Raspi 4 - Responding IoT Device » History » Version 25

Andreas Steffen, 16.08.2015 12:08

h1. Raspi 4 - Responding IoT Device

h2. Configuration Files

strongSwan IPsec configuration file */etc/ipsec.conf*
<pre>
config setup
     charondebug="tnc 2, imc 2, imv 2, pts 3"

conn %default
     ike=aes128-sha256-ecp256!
     esp=aes128-sha256-ecp256!
     keyexchange=ikev2

conn peer
     left=10.10.1.40
     leftauth=eap-ttls
     leftcert=raspi4Cert.pem
     leftid=raspi4.example.com
     leftfirewall=yes
     right=10.10.1.39
     rightauth=eap-ttls
     rightid=raspi3.example.com
     type=transport
     auto=add
</pre>

strongSwan IPsec secrets file */etc/ipsec.secrets*
<pre>
: RSA raspi4Key.pem
</pre>

strongSwan configuration file */etc/strongswan.conf*
<pre>
charon {
  load = random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 eap-identity eap-ttls eap-tnc sqlite curl kernel-netlink socket-default updown stroke

  half_open_timeout = 90

  plugins {
    eap-ttls
    {
      max_message_count = 0
      request_peer_auth = yes
      phase2_piggyback = yes
      phase2_tnc = yes
    }
    eap-tnc {
      max_message_count = 0
    }
    tnccs-20 {
      mutual = yes
    }
  }
}

libimcv {
  database = sqlite:///etc/pts/config.db
  policy_script = ipsec imv_policy_manager

  plugins {
    imc-os {
      device_pubkey = /etc/pts/aik4Pub.der
    }
    imc-attestation {
      aik_blob = /etc/pts/aik4Blob.bin
      aik_cert = /etc/pts/aik4Cert.der
    }
    imv-attestation {
      cadir = /etc/pts/cacerts
      hash_algorithm = sha1
    }
  }
}

libtls {
  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
}

pt-tls-client {
  load = random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 curl
}

attest {
  database=sqlite:///etc/pts/config.db
}
</pre>

For mutual attestation each peer acts as both TNC client and TNC server, so both IMCs and the IMV are loaded via */etc/tnc_config*.
<pre>
IMC "OS"                /usr/lib/ipsec/imcvs/imc-os.so
IMC "Attestation"       /usr/lib/ipsec/imcvs/imc-attestation.so
IMV "Attestation"       /usr/lib/ipsec/imcvs/imv-attestation.so
</pre>
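
Three settings in the configuration above are what make the exchange in the logs below mutual: *tnccs-20.mutual* switches on the half-duplex PB-TNC mode, *eap-ttls.request_peer_auth* makes raspi4 ask for the peer's TLS client certificate inside EAP-TTLS, and *eap-ttls.phase2_tnc* runs PT-EAP inside the tunnel. The Python below is an added example, not strongSwan code and not part of this page: it parses the strongswan.conf section syntax (including the bare *eap-ttls* name with the brace on the next line) and audits those settings, the *libtls.suites* list and the SHA-1 measurement hash against the embedded excerpt. The audit rules are the editor's, not strongSwan defaults.

```python
"""Parse the strongswan.conf excerpt above and check the settings that the
mutual attestation handshake depends on.  Added example, not strongSwan code."""

# Excerpt of the /etc/strongswan.conf shown above (only the sections the checks need)
STRONGSWAN_CONF = """\
charon {
  load = random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 eap-identity eap-ttls eap-tnc sqlite curl kernel-netlink socket-default updown stroke

  plugins {
    eap-ttls
    {
      max_message_count = 0
      request_peer_auth = yes
      phase2_piggyback = yes
      phase2_tnc = yes
    }
    tnccs-20 {
      mutual = yes
    }
  }
}

libimcv {
  plugins {
    imv-attestation {
      cadir = /etc/pts/cacerts
      hash_algorithm = sha1
    }
  }
}

libtls {
  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
}
"""


def parse_strongswan_conf(text):
    """Return nested dicts for the 'section { key = value }' syntax; '#' starts a comment.
    Accepts both 'name {' and a bare name with '{' on the following line."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "{":          # blank, comment, or the brace belonging to a bare name
            continue
        if line == "}":
            if not stack:
                raise ValueError("unexpected '}' in strongswan.conf")
            cur = stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
        else:                                # section start: 'name {' or bare 'name'
            stack.append(cur)
            cur = cur.setdefault(line.rstrip("{").strip(), {})
    if stack:
        raise ValueError("unterminated section in strongswan.conf")
    return root


def get(conf, path, default=None):
    """Dotted lookup, e.g. get(conf, 'charon.plugins.tnccs-20.mutual')."""
    node = conf
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(conf):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    # Without these the responder runs one-directional TNC or never sees the peer's TLS certificate
    for key in ("charon.plugins.tnccs-20.mutual",
                "charon.plugins.eap-ttls.request_peer_auth",
                "charon.plugins.eap-ttls.phase2_tnc"):
        if get(conf, key, "no") != "yes":
            findings.append(f"{key} must be yes for mutual attestation inside EAP-TTLS")
    loaded = set(get(conf, "charon.load", "").split())
    for plugin in ("tnc-imc", "tnc-imv", "tnc-tnccs", "tnccs-20", "eap-ttls", "eap-tnc"):
        if plugin not in loaded:
            findings.append(f"charon.load lacks the {plugin} plugin")
    # The page restricts the TLS tunnel to ECDHE suites; flag anything without ephemeral ECDH
    for suite in filter(None, (s.strip() for s in get(conf, "libtls.suites", "").split(","))):
        if not suite.startswith("TLS_ECDHE_"):
            findings.append(f"libtls.suites: {suite} has no ephemeral ECDH key exchange")
    # Both peers advertise HASH_SHA256 in the log, yet SHA-1 gets selected because of this setting
    if get(conf, "libimcv.plugins.imv-attestation.hash_algorithm") == "sha1":
        findings.append("imv-attestation.hash_algorithm is sha1; both peers support sha256")
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_strongswan_conf(text))
```

Run against the excerpt, the only finding is the SHA-1 measurement hash; flipping *mutual = yes* to *no* or adding a non-ECDHE suite to *libtls.suites* produces one additional finding each.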

h2. Starting the IKEv2 Daemon

First the IKEv2 charon daemon is started in the background.
<pre>
raspi4# ipsec start
</pre>

<pre>
Aug 15 14:45:49 raspi4 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.1, Linux 3.18.13-v7+, armv7l)
Aug 15 14:45:49 raspi4 charon: 00[TNC] TNC recommendation policy is 'default'
Aug 15 14:45:49 raspi4 charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Aug 15 14:45:49 raspi4 charon: 00[TNC] added IETF attributes
Aug 15 14:45:49 raspi4 charon: 00[TNC] added ITA-HSR attributes
Aug 15 14:45:49 raspi4 charon: 00[TNC] added TCG attributes
Aug 15 14:45:49 raspi4 charon: 00[PTS] added TCG functional component namespace
Aug 15 14:45:49 raspi4 charon: 00[PTS] added ITA-HSR functional component namespace
Aug 15 14:45:49 raspi4 charon: 00[PTS] added ITA-HSR functional component 'Trusted GRUB Boot Loader'
Aug 15 14:45:49 raspi4 charon: 00[PTS] added ITA-HSR functional component 'Trusted Boot'
Aug 15 14:45:49 raspi4 charon: 00[PTS] added ITA-HSR functional component 'Linux IMA'
Aug 15 14:45:49 raspi4 charon: 00[LIB] libimcv initialized
</pre>

Loading Attestation IMV
<pre>
Aug 15 14:45:49 raspi4 charon: 00[IMV] IMV 1 "Attestation" initialized
Aug 15 14:45:49 raspi4 charon: 00[PTS] loading PTS ca certificates from '/etc/pts/cacerts'
Aug 15 14:45:49 raspi4 charon: 00[PTS]   loaded ca certificate "C=US, O=TNC Demo, CN=AIK CA" from '/etc/pts/cacerts/aikCaCert.pem'
Aug 15 14:45:49 raspi4 charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   optional  PTS measurement algorithm HASH_SHA384[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   optional  PTS DH group MODP_2048[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   optional  PTS DH group MODP_1536[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   optional  PTS DH group MODP_1024[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   mandatory PTS DH group ECP_256[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   optional  PTS DH group ECP_384[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[TNC] IMV 1 supports 2 message types: 'TCG/PTS' 0x005597/0x00000001 'IETF/Operating System' 0x000000/0x00000001
Aug 15 14:45:49 raspi4 charon: 00[TNC] IMV 1 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imv-attestation.so'
</pre>

Loading OS IMC
<pre>
Aug 15 14:45:49 raspi4 charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Aug 15 14:45:49 raspi4 charon: 00[IMC] IMC 1 "OS" initialized
Aug 15 14:45:49 raspi4 charon: 00[IMC] processing "/etc/debian_version" file
Aug 15 14:45:49 raspi4 charon: 00[IMC] operating system name is 'Debian'
Aug 15 14:45:49 raspi4 charon: 00[IMC] operating system version is '7.8 armv7l'
Aug 15 14:45:49 raspi4 charon: 00[TNC] IMC 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
Aug 15 14:45:49 raspi4 charon: 00[TNC] IMC 1 "OS" loaded from '/usr/lib/ipsec/imcvs/imc-os.so'
</pre>

Loading Attestation IMC
<pre>
Aug 15 14:45:49 raspi4 charon: 00[IMC] IMC 2 "Attestation" initialized
Aug 15 14:45:49 raspi4 charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA1[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   mandatory PTS measurement algorithm HASH_SHA256[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   optional  PTS measurement algorithm HASH_SHA384[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   optional  PTS DH group MODP_2048[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   optional  PTS DH group MODP_1536[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   optional  PTS DH group MODP_1024[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   mandatory PTS DH group ECP_256[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[PTS]   optional  PTS DH group ECP_384[openssl] available
Aug 15 14:45:49 raspi4 charon: 00[TNC] IMC 2 supports 1 message type: 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:45:49 raspi4 charon: 00[TNC] IMC 2 "Attestation" loaded from '/usr/lib/ipsec/imcvs/imc-attestation.so'
</pre>

Initializing IKE daemon
<pre>
Aug 15 14:45:49 raspi4 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 15 14:45:49 raspi4 charon: 00[CFG]   loaded ca certificate "C=US, O=TNC Demo, CN=TNC Demo CA" from '/etc/ipsec.d/cacerts/demoCaCert.pem'
Aug 15 14:45:49 raspi4 charon: 00[CFG]   loaded ca certificate "C=CH, O=MSE, OU=TSM_ITSec, CN=MSE CA" from '/etc/ipsec.d/cacerts/MSE_CA_Cert.pem'
Aug 15 14:45:49 raspi4 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 15 14:45:49 raspi4 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 15 14:45:49 raspi4 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 15 14:45:49 raspi4 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 15 14:45:49 raspi4 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 15 14:45:49 raspi4 charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/raspi4Key.pem'
Aug 15 14:45:49 raspi4 charon: 00[LIB] loaded plugins: charon random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 eap-identity eap-ttls eap-tnc sqlite curl kernel-netlink socket-default updown stroke
Aug 15 14:45:49 raspi4 charon: 00[JOB] spawning 16 worker threads
</pre>

Loading *peer* IPsec connection
<pre>
Aug 15 14:45:49 raspi4 charon: 06[CFG] received stroke: add connection 'peer'
Aug 15 14:45:49 raspi4 charon: 06[CFG]   loaded certificate "C=US, O=TNC Demo, CN=raspi4.example.com" from 'raspi4Cert.pem'
Aug 15 14:45:49 raspi4 charon: 06[CFG] added configuration 'peer'
</pre>

h2. Responding to IPsec Connection Setup

raspi3 (10.10.1.39) initiates the IKE_SA. Both peers use EAP-only authentication (N(EAP_ONLY)): raspi4 acts as the EAP-TTLS server, presents its TLS server certificate and requests a TLS client certificate from raspi3 before PT-EAP is started inside the tunnel.

<pre>
Aug 15 14:46:05 raspi4 charon: 07[NET] received packet: from 10.10.1.39[500] to 10.10.1.40[500] (256 bytes)
Aug 15 14:46:05 raspi4 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug 15 14:46:05 raspi4 charon: 07[IKE] 10.10.1.39 is initiating an IKE_SA
Aug 15 14:46:05 raspi4 charon: 07[IKE] sending cert request for "C=US, O=TNC Demo, CN=TNC Demo CA"
Aug 15 14:46:05 raspi4 charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Aug 15 14:46:05 raspi4 charon: 07[NET] sending packet: from 10.10.1.40[500] to 10.10.1.39[500] (309 bytes)
</pre>

<pre>
Aug 15 14:46:05 raspi4 charon: 08[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (304 bytes)
Aug 15 14:46:05 raspi4 charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 15 14:46:05 raspi4 charon: 08[IKE] received cert request for "C=US, O=TNC Demo, CN=TNC Demo CA"
Aug 15 14:46:05 raspi4 charon: 08[CFG] looking for peer configs matching 10.10.1.40[raspi4.example.com]...10.10.1.39[raspi3.example.com]
Aug 15 14:46:05 raspi4 charon: 08[CFG] selected peer config 'peer'
Aug 15 14:46:05 raspi4 charon: 08[IKE] initiating EAP_TTLS method (id 0xDB)
Aug 15 14:46:05 raspi4 charon: 08[IKE] peer supports MOBIKE
Aug 15 14:46:05 raspi4 charon: 08[ENC] generating IKE_AUTH response 1 [ IDr EAP/REQ/TTLS ]
Aug 15 14:46:05 raspi4 charon: 08[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (112 bytes)
</pre>

<pre>
Aug 15 14:46:05 raspi4 charon: 09[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (208 bytes)
Aug 15 14:46:05 raspi4 charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/TTLS ]
Aug 15 14:46:05 raspi4 charon: 09[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Aug 15 14:46:05 raspi4 charon: 09[TLS] sending TLS server certificate 'C=US, O=TNC Demo, CN=raspi4.example.com'
Aug 15 14:46:05 raspi4 charon: 09[TLS] sending TLS cert request for 'C=CH, O=MSE, OU=TSM_ITSec, CN=MSE CA'
Aug 15 14:46:05 raspi4 charon: 09[TLS] sending TLS cert request for 'C=US, O=TNC Demo, CN=TNC Demo CA'
Aug 15 14:46:05 raspi4 charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TTLS ]
Aug 15 14:46:05 raspi4 charon: 09[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)
</pre>

<pre>
Aug 15 14:46:05 raspi4 charon: 10[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)
Aug 15 14:46:05 raspi4 charon: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TTLS ]
Aug 15 14:46:05 raspi4 charon: 10[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TTLS ]
Aug 15 14:46:05 raspi4 charon: 10[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (480 bytes)
</pre>

<pre>
Aug 15 14:46:05 raspi4 charon: 11[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)
Aug 15 14:46:05 raspi4 charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TTLS ]
Aug 15 14:46:05 raspi4 charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TTLS ]
Aug 15 14:46:05 raspi4 charon: 11[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)
</pre>

<pre>
Aug 15 14:46:05 raspi4 charon: 12[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (352 bytes)
Aug 15 14:46:05 raspi4 charon: 12[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TTLS ]
Aug 15 14:46:05 raspi4 charon: 12[TLS] received TLS peer certificate 'C=US, O=TNC Demo, CN=raspi3.example.com'
Aug 15 14:46:05 raspi4 charon: 12[CFG]   using certificate "C=US, O=TNC Demo, CN=raspi3.example.com"
Aug 15 14:46:05 raspi4 charon: 12[CFG]   using trusted ca certificate "C=US, O=TNC Demo, CN=TNC Demo CA"
Aug 15 14:46:05 raspi4 charon: 12[CFG] checking certificate status of "C=US, O=TNC Demo, CN=raspi3.example.com"
Aug 15 14:46:05 raspi4 charon: 12[CFG] certificate status is not available
Aug 15 14:46:05 raspi4 charon: 12[CFG]   reached self-signed root ca with a path length of 0
Aug 15 14:46:05 raspi4 charon: 12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
Aug 15 14:46:05 raspi4 charon: 12[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TTLS ]
Aug 15 14:46:05 raspi4 charon: 12[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (256 bytes)
</pre>

<pre>
Aug 15 14:46:05 raspi4 charon: 13[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (192 bytes)
Aug 15 14:46:05 raspi4 charon: 13[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TTLS ]
Aug 15 14:46:05 raspi4 charon: 13[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
Aug 15 14:46:05 raspi4 charon: 13[IKE] received EAP identity 'raspi3.example.com'
Aug 15 14:46:05 raspi4 charon: 13[IKE] phase2 method EAP_PT_EAP selected
Aug 15 14:46:05 raspi4 charon: 13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:05 raspi4 charon: 13[ENC] generating IKE_AUTH response 6 [ EAP/REQ/TTLS ]
Aug 15 14:46:05 raspi4 charon: 13[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (176 bytes)
</pre>

<pre>
Aug 15 14:46:05 raspi4 charon: 14[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (448 bytes)
Aug 15 14:46:05 raspi4 charon: 14[ENC] parsed IKE_AUTH request 7 [ EAP/RES/TTLS ]
Aug 15 14:46:05 raspi4 charon: 14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
</pre>

h2. Start of Mutual Attestation

raspi4 first acts as TNC server for the peer's posture (Connection ID 1). Because the peer announces the ITA-HSR mutual capability, the half-duplex PB-TNC protocol is activated and raspi4 additionally acts as TNC client for its own posture (Connection ID 2, below).

h3. Assigning Connection to TNC Server

<pre>
Aug 15 14:46:05 raspi4 charon: 14[TNC] assigned TNCCS Connection ID 1
Aug 15 14:46:05 raspi4 charon: 14[IMV] IMV 1 "Attestation" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
Aug 15 14:46:05 raspi4 charon: 14[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
Aug 15 14:46:05 raspi4 charon: 14[IMV]   user AR identity 'raspi3.example.com' of type username authenticated by certificate
Aug 15 14:46:05 raspi4 charon: 14[IMV]   machine AR identity '10.10.1.39' of type IPv4 address authenticated by unknown method
Aug 15 14:46:05 raspi4 charon: 14[IMV] IMV 1 "Attestation" changed state of Connection ID 1 to 'Handshake'
Aug 15 14:46:05 raspi4 charon: 14[TNC] received TNCCS batch (283 bytes)
</pre>

<pre>
Aug 15 14:46:05 raspi4 charon: 14[TNC] TNC server is handling inbound connection
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing PB-TNC CDATA batch for Connection ID 1
Aug 15 14:46:05 raspi4 charon: 14[TNC] PB-TNC state transition from 'Init' to 'Server Working'
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing ITA-HSR/PB-Mutual-Capability message (16 bytes)
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing IETF/PB-Language-Preference message (31 bytes)
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing IETF/PB-PA message (228 bytes)
</pre>

<pre>
Aug 15 14:46:05 raspi4 charon: 14[TNC] activating mutual PB-TNC half duplex protocol
</pre>

<pre>
Aug 15 14:46:05 raspi4 charon: 14[TNC] setting language preference to 'en'
Aug 15 14:46:05 raspi4 charon: 14[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
Aug 15 14:46:05 raspi4 charon: 14[IMV] IMV 1 "Attestation" received message for Connection ID 1 from IMC 1
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing PA-TNC message with ID 0x83cf019d
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
Aug 15 14:46:05 raspi4 charon: 14[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
</pre>

h3. Receiving OS Information

<pre>
Aug 15 14:46:05 raspi4 charon: 14[IMV] operating system name is 'Debian' from vendor Debian Project
Aug 15 14:46:05 raspi4 charon: 14[IMV] operating system version is '7.8 armv7l'
Aug 15 14:46:05 raspi4 charon: 14[IMV] device ID is 565feb9e8462870dba884ce540a0768d68829873
</pre>

h3. Starting Session with Policy Manager

<pre>
Aug 15 14:46:05 raspi4 charon: 14[IMV] assigned session ID 3 to Connection ID 1
Aug 15 14:46:08 raspi4 charon: 14[IMV] policy: imv_policy_manager start successful
Aug 15 14:46:08 raspi4 charon: 14[IMV] policy: skipping enforcment 6
Aug 15 14:46:08 raspi4 charon: 14[IMV] FWDEN workitem 13
Aug 15 14:46:08 raspi4 charon: 14[IMV] FMETA workitem 14
Aug 15 14:46:08 raspi4 charon: 14[IMV] PCKGS workitem 15
Aug 15 14:46:08 raspi4 charon: 14[IMV] TCPOP workitem 16
Aug 15 14:46:08 raspi4 charon: 14[IMV] UDPOP workitem 17
Aug 15 14:46:08 raspi4 charon: 14[IMV] TPMRA workitem 18
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 14[IMV] IMV 1 requests a segmentation contract for PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:08 raspi4 charon: 14[IMV]   maximum attribute size of 100000000 bytes with maximum segment size of 65446 bytes
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 14[TNC] creating PA-TNC message with ID 0x42501f74
Aug 15 14:46:08 raspi4 charon: 14[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
Aug 15 14:46:08 raspi4 charon: 14[TNC] creating PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Aug 15 14:46:08 raspi4 charon: 14[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
Aug 15 14:46:08 raspi4 charon: 14[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 14[TNC] TNC server is handling outbound connection
Aug 15 14:46:08 raspi4 charon: 14[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Aug 15 14:46:08 raspi4 charon: 14[TNC] creating PB-TNC SDATA batch
Aug 15 14:46:08 raspi4 charon: 14[TNC] adding ITA-HSR/PB-Mutual-Capability message
Aug 15 14:46:08 raspi4 charon: 14[TNC] adding IETF/PB-PA message
Aug 15 14:46:08 raspi4 charon: 14[TNC] sending PB-TNC SDATA batch (108 bytes) for Connection ID 1
Aug 15 14:46:08 raspi4 charon: 14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:08 raspi4 charon: 14[ENC] generating IKE_AUTH response 7 [ EAP/REQ/TTLS ]
Aug 15 14:46:08 raspi4 charon: 14[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (272 bytes)
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 15[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (176 bytes)
Aug 15 14:46:08 raspi4 charon: 15[ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ]
Aug 15 14:46:08 raspi4 charon: 15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
Aug 15 14:46:08 raspi4 charon: 15[TNC] received TNCCS batch (8 bytes)
</pre>

h3. Assigning Connection to TNC Client

<pre>
Aug 15 14:46:08 raspi4 charon: 15[TNC] assigned TNCCS Connection ID 2
Aug 15 14:46:08 raspi4 charon: 15[IMC] IMC 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh
Aug 15 14:46:08 raspi4 charon: 15[IMC]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
Aug 15 14:46:08 raspi4 charon: 15[PTS] loaded AIK certificate from '/etc/pts/aik4Cert.der'
Aug 15 14:46:08 raspi4 charon: 15[PTS] loaded AIK Blob from '/etc/pts/aik4Blob.bin'
Aug 15 14:46:08 raspi4 charon: 15[IMC] IMC 2 "Attestation" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh
Aug 15 14:46:08 raspi4 charon: 15[IMC]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
Aug 15 14:46:08 raspi4 charon: 15[IMC] IMC 1 "OS" changed state of Connection ID 2 to 'Handshake'
Aug 15 14:46:08 raspi4 charon: 15[IMC] IMC 2 "Attestation" changed state of Connection ID 2 to 'Handshake'
</pre>

h3. Sending OS Information

<pre>
Aug 15 14:46:08 raspi4 charon: 15[IMC] operating system numeric version is 7.8
Aug 15 14:46:08 raspi4 charon: 15[IMC] last boot: Aug 15 07:56:45 UTC 2015, 17363 s ago
Aug 15 14:46:08 raspi4 charon: 15[IMC] IPv4 forwarding is disabled
Aug 15 14:46:08 raspi4 charon: 15[IMC] factory default password is disabled
Aug 15 14:46:08 raspi4 charon: 15[IMC] loaded device public key from '/etc/pts/aik4Pub.der'
Aug 15 14:46:08 raspi4 charon: 15[IMC] device ID is 762872c90011671ef219b6a2a0c3c7dda875b43c
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 15[TNC] creating PA-TNC message with ID 0x366c28ea
Aug 15 14:46:08 raspi4 charon: 15[TNC] creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
Aug 15 14:46:08 raspi4 charon: 15[TNC] creating PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
Aug 15 14:46:08 raspi4 charon: 15[TNC] creating PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
Aug 15 14:46:08 raspi4 charon: 15[TNC] creating PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
Aug 15 14:46:08 raspi4 charon: 15[TNC] creating PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
Aug 15 14:46:08 raspi4 charon: 15[TNC] creating PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
Aug 15 14:46:08 raspi4 charon: 15[TNC] creating PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
Aug 15 14:46:08 raspi4 charon: 15[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
</pre>
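
The attribute lists in the two blocks above (the IMV processing raspi3's 'IETF/Operating System' message under Connection ID 1, and the IMC creating raspi4's own under Connection ID 2) are the log's view of a PB-TNC batch carrying a PB-PA message that wraps a PA-TNC message. The Python below is an added example, not strongSwan code and not part of this page: it decodes that framing with the header layouts of RFC 5793 (PB-TNC) and RFC 5792 (PA-TNC), rejects truncated batches and unknown NOSKIP attributes instead of skipping them, and builds a constructed client CDATA batch to run on. The vendor/type numbers are the ones printed in the log; the attribute values, the vendor-specific message type 0x7fff and the raw-bytes encoding of the Device ID are assumptions for the sample.

```python
"""Decode the PB-TNC batch / PB-PA message / PA-TNC attribute framing that the
charon log above reports.  Header layouts follow RFC 5793 (PB-TNC) and RFC 5792
(PA-TNC).  Added example, not strongSwan code; all sample data is constructed."""
import struct

NOSKIP = 0x80  # flag bit shared by PB-TNC message and PA-TNC attribute headers
# Private Enterprise Numbers printed as vendor IDs in the log
VENDOR_NAMES = {0x000000: "IETF", 0x005597: "TCG", 0x00902A: "ITA-HSR"}
PB_BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
PB_MSG_NAMES = {(0, 1): "PB-PA", (0, 2): "PB-Assessment-Result", (0, 3): "PB-Access-Recommendation",
                (0, 4): "PB-Remediation-Parameters", (0, 5): "PB-Error",
                (0, 6): "PB-Language-Preference", (0, 7): "PB-Reason-String"}
PA_SUBTYPE_NAMES = {(0, 1): "Operating System", (0x005597, 1): "PTS"}
PA_ATTR_NAMES = {(0, 2): "Product Information", (0, 3): "Numeric Version", (0, 4): "String Version",
                 (0, 5): "Operational Status", (0, 0xB): "Forwarding Enabled",
                 (0, 0xC): "Factory Default Password Enabled", (0x00902A, 8): "Device ID"}


def tlv_header(data, pos, what):
    """Shared 12-byte header: flags(1) vendor(3) type(4) length(4); length includes the header."""
    if len(data) - pos < 12:
        raise ValueError(f"truncated {what} header")
    flags, vendor = data[pos], int.from_bytes(data[pos + 1:pos + 4], "big")
    mtype, length = struct.unpack(">II", data[pos + 4:pos + 12])
    if length < 12 or pos + length > len(data):
        raise ValueError(f"bad {what} length {length}")
    return flags, vendor, mtype, length


def parse_pa_tnc(data):
    """PA-TNC message: version(1) = 1, reserved(3), message identifier(4), then attributes."""
    if len(data) < 8 or data[0] != 1:
        raise ValueError("not a PA-TNC version 1 message")
    attrs, pos = [], 8
    while pos < len(data):
        flags, vendor, atype, length = tlv_header(data, pos, "PA-TNC attribute")
        name = PA_ATTR_NAMES.get((vendor, atype))
        if name is None and flags & NOSKIP:
            # unknown attribute with NOSKIP set: must be rejected, never silently skipped
            raise ValueError(f"unsupported mandatory attribute {vendor:#08x}/{atype:#010x}")
        attrs.append({"vendor": VENDOR_NAMES.get(vendor, vendor), "type": atype, "name": name,
                      "value": data[pos + 12:pos + length]})
        pos += length
    return {"id": struct.unpack(">I", data[4:8])[0], "attributes": attrs}


def parse_pb_pa(value):
    """PB-PA body: flags(1, EXCL = 0x80), PA vendor(3), PA subtype(4), collector(2), validator(2)."""
    if len(value) < 12:
        raise ValueError("truncated PB-PA header")
    vendor = int.from_bytes(value[1:4], "big")
    subtype, collector, validator = struct.unpack(">IHH", value[4:12])
    subtype_name = PA_SUBTYPE_NAMES.get((vendor, subtype), subtype)
    return {"excl": bool(value[0] & 0x80), "collector": collector, "validator": validator,
            "pa_subtype": f"{VENDOR_NAMES.get(vendor, vendor)}/{subtype_name}",
            "pa_message": parse_pa_tnc(value[12:])}


def parse_pb_tnc_batch(data):
    """PB-TNC batch: version(1) = 2, D flag = bit 7 of byte 1, type = low nibble of byte 3, length(4)."""
    if len(data) < 8 or data[0] != 2:
        raise ValueError("not a PB-TNC version 2 batch")
    if struct.unpack(">I", data[4:8])[0] != len(data):
        raise ValueError("batch length field does not match the data received")
    messages, pos = [], 8
    while pos < len(data):
        flags, vendor, mtype, length = tlv_header(data, pos, "PB-TNC message")
        name, value = PB_MSG_NAMES.get((vendor, mtype)), data[pos + 12:pos + length]
        if name is None and flags & NOSKIP:
            raise ValueError(f"unsupported mandatory PB-TNC message {vendor:#08x}/{mtype:#010x}")
        msg = {"vendor": VENDOR_NAMES.get(vendor, vendor), "type": mtype, "name": name, "value": value}
        if name == "PB-PA":
            msg.update(parse_pb_pa(value))
        elif name == "PB-Language-Preference":
            msg["value"] = value.decode("ascii")  # "Accept-Language: en": 19 bytes, the 31-byte message in the log
        messages.append(msg)
        pos += length
    return {"type": PB_BATCH_TYPES.get(data[3] & 0x0F), "from_server": bool(data[1] & 0x80),
            "messages": messages}


def encode_tlv(vendor, mtype, value, noskip=True):
    """Build one PB-TNC message or PA-TNC attribute (identical header layout)."""
    header = bytes([NOSKIP if noskip else 0]) + vendor.to_bytes(3, "big")
    return header + struct.pack(">II", mtype, 12 + len(value)) + value


def build_sample_cdata_batch():
    """Constructed client CDATA batch in the shape of the 283-byte one in the log (values made up)."""
    pa_body = (encode_tlv(0, 2, bytes(3) + struct.pack(">H", 0) + b"Debian")          # Product Information
               + encode_tlv(0, 4, b"\x037.8\x00\x06armv7l")                          # String Version
               + encode_tlv(0, 3, struct.pack(">IIIHH", 7, 8, 0, 0, 0))              # Numeric Version
               + encode_tlv(0, 0xB, struct.pack(">I", 0))                            # Forwarding Enabled: 0 = disabled
               + encode_tlv(0, 0xC, struct.pack(">I", 0))                            # Factory Default Password: 0 = disabled
               + encode_tlv(0x00902A, 8, bytes.fromhex("565feb9e8462870dba884ce540a0768d68829873")))  # Device ID from the log; raw bytes assumed
    pa_msg = struct.pack(">BBBBI", 1, 0, 0, 0, 0x83CF019D) + pa_body                # message ID as printed in the log
    pb_pa = bytes([0x80]) + bytes(3) + struct.pack(">IHH", 1, 1, 1) + pa_msg         # EXCL, IETF/Operating System, IMC 1 -> IMV 1
    body = (encode_tlv(0x00902A, 0x7FFF, b"\x00\x00\x00\x01", noskip=False)          # hypothetical vendor message, type made up
            + encode_tlv(0, 6, b"Accept-Language: en") + encode_tlv(0, 1, pb_pa))
    return bytes([2, 0x00, 0x00, 0x01]) + struct.pack(">I", 8 + len(body)) + body    # version 2, D = 0 (client), CDATA
```

The vendor-specific message is carried with NOSKIP clear, so the decoder keeps it unnamed and moves on; the same message with NOSKIP set, or a batch whose length field disagrees with the bytes received, raises instead of yielding a partial result, which is the behaviour a posture broker needs.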
395 6 Andreas Steffen
396 6 Andreas Steffen
<pre>
397 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[TNC] TNC client is handling inbound connection
398 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[TNC] processing PB-TNC SDATA batch for Connection ID 2
399 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[TNC] PB-TNC state transition from 'Init' to 'Client Working'
400 9 Andreas Steffen
</pre>
401 9 Andreas Steffen
402 9 Andreas Steffen
<pre>
403 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[TNC] TNC client is handling outbound connection
404 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
405 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[TNC] creating PB-TNC CDATA batch
406 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[TNC] adding IETF/PB-Language-Preference message
407 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[TNC] adding IETF/PB-PA message
408 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[TNC] sending PB-TNC CDATA batch (267 bytes) for Connection ID 2
409 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
410 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[ENC] generating IKE_AUTH response 8 [ EAP/REQ/TTLS ]
411 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 15[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (432 bytes)
412 6 Andreas Steffen
</pre>
413 6 Andreas Steffen
414 6 Andreas Steffen
<pre>
415 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 16[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (256 bytes)
416 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 16[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TTLS ]
417 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
418 1 Andreas Steffen
Aug 15 14:46:08 raspi4 charon: 16[TNC] received TNCCS batch (92 bytes)
419 6 Andreas Steffen
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 16[TNC] TNC server is handling inbound connection
Aug 15 14:46:08 raspi4 charon: 16[TNC] processing PB-TNC CDATA batch for Connection ID 1
Aug 15 14:46:08 raspi4 charon: 16[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Aug 15 14:46:08 raspi4 charon: 16[TNC] processing IETF/PB-PA message (84 bytes)
Aug 15 14:46:08 raspi4 charon: 16[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:08 raspi4 charon: 16[IMV] IMV 1 "Attestation" received message for Connection ID 1 from IMC 2 to IMV 1
Aug 15 14:46:08 raspi4 charon: 16[TNC] processing PA-TNC message with ID 0x1d5fa63a
Aug 15 14:46:08 raspi4 charon: 16[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
Aug 15 14:46:08 raspi4 charon: 16[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Aug 15 14:46:08 raspi4 charon: 16[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 16[IMV] IMV 1 received a segmentation contract response from IMC 2 for PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:08 raspi4 charon: 16[IMV]   maximum attribute size of 100000000 bytes with maximum segment size of 65446 bytes
</pre>

h3. Receiving PTS Protocol Capabilities

<pre>
Aug 15 14:46:08 raspi4 charon: 16[PTS] supported PTS protocol capabilities: .VDT.
Aug 15 14:46:08 raspi4 charon: 16[PTS] selected PTS measurement algorithm is HASH_SHA1
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 16[IMV] IMV 1 handles FMETA workitem 14
Aug 15 14:46:08 raspi4 charon: 16[IMV] IMV 1 requests metadata for file '/etc/tnc_config'
Aug 15 14:46:08 raspi4 charon: 16[IMV] IMV 1 handled FMETA workitem 14: allow - file metadata requested
Aug 15 14:46:08 raspi4 charon: 16[IMV] IMV 1 handles TPMRA workitem 18
Aug 15 14:46:08 raspi4 charon: 16[TNC] creating PA-TNC message with ID 0xaff3c130
Aug 15 14:46:08 raspi4 charon: 16[TNC] creating PA-TNC attribute type 'TCG/Request File Metadata' 0x005597/0x00700000
Aug 15 14:46:08 raspi4 charon: 16[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000
Aug 15 14:46:08 raspi4 charon: 16[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 16[TNC] TNC server is handling outbound connection
Aug 15 14:46:08 raspi4 charon: 16[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Aug 15 14:46:08 raspi4 charon: 16[TNC] creating PB-TNC SDATA batch
Aug 15 14:46:08 raspi4 charon: 16[TNC] adding IETF/PB-PA message
Aug 15 14:46:08 raspi4 charon: 16[TNC] sending PB-TNC SDATA batch (87 bytes) for Connection ID 1
Aug 15 14:46:08 raspi4 charon: 16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:08 raspi4 charon: 16[ENC] generating IKE_AUTH response 9 [ EAP/REQ/TTLS ]
Aug 15 14:46:08 raspi4 charon: 16[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (256 bytes)
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 05[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (256 bytes)
Aug 15 14:46:08 raspi4 charon: 05[ENC] parsed IKE_AUTH request 10 [ EAP/RES/TTLS ]
Aug 15 14:46:08 raspi4 charon: 05[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
Aug 15 14:46:08 raspi4 charon: 05[TNC] received TNCCS batch (92 bytes)
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 05[TNC] TNC client is handling inbound connection
Aug 15 14:46:08 raspi4 charon: 05[TNC] processing PB-TNC SDATA batch for Connection ID 2
Aug 15 14:46:08 raspi4 charon: 05[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Aug 15 14:46:08 raspi4 charon: 05[TNC] processing IETF/PB-PA message (84 bytes)
Aug 15 14:46:08 raspi4 charon: 05[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:08 raspi4 charon: 05[IMC] IMC 2 "Attestation" received message for Connection ID 2 from IMV 1
Aug 15 14:46:08 raspi4 charon: 05[TNC] processing PA-TNC message with ID 0x918da8fe
Aug 15 14:46:08 raspi4 charon: 05[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
Aug 15 14:46:08 raspi4 charon: 05[TNC] processing PA-TNC attribute type 'TCG/Request PTS Protocol Capabilities' 0x005597/0x01000000
Aug 15 14:46:08 raspi4 charon: 05[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm Request' 0x005597/0x06000000
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 05[IMC] IMC 2 received a segmentation contract request from IMV 1 for PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:08 raspi4 charon: 05[IMC]   maximum attribute size of 100000000 bytes with maximum segment size of 65446 bytes
</pre>

h3. Sending PTS Protocol Capabilities

<pre>
Aug 15 14:46:08 raspi4 charon: 05[PTS] supported PTS protocol capabilities: .VDT.
Aug 15 14:46:08 raspi4 charon: 05[PTS] selected PTS measurement algorithm is HASH_SHA1
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 05[TNC] creating PA-TNC message with ID 0xf94741eb
Aug 15 14:46:08 raspi4 charon: 05[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
Aug 15 14:46:08 raspi4 charon: 05[TNC] creating PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Aug 15 14:46:08 raspi4 charon: 05[TNC] creating PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Aug 15 14:46:08 raspi4 charon: 05[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 05[TNC] TNC client is handling outbound connection
Aug 15 14:46:08 raspi4 charon: 05[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Aug 15 14:46:08 raspi4 charon: 05[TNC] creating PB-TNC CDATA batch
Aug 15 14:46:08 raspi4 charon: 05[TNC] adding IETF/PB-PA message
Aug 15 14:46:08 raspi4 charon: 05[TNC] sending PB-TNC CDATA batch (92 bytes) for Connection ID 2
Aug 15 14:46:08 raspi4 charon: 05[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:08 raspi4 charon: 05[ENC] generating IKE_AUTH response 10 [ EAP/REQ/TTLS ]
Aug 15 14:46:08 raspi4 charon: 05[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (256 bytes)
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 06[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (400 bytes)
Aug 15 14:46:08 raspi4 charon: 06[ENC] parsed IKE_AUTH request 11 [ EAP/RES/TTLS ]
Aug 15 14:46:08 raspi4 charon: 06[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
Aug 15 14:46:08 raspi4 charon: 06[TNC] received TNCCS batch (226 bytes)
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 06[TNC] TNC server is handling inbound connection
Aug 15 14:46:08 raspi4 charon: 06[TNC] processing PB-TNC CDATA batch for Connection ID 1
Aug 15 14:46:08 raspi4 charon: 06[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Aug 15 14:46:08 raspi4 charon: 06[TNC] processing IETF/PB-PA message (218 bytes)
Aug 15 14:46:08 raspi4 charon: 06[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:08 raspi4 charon: 06[IMV] IMV 1 "Attestation" received message for Connection ID 1 from IMC 2 to IMV 1
Aug 15 14:46:08 raspi4 charon: 06[TNC] processing PA-TNC message with ID 0x5e3ee705
Aug 15 14:46:08 raspi4 charon: 06[TNC] processing PA-TNC attribute type 'TCG/Unix-Style File Metadata' 0x005597/0x00900000
Aug 15 14:46:08 raspi4 charon: 06[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 06[IMV] metadata request returned 1 file:
Aug 15 14:46:08 raspi4 charon: 06[IMV]  'tnc_config' (177 bytes) owner 0, group 0, type Regular
Aug 15 14:46:08 raspi4 charon: 06[IMV]     created Jun 05 20:02:25 2015, modified Jun 05 20:02:25 2015, accessed Jun 05 20:02:25 2015
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 06[PTS] selected DH hash algorithm is HASH_SHA1
Aug 15 14:46:08 raspi4 charon: 06[PTS] selected PTS DH group is ECP_256
Aug 15 14:46:08 raspi4 charon: 06[PTS] nonce length is 20
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 06[PTS] initiator nonce: => 20 bytes @ 0x1ab4f40
Aug 15 14:46:08 raspi4 charon: 06[PTS]    0: 01 97 8C C2 90 09 6D 02 F0 0A 40 E1 8C 90 5F 15  ......m...@..._.
Aug 15 14:46:08 raspi4 charon: 06[PTS]   16: FB 4E 28 AD                                      .N(.
Aug 15 14:46:08 raspi4 charon: 06[PTS] responder nonce: => 20 bytes @ 0x1aafba0
Aug 15 14:46:08 raspi4 charon: 06[PTS]    0: 3D D0 72 39 3A E1 A0 E2 0B 30 B4 D4 D9 22 9F E0  =.r9:....0..."..
Aug 15 14:46:08 raspi4 charon: 06[PTS]   16: B6 D1 2A 01                                      ..*.
Aug 15 14:46:08 raspi4 charon: 06[PTS] shared DH secret: => 32 bytes @ 0x1ab3078
Aug 15 14:46:08 raspi4 charon: 06[PTS]    0: 5F 0F D8 1E B5 39 B4 E2 86 BF 0C 92 9E E3 3A EA  _....9........:.
Aug 15 14:46:08 raspi4 charon: 06[PTS]   16: D7 23 93 EB C2 85 F5 09 EC DB C0 B1 E5 51 50 DE  .#...........QP.
Aug 15 14:46:08 raspi4 charon: 06[PTS] secret assessment value: => 20 bytes @ 0x1ab4f28
Aug 15 14:46:08 raspi4 charon: 06[PTS]    0: D8 9D 1E 70 CE 78 C3 13 F2 79 BA 5D 7C E5 05 7C  ...p.x...y.]|..|
Aug 15 14:46:08 raspi4 charon: 06[PTS]   16: E0 E0 83 77                                      ...w
Aug 15 14:46:08 raspi4 charon: 06[TNC] creating PA-TNC message with ID 0xd27d5b33
Aug 15 14:46:08 raspi4 charon: 06[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000
Aug 15 14:46:08 raspi4 charon: 06[TNC] creating PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000
Aug 15 14:46:08 raspi4 charon: 06[TNC] creating PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000
Aug 15 14:46:08 raspi4 charon: 06[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 06[TNC] TNC server is handling outbound connection
Aug 15 14:46:08 raspi4 charon: 06[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Aug 15 14:46:08 raspi4 charon: 06[TNC] creating PB-TNC SDATA batch
Aug 15 14:46:08 raspi4 charon: 06[TNC] adding IETF/PB-PA message
Aug 15 14:46:08 raspi4 charon: 06[TNC] sending PB-TNC SDATA batch (172 bytes) for Connection ID 1
Aug 15 14:46:08 raspi4 charon: 06[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:08 raspi4 charon: 06[ENC] generating IKE_AUTH response 11 [ EAP/REQ/TTLS ]
Aug 15 14:46:08 raspi4 charon: 06[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (336 bytes)
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 07[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (256 bytes)
Aug 15 14:46:08 raspi4 charon: 07[ENC] parsed IKE_AUTH request 12 [ EAP/RES/TTLS ]
Aug 15 14:46:08 raspi4 charon: 07[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
Aug 15 14:46:08 raspi4 charon: 07[TNC] received TNCCS batch (87 bytes)
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 07[TNC] TNC client is handling inbound connection
Aug 15 14:46:08 raspi4 charon: 07[TNC] processing PB-TNC SDATA batch for Connection ID 2
Aug 15 14:46:08 raspi4 charon: 07[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Aug 15 14:46:08 raspi4 charon: 07[TNC] processing IETF/PB-PA message (79 bytes)
Aug 15 14:46:08 raspi4 charon: 07[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:08 raspi4 charon: 07[IMC] IMC 2 "Attestation" received message for Connection ID 2 from IMV 1
Aug 15 14:46:08 raspi4 charon: 07[TNC] processing PA-TNC message with ID 0xda2a70e9
Aug 15 14:46:08 raspi4 charon: 07[TNC] processing PA-TNC attribute type 'TCG/Request File Metadata' 0x005597/0x00700000
Aug 15 14:46:08 raspi4 charon: 07[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Parameters Request' 0x005597/0x03000000
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 07[IMC] metadata request for file '/etc/tnc_config'
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 07[PTS] selected PTS DH group is ECP_256
Aug 15 14:46:08 raspi4 charon: 07[PTS] nonce length is 20
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 07[TNC] creating PA-TNC message with ID 0x676268aa
Aug 15 14:46:08 raspi4 charon: 07[TNC] creating PA-TNC attribute type 'TCG/Unix-Style File Metadata' 0x005597/0x00900000
Aug 15 14:46:08 raspi4 charon: 07[TNC] creating PA-TNC attribute type 'TCG/DH Nonce Parameters Response' 0x005597/0x04000000
Aug 15 14:46:08 raspi4 charon: 07[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 07[TNC] TNC client is handling outbound connection
Aug 15 14:46:08 raspi4 charon: 07[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Aug 15 14:46:08 raspi4 charon: 07[TNC] creating PB-TNC CDATA batch
Aug 15 14:46:08 raspi4 charon: 07[TNC] adding IETF/PB-PA message
Aug 15 14:46:08 raspi4 charon: 07[TNC] sending PB-TNC CDATA batch (226 bytes) for Connection ID 2
Aug 15 14:46:08 raspi4 charon: 07[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:08 raspi4 charon: 07[ENC] generating IKE_AUTH response 12 [ EAP/REQ/TTLS ]
Aug 15 14:46:08 raspi4 charon: 07[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (400 bytes)
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 08[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1072 bytes)
Aug 15 14:46:08 raspi4 charon: 08[ENC] parsed IKE_AUTH request 13 [ EAP/RES/TTLS ]
Aug 15 14:46:08 raspi4 charon: 08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
Aug 15 14:46:08 raspi4 charon: 08[TNC] received TNCCS batch (902 bytes)
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 08[TNC] TNC server is handling inbound connection
Aug 15 14:46:08 raspi4 charon: 08[TNC] processing PB-TNC CDATA batch for Connection ID 1
Aug 15 14:46:08 raspi4 charon: 08[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Aug 15 14:46:08 raspi4 charon: 08[TNC] processing IETF/PB-PA message (894 bytes)
Aug 15 14:46:08 raspi4 charon: 08[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:08 raspi4 charon: 08[IMV] IMV 1 "Attestation" received message for Connection ID 1 from IMC 2 to IMV 1
Aug 15 14:46:08 raspi4 charon: 08[TNC] processing PA-TNC message with ID 0x641bcea1
Aug 15 14:46:08 raspi4 charon: 08[TNC] processing PA-TNC attribute type 'TCG/TPM Version Information' 0x005597/0x09000000
Aug 15 14:46:08 raspi4 charon: 08[TNC] processing PA-TNC attribute type 'TCG/Attestation Identity Key' 0x005597/0x0e000000
</pre>

h3. Receiving TPM Version Information

<pre>
Aug 15 14:46:08 raspi4 charon: 08[PTS] TPM Version Info: Chip Version: 1.2.133.32, Spec Level: 2, Errata Rev: 3, Vendor ID: IFX
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 08[IMV] verifying AIK with keyid 56:5f:eb:9e:84:62:87:0d:ba:88:4c:e5:40:a0:76:8d:68:82:98:73
Aug 15 14:46:08 raspi4 charon: 08[IMV] AIK public key is trusted
Aug 15 14:46:08 raspi4 charon: 08[CFG]   using trusted certificate "C=US, O=TNC Demo, CN=AIK CA"
Aug 15 14:46:08 raspi4 charon: 08[IMV] AIK certificate is trusted
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 08[IMV] evidence request by
Aug 15 14:46:08 raspi4 charon: 08[PTS]   ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:08 raspi4 charon: 08[TNC] creating PA-TNC message with ID 0xed256fac
Aug 15 14:46:08 raspi4 charon: 08[TNC] creating PA-TNC attribute type 'TCG/Request Functional Component Evidence' 0x005597/0x00100000
Aug 15 14:46:08 raspi4 charon: 08[TNC] creating PA-TNC attribute type 'TCG/Generate Attestation Evidence' 0x005597/0x00200000
Aug 15 14:46:08 raspi4 charon: 08[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

<pre>
Aug 15 14:46:08 raspi4 charon: 08[TNC] TNC server is handling outbound connection
Aug 15 14:46:08 raspi4 charon: 08[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Aug 15 14:46:08 raspi4 charon: 08[TNC] creating PB-TNC SDATA batch
Aug 15 14:46:08 raspi4 charon: 08[TNC] adding IETF/PB-PA message
Aug 15 14:46:08 raspi4 charon: 08[TNC] sending PB-TNC SDATA batch (80 bytes) for Connection ID 1
Aug 15 14:46:08 raspi4 charon: 08[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:08 raspi4 charon: 08[ENC] generating IKE_AUTH response 13 [ EAP/REQ/TTLS ]
Aug 15 14:46:08 raspi4 charon: 08[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (256 bytes)
</pre>

<pre>
Aug 15 14:46:09 raspi4 charon: 09[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (336 bytes)
Aug 15 14:46:09 raspi4 charon: 09[ENC] parsed IKE_AUTH request 14 [ EAP/RES/TTLS ]
Aug 15 14:46:09 raspi4 charon: 09[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
Aug 15 14:46:09 raspi4 charon: 09[TNC] received TNCCS batch (172 bytes)
</pre>

<pre>
Aug 15 14:46:09 raspi4 charon: 09[TNC] TNC client is handling inbound connection
Aug 15 14:46:09 raspi4 charon: 09[TNC] processing PB-TNC SDATA batch for Connection ID 2
Aug 15 14:46:09 raspi4 charon: 09[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Aug 15 14:46:09 raspi4 charon: 09[TNC] processing IETF/PB-PA message (164 bytes)
Aug 15 14:46:09 raspi4 charon: 09[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:09 raspi4 charon: 09[IMC] IMC 2 "Attestation" received message for Connection ID 2 from IMV 1
Aug 15 14:46:09 raspi4 charon: 09[TNC] processing PA-TNC message with ID 0xe1b84e91
Aug 15 14:46:09 raspi4 charon: 09[TNC] processing PA-TNC attribute type 'TCG/DH Nonce Finish' 0x005597/0x05000000
Aug 15 14:46:09 raspi4 charon: 09[TNC] processing PA-TNC attribute type 'TCG/Get TPM Version Information' 0x005597/0x08000000
Aug 15 14:46:09 raspi4 charon: 09[TNC] processing PA-TNC attribute type 'TCG/Get Attestation Identity Key' 0x005597/0x0d000000
</pre>

<pre>
Aug 15 14:46:09 raspi4 charon: 09[PTS] selected DH hash algorithm is HASH_SHA1
</pre>

<pre>
Aug 15 14:46:09 raspi4 charon: 09[PTS] initiator nonce: => 20 bytes @ 0x1ab0dc0
Aug 15 14:46:09 raspi4 charon: 09[PTS]    0: 27 B7 51 A0 C8 66 92 54 F0 57 C1 49 9D 2A 7D 3A  '.Q..f.T.W.I.*}:
Aug 15 14:46:09 raspi4 charon: 09[PTS]   16: F1 38 81 26                                      .8.&
Aug 15 14:46:09 raspi4 charon: 09[PTS] responder nonce: => 20 bytes @ 0x1ab2e48
Aug 15 14:46:09 raspi4 charon: 09[PTS]    0: 96 48 1F 52 8C A6 D5 6E 5F A4 17 2B AF BE 26 71  .H.R...n_..+..&q
Aug 15 14:46:09 raspi4 charon: 09[PTS]   16: 49 73 01 42                                      Is.B
Aug 15 14:46:09 raspi4 charon: 09[PTS] shared DH secret: => 32 bytes @ 0x1aac378
Aug 15 14:46:09 raspi4 charon: 09[PTS]    0: AA FE 9F 01 D7 CC 22 17 FF 35 CF 9C 70 41 7B 11  ......"..5..pA{.
Aug 15 14:46:09 raspi4 charon: 09[PTS]   16: D0 3C B6 32 BF 3D 80 BF 73 32 1E 95 F3 20 9E D1  .<.2.=..s2... ..
Aug 15 14:46:09 raspi4 charon: 09[PTS] secret assessment value: => 20 bytes @ 0x1ab0d20
Aug 15 14:46:09 raspi4 charon: 09[PTS]    0: B2 E0 AB DF 89 C5 1D B2 A3 51 FD A9 C8 3B F8 7F  .........Q...;..
Aug 15 14:46:09 raspi4 charon: 09[PTS]   16: 68 50 6C DE                                      hPl.
</pre>

h3. Sending TPM Version Information

<pre>
Aug 15 14:46:09 raspi4 charon: 09[PTS] TPM Version Info: Chip Version: 1.2.133.32, Spec Level: 2, Errata Rev: 3, Vendor ID: IFX
</pre>

<pre>
Aug 15 14:46:09 raspi4 charon: 09[TNC] creating PA-TNC message with ID 0x951e0284
Aug 15 14:46:09 raspi4 charon: 09[TNC] creating PA-TNC attribute type 'TCG/TPM Version Information' 0x005597/0x09000000
Aug 15 14:46:09 raspi4 charon: 09[TNC] creating PA-TNC attribute type 'TCG/Attestation Identity Key' 0x005597/0x0e000000
Aug 15 14:46:09 raspi4 charon: 09[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

<pre>
Aug 15 14:46:09 raspi4 charon: 09[TNC] TNC client is handling outbound connection
Aug 15 14:46:09 raspi4 charon: 09[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Aug 15 14:46:09 raspi4 charon: 09[TNC] creating PB-TNC CDATA batch
Aug 15 14:46:09 raspi4 charon: 09[TNC] adding IETF/PB-PA message
Aug 15 14:46:09 raspi4 charon: 09[TNC] sending PB-TNC CDATA batch (902 bytes) for Connection ID 2
Aug 15 14:46:09 raspi4 charon: 09[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:09 raspi4 charon: 09[ENC] generating IKE_AUTH response 14 [ EAP/REQ/TTLS ]
Aug 15 14:46:09 raspi4 charon: 09[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1072 bytes)
</pre>

<pre>
Aug 15 14:46:09 raspi4 charon: 10[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)
Aug 15 14:46:09 raspi4 charon: 10[ENC] parsed IKE_AUTH request 15 [ EAP/RES/TTLS ]
Aug 15 14:46:09 raspi4 charon: 10[ENC] generating IKE_AUTH response 15 [ EAP/REQ/TTLS ]
Aug 15 14:46:09 raspi4 charon: 10[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)
Aug 15 14:46:09 raspi4 charon: 11[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)
Aug 15 14:46:09 raspi4 charon: 11[ENC] parsed IKE_AUTH request 16 [ EAP/RES/TTLS ]
Aug 15 14:46:09 raspi4 charon: 11[ENC] generating IKE_AUTH response 16 [ EAP/REQ/TTLS ]
Aug 15 14:46:09 raspi4 charon: 11[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)
Aug 15 14:46:09 raspi4 charon: 12[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)
Aug 15 14:46:09 raspi4 charon: 12[ENC] parsed IKE_AUTH request 17 [ EAP/RES/TTLS ]
Aug 15 14:46:09 raspi4 charon: 12[ENC] generating IKE_AUTH response 17 [ EAP/REQ/TTLS ]
Aug 15 14:46:09 raspi4 charon: 12[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)
Aug 15 14:46:09 raspi4 charon: 13[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)
Aug 15 14:46:09 raspi4 charon: 13[ENC] parsed IKE_AUTH request 18 [ EAP/RES/TTLS ]
Aug 15 14:46:09 raspi4 charon: 13[ENC] generating IKE_AUTH response 18 [ EAP/REQ/TTLS ]
Aug 15 14:46:09 raspi4 charon: 13[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)
...
Aug 15 14:46:10 raspi4 charon: 07[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)
Aug 15 14:46:10 raspi4 charon: 07[ENC] parsed IKE_AUTH request 60 [ EAP/RES/TTLS ]
Aug 15 14:46:10 raspi4 charon: 07[ENC] generating IKE_AUTH response 60 [ EAP/REQ/TTLS ]
Aug 15 14:46:10 raspi4 charon: 07[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)
Aug 15 14:46:10 raspi4 charon: 08[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (1104 bytes)
Aug 15 14:46:10 raspi4 charon: 08[ENC] parsed IKE_AUTH request 61 [ EAP/RES/TTLS ]
Aug 15 14:46:10 raspi4 charon: 08[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
Aug 15 14:46:10 raspi4 charon: 08[TNC] received TNCCS batch (47615 bytes)
</pre>

<pre>
Aug 15 14:46:10 raspi4 charon: 08[TNC] TNC server is handling inbound connection
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing PB-TNC CDATA batch for Connection ID 1
Aug 15 14:46:10 raspi4 charon: 08[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing IETF/PB-PA message (47607 bytes)
Aug 15 14:46:10 raspi4 charon: 08[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:10 raspi4 charon: 08[IMV] IMV 1 "Attestation" received message for Connection ID 1 from IMC 2 to IMV 1
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing PA-TNC message with ID 0x2d059578
</pre>
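The 47607-byte PB-PA message carries the Linux IMA measurement entries that the Attestation IMV walks through in the next section, one "PCR 10 extended with" line per file. To validate such evidence against a TPM quote the verifier has to replay those entries exactly as the kernel extended PCR 10. The following is an added example, not code from this page or from strongSwan; it assumes the TPM 1.2 SHA-1 PCR bank shown in the TPM version info, the sample log lines are constructed from the ones on this page, and the function names are the example's own.

```python
"""Replay Linux IMA measurement entries into the expected PCR 10 value.

Added example, not part of the original page or of strongSwan. It
replays the 'PCR 10 extended with' entries that the Attestation IMV
receives in 'Simple Component Evidence' attributes, so that a later
TPM quote over PCR 10 can be checked against the measurement log.
"""
import hashlib
import re

PCR_SIZE = 20                    # SHA-1 PCR bank of the TPM 1.2 chip on this device
PCR_INITIAL = b"\x00" * PCR_SIZE  # every PCR starts out as all zeros after reset

# Constructed sample: charon PTS log lines as they appear on this page.
SAMPLE_LOG = """\
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: dd:ee:60:04:dc:3b:d4:ee:30:04:06:cd:93:18:1c:5a:21:87:b5:9b
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:boot_aggregate'
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: 65:ee:0c:a2:cd:ac:0d:67:f8:1a:fd:53:7b:96:75:6f:3b:b8:0f:82
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:/init'
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: 6b:a1:a0:58:89:a8:f2:57:53:42:b5:dc:5f:3e:de:54:89:8a:ee:29
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:/bin/sh'
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: 85:e6:6e:7a:96:98:8b:0a:af:c8:88:46:5d:7a:fe:b5:e9:d3:c2:3e
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:/lib/klibc-sO6SifHCdmbehHGtm0y1yHu6vb0.so'
"""

EXTEND_RE = re.compile(r"PCR (\d+) extended with: ([0-9a-f]{2}(?::[0-9a-f]{2}){19})$")
NAME_RE = re.compile(r"'sha1:(.+)'$")


def parse_evidence(log_text):
    """Return [(pcr_index, template_hash_bytes, file_name)] from charon PTS log lines.

    A template hash line is always followed by the 'sha1:<name>' line that
    names the measured file; entries without a name line are dropped.
    """
    entries = []
    pending = None
    for line in log_text.splitlines():
        m = EXTEND_RE.search(line)
        if m:
            pending = (int(m.group(1)), bytes.fromhex(m.group(2).replace(":", "")))
            continue
        m = NAME_RE.search(line)
        if m and pending:
            entries.append((pending[0], pending[1], m.group(1)))
            pending = None
    return entries


def pcr_extend(pcr_value, template_hash):
    """TPM 1.2 extend operation: PCR_new = SHA1(PCR_old || template_hash)."""
    return hashlib.sha1(pcr_value + template_hash).digest()


def replay_pcr(entries, pcr=10):
    """Replay all entries for one PCR and return the hex value a quote must match."""
    value = PCR_INITIAL
    for index, template_hash, _name in entries:
        if index != pcr:
            continue
        # IMA edge case: a measurement violation is logged with an all-zero
        # template hash, but the kernel extends the PCR with 0xFF*20 instead,
        # so a replay has to substitute the same value or the quote never matches.
        if template_hash == PCR_INITIAL:
            template_hash = b"\xff" * PCR_SIZE
        value = pcr_extend(value, template_hash)
    return value.hex()


def check_quote(entries, quoted_pcr_hex, pcr=10):
    """True if the replayed measurement log reproduces the PCR value from the quote."""
    return replay_pcr(entries, pcr) == quoted_pcr_hex.lower()


if __name__ == "__main__":
    evidence = parse_evidence(SAMPLE_LOG)
    for _pcr, template_hash, name in evidence:
        print(f"{template_hash.hex()}  {name}")
    print("expected PCR 10 after replay:", replay_pcr(evidence))
```

Any file whose template hash is not in the reference database, or a replayed value that differs from the quoted PCR 10, is what turns the IMV recommendation from allow into isolate or block.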
779 11 Andreas Steffen
h3. Initiator Attestation Measurement Values

<pre>
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:10 raspi4 charon: 08[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:10 raspi4 charon: 08[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: dd:ee:60:04:dc:3b:d4:ee:30:04:06:cd:93:18:1c:5a:21:87:b5:9b
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:boot_aggregate'
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:10 raspi4 charon: 08[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:10 raspi4 charon: 08[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: 65:ee:0c:a2:cd:ac:0d:67:f8:1a:fd:53:7b:96:75:6f:3b:b8:0f:82
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:/init'
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:10 raspi4 charon: 08[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:10 raspi4 charon: 08[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: 6b:a1:a0:58:89:a8:f2:57:53:42:b5:dc:5f:3e:de:54:89:8a:ee:29
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:/bin/sh'
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:10 raspi4 charon: 08[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:10 raspi4 charon: 08[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: 85:e6:6e:7a:96:98:8b:0a:af:c8:88:46:5d:7a:fe:b5:e9:d3:c2:3e
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:/lib/klibc-sO6SifHCdmbehHGtm0y1yHu6vb0.so'
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:10 raspi4 charon: 08[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:10 raspi4 charon: 08[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: 68:4a:c3:8d:48:55:be:e0:21:93:4f:52:a0:d2:3d:66:86:0c:b2:82
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:/bin/mkdir'
...
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:10 raspi4 charon: 08[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:10 raspi4 charon: 08[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: 1a:71:6c:9c:9f:6d:4f:2e:4a:88:42:49:b0:00:8d:5e:ec:05:7e:eb
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:/usr/sbin/service'
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:10 raspi4 charon: 08[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:10 raspi4 charon: 08[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:10 raspi4 charon: 08[PTS] PCR 10 extended with: e8:f5:f2:02:d4:c1:18:d5:f7:55:5c:2d:4a:a0:d3:12:d4:13:06:ce
Aug 15 14:46:10 raspi4 charon: 08[PTS] 'sha1:/bin/cp'
Aug 15 14:46:10 raspi4 charon: 08[TNC] processing PA-TNC attribute type 'TCG/Simple Evidence Final' 0x005597/0x00400000
</pre>

h3. Verifying Initiator Measurements

<pre>
Aug 15 14:46:10 raspi4 charon: 08[PTS] checking boot aggregate evidence measurement
Aug 15 14:46:10 raspi4 charon: 08[PTS] 65:ee:0c:a2:cd:ac:0d:67:f8:1a:fd:53:7b:96:75:6f:3b:b8:0f:82 for '/init' not found
Aug 15 14:46:10 raspi4 charon: 08[PTS] 6b:a1:a0:58:89:a8:f2:57:53:42:b5:dc:5f:3e:de:54:89:8a:ee:29 for '/bin/sh' is ok
Aug 15 14:46:10 raspi4 charon: 08[PTS] 85:e6:6e:7a:96:98:8b:0a:af:c8:88:46:5d:7a:fe:b5:e9:d3:c2:3e for '/lib/klibc-sO6SifHCdmbehHGtm0y1yHu6vb0.so' is ok
Aug 15 14:46:10 raspi4 charon: 08[PTS] 68:4a:c3:8d:48:55:be:e0:21:93:4f:52:a0:d2:3d:66:86:0c:b2:82 for '/bin/mkdir' is ok
...
Aug 15 14:46:16 raspi4 charon: 08[PTS] 1a:71:6c:9c:9f:6d:4f:2e:4a:88:42:49:b0:00:8d:5e:ec:05:7e:eb for '/usr/sbin/service' is ok
Aug 15 14:46:16 raspi4 charon: 08[PTS] e8:f5:f2:02:d4:c1:18:d5:f7:55:5c:2d:4a:a0:d3:12:d4:13:06:ce for '/bin/cp' is ok
</pre>

h3. Verifying Initiator TPM Quote Signature

<pre>
Aug 15 14:46:16 raspi4 charon: 08[PTS] constructed PCR Composite: => 29 bytes @ 0x1b27188
Aug 15 14:46:16 raspi4 charon: 08[PTS]    0: 00 03 00 04 00 00 00 00 14 F7 5E 84 36 2B C2 83  ..........^.6+..
Aug 15 14:46:16 raspi4 charon: 08[PTS]   16: 28 8E 90 7E B3 39 45 74 33 60 2E B7 8E           (..~.9Et3`...
Aug 15 14:46:16 raspi4 charon: 08[PTS] constructed PCR Composite hash: 58:f2:83:91:d6:a8:df:3d:3e:c6:33:c7:24:93:9f:9c:22:a2:01:20
Aug 15 14:46:16 raspi4 charon: 08[PTS] constructed TPM Quote Info: => 52 bytes @ 0x1b27e68
Aug 15 14:46:16 raspi4 charon: 08[PTS]    0: 00 36 51 55 54 32 D8 9D 1E 70 CE 78 C3 13 F2 79  .6QUT2...p.x...y
Aug 15 14:46:16 raspi4 charon: 08[PTS]   16: BA 5D 7C E5 05 7C E0 E0 83 77 00 03 00 04 00 01  .]|..|...w......
Aug 15 14:46:16 raspi4 charon: 08[PTS]   32: 58 F2 83 91 D6 A8 DF 3D 3E C6 33 C7 24 93 9F 9C  X......=>.3.$...
Aug 15 14:46:16 raspi4 charon: 08[PTS]   48: 22 A2 01 20                                      ".. 
Aug 15 14:46:16 raspi4 charon: 08[IMV] received PCR Composite matches constructed one
Aug 15 14:46:16 raspi4 charon: 08[IMV] TPM Quote Info signature verification successful
</pre>

<pre>
Aug 15 14:46:16 raspi4 charon: 08[PTS] processed 433 IMA file evidence measurements: 377 ok, 56 unknown, 0 differ, 0 failed
</pre>

<pre>
Aug 15 14:46:16 raspi4 charon: 08[IMV] IMV 1 handled TPMRA workitem 18: allow - processed 433 IMA file evidence measurements: 377 ok, 56 unknown, 0 differ, 0 failed
Aug 15 14:46:16 raspi4 charon: 08[TNC] creating PA-TNC message with ID 0x57254d62
Aug 15 14:46:16 raspi4 charon: 08[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
Aug 15 14:46:16 raspi4 charon: 08[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

h3. Sending Assessment Result

<pre>
Aug 15 14:46:16 raspi4 charon: 08[TNC] IMV 1 provides recommendation 'allow' and evaluation 'compliant'
</pre>

<pre>
Aug 15 14:46:16 raspi4 charon: 08[TNC] TNC server is handling outbound connection
Aug 15 14:46:16 raspi4 charon: 08[IMV] policy: recommendation for access requestor 10.10.1.39 is allow
Aug 15 14:46:16 raspi4 charon: 08[IMV] policy: imv_policy_manager stop successful
Aug 15 14:46:16 raspi4 charon: 08[IMV] IMV 1 "Attestation" changed state of Connection ID 1 to 'Allowed'
Aug 15 14:46:16 raspi4 charon: 08[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
Aug 15 14:46:16 raspi4 charon: 08[TNC] creating PB-TNC RESULT batch
Aug 15 14:46:16 raspi4 charon: 08[TNC] adding IETF/PB-PA message
Aug 15 14:46:16 raspi4 charon: 08[TNC] adding IETF/PB-Assessment-Result message
Aug 15 14:46:16 raspi4 charon: 08[TNC] adding IETF/PB-Access-Recommendation message
Aug 15 14:46:16 raspi4 charon: 08[TNC] sending PB-TNC RESULT batch (88 bytes) for Connection ID 1
Aug 15 14:46:16 raspi4 charon: 08[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:16 raspi4 charon: 08[ENC] generating IKE_AUTH response 61 [ EAP/REQ/TTLS ]
Aug 15 14:46:16 raspi4 charon: 08[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (256 bytes)
</pre>

<pre>
Aug 15 14:46:16 raspi4 charon: 10[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (256 bytes)
Aug 15 14:46:16 raspi4 charon: 10[ENC] parsed IKE_AUTH request 62 [ EAP/RES/TTLS ]
Aug 15 14:46:16 raspi4 charon: 10[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
Aug 15 14:46:16 raspi4 charon: 10[TNC] received TNCCS batch (80 bytes)
</pre>

<pre>
Aug 15 14:46:16 raspi4 charon: 10[TNC] TNC client is handling inbound connection
Aug 15 14:46:16 raspi4 charon: 10[TNC] processing PB-TNC SDATA batch for Connection ID 2
Aug 15 14:46:16 raspi4 charon: 10[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
Aug 15 14:46:16 raspi4 charon: 10[TNC] processing IETF/PB-PA message (72 bytes)
Aug 15 14:46:16 raspi4 charon: 10[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:16 raspi4 charon: 10[IMC] IMC 2 "Attestation" received message for Connection ID 2 from IMV 1
Aug 15 14:46:16 raspi4 charon: 10[TNC] processing PA-TNC message with ID 0xc8f4500b
Aug 15 14:46:16 raspi4 charon: 10[TNC] processing PA-TNC attribute type 'TCG/Request Functional Component Evidence' 0x005597/0x00100000
Aug 15 14:46:16 raspi4 charon: 10[TNC] processing PA-TNC attribute type 'TCG/Generate Attestation Evidence' 0x005597/0x00200000
Aug 15 14:46:16 raspi4 charon: 10[IMC] evidence requested for 1 functional components
Aug 15 14:46:16 raspi4 charon: 10[PTS] * ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
</pre>

h3. Responder Attestation Measurement Values

<pre>
Aug 15 14:46:16 raspi4 charon: 10[PTS] loaded ima measurements '/sys/kernel/security/ima/binary_runtime_measurements' (451 entries)
Aug 15 14:46:16 raspi4 charon: 10[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:16 raspi4 charon: 10[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:16 raspi4 charon: 10[PTS] PCR 10 extended with: dd:ee:60:04:dc:3b:d4:ee:30:04:06:cd:93:18:1c:5a:21:87:b5:9b
Aug 15 14:46:16 raspi4 charon: 10[PTS] 'sha1:boot_aggregate'
Aug 15 14:46:16 raspi4 charon: 10[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:16 raspi4 charon: 10[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:16 raspi4 charon: 10[PTS] PCR 10 extended with: 65:ee:0c:a2:cd:ac:0d:67:f8:1a:fd:53:7b:96:75:6f:3b:b8:0f:82
Aug 15 14:46:16 raspi4 charon: 10[PTS] 'sha1:/init'
Aug 15 14:46:16 raspi4 charon: 10[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:16 raspi4 charon: 10[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:16 raspi4 charon: 10[PTS] PCR 10 extended with: 6b:a1:a0:58:89:a8:f2:57:53:42:b5:dc:5f:3e:de:54:89:8a:ee:29
Aug 15 14:46:16 raspi4 charon: 10[PTS] 'sha1:/bin/sh'
Aug 15 14:46:16 raspi4 charon: 10[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:16 raspi4 charon: 10[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:16 raspi4 charon: 10[PTS] PCR 10 extended with: 85:e6:6e:7a:96:98:8b:0a:af:c8:88:46:5d:7a:fe:b5:e9:d3:c2:3e
Aug 15 14:46:16 raspi4 charon: 10[PTS] 'sha1:/lib/klibc-sO6SifHCdmbehHGtm0y1yHu6vb0.so'
Aug 15 14:46:16 raspi4 charon: 10[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:16 raspi4 charon: 10[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:16 raspi4 charon: 10[PTS] PCR 10 extended with: 68:4a:c3:8d:48:55:be:e0:21:93:4f:52:a0:d2:3d:66:86:0c:b2:82
Aug 15 14:46:16 raspi4 charon: 10[PTS] 'sha1:/bin/mkdir'
...
Aug 15 14:46:16 raspi4 charon: 10[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:16 raspi4 charon: 10[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:16 raspi4 charon: 10[PTS] PCR 10 extended with: 55:f4:cd:fd:82:d2:99:e1:33:b6:82:67:95:e6:5d:03:5c:bb:d2:c2
Aug 15 14:46:16 raspi4 charon: 10[PTS] 'sha1:/usr/bin/clear_console'
Aug 15 14:46:16 raspi4 charon: 10[PTS] ITA-HSR functional component 'Linux IMA' [K.] 'Operating System'
Aug 15 14:46:16 raspi4 charon: 10[PTS] measurement time: Jan 01 01:00:04 1970
Aug 15 14:46:16 raspi4 charon: 10[PTS] PCR 10 extended with: 7a:fc:49:eb:8f:e6:74:3f:ac:91:41:a2:c0:ac:92:28:33:fd:7b:33
Aug 15 14:46:16 raspi4 charon: 10[PTS] 'sha1:/usr/libexec/ipsec/stroke'
</pre>

h3. Generating Responder TPM Quote Signature

<pre>
Aug 15 14:46:17 raspi4 charon: 10[PTS] Hash of PCR Composite: c4:6a:f4:fa:82:39:a6:7a:80:fe:4e:d2:7e:a5:05:b3:1e:60:4f:ff
Aug 15 14:46:17 raspi4 charon: 10[PTS] TPM Quote Info: => 52 bytes @ 0x1ae0580
Aug 15 14:46:17 raspi4 charon: 10[PTS]    0: 00 36 51 55 54 32 B2 E0 AB DF 89 C5 1D B2 A3 51  .6QUT2.........Q
Aug 15 14:46:17 raspi4 charon: 10[PTS]   16: FD A9 C8 3B F8 7F 68 50 6C DE 00 03 00 04 00 01  ...;..hPl.......
Aug 15 14:46:17 raspi4 charon: 10[PTS]   32: C4 6A F4 FA 82 39 A6 7A 80 FE 4E D2 7E A5 05 B3  .j...9.z..N.~...
Aug 15 14:46:17 raspi4 charon: 10[PTS]   48: 1E 60 4F FF                                      .`O.
Aug 15 14:46:17 raspi4 charon: 10[PTS] TPM Quote Signature: => 256 bytes @ 0x1ae0c00
Aug 15 14:46:17 raspi4 charon: 10[PTS]    0: 6C 25 B7 58 F9 5C CA CA 86 6F 9A BD 24 2E 32 D9  l%.X.\...o..$.2.
Aug 15 14:46:17 raspi4 charon: 10[PTS]   16: 36 DD 4F DF 37 09 1E 60 56 45 0E B4 32 52 A2 6A  6.O.7..`VE..2R.j
Aug 15 14:46:17 raspi4 charon: 10[PTS]   32: B4 A5 27 59 79 25 F2 DC A1 05 14 5C 0C 71 DD DC  ..'Yy%.....\.q..
Aug 15 14:46:17 raspi4 charon: 10[PTS]   48: 96 31 9C 69 DD 60 AC 51 70 95 47 48 62 FF 40 DC  .1.i.`.Qp.GHb.@.
Aug 15 14:46:17 raspi4 charon: 10[PTS]   64: FF FF C3 55 5D 1C DF E2 D6 4B 8E 4F BF 0A 47 CC  ...U]....K.O..G.
Aug 15 14:46:17 raspi4 charon: 10[PTS]   80: 1E C5 42 7D 3B 39 C4 4D 6A A0 A4 CD 3E E3 E6 C6  ..B};9.Mj...>...
Aug 15 14:46:17 raspi4 charon: 10[PTS]   96: A1 DB F1 AF F3 2B 48 0D 74 60 A3 B3 E3 43 5E 22  .....+H.t`...C^"
Aug 15 14:46:17 raspi4 charon: 10[PTS]  112: 99 EC 5B 23 FD 57 D4 1F 97 32 28 DC 4A 38 36 15  ..[#.W...2(.J86.
Aug 15 14:46:17 raspi4 charon: 10[PTS]  128: 75 57 53 18 21 29 5C CD 8F C6 66 60 70 7C 47 0F  uWS.!)\...f`p|G.
Aug 15 14:46:17 raspi4 charon: 10[PTS]  144: 9B 7B FE BA 29 80 0C 87 11 41 81 95 6D 74 6B FA  .{..)....A..mtk.
Aug 15 14:46:17 raspi4 charon: 10[PTS]  160: 4D 5F F7 23 C4 60 D2 2A C2 16 08 EA AF 59 CC D2  M_.#.`.*.....Y..
Aug 15 14:46:17 raspi4 charon: 10[PTS]  176: 18 EC 20 18 5B 1D 42 72 E1 C8 33 02 A1 37 ED EA  .. .[.Br..3..7..
Aug 15 14:46:17 raspi4 charon: 10[PTS]  192: B8 CD CA 2B 83 D3 B2 77 1C 45 2D C7 36 FA E6 88  ...+...w.E-.6...
Aug 15 14:46:17 raspi4 charon: 10[PTS]  208: 93 C3 BE D9 26 31 A5 59 3D 20 24 B1 0F F3 04 5C  ....&1.Y= $....\
Aug 15 14:46:17 raspi4 charon: 10[PTS]  224: 93 FA 8C 09 3E C3 FF E0 A1 EB 03 58 0B AB 08 89  ....>......X....
Aug 15 14:46:17 raspi4 charon: 10[PTS]  240: BA A4 22 ED AB D6 BA 7C 65 8D B6 75 5C 7C 67 28  .."....|e..u\|g(
</pre>
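The two TPM Quote Info dumps above (the initiator's, which raspi4 verifies under "Verifying Initiator TPM Quote Signature", and the responder's, which raspi4 generates here) follow the TPM 1.2 TPM_PCR_COMPOSITE and TPM_QUOTE_INFO2 layouts. As an added example that is not code from the strongSwan project, the following Python script rebuilds both structures from the byte values in the dumps and applies the verifier-side comparison behind "received PCR Composite matches constructed one"; the AIK signature check over the quote is left out because the AIK public key is not on this page, and the function names are the example's own.

```python
import hashlib
import struct
from typing import NamedTuple

# TPM 1.2 constants as they appear in the dumps above
TPM_TAG_QUOTE_INFO2 = 0x0036   # structure tag of TPM_QUOTE_INFO2
QUOTE_FIXED = b"QUT2"          # fixed four-byte marker inside TPM_QUOTE_INFO2
TPM_LOC_ZERO = 0x01            # localityAtRelease value seen in both dumps
PCR_SELECT_SIZE = 3            # sizeOfSelect 0x0003 (24 PCRs) as in the dumps

# Values copied from the raspi4 log above: the nonce raspi4 sent (externalData),
# the final PCR 10 value raspi3 reported, and both TPM_QUOTE_INFO2 blobs.
INITIATOR_NONCE = bytes.fromhex("d89d1e70ce78c313f279ba5d7ce5057ce0e08377")
INITIATOR_PCR10 = bytes.fromhex("f75e84362bc283288e907eb339457433602eb78e")
INITIATOR_QUOTE_INFO = bytes.fromhex(
    "003651555432" "d89d1e70ce78c313f279ba5d7ce5057ce0e08377"
    "000300040001" "58f28391d6a8df3d3ec633c724939f9c22a20120")
RESPONDER_QUOTE_INFO = bytes.fromhex(
    "003651555432" "b2e0abdf89c51db2a351fda9c83bf87f68506cde"
    "000300040001" "c46af4fa8239a67a80fe4ed27ea505b31e604fff")


def pcr_extend(pcr, digest):
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || measurement digest)."""
    return hashlib.sha1(pcr + digest).digest()


def simulate_pcr(digests):
    """Replay 'PCR 10 extended with' digests from an all-zero register. Reproducing
    the PCR 10 value above needs all 433 IMA entries; the log excerpt is elided,
    so this shows the mechanism only."""
    pcr = bytes(20)
    for digest in digests:
        pcr = pcr_extend(pcr, digest)
    return pcr


def pcr_selection(pcrs):
    """TPM_PCR_SELECTION: 2-byte sizeOfSelect followed by the PCR bitmap."""
    bitmap = bytearray(PCR_SELECT_SIZE)
    for pcr in pcrs:
        bitmap[pcr // 8] |= 1 << (pcr % 8)
    return struct.pack(">H", PCR_SELECT_SIZE) + bytes(bitmap)


def pcr_composite(pcr_values):
    """TPM_PCR_COMPOSITE: selection || 4-byte valueSize || concatenated PCR values.
    pcr_values maps a PCR index to its 20-byte SHA-1 register value."""
    indices = sorted(pcr_values)
    values = b"".join(pcr_values[i] for i in indices)
    return pcr_selection(indices) + struct.pack(">I", len(values)) + values


def composite_hash(pcr_values):
    """Hex SHA-1 of the composite: the 'constructed PCR Composite hash' line."""
    return hashlib.sha1(pcr_composite(pcr_values)).hexdigest()


def quote_info2(nonce, pcr_values, locality=TPM_LOC_ZERO):
    """TPM_QUOTE_INFO2 = tag || 'QUT2' || externalData || TPM_PCR_INFO_SHORT, where
    TPM_PCR_INFO_SHORT = selection || localityAtRelease || digestAtRelease."""
    digest = hashlib.sha1(pcr_composite(pcr_values)).digest()
    return (struct.pack(">H", TPM_TAG_QUOTE_INFO2) + QUOTE_FIXED + nonce
            + pcr_selection(sorted(pcr_values)) + bytes([locality]) + digest)


class QuoteInfo2(NamedTuple):
    nonce: bytes
    pcrs: list
    locality: int
    digest: bytes


def parse_quote_info2(blob):
    """Decode a received TPM_QUOTE_INFO2 blob into its fields."""
    if len(blob) < 28:
        raise ValueError("TPM_QUOTE_INFO2 too short")
    tag, fixed = struct.unpack(">H4s", blob[:6])
    if tag != TPM_TAG_QUOTE_INFO2 or fixed != QUOTE_FIXED:
        raise ValueError("not a TPM_QUOTE_INFO2 structure")
    nonce = blob[6:26]
    size_of_select = struct.unpack(">H", blob[26:28])[0]
    pos = 28 + size_of_select            # offset of localityAtRelease
    if len(blob) != pos + 21:            # locality byte + 20-byte digest
        raise ValueError("bad TPM_PCR_INFO_SHORT length")
    bitmap = blob[28:pos]
    pcrs = [i for i in range(8 * size_of_select) if bitmap[i // 8] >> (i % 8) & 1]
    return QuoteInfo2(nonce, pcrs, blob[pos], blob[pos + 1:])


def verify_quote_info(received, nonce, pcr_values):
    """Verifier-side check: the nonce must be the one we sent (freshness) and the
    digestAtRelease must equal SHA-1 of the composite rebuilt from the PCR values
    the peer reported. The AIK signature over SHA-1(received) is a separate step
    that needs the peer's AIK public key."""
    try:
        q = parse_quote_info2(received)
    except ValueError:
        return False
    expected = hashlib.sha1(pcr_composite(pcr_values)).digest()
    return q.nonce == nonce and q.pcrs == sorted(pcr_values) and q.digest == expected
```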

<pre>
Aug 15 14:46:17 raspi4 charon: 10[TNC] creating PA-TNC message with ID 0xed64f7ab
Aug 15 14:46:17 raspi4 charon: 10[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:17 raspi4 charon: 10[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:17 raspi4 charon: 10[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:17 raspi4 charon: 10[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
...
Aug 15 14:46:17 raspi4 charon: 10[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:17 raspi4 charon: 10[TNC] creating PA-TNC attribute type 'TCG/Simple Component Evidence' 0x005597/0x00300000
Aug 15 14:46:17 raspi4 charon: 10[TNC] creating PA-TNC attribute type 'TCG/Simple Evidence Final' 0x005597/0x00400000
Aug 15 14:46:17 raspi4 charon: 10[TNC] creating PB-PA message type 'TCG/PTS' 0x005597/0x00000001
</pre>

<pre>
Aug 15 14:46:17 raspi4 charon: 10[TNC] TNC client is handling outbound connection
Aug 15 14:46:17 raspi4 charon: 10[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
Aug 15 14:46:17 raspi4 charon: 10[TNC] creating PB-TNC CDATA batch
Aug 15 14:46:17 raspi4 charon: 10[TNC] adding IETF/PB-PA message
Aug 15 14:46:17 raspi4 charon: 10[TNC] sending PB-TNC CDATA batch (49524 bytes) for Connection ID 2
Aug 15 14:46:17 raspi4 charon: 10[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:17 raspi4 charon: 10[ENC] generating IKE_AUTH response 62 [ EAP/REQ/TTLS ]
Aug 15 14:46:17 raspi4 charon: 10[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)
Aug 15 14:46:17 raspi4 charon: 11[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)
Aug 15 14:46:17 raspi4 charon: 11[ENC] parsed IKE_AUTH request 63 [ EAP/RES/TTLS ]
Aug 15 14:46:17 raspi4 charon: 11[ENC] generating IKE_AUTH response 63 [ EAP/REQ/TTLS ]
Aug 15 14:46:17 raspi4 charon: 11[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)
Aug 15 14:46:17 raspi4 charon: 12[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)
Aug 15 14:46:17 raspi4 charon: 12[ENC] parsed IKE_AUTH request 64 [ EAP/RES/TTLS ]
Aug 15 14:46:17 raspi4 charon: 12[ENC] generating IKE_AUTH response 64 [ EAP/REQ/TTLS ]
Aug 15 14:46:17 raspi4 charon: 12[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)
Aug 15 14:46:17 raspi4 charon: 13[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)
Aug 15 14:46:17 raspi4 charon: 13[ENC] parsed IKE_AUTH request 65 [ EAP/RES/TTLS ]
Aug 15 14:46:17 raspi4 charon: 13[ENC] generating IKE_AUTH response 65 [ EAP/REQ/TTLS ]
Aug 15 14:46:17 raspi4 charon: 13[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)
...
Aug 15 14:46:18 raspi4 charon: 08[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)
Aug 15 14:46:18 raspi4 charon: 08[ENC] parsed IKE_AUTH request 109 [ EAP/RES/TTLS ]
Aug 15 14:46:18 raspi4 charon: 08[ENC] generating IKE_AUTH response 109 [ EAP/REQ/TTLS ]
Aug 15 14:46:18 raspi4 charon: 08[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1104 bytes)
Aug 15 14:46:18 raspi4 charon: 10[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)
Aug 15 14:46:18 raspi4 charon: 10[ENC] parsed IKE_AUTH request 110 [ EAP/RES/TTLS ]
Aug 15 14:46:18 raspi4 charon: 10[ENC] generating IKE_AUTH response 110 [ EAP/REQ/TTLS ]
Aug 15 14:46:18 raspi4 charon: 10[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (1040 bytes)
Aug 15 14:46:25 raspi4 charon: 11[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (256 bytes)
Aug 15 14:46:25 raspi4 charon: 11[ENC] parsed IKE_AUTH request 111 [ EAP/RES/TTLS ]
Aug 15 14:46:25 raspi4 charon: 11[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
Aug 15 14:46:25 raspi4 charon: 11[TNC] received TNCCS batch (88 bytes)
</pre>

<pre>
Aug 15 14:46:25 raspi4 charon: 11[TNC] TNC client is handling inbound connection
Aug 15 14:46:25 raspi4 charon: 11[TNC] processing PB-TNC RESULT batch for Connection ID 2
Aug 15 14:46:25 raspi4 charon: 11[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
Aug 15 14:46:25 raspi4 charon: 11[TNC] processing IETF/PB-PA message (48 bytes)
Aug 15 14:46:25 raspi4 charon: 11[TNC] processing IETF/PB-Assessment-Result message (16 bytes)
Aug 15 14:46:25 raspi4 charon: 11[TNC] processing IETF/PB-Access-Recommendation message (16 bytes)
Aug 15 14:46:25 raspi4 charon: 11[TNC] handling PB-PA message type 'TCG/PTS' 0x005597/0x00000001
Aug 15 14:46:25 raspi4 charon: 11[IMC] IMC 2 "Attestation" received message for Connection ID 2 from IMV 1
Aug 15 14:46:25 raspi4 charon: 11[TNC] processing PA-TNC message with ID 0x4077e3ed
Aug 15 14:46:25 raspi4 charon: 11[TNC] processing PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
</pre>

h3. Receiving Assessment Result

<pre>
Aug 15 14:46:25 raspi4 charon: 11[IMC] ***** assessment of IMC 2 "Attestation" from IMV 1 *****
Aug 15 14:46:25 raspi4 charon: 11[IMC] assessment result is 'compliant'
Aug 15 14:46:25 raspi4 charon: 11[IMC] ***** end of assessment *****
</pre>

<pre>
Aug 15 14:46:25 raspi4 charon: 11[TNC] PB-TNC assessment result is 'compliant'
Aug 15 14:46:25 raspi4 charon: 11[TNC] PB-TNC access recommendation is 'Access Allowed'
Aug 15 14:46:25 raspi4 charon: 11[IMC] IMC 1 "OS" changed state of Connection ID 2 to 'Allowed'
Aug 15 14:46:25 raspi4 charon: 11[IMC] IMC 2 "Attestation" changed state of Connection ID 2 to 'Allowed'
</pre>

<pre>
Aug 15 14:46:25 raspi4 charon: 11[TNC] TNC client is handling outbound connection
Aug 15 14:46:25 raspi4 charon: 11[TNC] PB-TNC state transition from 'Decided' to 'End'
Aug 15 14:46:25 raspi4 charon: 11[TNC] creating PB-TNC CLOSE batch
Aug 15 14:46:25 raspi4 charon: 11[TNC] sending PB-TNC CLOSE batch (8 bytes) for Connection ID 2
Aug 15 14:46:25 raspi4 charon: 11[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
Aug 15 14:46:25 raspi4 charon: 11[ENC] generating IKE_AUTH response 111 [ EAP/REQ/TTLS ]
Aug 15 14:46:25 raspi4 charon: 11[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (176 bytes)
</pre>

<pre>
Aug 15 14:46:25 raspi4 charon: 12[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (176 bytes)
Aug 15 14:46:25 raspi4 charon: 12[ENC] parsed IKE_AUTH request 112 [ EAP/RES/TTLS ]
Aug 15 14:46:25 raspi4 charon: 12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
Aug 15 14:46:25 raspi4 charon: 12[TNC] received TNCCS batch (8 bytes)
</pre>

<pre>
Aug 15 14:46:25 raspi4 charon: 12[TNC] TNC server is handling inbound connection
Aug 15 14:46:25 raspi4 charon: 12[TNC] processing PB-TNC CLOSE batch for Connection ID 1
Aug 15 14:46:25 raspi4 charon: 12[TNC] PB-TNC state transition from 'Decided' to 'End'
Aug 15 14:46:25 raspi4 charon: 12[TNC] final recommendation is 'allow' and evaluation is 'compliant'
Aug 15 14:46:25 raspi4 charon: 12[TNC] policy enforced on peer 'raspi3.example.com' is 'allow'
Aug 15 14:46:25 raspi4 charon: 12[TNC] policy enforcement point added group membership 'allow'
Aug 15 14:46:25 raspi4 charon: 12[IKE] EAP_TTLS phase2 authentication of 'raspi3.example.com' with EAP_PT_EAP successful
Aug 15 14:46:25 raspi4 charon: 12[IMV] IMV 1 "Attestation" deleted the state of Connection ID 1
Aug 15 14:46:25 raspi4 charon: 12[TNC] removed TNCCS Connection ID 1
Aug 15 14:46:25 raspi4 charon: 12[IMC] IMC 1 "OS" deleted the state of Connection ID 2
Aug 15 14:46:25 raspi4 charon: 12[IMC] IMC 2 "Attestation" deleted the state of Connection ID 2
Aug 15 14:46:25 raspi4 charon: 12[TNC] removed TNCCS Connection ID 2
Aug 15 14:46:25 raspi4 charon: 12[IKE] EAP method EAP_TTLS succeeded, MSK established
Aug 15 14:46:25 raspi4 charon: 12[ENC] generating IKE_AUTH response 112 [ EAP/SUCC ]
Aug 15 14:46:25 raspi4 charon: 12[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)
</pre>

<pre>
Aug 15 14:46:25 raspi4 charon: 13[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (112 bytes)
Aug 15 14:46:25 raspi4 charon: 13[ENC] parsed IKE_AUTH request 113 [ AUTH ]
Aug 15 14:46:25 raspi4 charon: 13[IKE] authentication of 'raspi3.example.com' with EAP successful
Aug 15 14:46:25 raspi4 charon: 13[IKE] authentication of 'raspi4.example.com' (myself) with EAP
Aug 15 14:46:25 raspi4 charon: 13[IKE] IKE_SA peer[1] established between 10.10.1.40[raspi4.example.com]...10.10.1.39[raspi3.example.com]
Aug 15 14:46:25 raspi4 charon: 13[IKE] scheduling reauthentication in 10143s
Aug 15 14:46:25 raspi4 charon: 13[IKE] maximum IKE_SA lifetime 10683s
Aug 15 14:46:25 raspi4 charon: 13[IKE] CHILD_SA peer{1} established with SPIs ce21eedf_i c12c1aae_o and TS 10.10.1.40/32 === 10.10.1.39/32
Aug 15 14:46:25 raspi4 charon: 13[ENC] generating IKE_AUTH response 113 [ AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Aug 15 14:46:25 raspi4 charon: 13[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (240 bytes)
</pre>

h2. strongTNC Policy Manager

!tnc4.png!

This screenshot of the strongTNC policy manager running on *raspi4* shows that the attestation of *raspi3* has been successful.

h2. IPsec Connection Established

The command
<pre>
raspi4# ipsec statusall
</pre>

shows that the IPsec transport connection between *raspi4* and *raspi3* has been successfully established.
<pre>
Status of IKE charon daemon (strongSwan 5.3.1, Linux 3.18.13-v7+, armv7l):
  uptime: 2 minutes, since Aug 15 14:45:50 2015
  malloc: sbrk 1941504, mmap 0, used 1440680, free 500824
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon random nonce x509 revocation constraints pkcs1 pkcs8 pem openssl pubkey tnc-imc tnc-imv tnc-tnccs tnccs-20 eap-identity eap-ttls eap-tnc sqlite curl kernel-netlink socket-default updown stroke
Listening IP addresses:
  10.10.1.40
Connections:
        peer:  10.10.1.40...10.10.1.39  IKEv2
        peer:   local:  [raspi4.example.com] uses EAP_TTLS authentication
        peer:    cert:  "C=US, O=TNC Demo, CN=raspi4.example.com"
        peer:   remote: [raspi3.example.com] uses EAP_TTLS authentication
        peer:   child:  dynamic === dynamic TRANSPORT
Security Associations (1 up, 0 connecting):
        peer[1]: ESTABLISHED 2 minutes ago, 10.10.1.40[raspi4.example.com]...10.10.1.39[raspi3.example.com]
        peer[1]: IKEv2 SPIs: 168d780b16692776_i 24a43cb75417ebe5_r*, EAP reauthentication in 2 hours
        peer[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
        peer{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: ce21eedf_i c12c1aae_o
        peer{1}:  AES_CBC_128/HMAC_SHA2_256_128, 640 bytes_i (10 pkts, 48s ago), 640 bytes_o (10 pkts, 48s ago), rekeying in 46 minutes
        peer{1}:   10.10.1.40/32 === 10.10.1.39/32
</pre>

h2. Terminating the IPsec Connection

*raspi4* receives an INFORMATIONAL request carrying a DELETE payload from *raspi3*, deletes the IKE_SA and acknowledges with an empty INFORMATIONAL response:
<pre>
Aug 15 14:49:04 raspi4 charon: 05[NET] received packet: from 10.10.1.39[4500] to 10.10.1.40[4500] (80 bytes)
Aug 15 14:49:04 raspi4 charon: 05[ENC] parsed INFORMATIONAL request 114 [ D ]
Aug 15 14:49:04 raspi4 charon: 05[IKE] received DELETE for IKE_SA peer[1]
Aug 15 14:49:04 raspi4 charon: 05[IKE] deleting IKE_SA peer[1] between 10.10.1.40[raspi4.example.com]...10.10.1.39[raspi3.example.com]
Aug 15 14:49:04 raspi4 charon: 05[IKE] IKE_SA deleted
Aug 15 14:49:05 raspi4 charon: 05[ENC] generating INFORMATIONAL response 114 [ ]
Aug 15 14:49:05 raspi4 charon: 05[NET] sending packet: from 10.10.1.40[4500] to 10.10.1.39[4500] (80 bytes)
</pre>
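
As an added example (not part of this wiki page or of strongSwan), the following Python script parses the @ipsec statusall@ output shown above, checks the live SA against the policy from */etc/ipsec.conf* (transport mode, aes128-sha256-ecp256, the two peer identities) and lists remote-initiated teardowns such as the DELETE in the termination log; the status excerpt and the log line are constructed from the output on this page.

```python
import re

# Constructed excerpt of the "ipsec statusall" output shown above (not the page's own code).
STATUS = """\
        peer[1]: ESTABLISHED 2 minutes ago, 10.10.1.40[raspi4.example.com]...10.10.1.39[raspi3.example.com]
        peer[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
        peer{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: ce21eedf_i c12c1aae_o
        peer{1}:  AES_CBC_128/HMAC_SHA2_256_128, 640 bytes_i (10 pkts, 48s ago), 640 bytes_o (10 pkts, 48s ago)
        peer{1}:   10.10.1.40/32 === 10.10.1.39/32
"""
# Constructed charon syslog line, modelled on the termination log above.
LOG = "Aug 15 14:49:04 raspi4 charon: 05[IKE] received DELETE for IKE_SA peer[1]\n"

# What ipsec.conf on this page asks for: ike/esp=aes128-sha256-ecp256, transport mode, named peers.
EXPECTED = {"state": "ESTABLISHED", "mode": "TRANSPORT",
            "ike": "AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256",
            "esp": "AES_CBC_128/HMAC_SHA2_256_128",
            "local": "raspi4.example.com", "remote": "raspi3.example.com"}

SA_RE = re.compile(r"\[\d+\]: (\w+) .*?\S+\[([^\]]+)\]\.\.\.\S+\[([^\]]+)\]")
IKE_RE = re.compile(r"IKE proposal: (\S+)")
CHILD_RE = re.compile(r"\{\d+\}:\s+INSTALLED, (\w+), reqid \d+, ESP SPIs: (\w+)_i (\w+)_o")
ESP_RE = re.compile(r"\{\d+\}:\s+([A-Z0-9_]+/[A-Z0-9_]+),")
TS_RE = re.compile(r"\{\d+\}:\s+(\S+) === (\S+)")
DEL_RE = re.compile(r"^(\w+ \d+ [\d:]+) \S+ charon: .*received DELETE for IKE_SA (\S+)")

def parse_status(text):
    """Collect the fields of the first IKE_SA/CHILD_SA pair from 'ipsec statusall' output."""
    sa = {}
    for line in text.splitlines():
        if m := SA_RE.search(line):
            sa.update(state=m[1], local=m[2], remote=m[3])
        elif m := IKE_RE.search(line):
            sa["ike"] = m[1]
        elif m := CHILD_RE.search(line):
            sa.update(mode=m[1], spi_in=m[2], spi_out=m[3])
        elif m := ESP_RE.search(line):
            sa["esp"] = m[1]
        elif m := TS_RE.search(line):
            sa.update(ts_local=m[1], ts_remote=m[2])
    return sa

def check_policy(sa, expected=EXPECTED):
    """Return the names of fields where the live SA deviates from the configured policy."""
    return sorted(k for k, v in expected.items() if sa.get(k) != v)

def teardown_events(log):
    """List received DELETEs: for each, the remote peer (not this host) initiated the teardown."""
    return [(m[1], m[2]) for line in log.splitlines() if (m := DEL_RE.search(line))]
```

An empty result from @check_policy@ means the negotiated SA matches the configured proposal and mode; a non-empty list names the fields to look at.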

h2. Stopping the IKEv2 Daemon

On SIGINT the charon daemon shuts down, terminating the loaded IMCs and IMVs and removing the registered PTS functional component namespaces and TNC attribute sets:
<pre>
Aug 15 14:49:13 raspi4 charon: 00[DMN] signal of type SIGINT received. Shutting down
Aug 15 14:49:13 raspi4 charon: 00[IMC] IMC 2 "Attestation" terminated
Aug 15 14:49:13 raspi4 charon: 00[IMC] IMC 1 "OS" terminated
Aug 15 14:49:13 raspi4 charon: 00[IMV] IMV 1 "Attestation" terminated
Aug 15 14:49:13 raspi4 charon: 00[PTS] removed TCG functional component namespace
Aug 15 14:49:13 raspi4 charon: 00[PTS] removed ITA-HSR functional component namespace
Aug 15 14:49:13 raspi4 charon: 00[TNC] removed IETF attributes
Aug 15 14:49:13 raspi4 charon: 00[TNC] removed ITA-HSR attributes
Aug 15 14:49:13 raspi4 charon: 00[TNC] removed TCG attributes
Aug 15 14:49:13 raspi4 charon: 00[LIB] libimcv terminated
</pre>