For runtime attestation to work, you must first record the known-good state of your gateway. To do this, run the ima_snapshot tool on the gateway.

  1. To generate the ima-policy, run the following script:
    /opt/vmware/iotc-agent/script/install-ima-policy.sh

    The ima-policy is generated and placed in /etc/ima/ima-policy.

  2. To generate the ima-snapshot file, run the following script:
    /opt/vmware/iotc-agent/bin/ima_snapshot -o <<ima.json path>>

    Note:
    • To keep paths out of the final ima.json file, list all the paths to be excluded in a file and pass that file's path to the -e option.
    • Edit the ima.json file and delete all entries whose file paths are under /usr/lib and /usr/lib64.

  3. Verify the file by running the following command:
    cat ima.json

    Note: The ima.json file must contain a hash for every entry.

  4. Generate a fingerprint file by running the following command:
    /opt/vmware/iotc-agent/bin/fingerprint dev > fp.json

  5. Verify the fingerprint file:
    cat fp.json

Using the ima.json and fp.json files, you can now create a runtime attestation profile from the VMware Pulse IoT Center console.
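The manual part of the procedure above (writing the exclude list for -e, deleting the /usr/lib and /usr/lib64 entries from ima.json, and checking that every remaining entry carries a hash) is easy to get wrong by hand on a gateway with thousands of measured files. The following script is an added example and is not part of the VMware Pulse IoT Center documentation or tooling. It assumes that ima.json is a JSON list of objects with "path" and "hash" keys and that the exclude file accepted by -e holds one path per line; the real ima_snapshot schema is not shown on this page, so adjust the load/dump step if yours differs. The sample entries are constructed.

```python
"""Post-process an ima_snapshot output file (ima.json) before it is uploaded.

Assumptions (not confirmed by the VMware documentation):
  * ima.json is a JSON list of {"path": str, "hash": str} objects.
  * The file given to `ima_snapshot -e` lists one absolute path per line.
"""
import json
from pathlib import PurePosixPath

# Directories whose entries the procedure says to delete from ima.json.
EXCLUDED_PREFIXES = ("/usr/lib", "/usr/lib64")


def is_under(path: str, prefix: str) -> bool:
    """Return True if `path` is `prefix` itself or lies inside that directory.

    The comparison is component-wise, so "/usr/lib" matches "/usr/lib/libc.so"
    but not "/usr/libexec/foo" (a plain string-prefix test would wrongly drop it).
    """
    parts = PurePosixPath(path).parts
    wanted = PurePosixPath(prefix).parts
    return parts[:len(wanted)] == wanted


def prune_entries(entries, excluded=EXCLUDED_PREFIXES):
    """Drop every entry whose path is under one of the excluded directories."""
    return [e for e in entries
            if not any(is_under(e["path"], x) for x in excluded)]


def missing_hashes(entries):
    """Paths of entries with no hash. Must be empty before the file is uploaded."""
    return [e["path"] for e in entries if not e.get("hash")]


def write_exclude_file(paths, dest):
    """Write the exclude list for the -e option, one path per line (assumed format)."""
    with open(dest, "w") as fh:
        fh.write("\n".join(paths) + "\n")


def process_ima_file(src, dst):
    """Load src, prune library entries, write dst, and return the paths still lacking a hash."""
    with open(src) as fh:
        entries = json.load(fh)
    kept = prune_entries(entries)
    with open(dst, "w") as fh:
        json.dump(kept, fh, indent=2)
    return missing_hashes(kept)


# Constructed sample standing in for a real ima.json; the hashes are placeholders.
SAMPLE = [
    {"path": "/usr/bin/iotc-agent", "hash": "sha256:" + "ab" * 32},
    {"path": "/usr/lib/libfoo.so", "hash": "sha256:" + "cd" * 32},
    {"path": "/usr/lib64/libbar.so", "hash": "sha256:" + "ef" * 32},
    {"path": "/usr/libexec/keep-me", "hash": "sha256:" + "12" * 32},
    {"path": "/etc/ima/ima-policy", "hash": "sha256:" + "34" * 32},
    {"path": "/opt/example/agent", "hash": ""},  # constructed: measured but hash missing
]


if __name__ == "__main__":
    kept = prune_entries(SAMPLE)
    print(f"kept {len(kept)} of {len(SAMPLE)} entries")
    for path in missing_hashes(kept):
        print(f"WARNING: no hash recorded for {path}; do not upload until fixed")
```

Run it against the real file with process_ima_file("ima.json", "ima.pruned.json") after step 2; an empty return value is the check step 3 asks for, and a non-empty one names the files to re-measure before creating the attestation profile.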