From 58ee2748eff0c05d6b6dbe219e3deea78b04a5af Mon Sep 17 00:00:00 2001 From: iadgovuser26 <33069955+iadgovuser26@users.noreply.github.com> Date: Mon, 5 Aug 2024 16:09:59 -0400 Subject: [PATCH] Update README.md --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bd05ceef..c458e14b 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@

Host Integrity at Runtime and Start-up (HIRS)

+**Notice**: Over the next few weeks HIRS will be upgrading to Version 3.0. Version 3.0 has been completely refactored to support deployments to muiltiple Operating Systems. For a discussion of these changes please refer to the [Github Discussion](https://github.com/nsacyber/HIRS/discussions/498) for further details. These changes will take several weeks and will effect the building and installation of the project. +

Attestation Certificate Authority (ACA) and TPM Provisioning with Trusted Computing-based Supply Chain Validation

The Host Integrity at Runtime and Start-up Attestation Certificate Authority is a Proof of Concept - Prototype intended to spur interest and adoption of the [Trusted Platform Module (TPM)](https://trustedcomputinggroup.org/work-groups/trusted-platform-module/). The ACA can be configured to enforce the Validation of Endorsement and Platform Credentials to illustrate a **Supply Chain Validation** capability. It's intended for testing and development purposes only and is not intended for production. The ACA's functionality supports the provisioning of the [TPM 2.0](https://trustedcomputinggroup.org/wp-content/uploads/2019_TCG_TPM2_BriefOverview_DR02web.pdf) with an [Attestation Identity Credential (AIC)](https://www.trustedcomputinggroup.org/wp-content/uploads/IWG-Credential_Profiles_V1_R1_14.pdf). 
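Review bot: the added **Notice** line carries two typos that should be fixed before merge: "muiltiple" should be "multiple", and "will effect the building and installation" should be "will affect the building and installation" (as a verb, "effect" means to bring about, which is not what is meant). The notice also says "Over the next few weeks" with no date, so readers landing on the README later cannot tell whether the window has passed; stating the date of the notice (the commit is dated 5 Aug 2024) or pointing at a version tag would keep it useful. Minor: "Github Discussion" is conventionally written "GitHub Discussion", and the bare "+" after the notice adds a blank line directly before an existing blank context line, so one of the two is redundant.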
@@ -7,12 +9,15 @@ The Host Integrity at Runtime and Start-up Attestation Certificate Authority is The ACA provides a “provisioner” application to be installed on all devices which will be requesting Attestation Credentials. The ACA is a web based server which processes Attestation Identity Requests. ![TPM Provisioning](images/TPM_Provisioning.jpg) - +Please refer to [this link](https://github.com/nsacyber/HIRS/blob/master/HIRS_AttestationCAPortal/src/main/webapp/docs/HIRS%20.NET%20Provisioner%20Readme_2.2.pdf) for details on the the HIRS dotnet provisioner Version 1.1 added support for the [Platform Certificate v1.1 Specification](https://trustedcomputinggroup.org/resource/tcg-platform-certificate-profile/). This allows entities that are part of the supply chain (System integrators and Value Added Resellers) the ability to create Delta Platform Certificate to compliment the Base Platform Certificate created by the Platform Manufacturer. See the [Article on Base and Delta Platform Certificates](https://github.com/nsacyber/HIRS/wiki/Base-and-Delta-Platform-Certificates) for details. Version 2.0 added support for the [PC Client Reference Integrity Manifest (RIM) Specification](https://trustedcomputinggroup.org/resource/tcg-pc-client-reference-integrity-manifest-specification/) to provide firmware validation capability to the HIRS ACA. This requires that the manufacturer of a device provide a digitally signed RIM "Bundle" for each device. The HIRS ACA has a new page for uploading and viewing RIM Bundles and a policy setting for requiring Firmware validation. -Version 2.2 introduces the HIRS_Provisioner.NET. The HIRS_Provisioner.NET is a C# implementation of the HIRS Provisioner designed to be a replacement for the HIRS_ProvisionerTPM2. The HIRS_Provisioner.NET can be packaged for Windows as well as most Linux distributions. This portability will support a wider set of scenarios and products. 
See the [HIRS_Provisioner.NET README](https://github.com/nsacyber/HIRS/blob/master/HIRS_AttestationCAPortal/src/main/webapp/docs/HIRS%20.NET%20Provisioner%20Readme_2.2.pdf) for details. +Version 2.2 introduced the HIRS_Provisioner.NET. The HIRS_Provisioner.NET is a C# implementation of the HIRS Provisioner designed to be a replacement for the HIRS_ProvisionerTPM2. The HIRS_Provisioner.NET can be packaged for Windows as well as most Linux distributions. This portability will support a wider set of scenarios and products. See the [HIRS_Provisioner.NET README](https://github.com/nsacyber/HIRS/blob/master/HIRS_AttestationCAPortal/src/main/webapp/docs/HIRS%20.NET%20Provisioner%20Readme_2.2.pdf) for details. +Please refer to [this link](https://github.com/nsacyber/HIRS/blob/master/HIRS_AttestationCAPortal/src/main/webapp/docs/HIRS%20.NET%20Provisioner%20Readme_2.2.pdf) for details on the the HIRS dotnet provisioner + +Version 3.0 was completely refactored to build and run on multiple platforms. The Base OS used for development of the ACA was migrated to Rocky Linux with updates to current dependencies (e.g. Java, Tomcat, Mariadb, etc.) and development tools (e.g. Gradle). New features introduced in Version 3.0 include support for the [PC Client RIM 1.1](https://trustedcomputinggroup.org/resource/tcg-pc-client-reference-integrity-manifest-specification/) specification including composite RIMs, time-stamps, and counter signatures and detailed linkages between TCG Event Logs, OEM issuer certificates, and Reference Integrity Manifests (RIMs) have been added to provide greater granularity of information. Support for TPM 1.2 (HIRS_Provisioner) and the Cplus version of the TPM provsioner (HIRS_ProvisionerTPM2) was dropped from Version 3.0 and replaced with the HIRS_Provisioner.NET. An ACA Docker image is now automatically created for each release. See the [packages page](https://github.com/orgs/nsacyber/packages?repo_name=HIRS) for published ACA docker images.
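Review bot: the new sentence "Please refer to [this link](...) for details on the the HIRS dotnet provisioner" is inserted twice in this hunk, once directly after the TPM Provisioning image and again after the rewritten Version 2.2 paragraph, and both copies point at the same "HIRS .NET Provisioner Readme_2.2.pdf" that the sentence "See the [HIRS_Provisioner.NET README](...) for details." in that same paragraph already links. Drop both copies, or keep at most one and fix it: "the the" should be "the", the sentence needs a terminating period, and the project's own name HIRS_Provisioner.NET reads better than "dotnet provisioner". In the added Version 3.0 paragraph, "provsioner" should be "provisioner", "Cplus version" should be "C++ version", "Mariadb" should be "MariaDB", and the sentence beginning "New features introduced in Version 3.0 include" runs two statements together; split it after "counter signatures" so that "detailed linkages between TCG Event Logs, OEM issuer certificates, and Reference Integrity Manifests (RIMs) have been added" stands as its own sentence. Finally, the Notice added in the first hunk says the 3.0 upgrade is still coming over the next few weeks, while this paragraph states "Version 3.0 was completely refactored" and "An ACA Docker image is now automatically created for each release" in the past and present tense; make the two consistent, or say which parts of 3.0 are already on master.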