masterthesis/thesis/05_appendix.tex

\chapter{Installation instructions}
\section{Installing IMA on Arch}
\url{https://wiki.archlinux.org/index.php/Kernel/Arch_Build_System} in combination with \url{https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture}:

\begin{lstlisting}
	sudo pacman -S asp base-devel
	cd ~
	mkdir build && cd build
	asp update linux
	asp export linux	#Linux repo exported to this directory
\end{lstlisting}
Change \emph{pkgbase} in \texttt{linux/PKGBUILD} to custom name, e.g. linux-ima.
Check \texttt{linux/config} for the following settings:
\begin{lstlisting}
	CONFIG_INTEGRITY=y
	CONFIG_IMA=y
	CONFIG_IMA_MEASURE_PCR_IDX=10
	CONFIG_IMA_LSM_RULES=y
	CONFIG_INTEGRITY_SIGNATURE=y
	CONFIG_IMA_APPRAISE=y
	IMA_APPRAISE_BOOTPARAM=y
\end{lstlisting}
For optimizing file access, add to every fstab-entry \emph{iversion}.
It prevents creating a hash of the file at every access.
Instead the hash will only be created when writing the file.

\texttt{updpkgsums} generates new checksums for the modified files.

\texttt{makepkg -s} then makes the new kernel

\section{Installing Xaptum DAA}
We use the Ubuntu 20.04 server edition for testing the environment.
It supports Trusted Boot an IMA out of the box.
Three systems need to be installed -- the BS host, the issuer of the BS group and a verifier.
Only the BS host needs to have a TPM in it, which requires a non-virtualized installation.
The other hosts can easily be virtualized if needed.

Note: The DAA protocol can be tested without using the TPM.

\subsection{Encrypted File System}
Optional: It is usefult to enable disk encryption on the BS host.
Therefore only the boot section remains unencrypted and the TPM is used to decrypt the disk.

\subsection{Unified Boot Loader}


\subsection{TPM-tools}
The TPM2-tools provide the features of the TPM to the shell and furthermore install the system API
\texttt{apt install tpm2-tools}

\subsection{Prerequisities for Xaptum ECDAA}
Besides the building packages you should build two other projects from Xaptum. The first ist their variant of AMCL
\begin{lstlisting}
	sudo apt install cmake build-essential python3 python3-dev python3-pip gcc doxygen doxygen-latex parallel checkinstall
	git clone https://github.com/xaptum/amcl.git
	cd amcl
	make
	mkdir -p target/build
	cd target/build
	cmake -D CMAKE_INSTALL_PREFIX=/opt/amcl ../..
	export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./
	make
	make test
	make doc
	sudo checkinstall
	export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./:/opt/amcl/lib
\end{lstlisting}
The Apache Milagro Crypto Library is now installed in \texttt{/opt}. 

The next part is the \texttt{xaptum-tpm} project, which provides the interface between the ECDAA application and the TPM hardware.
\begin{lstlisting}
	git clone https://github.com/xaptum/xaptum-tpm.git
	cd xaptum-tpm
	mkdir build
	cd build
	cmake .. -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_INSTALL_PREFIX=/opt
	cmake --build . --target install
\end{lstlisting}

\subsection{Installing Xaptum ECDAA}
Finally the main project can be installed:
\begin{lstlisting}
	git clone https://github.com/xaptum/ecdaa.git
	cd ecdaa
	mkdir build
	cd build
	cmake  . -DECDAA_TPM_SUPPORT=ON -DCMAKE_INSTALL_PREFIX=/opt -DTEST_USE_TCP_TPM=off
	ctest -V
	cmake --build . --target=install
\end{lstlisting}