From 4b0bb2df91862ae9d7e9b0c733ffa6e54fcd215c Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 9 Oct 2020 10:48:17 -0400 Subject: [PATCH] This commit updates the provisioner to pull the rim and swidtag locations from a properties file that will be created during the post install process. The provisioner then pulls the values and sends them to the ACA. The ACA currently just prints out the content and saves the swidtag. --- ...stractAttestationCertificateAuthority.java | 30 +++++++++++++++---- .../ReferenceManifestPageController.java | 2 +- HIRS_ProvisionerTPM2/CMakeLists.txt | 2 ++ .../include/DeviceInfoCollector.h | 2 -- HIRS_ProvisionerTPM2/package/postinst | 4 +++ .../package/rpm-post-install.sh | 4 +++ .../package/set_tcg_properties.sh | 22 ++++++++++++++ .../src/ProvisionerTpm2.proto | 1 + HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 14 ++++++++- .../java/hirs/tpm/eventlog/TCGEventLog.java | 20 ++++++++++++- .../tpm/eventlog/uefi/UefiSignatureList.java | 20 +++++++------ .../hirs/tpm/eventlog/uefi/UefiVariable.java | 14 ++++----- 12 files changed, 108 insertions(+), 27 deletions(-) create mode 100644 HIRS_ProvisionerTPM2/package/set_tcg_properties.sh diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index b1f14f41..8993640b 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java 
@@ -8,9 +8,9 @@ import hirs.attestationca.exceptions.IdentityProcessingException;
 import hirs.attestationca.exceptions.UnexpectedServerException;
 import hirs.attestationca.service.SupplyChainValidationService;
 import hirs.data.persist.AppraisalStatus;
+import hirs.data.persist.BaseReferenceManifest;
 import hirs.data.persist.Device;
 import hirs.data.persist.DeviceInfoReport;
-import hirs.data.persist.certificate.CertificateAuthorityCredential;
 import hirs.data.persist.info.FirmwareInfo;
 import hirs.data.persist.info.HardwareInfo;
 import hirs.data.persist.info.NetworkInfo;
@@ -37,6 +37,7 @@ import hirs.structs.elements.tpm.IdentityProof;
 import hirs.structs.elements.tpm.IdentityRequest;
 import hirs.structs.elements.tpm.SymmetricKey;
 import hirs.structs.elements.tpm.SymmetricKeyParams;
+import hirs.tpm.eventlog.TCGEventLog;
 import hirs.utils.HexUtils;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.lang3.ArrayUtils;
@@ -720,14 +721,31 @@ public abstract class AbstractAttestationCertificateAuthority hwProto.getProductVersion(), hwProto.getSystemSerialNumber(), firstChassisSerialNumber, firstBaseboardSerialNumber); - if (dv.getPcrslist() != null && !dv.getPcrslist().isEmpty()) { + if (dv.hasPcrslist()) { this.pcrValues = dv.getPcrslist().toStringUtf8(); } - if (dv.getLogfile() != null && !dv.getLogfile().isEmpty()) { - LOG.error(dv.getLogfile()); - } else { - LOG.error("Didn't find the log file"); + if (dv.hasLogfile()) { + try { + TCGEventLog tcgEventLog = new TCGEventLog(dv.getLogfile().toByteArray()); + LOG.error(tcgEventLog.toString(true, true, true)); + } catch (CertificateException cEx) { + LOG.error(cEx); + } catch (NoSuchAlgorithmException noSaEx) { + LOG.error(noSaEx); + } catch (IOException ioEx) { + LOG.error(ioEx); + } + } + + if (dv.hasSwidfile()) { + try { + this.referenceManifestManager.save( + new BaseReferenceManifest("blank.swidtag", + dv.getSwidfile().toByteArray())); + } catch (IOException ioEx) { + LOG.error(ioEx); + } } // Get TPM info, currently unimplemented diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java index 2b4fc8f9..6bfd3632 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java 
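Review bot: The swidtag is persisted as a `BaseReferenceManifest` straight from `dv.getSwidfile().toByteArray()` under the fixed name `"blank.swidtag"`, with no check of its contents or signature; the provisioner is the party being attested, so a reference manifest it supplies should be validated (or at least marked as client-supplied) before it is saved, and the fixed name makes every device's manifest collide on the same label. `LOG.error(tcgEventLog.toString(true, true, true))` is a diagnostic dump logged at ERROR on every identity claim; `LOG.debug(...)` matches the commit's stated intent of just printing the content. The three identical catch blocks can be one multi-catch, `} catch (CertificateException | NoSuchAlgorithmException | IOException ex) { LOG.error(ex); }`, and since the log bytes are client-supplied, any unchecked exception raised while `TCGEventLog` parses them would propagate out of this method, presumably aborting the claim, which is worth handling alongside. The enclosing method starts and ends outside the hunk.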
@@ -59,7 +59,7 @@ public class ReferenceManifestPageController extends PageController { private static final String BIOS_RELEASE_DATE_FORMAT = "yyyy-MM-dd"; - private static final String LOG_FILE_PATTERN = "([^\\s]+(\\.(?i)(rim|rimel|bin|log))$)"; + private static final String LOG_FILE_PATTERN = "([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"; private final BiosDateValidator biosValidator; private final ReferenceManifestManager referenceManifestManager; diff --git a/HIRS_ProvisionerTPM2/CMakeLists.txt b/HIRS_ProvisionerTPM2/CMakeLists.txt index 5b6722d2..c4c8ca50 100644 --- a/HIRS_ProvisionerTPM2/CMakeLists.txt +++ b/HIRS_ProvisionerTPM2/CMakeLists.txt @@ -287,6 +287,7 @@ if (${DISTRIBUTION} STREQUAL "Ubuntu") endif() set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE amd64) set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/postinst) + set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh) set(CPACK_PACKAGE_FILE_NAME "${CPACK_DEBIAN_PACKAGE_NAME}_${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}_${CPACK_DEBIAN_PACKAGE_ARCHITECTURE}") elseif (${DISTRIBUTION} STREQUAL "CentOS Linux") # Set variables specific to CPack RPM package generator @@ -297,6 +298,7 @@ elseif (${DISTRIBUTION} STREQUAL "CentOS Linux") set(CPACK_RPM_PACKAGE_GROUP "System Environment/Base") set(CPACK_RPM_PACKAGE_REQUIRES "log4cplus >= 1.1.2, tpm2-tss >= 1.0, tpm2-tools >= 1.1.0, protobuf >= 2.4.1, re2 >= 20160401, libcurl >= 7.0.0, paccor, procps-ng >= 3.3.0") set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/rpm-post-install.sh) + set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh) set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/local /usr/local/bin /usr/local/include /usr/local/lib) set(CPACK_PACKAGE_FILE_NAME "${CPACK_RPM_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}.${CPACK_RPM_PACKAGE_RELEASE_DIST}.${CMAKE_SYSTEM_PROCESSOR}") endif() 
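Review bot: `LOG_FILE_PATTERN` no longer matches a `.rim` upload, because `rim` is replaced by `rimpcr` rather than added, so any caller still uploading `.rim` files is silently rejected by this filter. If retiring the old extension is intended, say so on the constant, e.g. `// accepted RIM upload extensions; .rim was replaced by .rimpcr`, since the commit message does not mention it.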
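Review bot: The added `set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh)` overwrites the value assigned on the line above, so `postinst` drops out of the Debian package; CMake's `set` replaces the variable, and both paths belong in one list: `set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/postinst ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh)`. The RPM hunk below has the same defect, and there `CPACK_RPM_POST_INSTALL_SCRIPT_FILE` names a single script, so the second `set` makes `set_tcg_properties.sh` the post-install script and `rpm-post-install.sh` never runs; the new script should be installed as a regular file and invoked from `rpm-post-install.sh`, or its body folded into that script.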
diff --git a/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h b/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h
index 8680b690..ad368448 100644
--- a/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h
+++ b/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h
@@ -39,7 +39,5 @@ class DeviceInfoCollector {
 * DeviceInfo object.
 */
 static hirs::pb::DeviceInfo collectDeviceInfo();
-
- static std::string collectTcgLog();
 };
 #endif // HIRS_PROVISIONERTPM2_INCLUDE_DEVICEINFOCOLLECTOR_H_
diff --git a/HIRS_ProvisionerTPM2/package/postinst b/HIRS_ProvisionerTPM2/package/postinst
index dd6cf38e..a4c3109d 100644
--- a/HIRS_ProvisionerTPM2/package/postinst
+++ b/HIRS_ProvisionerTPM2/package/postinst
@@ -32,3 +32,7 @@ DEFAULT_SITE_CONFIG_FILE
 echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner-tpm2 provision' to provision this system"
 fi
 ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner
+
+if ! [ -f "set_tcg_properties.sh" ]; then
+ sh ./set_tcg_properties.sh
+fi
\ No newline at end of file
diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
index fae761b6..f18e6190 100644
--- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
+++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
@@ -39,3 +39,7 @@ DEFAULT_SITE_CONFIG_FILE
 echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner-tpm2 provision' to provision this system"
 fi
 ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner
+
+if ! [ -f "set_tcg_properties.sh" ]; then
+ sh ./set_tcg_properties.sh
+fi
diff --git a/HIRS_ProvisionerTPM2/package/set_tcg_properties.sh b/HIRS_ProvisionerTPM2/package/set_tcg_properties.sh
new file mode 100644
index 00000000..f36c0561
--- /dev/null
+++ b/HIRS_ProvisionerTPM2/package/set_tcg_properties.sh
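Review bot: The guard `if ! [ -f "set_tcg_properties.sh" ]; then sh ./set_tcg_properties.sh` in `postinst` is inverted: it runs the script only when the file is absent, in which case `sh` fails, and the relative path depends on the maintainer script's working directory, which is not the package directory. Drop the `!` and use the absolute path the script is installed to, `if [ -f "<INSTALL_DIR>/set_tcg_properties.sh" ]; then sh "<INSTALL_DIR>/set_tcg_properties.sh"; fi`, where `<INSTALL_DIR>` is a placeholder for the real location. The `rpm-post-install.sh` hunk below adds the same lines and needs the same fix.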
@@ -0,0 +1,22 @@ +#!/bin/bash + +TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties" +MAINFEST_DIRECTORY="/boot/tcg/manifest" +LOG_FILE_LOCATION="$MAINFEST_DIRECTORY/rim/" +TAG_FILE_LOCATION="$MAINFEST_DIRECTORY/swidtag/" + +if [ ! -f "$TCG_BOOT_FILE" ]; then + touch "$TCG_BOOT_FILE" +fi + +if [ -d "$LOG_FILE_LOCATION" ]; then + RIM_FILE=$(find "$LOG_FILE_LOCATION" -name '*.rimel' -or -name '*.bin' -or -name '*.rimpcr' -or -name '*.log') + echo "tcg.rim.file=$RIM_FILE" >> "$TCG_BOOT_FILE" +fi + +if [ -d "$TAG_FILE_LOCATION" ]; then + SWID_FILE=$(find "$TAG_FILE_LOCATION" -name '*.swidtag') + echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE" +fi + +chmod -w "$TCG_BOOT_FILE" \ No newline at end of file diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto index 6f030111..96f3d0e5 100644 --- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto +++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto @@ -59,6 +59,7 @@ message DeviceInfo { required OsInfo os = 4; optional bytes pcrslist = 5; optional bytes logfile = 6; + optional bytes swidfile = 7; } message IdentityClaim { diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index 156336ba..03826459 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp @@ -13,6 +13,8 @@ #include #include #include +#include +#include #include "log4cplus/configurator.h" @@ -31,6 +33,7 @@ using hirs::tpm2::AsymmetricKeyType; using hirs::tpm2::CommandTpm2; using hirs::tpm2_tools_utils::Tpm2ToolsVersion; using hirs::utils::Process; +using hirs::properties::Properties; using std::cout; using std::cerr; using std::endl; 
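Review bot: Both `find` invocations can return more than one path, and their newline-separated output is written as a single property value, so with two matching files under `/boot/tcg/manifest/rim/` the provisioner reads a `tcg.rim.file` value containing a newline. The script also appends with `>>` on every run, so a package upgrade adds a second `tcg.rim.file=` line, and the closing `chmod -w` does not prevent that because the post-install runs as root. Recreate the file on each run and pin each property to exactly one regular file; which file wins when several are present is a policy the script should decide explicitly rather than leave to `find` ordering, since the ACA treats the swidtag it receives as a reference manifest. `MAINFEST_DIRECTORY` is also misspelled (its value is correct).
```shell
# … unchanged: TCG_BOOT_FILE / MAINFEST_DIRECTORY / LOG_FILE_LOCATION / TAG_FILE_LOCATION …
: > "$TCG_BOOT_FILE"   # rewrite rather than append, so re-runs do not duplicate keys

if [ -d "$LOG_FILE_LOCATION" ]; then
    RIM_FILE=$(find "$LOG_FILE_LOCATION" -type f \( -name '*.rimel' -o -name '*.bin' -o -name '*.rimpcr' -o -name '*.log' \) | head -n 1)
    echo "tcg.rim.file=$RIM_FILE" >> "$TCG_BOOT_FILE"
fi

if [ -d "$TAG_FILE_LOCATION" ]; then
    SWID_FILE=$(find "$TAG_FILE_LOCATION" -type f -name '*.swidtag' | head -n 1)
    echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE"
fi
# … unchanged: chmod …
```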
@@ -65,7 +68,16 @@ int provision() { cout << "----> Collecting device information" << endl; hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo(); dv.set_pcrslist(tpm2.getPcrList()); - dv.set_logfile(DeviceInfoCollector::collectTcgLog()); + // collect TCG Boot files + Properties props("/etc/hirs/tcg_boot.properties"); + const std::string& rim_file = props.get("tcg.rim.file", ""); + const std::string& swid_file = props.get("tcg.swidtag.file", ""); + try { + dv.set_logfile(hirs::file_utils::fileToString(rim_file)); + dv.set_swidfile(hirs::file_utils::fileToString(swid_file)); + } catch (HirsRuntimeException& hirsRuntimeException) { + logger.error(hirsRuntimeException.what()); + } // send identity claim cout << "----> Sending identity claim to Attestation CA" << endl; diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java index a7f43de1..bd5a3b0a 100644 --- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java +++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java @@ -293,10 +293,28 @@ public final class TCGEventLog { StringBuilder sb = new StringBuilder(); for (TpmPcrEvent event : eventList) { sb.append(event.toString(bEvent, bHexEvent, bContent)); - } + } sb.append("Event Log processing completed.\n"); return sb.toString(); } + + /** + * Human readable string representing the contents of the Event Log. + * @param bEvent flag to set + * @param bHexEvent flag to set + * @param bContent flag to set + * @return Description of the log. + */ + public String toString(final boolean bEvent, + final boolean bHexEvent, + final boolean bContent) { + this.bEvent = bEvent; + this.bHexEvent = bHexEvent; + this.bContent = bContent; + + return this.toString(); + } + /** * Returns the TCG Algorithm Registry defined string for the Digest Algorithm * used in the event log. 
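Review bot: Both file reads sit in one `try`, so if `fileToString(rim_file)` throws — as the catch suggests it does for an unreadable path, and an empty path is exactly what the properties file holds when no RIM was found — `set_swidfile` is skipped as well and the claim goes out without either file. Read each file in its own guarded block and skip empty paths up front, so a missing RIM does not also drop the swidtag. Binding `const std::string&` to the result of `props.get(...)` is legal but reads as if a reference into the `Properties` object is being held; a plain `std::string` is clearer. `provision()` continues outside the hunk.
```cpp
// … unchanged: Properties props / rim_file / swid_file …
if (!rim_file.empty()) {
    try {
        dv.set_logfile(hirs::file_utils::fileToString(rim_file));
    } catch (HirsRuntimeException& ex) {
        logger.error(ex.what());
    }
}
if (!swid_file.empty()) {
    try {
        dv.set_swidfile(hirs::file_utils::fileToString(swid_file));
    } catch (HirsRuntimeException& ex) {
        logger.error(ex.what());
    }
}
// … unchanged: send identity claim …
```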
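Review bot: The new `toString(boolean, boolean, boolean)` overload assigns `this.bEvent`, `this.bHexEvent` and `this.bContent` before delegating to `toString()`, so a formatting call permanently changes the instance's flags and every later plain `toString()` call (which passes those fields to `event.toString`) uses them; either document that on the method, `Sets this log's event/hex/content flags and then formats it; the flags remain set afterwards.`, or format without touching the fields. The `@param` lines say only `flag to set`; state what each flag enables in the output so a caller can pick them without reading the implementation.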
diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java index abdfe464..eab16ae7 100644 --- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java +++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java @@ -109,7 +109,7 @@ UefiSignatureList(final ByteArrayInputStream lists) /** * Method for processing a set of EFI SignatureList(s). - * @param sigData Byte array holding one or more SignatureLists + * @param efiSigData Byte array holding one or more SignatureLists * @throws CertificateException If there's a problem parsing the X509 certificate. * @throws NoSuchAlgorithmException if there's a problem hashing the certificate. * @throws IOException If there's a problem parsing the signature data. @@ -131,7 +131,7 @@ private void processSignatureList(final byte[] efiSigData) /** * Method for processing a set of EFI SignatureList(s). - * @param sigData Byte array holding one or more SignatureLists. + * @param sigDataIS Byte array holding one or more SignatureLists. * @throws CertificateException If there's a problem parsing the X509 certificate. * @throws NoSuchAlgorithmException if there's a problem hashing the certificate. * @throws IOException If there's a problem parsing the signature data. @@ -173,12 +173,14 @@ public int getNumberOfCerts() { */ public boolean isValidSigListGUID(final UefiGuid guid) { switch (guid.getVendorTableReference()) { - case "EFI_CERT_SHA256_GUID": return true; - case "EFI_CERT_X509_SHA256": return true; - case "EFI_CERT_X509_SHA384": return true; - case "EFI_CERT_X509_SHA512": return true; - case "EFI_CERT_X509_GUID": return true; - default: return false; + case "EFI_CERT_SHA256_GUID": + case "EFI_CERT_X509_SHA256": + case "EFI_CERT_X509_SHA384": + case "EFI_CERT_X509_SHA512": + case "EFI_CERT_X509_GUID": + return true; + default: + return false; } } 
@@ -193,7 +195,7 @@ public String toString() {
 sigInfo.append("Number if items = " + numberOfItems + "\n");
 sigList.iterator();
 for (int i = 0; i < sigList.size(); i++) {
- UefiSignatureData certData = (UefiSignatureData) sigList.get(i);
+ UefiSignatureData certData = sigList.get(i);
 sigInfo.append(certData.toString());
 }
 if (!valid) {
diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java
index 64985857..4763328f 100644
--- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java
+++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java
@@ -40,12 +40,12 @@ public class UefiVariable {
 * EFIVariable constructor.
 * The UEFI_VARIABLE_DATA contains a "VariableName" field which is used to determine
 * the class used to parse the data within the "VariableData".
- * @param varibaleData byte array holding the UEFI Variable.
+ * @param variableData byte array holding the UEFI Variable.
 * @throws CertificateException If there a problem parsing the X509 certificate.
 * @throws NoSuchAlgorithmException if there's a problem hashing the certificate.
 * @throws IOException If there's a problem parsing the signature data.
 */
-public UefiVariable(final byte[] varibaleData)
+public UefiVariable(final byte[] variableData)
 throws CertificateException, NoSuchAlgorithmException, IOException {
 byte[] guid = new byte[UefiConstants.SIZE_16];
 byte[] nameLength = new byte[UefiConstants.SIZE_8];
@@ -54,21 +54,21 @@ public UefiVariable(final byte[] varibaleData) byte[] name = null; int variableLength = 0; - System.arraycopy(varibaleData, 0, guid, 0, UefiConstants.SIZE_16); + System.arraycopy(variableData, 0, guid, 0, UefiConstants.SIZE_16); uefiGuid = new UefiGuid(guid); - System.arraycopy(varibaleData, UefiConstants.SIZE_16, nameLength, 0, UefiConstants.SIZE_8); + System.arraycopy(variableData, UefiConstants.SIZE_16, nameLength, 0, UefiConstants.SIZE_8); int nlength = HexUtils.leReverseInt(nameLength); - System.arraycopy(varibaleData, UefiConstants.OFFSET_24, dataLength, 0, UefiConstants.SIZE_8); + System.arraycopy(variableData, UefiConstants.OFFSET_24, dataLength, 0, UefiConstants.SIZE_8); nameTemp = new byte[nlength * UefiConstants.SIZE_2]; - System.arraycopy(varibaleData, UefiConstants.OFFSET_32, + System.arraycopy(variableData, UefiConstants.OFFSET_32, nameTemp, 0, nlength * UefiConstants.SIZE_2); byte[] name1 = UefiDevicePath.convertChar16tobyteArray(nameTemp); name = new byte[nlength]; System.arraycopy(name1, 0, name, 0, nlength); variableLength = HexUtils.leReverseInt(dataLength); uefiVaribelData = new byte[variableLength]; - System.arraycopy(varibaleData, UefiConstants.OFFSET_32 + System.arraycopy(variableData, UefiConstants.OFFSET_32 + nlength * UefiConstants.SIZE_2, uefiVaribelData, 0, variableLength); varName = new String(name, "UTF-8"); String tmpName = varName;