Mudassar Aslam
mudas****@sics*****
Mon Oct 7 07:28:44 JST 2013
Hi

More experiences for others when they try. And some remaining problems in the end...

*1. My experience:*

I tried with RHEL latest grub (grub-0.97-68.el6.src.rpm) and Fedora 12 patch which was available online (grub-0.97-62.fc12.ima-1.1.0.0.patch). The rpmbuild ended up with the following errors:

    Bad exit status from /var/tmp/rpm-tmp.xbQQ8q (%prep)
    patching file stage2/shared.h
    Hunk #1 FAILED at 379.
    Hunk #2 succeeded at 1049 (offset 24 lines).
    1 out of 2 hunks FAILED -- saving rejects to file stage2/shared.h.rej

I don't exactly understand the problem, therefore I switched to the second option. That is, use an older grub from Fedora 12 and its corresponding patch. Of course, due to the older version, I had to number the patch as 26 in the grub.spec file (as opposed to 32 as specified in the new user guides for later grub-0.97-68....). The grub was installed successfully and after reboot I could see measurements for PCR0..8 (using tpm_readpcr). So the underlying setup for the openPTS is up and running.

Briefly, I have the following configuration now.

    Setup guide used: https://github.com/openpts/openpts/wiki/RHEL6.4-Quick-setup-guide
    CentOS 6.4
    trousers-0.3.6
    tpm-tools-1.3.7
    openpts-0.2.6
    grub-0.97-62.fc12.src.rpm WITH grub-0.97-62.fc12.ima-1.1.0.0.patch

*2. Unsolved Problem:*

Next step: Enrolling/initializing the Collector (ptsc -i)

I can initialize the collector and now the ptsc dump command shows an additional PCR8 behaviour model which was missing in my earlier attempts without GRUB-IMA installed. BUT THE "....PCR10.UML" IS STILL MISSING. I tried to fix this by downloading and using older uml models available in previous openpts versions (old repositories) but could not succeed.

I tried with these .uml settings and placing their corresponding model files in the /usr/share/openpts/models

    ima_rhel6_pcr10.uml (latest and only available for PCR10)
    rhel6_ima_pcr10.uml (old version from openpts 0.2.5)
    f12_ima_pcr10.uml (old version from openpts 0.2.5)

Here is the output of dump command:

    $ ptsc -i
    Sign key location: SYSTEM
    Generate uuid: a00f114e-2ece-11e3-91af-00216a94960e
    Generate UUID (for RM): a04cdccc-2ece-11e3-91af-00216a94960e
    level 0 Reference Manifest : /var/lib/openpts//a04cdccc-2ece-11e3-91af-00216a94960e/rm0.xml
    level 1 Reference Manifest : /var/lib/openpts//a04cdccc-2ece-11e3-91af-00216a94960e/rm1.xml
    ptsc has successfully initialized!

    $ ptsc -D
    openpts version 0.2.6

    config file: /etc/ptsc.conf
    UUID: a00f114e-2ece-11e3-91af-00216a94960e (/var/lib/openpts/uuid)
    IML access mode : TSS
     Runtime IML type: unknown type 0x0
    RM UUID (current): a04cdccc-2ece-11e3-91af-00216a94960e
    RM UUID (for next boot): (null)
    List of RM set: 1 RM set in config dir
     ID UUID                                 date(UTC)           status
     -----------------------------------------------------------------------------------------
     0  a04cdccc-2ece-11e3-91af-00216a94960e 2013-10-06-21:31:13 NOW
     -----------------------------------------------------------------------------------------
    Integrity Report dir: /tmp/.ptsc
    Model dir: /usr/share/openpts/models
    Behavior Models
     PCR lv FSM files
     -----------------------------------------------------
     0 0 /usr/share/openpts/models/bios_pcr0.uml
     1 0 /usr/share/openpts/models/bios_pcr1.uml
     2 0 /usr/share/openpts/models/bios_pcr2.uml
     3 0 /usr/share/openpts/models/bios_pcr3.uml
     4 0 /usr/share/openpts/models/bios_pcr4.uml
     4 1 /usr/share/openpts/models/grub_pcr4.uml
     5 0 /usr/share/openpts/models/bios_pcr5.uml
     5 1 /usr/share/openpts/models/grub_pcr5.uml
     6 0 /usr/share/openpts/models/bios_pcr6.uml
     7 0 /usr/share/openpts/models/bios_pcr7.uml
     8 1 /usr/share/openpts/models/grub_pcr8.uml
     -----------------------------------------------------

ANY SUGGESTIONS TO FIX THIS?

Thanks and regards
Mudassar.

On 02/10/2013 23:00, Seiji Munetoh wrote:
> On Thu, Oct 3, 2013 at 3:49 AM, Mudassar Aslam<mudas****@sics*****> wrote:
>> I don't want to use IntelTXT therefore fallback to GRUB-IMA is the only
>> option left. Due to different reasons, I have now switched to CentOS 6.4
>> which comes with grub legacy. I am trying to patch the grub as specified in
>> the user guide. While doing so, I could find and download the SRPM
>> (grub-0.97-68.el6.src.rpm) but could not find the relevant patch
>> (grub-0.97-68.el6.ima-1.1.0.0.patch) from the link given in the user guide
>> i.e.
>> http://osdn.dl.sourceforge.jp/openpts/40294/grub-0.97-68.el6.ima-1.1.0.0.patch
>> is not valid anymore. I tried to google for it but could not find the patch.
>> Do you know any other place from where I can get this patch?
> I will try to find from my backup. But, it might take a little time.
>
>> Or, another option is to try some older version (if that does not affect
>> OpenPTS) e.g. building an older grub from CentOS5/RHEL5? or Fedora12?
> You can use the patch for F12 with some fixes, or Grub SRPM of F12
> with the patch.
>
>> Or, trying with TrustedGRUB
>> (http://projects.sirrix.com/trac/trustedgrub/wiki/Documentation) if OpenPTS
>> supports that?
> No, TrustedGRUB does not support an eventlog. Thus we cannot validate
> the measurements done by TrustedGRUB.
>
> --
> Seiji
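
Added example, not part of the original thread and not OpenPTS code: a sketch of why a verifier needs the event log that the quoted reply mentions. A TPM 1.2 PCR only holds the end of a SHA-1 extend chain, so its value can be checked only by replaying logged digests; the function names, verdict labels and sample digests below are constructed for illustration.

```python
import hashlib

PCR_INIT = bytes(20)  # a TPM 1.2 SHA-1 PCR holds 20 zero bytes after reset

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA1(old PCR || event digest)."""
    return sha1(pcr + digest)

def replay(event_log):
    """Recompute every PCR from (pcr_index, digest) log entries, in order."""
    pcrs = {}
    for index, digest in event_log:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), digest)
    return pcrs

def validate(quoted_pcrs, event_log, known_good):
    """Classify each reported PCR: ok, unknown-event, log-mismatch, no-eventlog."""
    replayed = replay(event_log)
    verdicts = {}
    for index, value in quoted_pcrs.items():
        logged = [d for i, d in event_log if i == index]
        if not logged:
            # Only the end of the hash chain is known; nothing to replay.
            verdicts[index] = "ok" if value == PCR_INIT else "no-eventlog"
        elif replayed[index] != value:
            verdicts[index] = "log-mismatch"
        elif any(d not in known_good for d in logged):
            verdicts[index] = "unknown-event"
        else:
            verdicts[index] = "ok"
    return verdicts

# Constructed sample data (hypothetical, not taken from a real platform).
STAGE2, CONF, KERNEL = sha1(b"stage2"), sha1(b"grub.conf"), sha1(b"vmlinuz")
KNOWN_GOOD = {STAGE2, CONF, KERNEL}
LOG = [(4, STAGE2), (5, CONF), (8, KERNEL)]   # loader that logs what it measures
QUOTED = replay(LOG)                          # PCR values the platform reports
LOG_MISSING_PCR8 = [(4, STAGE2), (5, CONF)]   # same PCRs, PCR 8 extended silently

if __name__ == "__main__":
    print(validate(QUOTED, LOG, KNOWN_GOOD))
    print(validate(QUOTED, LOG_MISSING_PCR8, KNOWN_GOOD))
```

In the second call PCR 8 carries the same value as in the first, but without logged events the verifier has nothing to replay and can only report it as unverifiable.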