This commit updates the provisioner to pull the rim and swidtag locations from a properties file that will be created during the post install process. The provisioner then pulls the values and sends them to the ACA. The ACA currently just prints out the content and saves the swidtag.

HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java

@@ -8,9 +8,9 @@ import hirs.attestationca.exceptions.IdentityProcessingException;
 import hirs.attestationca.exceptions.UnexpectedServerException;
 import hirs.attestationca.service.SupplyChainValidationService;
 import hirs.data.persist.AppraisalStatus;
+import hirs.data.persist.BaseReferenceManifest;
 import hirs.data.persist.Device;
 import hirs.data.persist.DeviceInfoReport;
-import hirs.data.persist.certificate.CertificateAuthorityCredential;
 import hirs.data.persist.info.FirmwareInfo;
 import hirs.data.persist.info.HardwareInfo;
 import hirs.data.persist.info.NetworkInfo;
@@ -37,6 +37,7 @@ import hirs.structs.elements.tpm.IdentityProof;
 import hirs.structs.elements.tpm.IdentityRequest;
 import hirs.structs.elements.tpm.SymmetricKey;
 import hirs.structs.elements.tpm.SymmetricKeyParams;
+import hirs.tpm.eventlog.TCGEventLog;
 import hirs.utils.HexUtils;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.lang3.ArrayUtils;
@@ -720,14 +721,31 @@ public abstract class AbstractAttestationCertificateAuthority
                 hwProto.getProductVersion(), hwProto.getSystemSerialNumber(),
                 firstChassisSerialNumber, firstBaseboardSerialNumber);
 
-        if (dv.getPcrslist() != null && !dv.getPcrslist().isEmpty()) {
+        if (dv.hasPcrslist()) {
             this.pcrValues = dv.getPcrslist().toStringUtf8();
         }
 
-        if (dv.getLogfile() != null && !dv.getLogfile().isEmpty()) {
-            LOG.error(dv.getLogfile());
-        } else {
-            LOG.error("Didn't find the log file");
+        if (dv.hasLogfile()) {
+            try {
+                TCGEventLog tcgEventLog = new TCGEventLog(dv.getLogfile().toByteArray());
+                LOG.error(tcgEventLog.toString(true, true, true));
+            } catch (CertificateException cEx) {
+                LOG.error(cEx);
+            } catch (NoSuchAlgorithmException noSaEx) {
+                LOG.error(noSaEx);
+            } catch (IOException ioEx) {
+                LOG.error(ioEx);
+            }
+        }
+
+        if (dv.hasSwidfile()) {
+            try {
+                this.referenceManifestManager.save(
+                        new BaseReferenceManifest("blank.swidtag",
+                                dv.getSwidfile().toByteArray()));
+            } catch (IOException ioEx) {
+                LOG.error(ioEx);
+            }
         }
 
         // Get TPM info, currently unimplemented

HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java

@@ -59,7 +59,7 @@ public class ReferenceManifestPageController
         extends PageController<NoPageParams> {
 
     private static final String BIOS_RELEASE_DATE_FORMAT = "yyyy-MM-dd";
-    private static final String LOG_FILE_PATTERN = "([^\\s]+(\\.(?i)(rim|rimel|bin|log))$)";
+    private static final String LOG_FILE_PATTERN = "([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)";
 
     private final BiosDateValidator biosValidator;
     private final ReferenceManifestManager referenceManifestManager;

HIRS_ProvisionerTPM2/CMakeLists.txt

@@ -287,6 +287,7 @@ if (${DISTRIBUTION} STREQUAL "Ubuntu")
     endif()
     set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE amd64)
     set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/postinst)
+    set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh)
     set(CPACK_PACKAGE_FILE_NAME "${CPACK_DEBIAN_PACKAGE_NAME}_${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}_${CPACK_DEBIAN_PACKAGE_ARCHITECTURE}")
 elseif (${DISTRIBUTION} STREQUAL "CentOS Linux")
     # Set variables specific to CPack RPM package generator
@@ -297,6 +298,7 @@ elseif (${DISTRIBUTION} STREQUAL "CentOS Linux")
     set(CPACK_RPM_PACKAGE_GROUP "System Environment/Base")
     set(CPACK_RPM_PACKAGE_REQUIRES "log4cplus >= 1.1.2, tpm2-tss >= 1.0, tpm2-tools >= 1.1.0, protobuf >= 2.4.1, re2 >= 20160401, libcurl >= 7.0.0, paccor, procps-ng >= 3.3.0")
     set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/rpm-post-install.sh)
+    set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh)
     set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/local /usr/local/bin /usr/local/include /usr/local/lib)
     set(CPACK_PACKAGE_FILE_NAME "${CPACK_RPM_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}.${CPACK_RPM_PACKAGE_RELEASE_DIST}.${CMAKE_SYSTEM_PROCESSOR}")
 endif()

HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h

@@ -39,7 +39,5 @@ class DeviceInfoCollector {
      * DeviceInfo object.
      */
     static hirs::pb::DeviceInfo collectDeviceInfo();
-
-    static std::string collectTcgLog();
 };
 #endif  // HIRS_PROVISIONERTPM2_INCLUDE_DEVICEINFOCOLLECTOR_H_

HIRS_ProvisionerTPM2/package/postinst

@@ -32,3 +32,7 @@ DEFAULT_SITE_CONFIG_FILE
     echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner-tpm2 provision' to provision this system"
 fi
 ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner
+
+if ! [ -f "set_tcg_properties.sh" ]; then
+  sh ./set_tcg_properties.sh
+fi

HIRS_ProvisionerTPM2/package/rpm-post-install.sh

@@ -39,3 +39,7 @@ DEFAULT_SITE_CONFIG_FILE
     echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner-tpm2 provision' to provision this system"
 fi
 ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner
+
+if ! [ -f "set_tcg_properties.sh" ]; then
+  sh ./set_tcg_properties.sh
+fi

HIRS_ProvisionerTPM2/package/set_tcg_properties.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties"
+MAINFEST_DIRECTORY="/boot/tcg/manifest"
+LOG_FILE_LOCATION="$MAINFEST_DIRECTORY/rim/"
+TAG_FILE_LOCATION="$MAINFEST_DIRECTORY/swidtag/"
+
+if [ ! -f "$TCG_BOOT_FILE" ]; then
+  touch "$TCG_BOOT_FILE"
+fi
+
+if [ -d "$LOG_FILE_LOCATION" ]; then
+  RIM_FILE=$(find "$LOG_FILE_LOCATION" -name '*.rimel' -or -name '*.bin' -or -name '*.rimpcr' -or -name '*.log')
+  echo "tcg.rim.file=$RIM_FILE" >> "$TCG_BOOT_FILE"
+fi
+
+if [ -d "$TAG_FILE_LOCATION" ]; then
+  SWID_FILE=$(find "$TAG_FILE_LOCATION" -name '*.swidtag')
+  echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE"
+fi
+
+chmod -w "$TCG_BOOT_FILE"

HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto

@@ -59,6 +59,7 @@ message DeviceInfo {
   required OsInfo os = 4;
   optional bytes pcrslist = 5;
   optional bytes logfile = 6;
+  optional bytes swidfile = 7;
 }
 
 message IdentityClaim {

HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp

@@ -13,6 +13,8 @@
 #include <string>
 #include <vector>
 #include <Process.h>
+#include <Properties.h>
+#include <regex>
 
 #include "log4cplus/configurator.h"
 
@@ -31,6 +33,7 @@ using hirs::tpm2::AsymmetricKeyType;
 using hirs::tpm2::CommandTpm2;
 using hirs::tpm2_tools_utils::Tpm2ToolsVersion;
 using hirs::utils::Process;
+using hirs::properties::Properties;
 using std::cout;
 using std::cerr;
 using std::endl;
@@ -65,7 +68,16 @@ int provision() {
     cout << "----> Collecting device information" << endl;
     hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo();
     dv.set_pcrslist(tpm2.getPcrList());
-    dv.set_logfile(DeviceInfoCollector::collectTcgLog());
+    // collect TCG Boot files
+    Properties props("/etc/hirs/tcg_boot.properties");
+    const std::string& rim_file = props.get("tcg.rim.file", "");
+    const std::string& swid_file = props.get("tcg.swidtag.file", "");
+    try {
+        dv.set_logfile(hirs::file_utils::fileToString(rim_file));
+        dv.set_swidfile(hirs::file_utils::fileToString(swid_file));
+    } catch (HirsRuntimeException& hirsRuntimeException) {
+        logger.error(hirsRuntimeException.what());
+    }
 
     // send identity claim
     cout << "----> Sending identity claim to Attestation CA" << endl;

HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java

@@ -293,10 +293,28 @@ public final class TCGEventLog {
         StringBuilder sb = new StringBuilder();
         for (TpmPcrEvent event : eventList) {
             sb.append(event.toString(bEvent, bHexEvent, bContent));
-       }
+        }
         sb.append("Event Log processing completed.\n");
        return sb.toString();
     }
+
+    /**
+     * Human readable string representing the contents of the Event Log.
+     * @param bEvent flag to set
+     * @param bHexEvent flag to set
+     * @param bContent flag to set
+     * @return Description of the log.
+     */
+    public String toString(final boolean bEvent,
+                           final boolean bHexEvent,
+                           final boolean bContent) {
+        this.bEvent = bEvent;
+        this.bHexEvent = bHexEvent;
+        this.bContent = bContent;
+
+        return this.toString();
+    }
+
     /**
      * Returns the TCG Algorithm Registry defined string for the Digest Algorithm
      * used in the event log.

HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java

@@ -109,7 +109,7 @@ UefiSignatureList(final ByteArrayInputStream lists)
 
 /**
  * Method for processing a set of EFI SignatureList(s).
- * @param sigData  Byte array holding one or more SignatureLists
+ * @param efiSigData  Byte array holding one or more SignatureLists
  * @throws CertificateException If there's a problem parsing the X509 certificate.
  * @throws NoSuchAlgorithmException if there's a problem hashing the certificate.
  * @throws IOException If there's a problem parsing the signature data.
@@ -131,7 +131,7 @@ private void processSignatureList(final byte[] efiSigData)
 
 /**
  * Method for processing a set of EFI SignatureList(s).
- * @param sigData  Byte array holding one or more SignatureLists.
+ * @param sigDataIS  Byte array holding one or more SignatureLists.
  * @throws CertificateException If there's a problem parsing the X509 certificate.
  * @throws NoSuchAlgorithmException if there's a problem hashing the certificate.
  * @throws IOException If there's a problem parsing the signature data.
@@ -173,12 +173,14 @@ public int getNumberOfCerts() {
  */
 public boolean isValidSigListGUID(final UefiGuid guid) {
   switch (guid.getVendorTableReference()) {
-    case "EFI_CERT_SHA256_GUID": return true;
-    case "EFI_CERT_X509_SHA256": return true;
-    case "EFI_CERT_X509_SHA384": return true;
-    case "EFI_CERT_X509_SHA512": return true;
-    case "EFI_CERT_X509_GUID":   return true;
-    default: return false;
+    case "EFI_CERT_SHA256_GUID":
+    case "EFI_CERT_X509_SHA256":
+    case "EFI_CERT_X509_SHA384":
+    case "EFI_CERT_X509_SHA512":
+    case "EFI_CERT_X509_GUID":
+        return true;
+    default:
+        return false;
   }
 }
 
@@ -193,7 +195,7 @@ public String toString() {
   sigInfo.append("Number if items = " + numberOfItems + "\n");
   sigList.iterator();
   for (int i = 0; i < sigList.size(); i++) {
-    UefiSignatureData certData = (UefiSignatureData) sigList.get(i);
+    UefiSignatureData certData = sigList.get(i);
     sigInfo.append(certData.toString());
   }
   if (!valid) {

HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java

@@ -40,12 +40,12 @@ public class UefiVariable {
  * EFIVariable constructor.
  * The UEFI_VARIABLE_DATA contains a "VariableName" field which is used to determine
  * the class used to parse the data within the "VariableData".
- * @param varibaleData byte array holding the UEFI Variable.
+ * @param variableData byte array holding the UEFI Variable.
  * @throws CertificateException If there a problem parsing the X509 certificate.
  * @throws NoSuchAlgorithmException if there's a problem hashing the certificate.
  * @throws IOException If there's a problem parsing the signature data.
  */
-public UefiVariable(final byte[] varibaleData)
+public UefiVariable(final byte[] variableData)
         throws CertificateException, NoSuchAlgorithmException, IOException {
   byte[] guid = new byte[UefiConstants.SIZE_16];
   byte[] nameLength = new byte[UefiConstants.SIZE_8];
@@ -54,21 +54,21 @@ public UefiVariable(final byte[] varibaleData)
   byte[] name = null;
   int variableLength = 0;
 
-  System.arraycopy(varibaleData, 0, guid, 0, UefiConstants.SIZE_16);
+  System.arraycopy(variableData, 0, guid, 0, UefiConstants.SIZE_16);
   uefiGuid = new UefiGuid(guid);
-  System.arraycopy(varibaleData, UefiConstants.SIZE_16, nameLength, 0, UefiConstants.SIZE_8);
+  System.arraycopy(variableData, UefiConstants.SIZE_16, nameLength, 0, UefiConstants.SIZE_8);
   int nlength = HexUtils.leReverseInt(nameLength);
-  System.arraycopy(varibaleData, UefiConstants.OFFSET_24, dataLength, 0, UefiConstants.SIZE_8);
+  System.arraycopy(variableData, UefiConstants.OFFSET_24, dataLength, 0, UefiConstants.SIZE_8);
   nameTemp = new byte[nlength * UefiConstants.SIZE_2];
 
-  System.arraycopy(varibaleData, UefiConstants.OFFSET_32,
+  System.arraycopy(variableData, UefiConstants.OFFSET_32,
                    nameTemp, 0, nlength * UefiConstants.SIZE_2);
   byte[] name1 = UefiDevicePath.convertChar16tobyteArray(nameTemp);
   name = new byte[nlength];
   System.arraycopy(name1, 0, name, 0, nlength);
   variableLength = HexUtils.leReverseInt(dataLength);
   uefiVaribelData = new byte[variableLength];
-  System.arraycopy(varibaleData, UefiConstants.OFFSET_32
+  System.arraycopy(variableData, UefiConstants.OFFSET_32
                    + nlength * UefiConstants.SIZE_2, uefiVaribelData, 0, variableLength);
   varName = new String(name, "UTF-8");
   String tmpName = varName;