Defining efi paths in CI env file

2025-04-14 14:36:51 +00:00 · 2024-07-12 11:37:10 -04:00 · 2024-07-12 11:37:10 -04:00 · 48203a84a6
commit 48203a84a6
parent 2235b6ab66
9 changed files with 261 additions and 96 deletions
--- a/.ci/docker/.env
+++ b/.ci/docker/.env
@ -12,4 +12,31 @@ HIRS_ACA_HOSTNAME=hirsaca

 HIRS_SUBNET=172.19.0.0/16

-TEST_STATUS=0
+TEST_STATUS=0
+
+HIRS_DEFAULT_APPSETTINGS_FILE=/usr/share/hirs/appsettings.json
+
+HIRS_CI_REPO_ROOT=/hirs
+
+HIRS_CI_TEST_ROOT=/ci_test
+HIRS_CI_EFI_PATH_ROOT=$HIRS_CI_TEST_ROOT/boot/efi
+HIRS_CI_EFI_PATH_TCG=$HIRS_CI_EFI_PATH_ROOT/EFI/tcg
+HIRS_CI_EFI_PATH_PLATFORM=$HIRS_CI_EFI_PATH_TCG/cert/platform
+HIRS_CI_EFI_PATH_RIM=$HIRS_CI_EFI_PATH_TCG/manifest/rim
+HIRS_CI_EFI_PATH_SWIDTAG=$HIRS_CI_EFI_PATH_TCG/manifest/swidtag
+HIRS_CI_TEST_HW_JSON_FILE=$HIRS_CI_TEST_ROOT/hw.json
+HIRS_CI_TEST_EVENT_LOG_FILE=$HIRS_CI_TEST_ROOT/binary_bios_measurements
+
+HIRS_CI_TPM_EK_CERT_FILE=/hirs/.ci/setup/certs/ek_cert.der
+HIRS_CI_TPM_EK_CERT_NV_ATTR="0x2000A"
+HIRS_CI_TPM_EK_CERT_NV_INDEX="0x1c00002"
+
+HIRS_ACA_POST_POINT_EK=HIRS_AttestationCAPortal/portal/certificate-request/endorsement-key-credentials/upload
+HIRS_ACA_POST_POINT_PLATFORM=HIRS_AttestationCAPortal/portal/certificate-request/platform-credentials/upload
+HIRS_ACA_POST_POINT_RIM=HIRS_AttestationCAPortal/portal/reference-manifests/upload
+HIRS_ACA_POST_POINT_TRUST=HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
+
+SERVER_ECERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_EK"
+SERVER_PCERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_PLATFORM"
+SERVER_CACERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_TRUST"
+SERVER_RIM_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_RIM"
--- a/.ci/setup/container/tpm2_common.sh
+++ b/.ci/setup/container/tpm2_common.sh
@ -152,11 +152,11 @@ DEFAULT_SITE_CONFIG_FILE
 # Function to update the hirs-site.config file
 function setCiHirsAppsettingsFile {
  # Setting configurations
-  . /HIRS/.ci/docker/.env
+  . /hirs/.ci/docker/.env

-  HIRS_APPSETTINGS_FILE="/usr/share/hirs/appsettings.json"
+  HIRS_APPSETTINGS_FILE=$HIRS_DEFAULT_APPSETTINGS_FILE
  ACA_ADDRESS="https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}"
-  EFI_PREFIX_PATH="/ci_test/boot/efi"
+  EFI_PREFIX_PATH=$HIRS_CI_EFI_PATH_ROOT
  PACCOR_OUTPUT_FILE=""
  EVENT_LOG_FILE=""
  HARDWARE_MANIFEST_COLLECTORS="paccor_scripts"
@ -216,13 +216,13 @@ function setCiHirsAppsettingsFile {
 DEFAULT_APPSETTINGS_FILE
  if [ "$USE_LINUX_DMI" = YES ]; then
    cat <<DEFAULT_APPSETTINGS_FILE >> $HIRS_APPSETTINGS_FILE
-  "linux_bios_vendor_file": "/ci_test/dmi/id/bios_vendor",
-  "linux_bios_version_file": "/ci_test/dmi/id/bios_version",
-  "linux_bios_date_file": "/ci_test/dmi/id/bios_date",
-  "linux_sys_vendor_file": "/ci_test/dmi/id/sys_vendor",
-  "linux_product_name_file": "/ci_test/dmi/id/product_name",
-  "linux_product_version_file": "/ci_test/dmi/id/product_version",
-  "linux_product_serial_file": "/ci_test/dmi/id/product_serial",
+  "linux_bios_vendor_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_vendor",
+  "linux_bios_version_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_version",
+  "linux_bios_date_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_date",
+  "linux_sys_vendor_file": "$HIRS_CI_TEST_ROOT/dmi/id/sys_vendor",
+  "linux_product_name_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_name",
+  "linux_product_version_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_version",
+  "linux_product_serial_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_serial",
 DEFAULT_APPSETTINGS_FILE
  fi
  cat <<DEFAULT_APPSETTINGS_FILE >> $HIRS_APPSETTINGS_FILE
@ -305,9 +305,12 @@ function startupTpm {
 }

 function installEkCert {
-  echo "Installing EK Cert /hirs/.ci/setup/certs/ek_cert.der into TPM NVRAM at index 0x1c00002"
-  tpm2_nvdefine -T mssim -C o -a 0x2000A -s $(cat /hirs/.ci/setup/certs/ek_cert.der | wc -c) 0x1c00002
-  tpm2_nvwrite -T mssim -C o -i /hirs/.ci/setup/certs/ek_cert.der 0x1c00002
+  # Setting configurations
+  . /hirs/.ci/docker/.env
+  
+  echo "Installing EK Cert $HIRS_CI_TPM_EK_CERT_FILE into TPM NVRAM at index $HIRS_CI_TPM_EK_CERT_NV_INDEX"
+  tpm2_nvdefine -T mssim -C o -a $HIRS_CI_TPM_EK_CERT_NV_ATTR -s $(cat $HIRS_CI_TPM_EK_CERT_FILE | wc -c) $HIRS_CI_TPM_EK_CERT_NV_INDEX
+  tpm2_nvwrite -T mssim -C o -i $HIRS_CI_TPM_EK_CERT_FILE $HIRS_CI_TPM_EK_CERT_NV_INDEX
  echo "Finished installing EK cert."
 }

--- a/.ci/system-tests/container/efi_setup.sh
+++ b/.ci/system-tests/container/efi_setup.sh
@ -0,0 +1,52 @@
+#!/bin/bash
+#########################################################################################
+#   Setup a local directory to act as the ESP for testing
+#   This just creates the directory structure.
+#   usage efi_setup.sh [-c] [-p] [-r]
+#   -c: clear all artifact directories
+#   -p: clear only the platform directory
+#   -r: clear only the rim directories
+#########################################################################################
+
+# Load env variables
+. /hirs/.ci/docker/.env
+
+# Process parameters Argument handling 
+POSITIONAL_ARGS=()
+ORIGINAL_ARGS=("$@")
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -c|--clear-all)
+      CLEAR_ALL=YES
+      shift # past argument
+      ;;
+    -p|--clear-platform)
+      CLEAR_PLATFORM=YES
+      shift # past argument
+      ;;
+    -r|--clear-rim)
+      CLEAR_RIM=YES
+      shift # past argument
+      ;;
+    *)
+     POSITIONAL_ARGS+=("$1") # save positional arg
+     # shift # past argument
+     break
+      ;;
+  esac
+  
+# Ensure file structure is there
+mkdir -p $HIRS_CI_EFI_PATH_PLATFORM
+mkdir -p $HIRS_CI_EFI_PATH_RIM
+mkdir -p $HIRS_CI_EFI_PATH_SWIDTAG
+
+# Clear out any previous artifacts
+
+if [ "$CLEAR_ALL" = YES ] || [ "$CLEAR_PLATFORM" = YES ] ; then
+  rm -f $HIRS_CI_EFI_PATH_PLATFORM/*
+fi
+if [ "$CLEAR_ALL" = YES ] || [ "$CLEAR_RIM" = YES ] ; then
+  rm -f $HIRS_CI_EFI_PATH_RIM/*
+  rm -f $HIRS_CI_EFI_PATH_SWIDTAG/*
+fi
+
--- a/.ci/system-tests/container/pc_setup.sh
+++ b/.ci/system-tests/container/pc_setup.sh
@ -1,23 +1,65 @@
 #!/bin/bash
 #########################################################################################
 #   Setup for platform certificates for testing
-#   Copies platform certs (Base and Delta) to the tcg directory
-#   usage pc_setup.sh <profile> <test>
+#   usage pc_setup.sh -p <profile> -t <test> [-u] [-n]
+#   By default, copies platform certs (Base and Delta) to the tcg directory.
+#   -u: upload the certs to the ACA directly.
+#   -n: disable copy of certs to the tcg directory.
 #########################################################################################

-profile=$1
-test=$2
-ciTestDir="/ci_test"
-tcgDir="$ciTestDir/boot/efi/EFI/tcg/cert/platform/"
+# Load env variables
+. ./.ci/docker/.env
+
+profile=laptop
+test=default
+ciTestDir=$HIRS_CI_TEST_ROOT
+ciTestHwJsonFile=$HIRS_CI_TEST_HW_JSON_FILE
+
+# By default save the artifacts in EFI and do not upload to the ACA
+UPLOAD_ARTIFACTS=NO
+PUT_ARTIFACTS_IN_ESP=YES
+
+# Process parameters Argument handling 
+POSITIONAL_ARGS=()
+ORIGINAL_ARGS=("$@")
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -p|--profile)
+      shift # past argument
+      profile=$1
+      shift # past parameter
+      ;;
+    -t|--test)
+      shift # past argument
+      test=$1
+      shift # past parameter
+      ;;
+    -u|--upload)
+      UPLOAD_ARTIFACTS=YES
+      shift # past argument
+      ;;
+    -n|--no-efi)
+      PUT_ARTIFACTS_IN_ESP=NO
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "pc_setup.sh: Unknown option $1"
+      shift # past argument
+      ;;
+    *)
+     POSITIONAL_ARGS+=("$1") # save positional arg
+     # shift # past argument
+     break
+      ;;
+  esac

 # Profile selections
-profileDir="/hirs/.ci/system-tests/profiles/$profile"
+profileDir="$HIRS_CI_REPO_ROOT/.ci/system-tests/profiles/$profile"
 testDir="$profileDir/$test"
 pcDir="$testDir/platformcerts"
 dmiZip="$profileDir/$profile"_dmi.zip
 hwJsonFileName="$profile"_"$test"_hw.json
 hwJsonFile="$testDir/$hwJsonFileName"
-ciTestHwJsonFile="$ciTestDir/hw.json"

 # Use default settings if profile does not have specific changes
 if [ ! -f "$hwJsonFile" ]; then
@ -30,9 +72,8 @@ if [ ! -f "$dmiZip" ]; then
    dmiZip="$profileDir"/default/laptop_dmi.zip
 fi

-# Current TCG folder for platform certs
-mkdir -p $tcgDir;  # Create the platform cert folder if its not there
-rm -f $tcgDir*;    # Clear out any previous data
+# Ensure platform folder under efi is set up and cleared
+$HIRS_CI_REPO_ROOT/.ci/system-tests/container/efi_setup.sh -p

 echo "Test is using platform cert(s) from $profile : $test"
 # Step 1: Copy hw json file, if it exists.
@ -48,16 +89,21 @@ dnf install -y unzip &> /dev/null
 echo "dmi file used was $dmiZip"
 unzip -o "$dmiZip" -d "$ciTestDir"

-# Step 3: Copy the platform cert to tcg folder 
+# Step 3: Copy the platform cert to tcg folder and or upload it to the ACA
 if [[ ! -d $pcDir ]]; then
    pcDir=$profileDir/default/platformcerts;
 fi
+
 pushd $pcDir > /dev/null
 # Skip copy of platform cert if .gitigore exists (empty profile)
-if [[ ! -f ".gitignore" ]]; then
+  if [[ ! -f ".gitignore" ]]; then
    for cert in * ; do
-          cp -f $cert $tcgDir$cert;
+      if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
+        cp $cert $HIRS_CI_EFI_PATH_PLATFORM
+      fi
+      if [ "$UPLOAD_ARTIFACTS" = YES ]; then
+        curl -k -F "file=@$cert" $SERVER_PCERT_POST
+      fi
    done
-fi
-
+  fi
 popd > /dev/null
--- a/.ci/system-tests/container/rim_setup.sh
+++ b/.ci/system-tests/container/rim_setup.sh
@ -1,33 +1,71 @@
 #!/bin/bash
 #########################################################################################
 #   Setup for PC Client Reference Integrity Manifest (RIM) tests
-#   usage rim_setup.sh <profile> <test> <option>
-#   use "clear" option to clear existing TPM PCR values
+#   usage rim_setup.sh -p <profile> -t <test> [-u] [-n]
 #########################################################################################

-profile=$1
-test=$2
-ciTestDir="/ci_test"
-tcgDir="$ciTestDir/boot/efi/EFI/tcg"
+# Load env variables
+. ./.ci/docker/.env
+
+profile=laptop
+test=default
+ciTestDir=$HIRS_CI_TEST_ROOT
+ciTestEventLog=$HIRS_CI_TEST_EVENT_LOG_FILE
+tcgDir=$HIRS_CI_EFI_PATH_TCG
+tcgSwidDir=$HIRS_CI_EFI_PATH_SWIDTAG
+tcgRimDir=$HIRS_CI_EFI_PATH_RIM
+
+# By default save the artifacts in EFI and do not upload to the ACA
+UPLOAD_ARTIFACTS=NO
+PUT_ARTIFACTS_IN_ESP=YES
+
+# Process parameters Argument handling 
+POSITIONAL_ARGS=()
+ORIGINAL_ARGS=("$@")
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -p|--profile)
+      shift # past argument
+      profile=$1
+      shift # past parameter
+      ;;
+    -t|--test)
+      shift # past argument
+      test=$1
+      shift # past parameter
+      ;;
+    -u|--upload)
+      UPLOAD_ARTIFACTS=YES
+      shift # past argument
+      ;;
+    -n|--no-efi)
+      PUT_ARTIFACTS_IN_ESP=NO
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "rim_setup.sh: Unknown option $1"
+      shift # past argument
+      ;;
+    *)
+     POSITIONAL_ARGS+=("$1") # save positional arg
+     # shift # past argument
+     break
+      ;;
+  esac

 # Profile selections
-profileDir="/hirs/.ci/system-tests/profiles/$profile"
+profileDir="$HIRS_CI_REPO_ROOT/.ci/system-tests/profiles/$profile"
 defaultDir="$profileDir/default"
-testDir="/hirs/.ci/system-tests/profiles/$profile/$test"
+testDir="$profileDir/$test"
 eventLog="$testDir"/"$profile"_"$test"_binary_bios_measurements
 swidDir="$testDir/swidtags"
 rimDir="$testDir/rims"
 pcrScript="$testDir/"$profile"_"$test"_setpcrs.sh"
-ciTestEventLog="$ciTestDir/binary_bios_measurements"

 echo "Test is using RIM files from $profile : $test"

-# Make sure TCG defined RIM folders exist and are cleared out
-mkdir -p $tcgDir/manifest/rim/;  # Create the platform cert folder if its not there
-rm -f $tcgDir/manifest/rim/*;    # clear out any previous data
-
-mkdir -p $tcgDir/manifest/swidtag/;  # Create the platform cert folder if its not there
-rm -f $tcgDir/manifest/swidtag/*;   # clear out any previous data
+# Ensure rim folders under efi are set up and cleared
+$HIRS_CI_REPO_ROOT/.ci/system-tests/container/efi_setup.sh -r

 # Step 1: Copy binary_bios_measurement file
 if [ ! -e "$eventLog" ]; then
@ -37,40 +75,42 @@ echo "eventLog used was  $eventLog"
 cp "$eventLog" "$ciTestEventLog"

 # Step 2: Copy Base RIM files to the TCG folder
-#      a: See if test specific swidtag folder exists, if not use the defualt folder
+#      a: See if test specific swidtag folder exists, if not use the default folder
 if [[ ! -d $swidDir ]]; then
    swidDir=$defaultDir/swidtags;
 fi
 pushd $swidDir > /dev/null
  if [[ ! -f ".gitignore" ]]; then
    for swidtag in * ; do
-          cp -f $swidtag $tcgDir/manifest/swidtag/$swidtag;
+      if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
+        cp $swidtag $tcgSwidDir
+      fi
+      if [ "$UPLOAD_ARTIFACTS" = YES ]; then
+        curl -k -F "file=@$swidtag" $SERVER_RIM_POST
+      fi
    done
  fi
 popd > /dev/null
-# Step 3: Copy Support RIM files to the TCG folder in the same mannor
+# Step 3: Copy Support RIM files to the TCG folder in the same manner
 if [[ ! -d $rimDir ]]; then 
    rimDir=$defaultDir/rims;
 fi
 pushd $rimDir > /dev/null
-
  if [[ ! -f ".gitignore" ]]; then
    for rim in * ; do
-          cp -f $rim $tcgDir/manifest/rim/$rim;
+      if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
+        cp $rim $tcgRimDir
+      fi
+      if [ "$UPLOAD_ARTIFACTS" = YES ]; then
+        curl -k -F "file=@$rim" $SERVER_RIM_POST
+      fi
    done
  fi
 popd > /dev/null

 #Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file
-#     a: Clear the TPM PCR registers vi a call to the tss clear 
-#     b: Check if a test specific setpcr.sh file exists. If not use the profiles default script
-
-
 if [[ ! -f $pcrScript ]]; then
    pcrScript="$profileDir/default/"$profile"_default_setpcrs.sh"
 fi
 sh $pcrScript;
-#echo "PCR script was $pcrScript"
-#tpm2_pcrlist -g sha256 

-# Done with rim_setup
--- a/.ci/system-tests/sys_test_common.sh
+++ b/.ci/system-tests/sys_test_common.sh
@ -26,34 +26,34 @@ fi

 # clear all policy settings
 setPolicyNone() {
-docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=0, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
+docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=0, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
           utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
 }

 # Policy Settings for tests ...
 setPolicyEkOnly() {
-docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
+docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
           utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
 }

 setPolicyEkPc_noAttCheck() {
-docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=1,
+docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=1,
           utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
 }

 setPolicyEkPc() {
-docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
+docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
           utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
 }

 setPolicyEkPcFw() {
-docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
+docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
           utcValidationEnabled=0, firmwareValidationEnabled=1, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=1, ignoretBootEnabled=0;"
 }

 # Clear all ACA DB items excluding policy
 clearAcaDb() {
-docker exec hirs-aca1 mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Appraiser;
+docker exec -i $aca_container mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Appraiser;
 truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate ComponentAttributeResult;
 truncate ComponentInfo;truncate ComponentResult;truncate Device;truncate DeviceInfoReport;truncate PortalInfo;
 truncate ReferenceDigestValue;truncate ReferenceManifest;truncate Report;truncate SupplyChainValidation;
@ -68,15 +68,18 @@ uploadTrustedCerts() {
 #                                     && ./createekcert -rsa 2048 -cakey cakey.pem -capwd rrrr -v 1> /dev/null \
 #                                     && popd > /dev/null"
  # Upload CA Cert from IBMTSS Tools
-  docker exec $tpm2_container sh -c "pushd /ibmtss/utils/certificates > /dev/null \
-                                     && curl -k -s -F 'file=@cacert.pem' https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload \
-                                     && popd > /dev/null"
+  echo "Uploading Trust Certificates to ${HIRS_ACA_HOSTNAME}:${HIRS_ACA_PORTAL_PORT}"
+  echo "Uploading the EK Certificate CA(s)..."
+  docker exec -i $tpm2_container /bin/bash -c "curl -k -F 'file=@/ibmtss/utils/certificates/cacert.pem' $SERVER_CACERT_POST"
+  echo "...done"
  # Upload Trusted Certs from HIRS
-  pushd .ci/setup/certs > /dev/null
-    curl -k -s -F "file=@ca.crt" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
-    curl -k -s -F "file=@RIMCaCert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
-    curl -k -s -F "file=@RimSignCert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
-  popd > /dev/null
+  echo "Uploading the Platform Certificate CA(s)..."
+  docker exec -i $aca_container /bin/bash -c "curl -k -F 'file=@$HIRS_CI_REPO_ROOT/.ci/setup/certs/ca.crt' https://localhost:${HIRS_ACA_PORTAL_PORT}/$HIRS_ACA_POST_POINT_TRUST"
+  echo "...done"
+  echo "Uploading the RIM CA(s)..."
+  docker exec -i $aca_container /bin/bash -c "curl -k -F 'file=@$HIRS_CI_REPO_ROOT/.ci/setup/certs/RIMCaCert.pem' https://localhost:${HIRS_ACA_PORTAL_PORT}/$HIRS_ACA_POST_POINT_TRUST"
+  docker exec -i $aca_container /bin/bash -c "curl -k -F 'file=@$HIRS_CI_REPO_ROOT/.ci/setup/certs/RimSignCert.pem' https://localhost:${HIRS_ACA_PORTAL_PORT}/$HIRS_ACA_POST_POINT_TRUST"
+  echo "...done"
 }

 # provision_tpm2 takes one parameter which is the expected result of the provion: "pass" or "fail"
@ -85,7 +88,7 @@ uploadTrustedCerts() {
 provisionTpm2() {
   expected_result=$1
   ((totalTests++))
-   provisionOutput=$(docker exec $tpm2_container sh -c "/usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim");
+   provisionOutput=$(docker exec -i $tpm2_container /bin/bash -c "/usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim");
    echo "==========="
    echo "$provisionOutput";
    echo "===========";
@ -107,26 +110,21 @@ provisionTpm2() {
 }

 resetTpmForNewTest() {
-  docker exec -i $tpm2_container /bin/bash -c "source /hirs/.ci/setup/container/tpm2_common.sh; startFreshTpmServer -f; startupTpm; installEkCert"
+  docker exec -i $tpm2_container /bin/bash -c "source $HIRS_CI_REPO_ROOT/.ci/setup/container/tpm2_common.sh; startFreshTpmServer -f; startupTpm; installEkCert"
 }

 # Places platform cert(s) held in the test folder(s) in the provisioners tcg folder
-# setPlatCert <profile> <test>
 setPlatformCerts() {
-  docker exec $tpm2_container sh /hirs/.ci/system-tests/container/pc_setup.sh $1 $2
-  #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
+  docker exec -i $tpm2_container /bin/bash -c "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/pc_setup.sh $@"
 }

 # Places RIM files held in the test folder in the provisioners tcg folder
-# setRims <profile> <test>
 setRims() {
-docker exec $tpm2_container sh /hirs/.ci/system-tests/container/rim_setup.sh $1 $2 $3
-#docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
+  docker exec -i $tpm2_container /bin/bash -c "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/rim_setup.sh $@"
 }

 setAppsettings() {
-  OPTIONS=$@
-  docker exec -i $tpm2_container /bin/bash -c "source /hirs/.ci/setup/container/tpm2_common.sh; setCiHirsAppsettingsFile $OPTIONS"
+  docker exec -i $tpm2_container /bin/bash -c "source $HIRS_CI_REPO_ROOT/.ci/setup/container/tpm2_common.sh; setCiHirsAppsettingsFile $@"
 }

 # Writes to the Action ouput, ACA log, and Provisioner Log
@ -135,6 +133,5 @@ setAppsettings() {
 writeToLogs() {
  line=$1
  echo $line;
-  docker exec $aca_container sh -c "cd .. && echo '$line' >> /var/log/hirs/HIRS_AttestationCA_Portal.log"
- # docker exec $tpm2_container sh -c "echo '$line' >> /var/log/hirs/provisioner/HIRS_provisionerTPM2.log"
+  docker exec -i $aca_container /bin/bash -c "cd .. && echo '$line' >> /var/log/hirs/HIRS_AttestationCA_Portal.log"
 }
--- a/.ci/system-tests/tests/aca_policy_tests.sh
+++ b/.ci/system-tests/tests/aca_policy_tests.sh
@ -54,7 +54,7 @@ if [ "$test" = "6" ] || [ "$test" = "all" ]; then
    resetTpmForNewTest
    setPolicyEkPc_noAttCheck
    uploadTrustedCerts
-    setPlatformCerts "laptop" "default"
+    setPlatformCerts -p "laptop" -t "default"
    provisionTpm2 "pass"
 fi
 if [ "$test" = "7" ] || [ "$test" = "all" ]; then
@ -64,7 +64,7 @@ if [ "$test" = "7" ] || [ "$test" = "all" ]; then
    resetTpmForNewTest
    setPolicyEkPc
    uploadTrustedCerts
-    setPlatformCerts "laptop" "default"
+    setPlatformCerts -p "laptop" -t "default"
    setAppsettings --paccor-output-file /ci_test/hw.json --event-log-file /ci_test/binary_bios_measurements --linux-dmi
    provisionTpm2 "pass"
 fi
@ -74,8 +74,8 @@ if [ "$test" = "8" ] || [ "$test" = "all" ]; then
    resetTpmForNewTest
    setPolicyEkPcFw
    uploadTrustedCerts
-    setPlatformCerts "laptop" "default"
-    setRims "laptop" "default"
+    setPlatformCerts -p "laptop" -t "default"
+    setRims -p "laptop" -t "default"
    provisionTpm2 "pass"
 fi

--- a/.ci/system-tests/tests/platform_cert_tests.sh
+++ b/.ci/system-tests/tests/platform_cert_tests.sh
@ -26,7 +26,7 @@ if [ "$test" = "1" ] || [ "$test" = "all" ]; then
    resetTpmForNewTest
    uploadTrustedCerts
    setPolicyEkPc
-    setPlatformCerts "laptop" "deltaPlatMem"
+    setPlatformCerts -p "laptop" -t "deltaPlatMem"
    provisionTpm2 "pass"
 fi
 if [ "$test" = "2" ] || [ "$test" = "all" ]; then
@ -34,7 +34,7 @@ if [ "$test" = "2" ] || [ "$test" = "all" ]; then
    clearAcaDb
    resetTpmForNewTest
    uploadTrustedCerts
-    setPlatformCerts "laptop" "platCertLight"
+    setPlatformCerts -p "laptop" -t "platCertLight"
    provisionTpm2 "pass"
 fi
 if [ "$test" = "3" ] || [ "$test" = "all" ]; then
@ -42,7 +42,7 @@ if [ "$test" = "3" ] || [ "$test" = "all" ]; then
    clearAcaDb
    resetTpmForNewTest
    uploadTrustedCerts
-    setPlatformCerts "laptop" "badDeltaMem"
+    setPlatformCerts -p "laptop" -t "badDeltaMem"
    provisionTpm2 "fail"
 fi

--- a/.ci/system-tests/tests/rim_system_tests.sh
+++ b/.ci/system-tests/tests/rim_system_tests.sh
@ -24,8 +24,8 @@ if [ "$test" = "1" ] || [ "$test" = "all" ]; then
    resetTpmForNewTest
    uploadTrustedCerts
    setPolicyEkPcFw
-    setPlatformCerts "laptop" "varOsInstall"
-    setRims "laptop" "varOsInstall" "clear"
+    setPlatformCerts -p "laptop" -t "varOsInstall"
+    setRims -p "laptop" -t "varOsInstall"
    provisionTpm2 "pass"
 fi
 if [ "$test" = "2" ] || [ "$test" = "all" ]; then
@ -34,8 +34,8 @@ if [ "$test" = "2" ] || [ "$test" = "all" ]; then
    resetTpmForNewTest
    uploadTrustedCerts
    setPolicyEkPcFw
-    setPlatformCerts "laptop" "badOemInstall"
-    setRims "laptop" "badOemInstall" "clear"
+    setPlatformCerts -p "laptop" -t "badOemInstall"
+    setRims -p "laptop" -t "badOemInstall"
    provisionTpm2 "fail"
 fi
 if [ "$test" = "3" ] || [ "$test" = "all" ]; then
@ -44,8 +44,8 @@ if [ "$test" = "3" ] || [ "$test" = "all" ]; then
    resetTpmForNewTest
    uploadTrustedCerts
    setPolicyEkPcFw
-    setPlatformCerts "laptop" "badVarInstall"
-    setRims "laptop" "badVarInstall" "clear"
+    setPlatformCerts -p "laptop" -t "badVarInstall"
+    setRims -p "laptop" -t "badVarInstall"
    provisionTpm2 "fail"
 fi