mirror of
https://github.com/nsacyber/HIRS.git
synced 2024-12-24 23:26:50 +00:00
added paccor reference
This commit is contained in:
parent
203691e09c
commit
ecd479bd3a
46
README.md
46
README.md
@ -5,7 +5,7 @@
|
|||||||
<h2>Attestation Certificate Authority (ACA) and TPM Provisioning with Trusted Computing-based Supply Chain Validation </h2>
|
<h2>Attestation Certificate Authority (ACA) and TPM Provisioning with Trusted Computing-based Supply Chain Validation </h2>
|
||||||
|
|
||||||
The Host Integrity at Runtime and Start-up Attestation Certificate Authority is a Proof of Concept - Prototype intended to spur interest and adoption of the [Trusted Platform Module (TPM)](https://trustedcomputinggroup.org/work-groups/trusted-platform-module/). It's intended for testing and development purposes only and is not intended for production. The ACA's functionality supports the provisioning of [TPM 2.0](https://trustedcomputinggroup.org/wp-content/uploads/2019_TCG_TPM2_BriefOverview_DR02web.pdf) with an [Attestation Identity Certificate (AIC)](https://www.trustedcomputinggroup.org/wp-content/uploads/IWG-Credential_Profiles_V1_R1_14.pdf). The ACA can be configured to enforce the Validation of Endorsement and Platform Credentials to illustrate a supply chain validation capability.
|
The Host Integrity at Runtime and Start-up Attestation Certificate Authority is a Proof of Concept - Prototype intended to spur interest and adoption of the [Trusted Platform Module (TPM)](https://trustedcomputinggroup.org/work-groups/trusted-platform-module/). It's intended for testing and development purposes only and is not intended for production. The ACA's functionality supports the provisioning of [TPM 2.0](https://trustedcomputinggroup.org/wp-content/uploads/2019_TCG_TPM2_BriefOverview_DR02web.pdf) with an [Attestation Identity Certificate (AIC)](https://www.trustedcomputinggroup.org/wp-content/uploads/IWG-Credential_Profiles_V1_R1_14.pdf). The ACA can be configured to enforce the Validation of Endorsement and Platform Credentials to illustrate a supply chain validation capability.
|
||||||
|
completely
|
||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="images/TCG_AcceptanceTest.png" />
|
<img src="images/TCG_AcceptanceTest.png" />
|
||||||
</p>
|
</p>
|
||||||
@ -13,11 +13,15 @@ The Host Integrity at Runtime and Start-up Attestation Certificate Authority is
|
|||||||
The HIRS ACA can be used to perform the Acceptance Test. The HIRS ACA is a web based server which processes Attestation Identity Requests.
|
The HIRS ACA can be used to perform the Acceptance Test. The HIRS ACA is a web based server which processes Attestation Identity Requests.
|
||||||
The ACA provides a “provisioner” application to be installed on all devices which will be requesting Attestation Certificates.
|
The ACA provides a “provisioner” application to be installed on all devices which will be requesting Attestation Certificates.
|
||||||
|
|
||||||
**Notice:** Github Discussions have been enabled for this repo. Please refer to the Dicussion entitled "[HIRS development changes](https://github.com/nsacyber/HIRS/discussions/498)" for development and support notifications.
|
**Notice:** Github Discussions have been enabled for this repo. Please refer to the Discussion entitled "[HIRS development changes](https://github.com/nsacyber/HIRS/discussions/498)" for development and support notifications.
|
||||||
|
|
||||||
## Features
|
## Features
|
||||||
|
|
||||||
### Attestation Certificate Authority (ACA)
|
### Attestation Certificate Authority (ACA)
|
||||||
|
<p align="center">
|
||||||
|
<img src="images/ACA_ValidationReport_PC_Policy.jpg" />
|
||||||
|
</p>
|
||||||
|
|
||||||
* Issues Attestation Identity Certificates or TPM based [Local Device ID (LDevID) certificates](https://github.com/nsacyber/HIRS/wiki/DevID-Certificates) to validated devices holding a TPM
|
* Issues Attestation Identity Certificates or TPM based [Local Device ID (LDevID) certificates](https://github.com/nsacyber/HIRS/wiki/DevID-Certificates) to validated devices holding a TPM
|
||||||
* Configures policies for enabling/disabling validation procedures
|
* Configures policies for enabling/disabling validation procedures
|
||||||
* Performs TCG-based Supply Chain Validation of connecting clients
|
* Performs TCG-based Supply Chain Validation of connecting clients
|
||||||
@ -30,6 +34,7 @@ The ACA provides a “provisioner” application to be installed on all devices
|
|||||||
* Updates for the [Platform Certificate Version 2.0](https://trustedcomputinggroup.org/wp-content/uploads/TCG-Platform-Certificate-Profile-Version-2.0-Revision-39.pdf) are in the current development cycle
|
* Updates for the [Platform Certificate Version 2.0](https://trustedcomputinggroup.org/wp-content/uploads/TCG-Platform-Certificate-Profile-Version-2.0-Revision-39.pdf) are in the current development cycle
|
||||||
* Verifies the provenance of the system's hardware components, such as the motherboard and chassis, by comparing measured component information against the manufacturers, models, and serial numbers listed in the Platform Certificate
|
* Verifies the provenance of the system's hardware components, such as the motherboard and chassis, by comparing measured component information against the manufacturers, models, and serial numbers listed in the Platform Certificate
|
||||||
* Firmware Integrity Validation
|
* Firmware Integrity Validation
|
||||||
|
* Uploads and processes [TCG PC Client Reference Integrity Manifests](https://trustedcomputinggroup.org/resource/tcg-pc-client-reference-integrity-manifest-specification/) (RIM)s
|
||||||
* Creates and verifies a nonce for the TPM Quote
|
* Creates and verifies a nonce for the TPM Quote
|
||||||
* Process TMP Event Logs and checks digests against the TPM Quote
|
* Process TMP Event Logs and checks digests against the TPM Quote
|
||||||
* Verifies individual event digests against the OEM provided Reference Integrity Measurements
|
* Verifies individual event digests against the OEM provided Reference Integrity Measurements
|
||||||
@ -43,12 +48,26 @@ The ACA provides a “provisioner” application to be installed on all devices
|
|||||||
* Enables Import/Export of Certificate (Trust) Chains, Endorsement Certificates, and Platform Certificates
|
* Enables Import/Export of Certificate (Trust) Chains, Endorsement Certificates, and Platform Certificates
|
||||||
* Optionally allows uploaded Certificates of trusted parties
|
* Optionally allows uploaded Certificates of trusted parties
|
||||||
|
|
||||||
### TPM Provisioner
|
### [TPM Provisioner](https://github.com/nsacyber/HIRS/tree/main/HIRS_Provisioner.NET)
|
||||||
* Requests an Attestation Identity Certificate for the TPM from the ACA.
|
* Requests an Attestation Identity Certificate for the TPM from the ACA.
|
||||||
* Transfer's TCG Artifacts to the ACA (TPM Endorsement Certificates, Platform Certificates, Reference Integrity Manifests, Event Logs, etc.)
|
* Transfer's TCG Artifacts to the ACA (TPM Endorsement Certificates, Platform Certificates, Reference Integrity Manifests, Event Logs, etc.)
|
||||||
* Reads the device's hardware, network, firmware, and OS info for platform and component validation
|
* Reads the device's hardware, network, firmware, and OS info for platform and component validation
|
||||||
* Provides a TPM Quote for Firmware Integrity Checking
|
* Provides a TPM Quote for Firmware Integrity Checking
|
||||||
|
|
||||||
|
### [TCG RIM Tool](https://github.com/nsacyber/HIRS/tree/main/tools/tcg_rim_tool)
|
||||||
|
* Creates , Formats, and Digitally Signs [TCG PC Client Base RIMs](https://trustedcomputinggroup.org/resource/tcg-pc-client-reference-integrity-manifest-specification/)
|
||||||
|
* Validates the signature of TCG PC CLient Base RIMs
|
||||||
|
|
||||||
|
### [TCG Event Log Tool](https://github.com/nsacyber/HIRS/tree/main/tools/tcg_eventlog_tool)
|
||||||
|
* Parses binary TPM Event Logs and displays event data in a human readable form
|
||||||
|
* Extracts Events from TPM Event Logs for test pattern generation
|
||||||
|
* Provides Expected PCR values from a complete TPM Event Log
|
||||||
|
|
||||||
|
### [Platform Certificate Creator - PACCOR](https://github.com/nsacyber/paccor/)
|
||||||
|
* Creates platform certificates according to the [TCG Platform Certificate Profile](https://trustedcomputinggroup.org/resource/tcg-platform-certificate-profile/).
|
||||||
|
* Assists in gathering all of the data that can go into a PC and produce a signed attribute certificate
|
||||||
|
* Validates signatures on TCG Platform Certificates
|
||||||
|
|
||||||
## Installation Instructions
|
## Installation Instructions
|
||||||
|
|
||||||
For detailed instructions, see [Installation notes](https://github.com/nsacyber/HIRS/wiki/installation_notes).
|
For detailed instructions, see [Installation notes](https://github.com/nsacyber/HIRS/wiki/installation_notes).
|
||||||
@ -67,46 +86,47 @@ To install the ACA on a Redhat or Rocky Linux download the latest rpm from the [
|
|||||||
then run the command
|
then run the command
|
||||||
|
|
||||||
```
|
```
|
||||||
dnf install HIRS_AttestationCA*.rpm.
|
sudo dnf install HIRS_AttestationCA*.rpm.
|
||||||
```
|
```
|
||||||
|
|
||||||
To install the ACA on a Ubuntu Linux download the latest rpm from the [release page](https://github.com/nsacyber/HIRS/releases)
|
To install the ACA on a Ubuntu Linux download the latest rpm from the [release page](https://github.com/nsacyber/HIRS/releases)
|
||||||
then run the command
|
then run the command
|
||||||
|
|
||||||
```
|
```
|
||||||
dnf install HIRS_AttestationCA*.deb.
|
sudo apt-get install HIRS_AttestationCA*.deb.
|
||||||
```
|
```
|
||||||
|
|
||||||
### Installing the HIRS_Provisioner.NET
|
### Installing the HIRS_Provisioner.NET
|
||||||
|
|
||||||
To install the HIRS_Provisioner.NET on a Redhat or Rocky Linux download the latest rpm package from the [release page](https://github.com/nsacyber/HIRS/releases) then run the command
|
To install the HIRS_Provisioner.NET on a Redhat or Rocky Linux download the latest rpm package from the [release page](https://github.com/nsacyber/HIRS/releases) then open a terminal and run the command
|
||||||
|
|
||||||
```
|
```
|
||||||
sudo dnf install hirs-provisioner-tpm2*.rpm
|
sudo dnf install HIRS_Provisioner.NET.*.rpm
|
||||||
```
|
```
|
||||||
|
|
||||||
To install the HIRS_Provisioner.NET on Ubuntu Linux download the latest deb package from the [release page](https://github.com/nsacyber/HIRS/releases) then run the command
|
To install the HIRS_Provisioner.NET on Ubuntu Linux download the latest deb package from the [release page](https://github.com/nsacyber/HIRS/releases) then open a terminal and run the command
|
||||||
|
|
||||||
```
|
```
|
||||||
sudo apt-get install hirs-provisioner-tpm2*.rpm
|
sudo apt-get install HIRS_Provisioner.NET.*.deb
|
||||||
```
|
```
|
||||||
|
|
||||||
To install the HIRS_Provisioner.NET on Windows download the latest msi package from the [release page](https://github.com/nsacyber/HIRS/releases) then run the command
|
To install the HIRS_Provisioner.NET on Windows download the latest msi package from the [release page](https://github.com/nsacyber/HIRS/releases) then open a powershell windows as an administrator then run the command
|
||||||
|
|
||||||
```
|
```
|
||||||
sudo apt-get install hirs-provisioner-tpm2*.rpm
|
msiexec /package HIRS_Provisioner.NET.*.msi /quiet
|
||||||
```
|
```
|
||||||
|
|
||||||
Then follow the instructions for setting up the HIRS_provisioner.NET in the [HIRS_Provisioner.NET Readme](https://github.com/nsacyber/HIRS/blob/master/HIRS_AttestationCAPortal/src/main/webapp/docs/HIRS%20.NET%20Provisioner%20Readme_2.2.pdf).
|
Then follow the instructions for setting up the HIRS_provisioner.NET in the [HIRS_Provisioner.NET Readme](https://github.com/nsacyber/HIRS/blob/master/HIRS_AttestationCAPortal/src/main/webapp/docs/HIRS%20.NET%20Provisioner%20Readme_2.2.pdf).
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
On Linux: To kick off a provision on the client, open a terminal and run the command
|
On Linux: To kick off a procompletelyvision on the client, open a terminal and run the command
|
||||||
|
|
||||||
```
|
```
|
||||||
sudo tpm_aca_provision
|
sudo tpm_aca_provision
|
||||||
```
|
```
|
||||||
|
|
||||||
On Windows: Open a powershell as administrator and enter the command
|
On Windows: Open a powershell terminal as an administrator and enter the command
|
||||||
|
|
||||||
```
|
```
|
||||||
tpm_aca_provision
|
tpm_aca_provision
|
||||||
|
Loading…
Reference in New Issue
Block a user