4. Gathering artifacts you will need¶
There are certain artifacts that are required based on the input configuration you selected during the HIRS Configuration stage.
Note
Based on your HIRS configuration (whether you checked endorsement, hardware, and/or firmware), if you know that an artifact that you need for your configuration is already in a place where the Provisioner will look and find it, to include that artifact's full trust chain, you can skip the particular section on this page for that particular artifact. For instance, if you have configured the ACA to check endorsement, hardware, and firmware, and you know that the following are all in places where the Provisioner will look and find them:
- Endorsement Certificate
- Platform Certificate
- RIM and TCG Event Log
- All associated trust chains
then you can skip this entire section and move on to Install the Provisioner.
If you don't know where the Provisioner is supposed to find the artifact you need, or you don't know which artifact you need, or you don't understand this note, please continue the steps on this page.
'Blank' configuration - software install check¶
In a configuration with no credential validations enabled, there are no artifacts that are required.
Configuration with the Endorsement Certificate¶
If the Endorsement Certificate configuration on the Policy page is enabled, the validation will require the Endorsement Certificate and its certificate chain.
Endorsement Certificate¶
Depending on the Provisioner Configuration, the Provisioner will search for a TPM in specific locations. If the Provisioner is able to find the TPM and retrieve the Endorsement Certificate, then you will not need to upload an Endorsement Certificate.
However, if the Provisioner cannot retrieve the Endorsement Certificate, you will need to obtain it from the TPM manufacturer and upload it to the Endorsement Key Credentials page.
Endorsement Certificate Trust Chain¶
You will need to obtain the TPM manufacturer's root and intermediate certificates and then upload the (non-zipped) certificates to the Trust Chain Management page. You must obtain these from the TPM manufacturer, or possibly you can obtain them from a few recognized websites:
TPM Manufacturer Information¶
If you do not know the TPM information such as manufacturer, you can determine this via command line:
Run in a terminal:
tpm2_getcap properties-fixed
TPM2_PT_MANUFACTURER:
raw: 0x49465800
value: "IFX"
Where the value can be found in the TCG Vendor ID Registry .
The TPM Management Tool can be used to find information.
You can type 'tpm.msc' into the Windows search bar to get to the tool.
Configuration with the Platform Certificate¶
If the Platform Certificate configuration on the Policy page is enabled, the validation will require
- the artifacts from the Endorsement section above
- the Platform Certificate and its certificate chain
Platform Certificate¶
The Provisioner will search for a Platform Certificate in the directory specified by the Provisioner's configuration file appsettings.json under the scheme efi_prefix. If the Provisioner cannot retrieve the Platform Certificate, you will need to obtain it from the Platform manufacturer and manually upload it to the Platform Certificates page.
If you cannot obtain a manufacturer Platform Certificate, you can create one for testing purposes. See the PACCOR Getting Started page in the PACCOR project for instructions.
Note
At this time, the current ACA is not compatible with Platform Certificate v2.0. If you are using paccor to create platform certificates for HIRS ACA validation runs, be sure to create a Platform Certificate v1.1.
Platform Certificate Trust Chain¶
You will need to obtain the platform manufacturer's root and intermediate certificates and then upload the (non-zipped) certificates to the Trust Chain Management page. You must obtain these from the platform manufacturer.
Configuration with the RIM¶
If the firmware configuration on the Policy page is enabled, the validation will require
- the artifacts from the Endorsement section above
- the artifacts from the Platform section above
- the RIM and its certificate chain
- the TCG Event Log as a support RIM
RIM¶
The Provisioner will search for a RIM in the directory specified by the
Provisioner's configuration file appsettings.json under the scheme
efi_prefix.
If the Provisioner cannot retrieve the RIM, you
will need to obtain it from the RIM manufacturer and upload it to the
Reference Integrity Manifests page.
If you cannot obtain a manufacturer RIM, you can create one for testing purposes. See the RIM-Tool page in the RIM-Tool project for instructions.
RIM Trust Chain¶
You will need to download the RIM manufacturer's root and intermediate certificates and then upload the (non-zipped) certificates to the Trust Chain Management page.
TCG Event Log (Support RIM)¶
Validation of a platform's firmware requires the TCG Event Log as a support RIM.
The Provisioner will search for a TCG Event Log in the directory specified by the
Provisioner's configuration file appsettings.json under the scheme
event_log_file.
If the Provisioner cannot retrieve the TCG Event Log, you
will need to obtain it from the RIM manufacturer and upload it to the
Reference Integrity Manifests page.
If you cannot obtain a manufacturer TCG Event Log, you can create one for testing purposes. See the Rim-Tool Getting Started page in the RIM-Tool project for instructions.