From bfeff6c867b2cc29df681eb153306694aed82454 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 30 Nov 2020 08:38:46 -0500 Subject: [PATCH 1/3] initial commit --- HIRS_ProvisionerTPM2/include/Utils.h | 2 +- HIRS_ProvisionerTPM2/package/rpm-post-install.sh | 12 +++++------- HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto | 4 ++-- HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 14 +++++++++----- HIRS_ProvisionerTPM2/src/Utils.cpp | 8 ++++---- 5 files changed, 21 insertions(+), 19 deletions(-) diff --git a/HIRS_ProvisionerTPM2/include/Utils.h b/HIRS_ProvisionerTPM2/include/Utils.h index acad7f60..39099750 100644 --- a/HIRS_ProvisionerTPM2/include/Utils.h +++ b/HIRS_ProvisionerTPM2/include/Utils.h @@ -33,7 +33,7 @@ namespace file_utils { std::string getFileAsOneLineOrEmptyString(const std::string& filename); - std::vector searchDirectory(const std::string& directory); + std::vector search_directory(const std::string& directory); void writeBinaryFile(const std::string& bytes, const std::string& filename); diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index 9622dc3d..ce08f17d 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh 
@@ -42,22 +42,20 @@ ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties" TCG_DIRECTORY="/boot/tcg" -LOG_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/" -TAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/" +RIM_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/" +SWIDTAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/" CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/" if [ ! -f "$TCG_BOOT_FILE" ]; then touch "$TCG_BOOT_FILE" fi -if [ -d "$LOG_FILE_LOCATION" ]; then - RIM_FILE=$(find "$LOG_FILE_LOCATION" -name '*.rimel' -or -name '*.bin' -or -name '*.rimpcr' -or -name '*.log') - echo "tcg.rim.file=$RIM_FILE" > "$TCG_BOOT_FILE" +if [ -d "$RIM_FILE_LOCATION" ]; then + echo "tcg.rim.dir=$RIM_FILE_LOCATION" > "$TCG_BOOT_FILE" fi if [ -d "$TAG_FILE_LOCATION" ]; then - SWID_FILE=$(find "$TAG_FILE_LOCATION" -name '*.swidtag') - echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE" + echo "tcg.swidtag.dir=$SWIDTAG_FILE_LOCATION" >> "$TCG_BOOT_FILE" fi if [ -d "$CREDENTIALS_LOCATION" ]; then diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto index af38dbac..e8cd5766 100644 --- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto +++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto @@ -58,8 +58,8 @@ message DeviceInfo { required NetworkInfo nw = 3; required OsInfo os = 4; optional bytes pcrslist = 5; - optional bytes logfile = 6; - optional bytes swidfile = 7; + repeated bytes logfile = 6; + repeated bytes swidfile = 7; optional bytes livelog = 8; } diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index 957759e7..cd86e0a1 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp 
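Review bot: `if [ -d "$TAG_FILE_LOCATION" ]` still tests the old name after `TAG_FILE_LOCATION` was renamed to `SWIDTAG_FILE_LOCATION` a few lines up, so the expansion is empty, the `-d` test is false and `tcg.swidtag.dir` is never written; patch 2/3 on this page corrects it, and that one-liner belongs squashed into this commit. Running the script with `set -u` at the top would have surfaced the unset name at install time. Separately, the properties file is truncated only on the `tcg.rim.dir` branch (`>`), so when the rim directory is absent but the swidtag directory exists every reinstall appends another `tcg.swidtag.dir=` line and any `tcg.rim.file=`/`tcg.swidtag.file=` keys left by the previous version are kept; that pattern predates this change, but it matters now that the key names changed, and truncating once right after the `touch` (`: > "$TCG_BOOT_FILE"`) before the conditional writes avoids both.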
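Review bot: Switching `logfile` and `swidfile` from `optional` to `repeated` is wire-compatible in proto2 (an older provisioner's single value decodes as a one-element list), but it changes the generated accessors on both sides — C++ `set_logfile` becomes `add_logfile`, Java `hasSwidfile()`/`getSwidfile()` become `getSwidfileCount()`/`getSwidfileList()` — and the C++ in this same commit still calls the old ones, so the build is broken until patch 2/3 of this series. Each element is now the whole contents of one file, with no file name attached and no ordering relationship between the two lists; a comment on the fields such as `// Contents of each file found in tcg.rim.dir; unnamed, order not significant` would keep the ACA side from assuming a pairing between `logfile[i]` and `swidfile[i]`. Since several whole files now arrive per message, it is worth confirming that whatever message-size bound the ACA transport applies still covers this.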
@@ -70,7 +70,7 @@ int provision() { const std::string& cert_dir = props.get("tcg.cert.dir", ""); try { platformCredentials = - hirs::file_utils::searchDirectory(cert_dir); + hirs::file_utils::search_directory(cert_dir); } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } @@ -83,15 +83,19 @@ int provision() { hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo(); dv.set_pcrslist(tpm2.getPcrList()); // collect TCG Boot files - const std::string& rim_file = props.get("tcg.rim.file", ""); - const std::string& swid_file = props.get("tcg.swidtag.file", ""); + std::vector rim_files; + std::vector swidtag_files; + const std::string& rim_dir = props.get("tcg.rim.dir", ""); + const std::string& swid_dir = props.get("tcg.swidtag.dir", ""); try { - dv.set_logfile(hirs::file_utils::fileToString(rim_file)); + rim_files = hirs::file_utils::search_directory(rim_dir); + dv.set_logfile(rim_files); } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } try { - dv.set_swidfile(hirs::file_utils::fileToString(swid_file)); + swidtag_files = hirs::file_utils::search_directory(swid_dir); + dv.set_swidfile(swidtag_files); } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } diff --git a/HIRS_ProvisionerTPM2/src/Utils.cpp b/HIRS_ProvisionerTPM2/src/Utils.cpp index 75aeccf8..d8f10b56 100644 --- a/HIRS_ProvisionerTPM2/src/Utils.cpp +++ b/HIRS_ProvisionerTPM2/src/Utils.cpp @@ -119,9 +119,9 @@ namespace file_utils { return string_utils::trimNewLines(fileToString(filename, "")); } - vector searchDirectory(const string& directory) { + vector search_directory(const string& directory) { DIR *dr; - std::vector platform_credentials; + std::vector files; dr = opendir(directory.c_str()); if (dr) { 
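Review bot: `dv.set_logfile(rim_files)` and `dv.set_swidfile(swidtag_files)` pass a vector to fields this series turns into `repeated bytes`, whose generated C++ API exposes `add_logfile`/`add_swidfile` (and `mutable_logfile()`) but no setter taking a vector, so this commit does not compile on its own; patch 2/3 on this page replaces the calls with add_* loops, and the two should be squashed so the series stays bisectable. `rim_files` and `swidtag_files` are only used inside their `try` blocks and can live there as `const auto rim_files = hirs::file_utils::search_directory(rim_dir);`. Note also that `search_directory` (its body is in the Utils.cpp hunks below) builds each path as `directory` immediately followed by `d_name` with no separator, so a `tcg.rim.dir` or `tcg.swidtag.dir` value without a trailing `/` silently yields wrong paths; the post-install script happens to write one, but `provision()` should append it when missing or the requirement should be documented next to the property lookup. `provision()` starts and ends outside this hunk.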
@@ -131,7 +131,7 @@ namespace file_utils { ss << directory.c_str(); ss << en->d_name; try { - platform_credentials.push_back(fileToString(ss.str())); + files.push_back(fileToString(ss.str())); } catch (HirsRuntimeException& hirsRuntimeException) { std::cout << hirsRuntimeException.what(); } @@ -140,7 +140,7 @@ namespace file_utils { closedir(dr); } - return platform_credentials; + return files; } /** From 6eefb393a37fc95a8450aa8951f7274485f7496e Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 30 Nov 2020 14:16:57 -0500 Subject: [PATCH 2/3] Updated the code to pull all the files from a swid tag file directory and a rim log file directory, instead of a single file. --- ...stractAttestationCertificateAuthority.java | 126 +++++++++--------- .../package/rpm-post-install.sh | 2 +- HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 12 +- 3 files changed, 76 insertions(+), 64 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 1469a938..02165d56 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java 
@@ -743,78 +743,82 @@ public abstract class AbstractAttestationCertificateAuthority Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"); Matcher matcher; - if (dv.hasSwidfile()) { - try { - dbBaseRim = BaseReferenceManifest.select(referenceManifestManager) - .includeArchived() - .byHashCode(Arrays.hashCode(dv.getSwidfile().toByteArray())) - .getRIM(); + if (dv.getSwidfileCount() > 0) { + for (ByteString swidFile : dv.getSwidfileList()) { + try { + dbBaseRim = BaseReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(Arrays.hashCode(swidFile.toByteArray())) + .getRIM(); - if (dbBaseRim == null) { - dbBaseRim = new BaseReferenceManifest( - String.format("%s.swidtag", - clientName), - dv.getSwidfile().toByteArray()); + if (dbBaseRim == null) { + dbBaseRim = new BaseReferenceManifest( + String.format("%s.swidtag", + clientName), + swidFile.toByteArray()); - BaseReferenceManifest base = (BaseReferenceManifest) dbBaseRim; - for (SwidResource swid : base.parseResource()) { - matcher = pattern.matcher(swid.getName()); - if (matcher.matches()) { - //found the file name - int dotIndex = swid.getName().lastIndexOf("."); - clientName = swid.getName().substring(0, dotIndex); - dbBaseRim = new BaseReferenceManifest( - String.format("%s.swidtag", - clientName), - dv.getSwidfile().toByteArray()); - break; + BaseReferenceManifest base = (BaseReferenceManifest) dbBaseRim; + for (SwidResource swid : base.parseResource()) { + matcher = pattern.matcher(swid.getName()); + if (matcher.matches()) { + //found the file name + int dotIndex = swid.getName().lastIndexOf("."); + clientName = swid.getName().substring(0, dotIndex); + dbBaseRim = new BaseReferenceManifest( + String.format("%s.swidtag", + clientName), + swidFile.toByteArray()); + break; + } } + this.referenceManifestManager.save(dbBaseRim); + } else { + LOG.info("Client provided Base RIM already loaded in database."); + dbBaseRim.restore(); + dbBaseRim.resetCreateTime(); } 
- this.referenceManifestManager.save(dbBaseRim); - } else { - LOG.info("Client provided Base RIM already loaded in database."); - dbBaseRim.restore(); - dbBaseRim.resetCreateTime(); - } - tagId = dbBaseRim.getTagId(); - } catch (IOException ioEx) { - LOG.error(ioEx); + tagId = dbBaseRim.getTagId(); + } catch (IOException ioEx) { + LOG.error(ioEx); + } } } - if (dv.hasLogfile()) { - try { - support = SupportReferenceManifest.select(referenceManifestManager) - .includeArchived() - .byHashCode(Arrays.hashCode(dv.getLogfile().toByteArray())) - .getRIM(); + if (dv.getLogfileCount() > 0) { + for (ByteString logFile : dv.getLogfileList()) { + try { + support = SupportReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(Arrays.hashCode(logFile.toByteArray())) + .getRIM(); - if (support == null) { - support = new SupportReferenceManifest( - String.format("%s.rimel", - clientName), - dv.getLogfile().toByteArray()); - support.setPlatformManufacturer(dv.getHw().getManufacturer()); - support.setPlatformModel(dv.getHw().getProductName()); - support.setTagId(tagId); - this.referenceManifestManager.save(support); - } else { - LOG.info("Client provided Support RIM already loaded in database."); - if (dbBaseRim != null) { - support.setPlatformManufacturer(dbBaseRim.getPlatformManufacturer()); - support.setPlatformModel(dbBaseRim.getPlatformModel()); - support.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); - support.setAssociatedRim(dbBaseRim.getId()); - support.setTagId(dbBaseRim.getTagId()); + if (support == null) { + support = new SupportReferenceManifest( + String.format("%s.rimel", + clientName), + logFile.toByteArray()); + support.setPlatformManufacturer(dv.getHw().getManufacturer()); + support.setPlatformModel(dv.getHw().getProductName()); + support.setTagId(tagId); + this.referenceManifestManager.save(support); + } else { + LOG.info("Client provided Support RIM already loaded in database."); + if (dbBaseRim != null) { + 
support.setPlatformManufacturer(dbBaseRim.getPlatformManufacturer()); + support.setPlatformModel(dbBaseRim.getPlatformModel()); + support.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); + support.setAssociatedRim(dbBaseRim.getId()); + support.setTagId(dbBaseRim.getTagId()); + } + + support.restore(); + support.resetCreateTime(); + this.referenceManifestManager.update(support); } - - support.restore(); - support.resetCreateTime(); - this.referenceManifestManager.update(support); + } catch (IOException ioEx) { + LOG.error(ioEx); } - } catch (IOException ioEx) { - LOG.error(ioEx); } } diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index ce08f17d..f1eac4c1 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh @@ -54,7 +54,7 @@ if [ -d "$RIM_FILE_LOCATION" ]; then echo "tcg.rim.dir=$RIM_FILE_LOCATION" > "$TCG_BOOT_FILE" fi -if [ -d "$TAG_FILE_LOCATION" ]; then +if [ -d "$SWIDTAG_FILE_LOCATION" ]; then echo "tcg.swidtag.dir=$SWIDTAG_FILE_LOCATION" >> "$TCG_BOOT_FILE" fi diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index cd86e0a1..e53d1331 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp 
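Review bot: `tagId` and `dbBaseRim` are reassigned on every pass of the new `for (ByteString swidFile : dv.getSwidfileList())` loop, so when a client sends more than one swidtag only the last base RIM's tag id, manufacturer and model reach the `for (ByteString logFile : dv.getLogfileList())` loop below, and every support RIM gets `setTagId(tagId)` or `setAssociatedRim(dbBaseRim.getId())` from that last base RIM regardless of which one it belongs to. `clientName` is likewise carried across iterations: the name parsed from one swidtag's resources becomes the default `%s.swidtag` / `%s.rimel` name for the next file. If the intent is one base RIM per swidtag each with its own support RIMs, the pairing has to be keyed explicitly (for instance collecting each saved base RIM's tag id and matching support files to it) rather than left to loop order; if only one swidtag is expected in practice, a comment stating that only the last one's tag id is propagated is the minimum. The `getSwidfileCount() > 0` and `getLogfileCount() > 0` guards are redundant with iterating an empty list. The enclosing method begins and ends outside this hunk.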
@@ -89,13 +89,21 @@ int provision() { const std::string& swid_dir = props.get("tcg.swidtag.dir", ""); try { rim_files = hirs::file_utils::search_directory(rim_dir); - dv.set_logfile(rim_files); + for (const auto& rims : rim_files) { + if (rims != "") { + dv.add_logfile(rims); + } + } } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } try { swidtag_files = hirs::file_utils::search_directory(swid_dir); - dv.set_swidfile(swidtag_files); + for (const auto& swidtag : swidtag_files) { + if (swidtag != "") { + dv.add_swidfile(swidtag); + } + } } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } From a07fbbd847c4054b6cfc74cd6d50416a2bdab48b Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Wed, 2 Dec 2020 11:46:42 -0500 Subject: [PATCH 3/3] In a previous pull request, the reference manifest manager was not called to update the unarchived base rim. So it appears to never have been uploaded. --- .../attestationca/AbstractAttestationCertificateAuthority.java | 1 + 1 file changed, 1 insertion(+) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index ab70e628..25ea3f5b 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -780,6 +780,7 @@ public abstract class AbstractAttestationCertificateAuthority LOG.info("Client provided Base RIM already loaded in database."); dbBaseRim.restore(); dbBaseRim.resetCreateTime(); + this.referenceManifestManager.update(dbBaseRim); } tagId = dbBaseRim.getTagId();
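Review bot: `search_directory` returns the contents of every entry it manages to read, so everything in `tcg.rim.dir` and `tcg.swidtag.dir` is now shipped to the ACA as a RIM, whereas the `find ... -name '*.rimel' -or -name '*.bin' -or -name '*.rimpcr' -or -name '*.log'` and `-name '*.swidtag'` selection removed from the post-install script in patch 1 has no equivalent here; unless the directories are guaranteed to hold only RIM files, filter by suffix before `add_logfile`/`add_swidfile` (or give `search_directory` a suffix parameter) and document the expectation beside the property lookups. The `!= ""` checks only drop zero-byte files, since entries that fail to read are already skipped by the try/catch inside `search_directory`; `if (!rims.empty())` expresses that without building a temporary string, and the loop variable `rims` names a single file's contents, so `rim` reads better next to the already singular `swidtag`. `provision()` starts and ends outside this hunk.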