(This document needs a LOT more work, contributions welcome, especially if
you find something that is just plain wrong.)

DEBIAN:

There are Debian/unstable packages available from the SourceForge site
that make the following unnecessary for those running Debian.

REQUIREMENTS:

This module requires the Linux Security Module framework, Linux 2.6.3+,
IBM's TCPA library, and a TCPA enabled LILO.

IBM's TCPA LIBRARY:

The build system expects IBM's TPM library to be installed on the system.

Download http://www.research.ibm.com/gsal/tcpa/tpm-1.1b.tar.gz .

Make the library and examples:

    # (cd libtcpa && make)
    # (cd examples && make)

Copy the library libtcpa/libtcpa.a to /usr/lib .
Copy the headers libtcpa/*.h to /usr/include/tcpa/ .
Copy the examples to /usr/lib/libtcpa1.1/examples .

    # cp libtcpa/libtcpa.a /usr/lib
    # mkdir /usr/include/tcpa/ && cp libtcpa/*.h /usr/include/tcpa
    # mkdir -p /usr/lib/libtcpa1.1/examples && cp tcpa_demo takeown \
        createkey loadkey evictkey signfile verifyfile sealfile unsealfile \
        /usr/lib/libtcpa1.1/examples

PATCHING:

Apply patches/patch-enforcer-2.6.4-0.4.beta to the kernel. This will patch
security/Makefile and security/Kconfig and add a directory
security/enforcer .

Compile the Enforcer LSM, either as a module, or built into the kernel.
The kernel option is CONFIG_SECURITY_ENFORCER and is tagged experimental.
The option will be at the bottom of the 'Security options' group as
'Kernel Enforcer Support (EXPERIMENTAL)' .

For testing, recommended options are:

    - Compile the Enforcer as a module
    - Enable 'Enforcer debug statements'
    - Enable 'Enable TCPA support for the Enforcer' if you have TCPA
      hardware

Build, install, and reboot with your newly patched kernel. Be sure you use
the TCPA enabled LILO.

CREATING THE UTILS:

In the top level enforcer directory run:

    # make && make install

This will make the admin tools, the database signing tools, and the
helper, and install them.

Now, read README.CONFIG to do the configuration.

PROJECT HOME PAGE:
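
A preflight check for the REQUIREMENTS, IBM's TCPA LIBRARY and PATCHING
steps above, as an added example that is not part of the Enforcer
distribution. The function names, the ROOT prefix argument, and reading the
kernel configuration from /boot/config-$(uname -r) are assumptions of this
example; the paths, tool names and kernel option are the ones this README
lists.

```shell
#!/bin/sh
# Added example: preflight check for the install steps in this README.
# Paths, tool names and the kernel option come from the README; the ROOT
# prefix argument and the /boot/config-* location are assumptions.

# kernel_at_least VERSION MAJ MIN PATCH: true if VERSION >= MAJ.MIN.PATCH
kernel_at_least() {
    ver=${1%%[!0-9.]*}          # "2.6.4-enforcer" -> "2.6.4"
    want_maj=$2; want_min=$3; want_pat=$4
    old_ifs=$IFS; IFS=.
    set -- $ver                 # split on dots into $1 $2 $3
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt "$want_maj" ] && return 0
    [ "$maj" -lt "$want_maj" ] && return 1
    [ "$min" -gt "$want_min" ] && return 0
    [ "$min" -lt "$want_min" ] && return 1
    [ "$pat" -ge "$want_pat" ]
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# enforcer_preflight ROOT KCONFIG KVERSION
# Prints one FAIL line per unmet requirement; returns the number of failures.
enforcer_preflight() {
    root=$1; kconfig=$2; kver=$3; fails=0
    kernel_at_least "$kver" 2 6 3 || fail "kernel $kver is older than 2.6.3"
    [ -f "$root/usr/lib/libtcpa.a" ] || fail "missing /usr/lib/libtcpa.a"
    ls "$root"/usr/include/tcpa/*.h >/dev/null 2>&1 || fail "no headers in /usr/include/tcpa/"
    for tool in tcpa_demo takeown createkey loadkey evictkey signfile \
                verifyfile sealfile unsealfile; do
        [ -x "$root/usr/lib/libtcpa1.1/examples/$tool" ] || fail "example $tool not installed"
    done
    # The option must be built in (y) or built as a module (m).
    grep -Eq '^CONFIG_SECURITY_ENFORCER=[ym]$' "$kconfig" 2>/dev/null ||
        fail "CONFIG_SECURITY_ENFORCER is not set to y or m in $kconfig"
    return "$fails"
}

# Stand-alone use on the installed system: sh <this file> --check
if [ "${1:-}" = "--check" ]; then
    enforcer_preflight "" "/boot/config-$(uname -r)" "$(uname -r)"
fi
```

The check does not cover the TCPA enabled LILO or the presence of TCPA
hardware; those still have to be confirmed by hand.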