VirtualBox + CentOS6 + TPM Emulator + TrouSerS + OpenPTS

Download CentOS6 BIN ISO image

http://www.centos.org/

Install CentOS6 as Guest on VirtualBox

Memory: 512MB
Storage: 20GB

Boot LiveCD
Select install at the boot menu.

Note)
Installing from the LiveCD does not work.
Somehow the desktop icon "Install to hard disk" on the Live desktop does not work.
/usr/bin/liveinst does not work either. :-(

Update

# yum update

Reboot

Install required packages
# yum install automake autoconf libtool gettext gettext-devel libxml2 libxml2-devel libuuid libuuid-devel gmp-devel subversion cmake kernel-devel rpmdevtools gtk2-devel opencryptoki-devel
$ rpmdev-setuptree

Build & Install TrouSerS from git repo

$ git clone git://trousers.git.sourceforge.net/gitroot/trousers/trousers
$ cd trousers
$ sh bootstrap.sh
$ ./configure

Fix dist/trousers.spec (the Requires / BuildRequires lines):

Requires:       gtk2, openssl
BuildRequires:  gtk2, openssl %{?arch64:,%{packages64}}

$ cd ..
$ ln -s trousers trousers-0.3.7
$ tar zcvf ~/rpmbuild/SOURCES/trousers-0.3.7.tar.gz trousers-0.3.7/*
$ rpmbuild -bb trousers-0.3.7/dist/trousers.spec
# rpm -ivh /home/foo/rpmbuild/RPMS/i686/trousers-0.3.7-1.i686.rpm
# rpm -ivh /home/foo/rpmbuild/RPMS/i686/trousers-devel-0.3.7-1.i686.rpm
$ git clone git://trousers.git.sourceforge.net/gitroot/trousers/tpm-tools
$ cd tpm-tools
$ sh bootstrap.sh
$ ./configure

Fix dist/tpm-tools.spec (the libtpm_unseal.so lines):

%attr(755, root, root) %{_libdir}/libtpm_unseal.so.?.?.?
%{_libdir}/libtpm_unseal.so.*

$ cd ..
$ ln -s tpm-tools tpm-tools-1.3.6
$ tar zcvf ~/rpmbuild/SOURCES/tpm-tools-1.3.6.tar.gz  tpm-tools-1.3.6/*
$ rpmbuild -bb  tpm-tools-1.3.6/dist/tpm-tools.spec
# rpm -ivh /home/foo/rpmbuild/RPMS/i686/tpm-tools-1.3.6-1.i686.rpm

Build & Install TPM-Emulator from svn repo

revision 467

$ svn checkout svn://svn.berlios.de/tpm-emulator/trunk tpm-emulator
$ cd tpm-emulator
$ ./build.sh
$ su
# make -C ./build install
# modprobe tpmd_dev
# ls -l /dev/tpm*
crw-rw---- 1 root tss  10, 224 Sep  2 06:31 /dev/tpm
lrwxrwxrwx 1 root root       3 Sep  2 06:31 /dev/tpm0 -> tpm


# tpmd -d clear
tpmd.c:390: Info: starting TPM Emulator daemon (1.2.0.7-464)
tpmd.c:93: Info: parsing options
tpmd.c:100: Debug: debug mode enabled
tpmd.c:145: Debug: startup mode = 'clear'
tpmd.c:198: Info: installing signal handlers
tpmd.c:220: Info: daemonizing process

# tcsd
$ tpm_version
TPM 1.2 Version Info:
Chip Version:        1.2.0.7
Spec Level:          2
Errata Revision:     1
TPM Vendor ID:       ETHZ
TPM Version:         01010000
Manufacturer Info:   4554485a

$ tpm_takeownership -y -z

Kill tcsd and tpmd


Build & Install OpenPTS from git repo

$ git clone git://git.sourceforge.jp/gitroot/openpts/openpts.git
$ cd openpts
$ ./bootstrap.sh
$ ./configure
$ make rpmbuild-ba

# rpm -ivh /home/foo/rpmbuild/RPMS/i686/openpts-0.2.5-1.i686.rpm

Set up TPM-Emulator with a DUMMY eventlog

$ cd /usr/share/openpts/tpm_emulator
# mkdir -p /var/lib/openpts/
# cp binary_bios_measurements  /var/lib/openpts/binary_bios_measurements
# cp tcsd  /etc/init.d/tcsd

# echo "firmware_log_file = /var/lib/openpts/binary_bios_measurements" > /etc/tcsd.conf
# echo "firmware_pcrs = 0,1,2,3,4,5,6,7,8" >> /etc/tcsd.conf

# service tcsd start
tpmd.c:93: Info: parsing options
tpmd.c:100: Debug: debug mode enabled
tpmd.c:198: Info: installing signal handlers
tpmd.c:220: Info: daemonizing process
                                                           [  OK  ]
Starting tcsd:                                             [  OK  ]
Stopping tcsd:                                             [  OK  ]
Starting tcsd:                                             [  OK  ]

# tpm_readpcr -k
PCR-00: 91 3B D8 A3 CC 3A 2E C6 73 6C FE 32 57 70 83 1A 5A 53 A3 0D
PCR-01: D5 7D D1 86 A1 94 F9 ED E9 0D 8B 62 2D 4A 8E F0 5A 6D 40 B5
PCR-02: 53 DE 58 4D CE F0 3F 6A 7D AC 1A 24 0A 83 58 93 89 6F 21 8D
PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-04: E8 2D A7 CE D9 48 71 F9 F2 F1 65 FE C2 15 12 89 29 B6 3F EB
PCR-05: AD 09 32 5A B3 77 10 B2 34 96 18 CB F9 72 2C 8F 0E E0 81 0F
PCR-06: 58 5E 57 9E 48 99 7F EE 8E FD 20 83 0C 6A 84 1E B3 53 C6 28
PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

# iml2text -V
 Idx PCR       Type    Digest                                EventData
-----------------------------------------------------------------------
   0   0 0x00000008 1dfce7dde0cf13cfff102b1eb01875f752d5090c [BIOS:EV_S_CRTM_VERSION]
                    1dfce7dde0cf13cfff102b1eb01875f752d5090c <= SHA1(Version[5])
   1   0 0x00000001 1c41801dd329198e50a3d98040230095693e49b3 [BIOS:EV_POST_CODE(EV_CODE_NOCERT)]
   2   0 0x00000001 16fb111792cb98a3de12f3abd0406fc04c7e5fca [BIOS:EV_POST_CODE(EV_CODE_NOCERT)]
   3   0 0x00000001 dd261ca7511a7daf9e16cb572318e8e5fbd22963 [BIOS:EV_POST_CODE(EV_CODE_NOCERT)]
<snip>
Verify IML :-)

	calculated pcr values				actual pcr values
------------------------------------------------------------------------------------------------------
pcr.0=	913bd8a3cc3a2ec6736cfe325770831a5a53a30d  ==  913bd8a3cc3a2ec6736cfe325770831a5a53a30d
pcr.1=	d57dd186a194f9ede90d8b622d4a8ef05a6d40b5  ==  d57dd186a194f9ede90d8b622d4a8ef05a6d40b5
pcr.2=	53de584dcef03f6a7dac1a240a835893896f218d  ==  53de584dcef03f6a7dac1a240a835893896f218d
pcr.3=	3a3f780f11a4b49969fcaa80cd6e3957c33b2275  ==  3a3f780f11a4b49969fcaa80cd6e3957c33b2275
pcr.4=	e82da7ced94871f9f2f165fec215128929b63feb  ==  e82da7ced94871f9f2f165fec215128929b63feb
pcr.5=	ad09325ab37710b2349618cbf9722c8f0ee0810f  ==  ad09325ab37710b2349618cbf9722c8f0ee0810f
pcr.6=	585e579e48997fee8efd20830c6a841eb353c628  ==  585e579e48997fee8efd20830c6a841eb353c628
pcr.7=	3a3f780f11a4b49969fcaa80cd6e3957c33b2275  ==  3a3f780f11a4b49969fcaa80cd6e3957c33b2275
pcr.8=	0000000000000000000000000000000000000000  ==  0000000000000000000000000000000000000000
pcr.9=	0000000000000000000000000000000000000000  ==  0000000000000000000000000000000000000000
pcr.10=	0000000000000000000000000000000000000000  ==  0000000000000000000000000000000000000000
pcr.11=	0000000000000000000000000000000000000000  ==  0000000000000000000000000000000000000000
pcr.12=	0000000000000000000000000000000000000000  ==  0000000000000000000000000000000000000000
pcr.13=	0000000000000000000000000000000000000000  ==  0000000000000000000000000000000000000000
pcr.14=	0000000000000000000000000000000000000000  ==  0000000000000000000000000000000000000000
pcr.15=	0000000000000000000000000000000000000000  ==  0000000000000000000000000000000000000000
pcr.16=	ffffffffffffffffffffffffffffffffffffffff  ==  ffffffffffffffffffffffffffffffffffffffff
pcr.17=	ffffffffffffffffffffffffffffffffffffffff  ==  ffffffffffffffffffffffffffffffffffffffff
pcr.18=	ffffffffffffffffffffffffffffffffffffffff  ==  ffffffffffffffffffffffffffffffffffffffff
pcr.19=	ffffffffffffffffffffffffffffffffffffffff  ==  ffffffffffffffffffffffffffffffffffffffff
pcr.20=	ffffffffffffffffffffffffffffffffffffffff  ==  ffffffffffffffffffffffffffffffffffffffff
pcr.21=	ffffffffffffffffffffffffffffffffffffffff  ==  ffffffffffffffffffffffffffffffffffffffff
pcr.22=	ffffffffffffffffffffffffffffffffffffffff  ==  ffffffffffffffffffffffffffffffffffffffff
pcr.23=	ffffffffffffffffffffffffffffffffffffffff  ==  ffffffffffffffffffffffffffffffffffffffff
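The check that iml2text -V performs above (recompute every PCR by replaying the event log through TPM_Extend, then compare with what the TPM reports), as an added example that is not OpenPTS code. The record layout is the TCG PC Client SHA-1 event log format that binary_bios_measurements is assumed to follow; the sample log, its event data and the tampered PCR set are constructed here.

```python
# Added example (not OpenPTS code): replay a TCG SHA-1 BIOS event log into
# simulated PCRs and compare with the PCRs the TPM reports, as iml2text -V does.
import hashlib
import struct
from collections import namedtuple

Event = namedtuple("Event", "pcr_index event_type digest event_data")
HEADER = struct.Struct("<II20sI")  # pcrIndex, eventType, SHA-1 digest, eventDataSize
ZERO = bytes(20)  # firmware PCRs start at all zeros (see tpm_readpcr above)

def parse_events(blob):
    """Split a binary_bios_measurements blob into records; reject truncation."""
    events, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated event header at offset %d" % off)
        pcr, etype, digest, size = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if len(blob) - off < size:
            raise ValueError("truncated event data at offset %d" % off)
        events.append(Event(pcr, etype, digest, blob[off:off + size]))
        off += size
    return events

def extend(pcr_value, digest):
    """TPM_Extend: new PCR = SHA1(old PCR || digest); event order matters."""
    return hashlib.sha1(pcr_value + digest).digest()

def replay(events, num_pcrs=24):
    """Recompute every PCR from the log alone."""
    pcrs = [ZERO] * num_pcrs
    for ev in events:
        pcrs[ev.pcr_index] = extend(pcrs[ev.pcr_index], ev.digest)
    return pcrs

def verify(events, actual_pcrs):
    """PCR index -> calculated == actual, for each PCR the log touches."""
    calc = replay(events, len(actual_pcrs))
    touched = sorted({ev.pcr_index for ev in events})
    return {i: calc[i] == actual_pcrs[i] for i in touched}

def make_event(pcr, etype, data):
    """Build one record; digest = SHA1(event data), like SHA1(Version[5]) above."""
    return HEADER.pack(pcr, etype, hashlib.sha1(data).digest(), len(data)) + data

# Constructed log: CRTM version (0x8) and two POST code (0x1) events on PCR 0,
# then one POST code event on PCR 7; event types as in the iml2text listing.
SAMPLE_LOG = (make_event(0, 0x8, b"1.0.0") + make_event(0, 0x1, b"post A")
              + make_event(0, 0x1, b"post B") + make_event(7, 0x1, b"post C"))
```

A PCR whose replayed value differs from the reported one means the log and the TPM disagree: a missing, reordered or altered event, which is exactly what a verifier must reject.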


Now you have a FAKE trusted platform as a testbed.

If the init.d script does not work well, like:

# service tcsd start
tpmd.c:93: Info: parsing options
tpmd.c:100: Debug: debug mode enabled
tpmd.c:164: Info: no startup mode was specified; asuming 'clear'
tpmd.c:198: Info: installing signal handlers
tpmd.c:220: Info: daemonizing process
                                                           [  OK  ]
Starting tcsd:                                             [FAILED]
ERROR: Tspi_Context_Connect failed rc=0x3011
Stopping tcsd:                                             [FAILED]
Starting tcsd:                                             [FAILED]

check tpmd:

# tpmd -d -f
<snip>
tpmd.c:276: Error: bind(/var/run/tpm/tpmd_socket:0) failed: No such file or directory

# rm /var/run/tpm/tpmd_socket:0


Setup OpenPTS Collector

# ptsc -i 
Sign key  location          : SYSTEM
Generate uuid               : 3aa77640-d4e7-11e0-8e72-080027660ccf 
Generate UUID (for RM)      : 3afb79de-d4e7-11e0-8e72-080027660ccf 
level 0 Reference Manifest  : /var/lib/openpts//3afb79de-d4e7-11e0-8e72-080027660ccf/rm0.xml

ptsc is successfully initialized!

# ptsc -t
selftest - OK

If you get

ERROR: Tspi_Key_CreateKey failed rc=0x0003

take ownership again:

$ tpm_takeownership -y -z

Setup OpenPTS Verifier

As a first step, we use the same localhost as verifier and collector.
The OpenPTS package is already installed.

You must be a member of the "ptsc" group to access the integrity information of the target platform.

# usermod -a -G ptsc yourname

Set up SSH public key authentication. Create an RSA key without a passphrase.

$ ssh-keygen -t rsa
$ ssh-copy-id yourname@localhost
$ openpts -i localhost
ERROR:uuid.c:194 genOpenptsUuid() (null) filled, before load the UUID from file
Target            : localhost
Manifest UUID     : 3afb79de-d4e7-11e0-8e72-080027660ccf
manifest[0]       : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf//3afb79de-d4e7-11e0-8e72-080027660ccf/rm0.xml
Collector UUID    : 3aa77640-d4e7-11e0-8e72-080027660ccf
configuration     : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf/target.conf
validation policy : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf/policy.conf

Ignore the UUID ERROR message. :-(
Let's validate localhost.

$ openpts localhost
Target            : localhost
Collector UUID    : 3aa77640-d4e7-11e0-8e72-080027660ccf (date: 2011-09-01-22:10:40)
Manifest UUID     : 3afb79de-d4e7-11e0-8e72-080027660ccf (date: 2011-09-01-22:10:41)
username(ssh)     : default
port(ssh)         : default
policy file       : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf/policy.conf
property file     : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf/vr.properties
integrity         : valid

Show the list of targets (now you have one target):

$ openpts -D
  ID    UUID                                 date(UTC)          username@hostname:port
-----------------------------------------------------------------------------------------
    0 3aa77640-d4e7-11e0-8e72-080027660ccf 2011-09-01-22:10:40 default@localhost:default
-----------------------------------------------------------------------------------------

Show the details of localhost:

$ openpts -D localhost
hostname  : localhost
UUID      : 3aa77640-d4e7-11e0-8e72-080027660ccf
State     : 0
Dir       : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf
Manifests :
  ID              UUID                        date(UTC)                status
-----------------------------------------------------------------------------------------
   0 3afb79de-d4e7-11e0-8e72-080027660ccf 2011-09-01-22:10:41 NOW
-----------------------------------------------------------------------------------------

References

http://tpm-emulator.berlios.de/documentation.html
http://sourceforge.net/projects/trousers/
http://sourceforge.jp/projects/openpts/