Fraunhofer-SIT/charra

Proof-of-concept implementation of the "Challenge/Response Remote Attestation" interaction model of the IETF RATS Reference Interaction Models for Remote Attestation Procedures using TPM 2.0.

This is a proof-of-concept implementation of the "Challenge/Response Remote Attestation" interaction model of the IETF RATS Reference Interaction Models for Remote Attestation Procedures using TPM 2.0. The IETF Remote Attestation Procedures (RATS) working group standardizes formats for describing assertions/claims about system components and the associated evidence, as well as procedures and protocols to convey these assertions/claims to relying parties. Because these assertions/claims are security- and privacy-sensitive, the working group also specifies approaches to protect the exchanged data.

This proof-of-concept implementation realizes the Attesting Computing Environment (a Computing Environment capable of monitoring and attesting a target Computing Environment) as well as the target Computing Environment itself, as described in the RATS Architecture.

Quickstart

The following assumes that Docker and its buildx component (and Docker Compose) are installed and configured on your system. Please see INSTALL.md for details, also for building CHARRA manually. All commands are to be executed in Bash.

For Docker, build the image and run the container with:

./docker/build.sh
./docker/run.sh

With Docker Compose do:

docker-compose build --build-arg uid="${UID}" --build-arg gid="${UID}"
docker-compose run --rm charra-dev-env

Inside the container, change to the ~/charra/ folder, build it, generate an attestation key (AK), and run the attester and verifier:

cd ~/charra/
make -j
./generate-ak.sh
(bin/attester --attestation-key context:tpm_keys/rsa_ak.ctx &); sleep .2 ; bin/verifier -f yaml:reference-pcrs.yml --attestation-public-key tpm_keys/rsa_ak.pub ; sleep 1 ; pkill -SIGINT attester

How it Works: Protocol Flow

The following diagram shows the protocol flow of the CHARRA attestation process. The verifier issues a fresh nonce together with the attestation key ID and PCR selection; the attester answers with a TPM quote over the selected PCRs that binds that nonce; the verifier appraises the evidence against the nonce and its reference PCR values.

.----------.                                    .----------.
| Attester |                                    | Verifier |
'----------'                                    '----------'
     |                                                |
     | <----- requestAttestation(nonce, keyID, pcrSelection)
     |                                                |
tpmQuote(nonce, pcrSelection)                         |
     | => evidence                                    |
     |                                                |
     evidence ------------------------------------------> |
     |                                                |
     |      appraiseEvidence(evidence, nonce, referencePcrs)
     |                           attestationResult <= |
     |                                                |
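The round trip in the diagram, as an added example that is not CHARRA's own code: a self-contained Go simulation of the attester's tpmQuote and the verifier's appraiseEvidence. The 24-register SHA-256 PCR bank, the quote encoding and the RSA PKCS#1 v1.5 signature over it stand in for the TPM and are assumptions; they do not match TPMS_ATTEST or CHARRA's wire format, and the type and function names (Attester, Verifier, TPMQuote, AppraiseEvidence, Attest) follow the diagram rather than the C code in the repository. The example shows the three checks a verifier must make in order (signature under the trusted AK, nonce freshness, PCR digest against the reference values for the requested selection) and how a replayed quote or a post-boot PCR extension is rejected.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Simulated SHA-256 PCR bank (assumption: 24 registers, all-zero at reset).
const numPCRs = 24

type PCRBank [numPCRs][sha256.Size]byte

// Extend folds a measurement into a register the way the TPM does: pcr = H(pcr || H(m)).
func (b *PCRBank) Extend(i int, measurement []byte) {
	d := sha256.Sum256(measurement)
	b[i] = sha256.Sum256(append(b[i][:], d[:]...))
}

// AttestationRequest carries requestAttestation(nonce, keyID, pcrSelection).
type AttestationRequest struct {
	Nonce        []byte
	KeyID        string
	PCRSelection []int
}

// Quote holds the fields of a TPM quote that matter for appraisal (constructed stand-in).
type Quote struct {
	Nonce        []byte
	PCRSelection []int
	PCRDigest    [sha256.Size]byte
}

// Marshal yields the canonical bytes the AK signature covers (assumed encoding).
func (q Quote) Marshal() []byte {
	var buf bytes.Buffer
	buf.WriteString("QUOTE")
	buf.WriteByte(byte(len(q.Nonce)))
	buf.Write(q.Nonce)
	buf.WriteByte(byte(len(q.PCRSelection)))
	for _, i := range q.PCRSelection {
		buf.WriteByte(byte(i))
	}
	buf.Write(q.PCRDigest[:])
	return buf.Bytes()
}

type Evidence struct {
	Quote     Quote
	Signature []byte
}

func validSelection(sel []int) bool {
	for _, i := range sel {
		if i < 0 || i >= numPCRs {
			return false
		}
	}
	return len(sel) > 0
}

func sameSelection(a, b []int) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// pcrDigest hashes the selected PCR values in selection order, as TPM2_Quote does.
func pcrDigest(bank *PCRBank, sel []int) [sha256.Size]byte {
	h := sha256.New()
	for _, i := range sel {
		h.Write(bank[i][:])
	}
	var d [sha256.Size]byte
	copy(d[:], h.Sum(nil))
	return d
}

type Attester struct {
	AK   *rsa.PrivateKey // attestation key; only the public half leaves the attester
	PCRs PCRBank
}

// TPMQuote binds the verifier's nonce and the selected PCRs under the AK.
func (a *Attester) TPMQuote(req AttestationRequest) (Evidence, error) {
	if !validSelection(req.PCRSelection) {
		return Evidence{}, errors.New("pcr selection out of range")
	}
	q := Quote{Nonce: req.Nonce, PCRSelection: req.PCRSelection, PCRDigest: pcrDigest(&a.PCRs, req.PCRSelection)}
	h := sha256.Sum256(q.Marshal())
	sig, err := rsa.SignPKCS1v15(rand.Reader, a.AK, crypto.SHA256, h[:])
	return Evidence{Quote: q, Signature: sig}, err
}

type Verifier struct {
	AKPub         *rsa.PublicKey // trusted out of band, like tpm_keys/rsa_ak.pub
	ReferencePCRs PCRBank        // golden values, like reference-pcrs.yml
}

func (v *Verifier) NewNonce() ([]byte, error) {
	n := make([]byte, 20)
	_, err := rand.Read(n)
	return n, err
}

// AppraiseEvidence checks signature, nonce, selection and PCR digest; order matters,
// nothing inside the quote is trusted before the signature has been verified.
func (v *Verifier) AppraiseEvidence(ev Evidence, req AttestationRequest) error {
	h := sha256.Sum256(ev.Quote.Marshal())
	if err := rsa.VerifyPKCS1v15(v.AKPub, crypto.SHA256, h[:], ev.Signature); err != nil {
		return errors.New("signature invalid: evidence not produced by the trusted AK")
	}
	if !bytes.Equal(ev.Quote.Nonce, req.Nonce) {
		return errors.New("nonce mismatch: stale or replayed evidence")
	}
	if !sameSelection(ev.Quote.PCRSelection, req.PCRSelection) {
		return errors.New("quote covers a different PCR selection than requested")
	}
	if pcrDigest(&v.ReferencePCRs, req.PCRSelection) != ev.Quote.PCRDigest {
		return errors.New("PCR digest does not match reference PCRs")
	}
	return nil
}

// Attest runs one challenge/response round; a nil error is a positive attestationResult.
func Attest(a *Attester, v *Verifier, sel []int) error {
	nonce, err := v.NewNonce()
	if err != nil {
		return err
	}
	req := AttestationRequest{Nonce: nonce, KeyID: "rsa_ak", PCRSelection: sel}
	ev, err := a.TPMQuote(req)
	if err != nil {
		return err
	}
	return v.AppraiseEvidence(ev, req)
}

func main() {
	ak, _ := rsa.GenerateKey(rand.Reader, 2048)
	a := &Attester{AK: ak}
	a.PCRs.Extend(0, []byte("firmware-v1")) // constructed known-good boot measurement
	v := &Verifier{AKPub: &ak.PublicKey, ReferencePCRs: a.PCRs}
	fmt.Println("known-good boot:", Attest(a, v, []int{0, 1}))
	a.PCRs.Extend(0, []byte("bootkit")) // anything measured later changes PCR 0
	fmt.Println("after tampering:", Attest(a, v, []int{0, 1}))
}
```

A real verifier additionally checks the quote's magic and attestation type and the binding of the AK to a trusted endorsement key before relying on the PCR digest; those steps are outside this simulation.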

Changelog

You can find the changelog in CHANGELOG.md.

Next Steps

  • Allow the verifier to perform periodic attestations, e.g., an attestation every 10 seconds.
  • Refactor and implement forward-declared (but not yet implemented) functions.
  • Use non-zero reference PCRs.
  • "Extended" TPM Quote using TPM audit session(s) and TPM PCR Read operations.
  • Make CHARRA a library (libcharra) and turn attester and verifier into example code in the example folder.
  • Add *_free() functions for all data transfer objects (DTOs).
  • Introduce semantic versioning as CHARRA develops along the way to becoming stable.

The order of the list is entirely arbitrary and does not reflect any priorities.
