Getting Started
- Set up the Attestation CA and Client (refers to the Installation Notes page)
- Install a HIRS server
- Enable your client device's TPM in its BIOS (typically defaults to enabled)
- Install the HIRS provisioner on a TPM-enabled device
- Test the HIRS client/server setup
- Configure the Attestation CA to perform Endorsement Credential Validation
- Determine the TPM manufacturer using the ACA Portal or the command line utilities
- Download the TPM manufacturer's trust chain (root and intermediate CA certificates)
- Upload the TPM manufacturer's CA certificates to the ACA
- Test the EK Credential validation
- Configure the Attestation CA to perform Platform Credential Validation
Make sure to disable all Credential Validations on the Policy page of the ACA:
- On the client, issue the following command in a terminal.
On Linux:
> sudo tpm_aca_provision
On Windows, open a PowerShell terminal as an administrator:
> tpm_aca_provision
- Select the Validation Reports tab to see the status of the request.
- A green check mark under the Result column indicates success. Note that there are no checks in the Endorsement, Platform, or Platform Attributes columns: the current policy did not require any credential validation, so a client presenting no credentials at all would have passed just the same.
In an operational environment, the TPM manufacturer should be determined by consulting system specifications issued by the vendor at purchase time. However, for this proof-of-concept, it is acceptable to look up the manufacturer from the local device.
Even though the Endorsement Credential was not required by the ACA during provisioning, it should have been delivered as part of the request.
- To see the Endorsement Certificate, select the Endorsement Credentials page (also called the Endorsement Key Credentials page):
- To see the details of the Endorsement Credential, select the display icon for the credential obtained during the provisioning process. Read the issuer field to determine the manufacturer:
Identify the client's TPM manufacturer and obtain a copy of that manufacturer's trust chain (one or more X.509 certificates used to validate Endorsement Credentials).
To determine the manufacturer from the TPM itself, read its fixed properties (on older tpm2-tools 3.x releases the syntax is tpm2_getcap -c properties-fixed):
> tpm2_getcap properties-fixed
Typical output:
TPM2_PT_MANUFACTURER:
raw: 0x49465800
value: "IFX"
The value field is the vendor's four-character ID as listed in the TCG Vendor ID Registry; the raw field is the same string as big-endian ASCII bytes (here 'I', 'F', 'X' and a NUL pad byte). Some vendor IDs, such as ST Microelectronics' "STM ", end in a space rather than a NUL.
Now you are ready to download the TPM manufacturer's root and intermediate CA certificates.
The best single source for TPM manufacturer CA certificates is kept by Microsoft: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-install-trusted-tpm-root-certificates
Some TPM manufacturers have TPM CA certificates available on the web (not a complete list):
Infineon: https://www.infineon.com/cms/en/product/promopages/optiga_tpm_certificates/#SLB9670xx2.0
ST Microelectronics (a data brief that lists the URLs for the certificates): https://www.st.com/content/ccc/resource/technical/document/data_brief/fc/46/5e/73/66/bf/42/d4/DM00213539.pdf/files/DM00213539.pdf/jcr:content/translations/en.DM00213539.pdf
Once the certificates have been downloaded they may need to be unzipped. Once they are available as individual certificate files, proceed to upload the trusted certificate(s) to the ACA.
Navigate to the Trust Chain Management page and click the import icon next to "Import Trust Chain CA Certificate" to upload the certificates.
You can load a single certificate or all the certificates provided by the manufacturer at this stage. Note that while there could be dozens of manufacturer certificates, typically only a few are needed.
For the Endorsement Credential, what is needed is the certificate of the CA that issued it plus every certificate above that one up to the manufacturer's root. There may be several, depending upon the PKI configuration of the manufacturer. Verify the chain locally before relying on it: an EK certificate that does not chain to the uploaded CA certificates will fail validation once the policy is enabled, and a chain that happens to validate only because an unrelated CA file was uploaded is a trust-store mistake.
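As an added example that is not part of the HIRS wiki or the HIRS/PACCOR code, the script below performs the manufacturer lookup and the local chain check described above on the client: it decodes the raw TPM2_PT_MANUFACTURER value into the vendor ID, reads the RSA Endorsement Key certificate out of the TPM's NV storage, prints its issuer, and runs openssl verify against the manufacturer CA files. It assumes tpm2-tools 4.x/5.x command syntax, OpenSSL, that the RSA EK certificate lives at the TCG EK Credential Profile NV index 0x01C00002 (ECC EK certificates use 0x01C0000A), and that the downloaded CA certificates have been placed as PEM files in the directory named by the hypothetical TPM_CA_DIR variable (default ./tpm-ca). If a vendor ships DER files, convert them first with openssl x509 -inform der -in file.crt -out file.pem. When tpm2-tools is not installed the live checks are skipped, so the decoding function can still be exercised on its own.

```shell
#!/bin/sh
# Added example, not HIRS/PACCOR code. Assumes tpm2-tools 4.x/5.x, OpenSSL,
# and manufacturer CA certificates as PEM files in $TPM_CA_DIR (./tpm-ca).

# Turn the 32-bit vendor ID (e.g. 0x49465800) back into its ASCII string
# ("IFX"). NUL pad bytes are dropped, spaces are kept, because the TCG
# registry lists IDs such as "STM " with a trailing space.
decode_manufacturer() {
    hex=${1#0x}
    hex=${hex#0X}
    [ $(( ${#hex} % 2 )) -eq 1 ] && hex=0$hex      # pad an odd-length value
    out=""
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}                     # first two hex digits
        hex=${hex#??}
        byte=$((0x$pair))
        [ "$byte" -eq 0 ] && continue
        out="$out$(printf "\\$(printf '%03o' "$byte")")"
    done
    printf '%s' "$out"
}

# Read the raw manufacturer value: the first "raw:" line that follows the
# TPM2_PT_MANUFACTURER key in the YAML printed by tpm2_getcap.
tpm_manufacturer() {
    tpm2_getcap properties-fixed |
        awk '/TPM2_PT_MANUFACTURER/ {f=1} f && /raw:/ {print $2; exit}'
}

# Pull the RSA EK certificate (DER) out of NV index 0x01C00002, print its
# issuer (this is the CA whose certificate, and whose issuers' certificates,
# must be uploaded to the ACA), then verify it against the concatenated
# manufacturer chain. The CAfile must contain the self-signed root as well
# as every intermediate, otherwise openssl verify reports an incomplete
# chain. Returns openssl's exit status.
verify_ek_chain() {
    ca_dir=$1
    work=$(mktemp -d)
    tpm2_nvread 0x01c00002 -o "$work/ek.der"
    openssl x509 -inform der -in "$work/ek.der" -out "$work/ek.pem"
    echo "EK certificate issuer:"
    openssl x509 -in "$work/ek.pem" -noout -issuer
    cat "$ca_dir"/*.pem > "$work/chain.pem"
    openssl verify -CAfile "$work/chain.pem" "$work/ek.pem"
}

if command -v tpm2_getcap >/dev/null 2>&1; then
    raw=$(tpm_manufacturer)
    echo "TPM2_PT_MANUFACTURER $raw -> vendor ID '$(decode_manufacturer "$raw")'"
    verify_ek_chain "${TPM_CA_DIR:-./tpm-ca}"
else
    echo "tpm2-tools not found; skipping the live TPM checks" >&2
fi
```

Run it as root (or as a user in the tss group) after the manufacturer certificates are in place; "ek.pem: OK" from openssl verify means the same chain will satisfy the ACA's Endorsement Credential Validation, while an "unable to get local issuer certificate" error means an intermediate or the root is missing from the downloaded set.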
- Navigate to the Policy page and enable Endorsement Credential Validation by selecting the edit icon next to the Endorsement Credential Validation label.
- On the client, issue the following command in a terminal:
> sudo tpm_aca_provision
- Check the result on the Validation Reports page. A green check mark under the Result column indicates success. The green check mark under the Endorsement column links back to the Endorsement Credential obtained from the TPM during the provisioning process, now validated against the uploaded manufacturer chain.
The HIRS open source release contains a Platform Certificate test generator (PACCOR) that can be used for generating Platform Credentials used for testing purposes. Follow the instructions for installing PACCOR before continuing. The PACCOR documentation contains instructions for configuring it for Platform Credential generation.
PACCOR currently supports the following fields as default components (although more can be added) within the Platform Credential:
- Baseboard (Motherboard)
- Processor
- Firmware (BIOS/UEFI)
- Chassis
- Memory
- Hard Drive/SSD
- NIC
PACCOR creates a self-signed certificate that can be used as a root CA certificate, and a Platform Credential based on the component information gathered from the current device. The Platform Credential that is produced is signed by that self-signed root CA certificate. Together, these two certificates are referred to as "test patterns". To create a test pattern, run the PACCOR-provided pc_certgen.sh script (as root):
> sudo sh /opt/paccor/scripts/pc_certgen.sh
This script creates a folder named pc_testgen under /opt/paccor/scripts. It contains a self-signed certificate named PCTestCA.example.com.pem, which is intended to be uploaded to the ACA as a trust chain, and a Platform Credential file named platform_cert.crt, which is intended to be uploaded to the ACA as a Platform Credential.
The test patterns are created as root, so their permissions need to be changed before the account that will upload them through the browser can read them (read access is all that is required; 644 would also do):
> sudo chmod 744 /opt/paccor/scripts/pc_testgen/PCTestCA.example.com.pem
> sudo chmod 744 /opt/paccor/scripts/pc_testgen/platform_cert*.crt
The platform manufacturer's CA certificate (or the test CA certificate created in the above sequence) needs to be uploaded into the ACA trust store. On the Trust Chain Management page select the import icon, then select the platform CA certificate(s) to be uploaded.
Upload the Platform Credential to the ACA via the ACA's Platform Credentials page: select the add icon next to the Import Platform Credentials label and choose the platform_cert.crt file.
- Navigate to the Policy page and enable Platform Credential Validation by selecting the edit icon next to the Platform Credential label. Then do the same for Platform Credential Attributes Validation.
- On the client, issue the following command in a terminal:
> sudo tpm_aca_provision
- Check the result on the Validation Reports page.
A green check mark under the Result column indicates success. The green check mark under the Endorsement column links back to the Endorsement Credential obtained from the TPM during the provisioning process. The green check mark under the Platform column links back to the Platform Credential created by PACCOR in the previous step. The green check mark under the Platform Attributes column indicates that the component fields in the Platform Credential matched the values collected from the client. Any failed component comparison (for example, a Platform Credential generated on a different machine, or hardware swapped since the credential was generated) turns this field into a red icon indicating failure.