IMA Server

The IMA Server is based on the basic TNC Server configuration and combines the SWIMA Server and Attestation Server functionality.

Plugin Configuration

For the IMA use case, the OS IMV, the SWIMA IMV and the Attestation IMV have to be enabled in the /etc/tnc_config configuration file

#IMV-Configuration

IMV "OS"           /usr/lib/ipsec/imcvs/imv-os.so
IMV "SWIMA"        /usr/lib/ipsec/imcvs/imv-swima.so
IMV "Attestation"  /usr/lib/ipsec/imcvs/imv-attestation.so

These Integrity Measurement Verifiers have to be built beforehand with the ./configure options

--enable-imv-os --enable-imv-swima --enable-imv-attestation

When the charon daemon starts up, the IMVs are loaded. OS IMV and Attestation IMV both subscribe to the standard PA-TNC message subtype Operating System. The Attestation IMV additionally subscribes to the PTS message subtype defined in the TCG namespace and the SWIMA IMV to messages of the standard SWIMA subtype

00[DMN] Starting IKE charon daemon (strongSwan 5.9.7, Linux 5.13.0-44-generic, x86_64)
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[TNC] added PWG attributes
00[TNC] added TCG attributes
00[PTS] added TCG functional component namespace
00[PTS] added ITA-HSR functional component namespace
00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
00[PTS] added ITA-HSR functional component 'Trusted Boot'
00[PTS] added ITA-HSR functional component 'Linux IMA'
00[LIB] libimcv initialized
00[IMV] IMV 1 "OS" initialized
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 1 "OS" loaded from '/usr/lib/ipsec/imcvs/imv-os.so'
00[IMV] IMV 2 "SWIMA" initialized
00[TNC] IMV 2 supports 1 message type: 'IETF/SWIMA' 0x000000/0x00000009
00[TNC] IMV 2 "SWIMA" loaded from '/usr/lib/ipsec/imcvs/imv-swima.so'
00[IMV] IMV 3 "Attestation" initialized
00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[openssl] available
00[PTS]   mandatory PTS measurement algorithm HASH_SHA2_256[openssl] available
00[PTS]   optional  PTS measurement algorithm HASH_SHA2_384[openssl] available
00[PTS]   optional  PTS measurement algorithm HASH_SHA2_512[openssl] available
00[PTS]   optional  PTS DH group MODP_2048[openssl] available
00[PTS]   optional  PTS DH group MODP_1536[openssl] available
00[PTS]   optional  PTS DH group MODP_1024[openssl] available
00[PTS]   mandatory PTS DH group ECP_256[openssl] available
00[PTS]   optional  PTS DH group ECP_384[openssl] available
00[TNC] IMV 3 supports 2 message types: 'TCG/PTS' 0x005597/0x00000001 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 3 "ATTESTATION" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'

VPN Configuration

The VPN configuration chosen for this example is the same as for the general TNC server but uses different client and server identities. For reasons of brevity we omit the PT-EAP and IKEv2 EAP transport layers.

PB-TNC Connection

The TNC server receives the first PB-TNC Client Data batch, assigns the PB-TNC (TCG TNC IF-TNCCS 2.0) Connection ID 1 to the connection and creates new states for the OS IMV, the SWIMA IMV and the Attestation IMV. The OS IMV gets the Access Requestor's identities mijas.strongsec.com and 10.10.1.52 from the TNC server via the TNC IF-IMV API.

09[TNC] assigned TNCCS Connection ID 1
09[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
09[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
09[IMV]   user AR identity 'mijas.strongsec.com' of type username authenticated by certificate
09[IMV]   machine AR identity '10.10.1.52' of type IPv4 address authenticated by unknown method
09[IMV] IMV 2 "SWIMA" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
09[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
09[IMV] IMV 3 "Attestation" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
09[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
09[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Handshake'
09[IMV] IMV 2 "SWIMA" changed state of Connection ID 1 to 'Handshake'
09[IMV] IMV 3 "Attestation" changed state of Connection ID 1 to 'Handshake'

OS Information

The TNC server receives a PB-TNC Client Data batch containing a standard PB-Language-Preference message which sets the preferred language to English [en] and two PA-TNC messages

09[TNC] received TNCCS batch (321 bytes)
09[TNC] TNC server is handling inbound connection
09[TNC] processing PB-TNC CDATA batch for Connection ID 1
09[TNC] PB-TNC state transition from 'Init' to 'Server Working'
09[TNC] processing IETF/PB-Language-Preference message (31 bytes)
09[TNC] processing IETF/PB-PA message (230 bytes)
09[TNC] processing IETF/PB-PA message (52 bytes)
09[TNC] setting language preference to 'en'

The first PA-TNC message of standard subtype Operating System contains seven PA-TNC attributes that are processed by the OS IMV. The most important attribute is the Device ID defined in the ITA-HSR namespace. Based on the keyid of the endpoint's Attestation Key it uniquely identifies the endpoint to be measured

09[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
09[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1
09[TNC] processing PA-TNC message with ID 0x9db26aae
09[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
09[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
09[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
09[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
09[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
09[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
09[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
09[IMV] operating system name is 'Ubuntu' from vendor Canonical
09[IMV] operating system version is '20.04 x86_64'
09[IMV] operating system numeric version is 20.4
09[IMV] operational status: operational, result: successful
09[IMV] last boot: May 31 08:26:24 UTC 2022
09[IMV] IPv4 forwarding is enabled
09[IMV] factory default password is disabled
09[IMV] device ID is 732c769e8d1b2efef8b64d5ae83f84d129733fdd

The Attestation IMV has subscribed to messages of subtype Operating System as well

09[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 1
09[TNC] processing PA-TNC message with ID 0x9db26aae
09[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
09[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
09[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
09[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
09[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
09[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
09[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
09[IMV] operating system name is 'Ubuntu' from vendor Canonical
09[IMV] operating system version is '20.04 x86_64'
09[IMV] device ID is 732c769e8d1b2efef8b64d5ae83f84d129733fdd

SWIMA Segmentation Contract

The second PA-TNC message is of standard subtype SWIMA and contains a Segmentation Contract Request attribute defined in the TCG namespace which proposes to split up huge PA-TNC messages into segments with a maximum size of 32'698 bytes each (see PA-TNC message segmentation)

09[TNC] handling PB-PA message type 'IETF/SWIMA' 0x000000/0x00000009
09[IMV] IMV 2 "SWIMA" received message for Connection ID 1 from IMC 2
09[TNC] processing PA-TNC message with ID 0xc9a4e2e5
09[TNC] processing PA-TNC attribute type 'TCG/Segmentation Contract Request' 0x005597/0x00000021
09[IMV] IMV 2 received a segmentation contract request from IMC 2 for PA message type 'IETF/SWIMA' 0x000000/0x00000009
09[IMV]   no message size limit, maximum segment size of 32698 bytes

The Segmentation Contract Response attribute defined in the TCG namespace is inserted into a first PA-TNC message of standard subtype SWIMA

09[TNC] creating PA-TNC message with ID 0x3c431f74
09[TNC] creating PA-TNC attribute type 'TCG/Segmentation Contract Response' 0x005597/0x00000022
09[TNC] creating PB-PA message type 'IETF/SWIMA' 0x000000/0x00000009
09[IMV] IMV 1 requests a segmentation contract for PA message type 'IETF/Operating System' 0x000000/0x00000001
09[IMV]   no message size limit, maximum segment size of 65466 bytes

IMV Policy Workitems

The imv_policy_manager program is executed which connects to the TNC database and assigns the session number 363 to the current connection with ID 1. Two measurement workitems are configured in the database:

  • SWIDT - SWID Tag IDs

  • TPMRA - TPM Remote Attestation

09[IMV] assigned session ID 363 to Connection ID 1
09[IMV] policy: imv_policy_manager start successful
09[IMV] SWIDT workitem 659
09[IMV] TPMRA workitem 660

OS Assessment Result

No policy enforcements are defined for the OS IMV, so standard Assessment Result and Remediation Instructions attributes are generated and inserted into a second PA-TNC message of standard subtype Operating System

09[IMV] IMV 1 has no workitems - no evaluation requested
09[TNC] creating PA-TNC message with ID 0x37f97573
09[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
09[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
09[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
09[TNC] IMV 1 provides recommendation 'allow' and evaluation 'don't know'

Software Identifier Event Request

The SWIMA IMV is responsible for handling the SWID Tag ID workitem, including a SWIMA subscription request

09[IMV] IMV 2 handles SWIDT workitem 659
09[IMV] SWIMA subscription 659 requested

First a Segmentation Contract Request attribute defined in the TCG namespace is generated

09[IMV] IMV 2 requests a segmentation contract for PA message type 'IETF/SWIMA' 0x000000/0x00000009
09[IMV]   no message size limit, maximum segment size of 65466 bytes

and then a standard SWIMA Request requesting a continuous update on the endpoint’s Software Identifier Events starting with Event ID 323

09[IMV] IMV 2 issues sw request 659 with earliest eid 323

Both attributes are inserted into a third PA-TNC message of standard subtype SWIMA

09[TNC] creating PA-TNC message with ID 0x2eabec55
09[TNC] creating PA-TNC attribute type 'TCG/Segmentation Contract Request' 0x005597/0x00000021
09[TNC] creating PA-TNC attribute type 'IETF/SWIMA Request' 0x000000/0x0000000d
09[TNC] creating PB-PA message type 'IETF/SWIMA' 0x000000/0x00000009

PTS Configuration

The Attestation IMV generates the following three PA-TNC attributes defined in the TCG namespace

- Segmentation Contract Request
- Request PTS Protocol Capabilities
- PTS Measurement Algorithm Request

and inserts them into a fourth PA-TNC message of subtype PTS defined in the TCG namespace

09[IMV] IMV 3 requests a segmentation contract for PA message type 'TCG/PTS' 0x005597/0x00000001
09[IMV]   no message size limit, maximum segment size of 65466 bytes
09[TNC] creating PA-TNC message with ID 0xe6a89ae6
09[TNC] creating PA-TNC attribute type 'TCG/Segmentation Contract Request' 0x005597/0x00000021
09[TNC] creating PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
09[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
09[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

The four PA-TNC messages together with a PB-TNC PDP-Referral message defined in the TCG namespace are sent in a PB-TNC Server Data batch to the TNC client

09[TNC] TNC server is handling outbound connection
09[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
09[TNC] creating PB-TNC SDATA batch
09[TNC] adding TCG/PB-PDP-Referral message
09[TNC] adding IETF/PB-PA message
09[TNC] adding IETF/PB-PA message
09[TNC] adding IETF/PB-PA message
09[TNC] adding IETF/PB-PA message
09[TNC] sending PB-TNC SDATA batch (402 bytes) for Connection ID 1

The TNC server receives a PB-TNC Client Data batch containing two PA-TNC messages

11[TNC] received TNCCS batch (2847 bytes)
11[TNC] TNC server is handling inbound connection
11[TNC] processing PB-TNC CDATA batch for Connection ID 1
11[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
11[TNC] processing IETF/PB-PA message (2755 bytes)
11[TNC] processing IETF/PB-PA message (84 bytes)

The SWIMA IMV handles the first PA-TNC message of standard subtype SWIMA containing the following three attributes:

  • Segmentation Contract Response defined in the TCG namespace:
    The maximum segment size is reduced from the proposed 65'366 bytes to 32'698 bytes.

  • PA-TNC Error defined in the standard IETF namespace:
    The SWIMA Request contained a subscription request for SW Identifier Events which is not enabled on the TNC client (imc-swima.subscription option). Therefore the TNC server clears the SWIMA subscription.

  • SW Identifier Events defined in the standard IETF namespace:
    26 new SW ID events were collected since the last run.

11[TNC] handling PB-PA message type 'IETF/SWIMA' 0x000000/0x00000009
11[IMV] IMV 2 "SWIMA" received message for Connection ID 1 from IMC 2 to IMV 2
11[TNC] processing PA-TNC message with ID 0x58b37554
11[TNC] processing PA-TNC attribute type 'TCG/Segmentation Contract Response' 0x005597/0x00000022
11[TNC] processing PA-TNC attribute type 'IETF/PA-TNC Error' 0x000000/0x00000008
11[TNC] processing PA-TNC attribute type 'IETF/SW Identifier Events' 0x000000/0x0000000f
11[IMV] IMV 2 received a segmentation contract response from IMC 2 for PA message type 'IETF/SWIMA' 0x000000/0x00000009
11[IMV]   no message size limit, maximum segment size of 32698 bytes
11[IMV] received PA-TNC error 'SWIMA Subscription Denied' for request 659
11[IMV]   description: subscriptions not enabled
11[IMV] SWIMA subscription 659 cleared
11[IMV] received software ID events with 26 items for request 659 at last eid 323 of epoch 0x38cd4cc6, 0 items to follow

The second PA-TNC message of subtype PTS defined in the TCG namespace contains the following three attributes defined in the TCG namespace

- Segmentation Contract Response
- PTS Protocol Capabilities
- PTS Measurement Algorithm

as a response to the previous requests.

11[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
11[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
11[TNC] processing PA-TNC message with ID 0x03a3bf23
11[TNC] processing PA-TNC attribute type 'TCG/Segmentation Contract Response' 0x005597/0x00000022
11[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
11[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
11[IMV] IMV 3 received a segmentation contract response from IMC 3 for PA message type 'TCG/PTS' 0x005597/0x00000001
11[IMV]   no message size limit, maximum segment size of 32698 bytes
11[PTS] supported PTS protocol capabilities: .VDT.
11[PTS] selected PTS measurement algorithm is HASH_SHA2_256

The SWIMA IMV arrives at its assessment, which is 'allow', and creates a standard Assessment Result attribute that is inserted into a PA-TNC message of standard subtype SWIMA

11[IMV] IMV 2 handled SWIDT workitem 659: allow - received 26 SW ID events and 0 SWID tags
11[TNC] creating PA-TNC message with ID 0xcf298442
11[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
11[TNC] creating PB-PA message type 'IETF/SWIMA' 0x000000/0x00000009
11[TNC] IMV 2 provides recommendation 'allow' and evaluation 'compliant'

The Attestation IMV creates a DH Nonce Parameters Request in the TCG namespace and inserts it into a PA-TNC message of subtype PTS defined in the TCG namespace

11[IMV] IMV 3 handles TPMRA workitem 660
11[TNC] creating PA-TNC message with ID 0x87cd81b4
11[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000
11[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

The two PA-TNC messages are sent in a PB-TNC Server Data batch to the TNC client

11[TNC] TNC server is handling outbound connection
11[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
11[TNC] creating PB-TNC SDATA batch
11[TNC] adding IETF/PB-PA message
11[TNC] adding IETF/PB-PA message
11[TNC] sending PB-TNC SDATA batch (104 bytes) for Connection ID 1

The TNC server receives a PB-TNC Client Data batch containing a PA-TNC message

13[TNC] received TNCCS batch (144 bytes)
13[TNC] TNC server is handling inbound connection
13[TNC] processing PB-TNC CDATA batch for Connection ID 1
13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
13[TNC] processing IETF/PB-PA message (136 bytes)

The PA-TNC message of subtype PTS defined in the TCG namespace contains the DH Nonce Parameters Response defined in the TCG namespace which sets the Diffie-Hellman group to ECP_256, the hash algorithm to SHA_256 and the nonce length to 20 bytes

13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
13[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
13[TNC] processing PA-TNC message with ID 0x0949ab4c
13[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000
13[PTS] selected DH hash algorithm is HASH_SHA2_256
13[PTS] selected PTS DH group is ECP_256
13[PTS] nonce length is 20

The Attestation IMV creates the following three attributes defined in the TCG namespace

- DH Nonce Finish
- Get TPM Version Information
- Get Attestation Identity Key

and inserts them in a PA-TNC message of subtype PTS defined in the TCG namespace

13[TNC] creating PA-TNC message with ID 0x385528f6
13[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000
13[TNC] creating PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000
13[TNC] creating PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000
13[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

The PA-TNC message is sent in a PB-TNC Server Data batch to the TNC client

13[TNC] TNC server is handling outbound connection
13[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
13[TNC] creating PB-TNC SDATA batch
13[TNC] adding IETF/PB-PA message
13[TNC] sending PB-TNC SDATA batch (172 bytes) for Connection ID 1

The TNC server receives a PB-TNC Client Data batch containing a PA-TNC message

12[TNC] received TNCCS batch (172 bytes)
12[TNC] TNC server is handling inbound connection
12[TNC] processing PB-TNC CDATA batch for Connection ID 1
12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
12[TNC] processing IETF/PB-PA message (164 bytes)

The PA-TNC message of subtype PTS defined in the TCG namespace contains two attributes defined in the TCG namespace:

  • TPM Version Information:
    Indicates the version of the implemented TPM standard (rev. 1.38), the chip or firmware vendor (STM) as well as the startup locality (3) that is important to correctly initialize PCR0 of the IMV’s own PCR bank emulation

  • Attestation Identity Key:
    This is the public part of the endpoint's Attestation Key (AK) which is used by the Attestation IMV to verify the TPM Quote Signature. The keyid is usually equivalent to the endpoint's hardware ID. Using strongTNC, the Trusted flag must be set in the Device Info view. As an alternative the attribute can transport the endpoint's AK certificate.

12[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
12[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
12[TNC] processing PA-TNC message with ID 0xf413fa9e
12[TNC] processing PA-TNC attribute type 'TCG/TPM Version Information' 0x005597/0x09000000
12[TNC] processing PA-TNC attribute type 'TCG/Attestation Identity Key' 0x005597/0x0e000000
12[PTS] Version Information: TPM 2.0 rev. 1.38 2018 STM  - startup locality: 3
12[IMV] verifying AIK with keyid 73:2c:76:9e:8d:1b:2e:fe:f8:b6:4d:5a:e8:3f:84:d1:29:73:3f:dd
12[IMV] AIK public key is trusted

Boot and IMA Event Measurements

The following three attributes are inserted into a PA-TNC message of subtype PTS defined in the TCG namespace:

  • Get Symlinks defined in the ITA-HSR namespace:
    Request a list of symbolic links created by the operating system due to UsrMerge (e.g. /bin → /usr/bin).

  • Request Functional Component Evidence defined in the TCG namespace:
    Request BIOS pre-boot and IMA runtime evidence.

  • Generate Attestation Evidence defined in the TCG namespace:
    Request a TPM Quote Signature over the final state of the PCR registers involved in the evidence measurement.

12[IMV] evidence request by
12[TNC] creating PA-TNC message with ID 0xe05b2cac
12[TNC] creating PA-TNC attribute type 'ITA-HSR/Get Symlinks' 0x00902a/0x00000009
12[TNC] creating PA-TNC attribute type 'TCG/Request Functional Component Evidence' 0x005597/0x00100000
12[TNC] creating PA-TNC attribute type 'TCG/Generate Attestation Evidence' 0x005597/0x00200000
12[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

The PA-TNC message is sent in a PB-TNC Server Data batch to the TNC client

12[TNC] TNC server is handling outbound connection
12[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
12[TNC] creating PB-TNC SDATA batch
12[TNC] adding IETF/PB-PA message
12[TNC] sending PB-TNC SDATA batch (105 bytes) for Connection ID 1

The TNC server receives a PB-TNC Client Data batch containing a PA-TNC message

14[TNC] received TNCCS batch (32745 bytes)
14[TNC] TNC server is handling inbound connection
14[TNC] processing PB-TNC CDATA batch for Connection ID 1
14[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
14[TNC] processing IETF/PB-PA message (32737 bytes)

The PA-TNC message of subtype PTS contains the following attributes:

  • Symlinks defined in the ITA-HSR namespace:
    If the endpoint’s Linux distribution supports UsrMerge then it sends a list of directory symbolic links.

  • Simple Component Evidence (first batch):
    Each attribute instance contains a single Boot Event measurement (SHA256 hash value plus event log entry).

14[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
14[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
14[TNC] processing PA-TNC message with ID 0x895b637c
14[TNC] processing PA-TNC attribute type 'ITA-HSR/Symlinks' 0x00902a/0x0000000a
14[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
14[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
        ...
14[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
14[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

The following symbolic links are applied during the lookup of IMA file measurements

14[PTS] adding directory symlinks:
14[PTS]   /lib32 -> /usr/lib32
14[PTS]   /lib -> /usr/lib
14[PTS]   /libx32 -> /usr/libx32
14[PTS]   /sbin -> /usr/sbin
14[PTS]   /bin -> /usr/bin
14[PTS]   /lib64 -> /usr/lib64

The 136 BIOS measurements are checked and the boot aggregate value as a starting point for the IMA measurements is computed and verified

14[PTS] TPM 2.0 - locality indicator set to 3
14[PTS] checking 136 BIOS evidence measurements
14[PTS] boot aggregate computed over PCR0..PCR9 is correct
14[PTS] checking boot aggregate evidence measurement
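The two checks above, the startup-locality initialization of PCR0 noted under TPM Version Information and the boot aggregate over PCR0..PCR9, as an added worked example in Python (not strongSwan's or libimcv's code): a minimal SHA-256 PCR bank is replayed from constructed boot events, the endpoint's boot_aggregate entry is verified against it, PCR10 is replayed from the IMA list and the result is compared with the PCR values a TPM Quote would cover. The boot events, file hashes and the template hash (constructed here as H(file hash || path), a stand-in for the real ima-ng template hash) are all constructed sample data.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

DIGEST_LEN = 32                     # SHA-256 bank, the measurement algorithm selected above
BOOT_AGGREGATE_PCRS = range(0, 10)  # IMA boot_aggregate over PCR0..PCR9 for a SHA-256 bank
IMA_PCR = 10                        # PCR that IMA extends with its runtime measurements


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def initial_pcrs(startup_locality: int) -> List[bytes]:
    """Reset state of a TPM 2.0 SHA-256 bank: every PCR is all zeros, except that
    PCR0 records the locality at which TPM2_Startup was issued in its last byte.
    Replaying the event log from a zeroed PCR0 when the real locality was 3 yields
    a wrong PCR0 and therefore a wrong boot aggregate."""
    pcrs = [bytes(DIGEST_LEN) for _ in range(24)]
    pcrs[0] = bytes(DIGEST_LEN - 1) + bytes([startup_locality])
    return pcrs


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest)."""
    return sha256(pcr + digest)


def replay(pcrs: List[bytes], events: Iterable[Tuple[int, bytes]]) -> List[bytes]:
    """Apply (pcr index, event digest) pairs in log order to a copy of the bank."""
    pcrs = list(pcrs)
    for index, digest in events:
        pcrs[index] = extend(pcrs[index], digest)
    return pcrs


def boot_aggregate(pcrs: List[bytes]) -> bytes:
    """boot_aggregate = H(PCR0 || PCR1 || ... || PCR9), the first IMA entry's file hash."""
    return sha256(b"".join(pcrs[i] for i in BOOT_AGGREGATE_PCRS))


def verify_evidence(startup_locality: int,
                    boot_events: List[Tuple[int, bytes]],
                    ima_entries: List[Tuple[bytes, bytes]],
                    quoted_pcrs: Dict[int, bytes]) -> Dict[str, bool]:
    """Verifier side: replay the boot events, check that the endpoint's
    boot_aggregate entry matches, then replay IMA's PCR10 and compare the final
    bank state with the PCR values covered by the TPM Quote.
    ima_entries are (template hash, file hash) pairs, the first being boot_aggregate."""
    pcrs = replay(initial_pcrs(startup_locality), boot_events)
    aggregate_ok = ima_entries[0][1] == boot_aggregate(pcrs)
    pcrs = replay(pcrs, ((IMA_PCR, template_hash) for template_hash, _ in ima_entries))
    quote_ok = all(pcrs[i] == value for i, value in quoted_pcrs.items())
    return {"boot_aggregate": aggregate_ok, "quote": quote_ok}


# Constructed sample boot events (pcr index, SHA-256 event digest); a real log has
# far more of these (136 in the session above), spread over PCR0..PCR9.
BOOT_EVENTS = [(pcr, sha256(label)) for pcr, label in [
    (0, b"EV_S_CRTM_VERSION"), (0, b"EV_EFI_PLATFORM_FIRMWARE_BLOB"),
    (1, b"EV_EFI_HANDOFF_TABLES"), (4, b"EV_EFI_BOOT_SERVICES_APPLICATION shim"),
    (7, b"EV_EFI_VARIABLE_DRIVER_CONFIG SecureBoot"), (9, b"EV_IPL grub.cfg"),
]]
# Constructed IMA runtime measurements following boot_aggregate: (path, file hash).
FILES = [(b"/usr/sbin/charon-systemd", sha256(b"charon-systemd contents")),
         (b"/usr/lib/libtss2-sys.so.1.0.0", sha256(b"libtss2-sys contents"))]


def simulate_endpoint(startup_locality: int, boot_events, files):
    """Stand-in for what the endpoint's TPM and IMA would report: the IMA list as
    (template hash, file hash) pairs and the PCR values a Quote over PCR0..PCR10
    attests. The template hash is constructed as H(file hash || path)."""
    pcrs = replay(initial_pcrs(startup_locality), boot_events)
    aggregate = boot_aggregate(pcrs)
    entries = [(sha256(aggregate + b"boot_aggregate"), aggregate)]
    entries += [(sha256(digest + path), digest) for path, digest in files]
    pcrs = replay(pcrs, ((IMA_PCR, template_hash) for template_hash, _ in entries))
    return entries, {i: pcrs[i] for i in range(IMA_PCR + 1)}


if __name__ == "__main__":
    entries, quote = simulate_endpoint(3, BOOT_EVENTS, FILES)
    print("replay with locality 3:", verify_evidence(3, BOOT_EVENTS, entries, quote))
    print("replay with locality 0:", verify_evidence(0, BOOT_EVENTS, entries, quote))
```

Replaying with the wrong startup locality fails both checks, while dropping an IMA entry keeps the boot aggregate valid but breaks the match with the quoted PCR10.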

Two of the file measurements are not found in the strongTNC database

14[PTS] bc:d0:97:eb:35:88:dc:1d:c1:21:2c:8c:60:5d:55:34:db:90:f9:88:ca:a4:5f:18:ad:44:06:3a:1f:d5:cf:7e for '/usr/lib/systemd/system-generators/lvm2-activation-generator' not found
14[PTS] 14:46:6a:ac:b9:7b:20:ac:d1:2a:04:c3:c6:e7:82:1b:cb:a3:5c:82:38:68:39:64:5d:d6:4b:1c:6a:2e:c7:53 for '/etc/console-setup/cached_setup_keyboard.sh' not found
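How the reported directory symlinks are applied during the lookup of IMA file measurements, as an added Python example (not strongTNC's or libimcv's code): a measured path is rewritten through the UsrMerge symlinks above before it is looked up in a reference database keyed by canonical path, and every (path, hash) pair without a match is reported in the same form as the PTS log lines. The reference database, the measurements and the hashes are constructed sample data.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Directory symlinks as reported by the endpoint above (Ubuntu 20.04 UsrMerge layout)
SYMLINKS = {
    "/lib32": "/usr/lib32", "/lib": "/usr/lib", "/libx32": "/usr/libx32",
    "/sbin": "/usr/sbin", "/bin": "/usr/bin", "/lib64": "/usr/lib64",
}


def canonical_path(path: str, symlinks: Dict[str, str]) -> str:
    """Rewrite a leading directory component that is a known symlink, so that
    /bin/bash and /usr/bin/bash map to the same reference database key.
    Matching requires a '/' after the link name, so /lib never swallows /lib64."""
    for link in sorted(symlinks, key=len, reverse=True):
        if path == link or path.startswith(link + "/"):
            return symlinks[link] + path[len(link):]
    return path


def colon_hex(digest: bytes) -> str:
    """Render a digest the way the PTS log lines above do (aa:bb:cc:...)."""
    return ":".join(f"{b:02x}" for b in digest)


def check_measurements(measurements: List[Tuple[str, bytes]],
                       reference: Dict[str, Set[bytes]],
                       symlinks: Dict[str, str]) -> Tuple[int, List[Tuple[bytes, str]]]:
    """Look up every (path, file hash) IMA measurement in the reference database,
    which is keyed by canonical path and holds all known-good hashes of that file.
    Lookups are per (path, hash), not per path: a file regenerated during boot shows
    up several times with different hashes, as lvm2-activation-generator does above.
    Returns the number of matches and the (hash, path) pairs not found, in list order."""
    found = 0
    missing: List[Tuple[bytes, str]] = []
    for path, digest in measurements:
        known = reference.get(canonical_path(path, symlinks), set())
        if digest in known:
            found += 1
        else:
            missing.append((digest, path))
    return found, missing


def format_not_found(missing: List[Tuple[bytes, str]]) -> List[str]:
    return [f"{colon_hex(digest)} for '{path}' not found" for digest, path in missing]


def H(label: bytes) -> bytes:
    """Constructed stand-in for a file's SHA-256 content hash."""
    return hashlib.sha256(label).digest()


LVM2_GEN = "/usr/lib/systemd/system-generators/lvm2-activation-generator"
KBD_CACHE = "/etc/console-setup/cached_setup_keyboard.sh"

# Constructed reference database: canonical path -> known-good hashes
REFERENCE = {
    "/usr/lib/x86_64-linux-gnu/libc.so.6": {H(b"libc 2.31")},
    "/usr/bin/bash": {H(b"bash 5.0")},
    LVM2_GEN: {H(b"lvm2 generator as packaged")},
}
# Constructed IMA measurements: (path as measured, file hash)
MEASUREMENTS = [
    ("/lib/x86_64-linux-gnu/libc.so.6", H(b"libc 2.31")),   # found via /lib -> /usr/lib
    ("/bin/bash", H(b"bash 5.0")),                          # found via /bin -> /usr/bin
    ("/usr/bin/bash", H(b"bash 5.0")),                      # found directly
    (LVM2_GEN, H(b"lvm2 generator regenerated at boot")),   # known path, unknown hash
    (KBD_CACHE, H(b"keyboard cache")),                      # not in the database at all
]

if __name__ == "__main__":
    found, missing = check_measurements(MEASUREMENTS, REFERENCE, SYMLINKS)
    print(f"{found} measurements matched, {len(missing)} not found")
    for line in format_not_found(missing):
        print(line)
```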

The next PB-TNC Client Data batch is requested by sending an empty PB-TNC Server Data batch

14[TNC] TNC server is handling outbound connection
14[TNC] no recommendation available yet, sending empty PB-TNC SDATA batch
14[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
14[TNC] creating PB-TNC SDATA batch
14[TNC] sending PB-TNC SDATA batch (8 bytes) for Connection ID 1

The second PB-TNC Client Data batch is received

08[TNC] received TNCCS batch (32671 bytes)
08[TNC] TNC server is handling inbound connection
08[TNC] processing PB-TNC CDATA batch for Connection ID 1
08[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
08[TNC] processing IETF/PB-PA message (32663 bytes)

The PA-TNC message of subtype PTS defined in the TCG namespace contains Simple Component Evidence attributes

08[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
08[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
08[TNC] processing PA-TNC message with ID 0x04e49de2
08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
        ...
08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Two of the file measurements are not found in the strongTNC database

08[PTS] c0:bb:99:9d:87:8c:ab:eb:ee:34:b1:57:9e:b1:96:22:a9:be:33:d3:c2:81:1f:f2:f2:38:fc:82:27:e1:43:45 for '/usr/lib/systemd/system-generators/lvm2-activation-generator' not found
08[PTS] 32:a1:e4:d4:41:06:3d:7e:4c:3b:0f:9a:f9:e6:14:9f:2b:7a:ff:c3:b7:5c:83:74:54:fe:93:39:d3:6c:60:1f for '/etc/console-setup/cached_setup_keyboard.sh' not found

The next PB-TNC Client Data batch is requested by sending an empty PB-TNC Server Data batch

08[TNC] TNC server is handling outbound connection
08[TNC] no recommendation available yet, sending empty PB-TNC SDATA batch
08[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
08[TNC] creating PB-TNC SDATA batch
08[TNC] sending PB-TNC SDATA batch (8 bytes) for Connection ID 1

The third PB-TNC Client Data batch is received

06[TNC] received TNCCS batch (32680 bytes)
06[TNC] TNC server is handling inbound connection
06[TNC] processing PB-TNC CDATA batch for Connection ID 1
06[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
06[TNC] processing IETF/PB-PA message (32672 bytes)

The PA-TNC message of subtype PTS defined in the TCG namespace contains Simple Component Evidence attributes

06[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
06[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
06[TNC] processing PA-TNC message with ID 0x71bfc1a0
06[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
        ...
06[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

The next PB-TNC Client Data batch is requested by sending an empty PB-TNC Server Data batch

06[TNC] TNC server is handling outbound connection
06[TNC] no recommendation available yet, sending empty PB-TNC SDATA batch
06[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
06[TNC] creating PB-TNC SDATA batch
06[TNC] sending PB-TNC SDATA batch (8 bytes) for Connection ID 1

The fourth PB-TNC Client Data batch is received

12[TNC] received TNCCS batch (32644 bytes)
12[TNC] TNC server is handling inbound connection
12[TNC] processing PB-TNC CDATA batch for Connection ID 1
12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
12[TNC] processing IETF/PB-PA message (32636 bytes)

The PA-TNC message of subtype PTS defined in the TCG namespace contains Simple Component Evidence attributes

12[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
12[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
12[TNC] processing PA-TNC message with ID 0x93f33309
12[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
12[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
        ...
12[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
12[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

The next PB-TNC Client Data batch is requested by sending an empty PB-TNC Server Data batch

12[TNC] TNC server is handling outbound connection
12[TNC] no recommendation available yet, sending empty PB-TNC SDATA batch
12[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
12[TNC] creating PB-TNC SDATA batch
12[TNC] sending PB-TNC SDATA batch (8 bytes) for Connection ID 1

The fifth PB-TNC Client Data batch is received

14[TNC] received TNCCS batch (32614 bytes)
14[TNC] TNC server is handling inbound connection
14[TNC] processing PB-TNC CDATA batch for Connection ID 1
14[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
14[TNC] processing IETF/PB-PA message (32606 bytes)

The PA-TNC message of subtype PTS defined in the TCG namespace contains Simple Component Evidence attributes

14[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
14[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
14[TNC] processing PA-TNC message with ID 0xe031c311
14[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
14[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
        ...
14[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
14[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Several file measurements are not found in the strongTNC database

14[PTS] ee:cf:63:75:e5:f4:5a:5b:22:a6:8f:65:93:38:68:f1:51:53:ab:a8:cd:8c:d5:27:fc:ab:ca:44:f0:f5:e6:ea for '/usr/sbin/charon-systemd' not found
        ...
14[PTS] 4b:b6:e3:67:88:fa:fe:d6:2a:ef:2e:50:a8:e2:cc:0b:e3:be:f4:69:94:35:6f:d3:40:7a:a7:71:fc:9f:13:18 for '/usr/lib/libtss2-sys.so.1.0.0' not found
14[PTS] 58:ca:88:d2:8b:16:b1:8b:ee:c1:90:46:52:f7:0f:2e:4c:0e:97:72:92:38:3c:da:4c:71:f5:a5:ed:74:58:8a for '/usr/lib/libtss2-mu.so.0.0.0' not found
14[PTS] 3a:9a:93:1d:bc:5b:19:5b:23:e5:64:f9:7b:54:d0:34:ae:e7:62:9a:1f:1b:7a:dc:01:ce:d2:0a:67:60:89:ae for '/usr/lib/libtss2-tcti-device.so.0.0.0' not found

The next PB-TNC Client Data batch is requested by sending an empty PB-TNC Server Data batch

14[TNC] TNC server is handling outbound connection
14[TNC] no recommendation available yet, sending empty PB-TNC SDATA batch
14[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
14[TNC] creating PB-TNC SDATA batch
14[TNC] sending PB-TNC SDATA batch (8 bytes) for Connection ID 1

The sixth PB-TNC Client Data batch is received

08[TNC] received TNCCS batch (32671 bytes)
08[TNC] TNC server is handling inbound connection
08[TNC] processing PB-TNC CDATA batch for Connection ID 1
08[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
08[TNC] processing IETF/PB-PA message (32663 bytes)
08[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001

The PA-TNC message of subtype PTS defined in the TCG namespace contains Simple Component Evidence attributes

08[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
08[TNC] processing PA-TNC message with ID 0xa8f82bc7
08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
        ...
08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

The next PB-TNC Client Data batch is requested by sending an empty PB-TNC Server Data batch

08[TNC] TNC server is handling outbound connection
08[TNC] no recommendation available yet, sending empty PB-TNC SDATA batch
08[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
08[TNC] creating PB-TNC SDATA batch
08[TNC] sending PB-TNC SDATA batch (8 bytes) for Connection ID 1

The seventh PB-TNC Client Data batch is received

06[TNC] received TNCCS batch (32630 bytes)
06[TNC] TNC server is handling inbound connection
06[TNC] processing PB-TNC CDATA batch for Connection ID 1
06[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
06[TNC] processing IETF/PB-PA message (32622 bytes)

The PA-TNC message of subtype PTS defined in the TCG namespace contains Simple Component Evidence attributes

06[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
06[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
06[TNC] processing PA-TNC message with ID 0xe9d4eb18
06[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
        ...
06[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000

Several file measurements are not found in the strongTNC database

06[PTS] 56:bb:f2:6a:62:bc:ca:e7:ff:f5:2e:06:59:e2:18:5b:c8:af:c1:7d:bb:44:89:67:10:ae:db:44:1d:3c:c1:29 for '/usr/bin/tpm2' not found
06[PTS] 9a:a2:6f:88:6d:ad:01:a0:6c:6d:c5:ed:2d:4f:d3:7a:5a:57:89:19:17:28:14:27:9e:1c:7d:40:12:5d:50:e2 for '/usr/lib/libtss2-esys.so.0.0.0' not found
06[PTS] 1a:d6:6d:27:a1:92:dd:81:ae:a3:bc:37:b5:cc:7b:fa:60:9d:94:84:0e:c1:4f:c3:9c:2a:5c:9d:69:eb:e2:95 for '/usr/lib/libtss2-tctildr.so.0.0.0' not found
06[PTS] c2:4f:e6:31:c7:19:40:c5:a7:10:b3:85:c2:2e:16:a4:0e:b4:74:16:23:a0:a1:5e:e1:e0:99:85:66:52:10:95 for '/usr/lib/libtss2-rc.so.0.0.0' not found

The next PB-TNC Client Data batch is requested by sending an empty PB-TNC Server Data batch

06[TNC] TNC server is handling outbound connection
06[TNC] no recommendation available yet, sending empty PB-TNC SDATA batch
06[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
06[TNC] creating PB-TNC SDATA batch
06[TNC] sending PB-TNC SDATA batch (8 bytes) for Connection ID 1

The eighth PB-TNC Client Data batch is received

15[TNC] received TNCCS batch (23330 bytes)
15[TNC] TNC server is handling inbound connection
15[TNC] processing PB-TNC CDATA batch for Connection ID 1
15[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
15[TNC] processing IETF/PB-PA message (23322 bytes)

The PA-TNC message of subtype PTS defined in the TCG namespace contains Simple Component Evidence attributes and the Simple Evidence Final attribute

15[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
15[IMV] IMV 3 "Attestation" received message for Connection ID 1 from IMC 3 to IMV 3
15[TNC] processing PA-TNC message with ID 0xfc858c90
15[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
15[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
        ...
15[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
15[TNC] processing PA-TNC attribute type 'TCG/Simple Evidence Final' 0x005597/0x00400000

Several file measurements are not found in the strongTNC database

15[PTS] 8e:4a:5a:53:da:25:7c:18:53:c5:2a:52:5d:04:84:e4:41:7a:de:c5:cf:94:7b:a7:bc:62:16:eb:91:dc:fc:5f for '/etc/initramfs-tools/scripts/init-top/ima_policy' not found
15[PTS] af:e4:6b:04:21:cf:d7:b8:c0:08:c2:c5:10:96:44:28:e5:77:8c:9c:91:2c:6e:aa:75:4a:9e:73:b4:dd:12:ba for '/usr/share/initramfs-tools/scripts/local-block/lvm2' not found
        ...
15[PTS] bd:7a:11:17:66:ff:e9:d8:14:1d:c6:21:b7:f6:a2:b0:dc:30:77:be:49:3a:33:ca:74:48:bb:ee:ec:3c:84:9a for '/usr/share/initramfs-tools/scripts/local-top/lvm2' not found
15[PTS] fa:94:2b:f9:c1:d2:e0:17:03:56:e3:1a:59:94:fc:cd:ad:89:6d:0c:1f:74:df:95:56:c3:7c:2a:4f:ca:61:86 for '/usr/share/initramfs-tools/scripts/init-premount/lvm2' not found

The TPM Quote Signature, computed over the TPM Quote Info (the PCR Composite digest plus some additional system information) and carried in the Simple Evidence Final attribute, is successfully verified

15[PTS] constructed PCR Composite: => 384 bytes @ 0x7f7dd80468f0
15[PTS]    0: 06 15 6C E6 46 85 9E E3 81 09 57 54 9A 18 4B 7A  ..l.F.....WT..Kz
15[PTS]   16: 2E A6 C6 C0 4F 3D DB 8A 2C D3 A3 67 F4 93 16 71  ....O=..,..g...q
15[PTS]   32: 6C B0 42 07 6E C2 B8 67 A9 2B CB 8E 12 F9 14 D6  l.B.n..g.+......
15[PTS]   48: 4A 06 E2 9B A1 08 0C E4 E0 27 55 C0 21 23 6C 81  J........'U.!#l.
15[PTS]   64: 30 3B 09 87 95 4C D0 9C A1 78 B8 6B DD 60 55 40  0;...L...x.k.`U@
15[PTS]   80: F4 00 40 E8 E6 42 BD 11 73 AC 45 BC 9B 36 A3 49  ..@..B..s.E..6.I
15[PTS]   96: 3D 45 8C FE 55 CC 03 EA 1F 44 3F 15 62 BE EC 8D  =E..U....D?.b...
15[PTS]  112: F5 1C 75 E1 4A 9F CF 9A 72 34 A1 3F 19 8E 79 69  ..u.J...r4.?..yi
15[PTS]  128: A3 1D BF 9D 3B CE 32 03 F2 54 59 8D 69 35 1D 8E  ....;.2..TY.i5..
15[PTS]  144: 4B 7E 1B 54 CD 43 3D 1C 71 07 92 52 24 6A EC EF  K~.T.C=.q..R$j..
15[PTS]  160: BB 49 6D 97 1F AB AC 31 BC 4D 1C A2 F2 EA F7 C0  .Im....1.M......
15[PTS]  176: 82 F3 E9 3C 25 6F 07 93 E0 CF 67 14 FD 36 40 4D  ...<%o....g..6@M
15[PTS]  192: 3D 45 8C FE 55 CC 03 EA 1F 44 3F 15 62 BE EC 8D  =E..U....D?.b...
15[PTS]  208: F5 1C 75 E1 4A 9F CF 9A 72 34 A1 3F 19 8E 79 69  ..u.J...r4.?..yi
15[PTS]  224: 44 6F 7A 67 D5 78 B2 F9 47 C4 E1 12 F7 69 96 E7  Dozg.x..G....i..
15[PTS]  240: E3 67 D2 74 AF AF BE 77 89 94 C4 1A 4B 67 BC FE  .g.t...w....Kg..
15[PTS]  256: 36 77 2C B7 7B 34 C1 BC DC 41 6E 3C C0 50 E7 26  6w,.{4...An<.P.&
15[PTS]  272: 7B 64 C2 91 28 12 9B 6A 3A 13 8A 74 C6 58 73 AD  {d..(..j:..t.Xs.
15[PTS]  288: E2 09 7C E2 17 04 A8 46 B3 55 3F 24 DF 4E 57 26  ..|....F.U?$.NW&
15[PTS]  304: F1 B9 86 DC 31 C3 11 B8 30 28 8D 86 00 21 EE 57  ....1...0(...!.W
15[PTS]  320: A2 7F 76 A0 91 10 EB D4 37 A0 35 FE 9F CE 70 BC  ..v.....7.5...p.
15[PTS]  336: C6 5A 05 ED AA 81 CA BB 37 7F B5 49 01 A1 4E B6  .Z......7..I..N.
15[PTS]  352: E3 99 1B 7D DD 47 BE 7E 92 72 6A 83 2D 68 74 C5  ...}.G.~.rj.-ht.
15[PTS]  368: 34 9B 52 B7 89 FA 0D B8 B5 58 C6 9F EA 29 57 4E  4.R......X...)WN
15[PTS] constructed PCR Composite digest: => 32 bytes @ 0x7f7dd8044bc0
15[PTS]    0: 86 88 05 24 23 5E 82 D2 4E 3A 21 88 2A F6 F0 E0  ...$#^..N:!.*...
15[PTS]   16: C7 46 4D 35 FF A1 FE 93 88 FE 2E C0 02 95 70 86  .FM5..........p.
15[PTS] constructed TPM Quote Info: => 145 bytes @ 0x7f7dd80411e0
15[PTS]    0: FF 54 43 47 80 18 00 22 00 0B BD E2 F1 F3 E7 B6  .TCG..."........
15[PTS]   16: 0C A6 6D 93 1C EC AC 7D 25 B4 69 F0 E3 9E 96 9D  ..m....}%.i.....
15[PTS]   32: 3D B8 A8 79 89 FB E2 C1 9B C5 00 20 C0 82 AC F2  =..y....... ....
15[PTS]   48: 74 2A AB 92 A1 A7 48 8A 8B 74 DC 29 0A 4E 82 30  t*....H..t.).N.0
15[PTS]   64: 9B D6 11 43 53 B1 95 21 5B B2 3F 59 00 00 00 00  ...CS..![.?Y....
15[PTS]   80: 5F AE 07 C5 00 00 01 13 00 00 00 00 01 00 01 01  _...............
15[PTS]   96: 02 00 00 00 00 00 00 00 01 00 0B 03 FF 47 00 00  .............G..
15[PTS]  112: 20 86 88 05 24 23 5E 82 D2 4E 3A 21 88 2A F6 F0   ...$#^..N:!.*..
15[PTS]  128: E0 C7 46 4D 35 FF A1 FE 93 88 FE 2E C0 02 95 70  ..FM5..........p
15[PTS]  144: 86                                               .
15[IMV] TPM Quote Info signature verification successful
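What the IMV just verified can be re-checked by hand from the three hex dumps above. The following is an added example (my code, not strongSwan's): it parses the 145-byte TPM Quote Info as a TPMS_ATTEST structure from the TPM 2.0 library specification, decodes the PCR selection bitmap, maps the 384-byte PCR Composite back onto the selected PCRs, and recomputes the PCR digest. The one assumption, labelled in the code, is that the composite digest is SHA-256 over the concatenated PCR values in ascending PCR order, which the sizes in the log (12 selected PCRs times 32 bytes, 32-byte digest) support. The quote signature itself cannot be re-verified here because the attestation key is not on the page.

```python
"""Re-check the TPM 2.0 quote that the Attestation IMV verified above.

Added example, not strongSwan code: parses the TPM Quote Info dump into its
TPMS_ATTEST fields, decodes the PCR selection, recomputes the digest over the
PCR Composite and compares it with the digest embedded in the quote.
All hex data is copied from the 15[PTS] lines on this page.
"""
import hashlib
import hmac
import struct

# PCR Composite: 12 PCR values x 32 bytes, one selected PCR per line.
PCR_COMPOSITE_HEX = """
06 15 6C E6 46 85 9E E3 81 09 57 54 9A 18 4B 7A 2E A6 C6 C0 4F 3D DB 8A 2C D3 A3 67 F4 93 16 71
6C B0 42 07 6E C2 B8 67 A9 2B CB 8E 12 F9 14 D6 4A 06 E2 9B A1 08 0C E4 E0 27 55 C0 21 23 6C 81
30 3B 09 87 95 4C D0 9C A1 78 B8 6B DD 60 55 40 F4 00 40 E8 E6 42 BD 11 73 AC 45 BC 9B 36 A3 49
3D 45 8C FE 55 CC 03 EA 1F 44 3F 15 62 BE EC 8D F5 1C 75 E1 4A 9F CF 9A 72 34 A1 3F 19 8E 79 69
A3 1D BF 9D 3B CE 32 03 F2 54 59 8D 69 35 1D 8E 4B 7E 1B 54 CD 43 3D 1C 71 07 92 52 24 6A EC EF
BB 49 6D 97 1F AB AC 31 BC 4D 1C A2 F2 EA F7 C0 82 F3 E9 3C 25 6F 07 93 E0 CF 67 14 FD 36 40 4D
3D 45 8C FE 55 CC 03 EA 1F 44 3F 15 62 BE EC 8D F5 1C 75 E1 4A 9F CF 9A 72 34 A1 3F 19 8E 79 69
44 6F 7A 67 D5 78 B2 F9 47 C4 E1 12 F7 69 96 E7 E3 67 D2 74 AF AF BE 77 89 94 C4 1A 4B 67 BC FE
36 77 2C B7 7B 34 C1 BC DC 41 6E 3C C0 50 E7 26 7B 64 C2 91 28 12 9B 6A 3A 13 8A 74 C6 58 73 AD
E2 09 7C E2 17 04 A8 46 B3 55 3F 24 DF 4E 57 26 F1 B9 86 DC 31 C3 11 B8 30 28 8D 86 00 21 EE 57
A2 7F 76 A0 91 10 EB D4 37 A0 35 FE 9F CE 70 BC C6 5A 05 ED AA 81 CA BB 37 7F B5 49 01 A1 4E B6
E3 99 1B 7D DD 47 BE 7E 92 72 6A 83 2D 68 74 C5 34 9B 52 B7 89 FA 0D B8 B5 58 C6 9F EA 29 57 4E
"""
# Digest the IMV printed for that composite.
PCR_COMPOSITE_DIGEST_HEX = ("86 88 05 24 23 5E 82 D2 4E 3A 21 88 2A F6 F0 E0 "
                            "C7 46 4D 35 FF A1 FE 93 88 FE 2E C0 02 95 70 86")
# TPMS_ATTEST (145 bytes): the structure the quote signature covers.
TPM_QUOTE_INFO_HEX = """
FF 54 43 47 80 18 00 22 00 0B BD E2 F1 F3 E7 B6 0C A6 6D 93 1C EC AC 7D 25 B4 69 F0 E3 9E 96 9D
3D B8 A8 79 89 FB E2 C1 9B C5 00 20 C0 82 AC F2 74 2A AB 92 A1 A7 48 8A 8B 74 DC 29 0A 4E 82 30
9B D6 11 43 53 B1 95 21 5B B2 3F 59 00 00 00 00 5F AE 07 C5 00 00 01 13 00 00 00 00 01 00 01 01
02 00 00 00 00 00 00 00 01 00 0B 03 FF 47 00 00 20 86 88 05 24 23 5E 82 D2 4E 3A 21 88 2A F6 F0
E0 C7 46 4D 35 FF A1 FE 93 88 FE 2E C0 02 95 70 86
"""

TPM_GENERATED_VALUE = 0xFF544347  # magic at the start of every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018      # attestation type produced by TPM2_Quote
TPM_ALG_SHA256 = 0x000B


def unhex(dump):
    return bytes.fromhex("".join(dump.split()))


def _sized(data, off):
    """Read a TPM2B_* field: 2-byte big-endian size followed by that many bytes."""
    (size,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + size], off + 2 + size


def parse_tpms_attest(data):
    """Parse a TPMS_ATTEST of type TPM_ST_ATTEST_QUOTE into its fields."""
    magic, st = struct.unpack_from(">IH", data, 0)
    if magic != TPM_GENERATED_VALUE:      # reject blobs not produced by a TPM
        raise ValueError("missing TPM_GENERATED_VALUE magic")
    if st != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a quote, type 0x%04x" % st)
    qualified_signer, off = _sized(data, 6)   # TPM2B_NAME of the signing (AK) key
    extra_data, off = _sized(data, off)       # qualifying data: the verifier's nonce
    clock, resets, restarts, safe, firmware = struct.unpack_from(">QIIBQ", data, off)
    off += struct.calcsize(">QIIBQ")          # TPMS_CLOCK_INFO + firmwareVersion
    (count,) = struct.unpack_from(">I", data, off)
    off += 4
    selections = []                           # TPML_PCR_SELECTION
    for _ in range(count):
        alg, n = struct.unpack_from(">HB", data, off)
        select = data[off + 3:off + 3 + n]
        off += 3 + n
        pcrs = [8 * i + bit for i, b in enumerate(select) for bit in range(8) if b >> bit & 1]
        selections.append({"hash_alg": alg, "pcrs": pcrs})
    pcr_digest, off = _sized(data, off)
    if off != len(data):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"qualified_signer": qualified_signer, "extra_data": extra_data,
            "clock": clock, "reset_count": resets, "restart_count": restarts,
            "safe": safe, "firmware_version": firmware,
            "pcr_selection": selections, "pcr_digest": pcr_digest}


def split_pcr_composite(composite, pcrs, pcr_len=32):
    """Map each slice of the composite to its PCR number (ascending order, one bank)."""
    if len(composite) != len(pcrs) * pcr_len:
        raise ValueError("composite length does not match the PCR selection")
    return {pcr: composite[i * pcr_len:(i + 1) * pcr_len] for i, pcr in enumerate(pcrs)}


def pcr_digest_matches(composite, attest):
    """Assumption: pcrDigest = SHA-256 over the concatenated selected PCR values.
    Compare in constant time with the digest the TPM signed."""
    if attest["pcr_selection"][0]["hash_alg"] != TPM_ALG_SHA256:
        raise NotImplementedError("only the SHA-256 bank is handled here")
    return hmac.compare_digest(hashlib.sha256(composite).digest(), attest["pcr_digest"])


def check_page_quote():
    """Run all checks on the data from this page and return the findings."""
    composite = unhex(PCR_COMPOSITE_HEX)
    attest = parse_tpms_attest(unhex(TPM_QUOTE_INFO_HEX))
    by_pcr = split_pcr_composite(composite, attest["pcr_selection"][0]["pcrs"])
    return {"pcrs": sorted(by_pcr),
            "digest_in_quote_matches_log": attest["pcr_digest"] == unhex(PCR_COMPOSITE_DIGEST_HEX),
            "digest_recomputed_matches": pcr_digest_matches(composite, attest),
            "reset_count": attest["reset_count"], "nonce_len": len(attest["extra_data"])}


if __name__ == "__main__":
    for key, value in check_page_quote().items():
        print(key, value)
```

The selection bytes `FF 47 00` decode to PCRs 0 to 10 plus 14, which is why the composite is exactly 12 slices. A production verifier does two further things this example cannot: it compares `extra_data` with the nonce it sent (freshness) and checks the `qualified_signer` name against the attestation key it trusts before verifying the signature; neither the nonce nor the key appears in the log.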

1732 IMA file evidence measurements were processed, of which only 107 were not found in the strongTNC database

15[PTS] processed 1732 IMA file evidence measurements: 1625 ok, 107 unknown, 0 differ, 0 failed
15[PTS] 136 BIOS evidence measurements are ok
15[IMV] MV 3 handled TPMRA workitem 660: allow - processed 1732 IMA file evidence measurements: 1625 ok, 107 unknown, 0 differ, 0 failed; 136 BIOS evidence measurements are ok
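The `not found` entries and the summary line above are what an operator has to act on after such a run. The following added example (my code, not strongSwan's) parses those two line formats, groups the unknown files by top-level path to show where the reference database is incomplete, checks that the log carries one `not found` entry per `unknown` counted in the summary (a mismatch means the log was elided or truncated before triage, as it is on this page), and shows how the ok, unknown and differ outcomes of the summary arise. The sample log is constructed from the lines on this page; `REFERENCE` is a constructed stand-in for the strongTNC file-measurement database, populated so that all three outcomes appear.

```python
"""Triage the '[PTS] ... not found' lines of an Attestation IMV log.

Added example, not strongSwan code. SAMPLE_LOG is constructed from entries
printed on this page; REFERENCE is a constructed stand-in for the strongTNC
file-measurement database.
"""
import hmac
import re
from collections import Counter
from pathlib import PurePosixPath

# One SHA-256 (32 colon-separated bytes) and the measured path per line.
NOT_FOUND_RE = re.compile(
    r"^\d+\[PTS\] ((?:[0-9a-f]{2}:){31}[0-9a-f]{2}) for '([^']+)' not found$")
SUMMARY_RE = re.compile(
    r"processed (\d+) IMA file evidence measurements: "
    r"(\d+) ok, (\d+) unknown, (\d+) differ, (\d+) failed")
BIOS_RE = re.compile(r"(\d+) BIOS evidence measurements are ok")

SAMPLE_LOG = """\
06[PTS] 56:bb:f2:6a:62:bc:ca:e7:ff:f5:2e:06:59:e2:18:5b:c8:af:c1:7d:bb:44:89:67:10:ae:db:44:1d:3c:c1:29 for '/usr/bin/tpm2' not found
06[PTS] 9a:a2:6f:88:6d:ad:01:a0:6c:6d:c5:ed:2d:4f:d3:7a:5a:57:89:19:17:28:14:27:9e:1c:7d:40:12:5d:50:e2 for '/usr/lib/libtss2-esys.so.0.0.0' not found
15[PTS] 8e:4a:5a:53:da:25:7c:18:53:c5:2a:52:5d:04:84:e4:41:7a:de:c5:cf:94:7b:a7:bc:62:16:eb:91:dc:fc:5f for '/etc/initramfs-tools/scripts/init-top/ima_policy' not found
15[PTS] af:e4:6b:04:21:cf:d7:b8:c0:08:c2:c5:10:96:44:28:e5:77:8c:9c:91:2c:6e:aa:75:4a:9e:73:b4:dd:12:ba for '/usr/share/initramfs-tools/scripts/local-block/lvm2' not found
15[PTS] bd:7a:11:17:66:ff:e9:d8:14:1d:c6:21:b7:f6:a2:b0:dc:30:77:be:49:3a:33:ca:74:48:bb:ee:ec:3c:84:9a for '/usr/share/initramfs-tools/scripts/local-top/lvm2' not found
15[PTS] fa:94:2b:f9:c1:d2:e0:17:03:56:e3:1a:59:94:fc:cd:ad:89:6d:0c:1f:74:df:95:56:c3:7c:2a:4f:ca:61:86 for '/usr/share/initramfs-tools/scripts/init-premount/lvm2' not found
15[PTS] processed 1732 IMA file evidence measurements: 1625 ok, 107 unknown, 0 differ, 0 failed
15[PTS] 136 BIOS evidence measurements are ok
"""

REFERENCE = {  # constructed: path -> SHA-256 hex the verifier expects
    "/usr/bin/tpm2": "56bbf26a62bccae7fff52e0659e2185bc8afc17dbb44896710aedb441d3cc129",
    "/usr/lib/libtss2-esys.so.0.0.0": "00" * 32,  # deliberately wrong -> 'differ'
}


def parse_pts_log(text):
    """Collect (path, digest_hex) for every 'not found' line plus the summaries."""
    unknown, summary, bios_ok = [], None, None
    for line in text.splitlines():
        m = NOT_FOUND_RE.match(line)
        if m:
            unknown.append((m.group(2), m.group(1).replace(":", "")))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            keys = ("processed", "ok", "unknown", "differ", "failed")
            summary = dict(zip(keys, map(int, m.groups())))
            continue
        m = BIOS_RE.search(line)
        if m:
            bios_ok = int(m.group(1))
    return {"unknown": unknown, "summary": summary, "bios_ok": bios_ok}


def group_by_prefix(unknown, depth=2):
    """Count unknown files per leading path prefix such as '/usr/share'."""
    counts = Counter()
    for path, _ in unknown:
        parts = PurePosixPath(path).parts          # ('/', 'usr', 'share', ...)
        counts["/" + "/".join(parts[1:1 + depth])] += 1
    return counts


def log_is_complete(parsed):
    """True when the log carries one 'not found' line per 'unknown' in the summary."""
    s = parsed["summary"]
    return s is not None and s["unknown"] == len(parsed["unknown"])


def classify(path, digest_hex, reference):
    """Outcome of one measurement against the reference table."""
    expected = reference.get(path)
    if expected is None:
        return "unknown"                 # no reference value: database incomplete
    return "ok" if hmac.compare_digest(expected, digest_hex) else "differ"


def classify_all(parsed, reference):
    return Counter(classify(p, d, reference) for p, d in parsed["unknown"])


def triage(parsed):
    """Order of severity: differ/failed before unknown, unknown before clean."""
    s = parsed["summary"]
    if s is None:
        return "no summary line: attestation did not finish"
    if s["differ"] or s["failed"]:
        return "measurements differ from reference: investigate before allowing"
    if s["unknown"]:
        return "reference database incomplete: review and register the unknown files"
    return "all measurements known and matching"


if __name__ == "__main__":
    parsed = parse_pts_log(SAMPLE_LOG)
    print(triage(parsed), group_by_prefix(parsed["unknown"]), log_is_complete(parsed))
```

The grouping points the operator at whole directories (here the initramfs scripts) to register in strongTNC, and `log_is_complete` flags a log that has been shortened, so nobody registers files from an incomplete list. Note that with `0 differ` the IMV still recommended `allow` on this page; whether unknown files should block access is a policy choice made in strongTNC, not in the parser.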

TNC Assessment Result

Since all 136 BIOS evidence and 1625 IMA file evidence measurements and the TPM Quote Signature were correct, the Attestation IMV generates a standard Assessment Result attribute with the evaluation compliant and the recommendation allow, and inserts it into a PA-TNC message of subtype PTS defined in the TCG namespace

15[TNC] creating PA-TNC message with ID 0x5553fd69
15[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
15[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
15[TNC] IMV 3 provides recommendation 'allow' and evaluation 'compliant'

The overall policy recommendation issued by the TNC server is allow. It is communicated to the TNC client in the form of a PB-TNC Assessment-Result payload and a PB-TNC Access-Recommendation payload, both of which are sent to the TNC client in a PB-TNC Result batch together with the PA-TNC message from the Attestation IMV

15[TNC] TNC server is handling outbound connection
15[IMV] policy: recommendation for access requestor 10.10.1.52 is allow
15[IMV] policy: imv_policy_manager stop successful
15[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Allowed'
15[IMV] IMV 2 "SWIMA" changed state of Connection ID 1 to 'Allowed'
15[IMV] IMV 3 "Attestation" changed state of Connection ID 1 to 'Allowed'
15[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
15[TNC] creating PB-TNC RESULT batch
15[TNC] adding IETF/PB-PA message
15[TNC] adding IETF/PB-Assessment-Result message
15[TNC] adding IETF/PB-Access-Recommendation message
15[TNC] sending PB-TNC RESULT batch (88 bytes) for Connection ID 1

The TNC client replies with a PB-TNC Close batch which causes the OS IMV, SWIMA IMV and Attestation IMV states as well as the PB-TNC connection to be deleted. Due to the positive final recommendation, the IKEv2 connection is allowed to complete

06[TNC] received TNCCS batch (8 bytes)
06[TNC] TNC server is handling inbound connection
06[TNC] processing PB-TNC CLOSE batch for Connection ID 1
06[TNC] PB-TNC state transition from 'Decided' to 'End'
06[TNC] final recommendation is 'allow' and evaluation is 'compliant'
06[TNC] policy enforced on peer 'mijas.strongsec.com' is 'allow'
06[TNC] policy enforcement point added group membership 'allow'
06[IKE] EAP_TTLS phase2 authentication of 'mijas.strongsec.com' with EAP_PT_EAP successful
06[IMV] IMV 1 "OS" deleted the state of Connection ID 1
06[IMV] IMV 2 "SWIMA" deleted the state of Connection ID 1
06[IMV] IMV 3 "Attestation" deleted the state of Connection ID 1
06[TNC] removed TNCCS Connection ID 1

IKEv2 Authentication Success

The EAP-TTLS authentication, based on a TLS client certificate plus the TNC measurements, was successful. Thus an EAP-SUCCESS message is sent to the EAP client

06[IKE] EAP method EAP_TTLS succeeded, MSK established
06[ENC] generating IKE_AUTH response 269 [ EAP/SUCC ]
06[NET] sending packet: from 10.10.0.150[4500] to 10.10.1.52[4500] (80 bytes)

The IKEv2 client sends an AUTH payload depending on the MSK (Master Secret Key) derived from the EAP-TTLS session

05[NET] received packet: from 10.10.1.52[4500] to 10.10.0.150[4500] (112 bytes)
05[ENC] parsed IKE_AUTH request 270 [ AUTH ]
05[IKE] authentication of 'mijas.strongsec.com' with EAP successful
05[IKE] authentication of 'vpn.strongswan.org' (myself) with EAP
05[IKE] IKE_SA eap[1] established between 10.10.0.150[vpn.strongswan.org]...10.10.1.52[mijas.strongsec.com]

The IKEv2 server in turn authenticates itself again via an AUTH payload depending on the EAP-TTLS MSK as well

05[IKE] maximum IKE_SA lifetime 11245s
05[IKE] peer requested virtual IP %any
05[CFG] assigning new lease to 'mijas.strongsec.com'
05[IKE] assigning virtual IP 10.10.1.65 to peer 'mijas.strongsec.com'
05[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
05[IKE] CHILD_SA eap{1} established with SPIs c3c268a8_i c28cd4ab_o and TS 10.10.0.150/32 === 10.10.1.65/32
05[ENC] generating IKE_AUTH response 270 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) ]
05[NET] sending packet: from 10.10.0.150[4500] to 10.10.1.52[4500] (272 bytes)

The IKEv2 connection has been successfully established.