# # Config for PTS Client (ptsc) on Linux # # /etc/ptsc.conf # # ################################################################################ # Platform info ################################################################################ # # OpenPTS version # openpts.version=@VERSION@ # # Logging&Debug # # Normal # debug.mode=0x0 # logging.location=syslog # With debug msg. (syslog does not show debug messages by default. use log file) # debug.mode=0x09 # logging.file=/tmp/openpts.log # debug.mode=0x0 logging.location=syslog # # Platform metadata (SMBIOS) - TBD # # set manually # e.g. # platform.system.manufacturer=LENOVO # platform.system.productname=745749J # platform.system.version=ThinkPad X200 # platform.bios.version=6DET58WW # platform.system.manufacturer=TBD platform.system.productname=TBD platform.system.version=TBD platform.bios.version=TBD # # Runtime metadata - TBD # # e.g. Fedora12 : redhat, fedora, 12 # runtime.vendor.name=redhat # runtime.distro.name=fedora # runtime.distro.version=12 # # e.g. RHEL6 : redhat, rhel, 6 # runtime.vendor.name=redhat # runtime.distro.name=rhel # runtime.distro.version=6 # runtime.vendor.name=TBD runtime.distro.name=TBD runtime.distro.version=TBD ################################################################################ # Reference Manifests # Used to generate Platform Manifest and Integrity Report ################################################################################ # # Dir of Platform FSMs # model.dir=/usr/share/openpts/models # # Dir to store the manifest # # set the location to store the manifest of this platform # The manifest generated by 'ptsc -i' command # rm.basedir=/var/lib/openpts/ # # Number of the manifest # # 1 RM[0]:BIOS only # 2 RM[0]:BIOS, RM[1]:IPL and OS # 3 TBD # rm.num=1 # # RM[0] Legacy BIOS OR UEFI BIOS models # # BIOS(SRTM) uses PCR0 to PCR7 rm.model.0.pcr.0=bios_pcr0.uml rm.model.0.pcr.1=bios_pcr1.uml rm.model.0.pcr.2=bios_pcr2.uml rm.model.0.pcr.3=bios_pcr3.uml rm.model.0.pcr.4=bios_pcr4.uml rm.model.0.pcr.5=bios_pcr5.uml rm.model.0.pcr.6=bios_pcr6.uml rm.model.0.pcr.7=bios_pcr7.uml # UEFI BIOS(SRTM) uses PCR0 to PCR7 #rm.model.0.pcr.0=uefi_pcr0.uml #rm.model.0.pcr.1=uefi_pcr1.uml #rm.model.0.pcr.2=uefi_pcr2.uml #rm.model.0.pcr.3=uefi_pcr3.uml #rm.model.0.pcr.4=uefi_pcr4.uml #rm.model.0.pcr.5=uefi_pcr5.uml #rm.model.0.pcr.6=uefi_pcr6.uml #rm.model.0.pcr.7=uefi_pcr7.uml # # RM[1] IPL models (GRUB-IMA) # # Used to generate Runtime Manifest and Integrity Report # You have to build and install GRUB-IMA # # HDD boot # rm.model.1.pcr.4=grub_pcr4.uml # rm.model.1.pcr.5=grub_pcr5.uml # rm.model.1.pcr.8=grub_pcr8.uml # # Livecd boot # rm.model.1.pcr.4=grub_livecd_pcr4.uml # rm.model.1.pcr.5=grub_pcr5.uml # rm.model.1.pcr.8=grub_pcr8.uml # # RM[1] OS (Linux-IMA with GRUB-IMA) # # Used to generate Runtime Manifest and Integrity Report # You have to enable Linux-IMA # # /boot/grub/grub.conf (or menu.conf) # Set kernel option # Fedora12 'ima_tcb=1' # RHEL6 'ima=on ima_tcb' # Intel TPM 'tpm_tis.force=1 tpm_tis.interrupts=0 tpm_tis.itpm=1' # # rm.model.1.pcr.10=rhel6_ima_pcr10.uml # # RM[1] OpenPTS Collector (ptsc) # # rm.model.1.pcr.11=ptsc_pcr11.uml # # RM[0] Intel TXT tboot (DRTM) # # rm.model.0.pcr.17=tboot_pcr17.uml # rm.model.0.pcr.18=tboot_pcr18.uml # rm.model.0.pcr.19=tboot_pcr19.uml ################################################################################ # Local storage ################################################################################ # # Dir to store the platform data # config.dir=/var/lib/openpts # # Dir to store the IR # # IR file will be /tmp/.ptsc/VerifierUUID_IRUUID.xml # ir.dir=/tmp/.ptsc # # File to store the Collector UUID # uuid.file=/var/lib/openpts/uuid # # File to store the current manifest UUID # rm.uuid.file=/var/lib/openpts/rm_uuid # # File to store the manifest UUID for next/new boot # newrm.uuid.file=/var/lib/openpts/newrm_uuid ################################################################################ # IF-M ################################################################################ # # IF-M timeout [sec] # ifm.timeout=4 ################################################################################ # TPM IML, and TSS ################################################################################ # # Attestation(sign) key # # aik.storage.type # tss use tcsd ps_system # blob use the file (set the filename by aik.storage.filename) # # aik.auth.type # null use the null secret # common use the common secret # # Uncomment the following line for Infineon TPM(v1.2) # aik.storage.type=blob # aik.storage.filename=key.blob # aik.auth.type=common # # SRK password # # null tpm_takeownership with null password (just enter) # known tpm_takeownership with -z option # srk.password.mode=known # # Force reset the TPM LOCK FLAG if your TPM returns 0x803 error # # off don't reset the TPM (default) # on reset TPM LOCK FLAG # # 0x803 is TPM_DEFEND_LOCK_RUNNING error. # TPM from WEC has this problem please set this to 'on' # Note that TPM ownership must be known value since this requires ownership. # (tpm_takeownership -y -z) # tpm.resetdalock=off # # Select TPM_Quote or TPM_Quote2 # # quote use TPM_Quote # quote2 use TPM_Quote2 # # TPM v1.1b did not support TPM_Quote2. # OpenSSL before version 1.0 can't validate TPM_Quote2 signature. # If the platform uses DRTM, set to quote2 to cover PCR16-23 # e.g. Ubuntu 10.04 uses old OpenOOL thus it can't verity Quote2 signature # set this to 'quote' # tpm.quote.type=quote2 # # IML access mode # # tss get IML through TSS # securityfs get IML through securityfs (w/o TSS) # # Configure TSS(TrouSerS) to handle eventlog which measured by BIOS and # LinuxIMA by edit the /etc/tcsd.conf file. # E.g. BIOS + GRUN-IMA + Linux-IMA # # firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements # kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements # firmware_pcrs = 0,1,2,3,4,5,6,7,8 # kernel_pcrs = 10 # # If TSS has a problem to handle BIOS or LinuxIMA's eventlog, # As an alternative, OpenPTS can read the IML files. # Also specify the IML files as follows. # # iml.mode=securityfs # bios.iml.file=/sys/kernel/security/tpm0/binary_bios_measurements # runtime.iml.file=/sys/kernel/security/ima/binary_runtime_measurements # pcrs.file=/sys/class/misc/tpm0/device/pcrs # iml.mode=tss # bios.iml.file=/sys/kernel/security/tpm0/binary_bios_measurements # runtime.iml.file=/sys/kernel/security/ima/binary_runtime_measurements # pcrs.file=/sys/class/misc/tpm0/device/pcrs # # Linux-IMA eventlog format # # IMAORIG kernel 2.6.XX - 2.6.29 # IMA31 kernel 2.6.30 - 2.6.31 # IMA32 kernel 2.6.32 # #runtime.iml.type=IMA32 # # Select Key Storage # # use the blob for Infineon TPM # #aik.storage.type=blob #aik.storage.filename=./key.blob #aik.auth.type=common # EOF