Configure the HIRS validation variables

HIRS is configured directly through the ACA Web Portal. This section steps through a few sample configurations.

Note

Configuration of the ACA can be done before or after installing the Provisioner, but it must be done prior to running the Provisioner.

Get familiar with the Validation Reports page

If you are new to HIRS, it would be helpful to become familiar with the Validation Reports page. If no validations have been run yet, there will be nothing listed in the results table. Note that any validations that have been run will persist in the database even if the ACA is uninstalled and reinstalled.

Set the level of logging desired

On the Help page, you can change the log level depending on how much detail you would like recorded in the logs. The default level is Info.

'Blank' configuration - software install check

After a fresh installation of the ACA and/or Provisioner, it can be useful to configure the ACA with all credential validations disabled and all outputs disabled to ensure that nothing went wrong with the ACA or Provisioner installation. Note that this will not actually check anything in terms of validation; it is simply an install-sanity check.

On the Policy page, ensure the following credential validations are configured as follows:

Endorsement Credential Validation: Disabled
Platform Credential Validation: Disabled
Firmware Validation: Disabled

Ensure the following outputs are configured as follows:

Generate Attestation Certificate: Disabled
Generate LDevID Certificate: Disabled

In this case you can skip the artifacts stage. After the Provisioner install stage and Provisioner run stage, the validation result should be successful if the software was installed properly.

Select the input configuration

To configure the inputs that the ACA will validate, select one of the following options and follow the instructions.

Configuration with the Endorsement Check Enabled

The Endorsement Certificate is used as an assertion of identity and authenticity of the TPM. The TPM is the sole entity with the private key that matches the public key of its Endorsement Certificate. There are various reasons you may want to test a validation of the Endorsement Certificate only:

  • Most modern computers come with a TPM and Endorsement Certificate, and usually you can obtain the certificate chain, so this can be an easy initial test.
  • If you do not have a Platform Certificate or its trusted chain, the Endorsement/TPM check will be the highest level validation you can perform.

On the Policy page, ensure the following:

Endorsement Credential Validation: Enabled
Platform Credential Validation: Disabled
Firmware Validation: Disabled

Configuration with the Platform Check Enabled

To validate the hardware, you will need to enable the Platform check. The Platform Certificate is used as the Assertion for the measured Evidence of the hardware. This check also requires that you have Endorsement checked, as the hardware validation requires a validated TPM.

On the Policy page, ensure the following:

Endorsement Credential Validation: Enabled
Platform Credential Validation: Enabled
Firmware Validation: Disabled

Info

For more information on the specific options under Platform Certificate Validation, see the Portal Policy Guide.

Configuration with the Firmware Check Enabled

This configuration is the recommended report policy for supply chain validation as it checks the validity of the firmware in addition to the TPM and platform hardware. The RIM is used as the Assertion for the measured Evidence of the firmware. This check also requires that you have Endorsement and Platform checked.

On the Policy page, ensure the following:

Endorsement Credential Validation: Enabled
Platform Credential Validation: Enabled
Firmware Validation: Enabled

Info

For more information on the specific options under Firmware Validation, see the Portal Policy Guide.

Select the output configuration

The ACA can be configured to produce the following outputs. One or both can be enabled.

Configuration with Attestation Certificate

On the Policy page, ensure the following outputs are configured as follows:

Generate Attestation Certificate: Enabled

Configuration with LDevID

On the Policy page, ensure the following outputs are configured as follows:

Generate LDevID Certificate: Enabled
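The input sections above state two dependencies: Platform Credential Validation requires Endorsement Credential Validation, and Firmware Validation requires both. The following is an added example, not HIRS code, that encodes those rules as a pre-flight check over the Policy page toggles and names the resulting configuration the way this page does; the `AcaPolicy` field names are assumptions for the example, not identifiers read from the ACA.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AcaPolicy:
    """Policy-page toggles (field names assumed for this example)."""
    endorsement: bool          # Endorsement Credential Validation
    platform: bool             # Platform Credential Validation
    firmware: bool             # Firmware Validation
    attestation_cert: bool = False  # Generate Attestation Certificate
    ldevid_cert: bool = False       # Generate LDevID Certificate


# Dependency rules stated on this page: toggle -> toggles it requires.
_REQUIRES = {
    "platform": ("endorsement",),
    "firmware": ("endorsement", "platform"),
}


def policy_errors(p: AcaPolicy) -> list[str]:
    """Return dependency violations; an empty list means the policy is consistent."""
    errors = []
    for field, deps in _REQUIRES.items():
        if getattr(p, field):
            missing = [d for d in deps if not getattr(p, d)]
            if missing:
                errors.append(f"{field} validation requires {', '.join(missing)}")
    return errors


def describe(p: AcaPolicy) -> str:
    """Name the configuration as this page does, or say why it is invalid."""
    errors = policy_errors(p)
    if errors:
        return "invalid: " + "; ".join(errors)
    if not (p.endorsement or p.platform or p.firmware):
        if p.attestation_cert or p.ldevid_cert:
            return "no validation, but outputs enabled (not the blank install check)"
        return "blank: install sanity check only, nothing validated"
    if p.firmware:
        return "firmware: TPM, platform hardware and firmware (recommended)"
    if p.platform:
        return "platform: TPM and platform hardware"
    return "endorsement: TPM identity only"


if __name__ == "__main__":
    for cfg in (AcaPolicy(False, False, False), AcaPolicy(False, True, False),
                AcaPolicy(True, True, True)):
        print(cfg, "->", describe(cfg))
```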