From 1d15a69e30511694539f2b22d8a29ecb21cab060 Mon Sep 17 00:00:00 2001
From: iadgovuser62
Date: Tue, 9 Apr 2024 16:36:58 -0400
Subject: [PATCH] Adding Provisioner.Net Dockerfile and script to run inside container
---
.ci/docker/.env | 8 +-
.ci/docker/Dockerfile.tpm2provisioner_dotnet | 100 ++++++++++++++++++
.../container/setup_tpm2provisioner_dotnet.sh | 83 +++++++++++++++
3 files changed, 188 insertions(+), 3 deletions(-)
create mode 100644 .ci/docker/Dockerfile.tpm2provisioner_dotnet
create mode 100644 .ci/setup/container/setup_tpm2provisioner_dotnet.sh
diff --git a/.ci/docker/.env b/.ci/docker/.env
index cfa0eeaa..8eca5528 100644
--- a/.ci/docker/.env
+++ b/.ci/docker/.env
@@ -4,12 +4,14 @@ TPM_ENABLED=true
 IMA_ENABLED=false
 HIRS_ACA_PORTAL_IP=172.19.0.2
-HIRS_ACA_PORTAL_PORT=8443
+HIRS_ACA_PORTAL_PORT=8444
 HIRS_BROKER_PORT=61616
-HIRS_ACA_PORTAL_CONTAINER_PORT=80
+HIRS_ACA_PORTAL_CONTAINER_PORT=8443
 HIRS_ACA_HOSTNAME=hirsaca
 HIRS_SUBNET=172.19.0.0/16
-TEST_STATUS=0
\ No newline at end of file
+TEST_STATUS=0
+
+BRANCH_NAME='main'
\ No newline at end of file
diff --git a/.ci/docker/Dockerfile.tpm2provisioner_dotnet b/.ci/docker/Dockerfile.tpm2provisioner_dotnet
new file mode 100644
index 00000000..bdf84d03
--- /dev/null
+++ b/.ci/docker/Dockerfile.tpm2provisioner_dotnet
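Review bot: `HIRS_ACA_PORTAL_PORT` becomes 8444 while `HIRS_ACA_PORTAL_CONTAINER_PORT` becomes 8443, and nothing in the file says which side of the container each refers to; the setup script added in this same commit sources this file and curls the container IP using `HIRS_ACA_PORTAL_PORT`. A one-line comment on each, e.g. `# port published on the docker host` and `# port the ACA listens on inside the container` (or whichever assignment the compose file actually makes), would stop the two from being swapped again. `BRANCH_NAME='main'` is added with single quotes, which is literal both when bash sources the file and when compose reads it, but neither new file in this commit consumes it, so a comment naming its consumer would help the next reader.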
@@ -0,0 +1,100 @@
+FROM rockylinux:9
+LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity Research
+LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs
+LABEL org.opencontainers.image.description Tools for testing the build and deployment of HIRS projects.
+
+# Purpose: This image is designed for HIRS Provisioner.Net testing on Rocky 9.
+# Date Modified: 4/3/24
+# Notes: The image to be built should be named "r9ts".
+# Use this command to build the image:
+# $ docker build -f ./Dockerfile.tpm2provisioner_dotnet -t r9ts:latest .
+
+# REF can be specified as a docker run environment variable to select the HIRS branch to work with
+ENV REF=main
+# BUILD, is an environment variable that if not empty, will attempt to run gradle bootWar on the cloned branch
+ENV BUILD=
+
+SHELL ["/bin/bash", "-c"]
+
+# Rocky 9 has a different channel for some apps
+RUN dnf install -y 'dnf-command(config-manager)' && dnf config-manager --set-enabled crb
+
+# Update and install OS-dependencies
+RUN dnf update -y
+# Dependencies were selected for these reasons:
+# OS setup/Unknown direct impact for HIRS
+ENV HIRS_DNF_OS_SETUP="initscripts firewalld policycoreutils policycoreutils-python-utils net-tools"
+# OS tools
+ENV HIRS_DNF_OS_TOOLS="git sudo vim wget"
+# ACA compile
+ENV HIRS_DNF_ACA_COMPILE="java-17-openjdk-devel"
+# ACA run
+ENV HIRS_DNF_ACA_RUN="mariadb-server"
+# IBM TPM simulator compile
+ENV HIRS_DNF_TPM_COMPILE="tpm2-tools gcc cmake openssl-devel"
+# IBM TSS compile
+ENV HIRS_DNF_TSS_COMPILE="autoconf automake libtool"
+# .NET SDK
+ENV HIRS_DNF_DOTNET_SDK="dotnet-sdk-6.0"
+# Download and install all dependencies at one time
+RUN dnf -y install $(echo "$HIRS_DNF_OS_SETUP") $(echo "$HIRS_DNF_OS_TOOLS") $(echo "$HIRS_DNF_ACA_COMPILE") $(echo "$HIRS_DNF_ACA_RUN") $(echo "$HIRS_DNF_TPM_COMPILE") $(echo "$HIRS_DNF_TSS_COMPILE") $(echo "$HIRS_DNF_DOTNET_SDK")
+
+# Build IBM TPM Simulator
+RUN git clone https://github.com/kgoldman/ibmswtpm2 /ibmswtpm2
+WORKDIR /ibmswtpm2/src
+RUN make
+
+# Build IBM TPM tools
+RUN git clone https://github.com/kgoldman/ibmtss /ibmtss
+WORKDIR /ibmtss/utils
+RUN make -f makefiletpmc
+
+# The following script tests that the SW TPM and TSS were compiled in the docker image. And documents how to start the SW TPM after container launch using both IBM's tss and TPM2-TOOLS.
+RUN echo "#!/bin/bash" > /tmp/tpm_config && \
+ echo "/ibmswtpm2/src/tpm_server &" >> /tmp/tpm_config && \
+ echo "sleep 5" >> /tmp/tpm_config && \
+ echo "/ibmtss/utils/startup -c" >> /tmp/tpm_config && \
+ echo "tpm2_shutdown" >> /tmp/tpm_config && \
+ echo "tpm2_startup -c" >> /tmp/tpm_config && \
+ echo "/ibmtss/utils/shutdown -c" >> /tmp/tpm_config && \
+ bash /tmp/tpm_config && \
+ rm -rf /tmp/tpm_config
+
+# Checkout HIRS
+RUN git clone -b main https://github.com/nsacyber/HIRS.git /hirs
+
+# Run bootwar to cache build artifacts
+WORKDIR /hirs
+RUN ./gradlew bootWar
+
+# Install dotnet tools
+RUN dotnet tool install --global dotnet-deb
+RUN dotnet tool install --global dotnet-rpm
+RUN dotnet tool install --global dotnet-zip
+# Add dotnet PATHs
+ENV PATH="/root/.dotnet:/root/.dotnet/tools:$PATH"
+# Build .NET
+WORKDIR /hirs/HIRS_Provisioner.NET
+RUN dotnet restore
+WORKDIR /hirs/HIRS_Provisioner.NET/hirs
+RUN dotnet test
+RUN dotnet deb -r linux-x64 -c Release
+RUN dotnet rpm -r linux-x64 -c Release
+
+# The following script will clone and copy the referenced branch of HIRS off GitHub
+# If configured, run bootwar to cache build artifacts
+RUN echo "#!/bin/bash" > /tmp/auto_clone_branch && \
+ echo "cd /hirs" >> /tmp/auto_clone_branch && \
+ echo "git fetch origin && git pull origin main && git reset --hard" >> /tmp/auto_clone_branch && \
+ echo 'git checkout $1 && git reset --hard' >> /tmp/auto_clone_branch && \
+ echo 'if [ -n "${2}" ]; then ./gradlew bootWar; fi' >> /tmp/auto_clone_branch && \
+ echo "cd HIRS_Provisioner.NET/hirs" >> /tmp/auto_clone_branch && \
+ echo 'if [ -n "${2}" ]; then dotnet deb -r linux-x64 -c Release && dotnet rpm -r linux-x64 -c Release; fi' >> /tmp/auto_clone_branch && \
+ chmod 755 /tmp/auto_clone_branch
+
+# Reset working directory
+WORKDIR /hirs
+
+# Copy script for running TPM Simulator
+COPY ./.ci/setup/container/setup_tpm2provisioner_dotnet.sh /.ci/setup/container/
+RUN chmod 755 /.ci/setup/container/setup_tpm2provisioner_dotnet.sh
diff --git a/.ci/setup/container/setup_tpm2provisioner_dotnet.sh b/.ci/setup/container/setup_tpm2provisioner_dotnet.sh
new file mode 100644
index 00000000..eb399124
--- /dev/null
+++ b/.ci/setup/container/setup_tpm2provisioner_dotnet.sh
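Review bot: Every upstream input the image bakes in is fetched unpinned — `git clone https://github.com/kgoldman/ibmswtpm2`, `git clone https://github.com/kgoldman/ibmtss`, `git clone -b main https://github.com/nsacyber/HIRS.git` and the three `dotnet tool install --global` calls all take whatever is current at build time, so two builds of this file can contain different TPM-simulator, TSS and packaging-tool code, and a change in any of those repositories lands in the test image unreviewed. Pin each to a tag or commit you have looked at, e.g. `ARG IBMSWTPM2_REF` plus `RUN git clone https://github.com/kgoldman/ibmswtpm2 /ibmswtpm2 && git -C /ibmswtpm2 checkout "${IBMSWTPM2_REF}"`, and `dotnet tool install --global dotnet-deb --version <pinned>` for the tools. The HIRS clone also hard-codes `-b main` even though `ENV REF=main` is declared earlier as the branch selector; if REF is only meant for the run-time `auto_clone_branch` helper, a comment on the clone line saying so would stop readers expecting the build to honour it. The generated `/tmp/auto_clone_branch` runs `git checkout $1` unquoted and has no `set -e`, so an empty or multi-word argument leaves the tree on `main` and the build steps still run; `git checkout "$1"` with `set -e` on the script's second line makes that fail loudly. This hunk is the entire new file, so nothing is cut off at either edge.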
@@ -0,0 +1,83 @@
+#!/bin/bash
+#########################################################################################
+# Script to setup the TPM Provisioner.NET for System Tests
+#########################################################################################
+
+# Setting configurations
+. ./.ci/docker/.env
+
+set -a
+
+set -e
+echo "*** Setting up TPM emulator for the TPM2 Provisioner *** "
+
+# Wait for ACA to boot
+echo "*** Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
+ until [ "`curl --silent -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep 'HTTP/1.1 200'`" != "" ]; do
+ sleep 1;
+ done
+ echo "*** ACA is up!"
+
+# Un-package Provisioner.NET RPM
+cd /
+yes | dnf install /hirs/HIRS_Provisioner.NET/hirs/bin/Release/net6.0/linux-x64/HIRS_Provisioner.NET.2.2.0.linux-x64.rpm 1> /dev/null
+
+# Start TPM simulator server
+./ibmswtpm2/src/tpm_server 1> /dev/null &
+echo "*** TPM Simulator Server has started"
+
+# Create EK Certificate
+cd /ibmtss/utils || exit
+./startup 1> /dev/null
+./createekcert -rsa 2048 -cakey cakey.pem -capwd rrrr -v 1> /dev/null
+cd / || exit
+echo "*** EK certificate has been created using IBMTSS CA Key"
+
+# Writing to Provisioner.Net configurations file for modified aca port and efi prefix
+cat < /usr/share/hirs/appsettings.json
+{
+ "auto_detect_tpm": "TRUE",
+ "aca_address_port": "https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}",
+ "efi_prefix": "/boot/efi",
+ "paccor_output_file": "",
+ "event_log_file": "",
+ "hardware_manifest_collectors": "paccor_scripts",
+
+ "Serilog": {
+ "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
+ "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
+ "MinimumLevel": {
+ "Default": "Debug",
+ "Override": {
+ "Microsoft": "Warning",
+ "System": "Warning"
+ }
+ },
+ "WriteTo": [
+ {
+ "Name": "Console",
+ "Args": {
+ "outputTemplate": "{Message}{NewLine}",
+ "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
+ "restrictedToMinimumLevel": "Information"
+ }
+ },
+ {
+ "Name": "File",
+ "Args": {
+ "path": "hirs.log",
+ "rollingInterval": "Day",
+ "retainedFileCountLimit": 5
+ }
+ }
+ ]
+ }
+}
+APPSETTINGS_FILE
+
+# Uploading CA Certificate to HIRS ACA Portal
+curl -k -s -F "file=@/ibmtss/utils/certificates/cacert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
+echo "*** CA Certificate has been uploaded to HIRS ACA Portal"
+
+# Starting Provisioning
+./usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim
\ No newline at end of file