From 4c46758d9a8eef19e476b5269900b039ab1b7ab7 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 23 Nov 2021 09:36:00 -0500 Subject: [PATCH] This commit is a feature update. The IMA PCR enable/disable is being enhanced to update the mask the provisioner uses to pull the quote from the TPM. This code will send down a string range of PCR values that excludes PCR 10. The quote that is returned should be a composite without the PCR 10. There will be a log statement in this commit that should be removed. --- .../AbstractAttestationCertificateAuthority.java | 16 +++++++++++++--- HIRS_ProvisionerTPM2/include/Utils.h | 2 ++ HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto | 1 + .../src/RestfulClientProvisioner.cpp | 6 +++++- HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 12 ++++++++---- HIRS_ProvisionerTPM2/src/Utils.cpp | 12 ++++++++++++ .../main/java/hirs/data/persist/PCRPolicy.java | 8 +++++++- 7 files changed, 48 insertions(+), 9 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 6aeab8d4..99762a96 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -126,6 +126,8 @@ public abstract class AbstractAttestationCertificateAuthority = "/webapps/HIRS_AttestationCA/upload/"; private static final String PCR_UPLOAD_FOLDER = CATALINA_HOME + TOMCAT_UPLOAD_DIRECTORY; + private static final String PCR_QUOTE_MASK = "0,1,2,3,4,5,6,7,8,9,10,11,12,13," + "14,15,16,17,18,19,20,21,22,23"; /** * Number of bytes to include in the TPM2.0 nonce. 
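Review bot: PCR_QUOTE_MASK is added without a comment, yet the `replace("10,", "")` in the @@ -448 hunk only works because of this constant's exact formatting (every index followed by a comma, PCR 10 not in last position). A Javadoc line pinning that down would protect the later code from an innocent reformat: `/** Comma-separated PCR indices the provisioner is asked to quote; PCR 10 (IMA) is stripped from this list when the policy ignores IMA, so keep the "N," formatting. */`. It is also worth stating here that the ACA-side composite in PCRPolicy must exclude the same PCR, since the two constants live in different modules.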
@@ -441,6 +443,8 @@ public abstract class AbstractAttestationCertificateAuthority RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray()); byte[] nonce = generateRandomBytes(NONCE_LENGTH); ByteString blobStr = tpm20MakeCredential(ekPub, akPub, nonce); + SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy(); + String pcrQuoteMask = PCR_QUOTE_MASK; String strNonce = HexUtils.byteArrayToHexString(nonce); LOG.info("Sending nonce: " + strNonce); @@ -448,10 +452,14 @@ public abstract class AbstractAttestationCertificateAuthority tpm2ProvisionerStateDBManager.save(new TPM2ProvisionerState(nonce, identityClaim)); + if (scp != null && scp.isIgnoreImaEnabled()) { + pcrQuoteMask = PCR_QUOTE_MASK.replace("10,", ""); + } // Package response ProvisionerTpm2.IdentityClaimResponse response = ProvisionerTpm2.IdentityClaimResponse.newBuilder() - .setCredentialBlob(blobStr).build(); + .setCredentialBlob(blobStr).setMask(pcrQuoteMask) + .build(); return response.toByteArray(); } else { @@ -622,9 +630,11 @@ public abstract class AbstractAttestationCertificateAuthority tpm2ProvisionerStateDBManager.delete(tpm2ProvisionerState); // Package the signed certificate into a response - ByteString certificateBytes = ByteString.copyFrom(derEncodedAttestationCertificate); + ByteString certificateBytes = ByteString + .copyFrom(derEncodedAttestationCertificate); ProvisionerTpm2.CertificateResponse response = ProvisionerTpm2.CertificateResponse - .newBuilder().setCertificate(certificateBytes).build(); + .newBuilder().setCertificate(certificateBytes) + .build(); saveAttestationCertificate(derEncodedAttestationCertificate, endorsementCredential, platformCredentials, device); diff --git a/HIRS_ProvisionerTPM2/include/Utils.h b/HIRS_ProvisionerTPM2/include/Utils.h index 39099750..c02371f5 100644 --- a/HIRS_ProvisionerTPM2/include/Utils.h +++ b/HIRS_ProvisionerTPM2/include/Utils.h 
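Review bot: The mask handed to the provisioner is produced by string surgery, `pcrQuoteMask = PCR_QUOTE_MASK.replace("10,", "")`, which silently yields the full 24-PCR list if the constant's formatting ever drifts (spaces after commas, PCR 10 moved to the end), and the provisioner would then quote PCR 10 while the ACA-side composite excludes it, failing validation with no hint why. Building the list from the indices removes that dependency: `IntStream.rangeClosed(0, 23).filter(i -> !(ignoreIma && i == 10)).mapToObj(Integer::toString).collect(Collectors.joining(","))`, with `ignoreIma = scp != null && scp.isIgnoreImaEnabled()`. Whether `scp.isIgnoreImaEnabled()` and PCRPolicy's `enableIgnoreIma` are the same setting is not visible here; if they can differ, a comment on the mask line naming PCRPolicy's IMA_MASK as its counterpart would help the next maintainer keep them in step. The enclosing method starts and ends outside the hunk.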
@@ -151,6 +151,8 @@ namespace string_utils { std::string trimWhitespaceFromRight(std::string str); std::string trimWhitespaceFromBothEnds(std::string str); + + std::vector split(const std::string& str, char delim); } // namespace string_utils } // namespace hirs diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto index e8cd5766..62dadc2a 100644 --- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto +++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto @@ -79,6 +79,7 @@ message TpmQuote { message IdentityClaimResponse { required bytes credential_blob = 1; + required string mask = 2; } message CertificateRequest { diff --git a/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp b/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp index e734f588..229a9a87 100644 --- a/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp @@ -60,6 +60,7 @@ string RestfulClientProvisioner::sendIdentityClaim( } string identityClaimByteString; + string result; identityClaim.SerializeToString(&identityClaimByteString); // Send serialized Identity Claim to ACA @@ -86,13 +87,16 @@ string RestfulClientProvisioner::sendIdentityClaim( { // Convert the nonce blob to hex for logging string blobHex = binaryToHex(response.credential_blob()); + stringstream responses; + responses << response.credential_blob() << ";" << response.mask(); stringstream logStream; + result = responses.str(); logStream << "Received nonce blob: " << blobHex; LOGGER.info(logStream.str()); } // Return the wrapped nonce blob - return response.credential_blob(); + return result; } else { stringstream errormsg; diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index 7d2700e3..63555d63 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp 
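Review bot: Declaring `mask` as `required` means an IdentityClaimResponse from any ACA that does not set it fails to parse on the provisioner, so a provisioner upgraded ahead of its ACA cannot provision at all instead of falling back to the full PCR list. `optional string mask = 2;` (the file is proto2 syntax, as the `required` keyword shows) keeps older responses parseable, and the caller can treat an unset mask as "quote all PCRs". A field comment would also help, since the format is only implied by the ACA code: `// Comma-separated PCR indices (0-23) the provisioner should include in its quote.`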
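Review bot: `response.credential_blob()` is binary (it is hex-encoded only for logging two lines above), so joining it to the mask with `";"` and splitting on ';' in TPM2_Provisioner corrupts any blob that happens to contain a 0x3B byte: the blob is truncated at that byte and its tail is taken as the mask, and provisioning then fails in a way that is hard to diagnose. Return the two fields separately (an out-parameter or a `std::pair<string, string>`) rather than a delimited string, or if the string form has to stay, encode the blob with `binaryToHex` (already in scope) before joining and decode it in the caller. sendIdentityClaim's body begins outside the hunk, so I cannot see whether `result` can be returned without the inner block having run; if it can, an empty string reaches the caller with no diagnostic.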
@@ -39,6 +39,7 @@ using std::cerr; using std::endl; using std::string; using std::stringstream; +using std::vector; int provision() { Logger logger = Logger::getDefaultLogger(); @@ -128,8 +129,12 @@ int provision() { "TPM2_Provisioner.cpp", __LINE__); identityClaim.set_paccoroutput(paccorOutputString); RestfulClientProvisioner provisioner; - string nonceBlob = provisioner.sendIdentityClaim(identityClaim); - if (nonceBlob == "") { + string response = provisioner.sendIdentityClaim(identityClaim); + vector response_vector = hirs::string_utils::split(response, ';'); + + string nonceBlob = response_vector.at(0); + string mask = response_vector.at(1); + if (nonceBlob == "" || mask == "") { cout << "----> Provisioning failed." << endl; cout << "Please refer to the Attestation CA for details." << endl; return 0; @@ -152,8 +157,7 @@ int provision() { hirs::pb::CertificateRequest certificateRequest; certificateRequest.set_nonce(decryptedNonce); certificateRequest.set_quote(tpm2.getQuote( - "0,1,2,3,4,5,6,7,8,9,10,11,12,13," - "14,15,16,17,18,19,20,21,22,23", + mask, decryptedNonce)); const string& akCertificateByteString diff --git a/HIRS_ProvisionerTPM2/src/Utils.cpp b/HIRS_ProvisionerTPM2/src/Utils.cpp index d8f10b56..9001bcd1 100644 --- a/HIRS_ProvisionerTPM2/src/Utils.cpp +++ b/HIRS_ProvisionerTPM2/src/Utils.cpp @@ -293,6 +293,18 @@ namespace string_utils { return trimWhitespaceFromRight(trimWhitespaceFromLeft(str)); } + vector split(const string &str, char delim) { + vector result; + stringstream ss(str); + string item; + + while (getline(ss, item, delim)) { + result.push_back(item); + } + + return result; + } + } // namespace string_utils } // namespace hirs diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java index 228d218c..3f440624 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java 
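Review bot: `response_vector.at(0)` and `.at(1)` throw std::out_of_range when sendIdentityClaim returns an empty string or a reply without a ';' (split() then yields fewer than two elements), so the failure path becomes an uncaught exception rather than the "Provisioning failed" message the next lines intend to print; check the element count before indexing. Since `mask` arrives from the ACA over the network and is passed straight to `tpm2.getQuote`, it is also worth validating that it is a comma-separated list of integers in 0..23 before use, particularly if getQuote forwards the string to a tpm2-tools command line (not visible here). The `vector response_vector` declaration appears to have lost its template argument in rendering; I have written `vector<string>` below on that assumption. provision() continues outside the hunk.
```cpp
    string response = provisioner.sendIdentityClaim(identityClaim);
    vector<string> response_vector = hirs::string_utils::split(response, ';');
    // split() returns fewer than two fields for "" or for a reply with no ';',
    // so guard here instead of letting .at() throw past the failure message.
    if (response_vector.size() != 2) {
        cout << "----> Provisioning failed." << endl;
        cout << "Please refer to the Attestation CA for details." << endl;
        return 0;
    }
    string nonceBlob = response_vector.at(0);
    string mask = response_vector.at(1);
    // … unchanged: empty-field check, failure message and the rest of provision() …
```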
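Review bot: split() has no doc comment, and its edge behaviour is exactly what the caller in TPM2_Provisioner depends on: std::getline drops a trailing empty field (`"a;"` yields one element), an empty input yields an empty vector, and empty fields in the middle (`"a;;b"`) are kept. A comment above the definition stating that contract — returns the delim-separated fields of str, keeping interior empty fields, omitting a trailing one, and returning an empty vector for an empty string — would make the caller's need for a size check obvious. The `vector result` declaration and the header's `std::vector split(...)` look like they lost their `<std::string>` argument in rendering; if that is really how the source reads, it will not compile.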
@@ -40,6 +40,7 @@ public final class PCRPolicy extends Policy { private static final int TBOOT_PCR_END = 19; // PCR 5 private static final int GPT_PCR = 5; + private static final int IMA_MASK = 0xfffbff; // Event Log Event Types private static final String EVT_EFI_BOOT = "EV_EFI_BOOT_SERVICES_APPLICATION"; @@ -169,6 +170,7 @@ public final class PCRPolicy extends Policy { boolean validated = false; short localityAtRelease = 0; String quoteString = new String(tpmQuote, StandardCharsets.UTF_8); + int pcrMaskSelection = PcrSelection.ALL_PCRS_ON; TPMMeasurementRecord[] measurements = new TPMMeasurementRecord[baselinePcrs.length]; try { @@ -179,7 +181,11 @@ public final class PCRPolicy extends Policy { LOGGER.error(deEx); } - PcrSelection pcrSelection = new PcrSelection(PcrSelection.ALL_PCRS_ON); + if (this.enableIgnoreIma) { + pcrMaskSelection = IMA_MASK; + } + + PcrSelection pcrSelection = new PcrSelection(pcrMaskSelection); PcrComposite pcrComposite = new PcrComposite( pcrSelection, Arrays.asList(measurements));
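Review bot: IMA_MASK is a bare magic number: 0xfffbff is the 24-bit all-ones value with bit 10 cleared, and that relationship to PcrSelection.ALL_PCRS_ON and to PCR 10 should be written down so nobody "corrects" it later. Suggested comment: `// ALL_PCRS_ON with bit 10 cleared: PCR 10 (IMA) is dropped from the composite when IMA is ignored.` Deriving it instead, `PcrSelection.ALL_PCRS_ON & ~(1 << 10)`, would remove the need to trust the literal, assuming ALL_PCRS_ON is 0xffffff and PcrSelection maps bit i to PCR i, neither of which is visible here.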
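Review bot: The composite built here excludes PCR 10 when `this.enableIgnoreIma` is set, while the quote being validated excluded it only if `scp.isIgnoreImaEnabled()` was true on the ACA when the identity claim was answered. If those are not the same setting, or it is toggled between the identity claim and the certificate request, the quote and the composite cover different PCR sets and validation fails with nothing in the log to say why. A comment on the `pcrMaskSelection = IMA_MASK;` line naming the ACA-side PCR_QUOTE_MASK as its counterpart, plus a debug log of the selection actually used, would make that mismatch diagnosable. The enclosing method starts and ends outside the hunk.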