{"id":516,"date":"2023-07-25T12:07:47","date_gmt":"2023-07-25T16:07:47","guid":{"rendered":"https:\/\/mooney.gatech.edu\/security\/?page_id=516"},"modified":"2024-12-14T18:42:18","modified_gmt":"2024-12-14T23:42:18","slug":"running","status":"publish","type":"page","link":"https:\/\/mooney.gatech.edu\/security\/gridtrust\/running\/","title":{"rendered":"GridTrust Running"},"content":{"rendered":"<h1><span style=\"font-size: 24pt;\">Running GridTrust<\/span><\/h1>\n<p><a href=\"http:\/\/mooney.gatech.edu\/security\/wp-content\/uploads\/2023\/07\/gridtrust_implementation2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-374\" src=\"http:\/\/mooney.gatech.edu\/security\/wp-content\/uploads\/2023\/07\/gridtrust_implementation2.png\" alt=\"\" width=\"4131\" height=\"1848\" srcset=\"https:\/\/mooney.gatech.edu\/security\/wp-content\/uploads\/2023\/07\/gridtrust_implementation2.png 4131w, https:\/\/mooney.gatech.edu\/security\/wp-content\/uploads\/2023\/07\/gridtrust_implementation2-300x134.png 300w, https:\/\/mooney.gatech.edu\/security\/wp-content\/uploads\/2023\/07\/gridtrust_implementation2-1024x458.png 1024w, https:\/\/mooney.gatech.edu\/security\/wp-content\/uploads\/2023\/07\/gridtrust_implementation2-768x344.png 768w, https:\/\/mooney.gatech.edu\/security\/wp-content\/uploads\/2023\/07\/gridtrust_implementation2-1536x687.png 1536w, https:\/\/mooney.gatech.edu\/security\/wp-content\/uploads\/2023\/07\/gridtrust_implementation2-2048x916.png 2048w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/a><\/p>\n<p>It is assumed that prior to running you have finished setup for the server, native device, interfacing device, and two PUF boards (one board connected to the native device, one board connected to the interfacing device).<\/p>\n<p>It is also possible to run GridTrust with only the server and a single device.<\/p>\n<p><strong>Networking Notes:<\/strong><\/p>\n<ul>\n<li 
style=\"list-style-type: none;\">\n<ul>\n<li>It is assumed that the server, native device, and interfacing device are all on a LAN network and have been assigned IPv4 addresses.<\/li>\n<li>In our setup, the server was connected directly to the router via ethernet connection, and the router was connected to a switch via ethernet connection<\/li>\n<li>The interfacing device and native device were both connected to the same switch via ethernet connection<\/li>\n<li>On the Fedora environments for the server, native device, and interfacing device, the IPv4 address, netmask, and gateway for the ethernet connection must be specified manually in the network settings\n<ul>\n<li>In our setup, we used the following:<\/li>\n<li>Server IPv4: <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">172.23.2.200<\/span><\/li>\n<li>Native Device IPv4: <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">172.23.2.205<\/span><\/li>\n<li>Interfacing Device IPv4: <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">172.23.2.210<\/span><\/li>\n<li>Netmask (for all): <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">19<\/span><\/li>\n<li>Gateway (for all): <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">172.23.0.1<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Starting<\/h2>\n<p>1. 
Start the server<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Start Docker: <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">sudo docker-compose up -d<\/span><\/li>\n<li>Start Nginx: <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">sudo systemctl start nginx<\/span><\/li>\n<li>Start the server: <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">cargo run<\/span><\/li>\n<li>If the server starts successfully, you should see the following in the terminal:\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Finished &#8216;dev&#8217; profile [unoptimized + debuginfo] target(s) in 0.11s<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Running &#8216;target\/debug\/server&#8217;<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">&#8220;Local&#8221;<\/span> (or &#8220;Push&#8221; or &#8220;None,&#8221; depending what update type has been configured in the PSQL database)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>2. 
Start the native device<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Connect the PUF board and the temperature sensor to the native device computer\n<ul>\n<li>One USB connection for each<\/li>\n<\/ul>\n<\/li>\n<li>Test the network connection between the native device and server from the native device computer: <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">curl https:\/\/&lt;common name you configured when setting up the server certificate&gt;:3030<\/span>, in our case, we used <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">curl https:\/\/172.23.2.200:3030<\/span><\/li>\n<li>You should see: <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">HTTP method not allowed<\/span>\n<ul>\n<li>If you see a bad gateway HTML printout, then the SELinux policy has not been set to permissive (see server setup)<\/li>\n<\/ul>\n<\/li>\n<li>Ensure you are in the Rust project root directory for the native device project (<span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Cargo.toml<\/span> will be in this directory)\n<ul>\n<li><code>cargo run<\/code><\/li>\n<li>Common errors and issues:\n<ul>\n<li><span style=\"color: #ff0000;\">Failed to open serial port: Error { kind: Io{PermissionDenied}, description: \"Permission Denied\" }<\/span><\/li>\n<li>Solution: <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">sudo chmod 666 \/dev\/ttyACM0<\/span> (or replace <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">\/dev\/ttyACM0<\/span> with the serial port the native box is connected to), and then <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">cargo run<\/span> again<\/li>\n<li><span style=\"color: #ff0000;\">The same serial port permission error above can happen for both the PUF and temperature 
sensor<\/span>. Run the same command above for whichever ttyACM port the PUF is connected to<\/li>\n<li>When performing <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">cargo run<\/span> for the first time, some crates (Rust dependencies) need to be downloaded, which requires an internet connection<\/li>\n<li>However, the ethernet on the native computer is used for the LAN between the server, native device, and interface device<\/li>\n<li>Solution: temporarily disconnect from ethernet and connect to WiFi to download the crates, then disable WiFi and reconnect to ethernet (or just connect to a non-LAN ethernet)\n<ul>\n<li>The native device code is configured to continuously log temperatures in the terminal while concurrently transferring data to the server<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>If the native device program runs successfully and authenticates the update, you should see the following behavior in the <strong>terminal on the native device computer<\/strong> (this specific case is for a local update):\n<ul>\n<li>Three temperature printouts, one temperature per line, three-second delay between each temperature<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Enc counter at client: &lt;some encrypted counter value&gt;<\/span>, depending on what the synchronized counter between the client and server is<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Installing update from local files<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">directory \/local_updates\/update64.txt<\/span><\/li>\n<li>The program will loop from here, use <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">ctrl + c<\/span> to terminate<\/li>\n<\/ul>\n<\/li>\n<li>If the native device program runs successfully but does not authenticate the update, the native device should receive an update 
type of <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">None<\/span> and not proceed with any updates<\/li>\n<li>Similarly, if the update is performed successfully, you should see the following behavior in the <strong>terminal on the server computer<\/strong> (this specific case is for a local update):\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Database stored values:<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Key: (key in the database), Counter: (counter in the database)<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Counter (counter in the database)<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Key (key in the database)\u00a0<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">enc_ctr from Server: (database counter encrypted with AES128-ECB)<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">enc_ctr from Device: (PUF-stored counter encrypted with AES128-ECB)<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Ctrs Match<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">&#8230;<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Updating device<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>3. 
(Optional) Start the interfacing device<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Same steps as starting the native device<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Changing Update Type<\/h2>\n<p>The PostgreSQL database on the server controls which update type is to be performed.<\/p>\n<p>Access the database and run one of the three commands below to change between a local update (update files are on the native or interface device), remote update (server pushes the update files over ethernet), or none (no update scheduled\/allowed).<\/p>\n<p>A change of update type requires the Rust program for the server to be restarted to take effect.<\/p>\n<ul>\n<li>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">UPDATE updatetype SET updatetype='Local';<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">UPDATE updatetype SET updatetype='Push';<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">UPDATE updatetype SET updatetype='None';<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Changing Update Files (Locally)<\/h2>\n<p>If the update type is set to &#8220;Local&#8221; then the update files (<span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">update64.txt, util_sign64.txt, vendor_sign64.txt<\/span>) must be placed on the target device (native or interface device computer) in the following location:<\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">.\/local_updates\/ <\/span>relative to <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Cargo.toml<\/span><\/p>\n<h2>Changing Update Files (Remote Update)<\/h2>\n<p>If the server is providing the update files, the update files for a device must be placed in the following corresponding location 
on the server:<\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">.\/update_files\/tempsensor\/<\/span> relative to <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Cargo.toml<\/span><\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">.\/update_files\/relay\/<\/span> relative to <span style=\"font-family: 'courier new', courier, monospace; font-size: 10pt;\">Cargo.toml<\/span><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Running GridTrust It is assumed that prior to running you have finished setup for the server, native device, interfacing device, and two PUF boards (one board connected to the native device, one board connected to the interfacing device). It is also possible to run GridTrust with only the server and a single device. Networking Notes: &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/mooney.gatech.edu\/security\/gridtrust\/running\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;GridTrust 
Running&#8221;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"parent":351,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"folder":[],"class_list":["post-516","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/mooney.gatech.edu\/security\/wp-json\/wp\/v2\/pages\/516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mooney.gatech.edu\/security\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/mooney.gatech.edu\/security\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/mooney.gatech.edu\/security\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/mooney.gatech.edu\/security\/wp-json\/wp\/v2\/comments?post=516"}],"version-history":[{"count":21,"href":"https:\/\/mooney.gatech.edu\/security\/wp-json\/wp\/v2\/pages\/516\/revisions"}],"predecessor-version":[{"id":663,"href":"https:\/\/mooney.gatech.edu\/security\/wp-json\/wp\/v2\/pages\/516\/revisions\/663"}],"up":[{"embeddable":true,"href":"https:\/\/mooney.gatech.edu\/security\/wp-json\/wp\/v2\/pages\/351"}],"wp:attachment":[{"href":"https:\/\/mooney.gatech.edu\/security\/wp-json\/wp\/v2\/media?parent=516"}],"wp:term":[{"taxonomy":"folder","embeddable":true,"href":"https:\/\/mooney.gatech.edu\/security\/wp-json\/wp\/v2\/folder?post=516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}