VirtualBox + CentOS6 + TPM Emulator + TrouSerS + OpenPTS
Download CentOS6 BIN ISO image
Install CentOS6 as Guest on VirtualBox
Memory: 512MB
Storage: 20GB
Boot LiveCD
Select install at the boot menu.
Note)
Installing from the LiveCD does not work.
Somehow the "Install to hard disk" desktop icon on the Live session does nothing.
/usr/bin/liveinst does not work either. :-(
Update
# yum update
Reboot
Install required packages
# yum install automake autoconf libtool gettext gettext-devel libxml2 libxml2-devel libuuid libuuid-devel gmp-devel subversion cmake kernel-devel rpmdevtools gtk2-devel opencryptoki-devel
$ rpmdev-setuptree
Build & Install TrouSerS from git repo
$ git clone git://trousers.git.sourceforge.net/gitroot/trousers/trousers
$ cd trousers
$ sh bootstrap.sh
$ ./configure
Fix dist/trousers.spec file
Requires: gtk2, openssl
BuildRequires: gtk2, openssl %{?arch64:,%{packages64}}
$ cd ..
$ ln -s trousers trousers-0.3.7
$ tar zcvf ~/rpmbuild/SOURCES/trousers-0.3.7.tar.gz trousers-0.3.7/*
$ rpmbuild -bb trousers-0.3.7/dist/trousers.spec
# rpm -ivh /home/foo/rpmbuild/RPMS/i686/trousers-0.3.7-1.i686.rpm
# rpm -ivh /home/foo/rpmbuild/RPMS/i686/trousers-devel-0.3.7-1.i686.rpm
$ git clone git://trousers.git.sourceforge.net/gitroot/trousers/tpm-tools
$ cd tpm-tools
$ sh bootstrap.sh
$ ./configure
Fix dist/tpm-tools.spec
%attr(755, root, root) %{_libdir}/libtpm_unseal.so.?.?.?
%{_libdir}/libtpm_unseal.so.*
$ cd ..
$ ln -s tpm-tools tpm-tools-1.3.6
$ tar zcvf ~/rpmbuild/SOURCES/tpm-tools-1.3.6.tar.gz tpm-tools-1.3.6/*
$ rpmbuild -bb tpm-tools-1.3.6/dist/tpm-tools.spec
# rpm -ivh /home/foo/rpmbuild/RPMS/i686/tpm-tools-1.3.6-1.i686.rpm
Build & Install TPM-Emulator from svn repo
revision 467
$ svn checkout svn://svn.berlios.de/tpm-emulator/trunk tpm-emulator
$ cd tpm-emulator
$ ./build.sh
$ su
# make -C ./build install
# modprobe tpmd_dev
# ls -l /dev/tpm*
crw-rw---- 1 root tss 10, 224 Sep 2 06:31 /dev/tpm
lrwxrwxrwx 1 root root       3 Sep 2 06:31 /dev/tpm0 -> tpm
# tpmd -d clear
tpmd.c:390: Info: starting TPM Emulator daemon (1.2.0.7-464)
tpmd.c:93: Info: parsing options
tpmd.c:100: Debug: debug mode enabled
tpmd.c:145: Debug: startup mode = 'clear'
tpmd.c:198: Info: installing signal handlers
tpmd.c:220: Info: daemonizing process
# tcsd
$ tpm_version
  TPM 1.2 Version Info:
  Chip Version:        1.2.0.7
  Spec Level:          2
  Errata Revision:     1
  TPM Vendor ID:       ETHZ
  TPM Version:         01010000
  Manufacturer Info:   4554485a
$ tpm_takeownership -y -z
Kill tcsd and tpmd
Build & Install OpenPTS from git repo
$ git clone git://git.sourceforge.jp/gitroot/openpts/openpts.git
$ cd openpts
$ ./bootstrap.sh
$ ./configure
$ make rpmbuild-ba
# rpm -ivh /home/foo/rpmbuild/RPMS/i686/openpts-0.2.5-1.i686.rpm
Setup TPM-Emulator with DUMMY eventlog
$ cd /usr/share/openpts/tpm_emulator
# mkdir -p /var/lib/openpts/
# cp binary_bios_measurements /var/lib/openpts/binary_bios_measurements
# cp tcsd /etc/init.d/tcsd
# echo "firmware_log_file = /var/lib/openpts/binary_bios_measurements" > /etc/tcsd.conf
# echo "firmware_pcrs = 0,1,2,3,4,5,6,7,8" >> /etc/tcsd.conf
# service tcsd start
tpmd.c:93: Info: parsing options
tpmd.c:100: Debug: debug mode enabled
tpmd.c:198: Info: installing signal handlers
tpmd.c:220: Info: daemonizing process
                                                           [  OK  ]
Starting tcsd:                                             [  OK  ]
Stopping tcsd:                                             [  OK  ]
Starting tcsd:                                             [  OK  ]
# tpm_readpcr -k
PCR-00: 91 3B D8 A3 CC 3A 2E C6 73 6C FE 32 57 70 83 1A 5A 53 A3 0D
PCR-01: D5 7D D1 86 A1 94 F9 ED E9 0D 8B 62 2D 4A 8E F0 5A 6D 40 B5
PCR-02: 53 DE 58 4D CE F0 3F 6A 7D AC 1A 24 0A 83 58 93 89 6F 21 8D
PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-04: E8 2D A7 CE D9 48 71 F9 F2 F1 65 FE C2 15 12 89 29 B6 3F EB
PCR-05: AD 09 32 5A B3 77 10 B2 34 96 18 CB F9 72 2C 8F 0E E0 81 0F
PCR-06: 58 5E 57 9E 48 99 7F EE 8E FD 20 83 0C 6A 84 1E B3 53 C6 28
PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
# iml2text -V
 Idx PCR Type       Digest                                   EventData
-----------------------------------------------------------------------
   0   0 0x00000008 1dfce7dde0cf13cfff102b1eb01875f752d5090c [BIOS:EV_S_CRTM_VERSION] 1dfce7dde0cf13cfff102b1eb01875f752d5090c <= SHA1(Version[5])
   1   0 0x00000001 1c41801dd329198e50a3d98040230095693e49b3 [BIOS:EV_POST_CODE(EV_CODE_NOCERT)]
   2   0 0x00000001 16fb111792cb98a3de12f3abd0406fc04c7e5fca [BIOS:EV_POST_CODE(EV_CODE_NOCERT)]
   3   0 0x00000001 dd261ca7511a7daf9e16cb572318e8e5fbd22963 [BIOS:EV_POST_CODE(EV_CODE_NOCERT)]
<snip>
Verify IML :-)
       calculated pcr values                             actual pcr values
------------------------------------------------------------------------------------------------------
pcr.0=  913bd8a3cc3a2ec6736cfe325770831a5a53a30d == 913bd8a3cc3a2ec6736cfe325770831a5a53a30d
pcr.1=  d57dd186a194f9ede90d8b622d4a8ef05a6d40b5 == d57dd186a194f9ede90d8b622d4a8ef05a6d40b5
pcr.2=  53de584dcef03f6a7dac1a240a835893896f218d == 53de584dcef03f6a7dac1a240a835893896f218d
pcr.3=  3a3f780f11a4b49969fcaa80cd6e3957c33b2275 == 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
pcr.4=  e82da7ced94871f9f2f165fec215128929b63feb == e82da7ced94871f9f2f165fec215128929b63feb
pcr.5=  ad09325ab37710b2349618cbf9722c8f0ee0810f == ad09325ab37710b2349618cbf9722c8f0ee0810f
pcr.6=  585e579e48997fee8efd20830c6a841eb353c628 == 585e579e48997fee8efd20830c6a841eb353c628
pcr.7=  3a3f780f11a4b49969fcaa80cd6e3957c33b2275 == 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
pcr.8=  0000000000000000000000000000000000000000 == 0000000000000000000000000000000000000000
pcr.9=  0000000000000000000000000000000000000000 == 0000000000000000000000000000000000000000
pcr.10= 0000000000000000000000000000000000000000 == 0000000000000000000000000000000000000000
pcr.11= 0000000000000000000000000000000000000000 == 0000000000000000000000000000000000000000
pcr.12= 0000000000000000000000000000000000000000 == 0000000000000000000000000000000000000000
pcr.13= 0000000000000000000000000000000000000000 == 0000000000000000000000000000000000000000
pcr.14= 0000000000000000000000000000000000000000 == 0000000000000000000000000000000000000000
pcr.15= 0000000000000000000000000000000000000000 == 0000000000000000000000000000000000000000
pcr.16= ffffffffffffffffffffffffffffffffffffffff == ffffffffffffffffffffffffffffffffffffffff
pcr.17= ffffffffffffffffffffffffffffffffffffffff == ffffffffffffffffffffffffffffffffffffffff
pcr.18= ffffffffffffffffffffffffffffffffffffffff == ffffffffffffffffffffffffffffffffffffffff
pcr.19= ffffffffffffffffffffffffffffffffffffffff == ffffffffffffffffffffffffffffffffffffffff
pcr.20= ffffffffffffffffffffffffffffffffffffffff == ffffffffffffffffffffffffffffffffffffffff
pcr.21= ffffffffffffffffffffffffffffffffffffffff == ffffffffffffffffffffffffffffffffffffffff
pcr.22= ffffffffffffffffffffffffffffffffffffffff == ffffffffffffffffffffffffffffffffffffffff
pcr.23= ffffffffffffffffffffffffffffffffffffffff == ffffffffffffffffffffffffffffffffffffffff
Now you have a FAKE trusted platform as a testbed.
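What iml2text -V does in the "Verify IML" step above is replay the firmware event log (IML) through the TPM extend rule, PCR[i] = SHA1(PCR[i] || digest), and compare the result with the PCRs the TPM reports. The following is an added example, not code from OpenPTS or the TPM emulator, that does the same replay in Python: it parses the binary_bios_measurements record format (TPM 1.2, SHA-1 only), replays it from the power-on PCR values the tpm_readpcr output above shows (0..15 zero, 16..23 all 0xFF), parses tpm_readpcr -k style lines, and reports per-PCR matches. The event records and the PCR 0/4 assignments in SAMPLE_LOG are constructed for illustration, not taken from the dummy log shipped with OpenPTS.

```python
"""Replay a TCG BIOS event log into PCR values and compare with TPM-reported PCRs.
Added example (not OpenPTS code); sample events below are constructed."""
import hashlib
import struct

# Record layout of binary_bios_measurements (TCG PC Client spec, TPM 1.2):
#   uint32 pcrIndex | uint32 eventType | byte[20] digest | uint32 eventSize | byte[eventSize] event
RECORD_HDR = struct.Struct("<II20sI")

# Event types visible in the iml2text output above
EV_POST_CODE = 0x00000001
EV_S_CRTM_VERSION = 0x00000008

NUM_PCRS = 24
DIGEST_LEN = 20


def build_record(pcr, event_type, event, digest=None):
    """Serialize one record. Real firmware hashes the measured object; for the
    constructed events here the digest is simply SHA-1 of the event data."""
    if digest is None:
        digest = hashlib.sha1(event).digest()
    return RECORD_HDR.pack(pcr, event_type, digest, len(event)) + event


def parse_log(blob):
    """Parse the binary log into (pcr, event_type, digest, event) tuples.
    A truncated or out-of-range record is an error, not a silent early stop."""
    records, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % offset)
        pcr, etype, digest, size = RECORD_HDR.unpack_from(blob, offset)
        offset += RECORD_HDR.size
        event = blob[offset:offset + size]
        if len(event) != size:
            raise ValueError("truncated event data at offset %d" % offset)
        if pcr >= NUM_PCRS:
            raise ValueError("bad PCR index %d" % pcr)
        offset += size
        records.append((pcr, etype, digest, event))
    return records


def initial_pcrs():
    """Power-on PCR contents as shown by tpm_readpcr above: 0..15 zero,
    the resettable PCRs 16..23 all 0xFF."""
    return [bytes(DIGEST_LEN) if i < 16 else b"\xff" * DIGEST_LEN for i in range(NUM_PCRS)]


def replay(records):
    """TPM_Extend in log order: PCR[i] = SHA1(PCR[i] || digest)."""
    pcrs = initial_pcrs()
    for pcr, _etype, digest, _event in records:
        pcrs[pcr] = hashlib.sha1(pcrs[pcr] + digest).digest()
    return pcrs


def parse_readpcr(text):
    """Parse 'PCR-00: 91 3B ...' lines (tpm_readpcr -k format) into {index: bytes}."""
    actual = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("PCR-"):
            continue
        label, hexbytes = line.split(":", 1)
        actual[int(label[4:])] = bytes.fromhex(hexbytes.replace(" ", ""))
    return actual


def verify_iml(log_blob, readpcr_text):
    """Return {pcr: (calculated, actual, matches)} for each PCR the TPM reported."""
    calc = replay(parse_log(log_blob))
    actual = parse_readpcr(readpcr_text)
    return {i: (calc[i], actual[i], calc[i] == actual[i]) for i in sorted(actual)}


def format_readpcr(pcrs):
    """Render PCR values in tpm_readpcr -k style (used here to build sample input)."""
    return "\n".join("PCR-%02d: %s" % (i, " ".join("%02X" % b for b in v))
                     for i, v in enumerate(pcrs))


# Constructed sample log: a CRTM version string and two POST code events into
# PCR 0, plus one event into PCR 4.
SAMPLE_LOG = b"".join([
    build_record(0, EV_S_CRTM_VERSION, b"1.2.0"),
    build_record(0, EV_POST_CODE, b"POST-A"),
    build_record(0, EV_POST_CODE, b"POST-B"),
    build_record(4, EV_POST_CODE, b"MBR"),
])

if __name__ == "__main__":
    # Pretend the TPM reported exactly what the log replays to, then print
    # a table in the same shape as the iml2text -V "Verify IML" output.
    reported = format_readpcr(replay(parse_log(SAMPLE_LOG)))
    for i, (c, a, ok) in verify_iml(SAMPLE_LOG, reported).items():
        print("pcr.%d= %s %s %s" % (i, c.hex(), "==" if ok else "!=", a.hex()))
```

Because extend is order-sensitive, swapping two records for the same PCR changes the replayed value even though the set of digests is unchanged; that is what makes a log-versus-PCR comparison detect a reordered or edited log rather than only a missing entry.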
If the init.d script does not work well, like this:
# service tcsd start
tpmd.c:93: Info: parsing options
tpmd.c:100: Debug: debug mode enabled
tpmd.c:164: Info: no startup mode was specified; asuming 'clear'
tpmd.c:198: Info: installing signal handlers
tpmd.c:220: Info: daemonizing process
                                                           [  OK  ]
Starting tcsd:                                             [FAILED]
ERROR: Tspi_Context_Connect failed rc=0x3011
Stopping tcsd:                                             [FAILED]
Starting tcsd:                                             [FAILED]
check tpmd:
# tpmd -d -f
<snip>
tpmd.c:276: Error: bind(/var/run/tpm/tpmd_socket:0) failed: No such file or directory
# rm /var/run/tpm/tpmd_socket:0
Setup OpenPTS Collector
# ptsc -i
Sign key location : SYSTEM
Generate uuid : 3aa77640-d4e7-11e0-8e72-080027660ccf
Generate UUID (for RM) : 3afb79de-d4e7-11e0-8e72-080027660ccf
level 0 Reference Manifest : /var/lib/openpts//3afb79de-d4e7-11e0-8e72-080027660ccf/rm0.xml
ptsc is successfully initialized!
# ptsc -t
selftest - OK
If you get
ERROR: Tspi_Key_CreateKey failed rc=0x0003
take ownership again:
$ tpm_takeownership -y -z
Setup OpenPTS Verifier
As a first step, the verifier runs on the same localhost.
You have already installed the OpenPTS package.
You must be a member of the "ptsc" group to access the integrity information of the target platform.
# usermod -a -G ptsc yourname
Set up SSH public key auth: create an RSA key without a passphrase.
$ ssh-keygen -t rsa
$ ssh-copy-id yourname@localhost
$ openpts -i localhost
ERROR:uuid.c:194 genOpenptsUuid() (null) filled, before load the UUID from file
Target            : localhost
Manifest UUID     : 3afb79de-d4e7-11e0-8e72-080027660ccf
manifest[0]       : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf//3afb79de-d4e7-11e0-8e72-080027660ccf/rm0.xml
Collector UUID    : 3aa77640-d4e7-11e0-8e72-080027660ccf
configuration     : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf/target.conf
validation policy : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf/policy.conf
Ignore the UUID ERROR message. :-(
Let's validate localhost.
$ openpts localhost
Target            : localhost
Collector UUID    : 3aa77640-d4e7-11e0-8e72-080027660ccf (date: 2011-09-01-22:10:40)
Manifest UUID     : 3afb79de-d4e7-11e0-8e72-080027660ccf (date: 2011-09-01-22:10:41)
username(ssh)     : default
port(ssh)         : default
policy file       : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf/policy.conf
property file     : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf/vr.properties
integrity         : valid
Show the list of targets (now you have one target):
$ openpts -D
 ID UUID                                 date(UTC)           username@hostname:port
-----------------------------------------------------------------------------------------
  0 3aa77640-d4e7-11e0-8e72-080027660ccf 2011-09-01-22:10:40 default@localhost:default
-----------------------------------------------------------------------------------------
Show the details of localhost:
$ openpts -D localhost
hostname  : localhost
UUID      : 3aa77640-d4e7-11e0-8e72-080027660ccf
State     : 0
Dir       : /home/foo/.openpts/3aa77640-d4e7-11e0-8e72-080027660ccf
Manifests :
 ID UUID                                 date(UTC)           status
-----------------------------------------------------------------------------------------
  0 3afb79de-d4e7-11e0-8e72-080027660ccf 2011-09-01-22:10:41 NOW
-----------------------------------------------------------------------------------------
References
http://tpm-emulator.berlios.de/documentation.html
http://sourceforge.net/projects/trousers/
http://sourceforge.jp/projects/openpts/