jitesh1337/csc574-net-sec
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Title: Enabling Cloud Customers to Trust the Cloud Authors: Jitesh Shah <jhshah@ncsu.edu> and Ashwin Shashidharan <ashashi3@ncsu.edu> SETUP ----- 1) Install tpm-emulator from http://tpm-emulator.berlios.de/documentation.html 2) Install tpm-tools and TrouSerS (required for talking to the TPM) 3) Apply provided patch to tpm-tools (tpm-tools-jit-ash.patch) and recompile tpm-tools. Install the new version. 4) Install OpenSSL, if not already installed. 5) The sources for the modified qemu-kvm are given with the tarball. The qemu-kvm sources are picked up from the Fedora trunk and *not* the upstream sources. qemu.patch shows the changes we made to the qemu-kvm. The qemu-build-commands file has instructions on how to build the qemu source. 6) Type make in the root directory. It makes three binaries: kernel_part, secure_launcher, trigger_emulator. Following sections explain how to use each binary. TPM SETUP --------- 1) Take the ownership of the TPM # tpm_takeownership Enter owner password: Confirm password: Enter SRK password: Confirm password: Enter owner and SRK passwords. 2) Run kernel_part so that PCR#16 has the appropriate hash 3) Seal the SSL private key # tpm_sealdata -i client.der.private -o client.der.private.enc -p 16 "client.der.private" is the private portion of the client key. Refer to OpenSSL-README for instructions on how to create the appropriate keys and certificates. Copy client.der.private.enc to /etc/pki/tls/certs. Copy client.pem to the same location. SSL connection won't work without these certificates. EXECUTION --------- 1) Go to customer_server directory. Compile the server sources using "make". A binary called "customer_server" will be created. This binary is supposed to run at the customer site. It reads from a file "in_param" which has the key for decryption, Initialisation vector and HMAC of the kernel. Run it as # ./customer_server No parameters are necessary. It starts listening on port 4433. 2) Launch the secure launcher daemon (Where real TPM is present, it will be forked from the last stages of the kernel. Since, we use an emulator it has to manually called). The Daemon will listen on a UNIX socket for requests. 3) Finally, launch the trigger emulator. It requires a connection string from stdin. A sample connection string has been provided in the file "connection_str". The string after ";" is the TPM SRK password. 4) Now, the secure daemon should unlock the SSL private key from the encrypted version stored above, fetch the keys and HMAC from the customer_server and decrypt and check the kernel. If all checks pass, a qemu process will be forked. NOTE ---- Use the encrypt and decrypt utilities provided in the "utils" directory to encrypt and decrypt the kernel.
About
Docs-only
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published