From 0a5de5316e9e0785c9e714064e62bb3ad5e0ca4a Mon Sep 17 00:00:00 2001 From: TheSilentCoder <184309164+ThatSilentCoder@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:14:59 -0400 Subject: [PATCH] Finished issue. Ready for PR --- .../main/java/hirs/utils/SwidResource.java | 2 +- .../hirs/utils/swid/SwidTagConstants.java | 2 +- .../events/DeviceSecurityEventDataHeader.java | 38 +++-- .../DeviceSecurityEventDataHeader2.java | 137 +++++++++--------- .../DeviceSecurityEventDataPciContext.java | 59 ++++---- ...ceSecurityEventDataSubHeaderCertChain.java | 23 +-- ...ventDataSubHeaderSpdmMeasurementBlock.java | 46 +++--- .../events/DeviceSecurityEventHeader.java | 26 ++-- .../tpm/eventlog/events/EvConstants.java | 12 +- .../utils/tpm/eventlog/events/EvNoAction.java | 52 +++---- .../events/NvIndexDynamicEventLogData.java | 48 +++--- .../events/NvIndexInstanceEventLogData.java | 35 +++-- .../eventlog/spdm/SpdmCertificateChain.java | 45 +++--- .../hirs/utils/tpm/eventlog/spdm/SpdmHa.java | 71 +++------ .../tpm/eventlog/spdm/SpdmMeasurement.java | 81 +++++++++-- .../utils/tpm/eventlog/TCGEventLogTest.java | 127 ++++++++-------- build.gradle | 16 +- 17 files changed, 445 insertions(+), 375 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/SwidResource.java b/HIRS_Utils/src/main/java/hirs/utils/SwidResource.java index 01d3b35c..86267964 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/SwidResource.java +++ b/HIRS_Utils/src/main/java/hirs/utils/SwidResource.java @@ -19,7 +19,7 @@ import java.util.Map; public class SwidResource { @Getter - private final boolean validFileSize = false; + private static final boolean VALID_FILE_SIZE = false; @Getter @Setter diff --git a/HIRS_Utils/src/main/java/hirs/utils/swid/SwidTagConstants.java b/HIRS_Utils/src/main/java/hirs/utils/swid/SwidTagConstants.java index baec697f..af58a8bc 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/swid/SwidTagConstants.java +++ b/HIRS_Utils/src/main/java/hirs/utils/swid/SwidTagConstants.java 
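Review bot: Keeping `@Getter` on the field after it becomes `private static final boolean VALID_FILE_SIZE` in SwidResource changes the generated accessor: Lombok derives the method from the field's name and scope, so the instance method `isValidFileSize()` that callers presumably use would be replaced by a static one named after the constant, which is both a source-incompatible change and an odd name. If the value really is a constant, drop the annotation and expose it explicitly, `public static boolean isValidFileSize() { return VALID_FILE_SIZE; }`; if it was meant to be set while the file size is validated, the right fix is a non-final instance field rather than a constant. The enclosing class continues outside the hunk.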
@@ -8,7 +8,7 @@ import javax.xml.namespace.QName; * class. It is expected that member properties of this class will expand as * more functionality is added to SwidTagGateway. */ -public class SwidTagConstants { +public final class SwidTagConstants { public static final String DEFAULT_KEYSTORE_FILE = "keystore.jks"; //"/opt/hirs/rimtool/keystore.jks"; public static final String DEFAULT_KEYSTORE_PASSWORD = "password"; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java index 9d02ea47..587b963e 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java @@ -13,18 +13,18 @@ import java.io.IOException; * Class to process the DEVICE_SECURITY_EVENT_DATA_HEADER. * DEVICE_SECURITY_EVENT_DATA_HEADER contains the measurement(s) and hash algorithm identifier * returned by the SPDM "GET_MEASUREMENTS" function. - * + *

* HEADERS defined by PFP v1.06 Rev 52: *

* typedef struct tdDEVICE_SECURITY_EVENT_DATA_HEADER { - * UINT8 Signature[16]; - * UINT16 Version; - * UINT16 Length; - * UINT32 SpdmHashAlg; - * UINT32 DeviceType; - * SPDM_MEASUREMENT_BLOCK SpdmMeasurementBlock; - * UINT64 DevicePathLength; - * UNIT8 DevicePath[DevicePathLength] + * UINT8 Signature[16]; + * UINT16 Version; + * UINT16 Length; + * UINT32 SpdmHashAlg; + * UINT32 DeviceType; + * SPDM_MEASUREMENT_BLOCK SpdmMeasurementBlock; + * UINT64 DevicePathLength; + * UNIT8 DevicePath[DevicePathLength] * } DEVICE_SECURITY_EVENT_DATA_HEADER; *

* Assumption: there is only 1 SpdmMeasurementBlock per event. Need more test patterns to verify. @@ -62,8 +62,9 @@ public class DeviceSecurityEventDataHeader extends DeviceSecurityEventHeader { super(dsedBytes); + final int dsedBytesSrcIndex1 = 18; byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; - System.arraycopy(dsedBytes, 18, lengthBytes, 0, + System.arraycopy(dsedBytes, dsedBytesSrcIndex1, lengthBytes, 0, UefiConstants.SIZE_2); length = HexUtils.leReverseInt(lengthBytes); @@ -72,18 +73,22 @@ public class DeviceSecurityEventDataHeader extends DeviceSecurityEventHeader { UefiConstants.SIZE_4); spdmHashAlgo = HexUtils.leReverseInt(spdmHashAlgoBytes); - extractDeviceType(dsedBytes, 24); + final int dsedBytesStartByte = 24; + extractDeviceType(dsedBytes, dsedBytesStartByte); // get the size of the SPDM Measurement Block + final int dsedBytesSrcIndex2 = 30; byte[] sizeOfSpdmMeasBlockBytes = new byte[UefiConstants.SIZE_2]; - System.arraycopy(dsedBytes, 30, sizeOfSpdmMeasBlockBytes, 0, + System.arraycopy(dsedBytes, dsedBytesSrcIndex2, sizeOfSpdmMeasBlockBytes, 0, UefiConstants.SIZE_2); - int sizeOfSpdmMeas = HexUtils.leReverseInt(sizeOfSpdmMeasBlockBytes); - int sizeOfSpdmMeasBlock = sizeOfSpdmMeas + 4; // header is 4 bytes + final int sizeOfSpdmMeas = HexUtils.leReverseInt(sizeOfSpdmMeasBlockBytes); + final int offSetBytesForSpdm = 4; + final int sizeOfSpdmMeasBlock = sizeOfSpdmMeas + offSetBytesForSpdm; // header is 4 bytes // extract the bytes that comprise the SPDM Measurement Block + final int dsedBytesSrcIndex3 = 28; byte[] spdmMeasBlockBytes = new byte[sizeOfSpdmMeasBlock]; - System.arraycopy(dsedBytes, 28, spdmMeasBlockBytes, 0, + System.arraycopy(dsedBytes, dsedBytesSrcIndex3, spdmMeasBlockBytes, 0, sizeOfSpdmMeasBlock); ByteArrayInputStream spdmMeasurementBlockData = 
@@ -96,7 +101,8 @@ public class DeviceSecurityEventDataHeader extends DeviceSecurityEventHeader { spdmMeasurementBlockInfo = " Error reading SPDM Measurement Block"; } - int devPathLenStartByte = 28 + sizeOfSpdmMeasBlock; + final int offSetBytesForDevPath = 28; + final int devPathLenStartByte = offSetBytesForDevPath + sizeOfSpdmMeasBlock; extractDevicePathAndFinalSize(dsedBytes, devPathLenStartByte); } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java index 6c402afd..55ec9c06 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java @@ -7,26 +7,52 @@ import lombok.Getter; * Class to process the DEVICE_SECURITY_EVENT_DATA_HEADER2. * DEVICE_SECURITY_EVENT_DATA_HEADER2 contains the measurement(s) and hash algorithm identifier * returned by the SPDM "GET_MEASUREMENTS" function. - * + *
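Review bot: `offSetBytesForDevPath = 28` in this hunk and `dsedBytesSrcIndex3 = 28` in the previous one are the same struct offset (where SpdmMeasurementBlock starts, per the header comment: 16 + 2 + 2 + 4 + 4) declared under two names, and sequence-numbered locals such as `dsedBytesSrcIndex1` tell the reader no more than the literal did. Replacing magic numbers only pays off when the name carries the field, e.g. a class-level `private static final int SPDM_MEAS_BLOCK_OFFSET = 28;` used as `devPathLenStartByte = SPDM_MEAS_BLOCK_OFFSET + sizeOfSpdmMeasBlock`. The same pattern recurs in the DeviceSecurityEventDataHeader2, DeviceSecurityEventDataPciContext and NvIndexDynamicEventLogData constructors in this patch. Separately, `sizeOfSpdmMeas` comes from the event bytes and drives both `new byte[sizeOfSpdmMeasBlock]` and the arraycopy from offset 28 with no comparison against `dsedBytes.length`; whether the surrounding try/catch covers that copy is not visible in the hunk.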

* HEADERS defined by PFP v1.06 Rev 52: *

* typedef struct tdDEVICE_SECURITY_EVENT_DATA_HEADER2 { - * UINT8 Signature[16]; - * UINT16 Version; - * UINT8 AuthState; - * UINT8 Reserved - * UINT32 Length; - * UINT32 DeviceType; - * UINT32 SubHeaderType; - * UINT32 SubHeaderLength; - * UINT64 SubHeaderUID; - * UINT64 DevicePathLength; - * UNIT8 DevicePath[DevicePathLength] + * UINT8 Signature[16]; + * UINT16 Version; + * UINT8 AuthState; + * UINT8 Reserved + * UINT32 Length; + * UINT32 DeviceType; + * UINT32 SubHeaderType; + * UINT32 SubHeaderLength; + * UINT64 SubHeaderUID; + * UINT64 DevicePathLength; + * UNIT8 DevicePath[DevicePathLength] * } DEVICE_SECURITY_EVENT_DATA_HEADER2; *

*/ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { + /** + * Auth state - success. + */ + public static final int AUTH_SUCCESS = 0; + /** + * Auth state - digital signature of the data is valid, but the public key certificate chain is not + * validated with the entry in the UEFI device signature variable. + */ + public static final int AUTH_NO_AUTHORITY = 1; + /** + * Auth state - digital signature of the measurement data is valid, but the reported device capabilities, + * negotiated parameters or certificate chains were not validated by a transcript. + */ + public static final int AUTH_NO_BINDING = 2; + /** + * Auth state - data has no digital signature. + */ + public static final int AUTH_FAIL_NO_SIG = 3; + /** + * Auth state - data is invalid. + */ + public static final int AUTH_FAIL_INVALID = 4; + /** + * Auth state - device is not an SPDM-capable device. + */ + public static final int AUTH_NO_SPDM = 0xFF; /** * Event auth state. */ 
@@ -55,33 +81,6 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { @Getter private String subHeaderUid = ""; - /** - * Auth state - success. - */ - public static final int AUTH_SUCCESS = 0; - /** - * Auth state - digital signature of the data is valid, but the public key certificate chain is not - * validated with the entry in the UEFI device signature variable. - */ - public static final int AUTH_NO_AUTHORITY = 1; - /** - * Auth state - digital signature of the measurement data is valid, but the reported device capabilities, - * negotiated parameters or certificate chains were not validated by a transcript. - */ - public static final int AUTH_NO_BINDING = 2; - /** - * Auth state - data has no digital signature. - */ - public static final int AUTH_FAIL_NO_SIG = 3; - /** - * Auth state - data is invalid. - */ - public static final int AUTH_FAIL_INVALID = 4; - /** - * Auth state - device is not an SPDM-capable device. - */ - public static final int AUTH_NO_SPDM = 0xFF; - /** * DeviceSecurityEventDataHeader2 Constructor. * 
@@ -91,33 +90,43 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { super(dsedBytes); + final int dsedBytesSrcIndex = 18; byte[] authStateBytes = new byte[1]; - System.arraycopy(dsedBytes, 18, authStateBytes, 0, 1); + System.arraycopy(dsedBytes, dsedBytesSrcIndex, authStateBytes, 0, 1); authState = HexUtils.leReverseInt(authStateBytes); // byte[] reserved[Bytes]: 1 byte - byte[] lengthBytes = new byte[4]; - System.arraycopy(dsedBytes, 20, lengthBytes, 0, 4); + final int dsedBytesSrcIndex2 = 20; + final int lengthBytesSize = 4; + byte[] lengthBytes = new byte[lengthBytesSize]; + System.arraycopy(dsedBytes, dsedBytesSrcIndex2, lengthBytes, 0, lengthBytesSize); length = HexUtils.leReverseInt(lengthBytes); - extractDeviceType(dsedBytes, 24); + final int dsedBytesStartByte1 = 24; + extractDeviceType(dsedBytes, dsedBytesStartByte1); - byte[] subHeaderTypeBytes = new byte[4]; - System.arraycopy(dsedBytes, 28, subHeaderTypeBytes, 0, 4); + final int dsedBytesSrcIndex3 = 28; + final int subHeaderTypeBytesSize = 4; + byte[] subHeaderTypeBytes = new byte[subHeaderTypeBytesSize]; + System.arraycopy(dsedBytes, dsedBytesSrcIndex3, subHeaderTypeBytes, 0, subHeaderTypeBytesSize); subHeaderType = HexUtils.leReverseInt(subHeaderTypeBytes); - byte[] subHeaderLengthBytes = new byte[4]; - System.arraycopy(dsedBytes, 32, subHeaderLengthBytes, 0, 4); + final int dsedBytesSrcIndex4 = 32; + final int subHeaderLengthBytesSize = 4; + byte[] subHeaderLengthBytes = new byte[subHeaderLengthBytesSize]; + System.arraycopy(dsedBytes, dsedBytesSrcIndex4, subHeaderLengthBytes, 0, subHeaderLengthBytesSize); subHeaderLength = HexUtils.leReverseInt(subHeaderLengthBytes); - byte[] subHeaderUidBytes = new byte[8]; - System.arraycopy(dsedBytes, 36, subHeaderUidBytes, 0, 8); + final int dsedBytesSrcIndex5 = 36; + final int subHeaderUidBytesSize = 8; + byte[] subHeaderUidBytes = new byte[subHeaderUidBytesSize]; + System.arraycopy(dsedBytes, dsedBytesSrcIndex5, 
subHeaderUidBytes, 0, subHeaderUidBytesSize); subHeaderUidBytes = HexUtils.leReverseByte(subHeaderUidBytes); subHeaderUid = HexUtils.byteArrayToHexString(subHeaderUidBytes); - int devPathLenStartByte = 44; - extractDevicePathAndFinalSize(dsedBytes, devPathLenStartByte); + final int dsedBytesStartByte2 = 44; + extractDevicePathAndFinalSize(dsedBytes, dsedBytesStartByte2); } /** @@ -139,22 +148,14 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { * @return a description of the auth state. */ public String getAuthStateString() { - - switch (authState) { - case AUTH_SUCCESS: - return ("AUTH_SUCCESS"); - case AUTH_NO_AUTHORITY: - return ("AUTH_NO_AUTHORITY"); - case AUTH_NO_BINDING: - return ("AUTH_NO_BINDING"); - case AUTH_FAIL_NO_SIG: - return ("AUTH_FAIL_NO_SIG"); - case AUTH_FAIL_INVALID: - return ("AUTH_FAIL_INVALID"); - case AUTH_NO_SPDM: - return ("AUTH_NO_SPDM"); - default: - return ("Auth State unknown"); - } + return switch (authState) { + case AUTH_SUCCESS -> ("AUTH_SUCCESS"); + case AUTH_NO_AUTHORITY -> ("AUTH_NO_AUTHORITY"); + case AUTH_NO_BINDING -> ("AUTH_NO_BINDING"); + case AUTH_FAIL_NO_SIG -> ("AUTH_FAIL_NO_SIG"); + case AUTH_FAIL_INVALID -> ("AUTH_FAIL_INVALID"); + case AUTH_NO_SPDM -> ("AUTH_NO_SPDM"); + default -> ("Auth State unknown"); + }; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index fda1397c..05073d41 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java @@ -13,27 +13,27 @@ import static hirs.utils.PciIds.translateVendor; * Class to process the DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT event per PFP. *
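Review bot: The sizes introduced in the DeviceSecurityEventDataHeader2 constructor, `lengthBytesSize`, `subHeaderTypeBytesSize` and `subHeaderLengthBytesSize`, are all 4 and duplicate `UefiConstants.SIZE_4`, which the sibling DeviceSecurityEventDataHeader constructor in this same patch already uses for the same purpose; use the existing constant and reserve new locals for offsets that have no name yet. In `getAuthStateString` the parentheses around each arm, `case AUTH_SUCCESS -> ("AUTH_SUCCESS");`, are left over from the old `return (...)` form and can be dropped now that the switch is an expression. The constructor's opening lines are outside the hunk.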

* typedef struct tdDEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT { - * UINT16 Version; - * UINT16 Length; - * UINT16 VendorId; - * UINT16 DeviceId; - * UINT16 RevisionId; - * UINT16 ClassCode[3]; - * UINT16 SubsystemVendorId; - * UINT16 SubsystemId; + * UINT16 Version; + * UINT16 Length; + * UINT16 VendorId; + * UINT16 DeviceId; + * UINT16 RevisionId; + * UINT16 ClassCode[3]; + * UINT16 SubsystemVendorId; + * UINT16 SubsystemId; *

* The following fields are defined by the PCI Express Base Specification rev4.0 v1.0. - * VendorId - * DeviceId - * RevisionId - * ClassCode - * SubsystemVendorId - * SubsystemId + * VendorId + * DeviceId + * RevisionId + * ClassCode + * SubsystemVendorId + * SubsystemId * Vendor id and device id are registered to specific manufacturers. - * https://admin.pci-ids.ucw.cz/read/PC/ - * Ex. vendor id 8086 and device id 0b60: https://admin.pci-ids.ucw.cz/read/PC/8086/0b60 + * https://admin.pci-ids.ucw.cz/read/PC/ + * Ex. vendor id 8086 and device id 0b60: https://admin.pci-ids.ucw.cz/read/PC/8086/0b60 * Class code can be looked up on the web. - * https://admin.pci-ids.ucw.cz/read/PD/ + * https://admin.pci-ids.ucw.cz/read/PD/ * The revision ID is controlled by the vendor and cannot be looked up. */ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDeviceContext { 
@@ -78,28 +78,36 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe super(dSEDpciContextBytes); + final int dSEDpciContextBytesSrcIndex1 = 4; byte[] pciVendorIdBytes = new byte[2]; - System.arraycopy(dSEDpciContextBytes, 4, pciVendorIdBytes, 0, 2); + System.arraycopy(dSEDpciContextBytes, dSEDpciContextBytesSrcIndex1, pciVendorIdBytes, 0, 2); vendorId = HexUtils.byteArrayToHexString(HexUtils.leReverseByte(pciVendorIdBytes)); + final int dSEDpciContextBytesSrcIndex2 = 6; byte[] pciDeviceIdBytes = new byte[2]; - System.arraycopy(dSEDpciContextBytes, 6, pciDeviceIdBytes, 0, 2); + System.arraycopy(dSEDpciContextBytes, dSEDpciContextBytesSrcIndex2, pciDeviceIdBytes, 0, 2); deviceId = HexUtils.byteArrayToHexString(HexUtils.leReverseByte(pciDeviceIdBytes)); + final int dSEDpciContextBytesSrcIndex3 = 8; byte[] pciRevisionIdBytes = new byte[1]; - System.arraycopy(dSEDpciContextBytes, 8, pciRevisionIdBytes, 0, 1); + System.arraycopy(dSEDpciContextBytes, dSEDpciContextBytesSrcIndex3, pciRevisionIdBytes, 0, 1); revisionId = HexUtils.byteArrayToHexString(HexUtils.leReverseByte(pciRevisionIdBytes)); - byte[] pciClassCodeBytes = new byte[3]; - System.arraycopy(dSEDpciContextBytes, 9, pciClassCodeBytes, 0, 3); + final int dSEDpciContextBytesSrcIndex4 = 9; + final int pciClassCodeBytesSize = 3; + byte[] pciClassCodeBytes = new byte[pciClassCodeBytesSize]; + System.arraycopy(dSEDpciContextBytes, dSEDpciContextBytesSrcIndex4, pciClassCodeBytes, 0, + pciClassCodeBytesSize); classCode = HexUtils.byteArrayToHexString(HexUtils.leReverseByte(pciClassCodeBytes)); + final int dSEDpciContextBytesSrcIndex5 = 12; byte[] pciSubsystemVendorIdBytes = new byte[2]; - System.arraycopy(dSEDpciContextBytes, 12, pciSubsystemVendorIdBytes, 0, 2); + System.arraycopy(dSEDpciContextBytes, dSEDpciContextBytesSrcIndex5, pciSubsystemVendorIdBytes, 0, 2); subsystemVendorId = HexUtils.byteArrayToHexString(HexUtils.leReverseByte(pciSubsystemVendorIdBytes)); + final int 
dSEDpciContextBytesSrcIndex6 = 14; byte[] pciSubsystemIdBytes = new byte[2]; - System.arraycopy(dSEDpciContextBytes, 14, pciSubsystemIdBytes, 0, 2); + System.arraycopy(dSEDpciContextBytes, dSEDpciContextBytesSrcIndex6, pciSubsystemIdBytes, 0, 2); subsystemId = HexUtils.byteArrayToHexString(HexUtils.leReverseByte(pciSubsystemIdBytes)); } @@ -118,8 +126,9 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe dSEDpciContextInfo += " RevisionID = " + revisionId + "\n"; List classCodeList = translateDeviceClass(classCode); + final int validClassCodeListSize = 3; dSEDpciContextInfo += " Device Class: \n"; - if (classCodeList.size() == 3) { + if (classCodeList.size() == validClassCodeListSize) { dSEDpciContextInfo += " Class = " + classCodeList.get(0) + "\n"; dSEDpciContextInfo += " Subclass = " + classCodeList.get(1) + "\n"; dSEDpciContextInfo += " Programming Interface = " + classCodeList.get(2) + "\n"; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java index 727883ec..a6c752e9 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java @@ -9,11 +9,11 @@ import hirs.utils.tpm.eventlog.spdm.SpdmHa; * *

* typedef union tdDEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN { - * UINT16 SpdmVersion; - * UINT8 SpdmSlotId; - * UINT8 Reserved; - * UINT32 SpdmBaseHashAlgo; - * SPDM_CERT_CHAIN SpdmCertChain; + * UINT16 SpdmVersion; + * UINT8 SpdmSlotId; + * UINT8 Reserved; + * UINT32 SpdmBaseHashAlgo; + * SPDM_CERT_CHAIN SpdmCertChain; * } DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN; *

* SpdmVersion: SpdmBaseHashAlgo @@ -61,16 +61,21 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve // byte[] reserved[Bytes]: 1 byte - byte[] spdmBaseHashAlgoBytes = new byte[4]; - System.arraycopy(dsedSubHBytes, 4, spdmBaseHashAlgoBytes, 0, 4); + final int dsedSybHBytesSrcIndex1 = 4; + final int spdmBaseHashAlgoBytesSize = 4; + byte[] spdmBaseHashAlgoBytes = new byte[spdmBaseHashAlgoBytesSize]; + System.arraycopy(dsedSubHBytes, dsedSybHBytesSrcIndex1, spdmBaseHashAlgoBytes, 0, + spdmBaseHashAlgoBytesSize); spdmBaseHashAlgo = HexUtils.leReverseInt(spdmBaseHashAlgoBytes); // get the size of the SPDM Cert Chain - int spdmCertChainSize = dsedSubHBytes.length - 8; + final int offsetForSpdmCertChain = 8; + int spdmCertChainSize = dsedSubHBytes.length - offsetForSpdmCertChain; // extract the bytes that comprise the SPDM Cert Chain + final int dsedSybHBytesSrcIndex2 = 8; byte[] spdmCertChainBytes = new byte[spdmCertChainSize]; - System.arraycopy(dsedSubHBytes, 8, spdmCertChainBytes, 0, + System.arraycopy(dsedSubHBytes, dsedSybHBytesSrcIndex2, spdmCertChainBytes, 0, spdmCertChainSize); int spdmBaseHashAlgoSize = SpdmHa.tcgAlgIdToByteSize(spdmBaseHashAlgo); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java index c13c2251..c4cf4659 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java @@ -15,24 +15,28 @@ import java.util.List; * *
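Review bot: The new locals `dsedSybHBytesSrcIndex1` and `dsedSybHBytesSrcIndex2` in the DeviceSecurityEventDataSubHeaderCertChain constructor misspell the parameter they index (`dsedSubHBytes`), and the second one duplicates `offsetForSpdmCertChain`, which is the same offset 8. One descriptive local serves both uses, `final int spdmCertChainOffset = 8;` for `dsedSubHBytes.length - spdmCertChainOffset` and for the arraycopy. Also, `spdmCertChainSize` goes negative when the sub-header is shorter than 8 bytes and surfaces as a NegativeArraySizeException from `new byte[spdmCertChainSize]`; a `dsedSubHBytes.length < spdmCertChainOffset` guard that records the existing error text would keep a malformed log from escaping the parser, and the same arithmetic appears in the DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock constructor. The constructor continues outside the hunk.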

* typedef union tdDEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_MEASUREMENT_BLOCK { - * UINT16 SpdmVersion; - * UINT8 SpdmMeasurementBlockCount; - * UINT8 Reserved; - * UINT32 SpdmMeasurementHashAlgo; - * SPDM_MEASUREMENT_BLOCK SpdmMeasurementBlock[SpdmMeasurementBlockCount]; + * UINT16 SpdmVersion; + * UINT8 SpdmMeasurementBlockCount; + * UINT8 Reserved; + * UINT32 SpdmMeasurementHashAlgo; + * SPDM_MEASUREMENT_BLOCK SpdmMeasurementBlock[SpdmMeasurementBlockCount]; * } DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_MEASUREMENT_BLOCK; *

- * + *

* SpdmMeasurementBlock is an array of SPDM_MEASUREMENT_BLOCKs - * The size of each block is the same and can be found by either: - * 1) 4 + SpdmMeasurementBlock MeasurementSize - * OR - * 2) 4 + hash length of the hash algorithm found in - * DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_MEASUREMENT_BLOCK SpdmMeasurementHashAlgo - * where 4 is the size of the SpdmMeasurementBlock header + * The size of each block is the same and can be found by either: + * 1) 4 + SpdmMeasurementBlock MeasurementSize + * OR + * 2) 4 + hash length of the hash algorithm found in + * DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_MEASUREMENT_BLOCK SpdmMeasurementHashAlgo + * where 4 is the size of the SpdmMeasurementBlock header */ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends DeviceSecurityEventDataSubHeader { + /** + * List of SPDM Measurement Blocks. + */ + private final List spdmMeasurementBlockList; /** * SPDM version. */ @@ -48,11 +52,6 @@ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends Device */ @Getter private int spdmMeasurementHashAlgo = -1; - - /** - * List of SPDM Measurement Blocks. - */ - private List spdmMeasurementBlockList; /** * Error reading SPDM Measurement Block. */ 
@@ -77,16 +76,21 @@ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends Device // byte[] reserved[Bytes]: 1 byte - byte[] spdmMeasurementHashAlgoBytes = new byte[4]; - System.arraycopy(dsedSubHBytes, 4, spdmMeasurementHashAlgoBytes, 0, 4); + final int spdmMeasurementHashAlgoBytesSize = 4; + final int dsedSubHBytesSrcIndex1 = 4; + byte[] spdmMeasurementHashAlgoBytes = new byte[spdmMeasurementHashAlgoBytesSize]; + System.arraycopy(dsedSubHBytes, dsedSubHBytesSrcIndex1, spdmMeasurementHashAlgoBytes, 0, + spdmMeasurementHashAlgoBytesSize); spdmMeasurementHashAlgo = HexUtils.leReverseInt(spdmMeasurementHashAlgoBytes); // get the total size of the SPDM Measurement Block List - int spdmMeasurementBlockListSize = dsedSubHBytes.length - 8; + final int offsetForspdmMeasurementBlockList = 8; + final int spdmMeasurementBlockListSize = dsedSubHBytes.length - offsetForspdmMeasurementBlockList; // extract the bytes that comprise the SPDM Measurement Block List + final int dsedSubHBytesSrcIndex2 = 8; byte[] spdmMeasurementBlockListBytes = new byte[spdmMeasurementBlockListSize]; - System.arraycopy(dsedSubHBytes, 8, spdmMeasurementBlockListBytes, 0, + System.arraycopy(dsedSubHBytes, dsedSubHBytesSrcIndex2, spdmMeasurementBlockListBytes, 0, spdmMeasurementBlockListSize); ByteArrayInputStream spdmMeasurementBlockListData = diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java index 1f413c20..68d6ea98 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java 
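Review bot: `offsetForspdmMeasurementBlockList` breaks the lowerCamelCase used by every other local in this constructor (the `s` of `spdm` should be capitalised) and holds the same value as `dsedSubHBytesSrcIndex2`, 8, the offset of the block list within the sub-header. Merge them into one local, `final int spdmMeasurementBlockListOffset = 8;`, and use it in both the size computation and the arraycopy. The constructor continues outside the hunk.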
@@ -55,7 +55,7 @@ public abstract class DeviceSecurityEventHeader { * UEFI Device Path Length. */ @Getter - private final int devicePathLength = 0; + private static final int DEVICE_PATH_LENGTH = 0; /** * Contains the size (in bytes) of the header. */ @@ -128,13 +128,15 @@ public abstract class DeviceSecurityEventHeader { int startByteUpdated = startByte; // get the device path length - byte[] devicePathLengthBytes = new byte[8]; - System.arraycopy(dsedBytes, startByteUpdated, devicePathLengthBytes, 0, 8); + final int devicePathLengthBytesSize = 8; + byte[] devicePathLengthBytes = new byte[devicePathLengthBytesSize]; + System.arraycopy(dsedBytes, startByteUpdated, devicePathLengthBytes, 0, devicePathLengthBytesSize); int retrievedDevicePathLength = HexUtils.leReverseInt(devicePathLengthBytes); // get the device path if (retrievedDevicePathLength > 0) { - startByteUpdated = startByteUpdated + 8; + final int startByteUpdatedOffset = 8; + startByteUpdated = startByteUpdated + startByteUpdatedOffset; byte[] devPathBytes = new byte[retrievedDevicePathLength]; System.arraycopy(dsedBytes, startByteUpdated, devPathBytes, 0, retrievedDevicePathLength); @@ -153,16 +155,12 @@ public abstract class DeviceSecurityEventHeader { * @return name of the device type */ public String deviceTypeToString(final int deviceTypeInt) { - switch (deviceTypeInt) { - case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_NONE: - return "No device type"; - case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_PCI: - return "PCI"; - case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_USB: - return "USB"; - default: - return "Unknown or invalid Device Type"; - } + return switch (deviceTypeInt) { + case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_NONE -> "No device type"; + case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_PCI -> "PCI"; + case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_USB -> "USB"; + default -> "Unknown or invalid Device Type"; + }; } /** 
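Review bot: Turning `devicePathLength` into `private static final int DEVICE_PATH_LENGTH = 0` in DeviceSecurityEventHeader makes the value a class constant, yet `extractDevicePathAndFinalSize` in the next hunk parses `retrievedDevicePathLength` from the event and never stores it, so the Lombok getter reports 0 for every event. The checkstyle finding was presumably pointing at a field that should have been assigned rather than one that should be a constant; the likelier fix is `private int devicePathLength = 0;` with `devicePathLength = retrievedDevicePathLength;` once the value is read. As with the SwidResource change in this patch, `@Getter` on a static field also renames the generated accessor and makes it static, which breaks existing callers of `getDevicePathLength()`. extractDevicePathAndFinalSize continues outside the hunk.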
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvConstants.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvConstants.java index f71574db..8e9d05de 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvConstants.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvConstants.java @@ -6,11 +6,6 @@ package hirs.utils.tpm.eventlog.events; */ public final class EvConstants { - /** - * Default private constructor so checkstyles doesn't complain - */ - private EvConstants() { } - /** * Type length = 4 bytes. */ @@ -39,11 +34,11 @@ public final class EvConstants { * Each PCR bank holds 24 registers. */ public static final int PCR_COUNT = 24; - // Event IDs /** * Pre boot cert Event ID. */ public static final int EV_PREBOOT_CERT = 0x00000000; + // Event IDs /** * POST Code Event ID. */ @@ -180,4 +175,9 @@ public final class EvConstants { * EFI SPDM Device Authority Event ID. */ public static final int EV_EFI_SPDM_DEVICE_AUTHORITY = 0x800000E4; + /** + * Default private constructor so checkstyles doesn't complain. + */ + private EvConstants() { + } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java index 5e38264d..983e2f44 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java 
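Review bot: The `// Event IDs` section marker in EvConstants is moved to after `EV_PREBOOT_CERT`, so it now sits between the first event-ID constant and the rest of the group instead of introducing it. If a comment-placement check objected to its old position, keep it directly above the group's first Javadoc, `// Event IDs` immediately before `/** Pre boot cert Event ID. */`, or fold the words into that Javadoc.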
@@ -11,16 +11,16 @@ import java.nio.charset.StandardCharsets; * Class to process the EV_NO_ACTION event. * The first 16 bytes of the event data MUST be a String based identifier (Signature). * Currently defined Signatures are - * "Spec ID Event03" - * - implies the data is a TCG_EfiSpecIDEvent - * - TCG_EfiSpecIDEvent is the first event in a TPM Event Log and is used to determine - * if the format of the Log (SHA1 vs Crypto Agile). - * "StartupLocality" - * - implies the data represents locality info (use lookup to interpret) - * "NvIndexInstance" - * - implies the data is a NV_INDEX_INSTANCE_EVENT_LOG_DATA - * "NvIndexDynamic" - * - implies the data is a NV_INDEX_DYNAMIC_EVENT_LOG_DATA + * "Spec ID Event03" + * - implies the data is a TCG_EfiSpecIDEvent + * - TCG_EfiSpecIDEvent is the first event in a TPM Event Log and is used to determine + * if the format of the Log (SHA1 vs Crypto Agile). + * "StartupLocality" + * - implies the data represents locality info (use lookup to interpret) + * "NvIndexInstance" + * - implies the data is a NV_INDEX_INSTANCE_EVENT_LOG_DATA + * "NvIndexDynamic" + * - implies the data is a NV_INDEX_DYNAMIC_EVENT_LOG_DATA *

* Notes: * 1. First 16 bytes of the structure is an ASCII with a fixed Length of 16 @@ -66,7 +66,7 @@ public class EvNoAction { signature = signature.replaceAll("[^\\P{C}\t\r\n]", ""); // remove null characters if (signature.contains("Spec ID Event03")) { // implies CryptAgileFormat EvEfiSpecIdEvent specIDEvent = new EvEfiSpecIdEvent(eventData); - noActionInfo += specIDEventToString(specIDEvent).toString(); + noActionInfo += specIDEventToString(specIDEvent); bSpecIDEvent = true; specVersion = String.format("%s.%s", specIDEvent.getVersionMajor(), @@ -126,25 +126,21 @@ public class EvNoAction { * @return a description of the locality. */ private String getLocality(final byte[] eventData) { - String localityInfo = ""; + final int eventDataSrcIndex = 16; byte[] localityBytes = new byte[1]; - System.arraycopy(eventData, 16, localityBytes, 0, 1); - int locality = HexUtils.leReverseInt(localityBytes); + System.arraycopy(eventData, eventDataSrcIndex, localityBytes, 0, 1); + final int locality = HexUtils.leReverseInt(localityBytes); - switch (locality) { - case 0: - localityInfo += "Locality 0 without an H-CRTM sequence"; - break; - case 3: - localityInfo += "Locality 3 without an H-CRTM sequence"; - break; - case 4: - localityInfo += "Locality 4 with an H-CRTM sequence initialized"; - break; - default: - localityInfo += "Unknown"; - } - return localityInfo; + final int locality0 = 0; + final int locality3 = 3; + final int locality4 = 4; + + return switch (locality) { + case locality0 -> "Locality 0 without an H-CRTM sequence"; + case locality3 -> "Locality 3 without an H-CRTM sequence"; + case locality4 -> "Locality 4 with an H-CRTM sequence initialized"; + default -> "Unknown"; + }; } /** diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexDynamicEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexDynamicEventLogData.java index f4318959..44e55233 100644 
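Review bot: In `getLocality` the locals `locality0`, `locality3` and `locality4` compile as case labels only because they are constant variables, and naming `3` as `locality3` restates the literal without saying what it means. Either keep the literals in the case labels or use class-level constants that carry the meaning, e.g. `private static final int LOCALITY_4_HCRTM = 4;`. The method also reads byte 16 of eventData with no check that the buffer is that long, so a "StartupLocality" event with a short body exits the parser with an ArrayIndexOutOfBoundsException instead of the existing `"Unknown"` result; `if (eventData.length <= eventDataSrcIndex) { return "Unknown"; }` before the arraycopy closes that gap.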
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexDynamicEventLogData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexDynamicEventLogData.java @@ -8,19 +8,19 @@ import java.nio.charset.StandardCharsets; * Class to process the NV_INDEX_DYNAMIC_EVENT_LOG_DATA per PFP. * Per PFP, the first 16 bytes of the structure are a String based identifier (Signature), * which are a NULL-terminated ASCII string "NvIndexDynamic". - * + *

* HEADERS defined by PFP v1.06 Rev 52. * Certain fields are common to both ..HEADER and ..HEADER2, and are noted below the structures. *

* typedef struct tdNV_INDEX_DYNAMIC_EVENT_LOG_DATA { - * BYTE Signature[16]; - * UINT16 Version; - * UINT8[6] Reserved; - * UINT64 UID; - * UINT16 DescriptionSize; - * UINT8 Description[DescriptionSize]; - * UINT16 DataSize; - * DEVICE_SECURITY_EVENT_DATA2 Data[DataSize]; + * BYTE Signature[16]; + * UINT16 Version; + * UINT8[6] Reserved; + * UINT64 UID; + * UINT16 DescriptionSize; + * UINT8 Description[DescriptionSize]; + * UINT16 DataSize; + * DEVICE_SECURITY_EVENT_DATA2 Data[DataSize]; * } NV_INDEX_DYNAMIC_EVENT_LOG_DATA; *

*/ @@ -43,13 +43,16 @@ public class NvIndexDynamicEventLogData { */ public NvIndexDynamicEventLogData(final byte[] eventData) { - byte[] signatureBytes = new byte[16]; - System.arraycopy(eventData, 0, signatureBytes, 0, 16); + final int signatureBytesSize = 16; + byte[] signatureBytes = new byte[signatureBytesSize]; + System.arraycopy(eventData, 0, signatureBytes, 0, signatureBytesSize); signature = new String(signatureBytes, StandardCharsets.UTF_8); signature = signature.replaceAll("[^\\P{C}\t\r\n]", ""); // remove null characters - byte[] versionBytes = new byte[2]; - System.arraycopy(eventData, 16, versionBytes, 0, 2); + final int versionBytesSize = 2; + final int eventDataSrcIndex1 = 16; + byte[] versionBytes = new byte[versionBytesSize]; + System.arraycopy(eventData, eventDataSrcIndex1, versionBytes, 0, versionBytesSize); String nvIndexVersion = HexUtils.byteArrayToHexString(versionBytes); if (nvIndexVersion.isEmpty()) { nvIndexVersion = "version not readable"; 
@@ -58,23 +61,28 @@ public class NvIndexDynamicEventLogData { nvIndexDynamicInfo += " Nv Index Dynamic Version = " + nvIndexVersion + "\n"; // 6 bytes of Reserved data - - byte[] uidBytes = new byte[8]; - System.arraycopy(eventData, 24, uidBytes, 0, 8); + final int uidBytesSize = 8; + final int eventDataSrcIndex2 = 24; + byte[] uidBytes = new byte[uidBytesSize]; + System.arraycopy(eventData, eventDataSrcIndex2, uidBytes, 0, uidBytesSize); String uid = HexUtils.byteArrayToHexString(uidBytes); nvIndexDynamicInfo += " UID = " + uid + "\n"; - byte[] descriptionSizeBytes = new byte[2]; - System.arraycopy(eventData, 32, descriptionSizeBytes, 0, 2); + final int descriptionSizeBytesLength = 2; + final int eventDataSrcIndex3 = 32; + byte[] descriptionSizeBytes = new byte[descriptionSizeBytesLength]; + System.arraycopy(eventData, eventDataSrcIndex3, descriptionSizeBytes, 0, descriptionSizeBytesLength); int descriptionSize = HexUtils.leReverseInt(descriptionSizeBytes); + final int eventDataSrcIndex4 = 34; byte[] descriptionBytes = new byte[descriptionSize]; - System.arraycopy(eventData, 34, descriptionBytes, 0, descriptionSize); + System.arraycopy(eventData, eventDataSrcIndex4, descriptionBytes, 0, descriptionSize); String description = new String(descriptionBytes, StandardCharsets.UTF_8); description = description.replaceAll("[^\\P{C}\t\r\n]", ""); // remove null characters nvIndexDynamicInfo += " Description = " + description + "\n"; - int dataSizeStartByte = 34 + descriptionSize; + final int dataSizeOffset = 34; + int dataSizeStartByte = dataSizeOffset + descriptionSize; byte[] dataSizeBytes = new byte[2]; System.arraycopy(eventData, dataSizeStartByte, dataSizeBytes, 0, 2); int dataSize = HexUtils.leReverseInt(dataSizeBytes); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java index 1e6e9134..af573ead 100644 
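Review bot: `eventDataSrcIndex4` and `dataSizeOffset` are both defined as 34 in this hunk, so one structure offset now lives under two names, and the numbered `eventDataSrcIndexN` names say nothing about which field they locate; the same pattern recurs in NvIndexInstanceEventLogData (24 appears as `eventDataSrcIndex2` in one hunk and again as `eventDataSrcIndex4` in the next) and in the SpdmCertificateChain constructor (`spdmCertChainBytesSrcIndex` and `offsetForCertChain` are both 4). Naming the offsets after the fields in the class Javadoc, e.g. `private static final int DESCRIPTION_SIZE_OFFSET = 32;` and `private static final int DESCRIPTION_OFFSET = 34;`, and deriving `dataSizeStartByte = DESCRIPTION_OFFSET + descriptionSize` keeps a single definition per field. The `byte[] dataSizeBytes = new byte[2]` and `System.arraycopy(..., 0, 2)` lines just below still carry the literal 2 the refactor removed everywhere else. None of the copies compare the offsets against `eventData.length` first, so an undersized event throws ArrayIndexOutOfBoundsException rather than producing a readable error; the constructor begins and ends outside this hunk.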
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java @@ -8,15 +8,15 @@ import java.nio.charset.StandardCharsets; * Class to process the NV_INDEX_INSTANCE_EVENT_LOG_DATA per PFP. * Per PFP, the first 16 bytes of the structure are a String based identifier (Signature), * which are a NULL-terminated ASCII string "NvIndexInstance". - * + *

* HEADERS defined by PFP v1.06 Rev 52. * Certain fields are common to both ..HEADER and ..HEADER2, and are noted below the structures. *

* typedef struct tdNV_INDEX_INSTANCE_EVENT_LOG_DATA { - * BYTE Signature[16]; - * UINT16 Version; - * UINT8[6] Reserved; - * DEVICE_SECURITY_EVENT_DATA2 Data; + * BYTE Signature[16]; + * UINT16 Version; + * UINT8[6] Reserved; + * DEVICE_SECURITY_EVENT_DATA2 Data; * } NV_INDEX_INSTANCE_EVENT_LOG_DATA; *

*/ @@ -45,13 +45,15 @@ public class NvIndexInstanceEventLogData { */ public NvIndexInstanceEventLogData(final byte[] eventData) { - byte[] signatureBytes = new byte[16]; - System.arraycopy(eventData, 0, signatureBytes, 0, 16); + final int signatureBytesSize = 16; + byte[] signatureBytes = new byte[signatureBytesSize]; + System.arraycopy(eventData, 0, signatureBytes, 0, signatureBytesSize); signature = new String(signatureBytes, StandardCharsets.UTF_8); signature = signature.replaceAll("[^\\P{C}\t\r\n]", ""); // remove null characters + final int eventDataSrcIndex1 = 16; byte[] versionBytes = new byte[2]; - System.arraycopy(eventData, 16, versionBytes, 0, 2); + System.arraycopy(eventData, eventDataSrcIndex1, versionBytes, 0, 2); String nvIndexVersion = HexUtils.byteArrayToHexString(versionBytes); if (nvIndexVersion == "") { nvIndexVersion = "version not readable"; @@ -60,14 +62,16 @@ public class NvIndexInstanceEventLogData { nvIndexInstanceInfo += " Nv Index Instance Version = " + nvIndexVersion + "\n"; // 6 bytes of Reserved data - - byte[] dsedSignatureBytes = new byte[16]; - System.arraycopy(eventData, 24, dsedSignatureBytes, 0, 16); + final int eventDataSrcIndex2 = 24; + final int dsedSignatureBytesSize = 16; + byte[] dsedSignatureBytes = new byte[dsedSignatureBytesSize]; + System.arraycopy(eventData, eventDataSrcIndex2, dsedSignatureBytes, 0, dsedSignatureBytesSize); String dsedSignature = new String(dsedSignatureBytes, StandardCharsets.UTF_8); dsedSignature = dsedSignature.replaceAll("[^\\P{C}\t\r\n]", ""); // remove null characters + final int eventDataSrcIndex3 = 40; byte[] dsedVersionBytes = new byte[2]; - System.arraycopy(eventData, 40, dsedVersionBytes, 0, 2); + System.arraycopy(eventData, eventDataSrcIndex3, dsedVersionBytes, 0, 2); String dsedVersion = HexUtils.byteArrayToHexString(dsedVersionBytes); if (dsedVersion == "") { dsedVersion = "version not readable"; 
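Review bot: `if (nvIndexVersion == "")` and, in the second hunk, `if (dsedVersion == "")` compare the strings by reference, so the "version not readable" fallback can only trigger if HexUtils.byteArrayToHexString happens to return the interned literal; the sibling NvIndexDynamicEventLogData uses `if (nvIndexVersion.isEmpty()) {` for the same check and these two lines should match it. They are context lines the commit leaves untouched, directly beside the arraycopy calls it rewrites. The constructor continues past the end of the hunk.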
@@ -75,9 +79,10 @@ public class NvIndexInstanceEventLogData { if (dsedSignature.contains("SPDM Device Sec2")) { - int dsedEventDataSize = eventData.length - 24; + final int eventDataSrcIndex4 = 24; + final int dsedEventDataSize = eventData.length - eventDataSrcIndex4; byte[] dsedEventData = new byte[dsedEventDataSize]; - System.arraycopy(eventData, 24, dsedEventData, 0, dsedEventDataSize); + System.arraycopy(eventData, eventDataSrcIndex4, dsedEventData, 0, dsedEventDataSize); nvIndexInstanceInfo += " Signature = SPDM Device Sec2\n"; @@ -89,7 +94,7 @@ public class NvIndexInstanceEventLogData { + dsedVersion + "\n"; } } else { - nvIndexInstanceInfo = " Signature error: should be \'SPDM Device Sec2\' but is " + nvIndexInstanceInfo = " Signature error: should be 'SPDM Device Sec2' but is " + signature + "\n"; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java index 8d0062c6..7ec8b8ea 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java @@ -15,22 +15,22 @@ import java.util.ArrayList; *
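Review bot: The `else` branch reports `signature` although the condition it belongs to tests `dsedSignature.contains("SPDM Device Sec2")`, so the message prints the outer NvIndexInstance signature rather than the DEVICE_SECURITY_EVENT_DATA2 signature that actually failed the check; `+ dsedSignature + "\n";` is what the text describes. The same statement assigns with `=` rather than `+=`, discarding the version text accumulated into `nvIndexInstanceInfo` earlier in the constructor — if that reset is deliberate a short comment would help, otherwise `+=` matches the surrounding lines. The constructor starts outside this hunk.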

* Certificate chain format, defined by SPDM v1.03, Sect 10.6.1, Table 33: * Certificate chain format { - * Length 2 bytes; - * Reserved 2 bytes; - * RootHash bytes; - * Certificates - (4 + ) bytes; + * Length 2 bytes; + * Reserved 2 bytes; + * RootHash bytes; + * Certificates - (4 + ) bytes; * } *

* Length: total length of cert chain including all fields in this block * H: the output size of the hash algorithm selected by the most recent ALGORITHMS response - * this field shall be in hash byte order - * hash algorithm is included in the DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN - * structure as the member "SpdmBaseHashAlg" + * this field shall be in hash byte order + * hash algorithm is included in the DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN + * structure as the member "SpdmBaseHashAlg" * RootHash: the digest of the Root Certificate. - * size is determined by hash algorithm selected by the most recent SPDM ALGORITHMS response; - * the hash algorithm is the DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN SpdmBaseHashAlgo + * size is determined by hash algorithm selected by the most recent SPDM ALGORITHMS response; + * the hash algorithm is the DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN SpdmBaseHashAlgo * Certificates: Complete cert chain consisting of 1 or more ASN.1 DER-encoded X.509 v3 certs - * this field shall be in Encoded ASN.1 byte order + * this field shall be in Encoded ASN.1 byte order */ public class SpdmCertificateChain { @@ -38,6 +38,10 @@ public class SpdmCertificateChain { // * Length of the certificate chain to include all fields in this structure. // */ //private int length = 0; + /** + * Array List of certs found in the chain. + */ + private final ArrayList certList = new ArrayList(); /** * Root hash. */ @@ -46,10 +50,6 @@ public class SpdmCertificateChain { * Number of certs in the SPDM cert chain. */ private int numberOfCerts = 0; - /** - * Array List of certs found in the chain. - */ - private ArrayList certList = new ArrayList(); /** * Human-readable description of any error associated with SPDM base hash alg. */ 
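Review bot: `certList` is still declared with the raw type `ArrayList` after the move, so `certList.add(cert)` in processCertChain compiles with an unchecked warning and the field's element type is invisible to readers; `private final List<UefiX509Cert> certList = new ArrayList<>();` gives it the type the code actually uses (this needs `import java.util.List;`, which sits outside the hunk). Making the field `final` is a good change. The commented-out `length` field kept above it reads as dead Javadoc and could be removed in the same pass.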
@@ -63,7 +63,7 @@ public class SpdmCertificateChain { * SpdmCertificateChain Constructor. * * @param spdmCertChainBytes byte array holding the SPDM Cert Chain bytes. - * @param rootHashLength length of RootHash. + * @param rootHashLength length of RootHash. */ public SpdmCertificateChain(final byte[] spdmCertChainBytes, final int rootHashLength) { @@ -76,11 +76,13 @@ public class SpdmCertificateChain { // Reserved: 2 bytes + final int spdmCertChainBytesSrcIndex = 4; rootHash = new byte[rootHashLength]; - System.arraycopy(spdmCertChainBytes, 4, rootHash, 0, rootHashLength); + System.arraycopy(spdmCertChainBytes, spdmCertChainBytesSrcIndex, rootHash, 0, rootHashLength); - int certChainStartPos = 4 + rootHashLength; - int certChainLength = spdmCertChainBytes.length - certChainStartPos; + final int offsetForCertChain = 4; + final int certChainStartPos = offsetForCertChain + rootHashLength; + final int certChainLength = spdmCertChainBytes.length - certChainStartPos; byte[] certChainBytes = new byte[certChainLength]; System.arraycopy(spdmCertChainBytes, certChainStartPos, certChainBytes, 0, certChainLength); @@ -93,7 +95,7 @@ public class SpdmCertificateChain { * * @param certChainData Byte array holding the cert chain data */ - private void processCertChain(final byte[] certChainData) { + private void processCertChain(final byte[] certChainData) { UefiX509Cert cert = null; 
@@ -113,10 +115,11 @@ public class SpdmCertificateChain { byte[] certData = new byte[cLength]; certChainDataIS.read(certData); // put the cert back together - byte[] certBlob = new byte[cLength + 4]; + final int certBlobStartIndex = 4; + byte[] certBlob = new byte[cLength + certBlobStartIndex]; System.arraycopy(certType, 0, certBlob, 0, 2); System.arraycopy(certLength, 0, certBlob, 2, 2); - System.arraycopy(certData, 0, certBlob, 4, cLength); + System.arraycopy(certData, 0, certBlob, certBlobStartIndex, cLength); cert = new UefiX509Cert(certBlob); //cert = new X509Certificate(certBlob); certList.add(cert); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java index ae618926..91414da7 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java @@ -4,7 +4,7 @@ package hirs.utils.tpm.eventlog.spdm; * Class for defining hash algorithms referenced in the DMTF SPDM specification. * SPDM 1.3.0, Table 21, MeasurementHashAlgo. */ -public class SpdmHa { +public final class SpdmHa { /** * Spdm Hash Alg = Raw bit stream. 
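Review bot: `certChainDataIS.read(certData)` discards its return value, so a chain that ends before `cLength` bytes leaves the tail of `certData` zero-filled and the truncated blob is still handed to `new UefiX509Cert(certBlob)` as if it were complete; the new `certBlobStartIndex` constant sits directly below this line. If `certChainDataIS` is an `InputStream`, `int got = certChainDataIS.readNBytes(certData, 0, cLength);` followed by a check that `got == cLength` (logging and skipping the cert otherwise) makes the truncation visible. `cLength` itself is derived from the chain bytes, and where it is bounded against the remaining input is not visible in this hunk. processCertChain starts and ends outside the hunk.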
@@ -49,32 +49,16 @@ public class SpdmHa { * @return name of the algorithm */ public static String tcgAlgIdToString(final int algId) { - String alg; - switch (algId) { - case TPM_ALG_RAW: - alg = "Raw Bit Stream"; - break; - case TPM_ALG_SHA_256: - alg = "TPM_ALG_SHA_256"; - break; - case TPM_ALG_SHA_384: - alg = "TPM_ALG_SHA_384"; - break; - case TPM_ALG_SHA_512: - alg = "TPM_ALG_SHA_512"; - break; - case TPM_ALG_SHA3_256: - alg = "TPM_ALG_SHA3_256"; - break; - case TPM_ALG_SHA3_384: - alg = "TPM_ALG_SHA3_384"; - break; - case TPM_ALG_SHA3_512: - alg = "TPM_ALG_SHA3_512"; - break; - default: - alg = "Unknown or invalid Hash"; - } + String alg = switch (algId) { + case TPM_ALG_RAW -> "Raw Bit Stream"; + case TPM_ALG_SHA_256 -> "TPM_ALG_SHA_256"; + case TPM_ALG_SHA_384 -> "TPM_ALG_SHA_384"; + case TPM_ALG_SHA_512 -> "TPM_ALG_SHA_512"; + case TPM_ALG_SHA3_256 -> "TPM_ALG_SHA3_256"; + case TPM_ALG_SHA3_384 -> "TPM_ALG_SHA3_384"; + case TPM_ALG_SHA3_512 -> "TPM_ALG_SHA3_512"; + default -> "Unknown or invalid Hash"; + }; return alg; } @@ -86,26 +70,17 @@ public class SpdmHa { * @return size of the algorithm output */ public static int tcgAlgIdToByteSize(final int algId) { - int byteSize; - switch (algId) { - //case TPM_ALG_RAW: // add this when have more test data - // byteSize = ; - // break; - case TPM_ALG_SHA_256: - byteSize = 32; - break; - case TPM_ALG_SHA_384, TPM_ALG_SHA3_384: - byteSize = 48; - break; - case TPM_ALG_SHA_512, TPM_ALG_SHA3_512: - byteSize = 64; - break; - case TPM_ALG_SHA3_256: - byteSize = 32; - break; - default: - byteSize = -1; - } - return byteSize; + final int byteSize256 = 32; + final int byteSize384 = 48; + final int byteSize512 = 64; + + return switch (algId) { +// case TPM_ALG_RAW: // add this when have more test data +// return ; + case TPM_ALG_SHA_256, TPM_ALG_SHA3_256 -> byteSize256; + case TPM_ALG_SHA_384, TPM_ALG_SHA3_384 -> byteSize384; + case TPM_ALG_SHA_512, TPM_ALG_SHA3_512 -> byteSize512; + default -> -1; + }; } } 
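Review bot: `tcgAlgIdToByteSize` still returns the sentinel `-1` for an unknown algorithm but its Javadoc only says `@return size of the algorithm output`; a caller that passes the result straight into `new byte[...]` (SpdmCertificateChain's `rootHashLength` looks like such a path, though the call site is not in this diff) gets a NegativeArraySizeException instead of a clear message. Documenting it as `@return size of the algorithm output in bytes, or -1 if algId is not a supported hash` makes the contract explicit. As a point of style, the two commented-out `// case TPM_ALG_RAW` lines now sit at column 0 inside the switch expression and read as stray code; a TODO comment above the switch, indented with it, would be clearer. `tcgAlgIdToString` can likewise drop its `alg` local and `return switch (algId) {` directly, as SpdmMeasurement now does.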
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java index b1ed423e..9ef63e94 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java @@ -27,6 +27,61 @@ import lombok.Getter; */ public class SpdmMeasurement { + /** + * MEASUREMENT_VALUE_0 = Immutable ROM. + */ + private static final int MEASUREMENT_VALUE_0 = 0; + + /** + * MEASUREMENT_VALUE_1 = Mutable firmware. + */ + private static final int MEASUREMENT_VALUE_1 = 1; + + /** + * MEASUREMENT_VALUE_2 = Hardware configuration. + */ + private static final int MEASUREMENT_VALUE_2 = 2; + + /** + * MEASUREMENT_VALUE_3 = Firmware configuration. + */ + private static final int MEASUREMENT_VALUE_3 = 3; + + /** + * MEASUREMENT_VALUE_4 = Freeform measurement manifest. + */ + private static final int MEASUREMENT_VALUE_4 = 4; + + /** + * MEASUREMENT_VALUE_5 = Structured representation of debug and device mode. + */ + private static final int MEASUREMENT_VALUE_5 = 5; + + /** + * MEASUREMENT_VALUE_6 = Mutable firmware's version number. + */ + private static final int MEASUREMENT_VALUE_6 = 6; + + /** + * MEASUREMENT_VALUE_7 = Mutable firmware's security version number. + */ + private static final int MEASUREMENT_VALUE_7 = 7; + + /** + * MEASUREMENT_VALUE_8 = Hash-extended measurement. + */ + private static final int MEASUREMENT_VALUE_8 = 8; + + /** + * MEASUREMENT_VALUE_9 = Informational. + */ + private static final int MEASUREMENT_VALUE_9 = 9; + + /** + * MEASUREMENT_VALUE_10 = Structured measurement manifest. + */ + private static final int MEASUREMENT_VALUE_10 = 10; + /** * Measurement value (digest). */ 
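Review bot: The eleven new constants are named after their own numeric value (`MEASUREMENT_VALUE_0 = 0` through `MEASUREMENT_VALUE_10 = 10`), which satisfies a magic-number check without adding meaning — the switch in dmtfSpecMeasurementValueTypeToString in the next hunk reads `case MEASUREMENT_VALUE_3 ->` and the reader still has to look up what 3 is. The Javadoc on each constant already supplies the name: `private static final int IMMUTABLE_ROM = 0;`, `private static final int MUTABLE_FIRMWARE = 1;`, `private static final int HARDWARE_CONFIGURATION = 2;` and so on, after which the switch documents itself. dmtfSpecMeasurementValueTypeToString reads no instance state, so it could also be `static` unless a subclass is expected to override it.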
@@ -69,22 +124,20 @@ public class SpdmMeasurement { * @return a description of the measurement value type. */ public String dmtfSpecMeasurementValueTypeToString(final int measValType) { - - String measValTypeStr = switch (measValType) { - case 0 -> "Immutable ROM"; - case 1 -> "Mutable firmware"; - case 2 -> "Hardware configuration"; - case 3 -> "Firmware configuration"; - case 4 -> "Freeform measurement manifest"; - case 5 -> "Structured representation of debug and device mode"; - case 6 -> "Mutable firmware's version number"; - case 7 -> "Mutable firmware's security version number"; - case 8 -> "Hash-extended measurement"; - case 9 -> "Informational"; - case 10 -> "Structured measurement manifest"; + return switch (measValType) { + case MEASUREMENT_VALUE_0 -> "Immutable ROM"; + case MEASUREMENT_VALUE_1 -> "Mutable firmware"; + case MEASUREMENT_VALUE_2 -> "Hardware configuration"; + case MEASUREMENT_VALUE_3 -> "Firmware configuration"; + case MEASUREMENT_VALUE_4 -> "Freeform measurement manifest"; + case MEASUREMENT_VALUE_5 -> "Structured representation of debug and device mode"; + case MEASUREMENT_VALUE_6 -> "Mutable firmware's version number"; + case MEASUREMENT_VALUE_7 -> "Mutable firmware's security version number"; + case MEASUREMENT_VALUE_8 -> "Hash-extended measurement"; + case MEASUREMENT_VALUE_9 -> "Informational"; + case MEASUREMENT_VALUE_10 -> "Structured measurement manifest"; default -> "Unknown or invalid DMTF Spec Measurement Value Type"; }; - return measValTypeStr; } /** diff --git a/HIRS_Utils/src/test/java/hirs/utils/tpm/eventlog/TCGEventLogTest.java b/HIRS_Utils/src/test/java/hirs/utils/tpm/eventlog/TCGEventLogTest.java index b3c81ac5..34f692ba 100644 --- a/HIRS_Utils/src/test/java/hirs/utils/tpm/eventlog/TCGEventLogTest.java +++ b/HIRS_Utils/src/test/java/hirs/utils/tpm/eventlog/TCGEventLogTest.java 
@@ -58,40 +58,45 @@ public class TCGEventLogTest { NoSuchAlgorithmException { LOGGER.debug("Testing the parsing of a Crypto Agile formatted TCG Event Log"); - // setup - final InputStream log = this.getClass().getResourceAsStream(DEFAULT_EVENT_LOG); - final InputStream pcrs = this.getClass().getResourceAsStream(DEFAULT_EXPECTED_PCRS); - final byte[] rawLogBytes = IOUtils.toByteArray(log); - final TCGEventLog evlog = new TCGEventLog(rawLogBytes, false, false, false); - final String[] pcrFromLog = evlog.getExpectedPCRValues(); - final Object[] pcrObj = IOUtils.readLines(pcrs, "UTF-8").toArray(); - final String[] pcrTxt = Arrays.copyOf(pcrObj, pcrObj.length, String[].class); - boolean testPass = true; + try { + // setup + final InputStream log = this.getClass().getResourceAsStream(DEFAULT_EVENT_LOG); + final InputStream pcrs = this.getClass().getResourceAsStream(DEFAULT_EXPECTED_PCRS); + final byte[] rawLogBytes = IOUtils.toByteArray(log); + final TCGEventLog evlog = new TCGEventLog(rawLogBytes, false, false, false); + final String[] pcrFromLog = evlog.getExpectedPCRValues(); + final Object[] pcrObj = IOUtils.readLines(pcrs, "UTF-8").toArray(); + final String[] pcrTxt = Arrays.copyOf(pcrObj, pcrObj.length, String[].class); - // Test 1 get all PCRs - for (int i = 0; i < PCR_COUNT; i++) { - if (pcrFromLog[i].compareToIgnoreCase(pcrTxt[i]) != 0) { - testPass = false; - LOGGER.error("\ntestTCGEventLogProcessorParser error with PCR {}", i); + boolean testPass = true; + + // Test 1 get all PCRs + for (int i = 0; i < PCR_COUNT; i++) { + if (pcrFromLog[i].compareToIgnoreCase(pcrTxt[i]) != 0) { + testPass = false; + LOGGER.error("\ntestTCGEventLogProcessorParser error with PCR {}", i); + } } + assertTrue(testPass); + + // Test 2 get an individual PCR + final int pcrIndex = 3; + String pcr3 = evlog.getExpectedPCRValue(pcrIndex); + assertThat(pcrFromLog[pcrIndex], equalTo(pcr3)); + + // Test 3 check the Algorithm String Identifier used in the log + String algStr = 
evlog.getEventLogHashAlgorithm(); + assertThat("TPM_ALG_SHA256", equalTo(algStr)); + + // Test 4 check the Algorithm # Identifier used in the log + int id = evlog.getEventLogHashAlgorithmID(); + assertThat(TcgTpmtHa.TPM_ALG_SHA256, equalTo(id)); + + LOGGER.debug("OK. Parsing of a Crypto Agile Format Success"); + } catch (Throwable throwable) { + throw throwable; } - assertTrue(testPass); - - // Test 2 get an individual PCR - final int pcrIndex = 3; - String pcr3 = evlog.getExpectedPCRValue(pcrIndex); - assertThat(pcrFromLog[pcrIndex], equalTo(pcr3)); - - // Test 3 check the Algorithm String Identifier used in the log - String algStr = evlog.getEventLogHashAlgorithm(); - assertThat("TPM_ALG_SHA256", equalTo(algStr)); - - // Test 4 check the Algorithm # Identifier used in the log - int id = evlog.getEventLogHashAlgorithmID(); - assertThat(TcgTpmtHa.TPM_ALG_SHA256, equalTo(id)); - - LOGGER.debug("OK. Parsing of a Crypto Agile Format Success"); } /** 
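Review bot: The new `try { … } catch (Throwable throwable) { throw throwable; }` wrapper rethrows everything unchanged, so it adds a level of indentation and no behaviour; the same wrapper is added to the SHA1 test in the next hunk. What the block would usefully guard is the two `InputStream`s, which are still never closed: `try (InputStream log = this.getClass().getResourceAsStream(DEFAULT_EVENT_LOG); InputStream pcrs = this.getClass().getResourceAsStream(DEFAULT_EXPECTED_PCRS)) {` releases them and keeps the indentation the commit already introduced. `getResourceAsStream` returns null when the resource is missing, so an `assertNotNull(log)` before `IOUtils.toByteArray(log)` turns a NullPointerException into a readable failure. The test method's signature is outside the hunk.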
@@ -106,38 +111,42 @@ public class TCGEventLogTest { NoSuchAlgorithmException { LOGGER.debug("Testing the parsing of a SHA1 formated TCG Event Log"); - // setup - final InputStream log = this.getClass().getResourceAsStream(SHA1_EVENT_LOG); - final InputStream pcrs = this.getClass().getResourceAsStream(SHA1_EXPECTED_PCRS); - final byte[] rawLogBytes = IOUtils.toByteArray(log); - final TCGEventLog evlog = new TCGEventLog(rawLogBytes, false, false, false); - final String[] pcrFromLog = evlog.getExpectedPCRValues(); - final Object[] pcrObj = IOUtils.readLines(pcrs, "UTF-8").toArray(); - final String[] pcrTxt = Arrays.copyOf(pcrObj, pcrObj.length, String[].class); + try { + // setup + final InputStream log = this.getClass().getResourceAsStream(SHA1_EVENT_LOG); + final InputStream pcrs = this.getClass().getResourceAsStream(SHA1_EXPECTED_PCRS); + final byte[] rawLogBytes = IOUtils.toByteArray(log); + final TCGEventLog evlog = new TCGEventLog(rawLogBytes, false, false, false); + final String[] pcrFromLog = evlog.getExpectedPCRValues(); + final Object[] pcrObj = IOUtils.readLines(pcrs, "UTF-8").toArray(); + final String[] pcrTxt = Arrays.copyOf(pcrObj, pcrObj.length, String[].class); - boolean testPass = true; + boolean testPass = true; - // Test 1 get all PCRs - for (int i = 0; i < PCR_COUNT; i++) { - if (pcrFromLog[i].compareToIgnoreCase(pcrTxt[i]) != 0) { - testPass = false; - LOGGER.error("\ntestTCGEventLogProcessorParser error with PCR {}", i); + // Test 1 get all PCRs + for (int i = 0; i < PCR_COUNT; i++) { + if (pcrFromLog[i].compareToIgnoreCase(pcrTxt[i]) != 0) { + testPass = false; + LOGGER.error("\ntestTCGEventLogProcessorParser error with PCR {}", i); + } } + assertTrue(testPass); + + // Test 2 get an individual PCR + String pcr0 = evlog.getExpectedPCRValue(0); + assertThat(pcrFromLog[0], equalTo(pcr0)); + + // Test 3 check the Algorithm String Identifier used in the log + String algStr = evlog.getEventLogHashAlgorithm(); + assertThat("TPM_ALG_SHA1", 
equalTo(algStr)); + + // Test 4 check the Algorithm # Identifier used in the log + int id = evlog.getEventLogHashAlgorithmID(); + assertThat(TcgTpmtHa.TPM_ALG_SHA1, equalTo(id)); + + LOGGER.debug("OK. Parsing of a SHA1 formatted TCG Event Log Success"); + } catch (Throwable throwable) { + throw throwable; } - assertTrue(testPass); - - // Test 2 get an individual PCR - String pcr0 = evlog.getExpectedPCRValue(0); - assertThat(pcrFromLog[0], equalTo(pcr0)); - - // Test 3 check the Algorithm String Identifier used in the log - String algStr = evlog.getEventLogHashAlgorithm(); - assertThat("TPM_ALG_SHA1", equalTo(algStr)); - - // Test 4 check the Algorithm # Identifier used in the log - int id = evlog.getEventLogHashAlgorithmID(); - assertThat(TcgTpmtHa.TPM_ALG_SHA1, equalTo(id)); - - LOGGER.debug("OK. Parsing of a SHA1 formatted TCG Event Log Success"); } } diff --git a/build.gradle b/build.gradle index 5cb5860f..20ff3ab6 100644 --- a/build.gradle +++ b/build.gradle @@ -1,5 +1,4 @@ import java.util.concurrent.TimeUnit -import org.gradle.api.tasks.Copy plugins { // Apply the application plugin to add support for building a CLI application in Java. @@ -8,7 +7,7 @@ plugins { } // Global checkstyle file - ext.checkstyleConfigFile = new File(rootDir, "/config/checkstyle/sun_checks.xml") +ext.checkstyleConfigFile = new File(rootDir, "/config/checkstyle/sun_checks.xml") subprojects { apply plugin: "com.github.spotbugs" @@ -19,13 +18,12 @@ subprojects { tasks.withType(com.github.spotbugs.snom.SpotBugsTask) { reports { - html { - enabled = true - } + html.required = true } } } + dependencies { repositories { // Use Maven Central for resolving dependencies. 
@@ -36,10 +34,10 @@ dependencies { def projectVersion = rootProject.file('VERSION').text.trim() def buildTime = { -> - Date latestdate = new Date(); - def time = latestdate.getTime(); - long seconds = TimeUnit.MILLISECONDS.toSeconds(time); - return seconds; + Date latestdate = new Date() + def time = latestdate.getTime() + long seconds = TimeUnit.MILLISECONDS.toSeconds(time) + return seconds } def gitHash = { ->