2 # Config for PTS Client (ptsc) on Linux
7 ################################################################################
9 ################################################################################
14 openpts.version=@VERSION@
17 # Platform metadata (SMBIOS) - TBD
21 # platform.system.manufacturer=LENOVO
22 # platform.system.productname=745749J
23 # platform.system.version=ThinkPad X200
24 # platform.bios.version=6DET58WW
26 platform.system.manufacturer=TBD
27 platform.system.productname=TBD
28 platform.system.version=TBD
29 platform.bios.version=TBD
32 # Runtime metadata - TBD
34 # e.g. Fedora12 : redhat, fedora, 12
35 # runtime.vendor.name=redhat
36 # runtime.distro.name=fedora
37 # runtime.distro.version=12
39 # e.g. RHEL6 : redhat, rhel, 6
40 # runtime.vendor.name=redhat
41 # runtime.distro.name=rhel
42 # runtime.distro.version=6
44 runtime.vendor.name=TBD
45 runtime.distro.name=TBD
46 runtime.distro.version=TBD
49 ################################################################################
51 # Used to generate Platform Manifest and Integrity Report
52 ################################################################################
55 # Dir of Platform FSMs
57 model.dir=/usr/share/openpts/models
61 # Dir to store the manifest
63 # set the location to store the manifest of this platform
64 # The manifest is generated by the 'ptsc -i' command
66 rm.basedir=/var/lib/openpts/
70 # Number of manifests (RMs)
73 # 2 RM[0]:BIOS, RM[1]:IPL and OS
79 # RM[0] Legacy BIOS OR UEFI BIOS models
81 # BIOS(SRTM) uses PCR0 to PCR7
82 rm.model.0.pcr.0=bios_pcr0.uml
83 rm.model.0.pcr.1=bios_pcr1.uml
84 rm.model.0.pcr.2=bios_pcr2.uml
85 rm.model.0.pcr.3=bios_pcr3.uml
86 rm.model.0.pcr.4=bios_pcr4.uml
87 rm.model.0.pcr.5=bios_pcr5.uml
88 rm.model.0.pcr.6=bios_pcr6.uml
89 rm.model.0.pcr.7=bios_pcr7.uml
91 # UEFI BIOS(SRTM) uses PCR0 to PCR7
92 #rm.model.0.pcr.0=uefi_pcr0.uml
93 #rm.model.0.pcr.1=uefi_pcr1.uml
94 #rm.model.0.pcr.2=uefi_pcr2.uml
95 #rm.model.0.pcr.3=uefi_pcr3.uml
96 #rm.model.0.pcr.4=uefi_pcr4.uml
97 #rm.model.0.pcr.5=uefi_pcr5.uml
98 #rm.model.0.pcr.6=uefi_pcr6.uml
99 #rm.model.0.pcr.7=uefi_pcr7.uml
102 # RM[1] IPL models (GRUB-IMA)
104 # Used to generate Runtime Manifest and Integrity Report
105 # You have to build and install GRUB-IMA
108 # rm.model.1.pcr.4=grub_pcr4.uml
109 # rm.model.1.pcr.5=grub_pcr5.uml
110 # rm.model.1.pcr.8=grub_pcr8.uml
113 # rm.model.1.pcr.4=grub_livecd_pcr4.uml
114 # rm.model.1.pcr.5=grub_pcr5.uml
115 # rm.model.1.pcr.8=grub_pcr8.uml
118 # RM[1] OS (Linux-IMA with GRUB-IMA)
120 # Used to generate Runtime Manifest and Integrity Report
121 # You have to enable Linux-IMA
123 # Kernel boot parameters to add in /boot/grub/grub.conf (or menu.conf):
125 # Fedora12 'ima_tcb=1'
126 # RHEL6 'ima=on ima_tcb'
127 # Intel TPM 'tpm_tis.force=1 tpm_tis.interrupts=0 tpm_tis.itpm=1'
129 # rm.model.1.pcr.10=rhel6_ima_pcr10.uml
133 # RM[1] OpenPTS Collector (ptsc)
135 # rm.model.1.pcr.11=ptsc_pcr11.uml
139 # RM[0] Intel TXT tboot (DRTM)
141 # rm.model.0.pcr.17=tboot_pcr17.uml
142 # rm.model.0.pcr.18=tboot_pcr18.uml
143 # rm.model.0.pcr.19=tboot_pcr19.uml
145 ################################################################################
147 ################################################################################
150 # Dir to store the platform data
152 config.dir=/var/lib/openpts
155 # Dir to store the IR
157 # IR file will be /tmp/.ptsc/VerifierUUID_IRUUID.xml
163 # File to store the Collector UUID
165 uuid.file=/var/lib/openpts/uuid
169 # File to store the current manifest UUID
171 rm.uuid.file=/var/lib/openpts/rm_uuid
175 # File to store the manifest UUID for next/new boot
177 newrm.uuid.file=/var/lib/openpts/newrm_uuid
179 ################################################################################
181 ################################################################################
189 ################################################################################
191 ################################################################################
194 # Attestation(sign) key
197 # tss use tcsd ps_system
198 # blob use a key blob file (set the filename with aik.storage.filename)
201 # null use the null secret
202 # common use the common secret
204 # Uncomment the following lines for an Infineon TPM (v1.2)
205 # aik.storage.type=blob
206 # aik.storage.filename=key.blob
207 # aik.auth.type=common
212 # null tpm_takeownership with a null password (just press enter)
213 # known tpm_takeownership with the -z option, i.e. the TSS well-known SRK secret (20 zero bytes); it provides no access control of its own
215 srk.password.mode=known
218 # Force-reset the TPM LOCK FLAG if your TPM returns the 0x803 error
220 # off don't reset the TPM (default)
221 # on reset the TPM LOCK FLAG
223 # 0x803 is the TPM_DEFEND_LOCK_RUNNING error.
224 # TPMs from WEC have this problem; set this to 'on' for them.
225 # Note that the TPM owner and SRK secrets must be the well-known values, since resetting the lock requires ownership.
226 # (tpm_takeownership -y -z)
232 # Select TPM_Quote or TPM_Quote2
234 # quote use TPM_Quote
235 # quote2 use TPM_Quote2
237 # TPM v1.1b does not support TPM_Quote2.
238 # OpenSSL before version 1.0 cannot validate the TPM_Quote2 signature.
239 # If the platform uses DRTM, set this to 'quote2' to cover PCR16-23.
240 # e.g. Ubuntu 10.04 ships an old OpenSSL and thus cannot verify the Quote2 signature;
241 # set this to 'quote' there.
243 tpm.quote.type=quote2
249 # tss get IML through TSS
250 # securityfs get IML through securityfs (w/o TSS)
252 # Configure the TSS (TrouSerS) to handle the event logs measured by the BIOS and
253 # Linux-IMA by editing the /etc/tcsd.conf file.
254 # E.g. BIOS + GRUB-IMA + Linux-IMA
256 # firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
257 # kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
258 # firmware_pcrs = 0,1,2,3,4,5,6,7,8
261 # If the TSS cannot handle the BIOS or Linux-IMA event log,
262 # OpenPTS can read the IML files directly as an alternative.
263 # In that case, also specify the IML files as follows.
265 # iml.mode=securityfs
266 # bios.iml.file=/sys/kernel/security/tpm0/binary_bios_measurements
267 # runtime.iml.file=/sys/kernel/security/ima/binary_runtime_measurements
268 # pcrs.file=/sys/class/misc/tpm0/device/pcrs
272 # bios.iml.file=/sys/kernel/security/tpm0/binary_bios_measurements
273 # runtime.iml.file=/sys/kernel/security/ima/binary_runtime_measurements
274 # pcrs.file=/sys/class/misc/tpm0/device/pcrs
277 # Linux-IMA eventlog format
279 # IMAORIG kernel 2.6.XX - 2.6.29
280 # IMA31 kernel 2.6.30 - 2.6.31
281 # IMA32 kernel 2.6.32
283 #runtime.iml.type=IMA32
288 # Use the key blob for Infineon TPMs
290 #aik.storage.type=blob
291 #aik.storage.filename=./key.blob
292 #aik.auth.type=common