A Reference Integrity Manifest (RIM) contains structures that a Verifier uses to validate expected values (Assertions) against actual values (Evidence). The RIM Tool provides a capability to Create, Print, and Verify RIM files that target the integrity of firmware.
Functionality provided by this tool includes the following:
- Creates, formats, and digitally signs TCG PC Client Base RIMs
- Creates, formats, and digitally signs TCG Component RIMs (both SWID and CoSWID variants)
- Creates, formats, and digitally signs IETF CoRIMs
- Validates the digital signature of RIMs using X.509 public key certificates
- Prints human-readable contents of RIMs
Please see the documentation for detailed installation and usage.
In order to build from source, please first clone the project using git clone --recursive. This will properly initialize any submodules.
To build this tool, navigate to the RIM-Tool directory cloned earlier and use the following command:
./gradlew clean build
After the build, the rim-tool-X.X.jar file should be in the /build/libs/tools/ folder (Linux).
Several options exist for building on Windows 11.
Windows Command Prompt (CMD.exe): Navigate to the RIM-Tool folder and run the Windows Gradle wrapper:
gradlew.bat clean build
Windows PowerShell with Windows Subsystem for Linux (WSL) enabled: Navigate to the RIM-Tool folder and run the Linux Gradle wrapper:
./gradlew clean build
In both cases, the rim-tool-X.X.jar file should be in the \build\libs\tools\ folder after the build.
Packages for this tool can be found on the releases page. Currently, only packaging for Linux is supported.
To create an RPM package on a RHEL or Rocky Linux device, use the following command in the same directory:
./gradlew buildRpm
or for a Debian or Ubuntu Linux distro:
./gradlew buildDeb
The RIM Tool package can be found under the /build/distributions/ folder.
Currently, only install packages for Linux are supported.
To install this tool on a RHEL or Rocky Linux distro, use the following command from the same directory:
sudo dnf install build/distributions/rim-tool*.rpm
or for a Debian or Ubuntu Linux distro:
sudo apt-get install build/distributions/rim-tool*.deb
The RIM Tool RPM will create a rim command line shortcut. This can be invoked from a command line:
rim -h
The RIM Tool can also be invoked using Java from a build directory (if following the Building section earlier):
java -jar build/libs/tools/rim-tool-X.X.jar -h
Current options for the tool can be found using the -h option.
rim <command> <options>
The RIM Tool provides the following commands and options. Note that clustering of options is not currently supported.
- create: Creates a RIM based upon provided options
- verify: Verifies the signature of a RIM
- sign: Signs a file using a specific format option
- print: Provides a human-readable representation of a supported RIM object
- get: Retrieves the payload from a signed object and saves it to a file
For details on RIM Tool commands, please refer to the documentation.
- Host Integrity at Runtime and Startup (HIRS) uses RIMs for firmware validation. It is compatible with PC Client RIMs created by this tool.
- Trusted Computing Group PC Client RIM specification
- CoSWID Specification (RFC 9393)
- IETF CoRIM Specification (draft-rats-ietf-corim)
- CBOR Playground (useful for viewing/parsing/debugging CBOR data)
- COSE Working Group test patterns that validate with this tool (COSE_Sign1 only)
- Gluecose test patterns that validate with this tool (COSE_Sign1 only)
- Microsoft's COSE Tool (useful for testing detached signatures and embedded certificates)
- EDK2's Trusted Boot Chain Overview