Configuring Remote Attestation

This section describes how to configure the remote attestation (RA) function to allow an RA server to authenticate a device and determine whether the device is trustworthy.

Pre-configuration Tasks

In a trusted environment, after the RA function is enabled on a device that supports trusted boot, the device sends information to a remote RA server. The remote RA server then compares the information it receives with locally stored information to determine whether the device is trustworthy. Therefore, RA provides users with a method of remotely checking device trustworthiness.

Before configuring RA, complete the following tasks:

  • Configure the device to communicate with the RA server, and configure the RA function on the RA server.
  • Create a public key infrastructure (PKI) domain on the device to implement PKI certificate management between the Certificate Authority (CA) and device through the Certificate Management Protocol (CMP).

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki import-certificate ca file-name file-name

    The downloaded certificate is imported to the device.

  3. Run trustem

    The trusted management view is displayed.

  4. Run remote-attestation enable

    RA is enabled.

  5. (Optional) Run remote-attestation pki bind domain domainName

    A specified PKI domain is bound to RA.

  6. (Optional) If the PKI certificate is ineffective, run remote-attestation pki update-request { all | slot slotID }

    PKI certificate information is updated.

  7. Run commit

    The configuration is committed.

  8. Run quit

    Return to the system view.

  9. Run quit

    Return to the user view.

  10. (Optional) Run set tpm password { slot slotId | all }

    The TPM password is changed.

    If the device needs to be rolled back to a version that does not support the configuration of the TPM password, run the set tpm password { slot slotId | all }command to restore the default TPM password Changeme_123 before the rollback.

    After the set tpm password { slot slotId | all } command is run, the device must be restarted. Otherwise, the TPM cannot be accessed and the remote attestation function is unavailable.

Verifying the Configuration

Run the display trustem remote-attestation bd-status { slot slotId | all } command to check the RA status.

Parent Topic: Trusted System Configuration
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic