mirror of
https://github.com/nsacyber/HIRS.git
synced 2025-02-20 17:52:47 +00:00
The main change in this commit adjusts how the base and support RIMs are pulled for validation in an environment with multiple Base and Support RIMs per device/manufacturer/model.
parent
1b06d956b4
commit
3b33bd60b8
@ -794,7 +794,6 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
.byHashCode(Hex.encodeHexString(messageDigest.digest(
|
||||
logFile.toByteArray())))
|
||||
.getRIM();
|
||||
|
||||
if (support == null) {
|
||||
support = new SupportReferenceManifest(
|
||||
String.format("%s.rimel",
|
||||
@ -837,7 +836,6 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
.byHashCode(Hex.encodeHexString(messageDigest.digest(
|
||||
swidFile.toByteArray())))
|
||||
.getRIM();
|
||||
|
||||
if (dbBaseRim == null) {
|
||||
dbBaseRim = new BaseReferenceManifest(
|
||||
String.format("%s.swidtag",
|
||||
|
@ -370,28 +370,30 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
String model = device.getDeviceInfo()
|
||||
.getHardwareInfo().getProductName();
|
||||
ReferenceManifest validationObject = null;
|
||||
ReferenceManifest baseReferenceManifest = null;
|
||||
Set<BaseReferenceManifest> baseReferenceManifests = null;
|
||||
BaseReferenceManifest baseReferenceManifest = null;
|
||||
ReferenceManifest supportReferenceManifest = null;
|
||||
ReferenceManifest measurement = null;
|
||||
ReferenceDigestRecord digestRecord = null;
|
||||
|
||||
baseReferenceManifest = BaseReferenceManifest.select(referenceManifestManager)
|
||||
.byManufacturer(manufacturer).getRIM();
|
||||
supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager)
|
||||
.byManufacturer(manufacturer).getRIM();
|
||||
baseReferenceManifests = BaseReferenceManifest.select(referenceManifestManager)
|
||||
.byDeviceName(device.getDeviceInfo().getNetworkInfo().getHostname()).getRIMs();
|
||||
|
||||
measurement = EventLogMeasurements.select(referenceManifestManager)
|
||||
.byManufacturer(manufacturer).includeArchived().getRIM();
|
||||
|
||||
for (BaseReferenceManifest bRim : baseReferenceManifests) {
|
||||
if (!bRim.isSwidSupplemental() && !bRim.isSwidPatch()) {
|
||||
baseReferenceManifest = bRim;
|
||||
}
|
||||
}
|
||||
|
||||
validationObject = baseReferenceManifest;
|
||||
String failedString = "";
|
||||
if (baseReferenceManifest == null) {
|
||||
failedString = "Base Reference Integrity Manifest\n";
|
||||
passed = false;
|
||||
}
|
||||
if (supportReferenceManifest == null) {
|
||||
failedString += "Support Reference Integrity Manifest\n";
|
||||
passed = false;
|
||||
}
|
||||
if (measurement == null) {
|
||||
failedString += "Bios measurement";
|
||||
passed = false;
|
||||
@ -409,13 +411,22 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
new ByteArrayInputStream(baseReferenceManifest.getRimBytes()));
|
||||
|
||||
for (SwidResource swidRes : resources) {
|
||||
supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager)
|
||||
.byRimHash(swidRes.getHashValue()).getRIM();
|
||||
if (swidRes.getName().equals(supportReferenceManifest.getFileName())) {
|
||||
referenceManifestValidator.validateSupportRimHash(
|
||||
supportReferenceManifest.getRimBytes(), swidRes.getHashValue());
|
||||
} else {
|
||||
supportReferenceManifest = null;
|
||||
}
|
||||
}
|
||||
if (supportReferenceManifest == null) {
|
||||
fwStatus = new AppraisalStatus(FAIL,
|
||||
"Support Reference Integrity Manifest\n");
|
||||
passed = false;
|
||||
}
|
||||
|
||||
if (!referenceManifestValidator.isSignatureValid()) {
|
||||
if (passed && !referenceManifestValidator.isSignatureValid()) {
|
||||
passed = false;
|
||||
fwStatus = new AppraisalStatus(FAIL,
|
||||
"Firmware validation failed: Signature validation "
|
||||
@ -471,7 +482,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
} else {
|
||||
StringBuilder sb = pcrPolicy.validatePcrs(storedPcrs);
|
||||
if (sb.length() > 0) {
|
||||
validationObject = supportReferenceManifest;
|
||||
validationObject = baseReferenceManifest;
|
||||
level = Level.ERROR;
|
||||
fwStatus = new AppraisalStatus(FAIL, sb.toString());
|
||||
} else {
|
||||
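Review bot: In the `for (SwidResource swidRes : resources)` loop of the `-409,13 +411,22` hunk, the result of `byRimHash(...).getRIM()` is dereferenced on the next line without a null check, so a payload hash with no stored support RIM would throw a NullPointerException instead of reaching the new `FAIL` status, assuming `getRIM()` returns null when nothing matches (as the `== null` checks elsewhere in this commit suggest). The loop also overwrites `supportReferenceManifest` on every pass, so only the last `SwidResource` decides the outcome: an earlier match is discarded by a later mismatch, and an earlier mismatch is forgiven by a later match. For a firmware appraisal that should be an explicit policy (every listed resource must resolve, or at least one) rather than an artefact of iteration order; the sketch below keeps the last match and never resets it, and needs adjusting if all resources must match. The same order dependence is in the `-370,28 +370,30` hunk, where the last non-supplemental, non-patch entry of a `Set` becomes `baseReferenceManifest`; if more than one such base RIM can exist per host name, the choice should be made deterministic or treated as an error. The enclosing method starts and ends outside the visible hunks.

```java
for (SwidResource swidRes : resources) {
    ReferenceManifest candidate = SupportReferenceManifest.select(referenceManifestManager)
            .byRimHash(swidRes.getHashValue()).getRIM();
    // No stored support RIM carries this hash; leave the current result untouched.
    if (candidate == null) {
        continue;
    }
    if (swidRes.getName().equals(candidate.getFileName())) {
        referenceManifestValidator.validateSupportRimHash(
                candidate.getRimBytes(), swidRes.getHashValue());
        supportReferenceManifest = candidate;
    }
}
// … unchanged: the supportReferenceManifest == null FAIL branch and the signature check …
```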
|
@ -288,6 +288,8 @@ public class ReferenceManifestDetailsPageController
|
||||
}
|
||||
}
|
||||
|
||||
// Let's pull the supply chain validation
|
||||
|
||||
data.put("associatedRim", baseRim.getAssociatedRim());
|
||||
data.put("swidFiles", resources);
|
||||
if (support != null && (!baseRim.isSwidSupplemental()
|
||||
@ -337,7 +339,8 @@ public class ReferenceManifestDetailsPageController
|
||||
.select(referenceManifestManager)
|
||||
.byRimType(ReferenceManifest.BASE_RIM).getRIMs();
|
||||
for (BaseReferenceManifest baseRim : baseRims) {
|
||||
if (baseRim != null && baseRim.getAssociatedRim().equals(support.getId())) {
|
||||
if (baseRim != null && baseRim.getAssociatedRim() != null
|
||||
&& baseRim.getAssociatedRim().equals(support.getId())) {
|
||||
support.setAssociatedRim(baseRim.getId());
|
||||
try {
|
||||
referenceManifestManager.update(support);
|
||||
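Review bot: The comment `// Let's pull the supply chain validation` in the `-288,6 +288,8` hunk is followed only by a blank line and the `data.put("associatedRim", ...)` call, so nothing in the visible hunk does what it announces. Either drop it or turn it into a tracked marker such as `// TODO: add the supply chain validation result for this RIM to the page data`. The enclosing method extends beyond the hunk, so the intended code may sit elsewhere.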
|