From 48203a84a626d3926d616d94fbb1ac23c3fd487a Mon Sep 17 00:00:00 2001
From: iadgovuser29 <33426478+iadgovuser29@users.noreply.github.com>
Date: Fri, 12 Jul 2024 11:37:10 -0400
Subject: [PATCH] Defining efi paths in CI env file

---
 .ci/docker/.env                               | 29 +++++-
 .ci/setup/container/tpm2_common.sh            | 29 +++---
 .ci/system-tests/container/efi_setup.sh       | 52 ++++++++++
 .ci/system-tests/container/pc_setup.sh        | 78 +++++++++++----
 .ci/system-tests/container/rim_setup.sh       | 94 +++++++++++++------
 .ci/system-tests/sys_test_common.sh           | 49 +++++-----
 .ci/system-tests/tests/aca_policy_tests.sh    |  8 +-
 .ci/system-tests/tests/platform_cert_tests.sh |  6 +-
 .ci/system-tests/tests/rim_system_tests.sh    | 12 +--
 9 files changed, 261 insertions(+), 96 deletions(-)
 create mode 100755 .ci/system-tests/container/efi_setup.sh

diff --git a/.ci/docker/.env b/.ci/docker/.env
index 0fea64ca..e5846636 100644
--- a/.ci/docker/.env
+++ b/.ci/docker/.env
@@ -12,4 +12,31 @@ HIRS_ACA_HOSTNAME=hirsaca
 
 HIRS_SUBNET=172.19.0.0/16
 
-TEST_STATUS=0
\ No newline at end of file
+TEST_STATUS=0
+
+HIRS_DEFAULT_APPSETTINGS_FILE=/usr/share/hirs/appsettings.json
+
+HIRS_CI_REPO_ROOT=/hirs
+
+HIRS_CI_TEST_ROOT=/ci_test
+HIRS_CI_EFI_PATH_ROOT=$HIRS_CI_TEST_ROOT/boot/efi
+HIRS_CI_EFI_PATH_TCG=$HIRS_CI_EFI_PATH_ROOT/EFI/tcg
+HIRS_CI_EFI_PATH_PLATFORM=$HIRS_CI_EFI_PATH_TCG/cert/platform
+HIRS_CI_EFI_PATH_RIM=$HIRS_CI_EFI_PATH_TCG/manifest/rim
+HIRS_CI_EFI_PATH_SWIDTAG=$HIRS_CI_EFI_PATH_TCG/manifest/swidtag
+HIRS_CI_TEST_HW_JSON_FILE=$HIRS_CI_TEST_ROOT/hw.json
+HIRS_CI_TEST_EVENT_LOG_FILE=$HIRS_CI_TEST_ROOT/binary_bios_measurements
+
+HIRS_CI_TPM_EK_CERT_FILE=/hirs/.ci/setup/certs/ek_cert.der
+HIRS_CI_TPM_EK_CERT_NV_ATTR="0x2000A"
+HIRS_CI_TPM_EK_CERT_NV_INDEX="0x1c00002"
+
+HIRS_ACA_POST_POINT_EK=HIRS_AttestationCAPortal/portal/certificate-request/endorsement-key-credentials/upload
+HIRS_ACA_POST_POINT_PLATFORM=HIRS_AttestationCAPortal/portal/certificate-request/platform-credentials/upload
+HIRS_ACA_POST_POINT_RIM=HIRS_AttestationCAPortal/portal/reference-manifests/upload
+HIRS_ACA_POST_POINT_TRUST=HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
+
+SERVER_ECERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_EK"
+SERVER_PCERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_PLATFORM"
+SERVER_CACERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_TRUST"
+SERVER_RIM_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_RIM"
diff --git a/.ci/setup/container/tpm2_common.sh b/.ci/setup/container/tpm2_common.sh
index 517ee260..a3fa98b2 100755
--- a/.ci/setup/container/tpm2_common.sh
+++ b/.ci/setup/container/tpm2_common.sh
@@ -152,11 +152,11 @@ DEFAULT_SITE_CONFIG_FILE
 # Function to update the hirs-site.config file
 function setCiHirsAppsettingsFile {
   # Setting configurations
-  . /HIRS/.ci/docker/.env
+  . /hirs/.ci/docker/.env
 
-  HIRS_APPSETTINGS_FILE="/usr/share/hirs/appsettings.json"
+  HIRS_APPSETTINGS_FILE=$HIRS_DEFAULT_APPSETTINGS_FILE
   ACA_ADDRESS="https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}"
-  EFI_PREFIX_PATH="/ci_test/boot/efi"
+  EFI_PREFIX_PATH=$HIRS_CI_EFI_PATH_ROOT
   PACCOR_OUTPUT_FILE=""
   EVENT_LOG_FILE=""
   HARDWARE_MANIFEST_COLLECTORS="paccor_scripts"
@@ -216,13 +216,13 @@ function setCiHirsAppsettingsFile {
 DEFAULT_APPSETTINGS_FILE
   if [ "$USE_LINUX_DMI" = YES ]; then
     cat <<DEFAULT_APPSETTINGS_FILE >> $HIRS_APPSETTINGS_FILE
-  "linux_bios_vendor_file": "/ci_test/dmi/id/bios_vendor",
-  "linux_bios_version_file": "/ci_test/dmi/id/bios_version",
-  "linux_bios_date_file": "/ci_test/dmi/id/bios_date",
-  "linux_sys_vendor_file": "/ci_test/dmi/id/sys_vendor",
-  "linux_product_name_file": "/ci_test/dmi/id/product_name",
-  "linux_product_version_file": "/ci_test/dmi/id/product_version",
-  "linux_product_serial_file": "/ci_test/dmi/id/product_serial",
+  "linux_bios_vendor_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_vendor",
+  "linux_bios_version_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_version",
+  "linux_bios_date_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_date",
+  "linux_sys_vendor_file": "$HIRS_CI_TEST_ROOT/dmi/id/sys_vendor",
+  "linux_product_name_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_name",
+  "linux_product_version_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_version",
+  "linux_product_serial_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_serial",
 DEFAULT_APPSETTINGS_FILE
   fi
   cat <<DEFAULT_APPSETTINGS_FILE >> $HIRS_APPSETTINGS_FILE
@@ -305,9 +305,12 @@ function startupTpm {
 }
 
 function installEkCert {
-  echo "Installing EK Cert /hirs/.ci/setup/certs/ek_cert.der into TPM NVRAM at index 0x1c00002"
-  tpm2_nvdefine -T mssim -C o -a 0x2000A -s $(cat /hirs/.ci/setup/certs/ek_cert.der | wc -c) 0x1c00002
-  tpm2_nvwrite -T mssim -C o -i /hirs/.ci/setup/certs/ek_cert.der 0x1c00002
+  # Setting configurations
+  . /hirs/.ci/docker/.env
+  
+  echo "Installing EK Cert $HIRS_CI_TPM_EK_CERT_FILE into TPM NVRAM at index $HIRS_CI_TPM_EK_CERT_NV_INDEX"
+  tpm2_nvdefine -T mssim -C o -a $HIRS_CI_TPM_EK_CERT_NV_ATTR -s $(cat $HIRS_CI_TPM_EK_CERT_FILE | wc -c) $HIRS_CI_TPM_EK_CERT_NV_INDEX
+  tpm2_nvwrite -T mssim -C o -i $HIRS_CI_TPM_EK_CERT_FILE $HIRS_CI_TPM_EK_CERT_NV_INDEX
   echo "Finished installing EK cert."
 }
 
diff --git a/.ci/system-tests/container/efi_setup.sh b/.ci/system-tests/container/efi_setup.sh
new file mode 100755
index 00000000..44027215
--- /dev/null
+++ b/.ci/system-tests/container/efi_setup.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+#########################################################################################
+#   Setup a local directory to act as the ESP for testing
+#   This just creates the directory structure.
+#   usage efi_setup.sh [-c] [-p] [-r]
+#   -c: clear all artifact directories
+#   -p: clear only the platform directory
+#   -r: clear only the rim directories
+#########################################################################################
+
+# Load env variables
+. /hirs/.ci/docker/.env
+
+# Process parameters Argument handling 
+POSITIONAL_ARGS=()
+ORIGINAL_ARGS=("$@")
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -c|--clear-all)
+      CLEAR_ALL=YES
+      shift # past argument
+      ;;
+    -p|--clear-platform)
+      CLEAR_PLATFORM=YES
+      shift # past argument
+      ;;
+    -r|--clear-rim)
+      CLEAR_RIM=YES
+      shift # past argument
+      ;;
+    *)
+     POSITIONAL_ARGS+=("$1") # save positional arg
+     # shift # past argument
+     break
+      ;;
+  esac
+  
+# Ensure file structure is there
+mkdir -p $HIRS_CI_EFI_PATH_PLATFORM
+mkdir -p $HIRS_CI_EFI_PATH_RIM
+mkdir -p $HIRS_CI_EFI_PATH_SWIDTAG
+
+# Clear out any previous artifacts
+
+if [ "$CLEAR_ALL" = YES ] || [ "$CLEAR_PLATFORM" = YES ] ; then
+  rm -f $HIRS_CI_EFI_PATH_PLATFORM/*
+fi
+if [ "$CLEAR_ALL" = YES ] || [ "$CLEAR_RIM" = YES ] ; then
+  rm -f $HIRS_CI_EFI_PATH_RIM/*
+  rm -f $HIRS_CI_EFI_PATH_SWIDTAG/*
+fi
+
diff --git a/.ci/system-tests/container/pc_setup.sh b/.ci/system-tests/container/pc_setup.sh
index 17f88b44..4cc0621c 100755
--- a/.ci/system-tests/container/pc_setup.sh
+++ b/.ci/system-tests/container/pc_setup.sh
@@ -1,23 +1,65 @@
 #!/bin/bash
 #########################################################################################
 #   Setup for platform certificates for testing
-#   Copies platform certs (Base and Delta) to the tcg directory
-#   usage pc_setup.sh <profile> <test>
+#   usage pc_setup.sh -p <profile> -t <test> [-u] [-n]
+#   By default, copies platform certs (Base and Delta) to the tcg directory.
+#   -u: upload the certs to the ACA directly.
+#   -n: disable copy of certs to the tcg directory.
 #########################################################################################
 
-profile=$1
-test=$2
-ciTestDir="/ci_test"
-tcgDir="$ciTestDir/boot/efi/EFI/tcg/cert/platform/"
+# Load env variables
+. ./.ci/docker/.env
+
+profile=laptop
+test=default
+ciTestDir=$HIRS_CI_TEST_ROOT
+ciTestHwJsonFile=$HIRS_CI_TEST_HW_JSON_FILE
+
+# By default save the artifacts in EFI and do not upload to the ACA
+UPLOAD_ARTIFACTS=NO
+PUT_ARTIFACTS_IN_ESP=YES
+
+# Process parameters Argument handling 
+POSITIONAL_ARGS=()
+ORIGINAL_ARGS=("$@")
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -p|--profile)
+      shift # past argument
+      profile=$1
+      shift # past parameter
+      ;;
+    -t|--test)
+      shift # past argument
+      test=$1
+      shift # past parameter
+      ;;
+    -u|--upload)
+      UPLOAD_ARTIFACTS=YES
+      shift # past argument
+      ;;
+    -n|--no-efi)
+      PUT_ARTIFACTS_IN_ESP=NO
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "pc_setup.sh: Unknown option $1"
+      shift # past argument
+      ;;
+    *)
+     POSITIONAL_ARGS+=("$1") # save positional arg
+     # shift # past argument
+     break
+      ;;
+  esac
 
 # Profile selections
-profileDir="/hirs/.ci/system-tests/profiles/$profile"
+profileDir="$HIRS_CI_REPO_ROOT/.ci/system-tests/profiles/$profile"
 testDir="$profileDir/$test"
 pcDir="$testDir/platformcerts"
 dmiZip="$profileDir/$profile"_dmi.zip
 hwJsonFileName="$profile"_"$test"_hw.json
 hwJsonFile="$testDir/$hwJsonFileName"
-ciTestHwJsonFile="$ciTestDir/hw.json"
 
 # Use default settings if profile does not have specific changes
 if [ ! -f "$hwJsonFile" ]; then
@@ -30,9 +72,8 @@ if [ ! -f "$dmiZip" ]; then
     dmiZip="$profileDir"/default/laptop_dmi.zip
 fi
 
-# Current TCG folder for platform certs
-mkdir -p $tcgDir;  # Create the platform cert folder if its not there
-rm -f $tcgDir*;    # Clear out any previous data
+# Ensure platform folder under efi is set up and cleared
+$HIRS_CI_REPO_ROOT/.ci/system-tests/container/efi_setup.sh -p
 
 echo "Test is using platform cert(s) from $profile : $test"
 # Step 1: Copy hw json file, if it exists.
@@ -48,16 +89,21 @@ dnf install -y unzip &> /dev/null
 echo "dmi file used was $dmiZip"
 unzip -o "$dmiZip" -d "$ciTestDir"
 
-# Step 3: Copy the platform cert to tcg folder 
+# Step 3: Copy the platform cert to tcg folder and or upload it to the ACA
 if [[ ! -d $pcDir ]]; then
     pcDir=$profileDir/default/platformcerts;
 fi
+
 pushd $pcDir > /dev/null
 # Skip copy of platform cert if .gitigore exists (empty profile)
-if [[ ! -f ".gitignore" ]]; then
+  if [[ ! -f ".gitignore" ]]; then
     for cert in * ; do
-          cp -f $cert $tcgDir$cert;
+      if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
+        cp $cert $HIRS_CI_EFI_PATH_PLATFORM
+      fi
+      if [ "$UPLOAD_ARTIFACTS" = YES ]; then
+        curl -k -F "file=@$cert" $SERVER_PCERT_POST
+      fi
     done
-fi
-
+  fi
 popd > /dev/null
diff --git a/.ci/system-tests/container/rim_setup.sh b/.ci/system-tests/container/rim_setup.sh
index cf284932..2bb8d659 100644
--- a/.ci/system-tests/container/rim_setup.sh
+++ b/.ci/system-tests/container/rim_setup.sh
@@ -1,33 +1,71 @@
 #!/bin/bash
 #########################################################################################
 #   Setup for PC Client Reference Integrity Manifest (RIM) tests
-#   usage rim_setup.sh <profile> <test> <option>
-#   use "clear" option to clear existing TPM PCR values
+#   usage rim_setup.sh -p <profile> -t <test> [-u] [-n]
 #########################################################################################
 
-profile=$1
-test=$2
-ciTestDir="/ci_test"
-tcgDir="$ciTestDir/boot/efi/EFI/tcg"
+# Load env variables
+. ./.ci/docker/.env
+
+profile=laptop
+test=default
+ciTestDir=$HIRS_CI_TEST_ROOT
+ciTestEventLog=$HIRS_CI_TEST_EVENT_LOG_FILE
+tcgDir=$HIRS_CI_EFI_PATH_TCG
+tcgSwidDir=$HIRS_CI_EFI_PATH_SWIDTAG
+tcgRimDir=$HIRS_CI_EFI_PATH_RIM
+
+# By default save the artifacts in EFI and do not upload to the ACA
+UPLOAD_ARTIFACTS=NO
+PUT_ARTIFACTS_IN_ESP=YES
+
+# Process parameters Argument handling 
+POSITIONAL_ARGS=()
+ORIGINAL_ARGS=("$@")
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -p|--profile)
+      shift # past argument
+      profile=$1
+      shift # past parameter
+      ;;
+    -t|--test)
+      shift # past argument
+      test=$1
+      shift # past parameter
+      ;;
+    -u|--upload)
+      UPLOAD_ARTIFACTS=YES
+      shift # past argument
+      ;;
+    -n|--no-efi)
+      PUT_ARTIFACTS_IN_ESP=NO
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "rim_setup.sh: Unknown option $1"
+      shift # past argument
+      ;;
+    *)
+     POSITIONAL_ARGS+=("$1") # save positional arg
+     # shift # past argument
+     break
+      ;;
+  esac
 
 # Profile selections
-profileDir="/hirs/.ci/system-tests/profiles/$profile"
+profileDir="$HIRS_CI_REPO_ROOT/.ci/system-tests/profiles/$profile"
 defaultDir="$profileDir/default"
-testDir="/hirs/.ci/system-tests/profiles/$profile/$test"
+testDir="$profileDir/$test"
 eventLog="$testDir"/"$profile"_"$test"_binary_bios_measurements
 swidDir="$testDir/swidtags"
 rimDir="$testDir/rims"
 pcrScript="$testDir/"$profile"_"$test"_setpcrs.sh"
-ciTestEventLog="$ciTestDir/binary_bios_measurements"
 
 echo "Test is using RIM files from $profile : $test"
 
-# Make sure TCG defined RIM folders exist and are cleared out
-mkdir -p $tcgDir/manifest/rim/;  # Create the platform cert folder if its not there
-rm -f $tcgDir/manifest/rim/*;    # clear out any previous data
-
-mkdir -p $tcgDir/manifest/swidtag/;  # Create the platform cert folder if its not there
-rm -f $tcgDir/manifest/swidtag/*;   # clear out any previous data
+# Ensure rim folders under efi are set up and cleared
+$HIRS_CI_REPO_ROOT/.ci/system-tests/container/efi_setup.sh -r
 
 # Step 1: Copy binary_bios_measurement file
 if [ ! -e "$eventLog" ]; then
@@ -37,40 +75,42 @@ echo "eventLog used was  $eventLog"
 cp "$eventLog" "$ciTestEventLog"
 
 # Step 2: Copy Base RIM files to the TCG folder
-#      a: See if test specific swidtag folder exists, if not use the defualt folder
+#      a: See if test specific swidtag folder exists, if not use the default folder
 if [[ ! -d $swidDir ]]; then
     swidDir=$defaultDir/swidtags;
 fi
 pushd $swidDir > /dev/null
   if [[ ! -f ".gitignore" ]]; then
     for swidtag in * ; do
-          cp -f $swidtag $tcgDir/manifest/swidtag/$swidtag;
+      if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
+        cp $swidtag $tcgSwidDir
+      fi
+      if [ "$UPLOAD_ARTIFACTS" = YES ]; then
+        curl -k -F "file=@$swidtag" $SERVER_RIM_POST
+      fi
     done
   fi
 popd > /dev/null
-# Step 3: Copy Support RIM files to the TCG folder in the same mannor
+# Step 3: Copy Support RIM files to the TCG folder in the same manner
 if [[ ! -d $rimDir ]]; then 
     rimDir=$defaultDir/rims;
 fi
 pushd $rimDir > /dev/null
-
   if [[ ! -f ".gitignore" ]]; then
     for rim in * ; do
-          cp -f $rim $tcgDir/manifest/rim/$rim;
+      if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
+        cp $rim $tcgRimDir
+      fi
+      if [ "$UPLOAD_ARTIFACTS" = YES ]; then
+        curl -k -F "file=@$rim" $SERVER_RIM_POST
+      fi
     done
   fi
 popd > /dev/null
 
 #Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file
-#     a: Clear the TPM PCR registers vi a call to the tss clear 
-#     b: Check if a test specific setpcr.sh file exists. If not use the profiles default script
-
-
 if [[ ! -f $pcrScript ]]; then
     pcrScript="$profileDir/default/"$profile"_default_setpcrs.sh"
 fi
 sh $pcrScript;
-#echo "PCR script was $pcrScript"
-#tpm2_pcrlist -g sha256 
 
-# Done with rim_setup
diff --git a/.ci/system-tests/sys_test_common.sh b/.ci/system-tests/sys_test_common.sh
index 58b8b39c..d88dc630 100644
--- a/.ci/system-tests/sys_test_common.sh
+++ b/.ci/system-tests/sys_test_common.sh
@@ -26,34 +26,34 @@ fi
 
 # clear all policy settings
 setPolicyNone() {
-docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=0, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
+docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=0, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
            utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
 }
 
 # Policy Settings for tests ...
 setPolicyEkOnly() {
-docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
+docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
            utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
 }
 
 setPolicyEkPc_noAttCheck() {
-docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=1,
+docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=1,
            utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
 }
 
 setPolicyEkPc() {
-docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
+docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
            utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
 }
 
 setPolicyEkPcFw() {
-docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
+docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
            utcValidationEnabled=0, firmwareValidationEnabled=1, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=1, ignoretBootEnabled=0;"
 }
 
 # Clear all ACA DB items excluding policy
 clearAcaDb() {
-docker exec hirs-aca1 mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Appraiser;
+docker exec -i $aca_container mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Appraiser;
  truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate ComponentAttributeResult;
  truncate ComponentInfo;truncate ComponentResult;truncate Device;truncate DeviceInfoReport;truncate PortalInfo;
  truncate ReferenceDigestValue;truncate ReferenceManifest;truncate Report;truncate SupplyChainValidation;
@@ -68,15 +68,18 @@ uploadTrustedCerts() {
 #                                     && ./createekcert -rsa 2048 -cakey cakey.pem -capwd rrrr -v 1> /dev/null \
 #                                     && popd > /dev/null"
   # Upload CA Cert from IBMTSS Tools
-  docker exec $tpm2_container sh -c "pushd /ibmtss/utils/certificates > /dev/null \
-                                     && curl -k -s -F 'file=@cacert.pem' https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload \
-                                     && popd > /dev/null"
+  echo "Uploading Trust Certificates to ${HIRS_ACA_HOSTNAME}:${HIRS_ACA_PORTAL_PORT}"
+  echo "Uploading the EK Certificate CA(s)..."
+  docker exec -i $tpm2_container /bin/bash -c "curl -k -F 'file=@/ibmtss/utils/certificates/cacert.pem' $SERVER_CACERT_POST"
+  echo "...done"
   # Upload Trusted Certs from HIRS
-  pushd .ci/setup/certs > /dev/null
-    curl -k -s -F "file=@ca.crt" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
-    curl -k -s -F "file=@RIMCaCert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
-    curl -k -s -F "file=@RimSignCert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
-  popd > /dev/null
+  echo "Uploading the Platform Certificate CA(s)..."
+  docker exec -i $aca_container /bin/bash -c "curl -k -F 'file=@$HIRS_CI_REPO_ROOT/.ci/setup/certs/ca.crt' https://localhost:${HIRS_ACA_PORTAL_PORT}/$HIRS_ACA_POST_POINT_TRUST"
+  echo "...done"
+  echo "Uploading the RIM CA(s)..."
+  docker exec -i $aca_container /bin/bash -c "curl -k -F 'file=@$HIRS_CI_REPO_ROOT/.ci/setup/certs/RIMCaCert.pem' https://localhost:${HIRS_ACA_PORTAL_PORT}/$HIRS_ACA_POST_POINT_TRUST"
+  docker exec -i $aca_container /bin/bash -c "curl -k -F 'file=@$HIRS_CI_REPO_ROOT/.ci/setup/certs/RimSignCert.pem' https://localhost:${HIRS_ACA_PORTAL_PORT}/$HIRS_ACA_POST_POINT_TRUST"
+  echo "...done"
 }
 
 # provision_tpm2 takes one parameter which is the expected result of the provion: "pass" or "fail"
@@ -85,7 +88,7 @@ uploadTrustedCerts() {
 provisionTpm2() {
    expected_result=$1
    ((totalTests++))
-   provisionOutput=$(docker exec $tpm2_container sh -c "/usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim");
+   provisionOutput=$(docker exec -i $tpm2_container /bin/bash -c "/usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim");
     echo "==========="
     echo "$provisionOutput";
     echo "===========";
@@ -107,26 +110,21 @@ provisionTpm2() {
 }
 
 resetTpmForNewTest() {
-  docker exec -i $tpm2_container /bin/bash -c "source /hirs/.ci/setup/container/tpm2_common.sh; startFreshTpmServer -f; startupTpm; installEkCert"
+  docker exec -i $tpm2_container /bin/bash -c "source $HIRS_CI_REPO_ROOT/.ci/setup/container/tpm2_common.sh; startFreshTpmServer -f; startupTpm; installEkCert"
 }
 
 # Places platform cert(s) held in the test folder(s) in the provisioners tcg folder
-# setPlatCert <profile> <test>
 setPlatformCerts() {
-  docker exec $tpm2_container sh /hirs/.ci/system-tests/container/pc_setup.sh $1 $2
-  #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
+  docker exec -i $tpm2_container /bin/bash -c "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/pc_setup.sh $@"
 }
 
 # Places RIM files held in the test folder in the provisioners tcg folder
-# setRims <profile> <test>
 setRims() {
-docker exec $tpm2_container sh /hirs/.ci/system-tests/container/rim_setup.sh $1 $2 $3
-#docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
+  docker exec -i $tpm2_container /bin/bash -c "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/rim_setup.sh $@"
 }
 
 setAppsettings() {
-  OPTIONS=$@
-  docker exec -i $tpm2_container /bin/bash -c "source /hirs/.ci/setup/container/tpm2_common.sh; setCiHirsAppsettingsFile $OPTIONS"
+  docker exec -i $tpm2_container /bin/bash -c "source $HIRS_CI_REPO_ROOT/.ci/setup/container/tpm2_common.sh; setCiHirsAppsettingsFile $@"
 }
 
 # Writes to the Action ouput, ACA log, and Provisioner Log
@@ -135,6 +133,5 @@ setAppsettings() {
 writeToLogs() {
   line=$1
   echo $line;
-  docker exec $aca_container sh -c "cd .. && echo '$line' >> /var/log/hirs/HIRS_AttestationCA_Portal.log"
- # docker exec $tpm2_container sh -c "echo '$line' >> /var/log/hirs/provisioner/HIRS_provisionerTPM2.log"
+  docker exec -i $aca_container /bin/bash -c "cd .. && echo '$line' >> /var/log/hirs/HIRS_AttestationCA_Portal.log"
 }
diff --git a/.ci/system-tests/tests/aca_policy_tests.sh b/.ci/system-tests/tests/aca_policy_tests.sh
index 88599ef3..def45ea8 100755
--- a/.ci/system-tests/tests/aca_policy_tests.sh
+++ b/.ci/system-tests/tests/aca_policy_tests.sh
@@ -54,7 +54,7 @@ if [ "$test" = "6" ] || [ "$test" = "all" ]; then
     resetTpmForNewTest
     setPolicyEkPc_noAttCheck
     uploadTrustedCerts
-    setPlatformCerts "laptop" "default"
+    setPlatformCerts -p "laptop" -t "default"
     provisionTpm2 "pass"
 fi
 if [ "$test" = "7" ] || [ "$test" = "all" ]; then
@@ -64,7 +64,7 @@ if [ "$test" = "7" ] || [ "$test" = "all" ]; then
     resetTpmForNewTest
     setPolicyEkPc
     uploadTrustedCerts
-    setPlatformCerts "laptop" "default"
+    setPlatformCerts -p "laptop" -t "default"
     setAppsettings --paccor-output-file /ci_test/hw.json --event-log-file /ci_test/binary_bios_measurements --linux-dmi
     provisionTpm2 "pass"
 fi
@@ -74,8 +74,8 @@ if [ "$test" = "8" ] || [ "$test" = "all" ]; then
     resetTpmForNewTest
     setPolicyEkPcFw
     uploadTrustedCerts
-    setPlatformCerts "laptop" "default"
-    setRims "laptop" "default"
+    setPlatformCerts -p "laptop" -t "default"
+    setRims -p "laptop" -t "default"
     provisionTpm2 "pass"
 fi
 
diff --git a/.ci/system-tests/tests/platform_cert_tests.sh b/.ci/system-tests/tests/platform_cert_tests.sh
index 6d4db639..5a6371cf 100755
--- a/.ci/system-tests/tests/platform_cert_tests.sh
+++ b/.ci/system-tests/tests/platform_cert_tests.sh
@@ -26,7 +26,7 @@ if [ "$test" = "1" ] || [ "$test" = "all" ]; then
     resetTpmForNewTest
     uploadTrustedCerts
     setPolicyEkPc
-    setPlatformCerts "laptop" "deltaPlatMem"
+    setPlatformCerts -p "laptop" -t "deltaPlatMem"
     provisionTpm2 "pass"
 fi
 if [ "$test" = "2" ] || [ "$test" = "all" ]; then
@@ -34,7 +34,7 @@ if [ "$test" = "2" ] || [ "$test" = "all" ]; then
     clearAcaDb
     resetTpmForNewTest
     uploadTrustedCerts
-    setPlatformCerts "laptop" "platCertLight"
+    setPlatformCerts -p "laptop" -t "platCertLight"
     provisionTpm2 "pass"
 fi
 if [ "$test" = "3" ] || [ "$test" = "all" ]; then
@@ -42,7 +42,7 @@ if [ "$test" = "3" ] || [ "$test" = "all" ]; then
     clearAcaDb
     resetTpmForNewTest
     uploadTrustedCerts
-    setPlatformCerts "laptop" "badDeltaMem"
+    setPlatformCerts -p "laptop" -t "badDeltaMem"
     provisionTpm2 "fail"
 fi
 
diff --git a/.ci/system-tests/tests/rim_system_tests.sh b/.ci/system-tests/tests/rim_system_tests.sh
index 69ca2c66..1f74e0db 100755
--- a/.ci/system-tests/tests/rim_system_tests.sh
+++ b/.ci/system-tests/tests/rim_system_tests.sh
@@ -24,8 +24,8 @@ if [ "$test" = "1" ] || [ "$test" = "all" ]; then
     resetTpmForNewTest
     uploadTrustedCerts
     setPolicyEkPcFw
-    setPlatformCerts "laptop" "varOsInstall"
-    setRims "laptop" "varOsInstall" "clear"
+    setPlatformCerts -p "laptop" -t "varOsInstall"
+    setRims -p "laptop" -t "varOsInstall"
     provisionTpm2 "pass"
 fi
 if [ "$test" = "2" ] || [ "$test" = "all" ]; then
@@ -34,8 +34,8 @@ if [ "$test" = "2" ] || [ "$test" = "all" ]; then
     resetTpmForNewTest
     uploadTrustedCerts
     setPolicyEkPcFw
-    setPlatformCerts "laptop" "badOemInstall"
-    setRims "laptop" "badOemInstall" "clear"
+    setPlatformCerts -p "laptop" -t "badOemInstall"
+    setRims -p "laptop" -t "badOemInstall"
     provisionTpm2 "fail"
 fi
 if [ "$test" = "3" ] || [ "$test" = "all" ]; then
@@ -44,8 +44,8 @@ if [ "$test" = "3" ] || [ "$test" = "all" ]; then
     resetTpmForNewTest
     uploadTrustedCerts
     setPolicyEkPcFw
-    setPlatformCerts "laptop" "badVarInstall"
-    setRims "laptop" "badVarInstall" "clear"
+    setPlatformCerts -p "laptop" -t "badVarInstall"
+    setRims -p "laptop" -t "badVarInstall"
     provisionTpm2 "fail"
 fi