IMA Client
The IMA Client is based on the basic TNC Client configuration and combines the SWIMA Client and Attestation Client functionality. The Attestation IMC collects IMA events in addition to BIOS events and certifies the measurements based on the local TPM 2.0.
Activate IMA in the Linux Kernel
Ubuntu is one of the Linux distributions which have IMA capability already compiled into their Linux kernel (CONFIG_IMA=y). This has the advantage that no special kernel must be built, which can become quite involved if you intend to use IMA in conjunction with Secure Boot, which requires a signed kernel. With Ubuntu, activating IMA in the kernel is a piece of cake: just add the boot option ima_tcb to the /etc/default/grub configuration file

GRUB_CMDLINE_LINUX="ima_tcb ima_hash=sha256"

and automatically generate an updated /boot/grub/grub.cfg file using the command

sudo update-grub
Since SHA-1 has been "shattered", we strongly recommend using SHA-256 for the file measurement hashes, since a TPM 2.0 comes by default with a SHA-256 PCR bank.
Configure the IMA Policy
The default IMA policy that is hard-coded into the kernel causes quite a lot of measurement violations which corrupt the content of the PCR10 register, so that reliable remote attestation becomes impossible. The cause for the violations is the following default policy entry

measure func=FILE_CHECK mask=MAY_READ uid=0

which measures all files which are read by root. These are mainly configuration files, some of which seem to change during the actual measurement, thus causing the violations. We want to override the default IMA policy at the earliest possible boot stage, which can be done by adding the following ima_policy script to the /etc/initramfs-tools/scripts/init-top/ directory

#!/bin/sh
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac

# mount securityfs
SECURITYFSDIR="/sys/kernel/security"
mount -t securityfs securityfs ${SECURITYFSDIR} >/dev/null 2>&1

# set IMA policy
cat << @EOF > ${SECURITYFSDIR}/ima/policy
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_measure fsmagic=0x858458f6
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
# MEASUREMENTS
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=MODULE_CHECK uid=0
@EOF
Make this script executable

$ sudo chmod a+x /etc/initramfs-tools/scripts/init-top/ima_policy

and include it in the initramfs of the latest kernel by executing

$ sudo update-initramfs -u
IMA Enabled
With the updated /boot/grub/grub.cfg boot menu and the modified initramfs in place, you can reboot the Linux client and you should then be able to see the enabled IMA measurements

$ ls -l /sys/kernel/security/integrity/ima/
total 0
-r--r----- 1 root root 0 Jun 25 12:41 ascii_runtime_measurements
-r--r----- 1 root root 0 Jun 25 12:41 binary_runtime_measurements
-r--r----- 1 root root 0 Jun 25 12:41 runtime_measurements_count
-r--r----- 1 root root 0 Jun 25 12:41 violations

The current number of measured files can be seen with the following command

$ sudo cat /sys/kernel/security/ima/runtime_measurements_count
1732

We can also check that there are no violations

$ sudo cat /sys/kernel/security/ima/violations
0
IMA-NG Measurement Log
With the ima_hash=sha256 boot option, SHA-256 file measurement hashes are computed before they are extended into the SHA-1 and SHA-256 based PCR10 TPM 2.0 registers.

/sys/kernel/security/ima/ascii_runtime_measurements - This human-readable file shows only the SHA-1 hashes

10 0aedf435fa6da8f3ac01b53f6dcb2634dc2b41ad ima-ng sha256:fe824c47b289ddcdb919a46c477ff9da377de57668f2d8b679d57df2402b9331 boot_aggregate
10 0b5a1ee5112b581fc74040146ce5bdb607c1e1ac ima-ng sha256:d9d1775d643f6f70a1a6f646dfe023052765f558a167ec58951ad2f1013b3e46 /init
10 dbc038c03d50fed2ac6f7f8eb210f7e670d1c720 ima-ng sha256:4cf7b8e820dda4c1154ab59d994278c2bfb95942bce75bd4a3047d33f2d63206 /usr/bin/sh
10 b6a0d6a27247a1af40cd7101130c688f77142513 ima-ng sha256:b30a5d834a1c820db8eda3a6bafbc5d1b0e51d29de47579ada264f69c18003dd /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
10 fa5df98ea572ec24c06f0ef9452a9ab23a1a41a7 ima-ng sha256:9dc532785eead16b446ff85deefb011f36a733f7217440bb5f660d8f5cacd26a /etc/ld.so.cache
10 b0594fefde8e4981dfded3099cf0c45968e64c88 ima-ng sha256:ebaed8bd64291875c908cc6e7f5115ae7bf605a5da56ce3da4028e2fcfb0d8e5 /usr/lib/x86_64-linux-gnu/libc.so.6
10 0f8b2256c6159adfec34fc26b0f70f62b189e9a6 ima-ng sha256:91f2413151b7b0451ce0b6cedc7e5919931acf792d9a26645c0deb3bc230d9fe /conf/arch.conf
10 4ca27c56eba7dd5535fc2c4d5d733e39c490e510 ima-ng sha256:5235ceda36f17ee742839d8c0210350142c35f61a51046627a308a3822f592c2 /conf/initramfs.conf
10 010d880f5ed8c0ebb0c79e6689c29e710846339c ima-ng sha256:1b575a98aa5e5b4e71045564fad7e32bb90a7db2577d354a25c3bb5e92a71a94 /scripts/functions
10 3f43a151e6f6a6761f03565c9b746e13aad582d5 ima-ng sha256:fee37fb19f7fafa3ddcd6a035b4655647c3720fdb38e5214dd5f0529a7f22197 /scripts/init-top/ORDER
10 53348acf965694b535dbabadf80b4220cb911940 ima-ng sha256:d6e4045a43660a69a33d623c8dc8fb3fd219def71efacf75dccc4bd024ca497f /scripts/init-top/all_generic_ide
10 0d0059a86ebd7752476a86167a54abb11a76f6df ima-ng sha256:50d990344cb18e8fad0d77992e68ca2c504283d578abb358ffbd90342a03ebf2 /scripts/init-top/blacklist
10 1618f1b6075cf0890e4399ba987ecb895a4209dc ima-ng sha256:6b64b35475cb78a76c7b11f6cbaf311027758f347aee128565b67e55a6d596fe /scripts/init-top/ima_policy
10 f2c218e142ec0e97b647580d5b0f8ae3f93ff77e ima-ng sha256:22369e9244b4705443f65980a64d8398f146e908c7f6d691ad368ace52102bdd /usr/lib/systemd/systemd
10 1f3296dd47365478fdf482c9db4e79ca78a876f0 ima-ng sha256:ba47fe82527cfc237756ce09d80fc0a38a6f57952275fcc75dea0a3f878cf982 /usr/lib/systemd/libsystemd-shared-249.so
10 6d6fbb86316216b7dcbe7715ee7c1b897ccdc514 ima-ng sha256:d60148325d84cab666b226676c5009a61eea24f3902598829fe714da87ef3587 /usr/lib/x86_64-linux-gnu/libseccomp.so.2.5.3
10 70dc3756ce4ddbbf707adbe36987877b51e4d9ad ima-ng sha256:624eb1e6a7510e0983e9caa1bbf3e1966acb64fd6d3ad4db94528addbe1e7224 /usr/lib/x86_64-linux-gnu/libselinux.so.1
10 777f6fb3e3b4726a2e6eb462193ecc982b867931 ima-ng sha256:50f2409908922a65f827a160a855bf5cf7f9548c17a9158cce29fc03d91afeae /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0
10 10fa01fb4900a66814949b35a139cbb524f546a0 ima-ng sha256:aa6dd3339ab3cb94615d20c38352b9b35e79c936be967a34b58662c9c46ad47e /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
...
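A remote verifier trusts this log only if replaying it reproduces the PCR the TPM actually holds, so the check worth automating is the replay itself. The following Python is an added example, not strongSwan code: it parses ima-ng lines in the format shown above, replays the SHA-1 bank of PCR 10 from its all-zero reset value (each entry extends the PCR as SHA1(PCR || template_hash)), and handles the violation case that the policy section warns about. Assumptions, stated here and in the comments: the sample log is constructed from the first three entries above plus one constructed violation line, and a violation is recorded in the log with an all-zero template hash while the kernel invalidates the PCR by extending it with 20 bytes of 0xff, which is why a naive replay over the logged zeros never matches the TPM.

```python
import hashlib
import re

# Constructed sample: three lines copied from the ascii_runtime_measurements log shown
# above, followed by a constructed violation entry (all-zero template hash, zero file
# digest, constructed path). Assumption: the kernel extends the PCR with 0xff bytes for
# a violation although the log shows zeros.
SAMPLE_LOG = """\
10 0aedf435fa6da8f3ac01b53f6dcb2634dc2b41ad ima-ng sha256:fe824c47b289ddcdb919a46c477ff9da377de57668f2d8b679d57df2402b9331 boot_aggregate
10 0b5a1ee5112b581fc74040146ce5bdb607c1e1ac ima-ng sha256:d9d1775d643f6f70a1a6f646dfe023052765f558a167ec58951ad2f1013b3e46 /init
10 dbc038c03d50fed2ac6f7f8eb210f7e670d1c720 ima-ng sha256:4cf7b8e820dda4c1154ab59d994278c2bfb95942bce75bd4a3047d33f2d63206 /usr/bin/sh
10 0000000000000000000000000000000000000000 ima-ng sha1:0000000000000000000000000000000000000000 /etc/constructed-violation.conf
"""

# <pcr> <sha1 template hash> <template name> <algo>:<file hash> <path>
LINE_RE = re.compile(
    r"^(?P<pcr>\d+) (?P<template_hash>[0-9a-f]{40}) (?P<template>\S+) "
    r"(?P<algo>[a-z0-9_]+):(?P<file_hash>[0-9a-f]+) (?P<path>.+)$"
)


def parse_entries(text):
    """Parse ima-ng lines of ascii_runtime_measurements into dicts, one per entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an ima-ng entry: {line!r}")
        e = m.groupdict()
        e["pcr"] = int(e["pcr"])
        e["template_hash"] = bytes.fromhex(e["template_hash"])
        e["file_hash"] = bytes.fromhex(e["file_hash"])
        # A violation is logged with an all-zero template hash.
        e["violation"] = e["template_hash"] == bytes(20)
        entries.append(e)
    return entries


def extend(pcr_value, digest):
    """TPM extend operation on the SHA-1 bank: PCR' = SHA1(PCR || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()


def replay_pcr(entries, pcr=10):
    """Replay one PCR of the SHA-1 bank from the log, starting at the reset value (zeros).

    Violations are replayed with 0xff bytes, matching what the kernel extended, so a
    log containing violations still replays to the value the TPM holds.
    """
    value = bytes(20)
    for e in entries:
        if e["pcr"] != pcr:
            continue
        digest = b"\xff" * 20 if e["violation"] else e["template_hash"]
        value = extend(value, digest)
    return value


def violations(entries):
    """Paths of all entries that were recorded as measurement violations."""
    return [e["path"] for e in entries if e["violation"]]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print(f"{len(entries)} entries, violations: {violations(entries)}")
    # Compare this value with the TPM's own SHA-1 PCR 10; a mismatch means the log
    # and the TPM disagree and the log must not be trusted by the verifier.
    print("replayed SHA-1 PCR 10:", replay_pcr(entries).hex())
```

Only the SHA-1 bank can be replayed from the ascii log, since the SHA-256 template hashes that went into the SHA-256 bank are only present in binary_runtime_measurements; an empty log replays to the reset value, and reordering or dropping a single entry changes the result.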
/sys/kernel/security/ima/binary_runtime_measurements - This binary file contains all the hashes supported by the TPM 2.0 PCR banks and is parsed by the Attestation IMC.
Plugin Configuration
For the IMA use case, the OS IMC, SWIMA IMC and the Attestation IMC have to be enabled in the /etc/tnc_config configuration file

#IMC-Configuration
IMC "OS" /usr/lib/ipsec/imcvs/imc-os.so
IMC "SWIMA" /usr/lib/ipsec/imcvs/imc-swima.so
IMC "Attestation" /usr/lib/ipsec/imcvs/imc-attestation.so

These Integrity Measurement Collectors have to be built beforehand with the ./configure options

--enable-imc-os --enable-imc-swima --enable-imc-attestation
In the imc-os, imc-swima, and imc-attestation subsections of strongswan.conf some parameters have to be configured. As a minimum the following entries are needed

libimcv {
    plugins {
        imc-os {
            device_handle = 0x81010003
        }
        imc-swima {
            swid_full = yes
            swid_database = sqlite:///etc/pts/collector.db
            # subscription = yes
        }
        imc-attestation {
            aik_handle = 0x81010003
        }
    }
}
Both the device_handle and aik_handle point to an RSA or ECC Attestation Key (AK) stored in the TPM 2.0. This means that the keyid of the AK public key is used as a strong hardware ID of the endpoint and the final state of the PCRs after the boot measurements will be signed by the AK private key. As an alternative to aik_handle, the aik_cert option can be chosen to specify the path to an X.509 certificate containing the AK public key.

00[DMN] Starting IKE charon daemon (strongSwan 5.9.7, Linux 5.13.0-44-generic, x86_64)
00[PTS] TPM 2.0 - "/dev/tpmrm0" in-kernel resource manager is present
00[PTS] TPM 2.0 - "libtss2-tcti-device.so.0" successfully loaded
The OS IMC, SWIMA IMC and Attestation IMC are dynamically loaded and subscribe to the PA-TNC subtypes IETF/Operating System, IETF/SWIMA and TCG/PTS, respectively

00[TNC] loading IMCs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[TNC] added PWG attributes
00[TNC] added TCG attributes
00[PTS] added TCG functional component namespace
00[PTS] added ITA-HSR functional component namespace
00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
00[PTS] added ITA-HSR functional component 'Trusted Boot'
00[PTS] added ITA-HSR functional component 'Linux IMA'
00[LIB] libimcv initialized
00[IMC] IMC 1 "OS" initialized
00[IMC] processing "/etc/os-release" file
00[IMC] operating system type is 'Ubuntu'
00[IMC] operating system name is 'Ubuntu'
00[IMC] operating system version is '20.04 x86_64'
00[TNC] IMC 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMC 1 "OS" loaded from '/usr/lib/ipsec/imcvs/imc-os.so'
00[IMC] IMC 2 "SWIMA" initialized
00[TNC] IMC 2 supports 1 message type: 'IETF/SWIMA' 0x000000/0x00000009
00[TNC] IMC 2 "SWIMA" loaded from '/usr/lib/ipsec/imcvs/imc-swima.so'
00[IMC] IMC 3 "Attestation" initialized
00[PTS] mandatory PTS measurement algorithm HASH_SHA1[openssl] available
00[PTS] mandatory PTS measurement algorithm HASH_SHA2_256[openssl] available
00[PTS] optional PTS measurement algorithm HASH_SHA2_384[openssl] available
00[PTS] optional PTS measurement algorithm HASH_SHA2_512[openssl] available
00[PTS] optional PTS DH group MODP_2048[openssl] available
00[PTS] optional PTS DH group MODP_1536[openssl] available
00[PTS] optional PTS DH group MODP_1024[openssl] available
00[PTS] mandatory PTS DH group ECP_256[openssl] available
00[PTS] optional PTS DH group ECP_384[openssl] available
00[TNC] IMC 3 supports 1 message type: 'TCG/PTS' 0x005597/0x00000001
00[TNC] IMC 3 "ATTESTATION" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
VPN Configuration
The VPN configuration chosen for this example is the same as for the general TNC client but just uses different client and server identities. For reasons of brevity we will omit the PT-EAP and IKEv2 EAP transport layers. Authentication is based on a TLS client certificate.
PB-TNC Connection
The PB-TNC (TCG TNC IF-TNCCS 2.0) Connection ID 1 is assigned to the connection by the TNC client and a new state is created for the OS IMC, the SWIMA IMC and the Attestation IMC

11[TNC] assigned TNCCS Connection ID 1
11[IMC] IMC 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
11[IMC] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 32722 bytes
11[IMC] IMC 2 "SWIMA" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
11[IMC] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 32722 bytes
11[IMC] IMC 3 "Attestation" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
11[IMC] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 32722 bytes
11[IMC] IMC 1 "OS" changed state of Connection ID 1 to 'Handshake'
11[IMC] IMC 2 "SWIMA" changed state of Connection ID 1 to 'Handshake'
11[IMC] IMC 3 "Attestation" changed state of Connection ID 1 to 'Handshake'
OS Information
The OS IMC gathers information on the operating system, creates seven PA-TNC attributes and puts them in a PA-TNC message of the standard subtype Operating System

11[IMC] operating system numeric version is 20.4
11[IMC] last boot: May 31 08:26:24 UTC 2022, 45859 s ago
11[IMC] IPv4 forwarding is enabled
11[IMC] factory default password is disabled
11[PTS] signature algorithm is ECDSA with SHA256 hash
11[IMC] device ID is 732c769e8d1b2efef8b64d5ae83f84d129733fdd
11[TNC] creating PA-TNC message with ID 0x9db26aae
11[TNC] creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
11[TNC] creating PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
11[TNC] creating PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
11[TNC] creating PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
11[TNC] creating PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
11[TNC] creating PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
11[TNC] creating PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
11[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
SWIMA Segmentation Contract
The SWIMA IMC creates a Segmentation Contract Request attribute defined in the TCG namespace which proposes to split up huge PA-TNC messages into segments with a maximum size of 32'698 bytes each (see PA-TNC message segmentation). This attribute is put into a PA-TNC message of standard subtype SWIMA

11[IMC] IMC 2 requests a segmentation contract for PA message type 'IETF/SWIMA' 0x000000/0x00000009
11[IMC] no message size limit, maximum segment size of 32698 bytes
11[TNC] creating PA-TNC message with ID 0xc9a4e2e5
11[TNC] creating PA-TNC attribute type 'TCG/Segmentation Contract Request' 0x005597/0x00000021
11[TNC] creating PB-PA message type 'IETF/SWIMA' 0x000000/0x00000009

Both PA-TNC messages are sent in a TNC Client Data batch to the TNC server

11[TNC] PB-TNC state transition from 'Init' to 'Server Working'
11[TNC] creating PB-TNC CDATA batch
11[TNC] adding IETF/PB-Language-Preference message
11[TNC] adding IETF/PB-PA message
11[TNC] adding IETF/PB-PA message
11[TNC] sending PB-TNC CDATA batch (321 bytes) for Connection ID 1
PDP-Referral
The TNC client receives a PB-TNC PDP-Referral payload defined in the TCG namespace and four PA-TNC messages in a PB-TNC Server Data batch

06[TNC] received TNCCS batch (402 bytes)
06[TNC] TNC client is handling inbound connection
06[TNC] processing PB-TNC SDATA batch for Connection ID 1
06[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
06[TNC] processing TCG/PB-PDP-Referral message (41 bytes)
06[TNC] processing IETF/PB-PA message (52 bytes)
06[TNC] processing IETF/PB-PA message (141 bytes)
06[TNC] processing IETF/PB-PA message (76 bytes)
06[TNC] processing IETF/PB-PA message (84 bytes)
In the PB-TNC PDP-Referral payload, the TNC server forwards the hostname of the Policy Decision Point (PDP) and the TCP port through which the PDP will be reachable via PT-TLS transport after the IPsec connection has been successfully established.

06[TNC] PDP server 'edu.strongsec.com' is listening on port 271

Thus after the endpoint has connected to the internal network via VPN, continuous health measurements would be possible. This dynamic switch-over from PT-EAP to PT-TLS transport of the PB-TNC connection hasn't been implemented yet, though.
The first PA-TNC message of standard subtype SWIMA is handled by the SWIMA IMC and contains a Segmentation Contract Response attribute defined in the TCG namespace

06[TNC] handling PB-PA message type 'IETF/SWIMA' 0x000000/0x00000009
06[IMC] IMC 2 "SWIMA" received message for Connection ID 1 from IMV 2 to IMC 2
06[TNC] processing PA-TNC message with ID 0x3c431f74
06[TNC] processing PA-TNC attribute type 'TCG/Segmentation Contract Response' 0x005597/0x00000022
06[IMC] IMC 2 received a segmentation contract response from IMV 2 for PA message type 'IETF/SWIMA' 0x000000/0x00000009
06[IMC] no message size limit, maximum segment size of 32698 bytes
OS Assessment Result
The second PA-TNC message of standard subtype Operating System is handled by the OS IMC and contains the standard Assessment Result and Remediation Instructions attributes

06[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
06[IMC] IMC 1 "OS" received message for Connection ID 1 from IMV 1
06[TNC] processing PA-TNC message with ID 0x37f97573
06[TNC] processing PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
06[TNC] processing PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
06[IMC] ***** assessment of IMC 1 "OS" from IMV 1 *****
06[IMC] assessment result is 'don't know'
06[IMC] remediation string: [en]
06[IMC] IP Packet Forwarding
06[IMC] Please disable the forwarding of IP packets
06[IMC] ***** end of assessment *****
Software Identifier Events
The third PA-TNC message of standard subtype SWIMA is handled by the SWIMA IMC and contains a Segmentation Contract Request defined in the TCG namespace and a standard SWIMA Request attribute

06[TNC] handling PB-PA message type 'IETF/SWIMA' 0x000000/0x00000009
06[IMC] IMC 2 "SWIMA" received message for Connection ID 1 from IMV 2
06[TNC] processing PA-TNC message with ID 0x2eabec55
06[TNC] processing PA-TNC attribute type 'TCG/Segmentation Contract Request' 0x005597/0x00000021
06[TNC] processing PA-TNC attribute type 'IETF/SWIMA Request' 0x000000/0x0000000d
06[IMC] IMC 2 received a segmentation contract request from IMV 2 for PA message type 'IETF/SWIMA' 0x000000/0x00000009
06[IMC] no message size limit, maximum segment size of 65466 bytes
06[IMC] lowered maximum segment size to 32698 bytes
The SWIMA IMC creates the following three PA-TNC attributes:
- Segmentation Contract Response defined in the TCG namespace: The maximum segment size is reduced from the proposed 65'366 bytes to 32'698 bytes.
- PA-TNC Error defined in the standard IETF namespace: The SWIMA Request contained a subscription request for SW Identifier Events which is not enabled on the TNC client (imc-swima.subscription option). Therefore an informational error message is generated.
- SW Identifier Events defined in the standard IETF namespace: 26 new SW ID events were collected since the last run.
and inserts them into a PA-TNC message of standard subtype SWIMA

06[IMC] collected 26 SW ID events at last eid 323 of epoch 0x38cd4cc6
06[TNC] creating PA-TNC message with ID 0x58b37554
06[TNC] creating PA-TNC attribute type 'TCG/Segmentation Contract Response' 0x005597/0x00000022
06[TNC] creating PA-TNC attribute type 'IETF/PA-TNC Error' 0x000000/0x00000008
06[TNC] creating PA-TNC attribute type 'IETF/SW Identifier Events' 0x000000/0x0000000f
06[TNC] creating PB-PA message type 'IETF/SWIMA' 0x000000/0x00000009
PTS Configuration
The fourth PA-TNC message of subtype PTS defined in the TCG namespace is handled by the Attestation IMC and contains the following three attributes defined in the TCG namespace
- Segmentation Contract Request
- Request PTS Protocol Capabilities
- PTS Measurement Algorithm Request
Since the local TPM 2.0 only supports SHA1 and SHA256 PCR banks, the PTS measurement algorithm is set to SHA2_256

06[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
06[IMC] IMC 3 "Attestation" received message for Connection ID 1 from IMV 3
06[TNC] processing PA-TNC message with ID 0xe6a89ae6
06[TNC] processing PA-TNC attribute type 'TCG/Segmentation Contract Request' 0x005597/0x00000021
06[TNC] processing PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
06[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
06[IMC] IMC 3 received a segmentation contract request from IMV 3 for PA message type 'TCG/PTS' 0x005597/0x00000001
06[IMC] no message size limit, maximum segment size of 65466 bytes
06[IMC] lowered maximum segment size to 32698 bytes
06[PTS] supported PTS protocol capabilities: .VDT.
06[PTS] selected PTS measurement algorithm is HASH_SHA2_256
As a response the following three attributes defined in the TCG namespace
- Segmentation Contract Response
- PTS Protocol Capabilities
- PTS Measurement Algorithm
are put into a PA-TNC message of subtype PTS defined in the TCG namespace

06[TNC] creating PA-TNC message with ID 0x03a3bf23
06[TNC] creating PA-TNC attribute type 'TCG/Segmentation Contract Response' 0x005597/0x00000022
06[TNC] creating PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
06[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

The two PA-TNC messages created above are sent in a TNC Client Data batch to the TNC server

06[TNC] TNC client is handling outbound connection
06[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
06[TNC] creating PB-TNC CDATA batch
06[TNC] adding IETF/PB-PA message
06[TNC] adding IETF/PB-PA message
06[TNC] sending PB-TNC CDATA batch (2847 bytes) for Connection ID 1
The TNC client receives a PB-TNC Server Data batch containing two PA-TNC messages

09[TNC] received TNCCS batch (104 bytes)
09[TNC] TNC client is handling inbound connection
09[TNC] processing PB-TNC SDATA batch for Connection ID 1
09[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
09[TNC] processing IETF/PB-PA message (48 bytes)
09[TNC] processing IETF/PB-PA message (48 bytes)

The first PA-TNC message of standard subtype SWIMA is handled by the SWIMA IMC and contains a standard Assessment Result with content compliant

09[TNC] handling PB-PA message type 'IETF/SWIMA' 0x000000/0x00000009
09[IMC] IMC 2 "SWIMA" received message for Connection ID 1 from IMV 2 to IMC 2
09[TNC] processing PA-TNC message with ID 0xcf298442
09[TNC] processing PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
09[IMC] ***** assessment of IMC 2 "SWIMA" from IMV 2 *****
09[IMC] assessment result is 'compliant'
09[IMC] ***** end of assessment *****
The second PA-TNC message of subtype PTS defined in the TCG namespace contains a DH Nonce Parameters Request. The ECP_256 Diffie-Hellman group and a nonce length of 20 bytes are chosen

09[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
09[IMC] IMC 3 "Attestation" received message for Connection ID 1 from IMV 3
09[TNC] processing PA-TNC message with ID 0x87cd81b4
09[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000
09[PTS] selected PTS DH group is ECP_256
09[PTS] nonce length is 20

The DH Nonce Parameters Response is put into a PA-TNC message of subtype PTS defined in the TCG namespace

09[TNC] creating PA-TNC message with ID 0x0949ab4c
09[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000
09[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

The PA-TNC message is sent in a TNC Client Data batch to the TNC server

09[TNC] TNC client is handling outbound connection
09[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
09[TNC] creating PB-TNC CDATA batch
09[TNC] adding IETF/PB-PA message
09[TNC] sending PB-TNC CDATA batch (144 bytes) for Connection ID 1

The TNC client receives a PB-TNC Server Data batch containing a PA-TNC message

05[TNC] received TNCCS batch (172 bytes)
05[TNC] TNC client is handling inbound connection
05[TNC] processing PB-TNC SDATA batch for Connection ID 1
05[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
05[TNC] processing IETF/PB-PA message (164 bytes)
The PA-TNC message of subtype PTS defined in the TCG namespace contains the following three attributes defined in the TCG namespace
- DH Nonce Finish
- Get TPM Version Information
- Get Attestation Identity Key

05[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
05[IMC] IMC 3 "Attestation" received message for Connection ID 1 from IMV 3
05[TNC] processing PA-TNC message with ID 0x385528f6
05[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000
05[TNC] processing PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000
05[TNC] processing PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000
05[PTS] selected DH hash algorithm is HASH_SHA2_256
The TPM Version Information and the Attestation Identity Key attributes, both defined in the TCG namespace, are inserted into a PA-TNC message of subtype PTS defined in the TCG namespace

05[TNC] creating PA-TNC message with ID 0xf413fa9e
05[TNC] creating PA-TNC attribute type 'TCG/TPM Version Information' 0x005597/0x09000000
05[TNC] creating PA-TNC attribute type 'TCG/Attestation Identity Key' 0x005597/0x0e000000
05[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001

The PA-TNC message is sent in a TNC Client Data batch to the TNC server

05[TNC] TNC client is handling outbound connection
05[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
05[TNC] creating PB-TNC CDATA batch
05[TNC] adding IETF/PB-PA message
05[TNC] sending PB-TNC CDATA batch (172 bytes) for Connection ID 1
Boot and IMA Event Measurements
The TNC client receives a PB-TNC Server Data batch containing a PA-TNC message

06[TNC] received TNCCS batch (105 bytes)
06[TNC] TNC client is handling inbound connection
06[TNC] processing PB-TNC SDATA batch for Connection ID 1
06[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
06[TNC] processing IETF/PB-PA message (97 bytes)
The PA-TNC message of subtype PTS defined in the TCG namespace contains three attributes:
- Get Symlinks defined in the ITA-HSR namespace: Request a list of symbolic links created by the operating system due to UsrMerge (e.g. /bin → /usr/bin).
- Request Functional Component Evidence defined in the TCG namespace: BIOS pre-boot and IMA runtime evidence is requested.
- Generate Attestation Evidence defined in the TCG namespace: Generate a TPM Quote Signature over the final state of the PCR registers involved in the evidence measurement.

06[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
06[IMC] IMC 3 "Attestation" received message for Connection ID 1 from IMV 3
06[TNC] processing PA-TNC message with ID 0xe05b2cac
06[TNC] processing PA-TNC attribute type 'ITA-HSR/Get Symlinks' 0x00902a/0x00000009
06[TNC] processing PA-TNC attribute type 'TCG/Request Functional Component Evidence' 0x005597/0x00100000
06[TNC] processing PA-TNC attribute type 'TCG/Generate Attestation Evidence' 0x005597/0x00200000
06[IMC] evidence requested for 2 functional components
06[PTS] TPM 2.0 - locality indicator set to 3
06[PTS] No. PCR Event Type (Size)
The Boot Events log containing 136 entries and the corresponding PCR event hashes are extracted
06[PTS] loaded bios measurements '/sys/kernel/security/tpm0/binary_bios_measurements' (136 entries)
The runtime IMA file measurement log containing 1733 entries and the corresponding PCR event hashes are extracted
06[PTS] loaded ima measurements '/sys/kernel/security/ima/binary_runtime_measurements' (1733 entries)
The final states of PCRs 0..10 and 14 are concatenated into a PCR Composite value, hashed into a digest, and then signed together with additional system information into a TPM Quote Signature

06[PTS] boot aggregate computed over PCR0..PCR9 is correct
06[PTS] PCR values hashed into PCR Composite:
06[PTS] PCR  0 06:15:6c:e6:46:85:9e:e3:81:09:57:54:9a:18:4b:7a:2e:a6:c6:c0:4f:3d:db:8a:2c:d3:a3:67:f4:93:16:71 ok
06[PTS] PCR  1 6c:b0:42:07:6e:c2:b8:67:a9:2b:cb:8e:12:f9:14:d6:4a:06:e2:9b:a1:08:0c:e4:e0:27:55:c0:21:23:6c:81 ok
06[PTS] PCR  2 30:3b:09:87:95:4c:d0:9c:a1:78:b8:6b:dd:60:55:40:f4:00:40:e8:e6:42:bd:11:73:ac:45:bc:9b:36:a3:49 ok
06[PTS] PCR  3 3d:45:8c:fe:55:cc:03:ea:1f:44:3f:15:62:be:ec:8d:f5:1c:75:e1:4a:9f:cf:9a:72:34:a1:3f:19:8e:79:69 ok
06[PTS] PCR  4 a3:1d:bf:9d:3b:ce:32:03:f2:54:59:8d:69:35:1d:8e:4b:7e:1b:54:cd:43:3d:1c:71:07:92:52:24:6a:ec:ef ok
06[PTS] PCR  5 bb:49:6d:97:1f:ab:ac:31:bc:4d:1c:a2:f2:ea:f7:c0:82:f3:e9:3c:25:6f:07:93:e0:cf:67:14:fd:36:40:4d ok
06[PTS] PCR  6 3d:45:8c:fe:55:cc:03:ea:1f:44:3f:15:62:be:ec:8d:f5:1c:75:e1:4a:9f:cf:9a:72:34:a1:3f:19:8e:79:69 ok
06[PTS] PCR  7 44:6f:7a:67:d5:78:b2:f9:47:c4:e1:12:f7:69:96:e7:e3:67:d2:74:af:af:be:77:89:94:c4:1a:4b:67:bc:fe ok
06[PTS] PCR  8 36:77:2c:b7:7b:34:c1:bc:dc:41:6e:3c:c0:50:e7:26:7b:64:c2:91:28:12:9b:6a:3a:13:8a:74:c6:58:73:ad ok
06[PTS] PCR  9 e2:09:7c:e2:17:04:a8:46:b3:55:3f:24:df:4e:57:26:f1:b9:86:dc:31:c3:11:b8:30:28:8d:86:00:21:ee:57 ok
06[PTS] PCR 10 a2:7f:76:a0:91:10:eb:d4:37:a0:35:fe:9f:ce:70:bc:c6:5a:05:ed:aa:81:ca:bb:37:7f:b5:49:01:a1:4e:b6 ok
06[PTS] PCR 14 e3:99:1b:7d:dd:47:be:7e:92:72:6a:83:2d:68:74:c5:34:9b:52:b7:89:fa:0d:b8:b5:58:c6:9f:ea:29:57:4e ok
06[PTS] PCR Composite digest: => 32 bytes @ 0x7f4747e5ebf3
06[PTS]    0: 86 88 05 24 23 5E 82 D2 4E 3A 21 88 2A F6 F0 E0  ...$#^..N:!.*...
06[PTS]   16: C7 46 4D 35 FF A1 FE 93 88 FE 2E C0 02 95 70 86  .FM5..........p.
06[PTS] TPM Quote Info: => 145 bytes @ 0x7f4747e5eb82
06[PTS]    0: FF 54 43 47 80 18 00 22 00 0B BD E2 F1 F3 E7 B6  .TCG..."........
06[PTS]   16: 0C A6 6D 93 1C EC AC 7D 25 B4 69 F0 E3 9E 96 9D  ..m....}%.i.....
06[PTS]   32: 3D B8 A8 79 89 FB E2 C1 9B C5 00 20 C0 82 AC F2  =..y....... ....
06[PTS]   48: 74 2A AB 92 A1 A7 48 8A 8B 74 DC 29 0A 4E 82 30  t*....H..t.).N.0
06[PTS]   64: 9B D6 11 43 53 B1 95 21 5B B2 3F 59 00 00 00 00  ...CS..![.?Y....
06[PTS]   80: 5F AE 07 C5 00 00 01 13 00 00 00 00 01 00 01 01  _...............
06[PTS]   96: 02 00 00 00 00 00 00 00 01 00 0B 03 FF 47 00 00  .............G..
06[PTS]  112: 20 86 88 05 24 23 5E 82 D2 4E 3A 21 88 2A F6 F0   ...$#^..N:!.*..
06[PTS]  128: E0 C7 46 4D 35 FF A1 FE 93 88 FE 2E C0 02 95 70  ..FM5..........p
06[PTS]  144: 86                                               .
06[PTS] qualifiedSigner: => 34 bytes @ 0x7f4747e5eb8a
06[PTS]    0: 00 0B BD E2 F1 F3 E7 B6 0C A6 6D 93 1C EC AC 7D  ..........m....}
06[PTS]   16: 25 B4 69 F0 E3 9E 96 9D 3D B8 A8 79 89 FB E2 C1  %.i.....=..y....
06[PTS]   32: 9B C5                                            ..
06[PTS] extraData: => 32 bytes @ 0x7f4747e5ebae
06[PTS]    0: C0 82 AC F2 74 2A AB 92 A1 A7 48 8A 8B 74 DC 29  ....t*....H..t.)
06[PTS]   16: 0A 4E 82 30 9B D6 11 43 53 B1 95 21 5B B2 3F 59  .N.0...CS..![.?Y
06[PTS] clockInfo: => 17 bytes @ 0x7f4747e5ebce
06[PTS]    0: 00 00 00 00 5F AE 07 C5 00 00 01 13 00 00 00 00  ...._...........
06[PTS]   16: 01                                               .
06[PTS] firmwareVersion: => 8 bytes @ 0x7f4747e5ebdf
06[PTS]    0: 00 01 01 02 00 00 00 00                          ........
06[PTS] pcrSelect: => 10 bytes @ 0x7f4747e5ebe7
06[PTS]    0: 00 00 00 01 00 0B 03 FF 47 00                    ........G.
06[PTS] PCR digest algorithm is SHA256
06[PTS] TPM Quote Signature: => 64 bytes @ 0x7f4724075610
06[PTS]    0: 67 38 58 0E 75 97 16 7C 9E F5 66 C1 4E 62 9E 88  g8X.u..|..f.Nb..
06[PTS]   16: C3 EF C9 62 04 7A A9 A8 9F ED 28 D8 11 0B 84 63  ...b.z....(....c
06[PTS]   32: 98 77 A8 C2 37 72 BE 3B EF 32 E5 8C 9C 99 A5 DA  .w..7r.;.2......
06[PTS]   48: AE 7C 4C E1 B6 E5 7D 82 5F 11 50 7B 0C A9 F1 A5  .|L...}._.P{....
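The 145-byte TPM Quote Info dumped above is a TPM 2.0 TPMS_ATTEST structure, and the verifier's job is to take it apart and confirm that the PCR digest inside it is the hash of the PCR values it expects. The following Python is an added example, not strongSwan code: it parses the quote info exactly as logged above (magic, attestation type, qualifiedSigner, extraData, clockInfo, firmwareVersion, the PCR selection bitmap and the pcrDigest), decodes the pcrSelect bitmap FF 47 00 into the PCR list, and recomputes the PCR Composite digest as SHA-256 over the listed SHA-256 PCR values concatenated in ascending order. Assumptions stated here and in the comments: the big-endian field layout of the TPM 2.0 Library specification, that pcrDigest is computed with the AK's signature hash (SHA-256, as the log states), and that the 32-byte extraData is the value the TNC server expects from the DH nonce exchange. The ECDSA signature over these bytes, which is what binds the quote to the TPM, is not checked here because the AK public key does not appear on this page.

```python
import hashlib
import struct

# Constants from the TPM 2.0 Library specification (Part 2, Structures).
TPM_GENERATED_VALUE = 0xFF544347   # "\xffTCG", first field of every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018
TPM_ALG_SHA256 = 0x000B
PCR_BANK_NAMES = {0x0004: "sha1", TPM_ALG_SHA256: "sha256", 0x000C: "sha384", 0x000D: "sha512"}

# The 145-byte "TPM Quote Info" (a TPMS_ATTEST) exactly as dumped in the log above.
QUOTE_INFO = bytes.fromhex("""
FF 54 43 47 80 18 00 22 00 0B BD E2 F1 F3 E7 B6
0C A6 6D 93 1C EC AC 7D 25 B4 69 F0 E3 9E 96 9D
3D B8 A8 79 89 FB E2 C1 9B C5 00 20 C0 82 AC F2
74 2A AB 92 A1 A7 48 8A 8B 74 DC 29 0A 4E 82 30
9B D6 11 43 53 B1 95 21 5B B2 3F 59 00 00 00 00
5F AE 07 C5 00 00 01 13 00 00 00 00 01 00 01 01
02 00 00 00 00 00 00 00 01 00 0B 03 FF 47 00 00
20 86 88 05 24 23 5E 82 D2 4E 3A 21 88 2A F6 F0
E0 C7 46 4D 35 FF A1 FE 93 88 FE 2E C0 02 95 70
86
""")

# SHA-256 bank values listed in the log under "PCR values hashed into PCR Composite".
PCR_VALUES = {idx: bytes.fromhex(h) for idx, h in {
    0: "06156ce646859ee3810957549a184b7a2ea6c6c04f3ddb8a2cd3a367f4931671",
    1: "6cb042076ec2b867a92bcb8e12f914d64a06e29ba1080ce4e02755c021236c81",
    2: "303b0987954cd09ca178b86bdd605540f40040e8e642bd1173ac45bc9b36a349",
    3: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    4: "a31dbf9d3bce3203f254598d69351d8e4b7e1b54cd433d1c71079252246aecef",
    5: "bb496d971fabac31bc4d1ca2f2eaf7c082f3e93c256f0793e0cf6714fd36404d",
    6: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    7: "446f7a67d578b2f947c4e112f76996e7e367d274afafbe778994c41a4b67bcfe",
    8: "36772cb77b34c1bcdc416e3cc050e7267b64c29128129b6a3a138a74c65873ad",
    9: "e2097ce21704a846b3553f24df4e5726f1b986dc31c311b830288d860021ee57",
    10: "a27f76a09110ebd437a035fe9fce70bcc65a05edaa81cabb377fb54901a14eb6",
    14: "e3991b7ddd47be7e92726a832d6874c5349b52b789fa0db8b558c69fea29574e",
}.items()}

# extraData the verifier expects (assumption: derived from the DH nonce exchange);
# here taken from the log's own dump of the field.
EXPECTED_EXTRA_DATA = bytes.fromhex(
    "c082acf2742aab92a1a7488a8b74dc290a4e82309bd6114353b195215bb23f59")


def parse_quote_info(buf):
    """Parse a big-endian TPMS_ATTEST of type TPM_ST_ATTEST_QUOTE into its fields."""
    off = 0

    def take(n):
        nonlocal off
        if off + n > len(buf):
            raise ValueError("truncated TPMS_ATTEST")
        chunk = buf[off:off + n]
        off += n
        return chunk

    def u16():
        return struct.unpack(">H", take(2))[0]

    def u32():
        return struct.unpack(">I", take(4))[0]

    def sized():  # TPM2B_*: 16-bit length prefix followed by that many bytes
        return take(u16())

    if u32() != TPM_GENERATED_VALUE:
        raise ValueError("not a TPM-generated attestation structure")
    if u16() != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM2_Quote attestation")
    qualified_signer = sized()                      # TPM2B_NAME of the signing AK
    extra_data = sized()                            # caller-supplied freshness value
    clock, reset_count, restart_count, safe = struct.unpack(">QIIB", take(17))
    firmware_version = take(8)
    # TPMS_QUOTE_INFO: TPML_PCR_SELECTION followed by the TPM2B_DIGEST over the PCRs
    selections = []
    for _ in range(u32()):
        hash_alg = u16()
        select = take(take(1)[0])                   # sizeofSelect, then the bitmap
        pcrs = [8 * i + bit for i, b in enumerate(select) for bit in range(8) if (b >> bit) & 1]
        selections.append((hash_alg, pcrs))
    pcr_digest = sized()
    if off != len(buf):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"qualified_signer": qualified_signer, "extra_data": extra_data,
            "clock": clock, "reset_count": reset_count, "restart_count": restart_count,
            "safe": safe, "firmware_version": firmware_version,
            "selections": selections, "pcr_digest": pcr_digest}


def pcr_composite_digest(pcr_values, selections, digest_alg="sha256"):
    """Recompute pcrDigest: the AK's signature hash over the selected PCR values
    concatenated in ascending PCR order. A selection naming an unknown bank or a PCR
    for which no value is known fails verification rather than being skipped."""
    h = hashlib.new(digest_alg)
    for hash_alg, pcrs in selections:
        if hash_alg not in PCR_BANK_NAMES:
            raise ValueError(f"unknown PCR bank 0x{hash_alg:04x}")
        for idx in pcrs:
            if idx not in pcr_values:
                raise ValueError(f"no reference value for PCR {idx}")
            h.update(pcr_values[idx])
    return h.digest()


def verify_quote(quote_info, pcr_values, expected_extra_data):
    """Structural and PCR-digest verification of a quote; the signature over
    quote_info with the AK public key must be checked separately."""
    q = parse_quote_info(quote_info)
    return {"extra_data_ok": q["extra_data"] == expected_extra_data,
            "pcr_digest_ok": pcr_composite_digest(pcr_values, q["selections"]) == q["pcr_digest"],
            "clock_safe": q["safe"] == 1,
            "pcrs": [p for _, p in q["selections"]]}


if __name__ == "__main__":
    print(verify_quote(QUOTE_INFO, PCR_VALUES, EXPECTED_EXTRA_DATA))
```

The strict length accounting (every field consumed, no trailing bytes) matters because a verifier that parses loosely can be handed a structure whose PCR selection and digest disagree with what it believes it checked; the tamper test in the usage below changes a single PCR value and must break the digest comparison.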
The Symlinks attribute defined in the ITA-HSR namespace, 136 + 1733 Simple Component Evidence attributes plus the Simple Evidence Final attribute defined in the TCG namespace are inserted into a series of PA-TNC messages of subtype PTS defined in the TCG namespace

06[TNC] creating PA-TNC message with ID 0x895b637c
06[TNC] creating PA-TNC attribute type 'ITA-HSR/Symlinks' 0x00902a/0x0000000a
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
...
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Second PA-TNC message
06[TNC] creating PA-TNC message with ID 0x04e49de2 06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000 06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000 ... 06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000 06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000 06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Third PA-TNC message
06[TNC] creating PA-TNC message with ID 0x71bfc1a0 06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000 06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000 ... 06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000 06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000 06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Fourth PA-TNC message
06[TNC] creating PA-TNC message with ID 0x93f33309
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
...
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Fifth PA-TNC message
06[TNC] creating PA-TNC message with ID 0xe031c311
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
...
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Sixth PA-TNC message
06[TNC] creating PA-TNC message with ID 0xa8f82bc7
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
...
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Seventh PA-TNC message
06[TNC] creating PA-TNC message with ID 0xe9d4eb18
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
...
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Eighth PA-TNC message
06[TNC] creating PA-TNC message with ID 0xfc858c90
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
...
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
06[TNC] creating PA-TNC attribute type 'TCG/Simple Evidence Final' 0x005597/0x00400000
06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Sending first PB-TNC Client Data batch
06[TNC] TNC client is handling outbound connection
06[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
06[TNC] creating PB-TNC CDATA batch
06[TNC] adding IETF/PB-PA message
06[TNC] sending PB-TNC CDATA batch (32745 bytes) for Connection ID 1
06[TNC] queued 7 PB-TNC messages for next CDATA batch
Receiving empty PB-TNC Server Data batch and sending second PB-TNC Client Data batch
09[TNC] received TNCCS batch (8 bytes)
09[TNC] TNC client is handling inbound connection
09[TNC] processing PB-TNC SDATA batch for Connection ID 1
09[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
09[TNC] TNC client is handling outbound connection
09[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
09[TNC] creating PB-TNC CDATA batch
09[TNC] adding IETF/PB-PA message
09[TNC] sending PB-TNC CDATA batch (32671 bytes) for Connection ID 1
09[TNC] queued 6 PB-TNC messages for next CDATA batch
Receiving empty PB-TNC Server Data batch and sending third PB-TNC Client Data batch
13[TNC] received TNCCS batch (8 bytes)
13[TNC] TNC client is handling inbound connection
13[TNC] processing PB-TNC SDATA batch for Connection ID 1
13[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
13[TNC] TNC client is handling outbound connection
13[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
13[TNC] creating PB-TNC CDATA batch
13[TNC] adding IETF/PB-PA message
13[TNC] sending PB-TNC CDATA batch (32680 bytes) for Connection ID 1
13[TNC] queued 5 PB-TNC messages for next CDATA batch
Receiving empty PB-TNC Server Data batch and sending fourth PB-TNC Client Data batch
11[TNC] received TNCCS batch (8 bytes)
11[TNC] TNC client is handling inbound connection
11[TNC] processing PB-TNC SDATA batch for Connection ID 1
11[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
11[TNC] TNC client is handling outbound connection
11[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
11[TNC] creating PB-TNC CDATA batch
11[TNC] adding IETF/PB-PA message
11[TNC] sending PB-TNC CDATA batch (32644 bytes) for Connection ID 1
11[TNC] queued 4 PB-TNC messages for next CDATA batch
Receiving empty PB-TNC Server Data batch and sending fifth PB-TNC Client Data batch
08[TNC] received TNCCS batch (8 bytes)
08[TNC] TNC client is handling inbound connection
08[TNC] processing PB-TNC SDATA batch for Connection ID 1
08[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
08[TNC] TNC client is handling outbound connection
08[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
08[TNC] creating PB-TNC CDATA batch
08[TNC] adding IETF/PB-PA message
08[TNC] sending PB-TNC CDATA batch (32614 bytes) for Connection ID 1
08[TNC] queued 3 PB-TNC messages for next CDATA batch
Receiving empty PB-TNC Server Data batch and sending sixth PB-TNC Client Data batch
06[TNC] received TNCCS batch (8 bytes)
06[TNC] TNC client is handling inbound connection
06[TNC] processing PB-TNC SDATA batch for Connection ID 1
06[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
06[TNC] TNC client is handling outbound connection
06[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
06[TNC] creating PB-TNC CDATA batch
06[TNC] adding IETF/PB-PA message
06[TNC] sending PB-TNC CDATA batch (32671 bytes) for Connection ID 1
06[TNC] queued 2 PB-TNC messages for next CDATA batch
Receiving empty PB-TNC Server Data batch and sending seventh PB-TNC Client Data batch
14[TNC] received TNCCS batch (8 bytes)
14[TNC] TNC client is handling inbound connection
14[TNC] processing PB-TNC SDATA batch for Connection ID 1
14[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
14[TNC] TNC client is handling outbound connection
14[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
14[TNC] creating PB-TNC CDATA batch
14[TNC] adding IETF/PB-PA message
14[TNC] sending PB-TNC CDATA batch (32630 bytes) for Connection ID 1
14[TNC] queued 1 PB-TNC message for next CDATA batch
Receiving empty PB-TNC Server Data batch and sending eighth PB-TNC Client Data batch
05[TNC] received TNCCS batch (8 bytes)
05[TNC] TNC client is handling inbound connection
05[TNC] processing PB-TNC SDATA batch for Connection ID 1
05[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
05[TNC] TNC client is handling outbound connection
05[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
05[TNC] creating PB-TNC CDATA batch
05[TNC] adding IETF/PB-PA message
05[TNC] sending PB-TNC CDATA batch (23330 bytes) for Connection ID 1
TNC Assessment Result
The TNC client receives a PB-TNC Result batch containing a PA-TNC message as well as both a PB-TNC Assessment-Result and a PB-TNC Access-Recommendation payload.
13[TNC] received TNCCS batch (88 bytes)
13[TNC] TNC client is handling inbound connection
13[TNC] processing PB-TNC RESULT batch for Connection ID 1
13[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
13[TNC] processing IETF/PB-PA message (48 bytes)
13[TNC] processing IETF/PB-Assessment-Result message (16 bytes)
13[TNC] processing IETF/PB-Access-Recommendation message (16 bytes)
13[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Both the Assessment Result attribute received in the PA-TNC message of subtype PTS (defined in the TCG namespace) and the overall PB-TNC assessment result say 'compliant', and the access recommendation is 'Access Allowed'.
13[IMC] IMC 3 "Attestation" received message for Connection ID 1 from IMV 3
13[TNC] processing PA-TNC message with ID 0x5553fd69
13[TNC] processing PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
13[IMC] ***** assessment of IMC 3 "Attestation" from IMV 3 *****
13[IMC] assessment result is 'compliant'
13[IMC] ***** end of assessment *****
13[TNC] PB-TNC assessment result is 'compliant'
13[TNC] PB-TNC access recommendation is 'Access Allowed'
13[IMC] IMC 1 "OS" changed state of Connection ID 1 to 'Allowed'
13[IMC] IMC 2 "SWIMA" changed state of Connection ID 1 to 'Allowed'
13[IMC] IMC 3 "Attestation" changed state of Connection ID 1 to 'Allowed'
Finally, a PB-TNC Close batch is sent to the TNC server.
13[TNC] TNC client is handling outbound connection
13[TNC] PB-TNC state transition from 'Decided' to 'End'
13[TNC] creating PB-TNC CLOSE batch
13[TNC] sending PB-TNC CLOSE batch (8 bytes) for Connection ID 1
IKEv2 Authentication Success
An EAP-SUCCESS message is received from the EAP server. The EAP client then authenticates itself via an IKEv2 AUTH payload based on the MSK (Master Session Key) derived from the EAP-TTLS session.
15[NET] received packet: from 10.10.0.150[4500] to 10.10.1.52[4500] (80 bytes)
15[ENC] parsed IKE_AUTH response 269 [ EAP/SUCC ]
15[IKE] EAP method EAP_TTLS succeeded, MSK established
15[IKE] authentication of 'mijas.strongsec.com' (myself) with EAP
15[ENC] generating IKE_AUTH request 270 [ AUTH ]
15[NET] sending packet: from 10.10.1.52[4500] to 10.10.0.150[4500] (112 bytes)
The IKEv2 server in turn authenticates itself again via an AUTH payload that also depends on the EAP-TTLS MSK. The OS IMC, SWIMA IMC and Attestation IMC states as well as the PB-TNC connection are then deleted.
10[NET] received packet: from 10.10.0.150[4500] to 10.10.1.52[4500] (272 bytes)
10[ENC] parsed IKE_AUTH response 270 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) ]
10[IKE] authentication of 'vpn.strongswan.org' with EAP successful
10[TNC] TODO: setup PT-TLS connection to edu.strongsec.com:271
10[IMC] IMC 1 "OS" deleted the state of Connection ID 1
10[IMC] IMC 2 "SWIMA" deleted the state of Connection ID 1
10[IMC] IMC 3 "Attestation" deleted the state of Connection ID 1
10[TNC] removed TNCCS Connection ID 1
The IKEv2 connection has been successfully established.
10[IKE] IKE_SA tnc[1] established between 10.10.1.52[mijas.strongsec.com]...10.10.0.150[vpn.strongswan.org]
10[IKE] scheduling reauthentication in 10179s
10[IKE] maximum IKE_SA lifetime 11259s
10[IKE] installing DNS server 10.10.0.1 to /etc/resolv.conf
10[IKE] installing new virtual IP 10.10.1.65
10[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
10[IKE] CHILD_SA tnc{1} established with SPIs c28cd4ab_i c3c268a8_o and TS 10.10.1.65/32 === 10.10.0.150/32