Sorry, this page is still under construction.
This guide describes how to set up Ubuntu Jaunty (9.04, i386) with Trusted Computing.
Note) We used a ThinkPad X200 to write this document. It has Intel's iTPM chip, and these instructions contain some workarounds for that TPM. Users of other TPMs do not need these workarounds.
Download the ISO image and install it to your HDD.
Update the system so that it works with the latest packages.
Enable the TPM.
Download the GRUB source package and build it.
$ sudo apt-get build-dep grub
$ apt-get source grub
$ pushd grub-0.97/debian/patches/
$ wget http://osdn.dl.sourceforge.jp/openpts/37646/grub-0.97-29ubuntu45-ima-1.1.0.0.patch
$ popd
$ echo "# This patch supports IMA" >> grub-0.97/debian/patches/00list
$ echo "grub-0.97-29ubuntu45-ima-1.1.0.0.patch" >> grub-0.97/debian/patches/00list
$ mv grub-0.97/debian/rules grub-0.97/debian/rules.orig
$ sed -e 's/--disable-auto-linux-mem-opt/--disable-auto-linux-mem-opt --enable-ima/g' grub-0.97/debian/rules.orig > grub-0.97/debian/rules
$ chmod +x grub-0.97/debian/rules
Build the deb package.
$ pushd grub-0.97
$ debchange -i
Add a changelog message, e.g.
grub (0.97-29ubuntu53.ima) jaunty; urgency=low

  * enable Trusted Boot

 -- foo <foo@users.sourceforge.jp>  Tue, 31 Mar 2009 23:27:39 +0900
$ dpkg-buildpackage -rfakeroot -us -uc
$ popd
Install the new GRUB package.
$ sudo dpkg -i grub_0.97-29ubuntu53.ima_i386.deb
$ grep TCG /usr/lib/grub/i386-pc/*
Binary file /usr/lib/grub/i386-pc/stage1 matches
Binary file /usr/lib/grub/i386-pc/stage2 matches
Binary file /usr/lib/grub/i386-pc/stage2_eltorito matches
Install the new GRUB to the local system (replace the bootloader components).
$ sudo grub-install /dev/sda
$ grep TCG /boot/grub/*
Binary file /boot/grub/stage1 matches
Binary file /boot/grub/stage2 matches
OK:-)
References: https://help.ubuntu.com/community/Kernel/Compile
$ sudo apt-get install build-essential
$ sudo apt-get install kernel-package
$ sudo apt-get install ncurses-dev
$ cd /usr/src
$ sudo wget http://ftp.riken.jp/Linux/kernel.org/linux/kernel/v2.6/linux-2.6.30.tar.bz2
$ sudo tar jxvf linux-2.6.30.tar.bz2
$ cd linux-2.6.30/
$ sudo cp /boot/config-2.6.27-11-generic .config
$ sudo make oldconfig
$ sudo make menuconfig
$ sudo make xconfig
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y
The Intel iTPM requires the following patch to fix the problem.
$ sudo wget http://cybione.org/~cdidier/log/data/200812020841/itpm.diff
$ sudo patch -p0 -z .itpm --dry-run < itpm.diff
$ sudo patch -p0 -z .itpm < itpm.diff
$ sudo make-kpkg clean
$ sudo CONCURRENCY_LEVEL=3 make-kpkg --append-to-version=-ima --initrd kernel_image kernel_headers
$ sudo dpkg -i ../linux-image-2.6.30-ima_2.6.30-ima-10.00.Custom_i386.deb
$ sudo dpkg -i ../linux-headers-2.6.30-ima_2.6.30-ima-10.00.Custom_i386.deb
$ sudo vim /boot/grub/menu.lst
Edit /boot/grub/menu.lst to enable IMA, e.g.
title Ubuntu 9.04, kernel 2.6.30 (IMA)
uuid fc0f489b-9a7c-43bd-90fa-bb49979b0c23
kernel /boot/vmlinuz-2.6.30-ima root=UUID=fc0f489b-9a7c-43bd-90fa-bb49979b0c23 ro quiet splash ima=1 selinux=1 tpm_tis.force=1 tpm_tis.interrupts=0
initrd /boot/initrd.img-2.6.30-ima
quiet
Reboot the system and check the measurements.
$ dmesg
<snip>
[ 1.992012] tpm_tis tpm_tis: 1.2 TPM (device-id 0x1020, rev-id 6)
<snip>
$ ls /sys/kernel/security/
ima  tpm0
$ sudo cat /sys/kernel/security/ima/ascii_runtime_measurements
10 adc64d7b762408a258e81b9bbb55fa8781ed42bf ima 705418e94288d91ce1ada49dbd4343b82882c9fb boot_aggregate
10 8a11aa2017bfdf52ae1ab8cfb277fc651bc7d611 ima e6d56d44e22b8f6b783c039d45703e8fd28cb796 /init
10 a078e19e5ea2bf75ed353fc6613f7132863618d5 ima 3d90e18f67f1c580c1212126a3c22cf07c7288dd /init
10 089c6ce6198fee74262cf4244ffdea98a2392ded ima 3d90e18f67f1c580c1212126a3c22cf07c7288dd /bin/busybox
10 c69571a6b6185b474fa7437cb2b31253721824d4 ima 7e9431ee7bcbe0c4ea0054baf84672fdff7d6391 arch.conf
10 3d0d130a199ea78a53fc52f4913d28f5d0da8910 ima 0ec1deb5c2338808cf9dd31a0b16473d273fb570 initramfs.conf
10 a193e5f0c6958e3a979d2c1a5af1abcb657ef79e ima 3addb8e6e83e82a86b3ad215bcd771a12c9d4d74 resume
10 71fc6cf0e268c0ffad291eaa1ce49ab14b6e39de ima a1550fe2ce2f915eac8786d1d693141072feea87 functions
10 a14f597eb53f1a12725c9f772229f59c0de61110 ima ad273a22d013fab039459654369b40e47a6e04ac /sbin/depmod
10 30b51606815deb8bb6c9d1a17db33eb8e5ce1465 ima b9269024f4129804673f366b5a67061f54d7be3f ld-linux.so.2
10 e978baf0c895be2b32a803e200b15b9c4a5d3464 ima 803088880d0abdda917385e88a9ac1ed61ce0f71 libc.so.6
10 3b92eee85ca026ca93ba1d0c81d34fa6f88784a0 ima 8a622a41977d6e4cec14e800d76c4aafbaaa9658 nfs.ko
10 5080904daf0e2ba76394f91ac2b63e788db66fb6 ima 4a63e2031da51dbddb9c98ca35a01306c71873b4 reiserfs.ko
<snip>
OK.
URL: http://sourceforge.net/projects/trousers/
A) Install from Ubuntu repository
$ sudo apt-get install trousers
B) Re-build the Debian package
$ sudo apt-get build-dep trousers
$ apt-get source trousers
$ cd trousers-0.3.1
$ dpkg-buildpackage -rfakeroot -us -uc
C) Use the latest version from the TrouSerS CVS repo.
$ cvs -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers login
(hit return when asked for the password)
$ cvs -z3 -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers co -P trousers
$ cp -r trousers /tmp/trousers-0.3.3.cvs
$ cd /tmp/trousers-0.3.3.cvs
$ sh bootstrap.sh
$ dh_make --createorig
$ dpkg-buildpackage -rfakeroot
$ sudo dpkg -i ../trousers_0.3.3.cvs-1_i386.deb
$ sudo adduser --system --home /var/lib/tpm --shell /usr/sbin/nologin --no-create-home --group tss
$ sudo chown tss:tss /usr/sbin/tcsd
$ sudo chown tss:tss /var/lib/tpm -R
$ sudo chown tss:tss /etc/tcsd.conf
$ sudo chmod 0600 /etc/tcsd.conf
$ sudo chmod 1777 /var/lib/tpm
$ sudo /etc/init.d/trousers start
Note 1) Modify configure to remove the "attribute warn_unused_result" check from CFLAGS.
Note 2) Remove the distribution packages trousers tpm-tools libtspi-dev libtspi1 libtpm-unseal-dev libtpm-unseal0 opencryptoki libopencryptoki0.
D) Use the latest version from the TrouSerS GIT repo (TBD)
git clone git://trousers.git.sourceforge.net/gitroot/trousers
A) Install from Ubuntu repository
$ sudo apt-get install tpm-tools
$ tpm_version
  TPM 1.2 Version Info:
  Chip Version:         1.2.4.0
  Spec Level:           2
  Errata Revision:      2
  TPM Vendor ID:        INTC
  Vendor Specific data: 00040000 00030464
  TPM Version:          01010000
  Manufacturer Info:    494e5443
B) Use the latest version from the TrouSerS CVS repo.
$ cvs -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers login
(hit return when asked for the password)
$ cvs -z3 -d:pserver:anonymous@trousers.cvs.sourceforge.net:/cvsroot/trousers co -P tpm-tools
$ cp -r tpm-tools /tmp/tpm-tools-1.3.3.cvs
$ cd /tmp/tpm-tools-1.3.3.cvs
$ sh bootstrap.sh
$ dh_make --createorig
$ dpkg-buildpackage -rfakeroot
$ sudo dpkg -i ../tpm-tools_1.3.3.cvs-1_i386.deb
$ tpm_version
  TPM 1.2 Version Info:
  Chip Version:         1.2.4.0
  Spec Level:           2
  Errata Revision:      2
  TPM Vendor ID:        INTC
  Vendor Specific data: 00040000 00030464
  TPM Version:          01010000
  Manufacturer Info:    494e5443
Note) Comment out "dh_shlibdeps" in debian/rules.
$ sudo apt-get install trousers libtspi-dev tpm-tools libtpm-unseal0 libtpm-unseal-dev
$ sudo apt-get install libcommons-codec-java libcommons-logging-java libpg-java liblog4j1.2-java libibatis-java
$ sudo apt-get install libcommons-discovery-java libaxis-java
$ sudo apt-get install liblog4j1.2-java-gcj libaxis-java-gcj
From the GIT repository (2009-02-22)
$ git clone git://git.sourceforge.jp/gitroot/openpts/tools.git
$ cd tools
$ make dpkg-buildpackage
$ sudo dpkg -i ../openpts-tools_0.1.3-git20090331_i386.deb
$ /usr/bin/tpm_pcrread -a
pcr.0=fd696e0329f63bf288616865f86227aea0bff6af
pcr.1=0f028024e085e43db5bd29cf771acbb8ab4fb473
pcr.2=d68ec5b044f32933f6bf2488c1b36a0c3bc970e0
pcr.3=3a3f780f11a4b49969fcaa80cd6e3957c33b2275
pcr.4=db8be6e34e5f2c5c4b11f918aec25fe7333f6471
pcr.5=b74a56f449507542c3ad1def88e0e34617c3ba8f
pcr.6=585e579e48997fee8efd20830c6a841eb353c628
pcr.7=3a3f780f11a4b49969fcaa80cd6e3957c33b2275
pcr.8=55e50e41bec4225964925f4db2fd1781011ca188
pcr.9=0000000000000000000000000000000000000000
pcr.10=a99b9181fc6f73d30e44442965b9a546b9b9a643
pcr.11=0000000000000000000000000000000000000000
pcr.12=0000000000000000000000000000000000000000
pcr.13=0000000000000000000000000000000000000000
pcr.14=0000000000000000000000000000000000000000
pcr.15=0000000000000000000000000000000000000000
pcr.16=0000000000000000000000000000000000000000
pcr.17=ffffffffffffffffffffffffffffffffffffffff
pcr.18=ffffffffffffffffffffffffffffffffffffffff
pcr.19=ffffffffffffffffffffffffffffffffffffffff
pcr.20=ffffffffffffffffffffffffffffffffffffffff
pcr.21=ffffffffffffffffffffffffffffffffffffffff
pcr.22=ffffffffffffffffffffffffffffffffffffffff
pcr.23=0000000000000000000000000000000000000000
$ iml -p 4
Idx  PCR  Type        Digest                                    EventData
-----------------------------------------------------------------------
179  4    0x80000003  9b4d80cfefc7d5576c4d9f224872505896ef2798  [BIOS:LENOVO NEW(TBD) len=10,00001000000000000010]
180  4    0x00000004  d9be6524a5f5047db5866813acf3277892a7a30a  [BIOS:EV_SEPARATOR, ffffffff]
181  4    0x00000005  c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f  [BIOS:EV_ACTION, Calling INT 19h]
182  4    0x00000005  6ab91c9fbe9489ea35f226ec70e23c7bb09db9a3  [BIOS:EV_ACTION, Booting BCV Device 80h, - HITACHI HTS541616J9SA00-(S1)]
183  4    0x0000000d  c72cb355f3c9978fa9f15ec692264356c7328855  [BIOS:EV_IPL]
184  4    0x0000000d  b82f5fa84465edfc054591b059bb65ea54f67282  [GRUB:EV_IPL, Stage1(MBR)]
185  4    0x0000000d  d4fa72b193753834e25ca5dc420f9c23d14c6087  [GRUB:EV_IPL, Stage1.5]
186  4    0x0000000d  55fc0eb1ceb08bf75cdd3fb1f0235d8471b748d3  [GRUB:EV_IPL, Stage1.5(filesystem)]
187  4    0x00000006  9fc81a0038d3a3ffdbc053b2eb13b28a8db461cd  [GRUB: measure MBR again]
188  4    0x00000004  8cdc27ec545eda33fbba1e8b8dae4da5c7206972  [GRUB:EV_SEPARATOR, Grub Event Separator]
OK :-)
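The IMA measurement list read from /sys/kernel/security/ima/ascii_runtime_measurements and the PCR values from tpm_pcrread are two halves of one check: replaying the log through the TPM extend operation (PCR' = SHA-1(PCR || digest)) must reproduce the PCR, otherwise the log or the PCR has been altered. The following Python script is added here as an example; it is not part of OpenPTS or tpm-tools. It replays a PCR 10 IMA log, handles the violation case (IMA logs an all-zero template hash and extends with all-ones), and shows how IMA derives the boot_aggregate value (SHA-1 over PCR 0 to 7). The sample log lines are constructed from entries shown above plus one constructed violation entry (/tmp/open-writers), and the PCR values are a subset of the tpm_pcrread output above; because the sample log is only four entries, it does not reproduce the real PCR 10 from that boot, which the script reports as a mismatch.

```python
import hashlib
import re

ZERO_PCR = "00" * 20   # a TPM 1.2 PCR that is reset to zero at boot
ONES = "ff" * 20       # value IMA extends in place of an all-zero violation digest

# Constructed sample of ascii_runtime_measurements in the 2.6.30 "ima" template:
#   <pcr> <template-hash> ima <file-hash> <path>
# The first entry is the boot_aggregate; the last line imitates a measurement
# violation (file opened for writing while being measured).
SAMPLE_IMA_LOG = """\
10 adc64d7b762408a258e81b9bbb55fa8781ed42bf ima 705418e94288d91ce1ada49dbd4343b82882c9fb boot_aggregate
10 8a11aa2017bfdf52ae1ab8cfb277fc651bc7d611 ima e6d56d44e22b8f6b783c039d45703e8fd28cb796 /init
10 089c6ce6198fee74262cf4244ffdea98a2392ded ima 3d90e18f67f1c580c1212126a3c22cf07c7288dd /bin/busybox
10 0000000000000000000000000000000000000000 ima 0000000000000000000000000000000000000000 /tmp/open-writers
"""

# Subset of the tpm_pcrread -a output shown on this page.
SAMPLE_PCRREAD = """\
pcr.0=fd696e0329f63bf288616865f86227aea0bff6af
pcr.1=0f028024e085e43db5bd29cf771acbb8ab4fb473
pcr.2=d68ec5b044f32933f6bf2488c1b36a0c3bc970e0
pcr.3=3a3f780f11a4b49969fcaa80cd6e3957c33b2275
pcr.4=db8be6e34e5f2c5c4b11f918aec25fe7333f6471
pcr.5=b74a56f449507542c3ad1def88e0e34617c3ba8f
pcr.6=585e579e48997fee8efd20830c6a841eb353c628
pcr.7=3a3f780f11a4b49969fcaa80cd6e3957c33b2275
pcr.10=a99b9181fc6f73d30e44442965b9a546b9b9a643
pcr.17=ffffffffffffffffffffffffffffffffffffffff
"""

HEX40 = re.compile(r"[0-9a-f]{40}")


def extend(pcr_hex, digest_hex):
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || digest), all 20-byte values as hex."""
    return hashlib.sha1(bytes.fromhex(pcr_hex) + bytes.fromhex(digest_hex)).hexdigest()


def parse_ima_log(text):
    """Parse 'ima' template lines into dicts; reject malformed lines instead of skipping them."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or not HEX40.fullmatch(parts[1]) or not HEX40.fullmatch(parts[3]):
            raise ValueError("malformed IMA entry: %r" % line)
        pcr, template_hash, template, file_hash, path = parts
        entries.append({"pcr": int(pcr), "template_hash": template_hash,
                        "template": template, "file_hash": file_hash, "path": path})
    return entries


def replay(entries, pcr_index=10):
    """Recompute the PCR from the log: extend with each template hash in order."""
    pcr = ZERO_PCR
    for e in entries:
        if e["pcr"] != pcr_index:
            continue
        # Violation entries carry an all-zero template hash; the kernel extended
        # the PCR with all-ones for them, so the replay must do the same.
        digest = ONES if e["template_hash"] == ZERO_PCR else e["template_hash"]
        pcr = extend(pcr, digest)
    return pcr


def parse_pcrread(text):
    """Parse 'pcr.N=<sha1 hex>' tokens from tpm_pcrread -a output into {N: hex}."""
    return {int(n): v for n, v in re.findall(r"pcr\.(\d+)=([0-9a-f]{40})", text)}


def boot_aggregate(pcrs):
    """IMA's boot_aggregate file hash: SHA-1 over the raw values of PCR 0..7, concatenated."""
    return hashlib.sha1(b"".join(bytes.fromhex(pcrs[i]) for i in range(8))).hexdigest()


def verify(ima_text, pcrread_text, pcr_index=10):
    """True only if the replayed log equals the PCR value the TPM reports."""
    pcrs = parse_pcrread(pcrread_text)
    return replay(parse_ima_log(ima_text), pcr_index) == pcrs.get(pcr_index)


if __name__ == "__main__":
    entries = parse_ima_log(SAMPLE_IMA_LOG)
    pcrs = parse_pcrread(SAMPLE_PCRREAD)
    print("replayed PCR 10 :", replay(entries))
    print("reported PCR 10 :", pcrs[10])
    print("log matches PCR :", verify(SAMPLE_IMA_LOG, SAMPLE_PCRREAD))
    print("boot_aggregate  :", boot_aggregate(pcrs), "(logged:", entries[0]["file_hash"] + ")")
```

On a live system, feed the script the full ascii_runtime_measurements file and the complete tpm_pcrread output from the same boot; a mismatch means the log cannot be trusted as a record of what was measured, since every later entry depends on every earlier one through the extend chain.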
$ git clone git://git.sourceforge.jp/gitroot/openpts/core.git
$ cd core
$ make dpkg-buildpackage
$ sudo dpkg -i ../openpts-core_0.1.3-git20090405_all.deb
$ sudo dpkg -i ../openpts-core-gcj_0.1.3-git20090405_i386.deb
TODO: create a deb package for jtreemap. Until then, manual installation is needed.
$ wget http://jaist.dl.sourceforge.net/sourceforge/jtreemap/jtreemap-1.1.0.zip
$ unzip jtreemap-1.1.0.zip
$ sudo cp jtreemap-site-1.1.0/jtreemap-1.1.0.jar /usr/share/java/jtreemap.jar
TODO
sudo apt-get install tomcat5.5 tomcat5.5-webapps postgresql-8.3
$ git clone git://git.sourceforge.jp/gitroot/openpts/demo.git
$ cd demo
$ make dpkg-buildpackage
$ sudo dpkg -i ../openpts-tcdemo-client_0.1.3-git20090405_all.deb
$ sudo dpkg -i ../openpts-tcdemo-client-gcj_0.1.3-git20090405_i386.deb
$ sudo dpkg -i ../openpts-tcdemo-server_0.1.3-git20090405_all.deb
The SRK password must be the default setting. Just press enter for the SRK password.
$ tpm_takeownership
Enter owner password: ********
Confirm password: ********
Enter SRK password:
Confirm password:
If you get the following error message, ownership of the TPM has already been taken.
Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled
Also, if the size of the "/var/lib/tpm/system.data" file is zero, your TSS has forgotten your ownership. To fix this, take ownership again, or put the dummy system.data file in place to enable the TSS as follows.
sudo cp demo/sampledata/knoppix/dummy_system.data /var/lib/tpm/system.data
sudo /etc/init.d/tcsd restart
sudo /usr/bin/ptsclientadmin --commandline --user USERNAME
The user's local configuration is stored at /home/$USERNAME/.pts
Install PostgreSQL
sudo apt-get install postgresql
<snip>
Setting up postgresql (8.3.7-1) ...
sudo /etc/init.d/postgresql-8.3 status
8.3 main 5432 online postgres /var/lib/postgresql/8.3/main /var/log/postgresql/postgresql-8.3-main.log
Set an admin password for postgres.
sudo passwd postgres
su - postgres
psql -c "alter user postgres with password 'PASSWORD'" template1
Configure PostgreSQL for OpenPTS.
cd /usr/lib/openpts/database/
bash dbsetup.sh load /etc/openpts/db.conf
S) Setup New Databases
C) Show Current Configuration
L) Show State
B) Backup Databases
D) Delete Databases
Q) Exit
select:C
Current Configurations
DB type : postgres
DB admin : ptsadmin
DB user : ptsuser
Vulnerability Database name : vuldb
Integrity Information Database 0 name : iidb_redhat
Integrity Information Database 1 name : iidb_centos
Integrity Information Database 2 name : iidb_knoppix
Integrity Information Database 3 name : iidb_ubuntu
Integrity Information Database 4 name : iidb_fedora
Integrity Information Database 5 name : iidb
Integrity Information Database 6 name : iidb
Integrity Information Database 7 name : iidb_bios
<snip>
select:S
<snip>
It takes a few hours.
cd /var/lib/openpts
sudo sh /usr/lib/openpts/scripts/deb-all.sh ubuntu
Collect Package info of ubuntu
package list...
treemap data...
metadata...
md5 digests...
sha1 digests...
<snip>
Create the map file "/var/lib/openpts/database/ibatis/sqlMapsConfig.properties", e.g.
driver=org.postgresql.Driver
url_vul=jdbc:postgresql://localhost/vuldb
url_iidb0=jdbc:postgresql://localhost/iidb_redhat
url_iidb1=jdbc:postgresql://localhost/iidb_centos
url_iidb2=jdbc:postgresql://localhost/iidb_knoppix
url_iidb3=jdbc:postgresql://localhost/iidb_ubuntu
url_iidb4=jdbc:postgresql://localhost/iidb_fedora
url_iidb5=jdbc:postgresql://localhost/iidb
url_iidb6=jdbc:postgresql://localhost/iidb
url_iidb7=jdbc:postgresql://localhost/iidb
username=ptsadmin
password=password
Import the RPM metadata/digests into the IIDB. This takes time.
# /usr/bin/openpts rpmimport --dbindex 4 --inputdir /var/lib/openpts/fedora/data/
Check the IIDB using the openpts command, e.g.
# openpts iidb --list --index 4
IIDB index: 4
packages: 1622
measuremnets: 250925
- vulnerable: package 0 measurement 0
- safe: package 0 measurement 0
- unclear: package 0 measurement 0
- unchecked: package 1622 measurement 250925
# sha1sum /usr/sbin/acpid
b5e042dfeac3bb70a686be5abd1fcb6a9472c6de  /usr/sbin/acpid
# openpts iidb --search --index 4 --digest b5e042dfeac3bb70a686be5abd1fcb6a9472c6de
hexDigest : b5e042dfeac3bb70a686be5abd1fcb6a9472c6de
id : 47331
filename : /usr/sbin/acpid
obsolete : 0
vulnerability : 0
packageName : acpid-1.0.6-11.fc10.x86_64
Just fill the CVE info into the Vulnerability Database. This database cannot be linked with the integrity database, since there is no good source of Security Advisories for Fedora; OVAL only supports RHEL.
/usr/bin/openpts cve --xmlfile http://nvd.nist.gov/download/nvdcve-2009.xml --outputdir /tmp
$ pg_dump database_name > file_name.sql
$ psql -e database_name < file_name.sql
$ pg_restore -d database_name file_name.sql
sudo apt-get install phppgadmin
/etc/init.d/apache2 start
Log in as "ptsuser".
If the login fails, check the configuration file: /etc/postgresql/8.3/main/pg_hba.conf
# yum install tomcat5 tomcat5-webapps tomcat5-admin-webapps
/etc/sysconfig/tomcat5
JAVA_HOME="/usr/java/jdk1.6.0_12/"
# rpm -ivh /home/foo/rpmbuild/RPMS/x86_64/openpts-tcdemo-server-0.1.3-git20090613.fc10.x86_64.rpm
# /sbin/service tomcat5 start
# chkconfig tomcat5 on
Log file: /var/log/tomcat5/catalina.out
6-3-X. Setup Demo Contents
Create an account with user "guest" and password "given".
# htpasswd -c /var/www/.htpasswd guest
Create the demo contents.
# mkdir -p /var/www/html/tcdemo
Edit /var/www/html/tcdemo/index.html
<html>
<head>
<title> OpenPTS Test </title>
</head>
<body>
<h1> OpenPTS Test </h1>
</body>
</html>
Edit /etc/httpd/conf/httpd.conf
...
<Directory "/var/www/html">
    ...
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile /var/www/.htpasswd
    AuthGroupFile /dev/null
    require valid-user
</Directory>
...
# service httpd start
# chkconfig httpd on
(OPTION) To monitor the server-side validation log, open a terminal and run
tailf /var/log/openpts.log
/usr/bin/ptsclientuser --commandline
If the validation succeeds, it opens http://localhost/tcdemo.
Congratulations!
The Ubuntu package does not support GTK. To enable the GTK feature (password popup), re-build trousers with the GTK option.
$ sudo apt-get build-dep trousers
$ apt-get source trousers
$ cd trousers-0.3.1
$ dpkg-buildpackage -rfakeroot -us -uc
EOF