The development and execution OS used was Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4 on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO).
The Intel® CSE (Intel® Converged Security Engine) enabled FDO Client SDK execution depends on OpenSSL* toolkit 1.1.1t version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment.
The system hardware should have the support for Intel® CSE FDO client with UUID: 125405e0-fca9-4110-8f88-b4dbcdcb876f
The linux kernel should have the support to enable the Intel® CSE clients and have FDO in that list. This support is available in intel-next kernel version 5.9 onwards and is upstreamed in kernel.org version 6.2-rc7 onwards.
- For Ubuntu* OS version 20.04 or 22.04 / Debian 11.4:
sudo apt-get install build-essential python-setuptools clang-format dos2unix ruby build-essential \
libglib2.0-dev libpcap-dev autoconf libtool libproxy-dev doxygen cmake libssl-dev mercurial- For RHEL* OS version 8.4 or 8.6:
sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpmsudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix ruby gcc gcc-c++ make perl glibc-static \
glib2-devel libpcap-devel autoconf libtool libproxy-devel mozjs52-devel doxygen cmake openssl-devel make mercurial perl
OpenSSL* toolkit version 1.1.1t GCC version > 7.5 Curl version 7.88
- If curl and libcurl are already installed, uninstall it:
In case of RHEL OS, use below commands to uninstall:
sudo apt remove curl libcurl4-openssl-devyum remove curl libcurl-devel
-
Pull the tarball:
wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz -
Unpack the tarball with:
tar -zxf openssl-1.1.1t.tar.gz && cd openssl-1.1.1t -
Issue the command:
./config -
Issue the command:
make -
Check for possible errors:
make test -
Backup the current OpenSSL* binary:
sudo mv /usr/bin/openssl ~/tmp -
Issue the command:
sudo make install -
Create a symbolic link from the newly installed binary to the default location:
sudo ln -s /usr/local/bin/openssl /usr/bin/openssl -
Run the command to update symlinks and rebuild the library cache:
sudo ldconfig -
Assuming no errors in executing steps 4 through 10, you should have successfully installed the new version of the OpenSSL* toolkit. Issue the following command from the terminal:
openssl versionYour output should be as follows:
OpenSSL* 1.1.1t 7 Feb 2023
After installing openssl, proceed with the installation of curl.
-
Pull the tarball:
wget https://github.com/curl/curl/releases/download/curl-7_88_0/curl-7.88.0.tar.gz -
Unpack the tarball with:
tar -zxf curl-7.88.0.tar.gz && cd curl-7.88.0 -
Issue the command to configure the curl with openssl:
./configure --with-openssl="OpenSSL Path" --enable-versioned-symbols -
Issue the command to build curl:
make -j$(nproc) -
Command to install curl:
sudo make install -
Assuming no errors in executing steps 1 through 5, you should have successfully installed curl configured with openssl Issue the following command from the terminal:
curl --versionYour output should point to the openssl version which you installed.
curl 7.88.0 (x86_64-pc-linux-gnu) libcurl/7.88.0 OpenSSL/1.1.1t zlib/1.2.11
Alternatively, execute Installation-Script which can be used for both installation and uninstallation of OpenSSL and Curl. Script usage command
-
Command to install OpenSSL and Curl
sudo ./install_openssl_curl.sh -i -v 1.1.1t -
Command to uninstall OpenSSL
sudo ./install_openssl_curl.sh -u -v 1.1.1t
Note 1: If above command is not successful, then link the path where curl is installed to the system path
sudo ln -s /usr/local/bin/curl /usr/bin/curl
Note 2: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 7.88 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples.
Single IP address example: no_proxy="10.60.132.45/32" Two IP addresses example: no_proxy="10.60.132.45/32,10.60.132.46/32" Range of IP addresses example: no_proxy="10.60.0.0/16"
Note 3: On RHEL, Curl could also be installed using yum package manager as shown below:
sudo yum -y install libcurl-devel
FDO Client SDK uses safestringlib for string and memory operations to prevent serious security vulnerabilities (For example, buffer overflows). Download safestringlib from intel-safestringlib and follow these instructions to build: From the root of the safestringlib, do the following:
mkdir obj
makeAfter this step, libsafestring.a library will be created.
FDO Client SDK uses TinyCBOR library for Concise Binary Object Representation (CBOR) encoding and decoding. Download TinyCBOR from TinyCBOR, checkout to the tag v0.5.3 and follow these instructions to build:
From the root of the TinyCBOR (named tinycbor), do the following:
makeIntel® CSE enabled FDO Client SDK uses ME TEE library to communicate with CSE through HECI. Download ME TEE from METEE, and follow these instructions to build:
From the root of the METEE(named metee), do the following:
cmake .
make -j$(nproc)
sudo make installAdd these environment variables to ~/.bashrc or similar (replace with actual paths). Provide safestringlib and tinycbor paths:
export SAFESTRING_ROOT=path/to/safestringlib
export TINYCBOR_ROOT=path/to/tinycbor
export METEE_ROOT=path/to/meteeThe Intel® CSE enabled FDO Client SDK build system is based on GNU make. It assumes that all the requirements are set up according to FDO Compilation Setup . The application is built using the cmake [options] in the root of the repository for all supported platforms. The debug and release build modes are supported in building the Intel® CSE enabled FDO Client SDK.
For an advanced build configuration, refer to Advanced Build Configuration .
make pristine
cmake -DDA=cse_ecdsa384 .
make -j$(nproc)Refer to the section FDO Build configurations for more build options.
The Intel® CSE enabled FDO Client SDK Linux device is compatible with FDO PRI components namely: Manufacturer, Rendezvous, and Owner.
To test the Intel® CSE enabled FDO Client SDK Linux device, setup the FDO PRI Manufacturer, FDO PRI Rendezvous, and FDO PRI Owner.
After a successful compilation, the Intel® CSE enabled FDO Client SDK Linux device executable can be found at <path-to-client-sdk-fidoiot>/build/linux-client.
NOTE: Built binary can be either
debugorreleasebased on the compilation step.
-
Before executing
linux-client, prepare for Device Initialization (DI) by starting the FDO PRI Manufacturer. Refer to Device Initialization Setup . Then, executelinux-client. The device is now initialized with the credentials and is ready for ownership transfer.sudo ./build/linux-client
-
To enable the device for Transfer Ownership protocol (TO1 and TO2), configure the FDO PRI Rendezvous and Owner. Refer to Ownership Transfer Setup . After these are set up, execute
linux-clientagain.sudo ./build/linux-client
NOTE: To do the DI again we need to clear the Device status from CSE storage. To clear the storage, compile the code with "-DCSE_CLEAR=true" flag and then execute the following command
sudo ./build/cse-clearNOTE: Enabling CSE_SHUTDOWN flag in cmake/cli_input.cmake will disable CSE FDO interface as part of the cleanup routine. This flag is enabled by default. But note that this may require the user to reboot the system before any consecutive execution of linux-client. As a security measure, invoking linux-client as part of initialization script(init.d) will close the CSE interface for current boot.