author | Yves-Alexis Perez <corsac@debian.org> | 2014-07-11 07:23:31 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2014-07-11 07:23:31 +0200 |
commit | 81c63b0eed39432878f78727f60a1e7499645199 (patch) | |
tree | 82387d8fecd1c20788fd8bd784a9b0bde091fb6b /src/libimcv/imv | |
parent | c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (diff) | |
download | vyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.tar.gz vyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.zip |
Imported Upstream version 5.2.0
Diffstat (limited to 'src/libimcv/imv')
-rwxr-xr-x | src/libimcv/imv/_imv_policy | 14 | ||||
-rw-r--r-- | src/libimcv/imv/data.sql | 345 | ||||
-rw-r--r-- | src/libimcv/imv/imv_agent.c | 48 | ||||
-rw-r--r-- | src/libimcv/imv/imv_agent.h | 4 | ||||
-rw-r--r-- | src/libimcv/imv/imv_database.c | 302 | ||||
-rw-r--r-- | src/libimcv/imv/imv_database.h | 20 | ||||
-rw-r--r-- | src/libimcv/imv/imv_if.h | 55 | ||||
-rw-r--r-- | src/libimcv/imv/imv_os_info.c | 168 | ||||
-rw-r--r-- | src/libimcv/imv/imv_os_info.h | 88 | ||||
-rw-r--r-- | src/libimcv/imv/imv_policy_manager.c | 13 | ||||
-rw-r--r-- | src/libimcv/imv/imv_policy_manager_usage.c | 3 | ||||
-rw-r--r-- | src/libimcv/imv/imv_session.c | 147 | ||||
-rw-r--r-- | src/libimcv/imv/imv_session.h | 80 | ||||
-rw-r--r-- | src/libimcv/imv/imv_session_manager.c | 131 | ||||
-rw-r--r-- | src/libimcv/imv/imv_session_manager.h | 69 | ||||
-rw-r--r-- | src/libimcv/imv/imv_state.h | 27 | ||||
-rw-r--r-- | src/libimcv/imv/tables-mysql.sql | 200 | ||||
-rw-r--r-- | src/libimcv/imv/tables.sql | 151 |
18 files changed, 1404 insertions, 461 deletions
diff --git a/src/libimcv/imv/_imv_policy b/src/libimcv/imv/_imv_policy index 68a963c27..056284411 100755 --- a/src/libimcv/imv/_imv_policy +++ b/src/libimcv/imv/_imv_policy @@ -20,18 +20,20 @@ # that, and use the "libimcv.policy_script = " option in strongswan.conf # to make strongSwan use yours instead of this default one. -# Environment variables that this script gets +# Passed arguments # -# TNC_SESSION_ID -# unique session ID used as a reference by the policy -# manager. +# $1 +# action +# $2 +# unique session ID used as a reference by the policy +# manager. # case "$1" in start) - echo "start session $TNC_SESSION_ID" + echo "start session $2" ;; stop) - echo "stop session $TNC_SESSION_ID" + echo "stop session $2" ;; *) echo "$0: unknown command '$1'" exit 1 diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index 7f3bae813..b45cad487 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql 
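Review bot: Neither the `start)` nor the `stop)` branch checks that the session ID in `$2` was actually passed, so a call with a missing second argument prints `start session ` and exits 0, which the caller in imv_database.c would presumably treat as success. A guard before the `case` would make the contract explicit: `[ -n "$2" ] || { echo "$0: missing session ID" >&2; exit 1; }`. The header comment could also state that `$2` is a decimal integer supplied by the IMV and is not meant to be user-controlled, since the script is the documented template for site-specific replacements.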
@@ -216,6 +216,96 @@ INSERT INTO products ( /* 36 */
 'Ubuntu 14.04 x86_64'
 );
+INSERT INTO products ( /* 37 */
+ name
+) VALUES (
+ 'Debian 7.3 i686'
+);
+
+INSERT INTO products ( /* 38 */
+ name
+) VALUES (
+ 'Debian 7.3 x86_64'
+);
+
+INSERT INTO products ( /* 39 */
+ name
+) VALUES (
+ 'Debian 7.4 i686'
+);
+
+INSERT INTO products ( /* 40 */
+ name
+) VALUES (
+ 'Debian 7.4 x86_64'
+);
+
+INSERT INTO products ( /* 41 */
+ name
+) VALUES (
+ 'Debian 7.5 i686'
+);
+
+INSERT INTO products ( /* 42 */
+ name
+) VALUES (
+ 'Debian 7.5 x86_64'
+);
+
+INSERT INTO products ( /* 43 */
+ name
+) VALUES (
+ 'Debian 7.0 armv6l'
+);
+
+INSERT INTO products ( /* 44 */
+ name
+) VALUES (
+ 'Debian 7.1 armv6l'
+);
+
+INSERT INTO products ( /* 45 */
+ name
+) VALUES (
+ 'Debian 7.2 armv6l'
+);
+
+INSERT INTO products ( /* 46 */
+ name
+) VALUES (
+ 'Debian 7.3 armv6l'
+);
+
+INSERT INTO products ( /* 47 */
+ name
+) VALUES (
+ 'Debian 7.4 armv6l'
+);
+
+INSERT INTO products ( /* 48 */
+ name
+) VALUES (
+ 'Debian 7.5 armv6l'
+);
+
+INSERT INTO products ( /* 49 */
+ name
+) VALUES (
+ 'Android 4.3'
+);
+
+INSERT INTO products ( /* 50 */
+ name
+) VALUES (
+ 'Android 4.4.3'
+);
+
+INSERT INTO products ( /* 51 */
+ name
+) VALUES (
+ 'Android 4.4.4'
+);
+
 /* Directories */
 INSERT INTO directories ( /* 1 */
@@ -345,12 +435,6 @@ INSERT INTO files ( /* 6 */
 INSERT INTO algorithms (
 id, name
 ) VALUES (
- 65536, 'SHA1-IMA'
-);
-
-INSERT INTO algorithms (
- id, name
-) VALUES (
 32768, 'SHA1'
 );
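Review bot: The fifteen new `products` rows rely on the engine assigning ids 37–51 in insertion order, tracked only by the `/* 37 */` … `/* 51 */` comments, yet the later `groups_product_defaults` hunks in this file hard-code those numbers (`4, 37`, `5, 38`, `3, 49`, `14, 43` and so on). Any reordering, a failed insert, or loading the file into a database that already holds rows silently binds the wrong product to a group default, and nothing in the file would detect it. The `algorithms` statements in the second hunk already show the safer pattern by naming the key explicitly, e.g. `INSERT INTO products ( id, name ) VALUES ( 37, 'Debian 7.3 i686' );`, which would make the cross-references in the default-group hunks verifiable by inspection.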
@@ -531,27 +615,27 @@ INSERT INTO versions (
 /* Components */
 INSERT INTO components (
- vendor_id, name, qualifier
+ vendor_id, name, qualifier, label
 ) VALUES (
- 36906, 1, 33 /* ITA TGRUB */
+ 36906, 1, 33, 'G' /* ITA TGRUB */
 );
 INSERT INTO components (
- vendor_id, name, qualifier
+ vendor_id, name, qualifier, label
 ) VALUES (
- 36906, 2, 33 /* ITA TBOOT */
+ 36906, 2, 33, 'T' /* ITA TBOOT */
 );
 INSERT INTO components (
- vendor_id, name, qualifier
+ vendor_id, name, qualifier, label
 ) VALUES (
- 36906, 3, 33 /* ITA IMA - Trusted Platform */
+ 36906, 3, 33, 'B' /* ITA IMA - Trusted Platform */
 );
 INSERT INTO components (
- vendor_id, name, qualifier
+ vendor_id, name, qualifier, label
 ) VALUES (
- 36906, 3, 34 /* ITA IMA - Operating System */
+ 36906, 3, 34, 'I' /* ITA IMA - Operating System */
 );
 /* Groups */
@@ -634,6 +718,12 @@ INSERT INTO groups ( /* 13 */
 'TPM BIOS/IMA'
 );
+INSERT INTO groups ( /* 14 */
+ name, parent
+) VALUES (
+ 'Debian armv6l', 2
+);
+
 /* Default Product Groups */
 INSERT INTO groups_product_defaults (
@@ -669,6 +759,24 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
 group_id, product_id
 ) VALUES (
+ 4, 37
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 4, 39
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 4, 41
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
 5, 2
 );
@@ -699,6 +807,24 @@ INSERT INTO groups_product_defaults (
 INSERT INTO groups_product_defaults (
 group_id, product_id
 ) VALUES (
+ 5, 38
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 5, 40
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 5, 42
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
 6, 9
 );
@@ -846,6 +972,60 @@ INSERT INTO groups_product_defaults (
 3, 34
 );
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 3, 49
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 3, 50
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 3, 51
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 14, 43
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 14, 44
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 14, 45
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 14, 46
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 14, 47
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 14, 48
+);
+
 /* Policies */
 INSERT INTO policies ( /* 1 */
@@ -1078,139 +1258,64 @@ INSERT INTO enforcements ( /* 17 */ 21, 13, 60 ); -/* regids */ +/* swid_entities */ -INSERT INTO regids ( /* 1 */ - name -) VALUES ( - 'regid.1986-12.com.adobe' -); - -INSERT INTO regids ( /* 2 */ - name -) VALUES ( - 'regid.1991-06.com.microsoft' -); - -INSERT INTO regids ( /* 3 */ - name -) VALUES ( - 'regid.2004-05.com.ubuntu' -); - -INSERT INTO regids ( /* 4 */ - name -) VALUES ( - 'regid.1995-04.org.apache' -); - -INSERT INTO regids ( /* 5 */ - name -) VALUES ( - 'regid.1999-03.org.debian' -); - -INSERT INTO regids ( /* 6 */ - name -) VALUES ( - 'regid.1994-04.org.isc' -); - -INSERT INTO regids ( /* 7 */ - name -) VALUES ( - 'regid.1998-12.org.openssl' -); - -INSERT INTO regids ( /* 8 */ - name -) VALUES ( - 'regid.1998-01.org.samba' -); - -INSERT INTO regids ( /* 9 */ - name -) VALUES ( - 'regid.2002-08.org.sqlite' -); - -INSERT INTO regids ( /* 10 */ - name -) VALUES ( - 'regid.2004-03.org.strongswan' -); - -/* Tags */ - -INSERT INTO tags ( - regid, unique_sw_id -) VALUES ( - 2, 'Windows-8-Pro' -); - -INSERT INTO tags ( - regid, unique_sw_id -) VALUES ( - 5, 'apache-2-2-22-13' -); - -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO "swid_entities" ( /* 1 */ + "name", "regid" ) VALUES ( - 5, 'bind-9-8-4-dfsg' + 'strongSwan Project', 'regid.2004-03.org.strongswan' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 2 */ + "name", "regid" ) VALUES ( - 5, 'libsqlite-3-7-13-1' + 'Adobe Systems Inc.', 'regid.1986-12.com.adobe' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 3 */ + "name", "regid" ) VALUES ( - 5, 'libssl-1-0-1e-2' + 'Microsoft Corporation', 'regid.1991-06.com.microsoft' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 4 */ + "name", "regid" ) VALUES ( - 5, 'libssl-dev-1-0-1e-2' + 'Ubuntu Project', 'regid.2004-05.com.ubuntu' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 5 */ + "name", "regid" ) VALUES ( - 5, 
'libssl-doc-1-0-1e-2' + 'Apache Software Foundation', 'regid.1995-04.org.apache' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 6 */ + "name", "regid" ) VALUES ( - 5, 'openssl-1-0-1e-2' + 'Debian Project', 'regid.1999-03.org.debian' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 7 */ + "name", "regid" ) VALUES ( - 5, 'smbclient-3-6-6-6' + 'Internet Systems Consortium', 'regid.1994-04.org.isc' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 8 */ + "name", "regid" ) VALUES ( - 5, 'sqlite-3-7-13-1' + 'OpenSSL Project', 'regid.1998-12.org.openssl' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 9 */ + "name", "regid" ) VALUES ( - 10, 'strongSwan-5-1-1' + 'Samba Project', 'regid.1998-01.org.samba' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 10 */ + "name", "regid" ) VALUES ( - 10, 'strongSwan-5-1-2' + 'SQLite Project', 'regid.2002-08.org.sqlite' ); - diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index 435c25a3c..a46455d47 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -52,7 +52,7 @@ struct private_imv_agent_t { /** * number of message types registered by IMV */ - u_int32_t type_count; + uint32_t type_count; /** * ID of IMV as assigned by TNCS @@ -296,10 +296,7 @@ static bool delete_connection(private_imv_agent_t *this, TNC_ConnectionID id) { found = TRUE; session = state->get_session(state); - if (session) - { - imcv_db->remove_session(imcv_db, session); - } + imcv_sessions->remove_session(imcv_sessions, session); state->destroy(state); this->connections->remove_at(this->connections, enumerator); break; 
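Review bot: The first new row is written as `INSERT INTO "swid_entities" ( /* 1 */ "name", "regid"` while rows 2 through 10 use the unquoted table name `INSERT INTO swid_entities ( /* 2 */`, and the rest of the file never quotes identifiers at all. Quoted identifiers are case-sensitive on several engines, so the inconsistency is not purely cosmetic; make row 1 match the others, `INSERT INTO swid_entities ( /* 1 */ name, regid`, and drop the quotes on the `"name", "regid"` column lists as well. The ten regid strings carried over from the deleted `regids` rows could also use a one-line comment stating that the entity's `id` is no longer the key that SWID tags reference, since the `tags` rows keyed by `regid` number are removed in the same hunk.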
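Review bot: In the `delete_connection` hunk of imv_agent.c the `if (session)` guard around the removal is dropped, so `imcv_sessions->remove_session(imcv_sessions, session)` is now called with whatever `state->get_session(state)` returns, including NULL if a state was created without a session. Whether that is safe depends on `imv_session_manager_t.remove_session` tolerating a NULL argument, which is not visible here; if it does, a one-line comment `/* remove_session() accepts a NULL session */` would record that assumption, otherwise the guard should be restored. The enclosing function starts and ends outside the hunk.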
@@ -346,7 +343,7 @@ static char* get_str_attribute(private_imv_agent_t *this, TNC_ConnectionID id, /** * Read an UInt32 attribute */ -static u_int32_t get_uint_attribute(private_imv_agent_t *this, TNC_ConnectionID id, +static uint32_t get_uint_attribute(private_imv_agent_t *this, TNC_ConnectionID id, TNC_AttributeID attribute_id) { TNC_UInt32 len; @@ -370,7 +367,7 @@ static linked_list_t* get_identity_attribute(private_imv_agent_t *this, { TNC_UInt32 len; char buf[2048]; - u_int32_t count; + uint32_t count; tncif_identity_t *tnc_id; bio_reader_t *reader; linked_list_t *list; @@ -415,8 +412,8 @@ METHOD(imv_agent_t, create_state, TNC_Result, enumerator_t *enumerator; tncif_identity_t *tnc_id; imv_session_t *session; - u_int32_t max_msg_len; - u_int32_t ar_id_type = TNC_ID_UNKNOWN; + uint32_t max_msg_len; + uint32_t ar_id_type = TNC_ID_UNKNOWN; chunk_t ar_id_value = chunk_empty; conn_id = state->get_connection_id(state); @@ -453,7 +450,7 @@ METHOD(imv_agent_t, create_state, TNC_Result, while (enumerator->enumerate(enumerator, &tnc_id)) { pen_type_t id_type, subject_type, auth_type; - u_int32_t tcg_id_type, tcg_subject_type, tcg_auth_type; + uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type; chunk_t id_value; id_type = tnc_id->get_identity_type(tnc_id); 
@@ -474,30 +471,21 @@ METHOD(imv_agent_t, create_state, TNC_Result, id_value.len, id_value.ptr, TNC_Authentication_names, tcg_auth_type); + /* keep the first access requestor ID */ if (first) { ar_id_type = tcg_id_type; ar_id_value = id_value; - state->set_ar_id(state, ar_id_type, ar_id_value); first = FALSE; } } enumerator->destroy(enumerator); - if (imcv_db) - { - session = imcv_db->add_session(imcv_db, conn_id, ar_id_type, ar_id_value); - if (session) - { - DBG2(DBG_IMV, " assigned session ID %d", - session->get_session_id(session)); - state->set_session(state, session); - } - else - { - DBG1(DBG_IMV, " no session ID assigned"); - } - } + session = imcv_sessions->add_session(imcv_sessions, conn_id, + ar_id_type, ar_id_value); + state->set_session(state, session); + + /* clean up temporary variables */ ar_identities->destroy_offset(ar_identities, offsetof(tncif_identity_t, destroy)); free(tnccs_p); @@ -505,9 +493,11 @@ METHOD(imv_agent_t, create_state, TNC_Result, free(t_p); free(t_v); + /* insert state in connection list */ this->connection_lock->write_lock(this->connection_lock); this->connections->insert_last(this->connections, state); this->connection_lock->unlock(this->connection_lock); + return TNC_RESULT_SUCCESS; } @@ -622,7 +612,7 @@ METHOD(imv_agent_t, reserve_additional_ids, TNC_Result, count--; /* store the scalar value in the pointer */ - pointer = (void*)id; + pointer = (void*)(uintptr_t)id; this->additional_ids->insert_last(this->additional_ids, pointer); DBG2(DBG_IMV, "IMV %u \"%s\" reserved additional ID %u", this->id, this->name, id); @@ -800,7 +790,7 @@ METHOD(imv_agent_t, destroy, void, * Described in header. */ imv_agent_t *imv_agent_create(const char *name, - pen_type_t *supported_types, u_int32_t type_count, + pen_type_t *supported_types, uint32_t type_count, TNC_IMVID id, TNC_Version *actual_version) { private_imv_agent_t *this; @@ -841,5 +831,3 @@ imv_agent_t *imv_agent_create(const char *name, return &this->public; } - - 
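Review bot: In the `create_state` hunk, `ar_id_value = id_value` keeps a `chunk_t` that appears to point into the `tnc_id` objects, and those objects are released by `ar_identities->destroy_offset(...)` a few lines after `imcv_sessions->add_session(imcv_sessions, conn_id, ar_id_type, ar_id_value)` returns. This is only safe if `add_session` clones the chunk before returning; the prior code had the same ordering, but the new code now relies on the session manager for it, so a comment at the call, `/* ar_id_value must be cloned by add_session: the identities are freed below */`, would document the contract. `state->set_session(state, session)` is also now unconditional, so the previously logged "no session ID assigned" case is gone; worth confirming that `add_session` cannot return NULL. The function body starts outside this hunk.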
diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h index d58af260b..47ce770bc 100644 --- a/src/libimcv/imv/imv_agent.h +++ b/src/libimcv/imv/imv_agent.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -205,7 +205,7 @@ struct imv_agent_t { * */ imv_agent_t *imv_agent_create(const char *name, - pen_type_t *supported_types, u_int32_t type_count, + pen_type_t *supported_types, uint32_t type_count, TNC_IMVID id, TNC_Version *actual_version); #endif /** IMV_AGENT_H_ @}*/ diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c index dc7edd7aa..0c4bb7514 100644 --- a/src/libimcv/imv/imv_database.c +++ b/src/libimcv/imv/imv_database.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -47,48 +47,28 @@ struct private_imv_database_t { */ char *script; - /** - * Session list - */ - linked_list_t *sessions; - - /** - * mutex used to lock session list - */ - mutex_t *mutex; - }; -METHOD(imv_database_t, add_session, imv_session_t*, - private_imv_database_t *this, TNC_ConnectionID conn_id, - u_int32_t ar_id_type, chunk_t ar_id_value) +METHOD(imv_database_t, get_database, database_t*, + private_imv_database_t *this) { - enumerator_t *enumerator, *e; - imv_session_t *current, *session = NULL; - int ar_id = 0, session_id; - u_int created; - - this->mutex->lock(this->mutex); - - /* check if a session has already been assigned */ - enumerator = this->sessions->create_enumerator(this->sessions); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (conn_id == current->get_connection_id(current)) - { - session = current; - break; - } - } - enumerator->destroy(enumerator); - - /* session already exists */ - if (session) - { - this->mutex->unlock(this->mutex); - return session->get_ref(session); - } + return this->db; +} +/** + * Create a session entry in the IMV database + */ +static bool create_session(private_imv_database_t *this, imv_session_t *session) +{ + enumerator_t *e; + imv_os_info_t *os_info; + chunk_t device_id, ar_id_value; + TNC_ConnectionID conn_id; + uint32_t ar_id_type; + char *product, *device; + int session_id = 0, ar_id = 0, pid = 0, did = 0, trusted = 0, created; + + ar_id_value = session->get_ar_id(session, &ar_id_type); if (ar_id_value.len) { /* get primary key of AR identity if it exists */ 
@@ -108,46 +88,22 @@ METHOD(imv_database_t, add_session, imv_session_t*, "INSERT INTO identities (type, value) VALUES (?, ?)", DB_INT, ar_id_type, DB_BLOB, ar_id_value); } - } - /* create a new session entry */ - created = time(NULL); - this->db->execute(this->db, &session_id, - "INSERT INTO sessions (time, connection, identity) " - "VALUES (?, ?, ?)", - DB_UINT, created, DB_INT, conn_id, DB_INT, ar_id); - session = imv_session_create(session_id, conn_id); - this->sessions->insert_last(this->sessions, session); - - this->mutex->unlock(this->mutex); - - return session; -} -METHOD(imv_database_t, remove_session, void, - private_imv_database_t *this, imv_session_t *session) -{ - enumerator_t *enumerator; - imv_session_t *current; - - this->mutex->lock(this->mutex); - enumerator = this->sessions->create_enumerator(this->sessions); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (current == session) + if (!ar_id) { - this->sessions->remove_at(this->sessions, enumerator); - break; + DBG1(DBG_IMV, "imv_db: registering access requestor failed"); + return FALSE; } } - enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); -} -METHOD(imv_database_t, add_product, int, - private_imv_database_t *this, imv_session_t *session, char *product) -{ - enumerator_t *e; - int pid = 0; + /* get product info string */ + os_info = session->get_os_info(session); + product = os_info->get_info(os_info); + if (!product) + { + DBG1(DBG_IMV, "imv_db: product info is not available"); + return FALSE; + } /* get primary key of product info string if it exists */ e = this->db->query(this->db, 
@@ -164,92 +120,150 @@ METHOD(imv_database_t, add_product, int, this->db->execute(this->db, &pid, "INSERT INTO products (name) VALUES (?)", DB_TEXT, product); } - - /* add product reference to session */ - if (pid) + + if (!pid) { - this->db->execute(this->db, NULL, - "UPDATE sessions SET product = ? WHERE id = ?", - DB_INT, pid, DB_INT, session->get_session_id(session)); + DBG1(DBG_IMV, "imv_db: registering product info failed"); + return FALSE; } - return pid; -} - -METHOD(imv_database_t, add_device, int, - private_imv_database_t *this, imv_session_t *session, chunk_t device) -{ - enumerator_t *e; - char *device_str; - int pid = 0, did = 0; + /* get device ID string */ + if (!session->get_device_id(session, &device_id)) + { + DBG1(DBG_IMV, "imv_db: device ID is not available"); + return FALSE; + } + device = strndup(device_id.ptr, device_id.len); - /* get primary key of product from session */ + /* get primary key of device ID if it exists */ e = this->db->query(this->db, - "SELECT product FROM sessions WHERE id = ?", - DB_INT, session->get_session_id(session), DB_INT); + "SELECT id, trusted FROM devices WHERE value = ? AND product = ?", + DB_TEXT, device, DB_INT, pid, DB_INT, DB_INT); if (e) { - e->enumerate(e, &pid); + e->enumerate(e, &did, &trusted); e->destroy(e); } - /* some IMV policy manager expect a text string */ - device_str = strndup(device.ptr, device.len); - - /* get primary key of device identification if it exists */ - e = this->db->query(this->db, - "SELECT id FROM devices WHERE value = ? 
AND product = ?", - DB_TEXT, device_str, DB_INT, pid, DB_INT); - if (e) + /* if device ID is trusted, set trust in session */ + if (trusted) { - e->enumerate(e, &did); - e->destroy(e); + session->set_device_trust(session, TRUE); } - /* if device identification has not been found - register it */ + /* if device ID has not been found - register it */ if (!did) { this->db->execute(this->db, &did, "INSERT INTO devices (value, product) VALUES (?, ?)", - DB_TEXT, device_str, DB_INT, pid); + DB_TEXT, device, DB_INT, pid); + } + free(device); + + if (!did) + { + DBG1(DBG_IMV, "imv_db: registering device ID failed"); + return FALSE; + } + + /* create a new session entry */ + created = session->get_creation_time(session); + conn_id = session->get_connection_id(session); + this->db->execute(this->db, &session_id, + "INSERT INTO sessions (time, connection, identity, product, device) " + "VALUES (?, ?, ?, ?, ?)", + DB_INT, created, DB_INT, conn_id, DB_INT, ar_id, + DB_INT, pid, DB_INT, did); + + if (session_id) + { + DBG2(DBG_IMV, "assigned session ID %d to Connection ID %d", + session_id, conn_id); + } + else + { + DBG1(DBG_IMV, "imv_db: registering session failed"); + return FALSE; + } + session->set_session_id(session, session_id, pid, did); + + return TRUE; +} + +static bool add_workitems(private_imv_database_t *this, imv_session_t *session) +{ + char *arg_str; + int id, arg_int, rec_fail, rec_noresult; + imv_workitem_t *workitem; + imv_workitem_type_t type; + enumerator_t *e; + + e = this->db->query(this->db, + "SELECT id, type, arg_str, arg_int, rec_fail, rec_noresult " + "FROM workitems WHERE session = ?", + DB_INT, session->get_session_id(session, NULL, NULL), + DB_INT, DB_INT, DB_TEXT, DB_INT,DB_INT, DB_INT); + if (!e) + { + DBG1(DBG_IMV, "imv_db: no workitem enumerator returned"); + return FALSE; } - free(device_str); - - /* add device reference to session */ - if (did) + while (e->enumerate(e, &id, &type, &arg_str, &arg_int, &rec_fail, + &rec_noresult)) { - 
this->db->execute(this->db, NULL, - "UPDATE sessions SET device = ? WHERE id = ?", - DB_INT, did, DB_INT, session->get_session_id(session)); + DBG2(DBG_IMV, "%N workitem %d", imv_workitem_type_names, type, id); + workitem = imv_workitem_create(id, type, arg_str, arg_int, rec_fail, + rec_noresult); + session->insert_workitem(session, workitem); } + e->destroy(e); - return did; + return TRUE; } METHOD(imv_database_t, add_recommendation, void, private_imv_database_t *this, imv_session_t *session, TNC_IMV_Action_Recommendation rec) { - /* add final recommendation to session */ + /* add final recommendation to session DB entry */ this->db->execute(this->db, NULL, "UPDATE sessions SET rec = ? WHERE id = ?", - DB_INT, rec, DB_INT, session->get_session_id(session)); + DB_INT, rec, DB_INT, session->get_session_id(session, NULL, NULL)); } METHOD(imv_database_t, policy_script, bool, private_imv_database_t *this, imv_session_t *session, bool start) { - imv_workitem_t *workitem; - imv_workitem_type_t type; - int id, session_id, arg_int, rec_fail, rec_noresult; - enumerator_t *e; - char command[512], resp[128], *last, *arg_str; + char command[512], resp[128], *last; FILE *shell; - session_id = session->get_session_id(session); + if (start) + { + if (session->get_policy_started(session)) + { + DBG1(DBG_IMV, "policy script as already been started"); + return FALSE; + } - snprintf(command, sizeof(command), "2>&1 TNC_SESSION_ID='%d' %s %s", - session_id, this->script, start ? "start" : "stop"); + /* add product info and device ID to session DB entry */ + if (!create_session(this, session)) + { + return FALSE; + } + } + else + { + if (!session->get_policy_started(session)) + { + DBG1(DBG_IMV, "policy script as already been stopped"); + return FALSE; + } + } + + /* call the policy script */ + snprintf(command, sizeof(command), "2>&1 %s %s %d", + this->script, start ? 
"start" : "stop", + session->get_session_id(session, NULL, NULL)); DBG3(DBG_IMV, "running policy script: %s", command); shell = popen(command, "r"); @@ -282,30 +296,16 @@ METHOD(imv_database_t, policy_script, bool, } pclose(shell); - if (start && !session->get_policy_started(session)) + if (start) { - /* get workitem list generated by policy manager */ - e = this->db->query(this->db, - "SELECT id, type, arg_str, arg_int, rec_fail, rec_noresult " - "FROM workitems WHERE session = ?", DB_INT, session_id, - DB_INT, DB_INT, DB_TEXT, DB_INT,DB_INT, DB_INT); - if (!e) + /* add workitem list generated by policy manager to session object */ + if (!add_workitems(this, session)) { - DBG1(DBG_IMV, "no workitem enumerator returned"); return FALSE; } - while (e->enumerate(e, &id, &type, &arg_str, &arg_int, &rec_fail, - &rec_noresult)) - { - workitem = imv_workitem_create(id, type, arg_str, arg_int, rec_fail, - rec_noresult); - session->insert_workitem(session, workitem); - } - e->destroy(e); - session->set_policy_started(session, TRUE); } - else if (!start && session->get_policy_started(session)) + else { session->set_policy_started(session, FALSE); } @@ -327,19 +327,10 @@ METHOD(imv_database_t, finalize_workitem, bool, DB_INT, workitem->get_id(workitem)) == 1; } -METHOD(imv_database_t, get_database, database_t*, - private_imv_database_t *this) -{ - return this->db; -} - METHOD(imv_database_t, destroy, void, private_imv_database_t *this) { DESTROY_IF(this->db); - this->sessions->destroy_offset(this->sessions, - offsetof(imv_session_t, destroy)); - this->mutex->destroy(this->mutex); free(this); } 
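Review bot: In the `policy_script` hunk the command handed to `popen` is built with `snprintf(command, sizeof(command), "2>&1 %s %s %d", this->script, ...)`, and the 512-byte result is used without checking for truncation, so an over-long configured `libimcv.policy_script` path is silently cut and a partial path is executed; check the return value, e.g. `if (snprintf(...) >= sizeof(command)) { DBG1(DBG_IMV, "policy script command too long"); return FALSE; }`. Passing the integer session ID as an argument instead of the former `TNC_SESSION_ID` environment variable is an improvement, since no peer-supplied data reaches the shell, but `this->script` is still interpolated unquoted and a path containing whitespace would be word-split. The two new log strings read `"policy script as already been started"` and `"policy script as already been stopped"`; both should say `has`. The function continues past the end of the hunk.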
@@ -352,20 +343,14 @@ imv_database_t *imv_database_create(char *uri, char *script) INIT(this, .public = { - .add_session = _add_session, - .remove_session = _remove_session, - .add_product = _add_product, - .add_device = _add_device, - .add_recommendation = _add_recommendation, + .get_database = _get_database, .policy_script = _policy_script, .finalize_workitem = _finalize_workitem, - .get_database = _get_database, + .add_recommendation = _add_recommendation, .destroy = _destroy, }, .db = lib->db->create(lib->db, uri), .script = script, - .sessions = linked_list_create(), - .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); if (!this->db) @@ -378,4 +363,3 @@ imv_database_t *imv_database_create(char *uri, char *script) return &this->public; } - diff --git a/src/libimcv/imv/imv_database.h b/src/libimcv/imv/imv_database.h index 48a3ded9e..79551cc79 100644 --- a/src/libimcv/imv/imv_database.h +++ b/src/libimcv/imv/imv_database.h @@ -56,26 +56,6 @@ struct imv_database_t { void (*remove_session)(imv_database_t *this, imv_session_t *session); /** - * Add product information string to a session database entry - * - * @param session Session - * @param product Product information string - * @return Product ID - */ - int (*add_product)(imv_database_t *this, imv_session_t *session, - char *product); - - /** - * Add device identification to a session database entry - * - * @param session Session - * @param device Device identification - * @return Device ID - */ - int (*add_device)(imv_database_t *this, imv_session_t *session, - chunk_t device); - - /** * Add final recommendation to a session database entry * * @param session Session diff --git a/src/libimcv/imv/imv_if.h b/src/libimcv/imv/imv_if.h index fa9765b11..2118509e3 100644 --- a/src/libimcv/imv/imv_if.h +++ b/src/libimcv/imv/imv_if.h 
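Review bot: The imv_database.h hunk removes only `add_product` and `add_device`, while its context line `void (*remove_session)(imv_database_t *this, imv_session_t *session);` shows that `add_session`/`remove_session` remain declared in `imv_database_t`; the imv_database.c INIT hunk on this same line drops `.add_session = _add_session` and `.remove_session = _remove_session`, so those two function pointers are now zero-initialized members that any remaining caller would dereference as NULL. The diffstat lists 20 changed lines for imv_database.h, which is exactly this hunk's deletions, so the stale declarations appear to survive the commit; they should be deleted from the struct along with their doc comments (session handling moved to imv_session_manager). The struct definition starts outside the hunk.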
@@ -26,10 +26,10 @@ static imv_agent_if_t *imv_agent; /* * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, - TNC_Version min_version, - TNC_Version max_version, - TNC_Version *actual_version) +TNC_Result TNC_IMV_API TNC_IMV_Initialize(TNC_IMVID imv_id, + TNC_Version min_version, + TNC_Version max_version, + TNC_Version *actual_version) { if (imv_agent) { @@ -54,9 +54,9 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, /** * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_ConnectionState new_state) +TNC_Result TNC_IMV_API TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_ConnectionState new_state) { if (!imv_agent) { @@ -70,11 +70,11 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, /** * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_BufferReference msg, - TNC_UInt32 msg_len, - TNC_MessageType msg_type) +TNC_Result TNC_IMV_API TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) { if (!imv_agent) { 
@@ -88,15 +88,15 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, /** * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_UInt32 msg_flags, - TNC_BufferReference msg, - TNC_UInt32 msg_len, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imc_id, - TNC_UInt32 dst_imv_id) +TNC_Result TNC_IMV_API TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_UInt32 msg_flags, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_VendorID msg_vid, + TNC_MessageSubtype msg_subtype, + TNC_UInt32 src_imc_id, + TNC_UInt32 dst_imv_id) { if (!imv_agent) { @@ -111,8 +111,8 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, /** * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, - TNC_ConnectionID connection_id) +TNC_Result TNC_IMV_API TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, + TNC_ConnectionID connection_id) { if (!imv_agent) @@ -126,7 +126,8 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, /** * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id, TNC_ConnectionID connection_id) +TNC_Result TNC_IMV_API TNC_IMV_BatchEnding(TNC_IMVID imv_id, + TNC_ConnectionID connection_id) { if (!imv_agent) { @@ -139,7 +140,7 @@ TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id, TNC_ConnectionID connection_id) /** * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id) +TNC_Result TNC_IMV_API TNC_IMV_Terminate(TNC_IMVID imv_id) { if (!imv_agent) { 
@@ -155,8 +156,8 @@ TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id) /** * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id, - TNC_TNCS_BindFunctionPointer bind_function) +TNC_Result TNC_IMV_API TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id, + TNC_TNCS_BindFunctionPointer bind_function) { if (!imv_agent) { diff --git a/src/libimcv/imv/imv_os_info.c b/src/libimcv/imv/imv_os_info.c new file mode 100644 index 000000000..dfab19434 --- /dev/null +++ b/src/libimcv/imv/imv_os_info.c 
@@ -0,0 +1,168 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_os_info.h" + +typedef struct private_imv_os_info_t private_imv_os_info_t; + +/** + * Private data of an imv_os_info_t object. + * + */ +struct private_imv_os_info_t { + + /** + * Public imv_os_info_t interface. + */ + imv_os_info_t public; + + /** + * OS type + */ + os_type_t type; + + /** + * OS name + */ + chunk_t name; + + /** + * OS version + */ + chunk_t version; + + /** + * This flag allows the OS version to be empty + */ + bool version_is_set; + + /** + * OS Product Information (OS Name | OS Version) + */ + char *info; + +}; + +METHOD(imv_os_info_t, get_type, os_type_t, + private_imv_os_info_t *this) +{ + return this->type; +} + +METHOD(imv_os_info_t, set_name, void, + private_imv_os_info_t *this, chunk_t name) +{ + /* Has the OS name already been set? */ + if (this->name.len) + { + if (chunk_equals(name, this->name)) + { + return; + } + free(this->name.ptr); + + /* Also clear the OS info string */ + free(this->info); + this->info = NULL; + } + this->name = chunk_clone(name); + this->type = os_type_from_name(name); +} + +METHOD(imv_os_info_t, get_name, chunk_t, + private_imv_os_info_t *this) +{ + return this->name; +} + +METHOD(imv_os_info_t, set_version, void, + private_imv_os_info_t *this, chunk_t version) +{ + /* Has the OS version already been set? 
*/ + if (this->version_is_set) + { + if (chunk_equals(version, this->version)) + { + return; + } + free(this->version.ptr); + + /* Also clear the OS info string */ + free(this->info); + this->info = NULL; + } + this->version = chunk_clone(version); + this->version_is_set = TRUE; +} + +METHOD(imv_os_info_t, get_version, chunk_t, + private_imv_os_info_t *this) +{ + return this->version; +} + +METHOD(imv_os_info_t, get_info, char*, + private_imv_os_info_t *this) +{ + int len; + + if (!this->info) + { + /* Have both OS name and OS version been set? */ + if (this->name.len == 0 || !this->version_is_set) + { + return NULL; + } + + /* OS info is a concatenation of OS name and OS version */ + len = this->name.len + 1 + this->version.len + 1; + this->info = malloc(len); + snprintf(this->info, len, "%.*s %.*s", + (int)this->name.len, this->name.ptr, + (int)this->version.len, this->version.ptr); + } + return this->info; +} + +METHOD(imv_os_info_t, destroy, void, + private_imv_os_info_t *this) +{ + free(this->name.ptr); + free(this->version.ptr); + free(this->info); + free(this); +} + +/** + * See header + */ +imv_os_info_t *imv_os_info_create(void) +{ + private_imv_os_info_t *this; + + INIT(this, + .public = { + .get_type = _get_type, + .set_name = _set_name, + .get_name = _get_name, + .set_version = _set_version, + .get_version = _get_version, + .get_info = _get_info, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libimcv/imv/imv_os_info.h b/src/libimcv/imv/imv_os_info.h new file mode 100644 index 000000000..b68a17ee7 --- /dev/null +++ b/src/libimcv/imv/imv_os_info.h 
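Review bot: In `get_info` the combined length is computed into `int len` from two `size_t` chunk lengths before `malloc(len)`, and `%.*s` stops at the first NUL byte inside either chunk, so the cached `info` string can be shorter than name + version and two distinct (name, version) pairs can yield the same string. If these chunks originate from attributes sent by the client (their source is not visible in this hunk), a comment above the concatenation should state that `info` is a display string and is not a unique key, and `len` should be declared as `size_t len = this->name.len + 1 + this->version.len + 1;`. `set_name` and `set_version` are the natural place to reject or strip embedded NUL bytes once, rather than leaving it to every consumer of `get_name`/`get_version`.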
@@ -0,0 +1,88 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_os_info imv_os_info + * @{ @ingroup libimcv + */ + +#ifndef IMV_OS_INFO_H_ +#define IMV_OS_INFO_H_ + +typedef struct imv_os_info_t imv_os_info_t; + +#include "os_info/os_info.h" + +#include <library.h> + +/** + * Interface for the IMV Operating System (OS) information module + */ +struct imv_os_info_t { + + /** + * Get the OS type + * + * @return OS type + */ + os_type_t (*get_type)(imv_os_info_t *this); + + /** + * Set the OS product name or distribution + * + * @param name OS name + */ + void (*set_name)(imv_os_info_t *this, chunk_t name); + + /** + * Get the OS product name or distribution + * + * @return OS name + */ + chunk_t (*get_name)(imv_os_info_t *this); + + /** + * Set the OS version or release + * + * @param version OS version + */ + void (*set_version)(imv_os_info_t *this, chunk_t version); + + /** + * Get the OS version or release + * + * @return OS version + */ + chunk_t (*get_version)(imv_os_info_t *this); + + /** + * Get the OS version or release + * + * @return OS name | OS version + */ + char* (*get_info)(imv_os_info_t *this); + + /** + * Destroys an imv_os_info_t object. + */ + void (*destroy)(imv_os_info_t *this); +}; + +/** + * Create an imv_os_info_t object + */ +imv_os_info_t* imv_os_info_create(void); + +#endif /** IMV_OS_INFO_H_ @}*/ 
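Review bot: The doc comment for `get_info` in `imv_os_info.h` repeats `get_version`'s text ("Get the OS version or release") and so misdescribes the method; the implementation in imv_os_info.c returns the concatenation of name and version, or NULL until both have been set. Suggested replacement: `Get the OS product information string` with `@return "OS name OS version", or NULL if name or version has not been set yet`, plus a sentence that the returned buffer is owned by the object and released by `destroy`. `get_name` and `get_version` return the internal chunk by value and would benefit from the same ownership remark so callers do not free it.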
diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c
index 028721af3..50f7f2e39 100644
--- a/src/libimcv/imv/imv_policy_manager.c
+++ b/src/libimcv/imv/imv_policy_manager.c
@@ -278,7 +278,7 @@ static bool policy_stop(database_t *db, int session_id)
 int main(int argc, char *argv[])
 {
 database_t *db;
- char *uri, *tnc_session_id;
+ char *uri;
 int session_id;
 bool start, success;
@@ -299,7 +299,7 @@ int main(int argc, char *argv[])
 exit(SS_RC_INITIALIZATION_FAILED);
 }
- if (argc < 2)
+ if (argc < 3)
 {
 usage();
 exit(SS_RC_INITIALIZATION_FAILED);
@@ -318,14 +318,7 @@ int main(int argc, char *argv[])
 exit(SS_RC_INITIALIZATION_FAILED);
 }
- /* get session ID */
- tnc_session_id = getenv("TNC_SESSION_ID");
- if (!tnc_session_id)
- {
- fprintf(stderr, "environment variable TNC_SESSION_ID is not defined\n");
- exit(SS_RC_INITIALIZATION_FAILED);
- }
- session_id = atoi(tnc_session_id);
+ session_id = atoi(argv[2]);
 /* attach IMV database */
 uri = lib->settings->get_str(lib->settings,
diff --git a/src/libimcv/imv/imv_policy_manager_usage.c b/src/libimcv/imv/imv_policy_manager_usage.c
index 3167a5441..c71bc9958 100644
--- a/src/libimcv/imv/imv_policy_manager_usage.c
+++ b/src/libimcv/imv/imv_policy_manager_usage.c
@@ -24,6 +24,5 @@ void usage(void)
 {
 printf("\
 Usage:\n\
- imv_policy_manager start|stop\n");
+ imv_policy_manager start|stop <tnc-session-id>\n");
 }
-
diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c
index 754f1f74c..1f0d8cf14 100644
--- a/src/libimcv/imv/imv_session.c
+++ b/src/libimcv/imv/imv_session.c
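Review bot: `session_id = atoi(argv[2]);` in the third imv_policy_manager.c hunk accepts any string: `atoi` returns 0 for non-numeric input and gives no indication of overflow, so a malformed or empty argument silently becomes session 0 and is handed to policy_start/policy_stop, whereas the removed `getenv` path at least rejected a missing value. Now that the ID comes from a script argument rather than the environment, parse it with `strtol` and reject anything that is not a positive in-range integer, as below (needs a `char *end;` next to the other locals in the first hunk and `INT_MAX` from `<limits.h>` if not already available). The body of `main` starts and ends outside these hunks.
```c
	/* get session ID from the command line; accept only a positive integer */
	id = strtol(argv[2], &end, 10);
	if (end == argv[2] || *end != '\0' || id <= 0 || id > INT_MAX)
	{
		fprintf(stderr, "invalid session ID '%s'\n", argv[2]);
		exit(SS_RC_INITIALIZATION_FAILED);
	}
	session_id = (int)id;
	/* … unchanged: attach IMV database … */
```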
@@ -35,11 +35,51 @@ struct private_imv_session_t { int session_id; /** + * Unique Product ID + */ + int pid; + + /** + * Unique Device ID + */ + int did; + + /** * TNCCS connection ID */ TNC_ConnectionID conn_id; /** + * Session creation time + */ + time_t created; + + /** + * Access Requestor ID type + */ + uint32_t ar_id_type; + + /** + * Access Requestor ID value + */ + chunk_t ar_id_value; + + /** + * OS information + */ + imv_os_info_t *os_info; + + /** + * Device ID + */ + chunk_t device_id; + + /** + * Is Device ID trusted? + */ + bool trusted; + + /** * Have the workitems been generated? */ bool policy_started; @@ -56,9 +96,25 @@ struct private_imv_session_t { }; +METHOD(imv_session_t, set_session_id, void, + private_imv_session_t *this, int session_id, int pid, int did) +{ + this->session_id = session_id; + this->pid = pid; + this->did = did; +} + METHOD(imv_session_t, get_session_id, int, - private_imv_session_t *this) + private_imv_session_t *this, int *pid, int *did) { + if (pid) + { + *pid = this->pid; + } + if (did) + { + *did = this->did; + } return this->session_id; } 
@@ -68,6 +124,72 @@ METHOD(imv_session_t, get_connection_id, TNC_ConnectionID, return this->conn_id; } +METHOD(imv_session_t, get_creation_time, time_t, + private_imv_session_t *this) +{ + return this->created; +} + +METHOD(imv_session_t, get_ar_id, chunk_t, + private_imv_session_t *this, uint32_t *ar_id_type) +{ + if (ar_id_type) + { + *ar_id_type = this->ar_id_type; + } + return this->ar_id_value; +} + +METHOD(imv_session_t, get_os_info, imv_os_info_t*, + private_imv_session_t *this) +{ + return this->os_info; +} + +METHOD(imv_session_t, set_device_id, void, + private_imv_session_t *this, chunk_t device_id) +{ + if (device_id.len == 0) + { + device_id = chunk_from_str("unknown"); + } + if (this->device_id.len) + { + if (chunk_equals(device_id, this->device_id)) + { + return; + } + free(this->device_id.ptr); + } + this->device_id = chunk_clone(device_id); +} + +METHOD(imv_session_t, get_device_id, bool, + private_imv_session_t *this, chunk_t *device_id) +{ + if (this->device_id.len == 0) + { + return FALSE; + } + if (device_id) + { + *device_id = this->device_id; + } + return TRUE; +} + +METHOD(imv_session_t, set_device_trust, void, + private_imv_session_t *this, bool trusted) +{ + this->trusted = trusted; +} + +METHOD(imv_session_t, get_device_trust, bool, + private_imv_session_t *this) +{ + return this->trusted; +} + METHOD(imv_session_t, set_policy_started, void, private_imv_session_t *this, bool start) { @@ -95,10 +217,6 @@ METHOD(imv_session_t, remove_workitem, void, METHOD(imv_session_t, create_workitem_enumerator, enumerator_t*, private_imv_session_t *this) { - if (!this->policy_started) - { - return NULL; - } return this->workitems->create_enumerator(this->workitems); } @@ -137,6 +255,9 @@ METHOD(imv_session_t, destroy, void, { this->workitems->destroy_offset(this->workitems, offsetof(imv_workitem_t, destroy)); + this->os_info->destroy(this->os_info); + free(this->ar_id_value.ptr); + free(this->device_id.ptr); free(this); } } 
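Review bot: `set_device_id` substitutes the literal `"unknown"` for an empty device ID, so `get_device_id` subsequently reports TRUE and every client that sent no device ID carries the same identifier. If that identifier is used elsewhere to select or create a row in the `devices` table (not visible in this hunk), all such clients would share one record and with it the `trusted` flag that `set_device_trust` controls. A comment on the substitution should make the intent explicit, e.g. `/* clients without a device ID share the sentinel "unknown"; it must never be marked trusted */`, and `set_device_trust` could refuse to set `trusted` while `this->device_id` equals that sentinel.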
@@ -144,14 +265,23 @@ METHOD(imv_session_t, destroy, void, /** * See header */ -imv_session_t *imv_session_create(int session_id, TNC_ConnectionID conn_id) +imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, + uint32_t ar_id_type, chunk_t ar_id_value) { private_imv_session_t *this; INIT(this, .public = { + .set_session_id = _set_session_id, .get_session_id = _get_session_id, .get_connection_id = _get_connection_id, + .get_creation_time = _get_creation_time, + .get_ar_id = _get_ar_id, + .get_os_info = _get_os_info, + .set_device_id = _set_device_id, + .get_device_id = _get_device_id, + .set_device_trust = _set_device_trust, + .get_device_trust = _get_device_trust, .set_policy_started = _set_policy_started, .get_policy_started = _get_policy_started, .insert_workitem = _insert_workitem, @@ -161,8 +291,11 @@ imv_session_t *imv_session_create(int session_id, TNC_ConnectionID conn_id) .get_ref = _get_ref, .destroy = _destroy, }, - .session_id = session_id, .conn_id = conn_id, + .created = created, + .ar_id_type = ar_id_type, + .ar_id_value = chunk_clone(ar_id_value), + .os_info = imv_os_info_create(), .workitems = linked_list_create(), .ref = 1, ); diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h index 6b94523b8..42b9118a6 100644 --- a/src/libimcv/imv/imv_session.h +++ b/src/libimcv/imv/imv_session.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -23,11 +23,13 @@ #define IMV_SESSION_H_ #include "imv_workitem.h" +#include "imv_os_info.h" #include <tncifimv.h> - #include <library.h> +#include <time.h> + typedef struct imv_session_t imv_session_t; /** 
@@ -36,11 +38,22 @@ typedef struct imv_session_t imv_session_t; struct imv_session_t { /** + * Set unique session ID + * + * @param session_id primary key into sessions table + * @param pid primary key into products table + * @param did Primary key into devices table + */ + void (*set_session_id)(imv_session_t *this, int session_id, int pid, int did); + + /** * Get unique session ID * - * @return Session ID + * @param pid primary key into products table + * @param did Primary key into devices table + * @return primary key into sessions table */ - int (*get_session_id)(imv_session_t *this); + int (*get_session_id)(imv_session_t *this, int *pid, int *did); /** * Get TNCCS Connection ID 
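Review bot: The `get_session_id` documentation does not say that `pid` and `did` may be NULL, although the implementation in imv_session.c guards both with `if (pid)` / `if (did)` before writing; callers that only need the session ID should be told they can pass NULL. Suggested parameter lines: `@param pid primary key into products table, or NULL` and `@param did primary key into devices table, or NULL`. The mixed `Primary key` / `primary key` spelling in `set_session_id` and `get_session_id` should also be unified.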
@@ -50,6 +63,58 @@ struct imv_session_t { TNC_ConnectionID (*get_connection_id)(imv_session_t *this); /** + * Get session creation time + * + * @return Session creation time + */ + time_t (*get_creation_time)(imv_session_t *this); + + /** + * Get Access Requestor ID + * + * @param id_type Access Requestor TCG Standard ID Type + * @return Access Requestor TCG Standard ID Value + */ + chunk_t (*get_ar_id)(imv_session_t *this, uint32_t *id_type); + + /** + * Get OS Information + * + * @return OS info object + */ + imv_os_info_t* (*get_os_info)(imv_session_t *this); + + /** + * Set Device ID + * + * @param device_id Device ID + */ + void (*set_device_id)(imv_session_t *this, chunk_t device_id); + + /** + * Get Device ID + * + * @param device_id Device ID + * @return TRUE if Device ID has already been set + */ + bool (*get_device_id)(imv_session_t *this, chunk_t *device_id); + + /** + * Set trust into Device ID + * + * @param trusted TRUE if Device ID is trusted + */ + void (*set_device_trust)(imv_session_t *this, bool trusted); + + + /** + * Get device ID trust (needed for TPM-based attestation) + * + * @return TRUE if Device ID is trusted + */ + bool (*get_device_trust)(imv_session_t *this); + + /** * Set policy_started status * * @param start TRUE if policy started, FALSE if policy stopped @@ -105,9 +170,12 @@ struct imv_session_t { /** * Create an imv_session_t instance * - * @param session_id Unique Session ID * @param id Associated Connection ID + * @param created Session creation time + * @param ar_id_type Access Requestor ID type + * @param ar_id_value Access Requestor ID value */ -imv_session_t* imv_session_create(int session_id, TNC_ConnectionID id); +imv_session_t* imv_session_create(TNC_ConnectionID id, time_t created, + uint32_t ar_id_type, chunk_t ar_id_value); #endif /** IMV_SESSION_H_ @}*/ diff --git a/src/libimcv/imv/imv_session_manager.c b/src/libimcv/imv/imv_session_manager.c new file mode 100644 index 000000000..0fb8de45e --- /dev/null 
+++ b/src/libimcv/imv/imv_session_manager.c 
@@ -0,0 +1,131 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_session_manager.h" + +#include <threading/mutex.h> + +typedef struct private_imv_session_manager_t private_imv_session_manager_t; + +/** + * Private data of a imv_session_manager_t object. + */ +struct private_imv_session_manager_t { + + /** + * Public imv_session_manager_t interface. + */ + imv_session_manager_t public; + + /** + * Session list + */ + linked_list_t *sessions; + + /** + * mutex used to lock session list + */ + mutex_t *mutex; + +}; + +METHOD(imv_session_manager_t, add_session, imv_session_t*, + private_imv_session_manager_t *this, TNC_ConnectionID conn_id, + uint32_t ar_id_type, chunk_t ar_id_value) +{ + enumerator_t *enumerator; + imv_session_t *current, *session = NULL; + time_t created; + + this->mutex->lock(this->mutex); + + /* check if a session has already been assigned */ + enumerator = this->sessions->create_enumerator(this->sessions); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (conn_id == current->get_connection_id(current)) + { + session = current; + break; + } + } + enumerator->destroy(enumerator); + + /* session already exists */ + if (session) + { + this->mutex->unlock(this->mutex); + return session->get_ref(session); + } + + /* create a new session entry */ + created = time(NULL); + session = imv_session_create(conn_id, created, ar_id_type, 
ar_id_value); + this->sessions->insert_last(this->sessions, session); + + this->mutex->unlock(this->mutex); + + return session; +} + +METHOD(imv_session_manager_t, remove_session, void, + private_imv_session_manager_t *this, imv_session_t *session) +{ + enumerator_t *enumerator; + imv_session_t *current; + + this->mutex->lock(this->mutex); + enumerator = this->sessions->create_enumerator(this->sessions); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current == session) + { + this->sessions->remove_at(this->sessions, enumerator); + break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(imv_session_manager_t, destroy, void, + private_imv_session_manager_t *this) +{ + this->sessions->destroy_offset(this->sessions, + offsetof(imv_session_t, destroy)); + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * See header + */ +imv_session_manager_t *imv_session_manager_create(void) +{ + private_imv_session_manager_t *this; + + INIT(this, + .public = { + .add_session = _add_session, + .remove_session = _remove_session, + .destroy = _destroy, + }, + .sessions = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + return &this->public; +} + diff --git a/src/libimcv/imv/imv_session_manager.h b/src/libimcv/imv/imv_session_manager.h new file mode 100644 index 000000000..8a733accb --- /dev/null +++ b/src/libimcv/imv/imv_session_manager.h 
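Review bot: The two return paths of `add_session` hand out references differently: an already-listed session is returned through `session->get_ref(session)`, while a newly created one is inserted into `this->sessions` and returned without an extra reference, so the list and the first caller share the single reference set up in `imv_session_create`. If the list is meant to own a reference (its `destroy` does run `destroy_offset` over every remaining session), the new-session path should also `return session->get_ref(session);`; if instead the list is non-owning, a comment on the `sessions` field such as `/* non-owning: a session is destroyed by its last IMV user, remove_session only unlinks it */` would document the invariant that callers must respect. `remove_session` silently does nothing when the session is not in the list; a debug log there would make a lifecycle mismatch visible.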
@@ -0,0 +1,69 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup imv_session_manager_t imv_session_manager + * @{ @ingroup libimcv_imv + */ + +#ifndef IMV_SESSION_MANAGER_H_ +#define IMV_SESSION_MANAGER_H_ + +#include "imv_session.h" + +#include <tncifimv.h> + +#include <library.h> + +typedef struct imv_session_manager_t imv_session_manager_t; + +/** + * IMV session manager interface + */ +struct imv_session_manager_t { + + /** + * Create or get a session associated with a TNCCS connection + * + * @param conn_id TNCCS Connection ID + * @param ar_id_type Access Requestor identity type + * @param ar_id_value Access Requestor identity value + * @return Session associated with TNCCS Connection + */ + imv_session_t* (*add_session)(imv_session_manager_t *this, + TNC_ConnectionID conn_id, + uint32_t ar_id_type, chunk_t ar_id_value); + + /** + * Remove a session + * + * @param session Session + */ + void (*remove_session)(imv_session_manager_t *this, imv_session_t *session); + + + /** + * Destroys an imv_session_manager_t object + */ + void (*destroy)(imv_session_manager_t *this); +}; + +/** + * Create an imv_session_manager_t instance + */ +imv_session_manager_t* imv_session_manager_create(); + +#endif /** IMV_SESSION_MANAGER_H_ @}*/ diff --git a/src/libimcv/imv/imv_state.h b/src/libimcv/imv/imv_state.h index 791846bb1..d11d15e0d 100644 
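Review bot: `imv_session_manager_create()` is declared with an empty parameter list in the header while the definition in imv_session_manager.c uses `(void)`; in C an empty list is an unprototyped declaration, so the header should read `imv_session_manager_t* imv_session_manager_create(void);`. The `@defgroup imv_session_manager_t imv_session_manager` line names the group after the type, unlike `@defgroup imv_os_info imv_os_info` in imv_os_info.h from the same commit, and there is a stray double blank line before `destroy`.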
--- a/src/libimcv/imv/imv_state.h +++ b/src/libimcv/imv/imv_state.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -70,45 +70,28 @@ struct imv_state_t { * * @param max_msg_len maximum size of a PA-TNC message */ - void (*set_max_msg_len)(imv_state_t *this, u_int32_t max_msg_len); + void (*set_max_msg_len)(imv_state_t *this, uint32_t max_msg_len); /** * Get the maximum size of a PA-TNC message for this TNCCS connection * * @return maximum size of a PA-TNC message */ - u_int32_t (*get_max_msg_len)(imv_state_t *this); + uint32_t (*get_max_msg_len)(imv_state_t *this); /** * Set flags for completed actions * * @param flags Flags to be set */ - void (*set_action_flags)(imv_state_t *this, u_int32_t flags); + void (*set_action_flags)(imv_state_t *this, uint32_t flags); /** * Get flags set for completed actions * * @return Flags set for completed actions */ - u_int32_t (*get_action_flags)(imv_state_t *this); - - /** - * Set Access Requestor ID - * - * @param id_type Access Requestor TCG Standard ID Type - * @param id_value Access Requestor TCG Standard ID Value - * - */ - void (*set_ar_id)(imv_state_t *this, u_int32_t id_type, chunk_t id_value); - - /** - * Get Access Requestor ID - * - * @param id_type Access Requestor TCG Standard ID Type - * @return Access Requestor TCG Standard ID Value - */ - chunk_t (*get_ar_id)(imv_state_t *this, u_int32_t *id_type); + uint32_t (*get_action_flags)(imv_state_t *this); /** * Set session associated with TNCCS Connection diff --git a/src/libimcv/imv/tables-mysql.sql b/src/libimcv/imv/tables-mysql.sql new file mode 100644 index 000000000..47ee41c86 --- /dev/null +++ b/src/libimcv/imv/tables-mysql.sql 
@@ -0,0 +1,200 @@
+
+DROP TABLE IF EXISTS `directories`;
+CREATE TABLE `directories` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `path` VARCHAR(2048) NOT NULL
+);
+
+DROP TABLE IF EXISTS `files`;
+CREATE TABLE `files` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `dir` INTEGER DEFAULT 0 REFERENCES `directories`(`id`),
+ `name` VARCHAR(512) NOT NULL
+);
+
+DROP TABLE IF EXISTS `products`;
+CREATE TABLE `products` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `name` VARCHAR(128) NOT NULL
+);
+
+DROP TABLE IF EXISTS `algorithms`;
+CREATE TABLE `algorithms` (
+ `id` INTEGER PRIMARY KEY,
+ `name` VARCHAR(20) NOT NULL
+);
+
+DROP TABLE IF EXISTS `file_hashes`;
+CREATE TABLE `file_hashes` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `file` INTEGER NOT NULL REFERENCES `files`(`id`),
+ `product` INTEGER NOT NULL REFERENCES `products`(`id`),
+ `device` INTEGER DEFAULT 0,
+ `key` INTEGER DEFAULT 0 REFERENCES `keys`(id),
+ `algo` INTEGER NOT NULL REFERENCES `algorithms`(`id`),
+ `hash` VARBINARY(64) NOT NULL
+);
+
+DROP TABLE IF EXISTS `keys`;
+CREATE TABLE `keys` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `keyid` VARBINARY(128) NOT NULL,
+ `owner` VARCHAR(128) NOT NULL
+);
+
+DROP TABLE IF EXISTS `groups`;
+CREATE TABLE `groups` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `name` VARCHAR(50) NOT NULL UNIQUE,
+ `parent` INTEGER
+);
+
+DROP TABLE IF EXISTS `groups_members`;
+CREATE TABLE `groups_members` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `group_id` INTEGER NOT NULL REFERENCES `groups`(`id`),
+ `device_id` INTEGER NOT NULL REFERENCES `devices`(`id`),
+ UNIQUE (`group_id`, `device_id`)
+);
+
+DROP TABLE IF EXISTS `groups_product_defaults`;
+CREATE TABLE `groups_product_defaults` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `group_id` INTEGER NOT NULL REFERENCES `groups`(`id`),
+ `product_id` INTEGER NOT NULL REFERENCES `products`(`id`),
+ UNIQUE (`group_id`, `product_id`)
+);
+
+DROP TABLE IF EXISTS `policies`;
+CREATE TABLE `policies` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `type` INTEGER NOT NULL,
+ `name` VARCHAR(100) NOT NULL UNIQUE,
+ `argument` VARCHAR(100) DEFAULT '' NOT NULL,
+ `rec_fail` INTEGER NOT NULL,
+ `rec_noresult` INTEGER NOT NULL,
+ `file` INTEGER DEFAULT 0 REFERENCES `files`(`id`),
+ `dir` INTEGER DEFAULT 0 REFERENCES `directories`(`id`)
+);
+
+DROP TABLE IF EXISTS `enforcements`;
+CREATE TABLE `enforcements` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `policy` INTEGER NOT NULL REFERENCES `policies`(`id`),
+ `group_id` INTEGER NOT NULL REFERENCES `groups`(`id`),
+ `rec_fail` INTEGER,
+ `rec_noresult` INTEGER,
+ `max_age` INTEGER NOT NULL,
+ UNIQUE (`policy`, `group_id`)
+);
+
+DROP TABLE IF EXISTS `sessions`;
+CREATE TABLE `sessions` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `time` INTEGER NOT NULL,
+ `connection` INTEGER NOT NULL,
+ `identity` INTEGER DEFAULT 0 REFERENCES `identities`(`id`),
+ `device` INTEGER DEFAULT 0 REFERENCES `devices`(`id`),
+ `product` INTEGER DEFAULT 0 REFERENCES `products`(`id`),
+ `rec` INTEGER DEFAULT 3
+);
+
+DROP TABLE IF EXISTS `workitems`;
+CREATE TABLE `workitems` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `session` INTEGER NOT NULL REFERENCES `sessions`(`id`),
+ `enforcement` INTEGER NOT NULL REFERENCES `enforcements`(`id`),
+ `type` INTEGER NOT NULL,
+ `arg_str` VARCHAR(128),
+ `arg_int` INTEGER DEFAULT 0,
+ `rec_fail` INTEGER NOT NULL,
+ `rec_noresult` INTEGER NOT NULL,
+ `rec_final` INTEGER,
+ `result` VARCHAR(128)
+);
+
+DROP TABLE IF EXISTS `results`;
+CREATE TABLE `results` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `session` INTEGER NOT NULL REFERENCES `measurements`(`id`),
+ `policy` INTEGER NOT NULL REFERENCES `policies`(`id`),
+ `rec` INTEGER NOT NULL,
+ `result` TEXT NOT NULL
+);
+
+DROP TABLE IF EXISTS `components`;
+CREATE TABLE `components` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `vendor_id` INTEGER NOT NULL,
+ `name` INTEGER NOT NULL,
+ `qualifier` INTEGER DEFAULT 0
+);
+
+DROP TABLE IF EXISTS `key_component`;
+CREATE TABLE `key_component` (
+ `key` INTEGER NOT NULL,
+ `component` INTEGER NOT NULL,
+ `depth` INTEGER DEFAULT 0,
+ `seq_no` INTEGER DEFAULT 0,
+ PRIMARY KEY (`key`, `component`)
+);
+
+DROP TABLE IF EXISTS `component_hashes`;
+CREATE TABLE `component_hashes` (
+ `component` INTEGER NOT NULL,
+ `key` INTEGER NOT NULL,
+ `seq_no` INTEGER NOT NULL,
+ `pcr` INTEGER NOT NULL,
+ `algo` INTEGER NOT NULL,
+ `hash` VARBINARY(32) NOT NULL,
+ PRIMARY KEY(`component`, `key`, `seq_no`, `algo`)
+);
+
+DROP TABLE IF EXISTS `packages`;
+CREATE TABLE `packages` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `name` VARCHAR(128) NOT NULL,
+ `blacklist` INTEGER DEFAULT 0
+);
+
+DROP TABLE IF EXISTS versions;
+CREATE TABLE versions (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `package` INTEGER NOT NULL REFERENCES packages(id),
+ `product` INTEGER NOT NULL REFERENCES products(id),
+ `release` VARCHAR(32) NOT NULL,
+ `security` INTEGER DEFAULT 0,
+ `blacklist` INTEGER DEFAULT 0,
+ `time` INTEGER DEFAULT 0
+);
+
+DROP TABLE IF EXISTS `devices`;
+CREATE TABLE `devices` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `description` VARCHAR(100) DEFAULT "",
+ `value` VARCHAR(256) NOT NULL,
+ `product` INTEGER REFERENCES `products`(`id`),
+ `created` INTEGER
+);
+
+DROP TABLE IF EXISTS `identities`;
+CREATE TABLE `identities` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `type` INTEGER NOT NULL,
+ `value` VARBINARY(128) NOT NULL,
+ UNIQUE (type, value)
+);
+
+DROP TABLE IF EXISTS `regids`;
+CREATE TABLE `regids` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `name` TEXT NOT NULL
+);
+
+DROP TABLE IF EXISTS `tags`;
+CREATE TABLE `tags` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `regid` INTEGER NOT NULL REFERENCES `regids`(`id`),
+ `unique_sw_id` VARCHAR(64) NOT NULL,
+ `value` VARCHAR(128)
+);
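Review bot: In `results`, the `session` column is declared with `REFERENCES measurements(id)` (in the file's backtick quoting), but no `measurements` table exists anywhere in this schema; by analogy with `workitems` it should be `session INTEGER NOT NULL REFERENCES sessions(id)`. More generally, MySQL parses but ignores column-level `REFERENCES` clauses, so none of the foreign keys in this file are enforced; if integrity is wanted they must be table-level `FOREIGN KEY (...) REFERENCES ...` constraints on an InnoDB table, at which point creation order matters (`file_hashes` refers to `keys` before it is created). This file also keeps the `keys` and `key_component` tables and the old composite-key `component_hashes` layout and has no `devices.trusted` column, while the tables.sql hunks in this same commit drop, reshape and add those respectively, so the two schemas already diverge. Lastly, `description VARCHAR(100) DEFAULT ""` uses double quotes, which fails under `ANSI_QUOTES`; `DEFAULT ''` is portable.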
diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql
index a0f3a4e8d..f7324896e 100644
--- a/src/libimcv/imv/tables.sql
+++ b/src/libimcv/imv/tables.sql
@@ -42,27 +42,11 @@ CREATE TABLE file_hashes (
 id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 file INTEGER NOT NULL REFERENCES files(id),
 product INTEGER NOT NULL REFERENCES products(id),
- device INTEGER DEFAULT 0,
- key INTEGER DEFAULT 0 REFERENCES keys(id),
+ device INTEGER DEFAULT 0 REFERENCES devices(id),
 algo INTEGER NOT NULL REFERENCES algorithms(id),
 hash BLOB NOT NULL
 );
-DROP TABLE IF EXISTS keys;
-CREATE TABLE keys (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- keyid BLOB NOT NULL,
- owner TEXT NOT NULL
-);
-DROP INDEX IF EXISTS keys_keyid;
-CREATE INDEX keys_keyid ON keys (
- keyid
-);
-DROP INDEX IF EXISTS keys_owner;
-CREATE INDEX keys_owner ON keys (
- owner
-);
-
 DROP TABLE IF EXISTS groups;
 CREATE TABLE groups (
 id INTEGER NOT NULL PRIMARY KEY,
@@ -156,29 +140,19 @@ CREATE TABLE components (
 id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 vendor_id INTEGER NOT NULL,
 name INTEGER NOT NULL,
- qualifier INTEGER DEFAULT 0
+ qualifier INTEGER DEFAULT 0,
+ label TEXT NOT NULL
 );
-
-DROP TABLE IF EXISTS key_component;
-CREATE TABLE key_component (
- key INTEGER NOT NULL,
- component INTEGER NOT NULL,
- depth INTEGER DEFAULT 0,
- seq_no INTEGER DEFAULT 0,
- PRIMARY KEY (key, component)
-);
-
-
 DROP TABLE IF EXISTS component_hashes;
 CREATE TABLE component_hashes (
- component INTEGER NOT NULL,
- key INTEGER NOT NULL,
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ component INTEGER NOT NULL REFERENCES components(id),
+ key INTEGER NOT NULL REFERENCES devices(id),
 seq_no INTEGER NOT NULL,
 pcr INTEGER NOT NULL,
- algo INTEGER NOT NULL,
- hash BLOB NOT NULL,
- PRIMARY KEY(component, key, seq_no, algo)
+ algo INTEGER NOT NULL REFERENCES algorithms(id),
+ hash BLOB NOT NULL
 );
 DROP TABLE IF EXISTS packages;
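Review bot: The rewritten `component_hashes` drops the composite `PRIMARY KEY(component, key, seq_no, algo)` in favour of an AUTOINCREMENT `id` but adds no replacement uniqueness constraint, so the same reference measurement can now be stored twice for one component/device/sequence/algorithm and a lookup expecting a single reference hash may get several rows; `UNIQUE (component, key, seq_no, algo)` after `hash BLOB NOT NULL,` restores the invariant. The column `key` now references `devices(id)`, which its name no longer conveys; if renaming it to `device` is out of scope, a comment such as `-- key: device that produced the reference measurement (devices.id)` would help. In `file_hashes`, `device INTEGER DEFAULT 0 REFERENCES devices(id)` uses 0 as "no device", a value no AUTOINCREMENT `devices` row will carry, which only passes because SQLite does not enforce foreign keys unless `PRAGMA foreign_keys` is on.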
@@ -217,6 +191,7 @@ CREATE TABLE devices (
 description TEXT DEFAULT '',
 value TEXT NOT NULL,
 product INTEGER REFERENCES products(id),
+ trusted INTEGER DEFAULT 0,
 created INTEGER
 );
 DROP INDEX IF EXISTS devices_id;
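Review bot: The new `trusted INTEGER DEFAULT 0` column carries no documentation of its meaning or of who sets it; the `set_device_trust`/`get_device_trust` methods added to imv_session.h in this commit describe the flag as needed for TPM-based attestation. A comment line above it, `-- trusted: 1 once the device ID has been verified (e.g. via TPM-based attestation), 0 otherwise`, and a domain constraint `trusted INTEGER DEFAULT 0 CHECK (trusted IN (0, 1)),` would pin both. The `CREATE TABLE devices` statement starts outside this hunk.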
@@ -232,25 +207,101 @@ CREATE TABLE identities (
 UNIQUE (type, value)
 );
 
-DROP TABLE IF EXISTS regids;
-CREATE TABLE regids (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- name TEXT NOT NULL
+DROP TABLE IF EXISTS "swid_entities";
+CREATE TABLE "swid_entities" (
+ "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ "name" VARCHAR(255) NOT NULL,
+ "regid" VARCHAR(255) NOT NULL
 );
-DROP INDEX IF EXISTS regids_name;
-CREATE INDEX regids_name ON regids (
- name
+DROP INDEX IF EXISTS "swid_entities_name";
+DROP INDEX IF EXISTS "swid_entities_regid";
+CREATE INDEX "swid_entities_name" ON "swid_entities" (
+ "name"
+);
+CREATE INDEX "swid_entities_regid" ON "swid_entities" (
+ "regid"
 );
 
-DROP TABLE IF EXISTS tags;
-CREATE TABLE tags (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- regid INTEGER NOT NULL REFERENCES regids(id),
- unique_sw_id TEXT NOT NULL,
- value TEXT
+DROP TABLE IF EXISTS "swid_entityroles";
+CREATE TABLE "swid_entityroles" (
+ "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ "tag_id" INTEGER NOT NULL REFERENCES "swid_tags" ("id"),
+ "entity_id" INTEGER NOT NULL,
+ "role" SMALLINT UNSIGNED NOT NULL
+);
+DROP INDEX if EXISTS "swid_entityroles_tag_id";
+DROP INDEX IF EXISTS "swid_entityroles_tag_entity_id";
+CREATE INDEX "swid_entityroles_tag_id" ON "swid_entityroles" (
+ "tag_id"
+);
+CREATE INDEX "swid_entityroles_entity_id" ON "swid_entityroles" (
+ "entity_id"
+);
+
+DROP TABLE IF EXISTS "swid_tags";
+CREATE TABLE "swid_tags" (
+ "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ "package_name" VARCHAR(255) NOT NULL,
+ "version" VARCHAR(255) NOT NULL,
+ "unique_id" VARCHAR(255) NOT NULL,
+ "swid_xml" TEXT NOT NULL,
+ "software_id" VARCHAR(255) NOT NULL
+);
+DROP INDEX if EXISTS "swid_tags_unique_id";
+DROP INDEX IF EXISTS "swid_tags_package_name";
+DROP INDEX IF EXISTS "swid_tags_software_id";
+CREATE INDEX "swid_tags_unique_id" ON "swid_tags" (
+ "unique_id"
+);
+CREATE INDEX "swid_tags_package_name" ON "swid_tags" (
+ "package_name"
+);
+CREATE INDEX "swid_tags_software_id" ON "swid_tags" (
+ "software_id"
+);
+
+DROP TABLE IF EXISTS "swid_tags_files";
+CREATE TABLE "swid_tags_files" (
+ "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ "tag_id" INTEGER NOT NULL,
+ "file_id" INTEGER NOT NULL REFERENCES "files" ("id"),
+ UNIQUE ("tag_id", "file_id")
+);
+DROP INDEX IF EXISTS "swid_tags_files_file_id";
+DROP INDEX IF EXISTS "swid_tags_files_tag_id";
+CREATE INDEX "swid_tags_files_file_id" ON "swid_tags_files" (
+ "file_id"
+);
+CREATE INDEX "swid_tags_files_tag_id" ON "swid_tags_files" (
+ "tag_id"
+);
+
+DROP TABLE IF EXISTS "swid_tags_sessions";
+CREATE TABLE "swid_tags_sessions" (
+ "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ "tag_id" INTEGER NOT NULL,
+ "session_id" INTEGER NOT NULL REFERENCES "sessions" ("id"),
+ UNIQUE ("tag_id", "session_id")
+);
+DROP INDEX IF EXISTS "swid_tags_sessions_tag_id";
+DROP INDEX IF EXISTS "swid_tags_sessions_session_id";
+CREATE INDEX "swid_tags_sessions_tag_id" ON "swid_tags_sessions" (
+ "tag_id"
 );
-DROP INDEX IF EXISTS tags_name;
-CREATE INDEX tags_unique_sw_id ON tags (
- unique_sw_id
+CREATE INDEX "swid_tags_sessions_session_id" ON "swid_tags_sessions" (
+"session_id"
 );
 
+DROP TABLE IF EXISTS "swid_tagstats";
+CREATE TABLE "swid_tagstats" (
+ "id" integer NOT NULL PRIMARY KEY,
+ "tag_id" integer NOT NULL REFERENCES "swid_tags" ("id"),
+ "device_id" integer NOT NULL REFERENCES "devices" ("id"),
+ "first_seen_id" integer NOT NULL REFERENCES "sessions" ("id"),
+ "last_seen_id" integer NOT NULL REFERENCES "sessions" ("id"),
+ UNIQUE ("tag_id", "device_id")
+);
+CREATE INDEX "swid_tagstats_tag_id" ON "swid_tagstats" ("tag_id");
+CREATE INDEX "swid_tagstats_device_id" ON "swid_tagstats" ("device_id");
+CREATE INDEX "swid_tagstats_first_seen_id" ON "swid_tagstats" ("first_seen_id");
+CREATE INDEX "swid_tagstats_last_seen_id" ON "swid_tagstats" ("last_seen_id"); |
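Review bot: The join columns `"tag_id"` in swid_tags_files and swid_tags_sessions and `"entity_id"` in swid_entityroles carry no REFERENCES clause, while every sibling column in the same tables (`"file_id"`, `"session_id"`, `"tag_id"` in swid_entityroles, all of swid_tagstats) does; with FK enforcement on, rows pointing at a deleted or never-existing tag or entity are accepted here but rejected elsewhere, which makes the inventory the IMV reasons about inconsistent. Declare them `"tag_id" INTEGER NOT NULL REFERENCES "swid_tags" ("id"),` in both tables and `"entity_id" INTEGER NOT NULL REFERENCES "swid_entities" ("id"),` in swid_entityroles. Two smaller points of style in the same hunk: the DROP for swid_entityroles names `"swid_entityroles_tag_entity_id"` while the CREATE names `"swid_entityroles_entity_id"`, so the DROP never matches anything (harmless only because the preceding DROP TABLE removes the table's indexes), and `DROP INDEX if EXISTS` appears three times in lowercase next to the uppercase form used everywhere else.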
