Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Fraunhofer-SIT/charra

Proof-of-concept implementation of the "Challenge/Response Remote Attestation" interaction model of the IETF RATS Reference Interaction Models for Remote Attestation Procedures using TPM 2.0.
https://github.com/Fraunhofer-SIT/charra

Last synced: 29 days ago
JSON representation

Proof-of-concept implementation of the "Challenge/Response Remote Attestation" interaction model of the IETF RATS Reference Interaction Models for Remote Attestation Procedures using TPM 2.0.

Host: GitHub
URL: https://github.com/Fraunhofer-SIT/charra
Owner: Fraunhofer-SIT
License: bsd-3-clause
Created: 2019-08-26T13:14:15.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2024-04-15T14:43:11.000Z (8 months ago)
Last Synced: 2024-04-24T06:09:52.270Z (8 months ago)
Language: C
Homepage:
Size: 244 KB
Stars: 27
Watchers: 1
Forks: 20
Open Issues: 1
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.md

Awesome Lists containing this project

awesome-software-supply-chain-security - Fraunhofer-SIT/charra: Proof-of-concept implementation of the "Challenge/Response Remote Attestation" interaction model of the IETF RATS Reference Interaction Models for Remote Attestation Procedures using TPM 2.0.

README

        

# CHARRA: CHAllenge-Response based Remote Attestation with TPM 2.0

![CHARRA Logo](charra-logo_small.png)

This is a proof-of-concept implementation of the "Challenge/Response Remote Attestation" interaction model of the [IETF RATS](https://datatracker.ietf.org/wg/rats/about/) [Reference Interaction Models for Remote Attestation Procedures](https://datatracker.ietf.org/doc/draft-ietf-rats-reference-interaction-models/) using TPM 2.0. The [IETF Remote Attestation Procedures (RATS)](https://datatracker.ietf.org/wg/rats/about/) working group standardizes formats for describing assertions/claims about system components and associated evidence; and procedures and protocols to convey these assertions/claims to relying parties. Given the security and privacy sensitive nature of these assertions/claims, the working group specifies approaches to protect this exchanged data.

This proof-of-concept implementation realizes the Attesting Computing Environment—a Computing Environment capable of monitoring and attesting a target Computing Environment—as well as the target Computing Environment itself, as described in the [RATS Architecture](https://datatracker.ietf.org/doc/rfc9334/).

## Quickstart

The following assumes that [Docker](https://docs.docker.com/get-docker/) and its *buildx* component (and [Docker Compose](https://docs.docker.com/compose/install/)) are installed and configured on your system.

Please see [`INSTALL.md`](INSTALL.md) for details, also for manually building CHARRA.

All commands are to be executed in [Bash](https://www.gnu.org/software/bash/).

For Docker, build the image and run the container with:

    ./docker/build.sh

    ./docker/run.sh

With Docker Compose do:

    docker-compose build --build-arg uid="${UID}" --build-arg gid="${UID}"

    docker-compose run --rm charra-dev-env

Inside the container, change to the `~/charra/` folder, build it, and run it:

    cd ~/charra/

    make -j

    ./generate-ak.sh

    (bin/attester --attestation-key context:tpm_keys/rsa_ak.ctx &); sleep .2 ; bin/verifier -f yaml:reference-pcrs.yml --attestation-public-key tpm_keys/rsa_ak.pub ; sleep 1 ; pkill -SIGINT attester

## How it Works: Protocol Flow

The following diagram shows the protocol flow of the CHARRA attestation process.

    .----------.                                    .----------.

    | Attester |                                    | Verifier |

    '----------'                                    '----------'

         |                                                |

         | <----- requestAttestation(nonce, keyID, pcrSelection)

         |                                                |

    tpmQuote(nonce, pcrSelection)                         |

         | => evidence                                    |

         |                                                |

     evidence ------------------------------------------> |

         |                                                |

         |      appraiseEvidence(evidence, nonce, referencePcrs)

         |                           attestationResult <= |

         |                                                |

## Changelog

You find the changelog in [`CHANGELOG.md`](CHANGELOG.md).

## Next Steps

* Allow verifier to perform periodic attestations, e.g., perform attestation every 10 seconds.

* Refactor and implement forward-declared (but not yet implemented) functions.

* Use non-zero reference PCRs.

* "Extended" *TPM Quote* using TPM audit session(s) and *TPM PCR Read* operations.

* Make CHARRA a library (`libcharra`) and make *attester* and *verifier* example code in `example` folder.

* Add `*_free()` functions for all data transfer objects (DTOs).

* Introduce semantic versioning as CHARRA develops along the way to become stable.

*The order of the list is entirely arbitrary and does not reflect any priorities.*