2 # Config for PTS Client (ptsc) on Linux
7 ################################################################################
9 ################################################################################
17 # Platform metadata (SMBIOS) - TBD
21 # platform.system.manufacturer=LENOVO
22 # platform.system.productname=745749J
23 # platform.system.version=ThinkPad X200
24 # platform.bios.version=6DET58WW
26 platform.system.manufacturer=TBD
27 platform.system.productname=TBD
28 platform.system.version=TBD
29 platform.bios.version=TBD
32 # Runtime metadata - TBD
34 # e.g. Fedora12 : redhat, fedora, 12
35 # runtime.vendor.name=redhat
36 # runtime.distro.name=fedora
37 # runtime.distro.version=12
39 # e.g. RHEL6 : redhat, rhel, 6
40 # runtime.vendor.name=redhat
41 # runtime.distro.name=rhel
42 # runtime.distro.version=6
44 runtime.vendor.name=TBD
45 runtime.distro.name=TBD
46 runtime.distro.version=TBD
49 ################################################################################
51 # Used to generate Platform Manifest and Integrity Report
52 ################################################################################
55 # Dir of Platform FSMs
57 model.dir=/usr/share/openpts/models
61 # Dir to store the manifest
63 # Location where the manifest of this platform is stored.
64 # The manifest is generated by the 'ptsc -i' command and is the reference the verifier checks integrity reports against, so keep this directory writable only by the user that runs ptsc.
66 rm.basedir=/var/lib/openpts/
70 # Number of manifests
73 # 2  RM[0]: BIOS, RM[1]: IPL and OS
81 # BIOS(SRTM) uses PCR0 to PCR7
83 rm.model.0.pcr.0=bios_pcr0.uml
84 rm.model.0.pcr.1=bios_pcr1.uml
85 rm.model.0.pcr.2=bios_pcr2.uml
86 rm.model.0.pcr.3=bios_pcr3.uml
87 rm.model.0.pcr.4=bios_pcr4.uml
88 rm.model.0.pcr.5=bios_pcr5.uml
89 rm.model.0.pcr.6=bios_pcr6.uml
90 rm.model.0.pcr.7=bios_pcr7.uml
94 # RM[1] IPL models (GRUB-IMA)
96 # Used to generate Runtime Manifest and Integrity Report
97 # You have to build and install GRUB-IMA
99 # rm.model.1.pcr.4=grub_pcr4hdd.uml
100 # rm.model.1.pcr.5=grub_pcr5.uml
101 # rm.model.1.pcr.8=grub_pcr8.uml
105 # RM[1] OS (Linux-IMA with GRUB-IMA)
107 # Used to generate Runtime Manifest and Integrity Report
108 # You have to enable Linux-IMA
110 # /boot/grub/grub.conf (or menu.conf)
112 # Fedora12 'ima_tcb=1'
113 # RHEL6 'ima=on ima_tcb'
114 # Intel TPM 'tpm_tis.force=1 tpm_tis.interrupts=0 tpm_tis.itpm=1'
116 # rm.model.1.pcr.10=f12_ima_pcr10.uml
117 # rm.model.1.pcr.10=rhel6_ima_pcr10.uml
121 # RM[1] OS (Linux-IMA without GRUB-IMA)
123 # /boot/grub/grub.conf (or menu.conf)
125 # Fedora12 'ima_tcb=1'
126 # RHEL6 'ima=on ima_tcb'
127 # Intel TPM 'tpm_tis.force=1 tpm_tis.interrupts=0 tpm_tis.itpm=1'
129 # rm.model.1.pcr.10=f12_ima_pcr10wog.uml
130 # rm.model.1.pcr.10=rhel6_ima_pcr10wog.uml -- TBD
136 rm.model.1.pcr.11=openpts.uml
140 # RM[0] Intel TXT tboot (DRTM)
142 rm.model.0.pcr.17=intel_txt_tboot_pcr17.uml
143 rm.model.0.pcr.18=intel_txt_tboot_pcr18.uml
144 rm.model.0.pcr.19=intel_txt_tboot_pcr19.uml
146 ################################################################################
148 ################################################################################
151 # Dir to store the platform data
153 config.dir=/var/lib/openpts
156 # Dir to store the IR
158 # The IR file is written as /tmp/.ptsc/VerifierUUID_IRUUID.xml (note: /tmp is shared and world-writable; point this at a private directory if the report must not be readable or replaceable by other local users)
164 # File to store the Collector UUID
166 uuid.file=/var/lib/openpts/uuid
170 # File to store the current manifest UUID
172 rm.uuid.file=/var/lib/openpts/rm_uuid
176 # File to store the manifest UUID for next/new boot
178 newrm.uuid.file=/var/lib/openpts/newrm_uuid
180 ################################################################################
182 ################################################################################
190 ################################################################################
192 ################################################################################
197 # null   tpm_takeownership with a null (empty) SRK password (just press enter)
198 # known  tpm_takeownership with the -z option (the well-known SRK secret). In either mode any local process that can reach the TSS daemon can use the SRK, which is normal for an attestation collector; do not rely on the SRK secret as a protection.
200 srk.password.mode=known
203 # Force a reset of the TPM LOCK FLAG if your TPM returns error 0x803
205 # off  don't reset the TPM (default)
206 # on   reset the TPM LOCK FLAG
208 # 0x803 is TPM_DEFEND_LOCK_RUNNING: the TPM's dictionary-attack (anti-hammering) defence is engaged. Resetting it on every run removes that protection, so leave this 'off' unless your TPM raises the error spuriously.
209 # TPMs from WEC are known to have this problem; set this to 'on' for them.
210 # Note that resetting the lock requires owner authorization, so the TPM owner password must also be the well-known value
211 # (tpm_takeownership -y -z); any local process that can reach tcsd can then also run owner-authorized commands.
217 # Select TPM_Quote or TPM_Quote2
219 # quote use TPM_Quote
220 # quote2 use TPM_Quote2
222 # TPM v1.1b does not support TPM_Quote2.
223 # OpenSSL before version 1.0 cannot validate a TPM_Quote2 signature.
224 # If the platform uses DRTM, set this to quote2 so that PCR16-23 are covered by the quote; with 'quote' those PCRs (e.g. the tboot PCR17-19 models above) are not attested.
225 # e.g. Ubuntu 10.04 ships an old OpenSSL and therefore cannot verify a Quote2 signature;
226 # set this to 'quote' there, and be aware that the DRTM PCRs are then not covered.
228 tpm.quote.type=quote2
234 # tss         get the IML (Integrity Measurement Log) through the TSS
235 # securityfs  get the IML directly through securityfs (without the TSS)
237 # Configure the TSS (TrouSerS) to handle the event logs measured by the BIOS and
238 # Linux-IMA by editing the /etc/tcsd.conf file.
239 # E.g. BIOS + GRUB-IMA + Linux-IMA
241 # firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
242 # kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
243 # firmware_pcrs = 0,1,2,3,4,5,6,7,8
246 # If the TSS cannot handle the BIOS or Linux-IMA event log,
247 # OpenPTS can read the IML files directly from securityfs instead.
248 # To do so, set iml.mode=securityfs and specify the IML files as follows.
250 # iml.mode=securityfs
251 # bios.iml.file=/sys/kernel/security/tpm0/binary_bios_measurements
252 # runtime.iml.file=/sys/kernel/security/ima/binary_runtime_measurements
253 # pcrs.file=/sys/class/misc/tpm0/device/pcrs
257 # bios.iml.file=/sys/kernel/security/tpm0/binary_bios_measurements
258 # runtime.iml.file=/sys/kernel/security/ima/binary_runtime_measurements
259 # pcrs.file=/sys/class/misc/tpm0/device/pcrs
262 # Linux-IMA eventlog format
264 # IMAORIG kernel 2.6.XX - 2.6.29
265 # IMA31 kernel 2.6.30 - 2.6.31
266 # IMA32 kernel 2.6.32
268 #runtime.iml.type=IMA32