diff --git a/.ci/docker/docker-compose-system-test.yml b/.ci/docker/docker-compose-system-test.yml index fa6a5af1..13eeeddf 100644 --- a/.ci/docker/docker-compose-system-test.yml +++ b/.ci/docker/docker-compose-system-test.yml @@ -7,6 +7,7 @@ services: command: ["bash", "-c", "tail -f /dev/null;"] ports: - "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}" + - 9123:9123 hostname: ${HIRS_ACA_HOSTNAME} networks: hirs_aca_system_tests: @@ -21,7 +22,7 @@ services: - aca volumes: - ../../:/HIRS - command: ["bash", "-c", "/ibmswtpm2/src/tpm_server && tail -f /dev/null"] + command: ["bash", "-c", "tail -f /dev/null"] networks: hirs_aca_system_tests: ipv4_address: ${HIRS_ACA_PROVISIONER_TPM2_IP} @@ -32,4 +33,4 @@ networks: ipam: driver: default config: - - subnet: ${HIRS_SUBNET} \ No newline at end of file + - subnet: ${HIRS_SUBNET} diff --git a/.ci/setup/container/setup_tpm2provisioner_dotnet.sh b/.ci/setup/container/setup_tpm2provisioner_dotnet.sh index 6ccb9055..7c838d44 100755 --- a/.ci/setup/container/setup_tpm2provisioner_dotnet.sh +++ b/.ci/setup/container/setup_tpm2provisioner_dotnet.sh @@ -4,7 +4,8 @@ ######################################################################################### # Setting configurations -. ./.ci/docker/.env +. /HIRS/.ci/docker/.env +source /HIRS/.ci/setup/container/tpm2_common.sh set -a 
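Review bot: The new `- 9123:9123` entry publishes a port on every host interface with nothing saying what it is for; presumably it pairs with the `-d` flag this diff adds to the `aca_bootRun.sh` invocation in setup_system_tests.sh. If it is a debugger listener, bind it to loopback and quote it like the mapping on the line above, `- "127.0.0.1:9123:9123"`, and add a comment above it such as `# port 9123: TODO document purpose (debug listener?) - keep CI-only`. Leaving it unquoted parses fine for this value, but the file now mixes quoted and plain port mappings.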
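Review bot: The new `source /HIRS/.ci/setup/container/tpm2_common.sh` line, and the `function`/`[[` syntax in the file it loads, are bash features, yet setup_system_tests.sh elsewhere in this diff still launches this script as `docker exec $tpm2_container sh /hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh`; unless `sh` in the image is bash, the script now fails at this line. Invoke it as `bash /hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh`, or run the file directly so its shebang applies (the shebang is not visible in this hunk). The hunk also reads `.env` from `/HIRS` while the helpers it enables read `/hirs/.ci/setup/certs/ek_cert.der`, so the script now depends on both the bind mount and the in-container clone being present; a comment above `. /HIRS/.ci/docker/.env` noting that `/HIRS` is the compose volume and `/hirs` the cloned branch would save the next reader the detour.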
@@ -12,112 +13,17 @@ set -e echo "*** Setting up TPM emulator for the TPM2 Provisioner *** " # Wait for ACA to boot -echo "*** Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..." - until [ "`curl --silent -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep 'HTTP/1.1 200'`" != "" ]; do - sleep 1; - done - echo "*** ACA is up!" +waitForAca ## Un-package Provisioner.NET RPM yes | dnf install HIRS_Provisioner.NET/hirs/bin/Release/net6.0/linux-x64/HIRS_Provisioner.NET.2.2.0.linux-x64.rpm -y > /dev/null # Initiate startup for IBMTSS Tools -pushd /ibmtss/utils -tpm2_startup -T mssim -c & -sleep 5 -tpm2_nvdefine -T mssim -C o -a 0x2000A -s $(cat /hirs/.ci/setup/certs/ek_cert.der | wc -c) 0x1c00002 -tpm2_nvwrite -T mssim -C o -i /hirs/.ci/setup/certs/ek_cert.der 0x1c00002 -popd +startFreshTpmServer -f +startupTpm +installEkCert -# Writing to Provisioner.Net configurations file for modified aca port and efi prefix -cat < /usr/share/hirs/appsettings.json -{ - "auto_detect_tpm": "TRUE", - "aca_address_port": "https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}", - "efi_prefix": "/ci_test/boot/efi", - "paccor_output_file": "", - "event_log_file": "", - "hardware_manifest_collectors": "paccor_scripts", - - "Serilog": { - "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ], - "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ], - "MinimumLevel": { - "Default": "Debug", - "Override": { - "Microsoft": "Warning", - "System": "Warning" - } - }, - "WriteTo": [ - { - "Name": "Console", - "Args": { - "outputTemplate": "{Message}{NewLine}", - "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console", - "restrictedToMinimumLevel": "Information" - } - }, - { - "Name": "File", - "Args": { - "path": "hirs.log", - "rollingInterval": "Day", - "retainedFileCountLimit": 5 - } - } - ] - } -} -APPSETTINGS_FILE -cp 
/usr/share/hirs/appsettings.json /usr/share/hirs/appsettings_default.json -cat < /usr/share/hirs/appsettings_hw.json -{ - "auto_detect_tpm": "TRUE", - "aca_address_port": "https://172.19.0.2:8443", - "efi_prefix": "/ci_test/boot/efi", - "paccor_output_file": "/ci_test/hw.json", - "event_log_file": "/ci_test/binary_bios_measurements", - "hardware_manifest_collectors": "", - "linux_bios_vendor_file": "/ci_test/dmi/id/bios_vendor", - "linux_bios_version_file": "/ci_test/dmi/id/bios_version", - "linux_bios_date_file": "/ci_test/dmi/id/bios_date", - "linux_sys_vendor_file": "/ci_test/dmi/id/sys_vendor", - "linux_product_name_file": "/ci_test/dmi/id/product_name", - "linux_product_version_file": "/ci_test/dmi/id/product_version", - "linux_product_serial_file": "/ci_test/dmi/id/product_serial", - - "Serilog": { - "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ], - "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ], - "MinimumLevel": { - "Default": "Debug", - "Override": { - "Microsoft": "Warning", - "System": "Warning" - } - }, - "WriteTo": [ - { - "Name": "Console", - "Args": { - "outputTemplate": "{Message}{NewLine}", - "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console", - "restrictedToMinimumLevel": "Information" - } - }, - { - "Name": "File", - "Args": { - "path": "hirs.log", - "rollingInterval": "Day", - "retainedFileCountLimit": 5 - } - } - ] - } -} -APPSETTINGS_FILE_HW +setCiHirsAppsettingsFile # Triggering a single provision for test echo "===========" diff --git a/.ci/setup/container/tpm2_common.sh b/.ci/setup/container/tpm2_common.sh index 900a2afc..11523b07 100755 --- a/.ci/setup/container/tpm2_common.sh +++ b/.ci/setup/container/tpm2_common.sh 
@@ -149,12 +149,198 @@ DEFAULT_SITE_CONFIG_FILE cat /etc/hirs/hirs-site.config } +# Function to update the hirs-site.config file +function setCiHirsAppsettingsFile { + # Setting configurations + . /HIRS/.ci/docker/.env + + HIRS_APPSETTINGS_FILE="/usr/share/hirs/appsettings.json" + ACA_ADDRESS="https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}" + EFI_PREFIX_PATH="/ci_test/boot/efi" + PACCOR_OUTPUT_FILE="" + EVENT_LOG_FILE="" + HARDWARE_MANIFEST_COLLECTORS="paccor_scripts" + + # Process parameters Argument handling + POSITIONAL_ARGS=() + ORIGINAL_ARGS=("$@") + while [[ $# -gt 0 ]]; do + case $1 in + --aca-address) + shift # past argument + ACA_ADDRESS=$1 + shift # past parameter + ;; + --efi-prefix) + shift # past argument + EFI_PREFIX_PATH=$1 + shift # past parameter + ;; + --paccor-output-file) + shift # past argument + PACCOR_OUTPUT_FILE=$1 + HARDWARE_MANIFEST_COLLECTORS="" + shift # past parameter + ;; + --event-log-file) + shift # past argument + EVENT_LOG_FILE=$1 + shift # past argument + ;; + --linux-dmi) + USE_LINUX_DMI=YES + shift # past argument + ;; + -*|--*) + echo "setCiHirsAppsettingsFile: Unknown option $1" + shift # past argument + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + # shift # past argument + break + ;; + esac + done + echo "" + echo "===========Updating ${HIRS_APPSETTINGS_FILE}, using values from /HIRS/.ci/docker/.env file...===========" + + cat < $HIRS_APPSETTINGS_FILE +{ + "auto_detect_tpm": "TRUE", + "aca_address_port": "$ACA_ADDRESS", + "efi_prefix": "$EFI_PREFIX_PATH", + "paccor_output_file": "$PACCOR_OUTPUT_FILE", + "event_log_file": "$EVENT_LOG_FILE", + "hardware_manifest_collectors": "$HARDWARE_MANIFEST_COLLECTORS", +DEFAULT_APPSETTINGS_FILE + if [ "$USE_LINUX_DMI" = YES ]; then + cat <> $HIRS_APPSETTINGS_FILE + "linux_bios_vendor_file": "/ci_test/dmi/id/bios_vendor", + "linux_bios_version_file": "/ci_test/dmi/id/bios_version", + "linux_bios_date_file": "/ci_test/dmi/id/bios_date", + "linux_sys_vendor_file": 
"/ci_test/dmi/id/sys_vendor", + "linux_product_name_file": "/ci_test/dmi/id/product_name", + "linux_product_version_file": "/ci_test/dmi/id/product_version", + "linux_product_serial_file": "/ci_test/dmi/id/product_serial", +DEFAULT_APPSETTINGS_FILE + fi + cat <> $HIRS_APPSETTINGS_FILE + "Serilog": { + "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ], + "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ], + "MinimumLevel": { + "Default": "Debug", + "Override": { + "Microsoft": "Warning", + "System": "Warning" + } + }, + "WriteTo": [ + { + "Name": "Console", + "Args": { + "outputTemplate": "{Message}{NewLine}", + "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console", + "restrictedToMinimumLevel": "Information" + } + }, + { + "Name": "File", + "Args": { + "path": "hirs.log", + "rollingInterval": "Day", + "retainedFileCountLimit": 5 + } + } + ] + } +} +DEFAULT_APPSETTINGS_FILE +} + +# These functions work on the tpm2provisioner_dotnet image +# They assume the IBM sw tpm server repo is cloned to /ibmswtpm2 +# They assume the IBM tss repo is cloned to /ibmtss +# They assume tpm2-tools are installed. +# They assume the HIRS repo is cloned to /hirs. +function startFreshTpmServer { + # Process parameters Argument handling + POSITIONAL_ARGS=() + ORIGINAL_ARGS=("$@") + while [[ $# -gt 0 ]]; do + case $1 in + -f|--force|--restart) + echo "Forcing a restart of the TPM server." + stopTpmServer + sleep 5 + shift # past argument + ;; + -*|--*) + echo "setCiHirsAppsettingsFile: Unknown option $1" + shift # past argument + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + # shift # past argument + break + ;; + esac + done + + if isTpmServerRunning ; then + echo "TPM server already running." + else + echo -n "Starting TPM server..." 
+ /ibmswtpm2/src/tpm_server -rm &> /dev/null & + sleep 5 + pid=$(findTpmServerPid) + echo "...running with pid: $pid" + fi +} + +function startupTpm { + echo "Running tpm2_startup" + tpm2_startup -T mssim -c + sleep 5 +} + +function installEkCert { + echo "Installing EK Cert /hirs/.ci/setup/certs/ek_cert.der into TPM NVRAM at index 0x1c00002" + tpm2_nvdefine -T mssim -C o -a 0x2000A -s $(cat /hirs/.ci/setup/certs/ek_cert.der | wc -c) 0x1c00002 + tpm2_nvwrite -T mssim -C o -i /hirs/.ci/setup/certs/ek_cert.der 0x1c00002 + echo "Finished installing EK cert." +} + +function findTpmServerPid { + pid=$(pgrep -f /ibmswtpm2/src/tpm_server 2> /dev/null) + echo -n "$pid" +} + +# ex usage: isTpmServerRunning && echo "up" || echo "down" +function isTpmServerRunning { + tpmUp=$(findTpmServerPid) + if [ -n "$tpmUp" ]; then + return 0 + else + return 1 + fi +} + +function stopTpmServer { + tpmUp=$(findTpmServerPid) + if [ -n "$tpmUp" ]; then + echo "Stopping TPM server with pid: $tpmUp" + kill -9 $tpmUp + fi +} + # Wait for ACA to boot function waitForAca { echo "Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..." - until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do + until [ "`curl --silent -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep 'HTTP/1.1 200'`" != "" ]; do sleep 1; - #echo "Checking on the ACA..." done echo "ACA is up!" } + diff --git a/.ci/system-tests/container/rim_setup.sh b/.ci/system-tests/container/rim_setup.sh old mode 100755 new mode 100644 diff --git a/.ci/system-tests/setup_system_tests.sh b/.ci/system-tests/setup_system_tests.sh index 2b9361e2..fc75d36d 100755 --- a/.ci/system-tests/setup_system_tests.sh +++ b/.ci/system-tests/setup_system_tests.sh 
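Review bot: `startFreshTpmServer` never checks that the simulator actually came up: after backgrounding `/ibmswtpm2/src/tpm_server` it prints whatever `findTpmServerPid` returns, even an empty string, and exits successfully, so a failed start is only noticed later when `tpm2_startup` fails in the caller. Test for an empty pid and return non-zero, as in the excerpt below. The unknown-option branch in the same function still says `setCiHirsAppsettingsFile: Unknown option $1`, a copy-paste from the function above it. In `setCiHirsAppsettingsFile`, `USE_LINUX_DMI` and the other settings are plain globals, so a second call in the same shell after `--linux-dmi` keeps emitting the DMI keys; declare them `local` and initialise `local USE_LINUX_DMI=NO`. `stopTpmServer` uses `kill -9`, which gives the simulator no chance to flush its NV state, so try plain `kill` before escalating, and the loosened `waitForAca` match on `HTTP/1.1 200` will never match if curl negotiates HTTP/2 with the portal, so matching on ` 200` alone would be more robust.
```shell
function startFreshTpmServer {
  # … unchanged: option parsing …
  if isTpmServerRunning ; then
    echo "TPM server already running."
  else
    echo -n "Starting TPM server..."
    /ibmswtpm2/src/tpm_server -rm &> /dev/null &
    sleep 5
    pid=$(findTpmServerPid)
    if [ -z "$pid" ]; then
      echo " failed: tpm_server did not start" >&2
      return 1
    fi
    echo "...running with pid: $pid"
  fi
}
```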
@@ -18,16 +18,18 @@ docker exec $aca_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \ && echo 'ACA Container Current Branch: ' && git branch \ && /hirs/package/linux/aca/aca_setup.sh --unattended 1> /dev/null \ && /tmp/hirs_add_aca_tls_path_to_os.sh 1> /dev/null \ - && /hirs/package/linux/aca/aca_bootRun.sh 1> /dev/null" & + && /hirs/package/linux/aca/aca_bootRun.sh -d 1> /dev/null" & # Switching to current/desired branch in Provisioner Container docker exec $tpm2_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \ && echo 'Provisioner Container Current Branch: ' && git branch" - + +echo "Copying temporary changes to files in $tpm2_container" +docker cp ./.ci/setup/container/setup_tpm2provisioner_dotnet.sh $tpm2_container:/hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh # Install HIRS Provisioner.Net and setup tpm2 simulator. # In doing so, tests a single provision between Provisioner.Net and ACA. echo "Launching provisioner setup" docker exec $tpm2_container sh /hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh # Initiating System Tests -echo "******** Setup Complete. Beginning HIRS System Tests. ******** " \ No newline at end of file +echo "******** Setup Complete. Beginning HIRS System Tests. ******** " diff --git a/.ci/system-tests/sys_test_common.sh b/.ci/system-tests/sys_test_common.sh index eb3a160a..1814d3e0 100644 --- a/.ci/system-tests/sys_test_common.sh +++ b/.ci/system-tests/sys_test_common.sh @@ -106,6 +106,10 @@ provisionTpm2() { fi } +resetTpmForNewTest() { + docker exec $tpm2_container -it bash -c "source /hirs/.ci/setup/container/tpm2_common.sh; startFreshTpmServer -f; startupTpm; installEkCert" +} + # Places platform cert(s) held in the test folder(s) in the provisioners tcg folder # setPlatCert setPlatformCerts() { 
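Review bot: The added `docker cp` overwrites the provisioner container's checked-out copy of setup_tpm2provisioner_dotnet.sh with the host working tree's version, so the system test no longer exercises the script from the branch selected by `$1`; the echo itself calls this a temporary change. Either remove it once the branch carries the new script, or guard it behind an explicit opt-in variable so a stale CI workspace cannot silently mask a broken script in the branch. The `-d` now passed to `aca_bootRun.sh` is not explained anywhere in this diff; if it enables a debugger listener (the compose change publishes port 9123), it should be opt-in rather than the default for CI, and a comment above the line should say what it does.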
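Review bot: In `resetTpmForNewTest`, `-it` is placed after the container name, and `docker exec` stops option parsing at the container argument, so `-it` is handed to the container as the command to run instead of being treated as flags; `setAppsettings` in the next hunk of this file has the same ordering. Move the flags before the container and drop `-t`, since CI jobs have no TTY: `docker exec -i $tpm2_container bash -c "source /hirs/.ci/setup/container/tpm2_common.sh; startFreshTpmServer -f; startupTpm; installEkCert"`. The exit status of the exec is also never checked, so a simulator that failed to restart is first seen as a provisioning failure in the next test.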
@@ -120,8 +124,9 @@ docker exec $tpm2_container sh /hirs/.ci/system-tests/container/rim_setup.sh $1 #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer" } -setPlatformOutput() { - docker exec $tpm2_container cp /usr/share/hirs/appsettings_hw.json /usr/share/hirs/appsettings.json +setAppsettings() { + OPTIONS=$@ + docker exec $tpm2_container -it bash -c "source /hirs/.ci/setup/container/tpm2_common.sh; setCiHirsAppsettingsFile $OPTIONS" } # Writes to the Action ouput, ACA log, and Provisioner Log diff --git a/.ci/system-tests/tests/aca_policy_tests.sh b/.ci/system-tests/tests/aca_policy_tests.sh index ad752979..16d8679e 100755 --- a/.ci/system-tests/tests/aca_policy_tests.sh +++ b/.ci/system-tests/tests/aca_policy_tests.sh @@ -24,6 +24,7 @@ esac if [ "$test" = "1" ] || [ "$test" = "all" ]; then writeToLogs "### ACA POLICY TEST 1: Test ACA default policy ###" + writeToLogs "Now using default appsettings" setPlatformCerts "laptop" "empty" provisionTpm2 "pass" fi @@ -57,11 +58,12 @@ if [ "$test" = "6" ] || [ "$test" = "all" ]; then fi if [ "$test" = "7" ] || [ "$test" = "all" ]; then writeToLogs "### ACA POLICY TEST 7: Test PC Validation Policy with valid PC with Attribute Check ###" + writeToLog "Now using appsettings with hardware information" clearAcaDb setPolicyEkPc uploadTrustedCerts setPlatformCerts "laptop" "default" - setPlatformOutput + setAppsettings --paccor-output-file /ci_test/hw.json --event-log-file /ci_test/binary_bios_measurements --linux-dmi provisionTpm2 "pass" fi if [ "$test" = "8" ] || [ "$test" = "all" ]; then @@ -80,4 +82,4 @@ if [[ $failedTests != 0 ]]; then echo "**** $failedTests out of $totalTests ACA Policy Tests Failed! ****" else echo "**** $totalTests ACA Policy Tests Passed! ****" -fi \ No newline at end of file +fi diff --git a/.ci/system-tests/tests/rim_system_tests.sh b/.ci/system-tests/tests/rim_system_tests.sh index 2f7159be..e16ae5c3 100755 --- a/.ci/system-tests/tests/rim_system_tests.sh 
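Review bot: `OPTIONS=$@` assigns the positional parameters to a scalar, which bash joins with spaces, and the result is then spliced unquoted into a `bash -c` string, so any option value containing whitespace or quotes is split or breaks the command; write `OPTIONS="$*"` to state the intent and add a comment above `setAppsettings` such as `# option values must be single shell words; they are interpolated into a bash -c string`. The `-it` placement after `$tpm2_container` has the problem already noted for `resetTpmForNewTest`. Separately, this diff changes rim_setup.sh from mode 100755 to 100644; the `sh /hirs/.ci/system-tests/container/rim_setup.sh $1` call visible in this hunk still works, but the dropped executable bit looks accidental.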
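Review bot: `writeToLog "Now using appsettings with hardware information"` calls a function that does not exist; every other line in this file uses `writeToLogs`, so this produces a command-not-found error and the log line is lost. Change it to `writeToLogs "Now using appsettings with hardware information"`. Nothing restores the default appsettings after test 7, so test 8 (which follows immediately) and any later test in an `all` run provision with the hardware-manifest settings, and the new "Now using default appsettings" message in test 1 only holds on a fresh container. Call `setAppsettings` with no options after test 7, or at the start of each test that expects defaults, so the tests do not depend on execution order.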
+++ b/.ci/system-tests/tests/rim_system_tests.sh @@ -21,6 +21,7 @@ esac if [ "$test" = "1" ] || [ "$test" = "all" ]; then writeToLogs "### ACA RIM TEST 1: Test a RIM from an OEM and a Supplemental RIM from a VAR ###" clearAcaDb + resetTpmForNewTest uploadTrustedCerts setPolicyEkPcFw setPlatformCerts "laptop" "varOsInstall" @@ -52,4 +53,4 @@ if [[ $failedTests != 0 ]]; then echo "**** $failedTests out of $totalTests ACA RIM Tests Failed! ****" else echo "**** $totalTests ACA RIM Tests Passed! ****" -fi \ No newline at end of file +fi
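Review bot: `resetTpmForNewTest` is added only to RIM test 1, so the remaining tests in this file, and the policy tests, still run against whatever TPM state the previous test left behind; if the reset is needed for isolation it belongs in a per-test setup step rather than in one test body. The helper also reports nothing on failure, so a simulator that did not come back is first seen as a provisioning failure attributed to the RIM under test. Add a comment above the call such as `# restart the TPM simulator and re-install the EK cert so this test starts from a clean TPM`.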