diff --git a/.github/workflows/dotnet_provisioner_unit_tests.yml b/.github/workflows/dotnet_provisioner_unit_tests.yml index 0149f7a3..436bca1e 100644 --- a/.github/workflows/dotnet_provisioner_unit_tests.yml +++ b/.github/workflows/dotnet_provisioner_unit_tests.yml @@ -21,7 +21,7 @@ jobs: git config --global core.eol lf - name: Checkout repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: submodules: recursive @@ -82,14 +82,14 @@ jobs: more $logName - name: Upload Logs Ubuntu - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 if: contains(matrix.os, 'ubuntu') && always() with: name: "${{matrix.os}}-unit-tests-${{steps.ubuntu_result.outputs.result}}.log" path: HIRS_Provisioner.NET/*.log - name: Upload Logs Windows - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 if: contains(matrix.os, 'windows') && always() with: name: "${{matrix.os}}-unit-tests-${{steps.window_result.outputs.result}}.log" diff --git a/.github/workflows/hirs_package_linux.yml b/.github/workflows/hirs_package_linux.yml index 5406ad06..b8f04b06 100644 --- a/.github/workflows/hirs_package_linux.yml +++ b/.github/workflows/hirs_package_linux.yml @@ -17,7 +17,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 17 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: '17' distribution: 'temurin' 
@@ -26,44 +26,57 @@ jobs: - name: directory setup run: | mkdir -p artifacts/jars + mkdir -p artifacts/win + mkdir -p artifacts/win/hirstools - name: install dependencies run: | sudo apt-get update sudo apt-get install git curl nano cron mariadb-server - name: Setup Gradle - uses: gradle/gradle-build-action@v2 + uses: gradle/actions/setup-gradle@v3 - name: Execute Gradle build run: | ./gradlew build; ./gradlew bootWar; ./gradlew buildDeb; ./gradlew buildRpm; + ./gradlew buildZip cp HIRS_AttestationCAPortal/build/libs/*.jar artifacts/jars/. cp HIRS_AttestationCA/build/libs/*.jar artifacts/jars/. cp HIRS_Utils/build/libs/*.jar artifacts/jars/. cp HIRS_Structs/build/libs/*.jar artifacts/jars/. + cp tools/tcg_rim_tool/build/distributions/*.zip artifacts/win + cp tools/tcg_eventlog_tool/build/distributions/*.zip artifacts/win + cp package/win/tcg-rim-tool/* artifacts/win/hirstools - name: Archive RPM files - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: RPM_Files path: HIRS_AttestationCAPortal/build/distributions/*.rpm if-no-files-found: error - name: Archive DEB files - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: DEB_Files path: HIRS_AttestationCAPortal/build/distributions/*.deb if-no-files-found: error - name: War files - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: WAR_Files path: HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war if-no-files-found: error - name: JAR_Files - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: JAR_Files path: artifacts/jars/ if-no-files-found: error - \ No newline at end of file + - name: ZIP_Files + uses: actions/upload-artifact@v4 + with: + name: ZIP_Files + path: artifacts/win/ + if-no-files-found: error + + 
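Review bot: The new `ZIP_Files` upload publishes whatever `./gradlew buildZip` packages, and the `tools/tcg_rim_tool/build.gradle` change in this same diff copies `.ci/tcg-rim-tool/keys/PC_OEM1_rim_signer_rsa_3k_sha384.key` into that zip, so an RSA private key becomes a downloadable workflow artifact. If that is the throwaway CI test key its `.ci/` path suggests, say so next to the step (`# ZIP_Files deliberately bundles the .ci demo signing key; never point buildZip at a real one`); if it is anything else, strip it from the zip before `ZIP_Files` runs. Separately, the third-party actions are referenced by mutable tags (`actions/upload-artifact@v4`, `gradle/actions/setup-gradle@v3`) rather than a commit SHA, which is the usual supply-chain hardening for a workflow that produces distributable artifacts.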
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java index 8d887c38..2b95045a 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java @@ -1,5 +1,6 @@ package hirs.attestationca.persist.provision; +import com.fasterxml.jackson.databind.ser.Serializers; import com.google.protobuf.ByteString; import hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2; import hirs.attestationca.persist.entity.manager.CertificateRepository; @@ -61,6 +62,8 @@ import java.util.HashMap; import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.Optional; +import java.util.UUID; import java.util.regex.Matcher; import java.util.regex.Pattern; 
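Review bot: `import com.fasterxml.jackson.databind.ser.Serializers;` is not referenced by any code added in this change and looks like an IDE auto-import; it should be removed so the processor does not pick up a needless compile-time dependency on Jackson internals. `Optional` and `UUID` are the only new imports the replacement-RIM logic needs.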
@@ -346,14 +349,79 @@ public class IdentityClaimProcessor extends AbstractProcessor { dv.getHw().getManufacturer(), dv.getHw().getProductName()); BaseReferenceManifest dbBaseRim = null; - SupportReferenceManifest support; + SupportReferenceManifest support = null; EventLogMeasurements measurements; + boolean isReplacement = false; + String replacementRimId = ""; String tagId = ""; String fileName = ""; Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"); Matcher matcher; MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); + if (dv.getSwidfileCount() > 0) { + for (ByteString swidFile : dv.getSwidfileList()) { + try { + dbBaseRim = (BaseReferenceManifest) referenceManifestRepository + .findByBase64Hash(Base64.getEncoder() + .encodeToString(messageDigest + .digest(swidFile.toByteArray()))); + if (dbBaseRim == null) { + /* + Either the swidFile does not have a corresponding base RIM in the backend + or it was deleted. Check if there is a replacement by comparing tagId against + all other base RIMs, and then set the corresponding support rim's deviceName. + */ + dbBaseRim = new BaseReferenceManifest( + String.format("%s.swidtag", + defaultClientName), + swidFile.toByteArray()); + List baseRims = referenceManifestRepository.findAllBaseRims(); + for (BaseReferenceManifest bRim : baseRims) { + if (bRim.getTagId().equals(dbBaseRim.getTagId())) { + dbBaseRim = bRim; + replacementRimId = dbBaseRim.getAssociatedRim().toString(); + isReplacement = true; + break; + } + } + dbBaseRim.setDeviceName(dv.getNw().getHostname()); + this.referenceManifestRepository.save(dbBaseRim); + } else if (dbBaseRim.isArchived()) { + /* + This block accounts for RIMs that may have been soft-deleted (archived) + in an older version of the ACA. 
+ */ + List rims = referenceManifestRepository.findByArchiveFlag(false); + for (ReferenceManifest rim : rims) { + if (rim.isBase() && rim.getTagId().equals(dbBaseRim.getTagId()) && + rim.getCreateTime().after(dbBaseRim.getCreateTime())) { + dbBaseRim.setDeviceName(null); + dbBaseRim = (BaseReferenceManifest) rim; + dbBaseRim.setDeviceName(dv.getNw().getHostname()); + } + } + if (dbBaseRim.isArchived()) { + throw new Exception("Unable to locate an unarchived base RIM."); + } else { + this.referenceManifestRepository.save(dbBaseRim); + } + } else { + dbBaseRim.setDeviceName(dv.getNw().getHostname()); + this.referenceManifestRepository.save(dbBaseRim); + } + tagId = dbBaseRim.getTagId(); + } catch (UnmarshalException e) { + log.error(e); + } catch (Exception ex) { + log.error(String.format("Failed to load base rim: %s", ex.getMessage())); + } + } + } else { + log.warn(String.format("%s did not send swid tag file...", + dv.getNw().getHostname())); + } + if (dv.getLogfileCount() > 0) { for (ByteString logFile : dv.getLogfileList()) { try { 
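Review bot: The replacement path in the new `if (dbBaseRim == null)` block is triggered purely by `bRim.getTagId().equals(dbBaseRim.getTagId())`, and that tagId is parsed from the swidtag bytes the client just sent, so any provisioner can bind itself to an arbitrary existing base RIM (and, through `isReplacement`, to that RIM's stored support RIM) by presenting a tag whose tagId collides; unless the tag's signature is verified before this point, the match should also require that the uploaded tag is a valid newer version of `bRim`, not merely a name match. `isReplacement` and `replacementRimId` are never reset inside the `swidFile` loop, so with several tags the last match leaks into every iteration of the later log-file loop. The trailing `catch (Exception ex)` also swallows the deliberate `Unable to locate an unarchived base RIM` throw (and any NPE from `getAssociatedRim()` being null) with a log line and leaves `dbBaseRim` pointing at the archived or half-built object for the code after this hunk; either rethrow or at least set `dbBaseRim = null;` in that handler. The enclosing method starts before and ends after this hunk.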
@@ -361,27 +429,59 @@ public class IdentityClaimProcessor extends AbstractProcessor { Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())), ReferenceManifest.SUPPORT_RIM); if (support == null) { - support = new SupportReferenceManifest( - String.format("%s.rimel", - defaultClientName), - logFile.toByteArray()); - // this is a validity check - new TCGEventLog(support.getRimBytes()); - // no issues, continue - support.setPlatformManufacturer(dv.getHw().getManufacturer()); - support.setPlatformModel(dv.getHw().getProductName()); - support.setFileName(String.format("%s_[%s].rimel", defaultClientName, - support.getHexDecHash().substring( - support.getHexDecHash().length() - NUM_OF_VARIABLES))); + /* + Either the logFile does not have a corresponding support RIM in the backend + or it was deleted. The support RIM for a replacement base RIM is handled + in the previous loop block. + */ + if (isReplacement) { + Optional replacementRim = + referenceManifestRepository.findById(UUID.fromString(replacementRimId)); + if (replacementRim.isPresent()) { + support = (SupportReferenceManifest) replacementRim.get(); + support.setDeviceName(dv.getNw().getHostname()); + } else { + throw new Exception("Unable to locate support RIM " + replacementRimId); + } + } else { + support = new SupportReferenceManifest( + String.format("%s.rimel", + defaultClientName), + logFile.toByteArray()); + // this is a validity check + new TCGEventLog(support.getRimBytes()); + // no issues, continue + support.setPlatformManufacturer(dv.getHw().getManufacturer()); + support.setPlatformModel(dv.getHw().getProductName()); + support.setFileName(String.format("%s_[%s].rimel", defaultClientName, + support.getHexDecHash().substring( + support.getHexDecHash().length() - NUM_OF_VARIABLES))); + } support.setDeviceName(dv.getNw().getHostname()); this.referenceManifestRepository.save(support); - } else { - log.info("Client provided Support RIM already loaded in database."); + } else if 
(support.isArchived()) { + /* + This block accounts for RIMs that may have been soft-deleted (archived) + in an older version of the ACA. + */ + List rims = referenceManifestRepository.findByArchiveFlag(false); + for (ReferenceManifest rim : rims) { + if (rim.isSupport() && + rim.getTagId().equals(support.getTagId()) && + rim.getCreateTime().after(support.getCreateTime())) { + support.setDeviceName(null); + support = (SupportReferenceManifest) rim; + support.setDeviceName(dv.getNw().getHostname()); + } + } if (support.isArchived()) { - support.restore(); - support.resetCreateTime(); + throw new Exception("Unable to locate an unarchived support RIM."); + } else { this.referenceManifestRepository.save(support); } + } else { + support.setDeviceName(dv.getNw().getHostname()); + this.referenceManifestRepository.save(support); } } catch (IOException ioEx) { log.error(ioEx); 
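Review bot: In the new `if (isReplacement)` branch the `logFile` bytes the device actually sent are never parsed, hashed or stored: the stored support RIM behind `replacementRimId` is adopted as this device's support RIM without any check that it corresponds to the submitted log, and the `new TCGEventLog(...)` validity check is skipped entirely on that path, so the record of what the device booted can silently diverge from its real event log. Because `replacementRimId` is set once in the earlier swidtag loop, every entry of `dv.getLogfileList()` that misses the hash lookup takes this branch, not just the one belonging to the replaced base RIM. The unchecked cast `(SupportReferenceManifest) replacementRim.get()` trusts that `getAssociatedRim()` points at a support RIM; `replacementRim.filter(SupportReferenceManifest.class::isInstance).map(SupportReferenceManifest.class::cast).orElseThrow(() -> new IllegalStateException("Unable to locate support RIM " + replacementRimId))` would surface a wrong row as the intended error instead of a ClassCastException and avoid throwing raw `Exception`. The handler that catches the generic `Exception` this block now throws lies outside the hunk.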
@@ -394,42 +494,6 @@ public class IdentityClaimProcessor extends AbstractProcessor { dv.getNw().getHostname())); } - if (dv.getSwidfileCount() > 0) { - for (ByteString swidFile : dv.getSwidfileList()) { - try { - dbBaseRim = (BaseReferenceManifest) referenceManifestRepository - .findByBase64Hash(Base64.getEncoder() - .encodeToString(messageDigest - .digest(swidFile.toByteArray()))); - if (dbBaseRim == null) { - dbBaseRim = new BaseReferenceManifest( - String.format("%s.swidtag", - defaultClientName), - swidFile.toByteArray()); - dbBaseRim.setDeviceName(dv.getNw().getHostname()); - this.referenceManifestRepository.save(dbBaseRim); - } else { - log.info("Client provided Base RIM already loaded in database."); - /** - * Leaving this as is for now, however can there be a condition - * in which the provisioner sends swidtags without support rims? - */ - if (dbBaseRim.isArchived()) { - dbBaseRim.restore(); - dbBaseRim.resetCreateTime(); - this.referenceManifestRepository.save(dbBaseRim); - } - } - tagId = dbBaseRim.getTagId(); - } catch (UnmarshalException e) { - log.error(e); - } - } - } else { - log.warn(String.format("%s did not send swid tag file...", - dv.getNw().getHostname())); - } - //update Support RIMs and Base RIMs. for (ByteString swidFile : dv.getSwidfileList()) { dbBaseRim = (BaseReferenceManifest) referenceManifestRepository diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java index f05e2b27..9722ab2d 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java 
@@ -239,9 +239,7 @@ public class ReferenceManifestPageController extends PageController Exe - net6.0 + net8.0 linux-x64;win-x64 hirs.Program true enable enable - 3.0.0 + 3.0.1 @@ -35,7 +35,7 @@ - + all runtime; build; native; contentfiles; analyzers; buildtransitive diff --git a/HIRS_Provisioner.NET/hirsTest/hirsTest.csproj b/HIRS_Provisioner.NET/hirsTest/hirsTest.csproj index 120dfd60..bd12569c 100644 --- a/HIRS_Provisioner.NET/hirsTest/hirsTest.csproj +++ b/HIRS_Provisioner.NET/hirsTest/hirsTest.csproj @@ -1,7 +1,7 @@  - net6.0 + net8.0 false enable enable diff --git a/package/win/tcg-rim-tool/README.md b/package/win/tcg-rim-tool/README.md new file mode 100644 index 00000000..e77b9858 --- /dev/null +++ b/package/win/tcg-rim-tool/README.md 
@@ -0,0 +1,29 @@
+This README is part of the ZIP_Files.zip generated from hirs_package_linux.yml the goal of this zip is to have the TCG RIM tool, and the TCG Eventlog tool available on windows.
+
+To get the tools running on windows follow the instructions below:
+
+1- Unzip "ZIP_Files"
+
+2- open powershell as administrator and navigate to the hirstools folder.
+
+3- run the following command: ```powershell -ExecutionPolicy Bypass -File '.\create_hirstools_desktop_shortcut.ps1'```
+
+4- double-click the HIRS_tools shortcut on your desktop.
+
+To run the rim tool try the following commands:
+
+> rim -c base -a .\tcg_rim_tool\Base_Rim_Config.json -l .\tcg_rim_tool\TpmLog.bin -k .\tcg_rim_tool\PC_OEM1_rim_signer_rsa_3k_sha384.key -p .\tcg_rim_tool\PC_OEM1_rim_signer_rsa_3k_sha384.pem -o baseRim.swidtag
+
+> rim -v .\baseRim.swidtag -p .\tcg_rim_tool\PC_OEM1_rim_signer_rsa_3k_sha384.pem -t .\tcg_rim_tool\PC_OEM1_Cert_Chain.pem -l .\tcg_rim_tool\TpmLog.bin
+
+
+
+To run the eventlog tool:
+
+elt -f C:\Windows\Logs\MeasuredBoot\[.log file here] -e
+
+Eventlog files are found here windows:
+C:\Windows\Logs\MeasuredBoot
+
+Example Command would be:
+> elt -f C:\Windows\Logs\MeasuredBoot\000000001-000000001.log -e (file name needs to match on on your system)
diff --git a/package/win/tcg-rim-tool/create_hirstools_desktop_shortcut.ps1 b/package/win/tcg-rim-tool/create_hirstools_desktop_shortcut.ps1
new file mode 100644
index 00000000..17332995
--- /dev/null
+++ b/package/win/tcg-rim-tool/create_hirstools_desktop_shortcut.ps1
@@ -0,0 +1,11 @@
+# Unzip tools in the working directory
+Expand-Archive -Path ..\tcg_rim_tool.zip -DestinationPath .\tcg_rim_tool
+Expand-Archive -Path ..\tcg_eventlog_tool.zip -DestinationPath .\tcg_eventlog_tool
+# Create a shortcut to start the RIM shell
+$WshShell = New-Object -comObject WScript.Shell
+$Shortcut = $WshShell.CreateShortcut("$Home\Desktop\HIRS_tools.lnk")
+$Shortcut.TargetPath = "powershell.exe"
+$ScriptPath = "$PWD\hirsshell.ps1"
+$Shortcut.Arguments = "-ExecutionPolicy Bypass -File `"$ScriptPath`""
+$Shortcut.WorkingDirectory = "$PWD"
+$Shortcut.Save()
diff --git a/package/win/tcg-rim-tool/eventLog.ps1 b/package/win/tcg-rim-tool/eventLog.ps1
new file mode 100644
index 00000000..552289c7
--- /dev/null
+++ b/package/win/tcg-rim-tool/eventLog.ps1
@@ -0,0 +1,11 @@
+# Script to run the tcg_rim_tool in java
+
+$JavaParams = @{
+ FilePath = 'java'
+ ArgumentList = @(
+ '-jar "{0}"' -f "$PWD\tcg_eventlog_tool/tcg_eventlog_tool.jar"
+ "$args"
+ )
+}
+
+Start-Process @JavaParams -NoNewWindow -Wait
\ No newline at end of file
diff --git a/package/win/tcg-rim-tool/hirsshell.ps1 b/package/win/tcg-rim-tool/hirsshell.ps1
new file mode 100644
index 00000000..3df0d501
--- /dev/null
+++ b/package/win/tcg-rim-tool/hirsshell.ps1
@@ -0,0 +1,14 @@
+# Script to start a new shell with a rim alias
+$StartInfo = new-object System.Diagnostics.ProcessStartInfo
+$StartInfo.FileName = "$pshome\powershell.exe"
+$StartInfo.Arguments = "-NoExit -Command
+ `$Host.UI.RawUI.WindowTitle=`'TCG RIM TOOL`';
+ Set-Alias elt '$PWD\eventlog.ps1';
+ Set-Alias rim '$PWD\rim.ps1';
+ echo 'The TCG RIM TOOL is intended for testing TCG Defined PC Client Reference Integrity Manifests (RIMs)';
+ echo 'for usage type: rim -h';
+ echo 'for eventlog usage type: elt -h'
+ Set-Location -Path $PWD;
+ function prompt {'HIRS > '};"
+[System.Diagnostics.Process]::Start($StartInfo)
+
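Review bot: The shortcut this script writes launches `powershell.exe -ExecutionPolicy Bypass -File "$PWD\hirsshell.ps1"` from whatever directory the user happened to run it in, so the desktop launcher is permanently bound to a user-writable folder and will bypass script policy for anything later dropped there under the name `hirsshell.ps1`. Resolve the target relative to the script itself (`$ScriptPath = Join-Path $PSScriptRoot 'hirsshell.ps1'`) and, instead of `Bypass`, clear the mark-of-the-web on the extracted files once (`Get-ChildItem -Recurse | Unblock-File`) so `RemoteSigned` is enough. `Expand-Archive` also fails on a second run because the destination folders already exist; add `-Force` if re-running is expected.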
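Review bot: `"$args"` flattens the argument array into one space-joined string before `Start-Process` builds the command line, so any argument containing a space (a log under `C:\Program Files`, for instance) or shell metacharacters is re-split or reinterpreted by the java process; quote each element instead, e.g. `ArgumentList = @('-jar', ('"{0}"' -f "$PWD\tcg_eventlog_tool\tcg_eventlog_tool.jar")) + @($args | ForEach-Object { '"{0}"' -f $_ })`. The header comment `# Script to run the tcg_rim_tool in java` was copied from rim.ps1 and should read `tcg_eventlog_tool`. The jar is also located through `$PWD` rather than `$PSScriptRoot`, so `elt` only works while the shell's current directory is still the tools folder.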
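Review bot: `$PWD` is interpolated unquoted into the `-Command` string on the `Set-Location -Path $PWD;` line and inside single quotes on the `Set-Alias` lines, so a tools directory whose path contains a space, `;` or `'` either breaks the new shell or executes part of the path as code; the simplest fix is `$StartInfo.WorkingDirectory = $PWD` with the `Set-Location` line dropped, and `'$($PWD.Path.Replace("'", "''"))\rim.ps1'` for the alias targets. `Set-Alias elt '$PWD\eventlog.ps1'` also names `eventlog.ps1` while the file added in this diff is `eventLog.ps1`, which only works because NTFS is case-insensitive.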
diff --git a/package/win/tcg-rim-tool/rim.ps1 b/package/win/tcg-rim-tool/rim.ps1 new file mode 100644 index 00000000..986e2917 --- /dev/null +++ b/package/win/tcg-rim-tool/rim.ps1 @@ -0,0 +1,11 @@ +# Script to run the tcg_rim_tool in java + +$JavaParams = @{ + FilePath = 'java' + ArgumentList = @( + '-jar "{0}"' -f "$PWD\tcg_rim_tool/tcg_rim_tool.jar" + "$args" + ) +} + +Start-Process @JavaParams -NoNewWindow -Wait \ No newline at end of file diff --git a/tools/tcg_eventlog_tool/build.gradle b/tools/tcg_eventlog_tool/build.gradle index 5af411d4..04640f51 100644 --- a/tools/tcg_eventlog_tool/build.gradle +++ b/tools/tcg_eventlog_tool/build.gradle @@ -125,4 +125,22 @@ ospackage { arch = 'amd64' requires('hwdata', '0.314', GREATER | EQUAL) } + } + + +task buildZip(type: Zip){ + dependsOn jar + from(tasks.jar.archiveFile){ + rename( filename -> + "${project.name}.jar") + into '/' + } + + archiveBaseName.set(project.name) + destinationDirectory.set(file("$buildDir/distributions")) + archiveFileName.set("${project.name}.zip") +} + +buildZip.dependsOn jar +//build.dependsOn buildZip \ No newline at end of file diff --git a/tools/tcg_rim_tool/build.gradle b/tools/tcg_rim_tool/build.gradle index fc39524c..92921f72 100644 --- a/tools/tcg_rim_tool/build.gradle +++ b/tools/tcg_rim_tool/build.gradle 
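Review bot: `"$args"` collapses the argument list into a single string here as well, so the key, certificate and log paths passed to `rim` break as soon as one of them contains a space, and unquoted metacharacters reach the java process verbatim; quote each argument individually before handing the array to `Start-Process`, e.g. `@($args | ForEach-Object { '"{0}"' -f $_ })` appended to the `-jar` pair. The jar path is built from `$PWD`, so the `rim` alias only works from the tools directory; `$PSScriptRoot` would make it location-independent.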
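Review bot: `from(tasks.jar.archiveFile)` already carries the task dependency, yet the block declares `dependsOn jar` inside the task and again as `buildZip.dependsOn jar` after it, so two of the three are noise; keep one. The commented-out `//build.dependsOn buildZip` should either be enabled or deleted rather than left as dead code. `$buildDir` is deprecated in recent Gradle releases in favour of `layout.buildDirectory.dir('distributions')`; whether that applies depends on the Gradle version the wrapper pins, which is not visible here.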
@@ -131,3 +131,38 @@ buildRpm { buildDeb { arch = 'amd64' } + +task buildZip(type: Zip){ + dependsOn jar + dependsOn jar + from(tasks.jar.archiveFile){ + rename( filename -> + "${project.name}.jar") + into '/' + } + from('./build/resources/test/rim_fields.json'){ + into '/' + } + from('../../.ci/tcg-rim-tool/configs/Base_Rim_Config.json'){ + into '/' + } + from('../../.ci/tcg-rim-tool/eventlogs/TpmLog.bin'){ + into '/' + } + from('../../.ci/tcg-rim-tool/keys/PC_OEM1_rim_signer_rsa_3k_sha384.key'){ + into '/' + } + from('../../.ci/tcg-rim-tool/certs/PC_OEM1_rim_signer_rsa_3k_sha384.pem'){ + into '/' + } + from('../../.ci/tcg-rim-tool/certs/PC_OEM1_Cert_Chain.pem'){ + into '/' + } + + archiveBaseName.set(project.name) + destinationDirectory.set(file("$buildDir/distributions")) + archiveFileName.set("${project.name}.zip") +} + +buildZip.dependsOn jar +//build.dependsOn buildZip \ No newline at end of file
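Review bot: The zip bundles `../../.ci/tcg-rim-tool/keys/PC_OEM1_rim_signer_rsa_3k_sha384.key`, an RSA private key, next to its certificate and chain, and the Windows README in this diff tells users to sign RIMs with it; because the same zip is published as a CI artifact, every RIM produced that way is signed with a key anyone can download and is worthless outside local testing. If the key is meant only for demos, mark it as such inside the zip (another `from` block adding a short `TEST_KEY_README.txt`) and make sure nothing but throwaway material ever lives under `.ci/`. `from('./build/resources/test/rim_fields.json')` is silently skipped when `processTestResources` has not run, since `dependsOn jar` does not pull in test resources; point it at `sourceSets.test.resources` or add `dependsOn processTestResources`. `dependsOn jar` is also declared three times (twice inside the task, once after it).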