SORRY, This page is still under construction.

Ubuntu Jaunty (9.04)

This guide is intended to build Ubuntu Jaunty (9.04, i386) with Trusted Computing.

note) We are using Thinkpad X200 to make this document. It has intel's iTPM chip, and this instruction contains some workarounds for this TPM. Other TPM user does not need such workarounds.

1. Install Ubuntu Desktop

Download ISO image. and install to your HDD.

Update to be work with latest packages.

2. Enable Integrity Measurement

2.1. BIOS

enable TPM.

2.2. Bootloader Component

2.2.1 GRUB-IMA

Download source package and build.

$ sudo apt-get build-dep grub
$ apt-get source grub
$ pushd grub-0.97/debian/patches/
$ wget
$ popd
$ echo "# This patch supports IMA"              >> grub-0.97/debian/patches/00list
$ echo "grub-0.97-29ubuntu45-ima-" >> grub-0.97/debian/patches/00list
$ mv grub-0.97/debian/rules grub-0.97/debian/rules.orig
$ sed -e 's/--disable-auto-linux-mem-opt/--disable-auto-linux-mem-opt --enable-ima/g' grub-0.97/debian/rules.orig > grub-0.97/debian/rules
$ chmod +x grub-0.97/debian/rules

Build deb package.

$ pushd grub-0.97
$ debchange -i

add changelog message. e.g.

grub (0.97-29ubuntu53.ima) jaunty; urgency=low

  * enable Trusted Boot

 -- foo <>  Tue, 31 Mar 2009 23:27:39 +0900
$ dpkg-buildpackage -rfakeroot -us -uc
$ popd

Install new GRUB package.

$ sudo dpkg -i grub_0.97-29ubuntu53.ima_i386.deb
$ grep TCG /usr/lib/grub/i386-pc/*
Binary file /usr/lib/grub/i386-pc/stage1 matches
Binary file /usr/lib/grub/i386-pc/stage2 matches
Binary file /usr/lib/grub/i386-pc/stage2_eltorito matches

install new GRUB to local system (replace the bootloader components).

$ sudo grub-install /dev/sda
$ grep TCG /boot/grub/*
Binary file /boot/grub/stage1 matches
Binary file /boot/grub/stage2 matches


2.3. Kernel Component


2.2.1 2.6.30 w/ LIM/IMA Kernel Build

$ sudo apt-get install build-essential
$ sudo apt-get install kernel-package
$ sudo apt-get install ncurses-dev
$ cd /usr/src
$ sudo wget
$ sudo tar jxvf linux-2.6.30.tar.bz2
$ cd linux-2.6.30/
$ sudo cp /boot/config-2.6.27-11-generic .config
$ sudo make oldconfig
$ sudo make menuconfig
$ sudo make xconfig

Intel iTPM requires following patches to fix the problem.

$ sudo wget
$ sudo patch -p0 -z .itpm --dry-run < itpm.diff
$ sudo patch -p0 -z .itpm  < itpm.diff

$ sudo make-kpkg clean
$ sudo CONCURRENCY_LEVEL=3 make-kpkg --append-to-version=-ima --initrd kernel_image kernel_headers
$ sudo dpkg -i ../linux-image-2.6.30-ima_2.6.30-ima-10.00.Custom_i386.deb
$ sudo dpkg -i ../linux-headers-2.6.30-ima_2.6.30-ima-10.00.Custom_i386.deb
$ vim /boot/grub/menu.lst

Edit /boot/grub/menu.lst to enable IMA. e.g.

title           Ubuntu 9.04, kernel 2.6.30 (IMA)
uuid            fc0f489b-9a7c-43bd-90fa-bb49979b0c23
kernel          /boot/vmlinuz-2.6.30-ima root=UUID=fc0f489b-9a7c-43bd-90fa-bb49979b0c23 ro quiet splash ima=1 selinux=1 tpm_tis.force=1 tpm_tis.interrupts=0
initrd          /boot/initrd.img-2.6.30-ima

Reboot the system. and check the measurements

$ dmesg
[    1.992012] tpm_tis tpm_tis: 1.2 TPM (device-id 0x1020, rev-id 6)

$ ls /sys/kernel/security/
ima  tpm0
$  sudo cat /sys/kernel/security/ima/ascii_runtime_measurements 
10 adc64d7b762408a258e81b9bbb55fa8781ed42bf ima 705418e94288d91ce1ada49dbd4343b82882c9fb boot_aggregate
10 8a11aa2017bfdf52ae1ab8cfb277fc651bc7d611 ima e6d56d44e22b8f6b783c039d45703e8fd28cb796 /init
10 a078e19e5ea2bf75ed353fc6613f7132863618d5 ima 3d90e18f67f1c580c1212126a3c22cf07c7288dd /init
10 089c6ce6198fee74262cf4244ffdea98a2392ded ima 3d90e18f67f1c580c1212126a3c22cf07c7288dd /bin/busybox
10 c69571a6b6185b474fa7437cb2b31253721824d4 ima 7e9431ee7bcbe0c4ea0054baf84672fdff7d6391 arch.conf
10 3d0d130a199ea78a53fc52f4913d28f5d0da8910 ima 0ec1deb5c2338808cf9dd31a0b16473d273fb570 initramfs.conf
10 a193e5f0c6958e3a979d2c1a5af1abcb657ef79e ima 3addb8e6e83e82a86b3ad215bcd771a12c9d4d74 resume
10 71fc6cf0e268c0ffad291eaa1ce49ab14b6e39de ima a1550fe2ce2f915eac8786d1d693141072feea87 functions
10 a14f597eb53f1a12725c9f772229f59c0de61110 ima ad273a22d013fab039459654369b40e47a6e04ac /sbin/depmod
10 30b51606815deb8bb6c9d1a17db33eb8e5ce1465 ima b9269024f4129804673f366b5a67061f54d7be3f
10 e978baf0c895be2b32a803e200b15b9c4a5d3464 ima 803088880d0abdda917385e88a9ac1ed61ce0f71
10 3b92eee85ca026ca93ba1d0c81d34fa6f88784a0 ima 8a622a41977d6e4cec14e800d76c4aafbaaa9658 nfs.ko
10 5080904daf0e2ba76394f91ac2b63e788db66fb6 ima 4a63e2031da51dbddb9c98ca35a01306c71873b4 reiserfs.ko


2.4 Useland Components

2.4.1 TrouSerS (TBD)


A) Install from Ubuntu repository

$ sudo apt-get install trousers

B) re-build debian package

$ sudo apt-get build-dep trousers
$ apt-get source trousers
$ cd trousers-0.3.1
$ dpkg-buildpackage -rfakeroot -us -uc

C) Use the latest version at TrouSerS CVS repo.

$ cvs login
hit return when asked for password;
$ cvs -z3 co -P trousers

$ cp -r trousers /tmp/trousers-0.3.3.cvs
$ cd /tmp/trousers-0.3.3.cvs
$ sh
$ dh_make --createorig
$ dpkg-buildpackage -rfakeroot
$ sudo dpkg -i ../trousers_0.3.3.cvs-1_i386.deb

$ sudo adduser --system --home /var/lib/tpm --shell /usr/sbin/nologin --no-create-home --group tss

$ sudo chown tss:tss /usr/sbin/tcsd
$ sudo chown tss:tss /var/lib/tpm -R
$ sudo chown tss:tss /etc/tcsd.conf
$ sudo chmod 0600 /etc/tcsd.conf
$ sudo chmod 1777 /var/lib/tpm

$ sudo /etc/init.d/trousers start

Note1) Modify configure to remove "attribute warn_unused_result" check in CFLAGS Note2) remove trousers tpm-tools libtspi-dev libtspi1 libtpm-unseal-dev libtpm-unseal0 opencryptoki libopencryptoki0

D) Use the latest version at TrouSerS GIT repo (TBD)

git clone git://

2.4.2 tpm-tools

A) Install from Ubuntu repository

$ sudo apt-get install tpm-tools

$ tpm_version
  TPM 1.2 Version Info:
  Chip Version:
  Spec Level:          2
  Errata Revision:     2
  TPM Vendor ID:       INTC
  Vendor Specific data: 00040000 00030464
  TPM Version:         01010000
  Manufacturer Info:   494e5443

B) Use the latest version at TrouSerS CVS repo.

$ cvs login
hit return when asked for password;
$ cvs -z3 co -P tpm-tools
$ cp -r tpm-tools /tmp/tpm-tools-1.3.3.cvs
$ sh
$ dh_make --createorig
$ dpkg-buildpackage -rfakeroot
$ sudo dpkg -i ../tpm-tools_1.3.3.cvs-1_i386.deb

$ tpm_version
  TPM 1.2 Version Info:
  Chip Version:
  Spec Level:          2
  Errata Revision:     2
  TPM Vendor ID:       INTC
  Vendor Specific data: 00040000 00030464
  TPM Version:         01010000
  Manufacturer Info:   494e5443

Note) comment out "dh_shlibdeps" in debian/rules

2.4.5 OpenPlatformTrustServices

$ sudo apt-get install trousers libtspi-dev tpm-tools libtpm-unseal0 libtpm-unseal-dev
$ sudo apt-get install libcommons-codec-java libcommons-logging-java libpg-java liblog4j1.2-java libibatis-java

$ sudo apt-get install libcommons-discovery-java libaxis-java

$ sudo apt-get install liblog4j1.2-java-gcj libaxis-java-gcj Build and Install : OpenPlatformTrustServices Tools Package

From GIT repository (2009-02-22)

$ git clone git://
$ cd tools
$ make dpkg-buildpackage
$ sudo dpkg -i ../openpts-tools_0.1.3-git20090331_i386.deb
$ /usr/bin/tpm_pcrread -a
$ iml -p 4
 Idx PCR       Type    Digest                                EventData
 179   4 0x80000003 9b4d80cfefc7d5576c4d9f224872505896ef2798 [BIOS:LENOVO NEW(TBD) len=10,00001000000000000010]
 180   4 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
 181   4 0x00000005 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f [BIOS:EV_ACTION, Calling INT 19h]
 182   4 0x00000005 6ab91c9fbe9489ea35f226ec70e23c7bb09db9a3 [BIOS:EV_ACTION, Booting BCV Device 80h, - HITACHI HTS541616J9SA00-(S1)]
 183   4 0x0000000d c72cb355f3c9978fa9f15ec692264356c7328855 [BIOS:EV_IPL]
 184   4 0x0000000d b82f5fa84465edfc054591b059bb65ea54f67282 [GRUB:EV_IPL, Stage1(MBR)]
 185   4 0x0000000d d4fa72b193753834e25ca5dc420f9c23d14c6087 [GRUB:EV_IPL, Stage1.5]
 186   4 0x0000000d 55fc0eb1ceb08bf75cdd3fb1f0235d8471b748d3 [GRUB:EV_IPL, Stage1.5(filesystem)]
 187   4 0x00000006 9fc81a0038d3a3ffdbc053b2eb13b28a8db461cd [GRUB: measure MBR again]
 188   4 0x00000004 8cdc27ec545eda33fbba1e8b8dae4da5c7206972 [GRUB:EV_SEPARATOR, Grub Event Separator]

OK :-) Build and Install : OpenPlatformTrustServices Core package

$ git clone git://
$ cd core
$ make dpkg-buildpackage
$ sudo dpkg -i ../openpts-core_0.1.3-git20090405_all.deb
$ sudo dpkg -i ../openpts-core-gcj_0.1.3-git20090405_i386.deb
$ Build and Install : OpenPlatformTrustServices DEMO package

TODO create deb package for jtreemap. until we need manual installation.

$ wget
$ unzip
$ sudo cp jtreemap-site-1.1.0/jtreemap-1.1.0.jar /usr/share/java/jtreemap.jar


sudo apt-get install tomcat5.5 tomcat5.5-webapps postgresql-8.3
$ git clone git://
$ cd demo
$ make dpkg-buildpackage 
$ sudo dpkg -i ../openpts-tcdemo-client_0.1.3-git20090405_all.deb
$ sudo dpkg -i ../openpts-tcdemo-client-gcj_0.1.3-git20090405_i386.deb
$ sudo dpkg -i ../openpts-tcdemo-server_0.1.3-git20090405_all.deb

3. Demo setup

3.1. Client side

3.1.1 Take the TPM ownership (TBD)

The SRK password must be a default setting. Just enter for SRK password.

$ tpm_takeownership
Enter owner password: ********
Confirm password: ********
Enter SRK password:
Confirm password:

If you get the following error message, The TPM has been taken the ownership.

Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled

And, If the size of "/var/lib/tpm/" file is zero, your TSS forgot your ownership. To fix this, you take ownership again, or you can put the dummy file to enable TSS as follows.

sudo cp demo/sampledata/knoppix/ /var/lib/tpm/
sudo /etc/init.d/tcsd restart

3.1.2. Setup Demo Env (TBD)

sudo /usr/bin/ptsclientadmin --commandline --user USERNAME

User's local configurations are stored at /home/$USERNAME/.pts

3.2. Server side

3.2.1. Setup PostgreSQL (TBD)

Install PostgreSQL

sudo apt-get install postgresql
Setting up postgresql (8.3.7-1) ...

sudo /etc/init.d/postgresql-8.3 status
8.3     main      5432 online postgres /var/lib/postgresql/8.3/main       /var/log/postgresql/postgresql-8.3-main.log

Set an admin password for postgres

sudo passwd postgres
su - postgres
psql -c "alter user postgres with password 'PASSWORD'" template1

Configure PostgreSQL for OpenPTS.

cd /usr/lib/openpts/database/
load /etc/openpts/db.conf
S) Setup New Databases
C) Show Current Configuration
L) Show State
B) Backup Databases
D) Delete Databases
Q) Exit


Current Configurations
DB type                               : postgres 
DB admin                              : ptsadmin 
DB user                               : ptsuser 
Vulnerability Database name           : vuldb 
Integrity Information Database 0 name : iidb_redhat 
Integrity Information Database 1 name : iidb_centos 
Integrity Information Database 2 name : iidb_knoppix 
Integrity Information Database 3 name : iidb_ubuntu 
Integrity Information Database 4 name : iidb_fedora 
Integrity Information Database 5 name : iidb 
Integrity Information Database 6 name : iidb 
Integrity Information Database 7 name : iidb_bios 


3.2.2. Setup Integrity Information Database of current host

it takes few hours.

cd /var/lib/openpts
sudo sh /usr/lib/openpts/scripts/ ubuntu
Collect Package info of ubuntu
  package list...
  treemap data...
  md5 digests...
  sha1 digests...

Create map file, "/var/lib/openpts/database/ibatis/", e.g.


Import RPM metadata/digest into IIDB. it takes time.

# /usr/bin/openpts rpmimport --dbindex 4 --inputdir  /var/lib/openpts/fedora/data/

Check the IIDB using openpts command. e.g.

# openpts iidb --list --index 4
IIDB index:	4
packages:	1622
measuremnets:	250925
 - vulnerable:
	package    	0
	measurement	0
 - safe:
	package    	0
	measurement	0
 - unclear:
	package    	0
	measurement	0
 - unchecked:
	package    	1622
	measurement	250925

# sha1sum /usr/sbin/acpid
b5e042dfeac3bb70a686be5abd1fcb6a9472c6de  /usr/sbin/acpid

# openpts iidb --search --index 4 --digest b5e042dfeac3bb70a686be5abd1fcb6a9472c6de
hexDigest     : b5e042dfeac3bb70a686be5abd1fcb6a9472c6de
id            : 47331
filename      : /usr/sbin/acpid
obsolete      : 0
vulnerability : 0
packageName : acpid-1.0.6-11.fc10.x86_64
3.2.3. Setup Vulnerability Database (TBD)

Just fill CVE info into Vulnerability Database. The database can not link with integrity database. Since there is no good source of Security Advisory for Fedora, OVAL only support RHEL.

/usr/bin/openpts cve --xmlfile --outputdir /tmp

3.2.4.. Backup and restore database (TBD)
$ pg_dump database_name > file_name.sql

$ psql -e database_name < file_name.sql
$ pg_restore –d database_name file_name.sql
3.2.5. View IIDB,VULDB using phpPgAdmin
sudo apt-get install phppgadmin
/etc/init.d/apache2 start


login as "ptsuser"

if login was failed, check the configuration file: /etc/postgresql/8.3/main/pg_hba.conf

3.3 Setup Validation Server (TBD)

3.3.1. Setup TOMCAT (TBD)

# yum install tomcat5 tomcat5-webapps tomcat5-admin-webapps



# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tcdemo-server-0.1.3-git20090613.fc10.x86_64.rpm'

# /sbin/service tomcat5 start # chkconfig tomcat5 on


Log file /var/log/tomcat5/catalina.out 6-3-X. Setup Demo Contents¶

Create account, user "guest" and password "given".

# htpasswd -c /var/www/.htpasswd guest

Create demo contents

# mkdir -p /var/www/html/tcdemo

Edit /var/www/html/tcdemo/index.html

<html> <head> <title> OpenPTS Test </title> </head> <body> <h1> OpenPTS Test </h1> </body> </html>

Edit /etc/httpd/conf/httpd.conf

... <Directory "/var/www/html"> ... AuthType Basic AuthName "Password Required" AuthUserFile /var/www/.htpasswd AuthGroupFile /dev/null require valid-user

</Directory> ...

# service httpd start # chkconfig httpd on


Run TC Demo (TBD)

(OPTION) To monitor server-side validation log, open terminal

tailf /var/log/openpts.log

/usr/bin/ptsclientuser --commandline

if validation was success, it open http://localhost/tcdemo.


3.3. Test

X. memo

X.X Test Trousers Build (Option)

Ubuntu package does not support GTK. to enable GTK feature (popup password), re-build the trousers with GTK option.

$ sudo apt-get build-dep trousers
$ apt-get source trousers
$ cd trousers-0.3.1
$ dpkg-buildpackage -rfakeroot -us -uc