Client Registration

Charles Fisher

Client Registration is the process of taking ownership of the Trusted Platform Module (TPM), generating the Attestation Identity Key (AIK) and the True Identity Key (TIK) and generating both the golden PCRs verification block and the certificate signing request (CSR) for the AIK. It is also the process of generating a set of policies that [tboot] will enforce to ensure that the kernel has not been tampered with, thereby ensuring that the IMA measurements are a part of a chain of trust from the TPM to the actual program measurements.

The TPM provides a mechanism for creating a TIK, which is a non-migratable key that can only be used for signing a quote from the TPM. Ideally, the creation of this key requires that the TPM manufacturer has created a certificate for the Endorsement Key (EK) associated with this specific TPM, and that the key creation process has access to that public certificate. Unfortunately, almost no manufacturer today produces such a certificate, and in the typical environments in which attestation is run, access to the Certificate Authority (CA) that holds that certificate is problematic.

The solution is to have the client system act as the CA holding the EK certificate. Since registration is normally done immediately after installation (typically during first boot) while the client system is in a protected state, this is a reasonably safe alternative.

This module is provided as a source RPM. It will generate 1 binary RPM, which will consist of five programs. It is dependent on the [Attestation Utilities], [trousers], and [tboot]. All of the programs are required to run as root.

The five programs this module consists of are:
1. fbInitTPM
2. genpcrs
3. genaikcsr
4. LCP_Update
5. map_ima

fbInitTPM is responsible for
1. Taking ownership of the TPM
2. Generating the AIK by the TPM
3. Generating the TIK by the TPM

genpcrs is responsible for generating the golden PCRs block, which is transferred to the Policy Decision Point (PDP) for later use in determining whether the client system has had its hardware or firmware changed since installation. The golden PCRs block consists of the golden quote and the TIK verify block.

The golden quote consists of
1. A Nonce. This is a fixed value
2. PCRs 0-7, 10, 17, 18, and 19
3. Signature of the block including the nonce and the PCRs signed by the TPM using the private key of the TIK.

The verify block consists of
1. TIK public key
2. The SHA1 hash of the TIK public key
3. Signature of the SHA1 hash of the TIK public key signed with the AIK private key.

The golden PCRs block should be transported to the PDP immediately after it is generated, to ensure that it cannot be tampered with before it is safely stored on the PDP.

genaikcsr is responsible for generating a certificate signing request for the AIK. This CSR should also be transferred to the PDP immediately after it is generated.

LCP_Update is responsible for generating the Launch Control Policy (LCP), which, in conjunction with the Intel-provided SINIT modules, is used to ensure that tboot itself has not been tampered with since the policy was generated. It will also generate the Verified Launch (VL) policy, which, in conjunction with tboot, ensures that the kernel and initrd files have not been tampered with since the policy was generated. Note that in each case, the command line arguments provided to tboot and the kernel are included in the policy, so that any attempt to modify the behavior of either by modifying the command line arguments will be detected, and the boot process halted. The command line arguments used for generating the policy will be the ones found in the /boot/grub/grub.conf file for both tboot and the kernel.

map-ima is responsible for forcing the integrity measurement of an arbitrary list of files. These include executable files whose integrity is considered crucial for the integrity of the system but that might not have been executed at the time an IMR is requested, and which should therefore be contained in the IMR, as well as non-executable files such as configuration files. This program uses a single data file, /etc/attest/ima_policy, which is just a list of files that are to be measured.
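
One way to confirm that every file in the list has actually been measured is to compare the list against the kernel's IMA measurement log. The script below is an added example, not part of this module: it assumes one path per line in the list and the `ima` / `ima-ng` line layout of the kernel's ascii_runtime_measurements file, and its sample list and log lines are constructed.

```python
# Added example: audit an ima_policy-style file list against the IMA log.
# Assumes one path per line in the list, and log lines in the kernel's
# ascii_runtime_measurements layout using the "ima" or "ima-ng" template.

def parse_file_list(text):
    """Return the paths named in the list, skipping blank lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def parse_measurements(text):
    """Map each measured path to its file digests, in log order."""
    seen = {}
    for line in text.splitlines():
        # Fields: PCR, template hash, template name, file digest, path
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2] not in ("ima", "ima-ng"):
            continue
        digest = parts[3].split(":", 1)[-1]  # drop the "sha1:" prefix of ima-ng
        seen.setdefault(parts[4].rstrip(), []).append(digest)
    return seen

def audit(file_list_text, measurements_text):
    """Classify each listed file as ok, missing, changed or violation."""
    seen = parse_measurements(measurements_text)
    report = {}
    for path in parse_file_list(file_list_text):
        digests = seen.get(path, [])
        if not digests:
            report[path] = "missing"    # never measured, so absent from the log
        elif any(set(d) == {"0"} for d in digests):
            report[path] = "violation"  # all-zero digest: IMA logged a violation
        elif len(set(digests)) > 1:
            report[path] = "changed"    # content differed between measurements
        else:
            report[path] = "ok"
    return report

# Constructed sample data, not taken from a real system.
SAMPLE_LIST = "/usr/sbin/sshd\n/etc/ssh/sshd_config\n\n/etc/attest/extra.conf\n/etc/hosts\n"
SAMPLE_LOG = "\n".join([
    "10 " + "a1" * 20 + " ima-ng sha1:" + "11" * 20 + " /usr/sbin/sshd",
    "10 " + "a2" * 20 + " ima-ng sha1:" + "22" * 20 + " /etc/ssh/sshd_config",
    "10 " + "a3" * 20 + " ima-ng sha1:" + "33" * 20 + " /etc/ssh/sshd_config",
    "10 " + "00" * 20 + " ima-ng sha1:" + "00" * 20 + " /etc/hosts",
    "10 " + "a4" * 20 + " ima " + "44" * 20 + " boot_aggregate",
])

if __name__ == "__main__":
    for path, status in audit(SAMPLE_LIST, SAMPLE_LOG).items():
        print(f"{status:10}{path}")
```

On a live system the two inputs would be the contents of /etc/attest/ima_policy and of the IMA measurement list exposed under securityfs, both read as root.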

