\chapter{Installation instructions}

\section{Installing IMA on Arch}

The following steps combine the Arch Build System instructions (\url{https://wiki.archlinux.org/index.php/Kernel/Arch_Build_System}) with the Gentoo IMA guide (\url{https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture}):

\begin{lstlisting}
sudo pacman -S asp base-devel
cd ~
mkdir build && cd build
asp update linux
asp export linux    # Linux repo exported to this directory
\end{lstlisting}

Change \emph{pkgbase} in \texttt{linux/PKGBUILD} to a custom name, e.g. \texttt{linux-ima}.
Check \texttt{linux/config} for the following settings:

\begin{lstlisting}
CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
\end{lstlisting}

To optimize file access, add the mount option \emph{iversion} to every fstab entry.
It prevents a hash of the file from being created at every access.
Instead, the hash is only created when the file is written.

\texttt{updpkgsums} generates new checksums for the modified files.
\texttt{makepkg -s} then builds the new kernel.

\section{Installing Xaptum DAA}

We use the Ubuntu 20.04 server edition for testing the environment.
It supports Trusted Boot and IMA out of the box.
Three systems need to be installed -- the BS host, the issuer of the BS group and a verifier.
Only the BS host needs to have a TPM in it, which requires a non-virtualized installation.
The other hosts can easily be virtualized if needed.
Note: The DAA protocol can be tested without using the TPM.

\subsection{Encrypted File System}

Optional: It is useful to enable disk encryption on the BS host.
With this setup, only the boot section remains unencrypted and the TPM is used to decrypt the disk.

\subsection{Unified Boot Loader}

\subsection{TPM-tools}

The TPM2-tools expose the features of the TPM to the shell and also install the system API:

\begin{lstlisting}
sudo apt install tpm2-tools
\end{lstlisting}

\subsection{Prerequisites for Xaptum ECDAA}

Besides the build packages, you should build two other projects from Xaptum.
The first is their variant of AMCL:

\begin{lstlisting}
sudo apt install cmake build-essential python3 python3-dev python3-pip \
    gcc doxygen doxygen-latex parallel checkinstall
git clone https://github.com/xaptum/amcl.git
cd amcl
make
mkdir -p target/build
cd target/build
cmake -D CMAKE_INSTALL_PREFIX=/opt/amcl ../..
# './' makes the loader search the current directory; keep it to this build shell
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./
make
make test
make doc
sudo checkinstall
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./:/opt/amcl/lib
\end{lstlisting}

The Apache Milagro Crypto Library is now installed in \texttt{/opt}.
The next part is the \texttt{xaptum-tpm} project, which provides the interface between the ECDAA application and the TPM hardware.

\begin{lstlisting}
git clone https://github.com/xaptum/xaptum-tpm.git
cd xaptum-tpm
mkdir build
cd build
cmake .. -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_INSTALL_PREFIX=/opt
cmake --build . --target install
\end{lstlisting}

\subsection{Installing Xaptum ECDAA}

Finally, the main project can be installed:

\begin{lstlisting}
git clone https://github.com/xaptum/ecdaa.git
cd ecdaa
mkdir build
cd build
# configure from the parent directory, where CMakeLists.txt lives
cmake .. -DECDAA_TPM_SUPPORT=ON -DCMAKE_INSTALL_PREFIX=/opt -DTEST_USE_TCP_TPM=off
cmake --build .    # build the library and tests before running them
ctest -V
cmake --build . --target install
\end{lstlisting}
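
The kernel settings and the \emph{iversion} mount option from \emph{Installing IMA on Arch} can be checked mechanically before the kernel is built. The following script is an added example, not part of the original instructions; the function names \texttt{check\_ima\_config} and \texttt{fstab\_missing\_iversion} are hypothetical, and skipping swap entries is an assumption of this example.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not from the original guide.
# Options copied from the list in "Installing IMA on Arch".
IMA_REQUIRED='CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y'

# check_ima_config FILE: prints "missing: OPTION" for every required option
# that is absent or set differently. Returns 0 (all set), 1 (some missing)
# or 2 (FILE unreadable).
check_ima_config() {
    cfg=$1 rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for want in $IMA_REQUIRED; do
        # -x -F: exact whole-line match, so "# CONFIG_IMA is not set",
        # CONFIG_IMA=m or a longer option name do not count.
        if ! grep -qxF -- "$want" "$cfg"; then
            echo "missing: $want"
            rc=1
        fi
    done
    return "$rc"
}

# fstab_missing_iversion FILE: prints the mount point of every entry whose
# option field lacks iversion; returns 1 if there is any.
# Assumption of this example: swap entries are skipped.
fstab_missing_iversion() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }   # blank lines and comments
        $3 == "swap"         { next }
        {
            found = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "iversion") found = 1
            if (!found) { print $2; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Stand-alone use: sh <this script> linux/config /etc/fstab
if [ "$#" -eq 2 ]; then
    check_ima_config "$1" && echo "kernel config: all IMA options set"
    fstab_missing_iversion "$2" | sed 's/^/no iversion: /'
fi
```

Run it from the \texttt{build} directory after editing \texttt{linux/config}, with the kernel config and the fstab file as its two arguments.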