GitHub - jitesh1337/csc574-net-sec: Docs-only

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 58 Commits
client_crts		client_crts
customer_server		customer_server
qemu-kvm-0.14.0		qemu-kvm-0.14.0
tex		tex
utils		utils
Makefile		Makefile
OpenSSL-README		OpenSSL-README
README		README
connection_str		connection_str
kernel_part.c		kernel_part.c
qemu-build-commands		qemu-build-commands
qemu.patch		qemu.patch
reset_tpm.sh		reset_tpm.sh
secure_daemon.c		secure_daemon.c
tpm-tools-jit-ash.patch		tpm-tools-jit-ash.patch
tpm_unseal.c		tpm_unseal.c
trigger_emulator.c		trigger_emulator.c

Repository files navigation

Title: Enabling Cloud Customers to Trust the Cloud
Authors: Jitesh Shah <jhshah@ncsu.edu> and Ashwin Shashidharan <ashashi3@ncsu.edu>

SETUP
-----
1) Install tpm-emulator from http://tpm-emulator.berlios.de/documentation.html
2) Install tpm-tools and TrouSerS (required for talking to the TPM)
3) Apply provided patch to tpm-tools (tpm-tools-jit-ash.patch) and recompile
   tpm-tools. Install the new version.
4) Install OpenSSL, if not already installed.
5) The sources for the modified qemu-kvm are given with the tarball. The qemu-kvm
   sources are picked up from the Fedora trunk and *not* the upstream sources. 
   qemu.patch shows the changes we made to the qemu-kvm. The qemu-build-commands 
   file has instructions on how to build the qemu source.
6) Type make in the root directory. It makes three binaries: kernel_part, 
   secure_launcher, trigger_emulator. Following sections explain how to
   use each binary.


TPM SETUP
---------
1) Take the ownership of the TPM

# tpm_takeownership
Enter owner password: 
Confirm password: 
Enter SRK password: 
Confirm password: 

Enter owner and SRK passwords.

2) Run kernel_part so that PCR#16 has the appropriate hash

3) Seal the SSL private key
# tpm_sealdata -i client.der.private -o client.der.private.enc -p 16
"client.der.private" is the private portion of the client key.
Refer to OpenSSL-README for instructions on how to create the 
appropriate keys and certificates.

Copy client.der.private.enc to /etc/pki/tls/certs. Copy client.pem
to the same location. SSL connection won't work without these
certificates.

EXECUTION
---------
1) Go to customer_server directory. Compile the server sources using "make".
A binary called "customer_server" will be created. This binary is supposed
to run at the customer site. It reads from a file "in_param" which has
the key for decryption, Initialisation vector and HMAC of the kernel.

Run it as
# ./customer_server
No parameters are necessary. It starts listening on port 4433.

2) Launch the secure launcher daemon (Where real TPM is present, it will
be forked from the last stages of the kernel. Since, we use an emulator
it has to manually called). The Daemon will listen on a UNIX socket for
requests.

3) Finally, launch the trigger emulator. It requires a connection string
from stdin. A sample connection string has been provided in the file
"connection_str". The string after ";" is the TPM SRK password. 

4) Now, the secure daemon should unlock the SSL private key from the
encrypted version stored above, fetch the keys and HMAC from the
customer_server and decrypt and check the kernel. If all checks pass,
a qemu process will be forked.

NOTE
----
Use the encrypt and decrypt utilities provided in the "utils" directory
to encrypt and decrypt the kernel.