From 5acc393541b5624daa9de8c5d996244991ecfcd6 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Thu, 6 May 2021 08:43:26 -0400 Subject: [PATCH 01/11] This commit adds several changes that updates how the RIM files are accessed and made accessible from the DB as well as what is shown visually when there is a validation failure and the measurement log is shown. --- ...stractAttestationCertificateAuthority.java | 29 +++++--- .../SupplyChainValidationServiceImpl.java | 6 +- ...eferenceManifestDetailsPageController.java | 70 +++++++++++++------ .../main/webapp/WEB-INF/jsp/rim-details.jsp | 29 ++------ .../data/persist/BaseReferenceManifest.java | 19 ++--- .../data/persist/EventLogMeasurements.java | 19 ++--- .../hirs/data/persist/ReferenceManifest.java | 19 +++++ .../persist/SupportReferenceManifest.java | 19 ++--- 8 files changed, 110 insertions(+), 100 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 767ba188..13c6c81e 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -99,6 +99,7 @@ import java.util.Date; import java.util.HashSet; import java.util.List; import java.util.Set; +import java.util.UUID; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -806,6 +807,7 @@ public abstract class AbstractAttestationCertificateAuthority support.setFileName(String.format("%s_[%s].rimel", defaultClientName, support.getRimHash().substring( support.getRimHash().length() - NUM_OF_VARIABLES))); + support.setDeviceName(dv.getNw().getHostname()); this.referenceManifestManager.save(support); } else { LOG.info("Client provided Support RIM already loaded in database."); 
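Review bot: `support.setDeviceName(dv.getNw().getHostname());` in the `@@ -806` hunk runs only on the branch that creates a new support RIM; the `else` branch ("Client provided Support RIM already loaded in database.") is cut off here, but as far as the hunk shows an existing support RIM keeps whatever device name it was stored with, so a second device that uploads the same RIM bytes is never associated with it by name. If the new `byDeviceName` selectors are expected to find that RIM for the second device, the name has to be set (or the lookup keyed differently) on the existing-RIM path as well. The enclosing method starts and ends outside the hunk.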
@@ -828,6 +830,7 @@ public abstract class AbstractAttestationCertificateAuthority if (dv.getSwidfileCount() > 0) { for (ByteString swidFile : dv.getSwidfileList()) { + UUID baseId = null; fileName = ""; try { dbBaseRim = BaseReferenceManifest.select(referenceManifestManager) @@ -841,6 +844,7 @@ public abstract class AbstractAttestationCertificateAuthority String.format("%s.swidtag", defaultClientName), swidFile.toByteArray()); + dbBaseRim.setDeviceName(dv.getNw().getHostname()); // get file name to use for (SwidResource swid : dbBaseRim.parseResource()) { @@ -849,10 +853,8 @@ public abstract class AbstractAttestationCertificateAuthority //found the file name int dotIndex = swid.getName().lastIndexOf("."); fileName = swid.getName().substring(0, dotIndex); - dbBaseRim = new BaseReferenceManifest( - String.format("%s.swidtag", - fileName), - swidFile.toByteArray()); + dbBaseRim.setFileName(String.format("%s.swidtag", + fileName)); } // now update support rim @@ -862,8 +864,6 @@ public abstract class AbstractAttestationCertificateAuthority if (dbSupport != null && !dbSupport.isUpdated()) { dbSupport.setFileName(swid.getName()); dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); - // I might create a get for the bytes of the swidtag file - // so that I can set that instead of the rim ID dbSupport.setTagId(dbBaseRim.getTagId()); dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); dbSupport.setSwidVersion(dbBaseRim.getSwidVersion()); @@ -875,7 +875,8 @@ public abstract class AbstractAttestationCertificateAuthority break; } } - this.referenceManifestManager.save(dbBaseRim); + baseId = this.referenceManifestManager.save(dbBaseRim).getId(); + LOG.error(baseId); } else { LOG.info("Client provided Base RIM already loaded in database."); /** 
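Review bot: `LOG.error(baseId);` in the `@@ -875` hunk logs the ID of a routine, successful save at ERROR level, so every stored base RIM shows up in error monitoring as if something failed. `LOG.debug("Saved base RIM " + baseId);` is the appropriate level and says what the value is; a bare UUID at any level is hard to interpret later. The enclosing method continues outside the hunk.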
@@ -889,6 +890,17 @@ public abstract class AbstractAttestationCertificateAuthority } } + // sync up associated IDs + if (dbBaseRim.getAssociatedRim() != null) { + SupportReferenceManifest dbSupport = SupportReferenceManifest + .select(referenceManifestManager) + .byEntityId(dbBaseRim.getAssociatedRim()).getRIM(); + + if (dbSupport != null && dbSupport.getAssociatedRim() == null) { + dbSupport.setAssociatedRim(baseId); + this.referenceManifestManager.update(dbSupport); + } + } } catch (IOException ioEx) { LOG.error(ioEx); } @@ -906,7 +918,7 @@ public abstract class AbstractAttestationCertificateAuthority try { // find previous version. If it exists, delete it measurements = EventLogMeasurements.select(referenceManifestManager) - .byManufacturer(dv.getHw().getManufacturer()) + .byDeviceName(dv.getNw().getHostname()) .includeArchived().getRIM(); if (measurements != null) { LOG.info("Previous bios measurement log found and being replaced..."); @@ -917,6 +929,7 @@ public abstract class AbstractAttestationCertificateAuthority measurements.setPlatformManufacturer(dv.getHw().getManufacturer()); measurements.setPlatformModel(dv.getHw().getProductName()); measurements.setTagId(tagId); + measurements.setDeviceName(dv.getNw().getHostname()); this.referenceManifestManager.save(measurements); } catch (IOException ioEx) { LOG.error(ioEx); diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index af085ca6..77f0bee0 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
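Review bot: `dbSupport.setAssociatedRim(baseId);` in the `@@ -889` hunk writes `null` whenever the base RIM was already in the database: `baseId` is initialised to `null` at the top of the loop and assigned only in the new-RIM branch (`baseId = this.referenceManifestManager.save(dbBaseRim).getId();`), while the "already loaded" branch leaves it unset. In that path `dbBaseRim` is the persisted entity, so `dbSupport.setAssociatedRim(dbBaseRim.getId());` produces the intended link in both branches and makes the `baseId` local unnecessary. The `try` block this sits in starts outside the hunk.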
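Review bot: The measurement lookup in the `@@ -906` hunk is now keyed on `dv.getNw().getHostname()`, a value the client reports about itself, and the `if (measurements != null)` path right after it replaces the stored log ("Previous bios measurement log found and being replaced..."). Two devices that report the same hostname will therefore overwrite each other's measurement log, and the stored record no longer says which physical device it came from; if this lookup is meant to be per attested device it should be keyed on an identifier the ACA itself established for the device rather than on a self-reported name (whether such an identifier is available at this point is not visible in the hunk). Either way a comment on the lookup line, e.g. `// keyed on the client-reported hostname; a hostname collision replaces the previous log`, would make the trade-off explicit for the next reader.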
@@ -512,9 +512,11 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe if (!tpmPcrEvents.isEmpty()) { StringBuilder sb = new StringBuilder(); validationObject = measurement; + sb.append(String.format("%d digest(s) were not found:%n", + tpmPcrEvents.size())); for (TpmPcrEvent tpe : tpmPcrEvents) { - sb.append(String.format("Event %s - %s%n", - tpe.getEventNumber(), + sb.append(String.format("PCR Index %d - %s%n", + tpe.getPcrIndex(), tpe.getEventTypeStr())); } if (fwStatus.getAppStatus().equals(FAIL)) { diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index b57127ef..cdd873b7 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java @@ -6,12 +6,16 @@ import hirs.attestationca.portal.page.PageMessages; import hirs.attestationca.portal.page.params.ReferenceManifestDetailsPageParams; import hirs.data.persist.BaseReferenceManifest; import hirs.data.persist.EventLogMeasurements; +import hirs.data.persist.ReferenceDigestRecord; +import hirs.data.persist.ReferenceDigestValue; import hirs.data.persist.ReferenceManifest; import hirs.data.persist.SupportReferenceManifest; import hirs.data.persist.SwidResource; import hirs.data.persist.certificate.CertificateAuthorityCredential; import hirs.persist.CertificateManager; import hirs.persist.DBManagerException; +import hirs.persist.ReferenceDigestManager; +import hirs.persist.ReferenceEventManager; import hirs.persist.ReferenceManifestManager; import hirs.tpm.eventlog.TCGEventLog; import hirs.tpm.eventlog.TpmPcrEvent; 
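Review bot: `String.format("PCR Index %d - %s%n", tpe.getPcrIndex(), ...)` in this hunk uses `%d`, which throws `IllegalFormatConversionException` at runtime if `getPcrIndex()` returns anything other than an integral type; its declaration is not in this diff, so please confirm. The replaced line used `%s` for the event number, which accepts either, and `%s` keeps that tolerance if the index is a `String` or a boxed non-integer. The enclosing validation method starts and ends outside the hunk.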
@@ -32,6 +36,7 @@ import java.util.Arrays; import java.util.HashMap; import java.util.LinkedList; import java.util.List; +import java.util.Map; import java.util.Set; import java.util.UUID; @@ -44,6 +49,8 @@ public class ReferenceManifestDetailsPageController extends PageController { private final ReferenceManifestManager referenceManifestManager; + private final ReferenceDigestManager referenceDigestManager; + private final ReferenceEventManager referenceEventManager; private final CertificateManager certificateManager; private static final ReferenceManifestValidator RIM_VALIDATOR = new ReferenceManifestValidator(); @@ -54,14 +61,20 @@ public class ReferenceManifestDetailsPageController * Constructor providing the Page's display and routing specification. * * @param referenceManifestManager the reference manifest manager. + * @param referenceDigestManager the reference digest manager. + * @param referenceEventManager the reference event manager. * @param certificateManager the certificate manager. */ @Autowired public ReferenceManifestDetailsPageController( final ReferenceManifestManager referenceManifestManager, + final ReferenceDigestManager referenceDigestManager, + final ReferenceEventManager referenceEventManager, final CertificateManager certificateManager) { super(Page.RIM_DETAILS); this.referenceManifestManager = referenceManifestManager; + this.referenceDigestManager = referenceDigestManager; + this.referenceEventManager = referenceEventManager; this.certificateManager = certificateManager; } 
@@ -92,7 +105,8 @@ public class ReferenceManifestDetailsPageController } else { try { UUID uuid = UUID.fromString(params.getId()); - data.putAll(getRimDetailInfo(uuid, referenceManifestManager, certificateManager)); + data.putAll(getRimDetailInfo(uuid, referenceManifestManager, + referenceDigestManager, referenceEventManager, certificateManager)); } catch (IllegalArgumentException iaEx) { String uuidError = "Failed to parse ID from: " + params.getId(); messages.addError(uuidError); @@ -123,6 +137,8 @@ public class ReferenceManifestDetailsPageController * * @param uuid database reference for the requested RIM. * @param referenceManifestManager the reference manifest manager. + * @param referenceDigestManager the reference digest manager. + * @param referenceEventManager the reference event manager. * @param certificateManager the certificate manager. * @return mapping of the RIM information from the database. * @throws java.io.IOException error for reading file bytes. @@ -131,6 +147,8 @@ public class ReferenceManifestDetailsPageController */ public static HashMap getRimDetailInfo(final UUID uuid, final ReferenceManifestManager referenceManifestManager, + final ReferenceDigestManager referenceDigestManager, + final ReferenceEventManager referenceEventManager, final CertificateManager certificateManager) throws IOException, CertificateException, NoSuchAlgorithmException { HashMap data = new HashMap<>(); @@ -153,7 +171,8 @@ public class ReferenceManifestDetailsPageController .byEntityId(uuid).getRIM(); if (bios != null) { - data.putAll(getMeasurementsRimInfo(bios, referenceManifestManager)); + data.putAll(getMeasurementsRimInfo(bios, referenceManifestManager, + referenceDigestManager, referenceEventManager)); } return data; 
@@ -457,6 +476,8 @@ public class ReferenceManifestDetailsPageController * * @param measurements established ReferenceManifest Type. * @param referenceManifestManager the reference manifest manager. + * @param referenceDigestManager the reference digest manager. + * @param referenceEventManager the reference event manager. * @return mapping of the RIM information from the database. * @throws java.io.IOException error for reading file bytes. * @throws NoSuchAlgorithmException If an unknown Algorithm is encountered. 
@@ -464,56 +485,65 @@ public class ReferenceManifestDetailsPageController */ private static HashMap getMeasurementsRimInfo( final EventLogMeasurements measurements, - final ReferenceManifestManager referenceManifestManager) + final ReferenceManifestManager referenceManifestManager, + final ReferenceDigestManager referenceDigestManager, + final ReferenceEventManager referenceEventManager) throws IOException, CertificateException, NoSuchAlgorithmException { HashMap data = new HashMap<>(); - LinkedList supportEvents = new LinkedList<>(); LinkedList livelogEvents = new LinkedList<>(); BaseReferenceManifest base = null; SupportReferenceManifest support = null; TCGEventLog supportLog = null; + ReferenceDigestRecord digestRecord = null; data.put("supportFilename", "Blank"); data.put("supportId", ""); - data.put("tagId", measurements.getTagId()); data.put("baseId", ""); data.put("rimType", measurements.getRimType()); + data.put("hostName", measurements.getDeviceName()); if (measurements.getPlatformManufacturer() != null) { + digestRecord = referenceDigestManager.getRecord(measurements + .getPlatformManufacturer(), + measurements.getPlatformModel()); support = SupportReferenceManifest .select(referenceManifestManager) .byManufacturer(measurements .getPlatformManufacturer()).getRIM(); if (support != null) { - supportLog = new TCGEventLog(support.getRimBytes()); data.put("supportFilename", support.getFileName()); data.put("supportId", support.getId()); - } - base = BaseReferenceManifest - .select(referenceManifestManager) - .byManufacturer(measurements - .getPlatformManufacturer()).getRIM(); - if (base != null) { - data.put("baseId", base.getId()); + base = BaseReferenceManifest + .select(referenceManifestManager) + .byEntityId(support.getAssociatedRim()) + .getRIM(); + data.put("tagId", support.getTagId()); + + if (base != null) { + data.put("baseId", base.getId()); + } } } TCGEventLog measurementLog = new TCGEventLog(measurements.getRimBytes()); - if (supportLog != null) { 
- TpmPcrEvent measurementEvent; - for (TpmPcrEvent tpe : supportLog.getEventList()) { - measurementEvent = measurementLog.getEventByNumber(tpe.getEventNumber()); - if (!tpe.eventCompare(measurementEvent)) { - supportEvents.add(tpe); + List eventValue; + Map eventValueMap = new HashMap<>(); + if (digestRecord != null) { + eventValue = referenceEventManager + .getValuesByRecordId(digestRecord); + for (ReferenceDigestValue rdv : eventValue) { + eventValueMap.put(rdv.getDigestValue(), rdv); + } + for (TpmPcrEvent measurementEvent : measurementLog.getEventList()) { + if (!eventValueMap.containsKey(measurementEvent.getEventDigestStr())) { livelogEvents.add(measurementEvent); } } } - data.put("supportEvents", supportEvents); data.put("livelogEvents", livelogEvents); return data; diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp index b4cf5dc0..a32e72b6 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp +++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp @@ -241,6 +241,10 @@
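Review bot: `TCGEventLog supportLog = null;` in the `@@ -464` hunk is now dead: its only assignment (`supportLog = new TCGEventLog(support.getRimBytes());`) and its only read (`if (supportLog != null) {`) are both removed by this hunk, so the declaration should go with them. The `tagId` entry also moved inside `if (support != null)`, so when no support RIM is found the map no longer contains a `tagId` key at all, unlike `supportId` and `baseId` which get `""` defaults above; adding `data.put("tagId", "");` next to those defaults keeps the map shape stable for the JSP. Finally, `.byEntityId(support.getAssociatedRim())` is called without checking `getAssociatedRim()` for null, and a later patch in this series has to add exactly that guard on the same value elsewhere, so it seems warranted here too; what `byEntityId(null)` does is not visible in this diff.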
Base/Support
+ +
${initialData.hostName} +
+
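Review bot: `${initialData.hostName}` in this hunk renders a value that originates from the client's self-reported hostname (`measurements.getDeviceName()`, set from `dv.getNw().getHostname()` in the ACA change of this same patch) with a bare EL expression, which does not HTML-escape. Any markup contained in that reported name would therefore be interpreted by the browser viewing the portal; use `<c:out value="${initialData.hostName}"/>` if the JSTL core taglib is declared on this page, or `${fn:escapeXml(initialData.hostName)}` otherwise, so the value is shown as text. The other fields already rendered with bare EL on this page carry the same exposure but are outside this hunk.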
@@ -253,31 +257,6 @@

-
-
Support
- - -
-
-
Event#:
-
${sEvent.getEventNumber()+1}
-
-
-
PCR Index:
-
${sEvent.getPcrIndex()}
-
-
-
Digest:
-
${sEvent.getEventDigestStr()}
-
-
-
Content:
-
${sEvent.getEventContentStr()}
-
-
-
-
-
Client Log
diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java index b0b42ba5..34fc95db 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java @@ -100,24 +100,13 @@ public class BaseReferenceManifest extends ReferenceManifest { } /** - * Specify the platform manufacturer id that rims must have to be considered + * Specify the device name that rims must have to be considered * as matching. - * @param manufacturerId string for the id of the manufacturer + * @param deviceName string for the deviceName * @return this instance */ - public Selector byManufacturerId(final String manufacturerId) { - setFieldValue(PLATFORM_MANUFACTURER_ID, manufacturerId); - return this; - } - - /** - * Specify the platform model that rims must have to be considered - * as matching. - * @param model string for the model - * @return this instance - */ - public Selector byModel(final String model) { - setFieldValue(PLATFORM_MODEL, model); + public Selector byDeviceName(final String deviceName) { + setFieldValue("deviceName", deviceName); return this; } } diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/EventLogMeasurements.java b/HIRS_Utils/src/main/java/hirs/data/persist/EventLogMeasurements.java index 11f63d32..cf226377 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/EventLogMeasurements.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/EventLogMeasurements.java 
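Review bot: `setFieldValue("deviceName", deviceName);` in this hunk hard-codes the property name as a string literal, whereas the selectors it replaces used the shared constants `PLATFORM_MANUFACTURER_ID` and `PLATFORM_MODEL`; the same literal is repeated in the `EventLogMeasurements.java` and `SupportReferenceManifest.java` hunks that follow. A constant declared on `ReferenceManifest` next to the new `deviceName` field and used by all three selectors keeps them in step with the field if it is ever renamed. Note also that `byManufacturerId` and `byModel` are public and are removed outright, so any caller outside this diff will no longer compile; I cannot see from here whether there are any.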
@@ -58,24 +58,13 @@ public class EventLogMeasurements extends ReferenceManifest { } /** - * Specify the platform manufacturer id that rims must have to be considered + * Specify the device name that rims must have to be considered * as matching. - * @param manufacturerId string for the id of the manufacturer + * @param deviceName string for the deviceName * @return this instance */ - public Selector byManufacturerId(final String manufacturerId) { - setFieldValue(PLATFORM_MANUFACTURER_ID, manufacturerId); - return this; - } - - /** - * Specify the platform model that rims must have to be considered - * as matching. - * @param model string for the model - * @return this instance - */ - public Selector byModel(final String model) { - setFieldValue(PLATFORM_MODEL, model); + public Selector byDeviceName(final String deviceName) { + setFieldValue("deviceName", deviceName); return this; } } diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java index 1e107011..2368a88c 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java @@ -97,6 +97,9 @@ public abstract class ReferenceManifest extends ArchivableEntity { @Type(type = "uuid-char") @Column private UUID associatedRim; + @Column + @JsonIgnore + private String deviceName; /** * Default constructor necessary for Hibernate. 
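Review bot: The new `deviceName` column in the `@@ -97` hunk of `ReferenceManifest.java` has no Javadoc and no declared length or nullability, yet it is populated from the device's own network info (`setDeviceName(dv.getNw().getHostname())` in the ACA change of this patch). Hibernate maps an unsized `@Column` String to a 255-character VARCHAR by default, so an over-long reported hostname would fail the insert rather than be rejected up front; an explicit `@Column(length = ...)` matching whatever bound the ACA enforces, plus a field comment such as `// hostname reported by the client in its device info; used as a selector key`, would document the contract. Whether the ACA bounds the value before calling the setter is not visible in this diff.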
@@ -335,6 +338,22 @@ public abstract class ReferenceManifest extends ArchivableEntity { this.associatedRim = associatedRim; } + /** + * Getter for the Device Name. + * @return string value of the device associated with this log. + */ + public String getDeviceName() { + return deviceName; + } + + /** + * Setter for the Device Name. + * @param deviceName new value to assign. + */ + public void setDeviceName(final String deviceName) { + this.deviceName = deviceName; + } + /** * Getter for the Reference Integrity Manifest as a byte array. * diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/SupportReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/SupportReferenceManifest.java index e180ca64..27616e49 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/SupportReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/SupportReferenceManifest.java @@ -60,24 +60,13 @@ public class SupportReferenceManifest extends ReferenceManifest { } /** - * Specify the platform manufacturer id that rims must have to be considered + * Specify the device name that rims must have to be considered * as matching. - * @param manufacturerId string for the id of the manufacturer + * @param deviceName string for the deviceName * @return this instance */ - public Selector byManufacturerId(final String manufacturerId) { - setFieldValue(PLATFORM_MANUFACTURER_ID, manufacturerId); - return this; - } - - /** - * Specify the platform model that rims must have to be considered - * as matching. - * @param model string for the model - * @return this instance - */ - public Selector byModel(final String model) { - setFieldValue(PLATFORM_MODEL, model); + public Selector byDeviceName(final String deviceName) { + setFieldValue("deviceName", deviceName); return this; } From 1b06d956b4065446d908668deea04817fff5fced Mon Sep 17 00:00:00 2001 
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 7 May 2021 10:57:19 -0400 Subject: [PATCH 02/11] Updated how the swidtags and support files are updated when imported. --- ...stractAttestationCertificateAuthority.java | 91 +++++++++---------- ...eferenceManifestDetailsPageController.java | 2 +- 2 files changed, 45 insertions(+), 48 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 13c6c81e..f2df3250 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -94,12 +94,12 @@ import java.security.interfaces.RSAPublicKey; import java.security.spec.InvalidKeySpecException; import java.security.spec.MGF1ParameterSpec; import java.security.spec.RSAPublicKeySpec; +import java.util.ArrayList; import java.util.Calendar; import java.util.Date; import java.util.HashSet; import java.util.List; import java.util.Set; -import java.util.UUID; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -784,6 +784,7 @@ public abstract class AbstractAttestationCertificateAuthority Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"); Matcher matcher; MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); + List baseLogFiles = new ArrayList<>(); if (dv.getLogfileCount() > 0) { for (ByteString logFile : dv.getLogfileList()) { @@ -830,8 +831,6 @@ public abstract class AbstractAttestationCertificateAuthority if (dv.getSwidfileCount() > 0) { for (ByteString swidFile : dv.getSwidfileList()) { - UUID baseId = null; - fileName = ""; try { dbBaseRim = BaseReferenceManifest.select(referenceManifestManager) .includeArchived() 
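Review bot: `baseLogFiles` declared in the `@@ -784` hunk is, across the hunks of this patch, only written (`baseLogFiles.addAll(dv.getSwidfileList());` in the later hunk of the same method) and never read, so it is dead state in the new code; either drop it or make it the source of the new update loop instead of iterating `dv.getSwidfileList()` a second time. The enclosing method starts and ends outside the hunk.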
@@ -845,38 +844,7 @@ public abstract class AbstractAttestationCertificateAuthority defaultClientName), swidFile.toByteArray()); dbBaseRim.setDeviceName(dv.getNw().getHostname()); - - // get file name to use - for (SwidResource swid : dbBaseRim.parseResource()) { - matcher = pattern.matcher(swid.getName()); - if (matcher.matches()) { - //found the file name - int dotIndex = swid.getName().lastIndexOf("."); - fileName = swid.getName().substring(0, dotIndex); - dbBaseRim.setFileName(String.format("%s.swidtag", - fileName)); - } - - // now update support rim - SupportReferenceManifest dbSupport = SupportReferenceManifest - .select(referenceManifestManager) - .byRimHash(swid.getHashValue()).getRIM(); - if (dbSupport != null && !dbSupport.isUpdated()) { - dbSupport.setFileName(swid.getName()); - dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); - dbSupport.setTagId(dbBaseRim.getTagId()); - dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); - dbSupport.setSwidVersion(dbBaseRim.getSwidVersion()); - dbSupport.setSwidPatch(dbBaseRim.isSwidPatch()); - dbSupport.setSwidSupplemental(dbBaseRim.isSwidSupplemental()); - dbBaseRim.setAssociatedRim(dbSupport.getId()); - dbSupport.setUpdated(true); - this.referenceManifestManager.update(dbSupport); - break; - } - } - baseId = this.referenceManifestManager.save(dbBaseRim).getId(); - LOG.error(baseId); + this.referenceManifestManager.save(dbBaseRim); } else { LOG.info("Client provided Base RIM already loaded in database."); /** 
@@ -889,26 +857,55 @@ public abstract class AbstractAttestationCertificateAuthority this.referenceManifestManager.update(dbBaseRim); } } - - // sync up associated IDs - if (dbBaseRim.getAssociatedRim() != null) { - SupportReferenceManifest dbSupport = SupportReferenceManifest - .select(referenceManifestManager) - .byEntityId(dbBaseRim.getAssociatedRim()).getRIM(); - - if (dbSupport != null && dbSupport.getAssociatedRim() == null) { - dbSupport.setAssociatedRim(baseId); - this.referenceManifestManager.update(dbSupport); - } - } } catch (IOException ioEx) { LOG.error(ioEx); } } + baseLogFiles.addAll(dv.getSwidfileList()); } else { LOG.warn("Device did not send swid tag file..."); } + //update Support RIMs and Base RIMs. + for (ByteString swidFile : dv.getSwidfileList()) { + dbBaseRim = BaseReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(Hex.encodeHexString(messageDigest.digest( + swidFile.toByteArray()))) + .getRIM(); + + // get file name to use + for (SwidResource swid : dbBaseRim.parseResource()) { + matcher = pattern.matcher(swid.getName()); + if (matcher.matches()) { + //found the file name + int dotIndex = swid.getName().lastIndexOf("."); + fileName = swid.getName().substring(0, dotIndex); + dbBaseRim.setFileName(String.format("%s.swidtag", + fileName)); + } + + // now update support rim + SupportReferenceManifest dbSupport = SupportReferenceManifest + .select(referenceManifestManager) + .byRimHash(swid.getHashValue()).getRIM(); + if (dbSupport != null) { + dbSupport.setFileName(swid.getName()); + dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); + dbSupport.setTagId(dbBaseRim.getTagId()); + dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); + dbSupport.setSwidVersion(dbBaseRim.getSwidVersion()); + dbSupport.setSwidPatch(dbBaseRim.isSwidPatch()); + dbSupport.setSwidSupplemental(dbBaseRim.isSwidSupplemental()); + dbBaseRim.setAssociatedRim(dbSupport.getId()); + dbSupport.setUpdated(true); + 
dbSupport.setAssociatedRim(dbBaseRim.getId()); + this.referenceManifestManager.update(dbSupport); + } + } + this.referenceManifestManager.update(dbBaseRim); + } + generateDigestRecords(hw.getManufacturer(), hw.getProductName()); if (dv.hasLivelog()) { diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index cdd873b7..f6eb53d9 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java @@ -114,7 +114,7 @@ public class ReferenceManifestDetailsPageController } catch (Exception ioEx) { LOGGER.error(ioEx); for (StackTraceElement ste : ioEx.getStackTrace()) { - LOGGER.debug(ste.toString()); + LOGGER.error(ste.toString()); } } if (data.isEmpty()) { From 3b33bd60b8f787a49e6c6211b84188cb0604a71c Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 11 May 2021 09:44:10 -0400 Subject: [PATCH 03/11] The main change in this commit adjusts how the base and support rim are pulled for validation in the environment with multiple Base and Support RIMs per device/manufacturer/model. --- ...stractAttestationCertificateAuthority.java | 2 -- .../SupplyChainValidationServiceImpl.java | 33 ++++++++++++------- ...eferenceManifestDetailsPageController.java | 5 ++- 3 files changed, 26 insertions(+), 14 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index f2df3250..acd3d396 100644 
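Review bot: In the new update loop of the `@@ -889` hunk, `dbBaseRim` is re-selected with `byHashCode(...).getRIM()` and then dereferenced in `for (SwidResource swid : dbBaseRim.parseResource())` without a null check; the first loop catches and only logs `IOException` on the save path, so a swidtag that failed to persist is looked up again here and throws `NullPointerException` out of the method. A guard `if (dbBaseRim == null) { continue; }` (with a log line) before `parseResource()` keeps one bad file from aborting the rest. The `!dbSupport.isUpdated()` condition was also dropped, so every matching support RIM is rewritten on each attestation and the `setUpdated(true)` that follows no longer gates anything; if that is intended, the flag looks vestigial. The enclosing method starts outside the hunk.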
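Review bot: The `@@ -114` hunk in `ReferenceManifestDetailsPageController.java` raises the per-frame loop to ERROR, so each caught exception now produces one ERROR record per stack frame in addition to the `LOGGER.error(ioEx)` on the line above it. Passing the throwable as the second argument, `LOGGER.error("Failed to build RIM details", ioEx);`, emits the whole trace as a single record and lets the loop be deleted. The `catch (Exception ioEx)` line is context here, but the variable name suggests it once caught only `IOException`; narrowing it back would keep programming errors from being reported as I/O problems.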
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -794,7 +794,6 @@ public abstract class AbstractAttestationCertificateAuthority .byHashCode(Hex.encodeHexString(messageDigest.digest( logFile.toByteArray()))) .getRIM(); - if (support == null) { support = new SupportReferenceManifest( String.format("%s.rimel", @@ -837,7 +836,6 @@ public abstract class AbstractAttestationCertificateAuthority .byHashCode(Hex.encodeHexString(messageDigest.digest( swidFile.toByteArray()))) .getRIM(); - if (dbBaseRim == null) { dbBaseRim = new BaseReferenceManifest( String.format("%s.swidtag", diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 77f0bee0..efa273b6 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
@@ -370,28 +370,30 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe String model = device.getDeviceInfo() .getHardwareInfo().getProductName(); ReferenceManifest validationObject = null; - ReferenceManifest baseReferenceManifest = null; + Set baseReferenceManifests = null; + BaseReferenceManifest baseReferenceManifest = null; ReferenceManifest supportReferenceManifest = null; ReferenceManifest measurement = null; ReferenceDigestRecord digestRecord = null; - baseReferenceManifest = BaseReferenceManifest.select(referenceManifestManager) - .byManufacturer(manufacturer).getRIM(); - supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager) - .byManufacturer(manufacturer).getRIM(); + baseReferenceManifests = BaseReferenceManifest.select(referenceManifestManager) + .byDeviceName(device.getDeviceInfo().getNetworkInfo().getHostname()).getRIMs(); + measurement = EventLogMeasurements.select(referenceManifestManager) .byManufacturer(manufacturer).includeArchived().getRIM(); + for (BaseReferenceManifest bRim : baseReferenceManifests) { + if (!bRim.isSwidSupplemental() && !bRim.isSwidPatch()) { + baseReferenceManifest = bRim; + } + } + validationObject = baseReferenceManifest; String failedString = ""; if (baseReferenceManifest == null) { failedString = "Base Reference Integrity Manifest\n"; passed = false; } - if (supportReferenceManifest == null) { - failedString += "Support Reference Integrity Manifest\n"; - passed = false; - } if (measurement == null) { failedString += "Bios measurement"; passed = false; 
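Review bot: The selection loop in this hunk, `for (BaseReferenceManifest bRim : baseReferenceManifests) { if (!bRim.isSwidSupplemental() && !bRim.isSwidPatch()) { baseReferenceManifest = bRim; } }`, keeps whichever qualifying RIM comes last, so with several primary base RIMs stored for one hostname the RIM that gets validated depends on the iteration order of the set returned by `getRIMs()` (non-deterministic if it is a `HashSet`), and a stale RIM can silently win over the current one. Pick by an explicit criterion (newest by creation time, or fail with a clear message when more than one qualifies), and guard for `getRIMs()` returning null or empty before iterating, since `baseReferenceManifests` starts as `null`. The base RIM is now keyed on the client-reported hostname while `measurement` is still selected with `.byManufacturer(manufacturer)`; it is not obvious from the hunk that the two lookups agree on which device is being validated. The enclosing method starts and ends outside the hunk.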
@@ -409,13 +411,22 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe new ByteArrayInputStream(baseReferenceManifest.getRimBytes())); for (SwidResource swidRes : resources) { + supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager) + .byRimHash(swidRes.getHashValue()).getRIM(); if (swidRes.getName().equals(supportReferenceManifest.getFileName())) { referenceManifestValidator.validateSupportRimHash( supportReferenceManifest.getRimBytes(), swidRes.getHashValue()); + } else { + supportReferenceManifest = null; } } + if (supportReferenceManifest == null) { + fwStatus = new AppraisalStatus(FAIL, + "Support Reference Integrity Manifest\n"); + passed = false; + } - if (!referenceManifestValidator.isSignatureValid()) { + if (passed && !referenceManifestValidator.isSignatureValid()) { passed = false; fwStatus = new AppraisalStatus(FAIL, "Firmware validation failed: Signature validation " @@ -471,7 +482,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } else { StringBuilder sb = pcrPolicy.validatePcrs(storedPcrs); if (sb.length() > 0) { - validationObject = supportReferenceManifest; + validationObject = baseReferenceManifest; level = Level.ERROR; fwStatus = new AppraisalStatus(FAIL, sb.toString()); } else { diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index f6eb53d9..e257ec7a 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java 
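Review bot: In the `@@ -409` hunk, `supportReferenceManifest.getFileName()` is called on the result of `.byRimHash(swidRes.getHashValue()).getRIM()` without a null check, so a swidtag that references a support RIM not present in the database throws `NullPointerException` instead of reaching the new `if (supportReferenceManifest == null)` failure path below it. Because the variable is also overwritten on every iteration and set to `null` on any mismatch, only the last resource decides the outcome: a matching support RIM found for an earlier resource is discarded when the final entry does not match. Tracking the lookup in a per-iteration local and assigning `supportReferenceManifest` only on a confirmed match fixes both; whether more than one support RIM per base RIM should be validated is not something I can tell from this hunk. The enclosing method starts and ends outside the hunk.
```java
supportReferenceManifest = null;
for (SwidResource swidRes : resources) {
    SupportReferenceManifest candidate = SupportReferenceManifest.select(referenceManifestManager)
            .byRimHash(swidRes.getHashValue()).getRIM();
    if (candidate != null && swidRes.getName().equals(candidate.getFileName())) {
        referenceManifestValidator.validateSupportRimHash(
                candidate.getRimBytes(), swidRes.getHashValue());
        supportReferenceManifest = candidate;
    }
}
// … unchanged: null check on supportReferenceManifest, signature validation …
```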
@@ -288,6 +288,8 @@ public class ReferenceManifestDetailsPageController } } + // Let's pull the supply chain validation + data.put("associatedRim", baseRim.getAssociatedRim()); data.put("swidFiles", resources); if (support != null && (!baseRim.isSwidSupplemental() @@ -337,7 +339,8 @@ public class ReferenceManifestDetailsPageController .select(referenceManifestManager) .byRimType(ReferenceManifest.BASE_RIM).getRIMs(); for (BaseReferenceManifest baseRim : baseRims) { - if (baseRim != null && baseRim.getAssociatedRim().equals(support.getId())) { + if (baseRim != null && baseRim.getAssociatedRim() != null + && baseRim.getAssociatedRim().equals(support.getId())) { support.setAssociatedRim(baseRim.getId()); try { referenceManifestManager.update(support); From ddc36d81f44555c90c7814a45c12c03a16e6eb25 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 17 May 2021 12:44:03 -0400 Subject: [PATCH 04/11] This set of code changes deals with the displaying of failed digests values from the validation process. The way there were displayed before was going to be unsustainable because event numbers will never match up. There for a direct compare to a failed event would never be accurate. --- ...stractAttestationCertificateAuthority.java | 4 -- ...eferenceManifestDetailsPageController.java | 18 +++++++- .../main/webapp/WEB-INF/jsp/rim-details.jsp | 44 ++++++++++++------- .../src/main/webapp/common/rim_details.css | 24 ++++++++++ .../java/hirs/tpm/eventlog/TpmPcrEvent.java | 30 ++++++++----- 5 files changed, 87 insertions(+), 33 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index acd3d396..09b2f78a 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java 
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -94,7 +94,6 @@ import java.security.interfaces.RSAPublicKey; import java.security.spec.InvalidKeySpecException; import java.security.spec.MGF1ParameterSpec; import java.security.spec.RSAPublicKeySpec; -import java.util.ArrayList; import java.util.Calendar; import java.util.Date; import java.util.HashSet; @@ -681,7 +680,6 @@ public abstract class AbstractAttestationCertificateAuthority for (String line : lines) { if (!line.isEmpty() && !line.contains(TPM_SIGNATURE_ALG)) { - LOG.error(line); pcrs[counter++] = line.split(":")[1].trim(); } } @@ -784,7 +782,6 @@ public abstract class AbstractAttestationCertificateAuthority Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"); Matcher matcher; MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); - List baseLogFiles = new ArrayList<>(); if (dv.getLogfileCount() > 0) { for (ByteString logFile : dv.getLogfileList()) { @@ -859,7 +856,6 @@ public abstract class AbstractAttestationCertificateAuthority LOG.error(ioEx); } } - baseLogFiles.addAll(dv.getSwidfileList()); } else { LOG.warn("Device did not send swid tag file..."); } diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index e257ec7a..df6c5b3c 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java 
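Review bot: `pcrs[counter++] = line.split(":")[1].trim();`, the line left beside the removed `LOG.error(line)`, indexes `[1]` on text that, as far as this hunk shows, comes from the attesting device's report, so a line without a colon raises an ArrayIndexOutOfBoundsException, and nothing bounds `counter` against `pcrs.length` when more lines arrive than expected. Malformed or oversized input from a client should be rejected with a clear message rather than an unchecked exception escaping the handler; e.g. `String[] parts = line.split(":", 2);` followed by `if (parts.length < 2 || counter >= pcrs.length) { LOG.warn("Malformed or extra PCR line skipped"); continue; }` before the assignment. Removing the per-line ERROR log is a good change on its own, since it echoed untrusted input into the log at the highest severity. The enclosing method starts and ends outside the hunk.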
@@ -32,6 +32,7 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; +import java.util.ArrayList; import java.util.Arrays; import java.util.HashMap; import java.util.LinkedList; @@ -288,8 +289,6 @@ public class ReferenceManifestDetailsPageController } } - // Let's pull the supply chain validation - data.put("associatedRim", baseRim.getAssociatedRim()); data.put("swidFiles", resources); if (support != null && (!baseRim.isSwidSupplemental() @@ -547,6 +546,21 @@ public class ReferenceManifestDetailsPageController } } + if (support != null) { + Map> baselineLogEvents = new HashMap<>(); + List baselines = null; + for (TpmPcrEvent tpe : livelogEvents) { + baselines = new ArrayList<>(); + for (TpmPcrEvent supports : support.getEventLog()) { + if (supports.getEventType() == tpe.getEventType()) { + baselines.add(supports); + } + } + baselineLogEvents.put(tpe.getEventDigestStr(), baselines); + } + data.put("eventTypeMap", baselineLogEvents); + } + data.put("livelogEvents", livelogEvents); return data; diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp index a32e72b6..0fba0572 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp +++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp @@ -260,25 +260,37 @@
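Review bot: `baselineLogEvents.put(tpe.getEventDigestStr(), baselines)` keys the map by digest, so two live-log events that share a digest (structural events such as separators typically repeat the same digest across several PCRs) collapse into one entry and the earlier list is silently overwritten. If the view looks entries up by digest as well, keying by a unique per-event value such as the event number, or merging with `computeIfAbsent` so lists accumulate, would keep every event's baseline candidates. The inner loop also re-walks `support.getEventLog()` for every live event; grouping the support events by type once before the outer loop avoids the quadratic pass. A short comment above the block stating what the map is keyed by and which page consumes `"eventTypeMap"` would help the next reader, since nothing in the hunk says so.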
Client Log
+ -
-
-
Event#:
-
${lEvent.getEventNumber()+1}
-
-
-
PCR Index:
-
${lEvent.getPcrIndex()}
-
-
-
Digest:
-
${lEvent.getEventDigestStr()}
-
-
-
Content:
-
${lEvent.getEventContentStr()}
+
+
+
Failed
Digest:
+
+ ${lEvent.getEventDigestStr()}
${lEvent.getEventContentStr()} +
+
+
+ Baseline Events of Type:
+ ${lEvent.getEventTypeString()} +
+
+ + + + +
+
PCR Index: ${event.getPcrIndex()}
+
Digest: ${event.getEventDigestStr()}
+
Event Content: ${event.getEventContentStr()}
+
+
+
+
+
+
+
diff --git a/HIRS_AttestationCAPortal/src/main/webapp/common/rim_details.css b/HIRS_AttestationCAPortal/src/main/webapp/common/rim_details.css index 9c49a253..55d68caa 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/common/rim_details.css +++ b/HIRS_AttestationCAPortal/src/main/webapp/common/rim_details.css @@ -81,4 +81,28 @@ .data-value { flex: 5 +} + +.mappedType { + display: flex 1; + padding: 1rem; + width: 20rem; + font-weight: bold +} + +.mappedOverhead { + display: flex; + flex-direction: column; + padding: 1rem; +} + +.mappedData { + font-weight: bold; +} + +.mappedButton { + display: flex 1; + padding: 1rem; + width: 20rem; + font-weight: bold; } \ No newline at end of file diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TpmPcrEvent.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TpmPcrEvent.java index ca2d5098..e99f42ba 100644 --- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TpmPcrEvent.java +++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TpmPcrEvent.java @@ -1,17 +1,7 @@ package hirs.tpm.eventlog; -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.UnsupportedEncodingException; -import java.math.BigInteger; -import java.nio.charset.StandardCharsets; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateException; -import java.util.Arrays; - -import hirs.tpm.eventlog.events.EvConstants; import hirs.tpm.eventlog.events.EvCompactHash; +import hirs.tpm.eventlog.events.EvConstants; import hirs.tpm.eventlog.events.EvEfiBootServicesApp; import hirs.tpm.eventlog.events.EvEfiGptPartition; import hirs.tpm.eventlog.events.EvEfiHandoffTable; 
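Review bot: `${lEvent.getEventContentStr()}`, `${event.getEventContentStr()}` and the other `${...}` expressions added in this block write event-log content into the page without escaping, and JSP EL does not HTML-escape by default. The content strings are decoded from a measurement log uploaded by the attesting device, so any markup-significant characters in them would be rendered as part of the portal page rather than shown as text; wrapping each in `<c:out value="${lEvent.getEventContentStr()}"/>` (or `${fn:escapeXml(...)}`) keeps them inert. The surrounding tags are lost in this rendering of the diff, so I cannot tell whether an enclosing construct already escapes the values — if it does, a one-line JSP comment saying so would spare the next reviewer the same check.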
@@ -30,6 +20,16 @@ import org.apache.commons.codec.binary.Hex; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.math.BigInteger; +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; +import java.util.Arrays; + /** * Class to process a TCG_PCR_EVENT. * TCG_PCR_EVENT is used when the Event log uses the SHA1 Format as described in the @@ -211,6 +211,14 @@ public class TpmPcrEvent { return String.format("0x%s %s", Long.toHexString(eventType), eventString((int) eventType)); } + /** + * Returns a formatted string of the type for the event minus the byte code + * @return a string formatted to be human readable + */ + public String getEventTypeString() { + return eventString((int) eventType); + } + /** * Returns the version of the TCG Log Event specification pertaining to the log. * only updated if the event is a TCG_EfiSpecIdEvent. From 65d596a756cc122c04069cca06374e2623caf66b Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Thu, 20 May 2021 06:26:07 -0400 Subject: [PATCH 05/11] Some additional updates that included deviceNames as a means to pull RIM information. In addition updated the display of the failures, adding filters for like events from the baseline. --- ...stractAttestationCertificateAuthority.java | 9 ++- ...eferenceManifestDetailsPageController.java | 78 ++++++++++++------- .../data/persist/ReferenceDigestRecord.java | 22 +++++- .../persist/DBReferenceDigestManager.java | 22 ++++++ .../hirs/persist/ReferenceDigestManager.java | 8 ++ .../java/hirs/tpm/eventlog/TpmPcrEvent.java | 2 +- 6 files changed, 107 insertions(+), 34 deletions(-) 
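Review bot: The new `getEventTypeString()` duplicates the `eventString((int) eventType)` tail of the formatted accessor directly above it, so the two can drift apart; having the existing method delegate, `return String.format("0x%s %s", Long.toHexString(eventType), getEventTypeString());`, keeps a single source of truth for the name lookup. The import move in the first hunk is layout only. The Javadoc could also state what the returned text is used for (display in the portal) so the next maintainer does not treat it as a stable identifier.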
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 09b2f78a..63527556 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -900,12 +900,13 @@ public abstract class AbstractAttestationCertificateAuthority this.referenceManifestManager.update(dbBaseRim); } - generateDigestRecords(hw.getManufacturer(), hw.getProductName()); + generateDigestRecords(hw.getManufacturer(), hw.getProductName(), + dv.getNw().getHostname()); if (dv.hasLivelog()) { LOG.info("Device sent bios measurement log..."); fileName = String.format("%s.measurement", - defaultClientName); + dv.getNw().getHostname()); try { // find previous version. If it exists, delete it measurements = EventLogMeasurements.select(referenceManifestManager) @@ -948,7 +949,8 @@ public abstract class AbstractAttestationCertificateAuthority return dvReport; } - private boolean generateDigestRecords(final String manufacturer, final String model) { + private boolean generateDigestRecords(final String manufacturer, final String model, + final String deviceName) { List rdValues; Set dbSupportRims = SupportReferenceManifest .select(referenceManifestManager).byManufacturer(manufacturer).getRIMs(); @@ -957,6 +959,7 @@ public abstract class AbstractAttestationCertificateAuthority if (dbSupport.getPlatformModel().equals(model)) { ReferenceDigestRecord dbObj = new ReferenceDigestRecord(dbSupport, manufacturer, model); + dbObj.setDeviceName(deviceName); // this is where we update or create the log ReferenceDigestRecord rdr = this.referenceDigestManager.getRecord(dbObj); if (dbSupport.isBaseSupport()) { 
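Review bot: `dbObj.setDeviceName(deviceName)` stores the hostname taken from `dv.getNw().getHostname()` with no null or blank check, yet `ReferenceDigestRecord.deviceName` is mapped `nullable = false` in this same patch, so a report with no hostname would surface as a persistence error inside `generateDigestRecords` instead of a clear validation message. The same client-reported value now also names the measurement RIM (`String.format("%s.measurement", dv.getNw().getHostname())`) and, in the other files of this patch, selects which RIMs and digest records are consulted, so the Javadoc of `generateDigestRecords` should state that `deviceName` is the untrusted hostname from the device report and what the caller has verified about it. A guard at the top of the method — `if (deviceName == null || deviceName.isEmpty()) { LOG.warn("Device report has no hostname; no digest records generated"); return false; }` — would make the failure explicit (the meaning of the boolean result is not visible here, so use whichever value the caller treats as "nothing generated"). Both methods extend beyond the hunks shown.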
diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index df6c5b3c..76bcc5d8 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java @@ -101,7 +101,7 @@ public class ReferenceManifestDetailsPageController if (params.getId() == null) { String typeError = "ID was not provided"; messages.addError(typeError); - LOGGER.error(typeError); + LOGGER.debug(typeError); mav.addObject(MESSAGES_ATTRIBUTE, messages); } else { try { @@ -494,9 +494,9 @@ public class ReferenceManifestDetailsPageController HashMap data = new HashMap<>(); LinkedList livelogEvents = new LinkedList<>(); BaseReferenceManifest base = null; - SupportReferenceManifest support = null; - TCGEventLog supportLog = null; - ReferenceDigestRecord digestRecord = null; + List supports = new ArrayList<>(); + SupportReferenceManifest baseSupport = null; + List digestRecords = new LinkedList<>(); data.put("supportFilename", "Blank"); data.put("supportId", ""); 
@@ -504,25 +504,28 @@ public class ReferenceManifestDetailsPageController data.put("rimType", measurements.getRimType()); data.put("hostName", measurements.getDeviceName()); - if (measurements.getPlatformManufacturer() != null) { - digestRecord = referenceDigestManager.getRecord(measurements - .getPlatformManufacturer(), - measurements.getPlatformModel()); - support = SupportReferenceManifest + if (measurements.getDeviceName() != null) { + digestRecords = referenceDigestManager + .getRecordsByDeviceName(measurements.getDeviceName()); + supports.addAll(SupportReferenceManifest .select(referenceManifestManager) - .byManufacturer(measurements - .getPlatformManufacturer()).getRIM(); - - if (support != null) { - data.put("supportFilename", support.getFileName()); - data.put("supportId", support.getId()); + .byDeviceName(measurements + .getDeviceName()).getRIMs()); + for (SupportReferenceManifest support : supports) { + if (support.isBaseSupport()) { + baseSupport = support; + } + } + if (baseSupport != null) { + data.put("supportFilename", baseSupport.getFileName()); + data.put("supportId", baseSupport.getId()); base = BaseReferenceManifest .select(referenceManifestManager) - .byEntityId(support.getAssociatedRim()) + .byEntityId(baseSupport.getAssociatedRim()) .getRIM(); - data.put("tagId", support.getTagId()); + data.put("tagId", baseSupport.getTagId()); if (base != null) { data.put("baseId", base.getId()); 
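Review bot: `byEntityId(baseSupport.getAssociatedRim())` is called with no check that the association has been set, even though the base-RIM path of this same controller had to add a `getAssociatedRim() != null` guard for the mirror lookup; a support RIM stored before its base RIM was seen may well still carry a null association here. The `for (SupportReferenceManifest support : supports)` loop also keeps whichever base support comes last in the result, so with several base supports for one hostname the displayed `"supportFilename"`, `"supportId"` and `"tagId"` are not deterministic — a `break` after the assignment, or a log line when more than one is found, would make that visible. Suggested guard: `if (baseSupport != null && baseSupport.getAssociatedRim() != null) {`. The method continues beyond this hunk.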
@@ -531,11 +534,13 @@ public class ReferenceManifestDetailsPageController } TCGEventLog measurementLog = new TCGEventLog(measurements.getRimBytes()); - List eventValue; + List eventValue = new ArrayList<>(); Map eventValueMap = new HashMap<>(); - if (digestRecord != null) { - eventValue = referenceEventManager - .getValuesByRecordId(digestRecord); + if (!digestRecords.isEmpty()) { + for (ReferenceDigestRecord rdr : digestRecords) { + eventValue.addAll(referenceEventManager + .getValuesByRecordId(rdr)); + } for (ReferenceDigestValue rdv : eventValue) { eventValueMap.put(rdv.getDigestValue(), rdv); } 
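Review bot: `eventValueMap.put(rdv.getDigestValue(), rdv)` now merges the values of every digest record returned for the device into one map keyed by digest, so when two records hold the same digest the later record's value silently replaces the earlier one. If the records for one hostname can describe different support RIMs, `putIfAbsent` (or a comment stating that last-wins is intended) would make the choice explicit rather than accidental. The method continues outside this hunk.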
@@ -546,17 +551,34 @@ public class ReferenceManifestDetailsPageController } } - if (support != null) { + if (!supports.isEmpty()) { Map> baselineLogEvents = new HashMap<>(); - List baselines = null; + List matchedEvents = null; + List combinedBaselines = new LinkedList<>(); + for (SupportReferenceManifest support : supports) { + combinedBaselines.addAll(support.getEventLog()); + } + String bootVariable; + String variablePrefix = "Variable Name:"; + String variableSuffix = "UEFI_GUID"; for (TpmPcrEvent tpe : livelogEvents) { - baselines = new ArrayList<>(); - for (TpmPcrEvent supports : support.getEventLog()) { - if (supports.getEventType() == tpe.getEventType()) { - baselines.add(supports); + matchedEvents = new ArrayList<>(); + for (TpmPcrEvent tpmPcrEvent : combinedBaselines) { + if (tpmPcrEvent.getEventType() == tpe.getEventType()) { + if (tpe.getEventContentStr().contains(variablePrefix)) { + bootVariable = tpe.getEventContentStr().substring(( + tpe.getEventContentStr().indexOf(variablePrefix) + + variablePrefix.length()), + tpe.getEventContentStr().indexOf(variableSuffix)); + if (tpmPcrEvent.getEventContentStr().contains(bootVariable)) { + matchedEvents.add(tpmPcrEvent); + } + } else { + matchedEvents.add(tpmPcrEvent); + } } } - baselineLogEvents.put(tpe.getEventDigestStr(), baselines); + baselineLogEvents.put(tpe.getEventDigestStr(), matchedEvents); } data.put("eventTypeMap", baselineLogEvents); } diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceDigestRecord.java b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceDigestRecord.java index ee24e340..43cec77d 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceDigestRecord.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceDigestRecord.java 
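Review bot: The `substring(...)` that extracts `bootVariable` uses `tpe.getEventContentStr().indexOf(variableSuffix)` as its end index without checking that `"UEFI_GUID"` is present, so a live-log event whose content contains `"Variable Name:"` but no suffix, or the suffix before the prefix, throws `StringIndexOutOfBoundsException` out of the details page. That content is decoded from the device's uploaded measurement log, so the page should tolerate unexpected text rather than fail on it; the sketch below guards the indices and hoists the repeated `tpe.getEventContentStr()` calls, which are currently re-evaluated for every baseline event. A comment explaining why the variable name is the match key for these events would also help, since `variablePrefix` and `variableSuffix` are otherwise unexplained magic strings. The method continues outside this hunk.

```java
// … unchanged: combinedBaselines assembly and the variablePrefix/variableSuffix constants (the outer `String bootVariable;` is no longer needed) …
for (TpmPcrEvent tpe : livelogEvents) {
    matchedEvents = new ArrayList<>();
    String liveContent = tpe.getEventContentStr();
    // For UEFI variable events, narrow the baseline candidates to the same variable name;
    // null means the content carries no parseable "Variable Name: ... UEFI_GUID" span.
    String bootVariable = null;
    int start = liveContent.indexOf(variablePrefix);
    int end = liveContent.indexOf(variableSuffix);
    if (start >= 0 && end >= start + variablePrefix.length()) {
        bootVariable = liveContent.substring(start + variablePrefix.length(), end);
    }
    for (TpmPcrEvent tpmPcrEvent : combinedBaselines) {
        if (tpmPcrEvent.getEventType() != tpe.getEventType()) {
            continue;
        }
        if (bootVariable == null || tpmPcrEvent.getEventContentStr().contains(bootVariable)) {
            matchedEvents.add(tpmPcrEvent);
        }
    }
    baselineLogEvents.put(tpe.getEventDigestStr(), matchedEvents);
}
```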
@@ -28,6 +28,8 @@ public class ReferenceDigestRecord extends ArchivableEntity { private String manufacturer; @Column(nullable = false) private String model; + @Column(nullable = false) + private String deviceName; @Column(columnDefinition = "blob", nullable = true) private byte[] valueBlob; @@ -134,6 +136,22 @@ public class ReferenceDigestRecord extends ArchivableEntity { this.model = model; } + /** + * Getter for the deviceName associated. + * @return the string of the deviceName + */ + public String getDeviceName() { + return deviceName; + } + + /** + * Setter for the deviceName associated. + * @param deviceName the string of the model + */ + public void setDeviceName(final String deviceName) { + this.deviceName = deviceName; + } + /** * Getter for the byte array of event values. * @return a clone of the byte array @@ -158,7 +176,7 @@ public class ReferenceDigestRecord extends ArchivableEntity { */ @Override public String toString() { - return String.format("ReferenceDigestRecord: %s%n%s -> %s", - super.toString(), this.manufacturer, this.model); + return String.format("ReferenceDigestRecord: %s%n%s::%s::%s", + super.toString(), this.manufacturer, this.model, this.deviceName); } } diff --git a/HIRS_Utils/src/main/java/hirs/persist/DBReferenceDigestManager.java b/HIRS_Utils/src/main/java/hirs/persist/DBReferenceDigestManager.java index a7177511..31cb6c71 100644 --- a/HIRS_Utils/src/main/java/hirs/persist/DBReferenceDigestManager.java +++ b/HIRS_Utils/src/main/java/hirs/persist/DBReferenceDigestManager.java 
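Review bot: The `@param deviceName the string of the model` Javadoc on `setDeviceName` is copied from the model setter and should read `@param deviceName the network hostname of the device this record belongs to`. Adding `deviceName` as `@Column(nullable = false)` to an entity that already has persisted rows also needs a migration or default for existing records; if the schema is derived from these annotations, existing `ReferenceDigestRecord` rows with no device name will violate the constraint (schema management is not visible in this diff, so treat this as something to confirm). Since `toString()` now prints `deviceName` as a third identity component, a class-level comment noting that the value originates from the device's own report would help readers judge how much to rely on it.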
@@ -108,6 +108,28 @@ public class DBReferenceDigestManager extends DBManager return dbRecord; } + @Override + public List getRecordsByDeviceName(final String deviceName) { + LOGGER.debug("Getting record for {}", deviceName); + if (deviceName == null) { + LOGGER.error("No deviceName to get record from db"); + return null; + } + + List dbRecords = new ArrayList<>(); + try { + List dbTempList = super.getList(ReferenceDigestRecord.class); + for (ReferenceDigestRecord rdr : dbTempList) { + if (rdr.getDeviceName().equals(deviceName)) { + dbRecords.add(rdr); + } + } + } catch (DBManagerException dbMEx) { + throw new RuntimeException(dbMEx); + } + return dbRecords; + } + @Override public ReferenceDigestRecord getRecordById(final ReferenceDigestRecord referenceDigestRecord) { LOGGER.debug("Getting record for {}", referenceDigestRecord); diff --git a/HIRS_Utils/src/main/java/hirs/persist/ReferenceDigestManager.java b/HIRS_Utils/src/main/java/hirs/persist/ReferenceDigestManager.java index b65cb4d8..83b4d67a 100644 --- a/HIRS_Utils/src/main/java/hirs/persist/ReferenceDigestManager.java +++ b/HIRS_Utils/src/main/java/hirs/persist/ReferenceDigestManager.java @@ -37,6 +37,14 @@ public interface ReferenceDigestManager { */ ReferenceDigestRecord getRecord(String manufacturer, String model); + /** + * Persists a new Reference Digest. + * + * @param deviceName the string of the network hostname + * @return the persisted ReferenceDigestRecord list + */ + List getRecordsByDeviceName(String deviceName); + /** * Persists a new Reference Digest. * diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TpmPcrEvent.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TpmPcrEvent.java index e99f42ba..28996a62 100644 --- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TpmPcrEvent.java +++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TpmPcrEvent.java 
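Review bot: `getRecordsByDeviceName` returns `null` when `deviceName` is null although the interface Javadoc promises a list; returning `Collections.emptyList()` (or `new ArrayList<>()`) lets callers rely on `isEmpty()` without a null test. The filter `rdr.getDeviceName().equals(deviceName)` also throws for any stored record whose `deviceName` is null, which is exactly the state rows persisted before this column existed will be in; `deviceName.equals(rdr.getDeviceName())` is null-safe here because the argument has just been checked. Loading the whole table with `super.getList(ReferenceDigestRecord.class)` and filtering in memory costs a full scan per device lookup; a query restricted on the column would be the usual fix if `DBManager` offers one. In the interface hunk the copied summary `Persists a new Reference Digest.` should be replaced by `Returns every persisted record associated with the given device name.`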
@@ -212,7 +212,7 @@ public class TpmPcrEvent { } /** - * Returns a formatted string of the type for the event minus the byte code + * Returns a formatted string of the type for the event minus the byte code. * @return a string formatted to be human readable */ public String getEventTypeString() { From 7c86b6d0dbfbc14063d5f662e7627a9967f1751f Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Thu, 20 May 2021 15:24:28 -0400 Subject: [PATCH 06/11] Changed the pcr value check from the baseline expected pcr values to the measurement live log --- .../attestationca/service/SupplyChainValidationServiceImpl.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index efa273b6..691d1703 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -443,7 +443,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe if (passed) { TCGEventLog logProcessor; try { - logProcessor = new TCGEventLog(supportReferenceManifest.getRimBytes()); + logProcessor = new TCGEventLog(measurement.getRimBytes()); baseline = logProcessor.getExpectedPCRValues(); } catch (CertificateException cEx) { LOGGER.error(cEx); From 5162f7b1874f19e1744c23c255b47d202befa83f Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 21 May 2021 05:56:21 -0400 Subject: [PATCH 07/11] Updated the details page for RIMs to check if the rim hash link entry exists, if not don't display valid check. --- .../src/main/webapp/WEB-INF/jsp/rim-details.jsp | 2 ++ 1 file changed, 2 insertions(+) 
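Review bot: Replacing `supportReferenceManifest.getRimBytes()` with `measurement.getRimBytes()` in `new TCGEventLog(...)` means `baseline` is now replayed from the device's own live measurement log rather than from the support RIM, so the subsequent PCR comparison checks that the quote is consistent with the log the device sent, not that the PCRs match the vendor-supplied reference values. Unless the event digests are compared against the support RIM elsewhere in this method (the surrounding code is outside the hunk), this removes the reference-integrity part of the firmware check while the FAIL messages still read as if it happened. If log-versus-quote consistency is the intent, a comment naming that intent and a separate comparison of the live-log digests against the support RIM's expected values would keep the appraisal meaningful; at minimum the variable should not be called `baseline` when it is derived from the measurement under test.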
diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp index 0fba0572..fee09571 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp +++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp @@ -367,6 +367,7 @@
PC URI Local: ${initialData.pcUriLocal}
Rim Link Hash: ${initialData.rimLinkHash} + @@ -377,6 +378,7 @@ +
From efa2cada2d513ec53049e68b521efa5ad5aca9c8 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 21 May 2021 06:40:06 -0400 Subject: [PATCH 08/11] Updated the Rel Link References for the swid tag details pages. The previous set up didn't discern between a tag id and an actual url. --- .../src/main/webapp/WEB-INF/jsp/rim-details.jsp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp index fee09571..a1db77c5 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp +++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp @@ -334,7 +334,17 @@
Link