79f6a7e38e5d8d7fe9a706 [GRUB:KERNEL_OPT /vmlinuz-2.6.30-rc2 ro root=/dev/VolGroup00/LogVol00 ima=1 tpm_tis.itpmfix=1 tpm_tis.force=1 tpm_tis.interrupts=0 numa=fake=2*512]
 194   5 0x00000004 2431ed60130faeaf3a045f21963f71cacd46a029 [GRUB:EV_SEPARATOR, OS Event Separator]
 195   6 0x00000005 017263855c5e8b20f2896a3135b8e4652ab1e708 [BIOS:EV_ACTION, WAKE EVENT 0]
 196   6 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
 197   7 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
 198   8 0x00001205 177f4ea8f72db0082f832667701f9d072b1f5df2 [GRUB:KERNEL /vmlinuz-2.6.30-rc2]
 199   8 0x00001305 4ecccf21df1f87f7203112bcf8555475cfdca7e9 [GRUB:INITRD /initrd-2.6.30-rc2.img]
 200   8 0x00000004 2431ed60130faeaf3a045f21963f71cacd46a029 [GRUB:EV_SEPARATOR, OS Event Separator]
 201   8 0x00001005 f3973cae05d6e2055062119d6e6e1e077b7df876 [GRUB:ACTION, Booting Linux Kenrel]

5-2. openpts-core package

Install the required Java packages:

# yum install java-devel ant ant-nodeps java-gcj-compat-devel
# yum install jakarta-commons-logging jakarta-commons-codec log4j postgresql-jdbc

Get the source code from GIT repo.

$ git clone git://git.sourceforge.jp/gitroot/openpts/core.git
$ cd core

Build and Install iBatis.

$ wget http://ftp.kddilabs.jp/infosystems/apache/ibatis/binaries/ibatis.java/ibatis- -O ~/rpmbuild/SOURCES/ibatis-
$ rpmbuild -ba  dist/ibatis.spec
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/ibatis-'

$ make rpmbuild-ba
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-core-0.1.3-git20090613.fc10.x86_64.rpm'

note) Make sure the JDK/JRE in use is Sun's.

Quick test: get the IML from the TSS, compute the PCR values from the IML, and compare them with the PCR values currently held by the TPM.

$ /usr/bin/iml -b -o binary_iml.log
$ /usr/bin/openpts iml --text --in binary_iml.log
--- PCR[0] CRTM, POST BIOS, and Embedded Option ROMs ---
 0 4081b13dc986e581d587aa7fe6c61e02ef7312b2,0x8,[EV_S_CRTM_VERSION[12]=0800feffffffffff05000000]
PCR-00: FD 69 6E 03 29 F6 3B F2 88 61 68 65 F8 62 27 AE A0 BF F6 AF 
$ /usr/bin/tpm_pcrread -p 0

The PCR-00 value computed from the log must match the value read from the TPM. If they differ, the log does not account for what was actually measured (e.g. it was truncated or altered), and a verifier must reject it.
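The check above (replay the IML, compare with the TPM) is exactly what a verifier does with the firmware event log from section 2. The following is an added example, not code from OpenPTS or TrouSerS: it parses the TCG 1.2 SHA-1 event log format used by binary_bios_measurements (per event: 32-bit PCR index, 32-bit event type, 20-byte digest, 32-bit data length, data), replays the extend operations, renders the ascii_bios_measurements layout, and compares the result with tpm_pcrread-style output. The sample log and the PCR values it is checked against are constructed inline so it runs without a TPM; the event types and data strings mimic the GRUB-IMA events shown above, but the digests are made up.

```python
# Added example (not part of OpenPTS or TrouSerS): parse a TCG 1.2 SHA-1 event
# log such as binary_bios_measurements, replay the PCR extend operations, and
# compare the result with what tpm_pcrread reports.
import hashlib
import struct

PCR_INIT = bytes(20)                # PCRs 0-15 start as 20 zero bytes at reset
HEADER = struct.Struct("<II20sI")   # pcrIndex, eventType, digest, eventDataSize


def extend(pcr, digest):
    """TPM 1.2 extend: PCR = SHA-1(PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def parse_event_log(blob):
    """Return a list of (pcr_index, event_type, digest, event_data) tuples.

    Raises instead of silently accepting a truncated log.
    """
    events = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated event header at offset %d" % off)
        pcr_index, event_type, digest, size = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if len(blob) - off < size:
            raise ValueError("truncated event data at offset %d" % off)
        events.append((pcr_index, event_type, digest, blob[off:off + size]))
        off += size
    return events


def replay(events):
    """Compute the value each PCR present in the log would have after all events."""
    pcrs = {}
    for pcr_index, _, digest, _ in events:
        pcrs[pcr_index] = extend(pcrs.get(pcr_index, PCR_INIT), digest)
    return pcrs


def ascii_lines(events):
    """Render events in the layout of ascii_bios_measurements."""
    lines = []
    for pcr_index, event_type, digest, data in events:
        text = data.decode("ascii", "replace").rstrip("\x00")
        lines.append("%2d %s %02x [%s]" % (pcr_index, digest.hex(), event_type, text))
    return lines


def parse_pcrread(text):
    """Parse tpm_pcrread lines like 'PCR-00: FD 69 6E ...' into {index: bytes}."""
    pcrs = {}
    for line in text.splitlines():
        if not line.startswith("PCR-"):
            continue
        label, value = line.split(":", 1)
        pcrs[int(label[4:])] = bytes.fromhex(value.replace(" ", ""))
    return pcrs


def verify(events, reported):
    """Return {pcr: (replayed_hex, reported_hex)} for every PCR where log and TPM disagree."""
    mismatches = {}
    for pcr_index, replayed in replay(events).items():
        if pcr_index in reported and reported[pcr_index] != replayed:
            mismatches[pcr_index] = (replayed.hex(), reported[pcr_index].hex())
    return mismatches


def encode_event(pcr_index, event_type, digest, data):
    """Serialize one event in the log format parsed above (used to build the sample)."""
    return HEADER.pack(pcr_index, event_type, digest, len(data)) + data


# Constructed sample log in the shape GRUB-IMA produces (digests are of made-up
# data, not real boot code); event types 0x0d = EV_IPL, 0x04 = EV_SEPARATOR.
EV_SEPARATOR, EV_IPL = 0x04, 0x0d
SAMPLE_LOG = b"".join([
    encode_event(4, EV_IPL, hashlib.sha1(b"stage1").digest(), b"IPL"),
    encode_event(4, EV_IPL, hashlib.sha1(b"stage1.5").digest(), b"IPL"),
    encode_event(4, EV_SEPARATOR, hashlib.sha1(b"\xff\xff\xff\xff").digest(),
                 b"Grub Event Separator"),
    encode_event(5, EV_SEPARATOR, hashlib.sha1(b"\xff\xff\xff\xff").digest(),
                 b"OS Event Separator"),
])


def sample_pcrread():
    """Fake 'tpm_pcrread -a' output that matches SAMPLE_LOG (constructed for the demo)."""
    return "\n".join("PCR-%02d: %s" % (i, " ".join("%02X" % b for b in v))
                     for i, v in sorted(replay(parse_event_log(SAMPLE_LOG)).items()))


if __name__ == "__main__":
    events = parse_event_log(SAMPLE_LOG)
    print("\n".join(ascii_lines(events)))
    print("mismatches:", verify(events, parse_pcrread(sample_pcrread())))
```

To use it on a real machine, read /sys/kernel/security/tpm0/binary_bios_measurements (or the binary_iml.log written by iml -b) into parse_event_log and the output of tpm_pcrread -a into parse_pcrread; any entry returned by verify means the log does not describe the boot the TPM recorded. Note that replay only proves the log is consistent with the PCRs; whether the measured values are the expected ones is the job of the reference manifest and IIDB in the later sections.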

5-3. openpts-demo package

Get the source from the GIT repo, then build and install the jtreemap dependency and the demo client:

$ git clone git://git.sourceforge.jp/gitroot/openpts/demo.git
$ cd demo

$ rpmbuild -ba dist/rpm/jtreemap.spec
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/jtreemap-1.1.0-1.fc10.x86_64.rpm'
$ make rpmbuild-ba
$ su -c 'rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tcdemo-client-0.1.3-git20090613.fc10.x86_64.rpm'

Start the client admin tool as root:

# /usr/bin/ptsclientadmin

A GUI program starts. The Platform Information tab shows your platform's info, PCRs and IML. Next, go to the Reference Manifest tab and press the "Create/Update" button; this generates a new Reference Manifest (/var/lib/openpts/platform_rm.xml). Pressing the View button starts Firefox to display the XML file.

note) For LIM/IMA, only the platform (BIOS/bootloader) manifest is supported as of 2009/6/1.

6. Demo Setup

Setup the client and server on single machine.

6-1. Setup TC Client

6-1-1. Disable Pre-linking

You need to disable prelink, since it modifies executables and the digest of a prelinked binary becomes unique to each machine. Set PRELINKING=no in /etc/sysconfig/prelink, then undo the existing prelinking (this may take a while):

# /usr/sbin/prelink -ua

6-1-2. Take the TPM ownership

The SRK password must be left at the default: just press Enter at the SRK password prompts.

$ tpm_takeownership
Enter owner password: ********
Confirm password: ********
Enter SRK password:
Confirm password:

If you get the following error message, the TPM already has an owner:

Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled

Also, if /var/lib/tpm/system.data is empty (zero bytes), the TSS has lost its record of the ownership. To fix this, take ownership again, or drop in the dummy system.data file from the demo tree and restart tcsd:

# cp demo/sampledata/knoppix/dummy_system.data /var/lib/tpm/system.data
# service tcsd restart

6-1-3. Setup Demo Env
/usr/bin/ptsclientadmin --commandline --user USERNAME

User's local configurations are stored at /home/$USERNAME/.pts

6-2. Setup Integrity and Vulnerability Database

6-2-1. Install PostgreSQL
# yum install postgresql-server
# service postgresql start
# chkconfig postgresql on

6-2-2. Configure PostgreSQL

Set a password for the postgres account, then run the database setup script:

# passwd postgres
# cd /usr/lib64/openpts/database/
# sh dbsetup.sh
load /etc/openpts/db.conf
S) Setup New Databases
C) Show Current Configuration
L) Show State
B) Backup Databases
D) Delete Databases
Q) Exit


Option C) shows the current configuration, e.g.

Current Configurations
DB type                               : postgres 
DB admin                              : ptsadmin 
DB user                               : ptsuser 
Vulnerability Database name           : vuldb 
Integrity Information Database 0 name : iidb_redhat 
Integrity Information Database 1 name : iidb_centos 
Integrity Information Database 2 name : iidb_knoppix 
Integrity Information Database 3 name : iidb_ubuntu 
Integrity Information Database 4 name : iidb_fedora 
Integrity Information Database 5 name : iidb 
Integrity Information Database 6 name : iidb 
Integrity Information Database 7 name : iidb_bios 

6-2-3. Setup Integrity Information Database of current host

This takes a few hours.

# cd /var/lib/openpts
# sh /usr/lib64/openpts/scripts/rpm-all.sh fedora
Collect Package info of fedora
  package list...
  treemap data...
  md5 digests...

Create the map file /var/lib/openpts/database/ibatis/sqlMapsConfig.properties, e.g.


Import the RPM metadata and digests into the IIDB; this also takes time.

# /usr/bin/openpts rpmimport --dbindex 4 --inputdir  /var/lib/openpts/fedora/data/

Check the IIDB with the openpts command, e.g.

# openpts iidb --list --index 4
IIDB index:	4
packages:	1622
measuremnets:	250925
 - vulnerable:
	package    	0
	measurement	0
 - safe:
	package    	0
	measurement	0
 - unclear:
	package    	0
	measurement	0
 - unchecked:
	package    	1622
	measurement	250925

Look up the digest of an installed file in the IIDB:

# sha1sum /usr/sbin/acpid
b5e042dfeac3bb70a686be5abd1fcb6a9472c6de  /usr/sbin/acpid

# openpts iidb --search --index 4 --digest b5e042dfeac3bb70a686be5abd1fcb6a9472c6de
hexDigest     : b5e042dfeac3bb70a686be5abd1fcb6a9472c6de
id            : 47331
filename      : /usr/sbin/acpid
obsolete      : 0
vulnerability : 0
packageName : acpid-1.0.6-11.fc10.x86_64
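The IIDB lookup above classifies a file digest as known-good, vulnerable or unchecked. The following is an added example, not OpenPTS code, that applies the same idea to the IMA measurement list from section 3-2: it parses ascii_runtime_measurements lines, recomputes each line's template hash to catch a list that was edited after the fact, replays PCR 10 from the template hashes, and classifies each file hash against a small reference digest table that stands in for the IIDB. The template hash construction (20-byte file digest followed by the file name in a zero-padded 256-byte buffer) is that of the original "ima" template; check it against a line from your own kernel before relying on it. The measurement lines and the reference table are constructed inline and contain made-up digests.

```python
# Added example (not OpenPTS code): consistency-check and classify an IMA
# measurement list (ascii_runtime_measurements) against a reference digest table.
import hashlib

PCR_INIT = bytes(20)
# Original "ima" template: SHA-1 over the 20-byte file digest followed by the
# file name in a fixed 256-byte zero-padded buffer (IMA_EVENT_NAME_LEN_MAX + 1).
IMA_NAME_LEN = 256


def extend(pcr, digest):
    """TPM 1.2 extend: PCR = SHA-1(PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def template_hash(file_hash, name):
    """Recompute the template hash the kernel extends into PCR 10 for one entry."""
    buf = file_hash + name.encode()[:IMA_NAME_LEN - 1].ljust(IMA_NAME_LEN, b"\x00")
    return hashlib.sha1(buf).digest()


def parse_ima_list(text):
    """Parse '<pcr> <template-hash> ima <file-hash> <name>' lines into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, thash, tname, fhash, name = line.split(None, 4)
        entries.append({"pcr": int(pcr), "template_hash": bytes.fromhex(thash),
                        "template": tname, "file_hash": bytes.fromhex(fhash),
                        "name": name})
    return entries


def replay_pcr10(entries):
    """Value PCR 10 should hold after all listed entries were extended into it."""
    pcr = PCR_INIT
    for e in entries:
        if e["pcr"] == 10:
            pcr = extend(pcr, e["template_hash"])
    return pcr


def classify(entries, reference):
    """Map each file name to 'safe', 'mismatch', 'unchecked' or 'corrupt'.

    'corrupt': the template hash on the line does not match the file hash and
    name on the same line, i.e. the list was altered after the kernel wrote it.
    reference: {name: sha1 hex digest}, playing the IIDB's role here.
    """
    result = {}
    for e in entries:
        if e["template"] == "ima" and \
                template_hash(e["file_hash"], e["name"]) != e["template_hash"]:
            result[e["name"]] = "corrupt"
        elif e["name"] not in reference:
            result[e["name"]] = "unchecked"
        elif bytes.fromhex(reference[e["name"]]) == e["file_hash"]:
            result[e["name"]] = "safe"
        else:
            result[e["name"]] = "mismatch"
    return result


def ima_line(file_hash, name):
    """Format a measurement line the way the kernel does (used to build the sample)."""
    return "10 %s ima %s %s" % (template_hash(file_hash, name).hex(),
                                file_hash.hex(), name)


# Constructed sample (digests of made-up content, not real files).
INIT_HASH = hashlib.sha1(b"init script").digest()
LD_HASH = hashlib.sha1(b"ld-2.9.so").digest()
BASH_HASH = hashlib.sha1(b"bash").digest()
AGG_HASH = hashlib.sha1(b"pcr0..7").digest()
SAMPLE_LIST = "\n".join([
    ima_line(AGG_HASH, "boot_aggregate"),
    ima_line(INIT_HASH, "/init"),
    ima_line(LD_HASH, "ld-2.9.so"),
    ima_line(BASH_HASH, "/bin/bash"),
])
# Reference table: /init matches, ld-2.9.so has a different digest, /bin/bash is unknown.
REFERENCE = {"/init": INIT_HASH.hex(),
             "ld-2.9.so": hashlib.sha1(b"some other ld").hexdigest()}

if __name__ == "__main__":
    entries = parse_ima_list(SAMPLE_LIST)
    print("PCR-10:", replay_pcr10(entries).hex())
    for name, state in classify(entries, REFERENCE).items():
        print("%-10s %s" % (state, name))
```

Two points worth noticing when running it: rewriting a file hash in the list without recomputing the template hash is reported as "corrupt" while replay_pcr10 is unchanged, because only the template hashes are extended into the TPM; and a list that replays to the live PCR 10 value but contains a "mismatch" entry is the interesting case for the validation server, since the TPM vouches for the list but the IIDB does not vouch for the file.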

6-2-4. Setup Vulnerability Database

This only loads CVE information into the vulnerability database; it cannot be linked to the integrity database, because there is no good machine-readable security advisory source for Fedora (OVAL covers RHEL only).

# /usr/bin/openpts cve --xmlfile http://nvd.nist.gov/download/nvdcve-2009.xml --outputdir /tmp
6-2-5. Backup and restore database

$ pg_dump database_name > file_name.sql
$ psql -e database_name < file_name.sql
$ pg_restore -d database_name file_name.sql

note) pg_restore only reads archives produced with pg_dump -Fc (custom format); a plain SQL dump like the one above is restored with psql.

6-2-6. View IIDB, VULDB using phpPgAdmin


6-3. Setup Validation Server

6-3-X. Setup TOMCAT

# yum install tomcat5 tomcat5-webapps tomcat5-admin-webapps 


# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tcdemo-server-0.1.3-git20090613.fc10.x86_64.rpm
# /sbin/service tomcat5 start 
# chkconfig tomcat5 on


Log file: /var/log/tomcat5/catalina.out

6-3-X. Setup Demo Contents

Create an account for user "guest" with password "given":

# htpasswd -c /var/www/.htpasswd guest

Create demo contents

# mkdir -p /var/www/html/tcdemo

Edit /var/www/html/tcdemo/index.html

<title> OpenPTS Test </title>
<h1> OpenPTS Test </h1>

Edit /etc/httpd/conf/httpd.conf to require that account for the demo content:

<Directory "/var/www/html">
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/.htpasswd
AuthGroupFile /dev/null
require valid-user
</Directory>

# service httpd start
# chkconfig httpd on


6-4. Run TC Demo

(Optional) To monitor the server-side validation log, open a terminal and run

tailf /var/log/openpts.log

Then run the client:

/usr/bin/ptsclientuser --commandline

If validation succeeds, it opens http://localhost/tcdemo.


6-5. How to Debug?

6-5-1. Configure log4j (NG)




log4j.rootCategory=DEBUG, CONSOLE

log4j.appender.CONSOLE.layout.ConversionPattern=%5p [%t] (%F:%L) - %m%n

log4j.appender.LOGFILE.layout.ConversionPattern=%p %t %c - %m%n