
Merge pull request #831 from nsacyber/v3_release_tweaks
V3 release README.md updates
iadgovuser26 authored Aug 23, 2024
2 parents 606b0ad + ecd479b commit 7cc4060
Showing 15 changed files with 220 additions and 82 deletions.
23 changes: 23 additions & 0 deletions HIRS_Provisioner.NET/README.md
@@ -0,0 +1,23 @@
<h1><center>HIRS Provisioner.NET<BR\></center></h1>

The HIRS Provisioner.NET is an application that can leverage a machine and its TPM to:

* verify system attributes (as chosen in the ACA policy)
* request and store an Attestation Identity Certificate and/or a LDevID Certificate

The HIRS Provisioner.NET application, along with the HIRS ACA, will perform the following high level tasks
during the provision process. Please refer to appendix B for further details:
• The HIRS Provisioner retrieves the EK Certificate from the TPMs NVRAM.
• The HIRS Provisioner retrieves the Platform Certificate from the EFI partition, if present.
• The HIRS Provisioner retrieves the Reference Integrity Manifest (RIM) from the EFI partition, if present.
• The HIRS Provisioner retrieves the TPM Event Log.
• The HIRS Provisioner retrieves Component data from the device.
• An Attestation Identity Key is generated on the TPM, if one is not already present.
• The HIRS Provisioner forwards the collected data and sends it to the ACA.
• The HIRS ACA (Policy based) validates the Endorsement Credential.
• The HIRS ACA (Policy based) validates the Platform Credential(s).
• The HIRS ACA (Policy based) validates and new RIM(s)
• The performs credential validation according to its policy
• If validation is successful, the ACA issues an Attestation Identity Credential or LocalDevID (Policy based) to the device.

For installation, setep, and usage please refer to the [HIRS_Provisioner.NET Readme](https://github.com/nsacyber/HIRS/blob/master/HIRS_AttestationCAPortal/src/main/webapp/docs/HIRS%20.NET%20Provisioner%20Readme_2.2.pdf)
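Review bot: two task-list bullets in the new README are ungrammatical to the point of being unclear: "The HIRS ACA (Policy based) validates and new RIM(s)" should read "validates any new RIM(s)", and "The performs credential validation according to its policy" is missing its subject ("The ACA performs ..."). Further down, "setep" should be "setup", and the usage link still points at the 2.2 document ("HIRS .NET Provisioner Readme_2.2.pdf" on the `master` branch) even though this PR moves the provisioner to 3.0.0; either update the PDF or drop the version from the filename so the link does not rot every release. Smaller points: `<BR\>` in the heading is not a valid line-break tag (use `<br>`), "Please refer to appendix B" refers to an appendix this README does not contain, and the two lists mix `*` and `•` bullets in one file.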
2 changes: 1 addition & 1 deletion HIRS_Provisioner.NET/hirs/HIRS_Provisioner.NET.csproj
Expand Up @@ -8,7 +8,7 @@
<PublishSingleFile>true</PublishSingleFile>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<PackageVersion>2.2.0</PackageVersion>
<PackageVersion>3.0.0</PackageVersion>
<Release></Release>
</PropertyGroup>

3 changes: 3 additions & 0 deletions HIRS_ProvisionerTPM2/README.md
@@ -1,5 +1,8 @@
# HIRS TPM 2.0 Provisioner

Notice: The HIRS TPM 2.0 Provisioner is being deprecated.
Please refer to the [HIRS_Provisioner.Net](https://github.com/nsacyber/HIRS/tree/main/HIRS_Provisioner.NET) for currently supported HIRS provisioner.

### Overview

This document describes the HIRS TPM 2.0 Provisioner, a program that can leverage a machine and its TPM to:
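Review bot: the deprecation notice links to `https://github.com/nsacyber/HIRS/tree/main/HIRS_Provisioner.NET`, while the new HIRS_Provisioner.NET/README.md added in this same PR links into `blob/master/...`; settle on one default-branch name, since one of the two URLs will 404. The product is also spelled "HIRS_Provisioner.Net" here and "HIRS Provisioner.NET" elsewhere, and "for currently supported HIRS provisioner" wants an article ("for the currently supported HIRS provisioner"). Since this is a deprecation, consider stating the release in which the TPM 2.0 Provisioner will be removed so users can plan migration.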
194 changes: 133 additions & 61 deletions README.md

2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
2.1.3
3.0.0
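Review bot: before this change VERSION read 2.1.3 while HIRS_Provisioner.NET.csproj read 2.2.0, so the two hand-edited version strings had already drifted apart; this PR resets both to 3.0.0 but does nothing to stop the same drift next release. Suggest having the build derive `<PackageVersion>` (and the per-tool VERSION files) from this one file, or adding a CI check that fails when they disagree.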
Binary file added images/ACA_ValidationReports.png
Binary file added images/AcceptanceTest_CIS.png
Binary file added images/EndorsementCertificate.png
Binary file added images/HIRS_ACA_MAIN_PAGE.png
Binary file added images/PlatformCertificate.png
Binary file added images/RIM_Certificate.png
Binary file added images/TCG_AcceptanceTest.png
34 changes: 22 additions & 12 deletions tools/tcg_eventlog_tool/README.md
@@ -1,12 +1,12 @@
To support the [PC Client RIM Specification](https://trustedcomputinggroup.org/wp-content/uploads/TCG_PC_Client_RIM_r0p15_15june2020.pdf) which utilizes the TPM Event Log as a Support RIM type , it was useful to have a tool for inspecting the contents of the [TPM event log](https://github.com/nsacyber/HIRS/wiki/TPM-Event-Logs). A Linux command line tool named "elt" (event log tool) has been created to parse and print human readable output, provide hexidecimal events which can be used as test patterns, and to compare event logs for providing details on what events miscompared.
To support the [PC Client RIM Specification](https://trustedcomputinggroup.org/resource/tcg-pc-client-reference-integrity-manifest-specification/) which utilizes the TPM Event Log as a Support RIM type , it was useful to have a tool for inspecting the contents of the [TPM event log](https://github.com/nsacyber/HIRS/wiki/TPM-Event-Logs). A Linux command line tool named "elt" (event log tool) has been created to parse and print human readable output, provide hexidecimal events which can be used as test patterns, and to compare event logs for providing details on what events mis-compared.

Note that a TCG Event Log will only be populated on a given device if the device:
1. Utilizes TCG compliant UEFI Firmware.
2. Has a TPM 1.2 or 2.0 that has been activated prior to the current boot.
3. Has a TCG aware OS (Most flavors of Linux and Windows 10).
2. Has a TPM 2.0.
3. Has a TPM aware OS (Most flavors of Linux and Windows).

The default locations for the TCG Event Log are:
* Windows: C:\Windows\Logs\MeasuredBoot\
* Windows: C:\Windows\Logs\MeasuredBoot\
* Linux: /sys/kernel/security/tpm0/ with a default name of "binary_bios_measurements"

# Building
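Review bot: the rewritten prerequisite "Has a TPM 2.0." drops the qualifier from the old text that the TPM "has been activated prior to the current boot"; a TPM 2.0 that is present but disabled in firmware produces no event log, so the condition still matters and should be kept ("Has a TPM 2.0 that is enabled at boot."). If removing TPM 1.2 reflects a deliberate drop of support in the tool, say so in the release notes rather than only in this list. Also, "hexidecimal" in the first paragraph should be "hexadecimal", and the Windows path line appears identical in both versions, which suggests a whitespace-only edit worth confirming.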
Expand All @@ -15,8 +15,8 @@ The default locations for the TCG Event Log are:
To build this tool navigate to the tcg_eventlog-tool directory and use the following command:
> ./gradlew clean build
## Windows 10
Several options exist for building on Windows 10:
## Windows
Several options exist for building on Windows 11:

1. Windows command shell (CMD.exe):
* Navigate to the tcg_eventlog_tool folder and run the widows gradle wrapper:
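Review bot: the heading was generalized from "Windows 10" to "Windows", but the sentence under it was narrowed to "Several options exist for building on Windows 11:"; the two should agree (e.g. "Windows 10/11" in the sentence, or just "Windows"). The unchanged context line "run the widows gradle wrapper" carries a long-standing typo ("Windows") that this pass could fix while it is here.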
Expand All @@ -28,16 +28,26 @@ Several options exist for building on Windows 10:
In both cases the tcg_eventlog_tool-X.X.jar file should have been placed in the build\libs\tools\ (Windows) or build/libs/tools/ (Linux) folder.

# Packaging
Currenty only a install file for Linux RPM is supported.
Packages for this tool can be found on the [HIRS release page](https://github.com/nsacyber/HIRS/releases)

To create an RPM on a linux device use the following command in the same directory:
> ./gradlew buildRPM
Currently only a packaging for Linux is supported.

To create an RPM on a Redhat or Rocky linux device use the following command in the same directory:
> ./gradlew buildRpm
or for a Debian or Ubuntu Linux device:
> ./gradlew buildDeb
the package can be found under the build/distributions/ folder

# Installing
Currenty only a install package for Linux is supported.
Currently only a install package for Linux is supported.

To install this tool on a Redhat or Rocky Linux distro use the following command from the same directory:
> sudo dnf install build/distributions/tcg_eventlog_tool*.rpm
To install this tool use the following commmand from the same directory:
> sudo yum localinstall build/distributions/tcg_eventlog_tool*.rpm
or for a Debian or Ubuntu Linux distro:
> sudo apt-get install build/distributions/tcg_eventlog_tool*.deb
# Usage
## Linux
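Review bot: the new sentence sends users to prebuilt packages on the HIRS release page and the install steps then run `sudo dnf install` / `sudo apt-get install` on them, but nothing tells the reader how to verify what was downloaded (a checksum or signature published alongside the release). For a tool that feeds an attestation pipeline that is worth one line here. Smaller points: "Currently only a install package for Linux is supported." should be "an install package"; "the package can be found under the build/distributions/ folder" needs a capital and a full stop; and `buildRPM` to `buildRpm` is a user-visible rename of the Gradle task, so it belongs in the release notes too.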
2 changes: 1 addition & 1 deletion tools/tcg_eventlog_tool/VERSION
@@ -1 +1 @@
1.0
3.0.0
42 changes: 36 additions & 6 deletions tools/tcg_rim_tool/README.md
@@ -1,15 +1,45 @@
To support the [TCG RIM concept](https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model_v1-r13_2feb20.pdf) a new command line application alled the The tcg_rim_tool has been created.
The tcg_rim_tool can be used to create NISTIR 8060 compatible SWID tags that adhere to the [TCG PC Client RIM specification](https://trustedcomputinggroup.org/wp-content/uploads/TCG_PC_Client_RIM_r0p15_15june2020.pdf).
To support the [TCG RIM concept](https://trustedcomputinggroup.org/resource/tcg-reference-integrity-manifest-rim-information-model/) a new command line application called the The tcg_rim_tool has been created.
The tcg_rim_tool can be used to create NISTIR 8060 compatible SWID tags that adhere to the [TCG PC Client RIM specification](https://trustedcomputinggroup.org/resource/tcg-pc-client-reference-integrity-manifest-specification/).
It also supports the ability to digitally sign the Base RIM file as the HIRS ACA will require a valid signature in order to upload any RIM file.

# Building
To build this tool navigate to the tcg_eventlog-tool directory and use the following commmand:
## Linux
To build this tool navigate to the tcg_eventlog-tool directory and use the following command:
> ./gradlew clean build
## Windows
Several options exist for building on Windows 11:

1. Windows command shell (CMD.exe):
* Navigate to the tcg_eventlog_tool folder and run the widows gradle wrapper:
> gradlew.bat clean build
2. Windows powershell with Windows Subsystem for Linux enabled.
* Navigate to the tcg_eventlog_tool folder and run the Linux gradle wrapper:
> ./gradlew clean build
In both cases the tcg_rim_tool-X.X.jar file should have been placed in the build\libs\tools\ (Windows) or build/libs/tools/ (Linux) folder.

# Packaging
Packages for this tool can be found on the [HIRS release page](https://github.com/nsacyber/HIRS/release

Currently only a packaging for Linux is supported.

To create an RPM package on a Redhat or Rocky linux device use the following command in the same directory:
> ./gradlew buildRpm
or for a Debian or Ubuntu Linux distro:
> ./gradlew buildDeb
the package can be found under the build/distributions/ folder

# Installing
Currently only a install packages for Linux are supported.

To install this tool on a Redhat or Rocky Linux distro use the following command from the same directory:
> sudo dnf install build/distributions/tcg_eventlog_tool*.rpm
To package the tcg_rim_tool use the [package.sh](https://github.com/nsacyber/HIRS/blob/master/tools/tcg_rim_tool/package.sh) script to produce an RPM file for Linux distrobustions that support thw RPM package manager. The rpm file will be located in the rpmbuild/RPMS/x86_64/ directory if the package script was sucessful.
Although packaging for other distributions is not currently avialble the tool can be built an run on other systems that support java and gradle, such as windows 10.
or for a Debian or Ubuntu Linux distro:
> sudo apt-get install build/distributions/tcg_eventlog_tool*.deb
# Usage
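Review bot: several lines in this hunk were copied from tools/tcg_eventlog_tool/README.md without renaming the tool, so a user following the text builds or installs the wrong thing: "navigate to the tcg_eventlog-tool directory", "Navigate to the tcg_eventlog_tool folder" (twice), `sudo dnf install build/distributions/tcg_eventlog_tool*.rpm` and `sudo apt-get install build/distributions/tcg_eventlog_tool*.deb` should all say tcg_rim_tool. The release-page link `https://github.com/nsacyber/HIRS/release` is truncated (missing the trailing `s` and the closing `)` of the markdown link). Also "called the The tcg_rim_tool" doubles "the", "Currently only a install packages for Linux are supported" should read "only install packages for Linux are supported", and since the sentence "the HIRS ACA will require a valid signature in order to upload any RIM file" is the trust-anchor statement for this tool, it would help to say which certificate the ACA must trust for that signature.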

Expand All @@ -20,4 +50,4 @@ The tcg_eventlog_tool also can be invoked using java from the tcg_eventlog_tool

> java -jar build/libs/tools/tcg_rim_tool-1.0.jar -h
Current options for the tool can be found using the -h option.
Current options for the tool can be found using the -h option.
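Review bot: the usage example still invokes `tcg_rim_tool-1.0.jar` while the rest of this PR moves tool versions to 3.0.0 (tools/tcg_eventlog_tool/VERSION), so check that 1.0 still matches the built jar or switch to the `tcg_rim_tool-X.X.jar` placeholder used earlier in the same file. The hunk's own context line, "The tcg_eventlog_tool also can be invoked using java from the tcg_eventlog_tool", is another copy-paste leftover in the rim tool README. The only actual change in this hunk is adding a trailing newline.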
