ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2025-01-31 00:24:00 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

added support for FW testing

Browse Source
This commit is contained in:
iadgovuser26 2022-01-25 10:54:54 -05:00
parent 6a83628222
commit 4f37ba76a4
11 changed files with 162 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
.ci/setup/certs/RIMCaCert.pem Normal file
View File

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDjDCCAnSgAwIBAgIJALEA1Q472tZoMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UECgwHRXhhbXBsZTERMA8GA1UECwwI
UENDbGllbnQxEjAQBgNVBAMMCUV4YW1wbGVDQTAeFw0yMDAyMTAxNzI2MDdaFw0y
OTEyMTkxNzI2MDdaMFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UE
CgwHRXhhbXBsZTERMA8GA1UECwwIUENDbGllbnQxEjAQBgNVBAMMCUV4YW1wbGVD
QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPN0k+ULqFxdHZ14CCio
HAvn56T1Ca4t3ClmZoHSAiKsqzLV+rErk5SbMTIdi0vHQ+3sPYf9Opy0EeUXzh4J
g6CeGdDn247has1k135KBD9iJCaErJfZPnJ22CjKey8rvJM8fH3CAR7M/5uwYcPH
yRICwGAJMA/Qss4nsMRQpfZg4ReKVW+kAoa9eekG3q1sLu/QlCb0NC766X0ANP+8
AuGuHJmNV22fjvwSNfWbsJElcMrLbK4kliPyy05YVs19p+cBM1ADxGw2fJqsNsUy
34SXL1ATqOp7VCslRR5TJBzhxfM56xZbszry7BaqTSFDRGn1FuMw/4+qtPMAB88u
eXECAwEAAaNjMGEwHQYDVR0OBBYEFEahuO3bpnFf0NLneoo8XW6aw5Y4MB8GA1Ud
IwQYMBaAFEahuO3bpnFf0NLneoo8XW6aw5Y4MA8GA1UdEwEB/wQFMAMBAf8wDgYD
VR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQCwCUSV6VjOR+v85z18q5UX
bla0gEsfbc2mx0kGtNqi2im2Xt8UoSJDnfMXzfQq3IP3en943mqgIeYUl3f9UQBT
KgGfyHNbEfa0FzqfKpxJdT37C9ilSQ85GtThffc4I50QgBHaRXOvwBdrGpU2O11V
x35VLyYoycIlg+CizVywEX53aoMil1hEbv0TPtbNnFZGwM/fxvere65GeQld9gEP
9krGtSXYlMktvr66cqPzmG0ciA6dMBZN8dpTgUopmYNz8HVoHDq/KBmXYA7CMzrX
pVNx4kMW/KxA+XAHT82xE7PCiLIJx4z9uPn0O4PBDw0tQ0mxuDpeoi1i9PuBfe6Y
-----END CERTIFICATE-----

22
.ci/setup/certs/RimSignCert.pem Normal file
View File

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDoTCCAomgAwIBAgIJAIKly+6bklZlMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UECgwHRXhhbXBsZTERMA8GA1UECwwI
UENDbGllbnQxEjAQBgNVBAMMCUV4YW1wbGVDQTAeFw0yMDA2MTExNjUzMDFaFw0z
MDA0MjAxNjUzMDFaMFwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UE
CgwHRXhhbXBsZTERMA8GA1UECwwIUENDbGllbnQxGzAZBgNVBAMMEmV4YW1wbGUu
UklNLnNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKd1lWGk
SRuxAAY2wHag2GVxUk1dZx2PTpfQOflvLeccAVwa8mQhlsRERq+QK8ilj8Xfqs44
/nBaccZDOjdfIxIUCMfwhGXjxCaqZbgTucNsExDnu4arTGraoAwzHg0cVLiKT/Cx
j9NL4dcMgxRXsPdHfXb0923C7xYd2t2qfW05umgaj7qeQl6c68CFNsGX4JA8rWFQ
ZvvGx5DGlK4KTcjPuQQINs5fxasNKqLY2hq+z82x/rqwr2hmyizD6FpFSyIABPEM
PfB036GEhRwu1WEMkq8yIp2jgRUoFYke9pB3ph9pVow0Hh4mNFSKD4pP41VSKY1n
us83mdkuukPy5o0CAwEAAaNvMG0wHQYDVR0OBBYEFC/euOfQMKIgnaoBhhqWT+3s
8rzBMB8GA1UdIwQYMBaAFEahuO3bpnFf0NLneoo8XW6aw5Y4MAkGA1UdEwQCMAAw
CwYDVR0PBAQDAgbAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUA
A4IBAQC1mG0naE0W4E9vujPhygf7LXHMFkMPs5uWyvkxe4zWgTg0RHTClbOFJQJ+
pGLOcthSG6vIC6xYJxT5EKtB9rzRlEYHOi4MxuwXz9rLWQhA2zdbSo54Fb/BPoca
5K9kxvAanRltEfqEFhCcRmqIX1i6mpOWiZsrdMs7IflHKBsylUTn+v636BAz3p2H
8/lpJbF4LUFUxFU5FWB3tLuasxYTsbeE6YyNAnQIS95ML7c5H8z2aEQs5TCNHZJD
yc0PZT2aPOuEj5lGv9oyBHbYDitszUWSVxF7z86uVGmYR/2oTIj6tqb+IwuvFtnO
wiXFRS5ctLCdESr3SjdQF5wmIN4n
-----END CERTIFICATE-----

24
.ci/setup/setup-tpm2provisioner.sh
View File

@ -19,6 +19,20 @@ function InstallProvisioner {
popd popd
} }
# use ibm tss to properly clear tpm pcr values
function setTpmPcrValues {
mkdir /ibmtss
pushd /ibmtss
echo "Installing IBM TSS to set the TPM simulator intial values correctly..."
wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.5.0.tar.gz > /dev/null
tar -zxvf ibmtss1.5.0.tar.gz > /dev/null
cd utils
make -f makefiletpmc > /dev/null
cd ../utils
./startup
popd
}
# Function to initialize the TPM 2.0 Emulator # Function to initialize the TPM 2.0 Emulator
function InitTpm2Emulator { function InitTpm2Emulator {
echo "===========Initializing TPM 2.0 Emulator...===========" echo "===========Initializing TPM 2.0 Emulator...==========="
@ -42,8 +56,11 @@ function InitTpm2Emulator {
/ibmtpm/src/./tpm_server & /ibmtpm/src/./tpm_server &
echo "TPM Emulator started" echo "TPM Emulator started"
sleep 1
# Use the ibmtss to clear the PCR values (tpm2-abrmd will currupt PCR0)
setTpmPcrValues
# Give tpm_server time to start and register on the DBus # Give tpm_server time to start and register on the DBus
sleep 2 sleep 1
tpm2-abrmd -t socket & tpm2-abrmd -t socket &
echo "TPM2-Abrmd started" echo "TPM2-Abrmd started"
@ -131,13 +148,16 @@ WaitForAca
# Install packages # Install packages
InstallProvisioner InstallProvisioner
# Test to see if provisioner config were set up
echo "TPM2 Provisioner container running:"
echo "Contents of /etc/hirs is $(ls -al /etc/hirs)";
# Install TPM 2.0 Emulator # Install TPM 2.0 Emulator
InitTpm2Emulator InitTpm2Emulator
# Update the hirs-site.config file # Update the hirs-site.config file
UpdateHirsSiteConfigFile UpdateHirsSiteConfigFile
echo "TPM 2.0 Emulator NV RAM list" echo "TPM 2.0 Emulator NV RAM list"
tpm2_nvlist tpm2_nvlist

15
.ci/system-tests/aca_policy_tests.sh
View File

@ -10,23 +10,23 @@ failedTests=0;
# Start ACA Policy Tests # Start ACA Policy Tests
# provision_tpm takes 1 parameter (the expected result): "pass" or "fail" # provision_tpm takes 1 parameter (the expected result): "pass" or "fail"
write_to_logs "ACA POLICY TEST 1: Test ACA default policy " write_to_logs "### ACA POLICY TEST 1: Test ACA default policy ###"
setPlatformCerts "laptop" "empty" setPlatformCerts "laptop" "empty"
provision_tpm2 "pass" provision_tpm2 "pass"
write_to_logs "ACA POLICY TEST 2: Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store" write_to_logs "### ACA POLICY TEST 2: Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store ###"
setPolicyEkOnly setPolicyEkOnly
provision_tpm2 "fail" provision_tpm2 "fail"
write_to_logs "ACA POLICY TEST 3: Test EK Only Validation Policy" write_to_logs "### ACA POLICY TEST 3: Test EK Only Validation Policy ###"
uploadTrustedCerts uploadTrustedCerts
provision_tpm2 "pass" provision_tpm2 "pass"
write_to_logs "ACA POLICY TEST 4: Test PC Validation Policy with no PC" write_to_logs "### ACA POLICY TEST 4: Test PC Validation Policy with no PC ###"
setPolicyEkPc_noAttCheck setPolicyEkPc_noAttCheck
provision_tpm2 "fail" provision_tpm2 "fail"
write_to_logs "ACA POLICY TEST 5: Test FW and PC Validation Policy with no PC" write_to_logs "### ACA POLICY TEST 5: Test FW and PC Validation Policy with no PC ###"
setPolicyEkPcFw setPolicyEkPcFw
provision_tpm2 "fail" provision_tpm2 "fail"
@ -37,6 +37,11 @@ uploadTrustedCerts
setPlatformCerts "laptop" "default" setPlatformCerts "laptop" "default"
provision_tpm2 "pass" provision_tpm2 "pass"
write_to_logs "### ACA POLICY TEST 7: Test PC with RIM Validation Policy with valid PC and RIM ###"
setPolicyEkPcFw
setRims "laptop" "default"
provision_tpm2 "pass"
# Process Test Results, any single failure will send back a failed result. # Process Test Results, any single failure will send back a failed result.
if [[ $failedTests != 0 ]]; then if [[ $failedTests != 0 ]]; then
export TEST_STATUS=1; export TEST_STATUS=1;

69
.ci/system-tests/container/rim_setup.sh Normal file
View File

@ -0,0 +1,69 @@
#!/bin/bash
#########################################################################################
# Setup for PC Client Reference Integrity Manifest (RIM) tests
#
#########################################################################################
profile=$1
test=$2
tcgDir="/boot/tcg"
testDir="/HIRS/.ci/system-tests/profiles/$profile/$test"
mkdir -p $tcgDir/manifest/rim/; # Create the platform cert folder if its not there
rm -f $tcgDir/manifest/rim/*; # clear out any previous data
mkdir -p $tcgDir/manifest/swidtag/; # Create the platform cert folder if its not there
rm -f $tcgDir/manifest/swidtag/*; # clear out any previous data
echo "Test is using RIM files from $profile : $test"
# update tcg_boot.properties to use test specific binary_bios_measurement file
eventLog="$testDir"/"$profile"_"$test"_binary_bios_measurements
propFile="/etc/hirs/tcg_boot.properties";
#echo "propFile = $propFile"
# tcg_boot_properties is being erased, so recreate for now ......
#echo "tcg.rim.dir=/boot/tcg/manifest/rim/" > $propFile;
#echo "tcg.swidtag.dir=/boot/tcg/manifest/swidtag/" >> $propFile;
#echo "tcg.cert.dir=/boot/tcg/cert/platform/" >> $propFile;
#echo "tcg.event.file=/sys/kernel/security/tpm0/binary_bios_measurements" >> $propFile;
#echo "eventLog = $eventLog"
#echo "Contents of /etc/hirs is $(ls -al /etc/hirs)";
#echo "Contents of $propFile before sed is $(cat $propFile)";
sed -i "s:tcg.event.file=.*:tcg.event.file=$eventLog:g" "$propFile"
#echo "Contents of $propFile after sed is $(cat $propFile)";
#echo "======================"
#echo "Contents of/boot/tcg/cert/platform/ is $(ls /boot/tcg/cert/platform/) : "
# Step 2: Copy Base RIM files to the TCG folder
pushd $testDir/swidtags/ > /dev/null
if [[ ! -f ".gitignore" ]]; then
for swidtag in * ; do
cp -f $swidtag $tcgDir/manifest/swidtag/$swidtag;
done
fi
popd > /dev/null
# Step 3: Copy Support RIM files to the TCG folder
pushd $testDir/rims/ > /dev/null
if [[ ! -f ".gitignore" ]]; then
for rim in * ; do
cp -f $rim $tcgDir/manifest/rim/$rim;
done
fi
popd > /dev/null
# echo "Contents of tcg swidtag folder $tcgDir/manifest/swidtag/ : $(ls $tcgDir/manifest/swidtag/)"
# echo "Contents of tcg rim folder tcgDir/manifest/rim/: $(ls $tcgDir/manifest/rim/)"
#Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file
#echo "Setting PCR register 0 - 23 for test $profile : $test"
sh $testDir/"$profile"_"$test"_setpcrs.sh
#tpm2_pcrlist -g sha256
# Done with rim_setup

0
.ci/system-tests/profiles/laptop/default/laptop_binary_bios_measurements → .ci/system-tests/profiles/laptop/default/laptop_default_binary_bios_measurements
View File

0
.ci/system-tests/profiles/laptop/default/platformcerts/oem_platform_v1_Base.cer → .ci/system-tests/profiles/laptop/default/platformcerts/laptop.default.1.base.cer
View File

0
.ci/system-tests/profiles/laptop/default/rims/dell.5580.1.rimel → .ci/system-tests/profiles/laptop/default/rims/laptop.default.1.rimel
View File

0
.ci/system-tests/profiles/laptop/default/swidtags/dell.5580.1.swidtag → .ci/system-tests/profiles/laptop/default/swidtags/laptop.default.1.swidtag
View File

10
.ci/system-tests/run-system-tests.sh
View File

@ -19,12 +19,12 @@ echo "******** Setting up for HIRS System Tests for TPM 2.0 ******** "
# expand dmi files for mounting to the provisioner containers # expand dmi files for mounting to the provisioner containers
unzip -q .ci/system-tests/profiles/laptop/laptop_dmi.zip -d .ci/system-tests/profiles/laptop/ unzip -q .ci/system-tests/profiles/laptop/laptop_dmi.zip -d .ci/system-tests/profiles/laptop/
# Start System Testing Docker Environment # Start System Testing Docker Environment
pushd .ci/docker pushd .ci/docker > /dev/null
docker-compose -f docker-compose-system-test.yml up -d docker-compose -f docker-compose-system-test.yml up -d
popd popd > /dev/null
pushd .ci/system-tests pushd .ci/system-tests > /dev/null
source sys_test_common.sh source sys_test_common.sh
echo "ACA Container info: $(checkContainerStatus $aca_container)"; echo "ACA Container info: $(checkContainerStatus $aca_container)";
@ -59,10 +59,10 @@ echo ""
echo "End of System Tests for TPM 2.0, cleaning up..." echo "End of System Tests for TPM 2.0, cleaning up..."
echo "" echo ""
# Clean up services and network # Clean up services and network
popd popd > /dev/null
pushd .ci/docker pushd .ci/docker
docker-compose -f docker-compose-system-test.yml down -v docker-compose -f docker-compose-system-test.yml down -v
popd popd > /dev/null
# Clean up dangling containers # Clean up dangling containers
echo "Cleaning up dangling containers..." echo "Cleaning up dangling containers..."
echo "" echo ""

26
.ci/system-tests/sys_test_common.sh
View File

@ -61,7 +61,13 @@ docker exec $aca_container mysql -u root -e "use hirs_db; set foreign_key_checks
# Upload Certs to the ACA DB # Upload Certs to the ACA DB
uploadTrustedCerts() { uploadTrustedCerts() {
curl -k -s -F "file=@$issuerCert" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload pushd ../setup/certs > /dev/null
curl -k -s -F "file=@ca.crt" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
curl -k -s -F "file=@RIMCaCert.pem" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
curl -k -s -F "file=@RimSignCert.pem" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
popd > /dev/null
} }
# provision_tpm2 takes one parameter which is the expected result of the provion: "pass" or "fail" # provision_tpm2 takes one parameter which is the expected result of the provion: "pass" or "fail"
@ -98,17 +104,11 @@ setPlatformCerts() {
#docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer" #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
} }
# Places platform cert held in the test folder in the provisioners tcg folder # Places RIM files held in the test folder in the provisioners tcg folder
# setRimBundle <profile> <test> # setRims <profile> <test>
setRimBundles() { setRims() {
profile=$1 docker exec $tpm2_container sh /HIRS/.ci/system-tests/scripts/rim_setup.sh $1 $2
test=$2 #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
docker exec $tpm2_container rm /boot/tcg/manifest/rim/*;
docker exec $tpm2_container rm /boot/tcg/manifest/swidtag/*;
docker exec $tpm2_container cp /HIRS/.ci/system-tests/$profile/$test/rims/* /boot/tcg/manifest/rim;
docker exec $tpm2_container cp /HIRS/.ci/system-tests/$profile/$test/swidtags/* /boot/tcg/manifest/swidtag;
docker exec $tpm2_container ls /boot/tcg/manifest/rim/
docker exec $tpm2_container ls /boot/tcg/manifest/swidtag/
} }
# Writes to the Action ouput, ACA log, and Provisioner Log # Writes to the Action ouput, ACA log, and Provisioner Log
@ -118,5 +118,5 @@ write_to_logs() {
line=$1 line=$1
echo $line; echo $line;
docker exec $aca_container sh -c "echo '$line' >> /var/log/tomcat/HIRS_AttestationCA.log" docker exec $aca_container sh -c "echo '$line' >> /var/log/tomcat/HIRS_AttestationCA.log"
docker exec $tpm2_container sh -c "echo '$line' >> /var/log/hirs/provisioner/HIRS_provisionerTPM2.log" # docker exec $tpm2_container sh -c "echo '$line' >> /var/log/hirs/provisioner/HIRS_provisionerTPM2.log"
} }