[Openpts-users] RMs for Linux Kernel missing


Mudassar Aslam mudas****@sics*****
Thu Oct 3 03:49:09 JST 2013


Hi again

Thanks for the reply Seiji. The link to the new setup guides was helpful.

I don't want to use Intel TXT, therefore falling back to GRUB-IMA is the only 
option left. Due to different reasons, I have now switched to CentOS 6.4, 
which comes with grub legacy. I am trying to patch grub as specified 
in the user guide. While doing so, I could find and download the SRPM 
(grub-0.97-68.el6.src.rpm) but could not find the relevant patch 
(grub-0.97-68.el6.ima-1.1.0.0.patch): the link given in the user 
guide, i.e. 
http://osdn.dl.sourceforge.jp/openpts/40294/grub-0.97-68.el6.ima-1.1.0.0.patch 
is not valid anymore. I tried to google for it but could not find the 
patch. Do you know any other place from where I can get this patch?

Or, another option is to try some older version (if that does not affect 
OpenPTS), e.g. building an older grub from CentOS 5/RHEL 5 or Fedora 12?

Or, trying with TrustedGRUB 
(http://projects.sirrix.com/trac/trustedgrub/wiki/Documentation) if 
OpenPTS supports that?

thanks in advance.

regards

Mudassar.


On 26/09/2013 00:12, Seiji Munetoh wrote:
> Hi
>
> On Thu, Sep 26, 2013 at 1:18 AM, Mudassar Aslam <mudas****@sics*****> wrote:
>> I am setting up OpenPTS on Fedora 19 and following the user guide for Fedora
>> 12 (section 5.2 in version 0.2.4). I have couple of questions:
> There are new setup guides for some OSs.
> https://github.com/openpts/openpts/wiki
>
>> 1. Fedora 19 comes with grub2 whereas all the help I could find so far to
>> set up measurements for IPL is about GRUB legacy (0.97 with patch). Even the
>> OpenPTS user guide describes about old grub. I don't mind if my reference
>> manifests don't have measurements for the grub. Is it necessary to have grub
>> measurements when Linux-IMA is used? If yes, is it necessary to use old grub
>> with patch or I can configure grub2 as well somehow?
> Unfortunately, grub2 does not support trusted boot.
> Therefore we cannot establish a transitive trust chain from CRTM to
> Linux kernel for F19.
> The alternative is DRTM at boot if your machine supports Intel TXT.
>
> In this case, you can validate the BIOS and IMA measurements (without
> trust chain) by attestation.
>
>> 2. I am asking this because when I initialize the collector (ptsc -i), I get
>> level 0 and level 1 RMs (i.e. rm0.xml, rm1.xml). However, when I check the
>> status (ptsc -D), the FSM models it displays are only for BIOS (pcr0 to
>> pcr7). Which means that GRUB models (pcr4,5,8) are not generated (may be
>> because I don't have GRUB-IMA). But at the same time model and RM for pcr 10
>> (Linux-IMA) is also missing even though I have compiled kernel with IMA
>> enabled and have IMA measurements in /sys/kernel/security/ima/. Is this due
>> to the missing GRUB-IMA?
> Probably, the current validation model does not support validation of
> IMA measurements without trust chain (lack of GRUB-IMA).
>
>> 3. The UML model for PCR10 in /usr/share/openpts/models is
>> ima_rhel6_pcr10.uml. Is it OK to use this model in my /etc/ptsc.conf file
>> when I am using Fedora?
> I have not tested this with F19.
> Also the validation of all IMA measurements has still some challenges.
> - Limit the number of measurements by policy to solve the performance problem.
> - Setup whitelist database
>
> --
> Seiji
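
To make the PCR 10 / Linux-IMA discussion in questions 2 and 3 concrete, here is an added example, written for this archive page and not part of the mailing-list thread or of OpenPTS. It does what any verifier of the IMA log has to do: read the entries of /sys/kernel/security/ima/ascii_runtime_measurements, extend a zeroed PCR with each template hash (the kernel extends 0xff..ff instead of the logged zero hash for a violation entry), and compare the result with the TPM's PCR-10. It also recomputes the legacy "ima" template hash, SHA-1 over the 20-byte file hash followed by the filename NUL-padded to 256 bytes, which is what the RHEL 6 / Fedora 12-era kernels referred to in the thread log; this catches a tampered filename column that the PCR replay alone cannot see, since the PCR only covers the template hash. The sample log lines are constructed here with arbitrary file hashes, the sysfs paths in the `__main__` block are the TPM 1.2 locations assumed for this example, and entries in other templates (ima-ng) are replayed but not re-hashed.

```python
import hashlib
import os

PCR_SIZE = 20                      # SHA-1 PCRs (TPM 1.2, as in the thread)
IMA_EVENT_NAME_LEN_MAX = 255       # kernel constant: "ima" template pads the name to 256 bytes
ZERO_DIGEST = b"\x00" * PCR_SIZE
VIOLATION_EXTEND = b"\xff" * PCR_SIZE   # kernel extends all-0xff for a violation entry


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def ima_template_hash(filedata_hash: bytes, filename: str) -> bytes:
    """Template hash of the legacy "ima" template:
    SHA1(filedata_hash[20] || filename NUL-padded to IMA_EVENT_NAME_LEN_MAX + 1 bytes)."""
    name = filename.encode()[:IMA_EVENT_NAME_LEN_MAX]
    return hashlib.sha1(filedata_hash + name.ljust(IMA_EVENT_NAME_LEN_MAX + 1, b"\x00")).digest()


def parse_ima_line(line: str) -> dict:
    """One ascii_runtime_measurements line:
    <pcr> <template-hash> <template-name> <filedata-hash> <filename>
    The filename is the remainder of the line, so embedded spaces survive."""
    pcr, thash, tname, fhash, fname = line.rstrip("\n").split(" ", 4)
    return {"pcr": int(pcr), "template_hash": bytes.fromhex(thash),
            "template_name": tname, "filedata_hash": bytes.fromhex(fhash),
            "filename": fname}


def entries(log_text: str):
    return [parse_ima_line(l) for l in log_text.splitlines() if l.strip()]


def replay_pcr10(log_text: str) -> str:
    """Replay the log into a zeroed PCR and return the expected PCR-10 as hex."""
    pcr = ZERO_DIGEST
    for e in entries(log_text):
        if e["pcr"] != 10:
            continue
        digest = e["template_hash"]
        if digest == ZERO_DIGEST:        # violation: log shows zeros, kernel extended 0xff
            digest = VIOLATION_EXTEND
        pcr = pcr_extend(pcr, digest)
    return pcr.hex()


def check_template_hashes(log_text: str) -> list:
    """Filenames of "ima"-template entries whose template hash does not match
    the logged file hash and name. Violation entries (zero hash) are skipped."""
    bad = []
    for e in entries(log_text):
        if e["template_name"] != "ima" or e["template_hash"] == ZERO_DIGEST:
            continue
        if ima_template_hash(e["filedata_hash"], e["filename"]) != e["template_hash"]:
            bad.append(e["filename"])
    return bad


def format_ima_line(filedata_hash: bytes, filename: str) -> str:
    """Build a well-formed "ima" template line (used only to construct sample input)."""
    return f"10 {ima_template_hash(filedata_hash, filename).hex()} ima {filedata_hash.hex()} {filename}"


def pcrs_file_value(pcrs_text: str, index: int = 10) -> str:
    """Extract one PCR from the TPM 1.2 sysfs 'pcrs' format ('PCR-10: AA BB ...')."""
    for line in pcrs_text.splitlines():
        label, _, value = line.partition(":")
        if label.strip() == f"PCR-{index:02d}":
            return "".join(value.split()).lower()
    raise KeyError(f"PCR-{index:02d} not found")


# Constructed sample log (not captured from a real machine); file hashes are arbitrary.
SAMPLE_LOG = "\n".join([
    format_ima_line(hashlib.sha1(b"boot_aggregate-sample").digest(), "boot_aggregate"),
    format_ima_line(hashlib.sha1(b"init-sample").digest(), "/sbin/init"),
    format_ima_line(hashlib.sha1(b"bash-sample").digest(), "/bin/bash"),
])

if __name__ == "__main__":
    # Assumed TPM 1.2 / securityfs locations; adjust for the machine being checked.
    ima_log = "/sys/kernel/security/ima/ascii_runtime_measurements"
    pcrs = "/sys/class/tpm/tpm0/device/pcrs"
    log_text = open(ima_log).read() if os.path.exists(ima_log) else SAMPLE_LOG
    print("bad template hashes:", check_template_hashes(log_text) or "none")
    expected = replay_pcr10(log_text)
    print("replayed PCR-10:", expected)
    if os.path.exists(pcrs):
        actual = pcrs_file_value(open(pcrs).read(), 10)
        print("TPM PCR-10:     ", actual, "(match)" if actual == expected else "(MISMATCH)")
```

A mismatch between the replayed and the TPM value means the log was truncated or altered after the fact, or that the kernel extended something the log does not show; a matching PCR with bad template hashes means the PCR is genuine but the filename column was edited. Both checks together are what a remote verifier such as ptsc's PCR 10 model needs before it can start comparing file hashes against a whitelist.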
