From 653acd270eeb96eaafae75055f1279d55d8975b7 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Thu, 1 Oct 2020 12:14:29 -0400 Subject: [PATCH] With the changes to how the ReferenceManifest is represented in the code and the previous firmware validation PR update, this branch wasn't properly updated for quote validation. The code was still pulling information for the baseline from an old source that wouldn't work anymore. Therefore all validations for the quote failed. The update now pulls the baseline information from the support RIM which is now stored in the database. --- .../SupplyChainValidationServiceImpl.java | 68 ++++++++++--------- .../hirs/data/persist/ReferenceManifest.java | 7 ++ 2 files changed, 44 insertions(+), 31 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index e3af160d..8ed6cdf1 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -7,6 +7,7 @@ import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import hirs.data.persist.BaseReferenceManifest; +import hirs.data.persist.SupportReferenceManifest; import hirs.data.persist.TPMMeasurementRecord; import hirs.data.persist.SwidResource; import hirs.data.persist.PCRPolicy; @@ -411,6 +412,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe Level level = Level.ERROR; AppraisalStatus fwStatus = new AppraisalStatus(FAIL, SupplyChainCredentialValidator.FIRMWARE_VALID); + SupportReferenceManifest sRim = null; // check if the policy is enabled if (policy.isFirmwareValidationEnabled()) { 
@@ -418,45 +420,49 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe String manufacturer = device.getDeviceInfo() .getHardwareInfo().getManufacturer(); - // need to get pcrs - ReferenceManifest rim = ReferenceManifest.select( - this.referenceManifestManager) - .byManufacturer(manufacturer) - .getRIM(); - if (rim == null) { - fwStatus = new AppraisalStatus(FAIL, - String.format("Firmware Quote validation failed: " - + "No associated RIM file could be found for %s", - manufacturer)); - } else { - BaseReferenceManifest bRim = (BaseReferenceManifest) rim; - List swids = bRim.parseResource(); - for (SwidResource swid : swids) { - baseline = swid.getPcrValues() - .toArray(new String[swid.getPcrValues().size()]); + try { + // need to get pcrs + Set rims = ReferenceManifest.select( + this.referenceManifestManager).getRIMs(); + for (ReferenceManifest r : rims) { + if (r instanceof SupportReferenceManifest + && r.getPlatformManufacturer().equals(manufacturer)) { + sRim = (SupportReferenceManifest) r; + } } - String pcrContent = new String(device.getDeviceInfo().getTPMInfo().getPcrValues()); - String[] storedPcrs = buildStoredPcrs(pcrContent, baseline[0].length()); - PCRPolicy pcrPolicy = policy.getPcrPolicy(); - pcrPolicy.setBaselinePcrs(baseline); - // grab the quote - byte[] hash = device.getDeviceInfo().getTPMInfo().getTpmQuoteHash(); - if (pcrPolicy.validateQuote(hash, storedPcrs)) { - level = Level.INFO; - fwStatus = new AppraisalStatus(PASS, - SupplyChainCredentialValidator.FIRMWARE_VALID); - fwStatus.setMessage("Firmware validation of TPM Quote successful."); - + if (sRim == null) { + fwStatus = new AppraisalStatus(FAIL, + String.format("Firmware Quote validation failed: " + + "No associated RIM file could be found for %s", + manufacturer)); } else { - fwStatus.setMessage("Firmware validation of TPM Quote failed." 
- + "\nPCR hash and Quote hash do not match."); + baseline = sRim.getExpectedPCRList(); + String pcrContent = new String(device.getDeviceInfo() + .getTPMInfo().getPcrValues()); + String[] storedPcrs = buildStoredPcrs(pcrContent, baseline[0].length()); + PCRPolicy pcrPolicy = policy.getPcrPolicy(); + pcrPolicy.setBaselinePcrs(baseline); + // grab the quote + byte[] hash = device.getDeviceInfo().getTPMInfo().getTpmQuoteHash(); + if (pcrPolicy.validateQuote(hash, storedPcrs)) { + level = Level.INFO; + fwStatus = new AppraisalStatus(PASS, + SupplyChainCredentialValidator.FIRMWARE_VALID); + fwStatus.setMessage("Firmware validation of TPM Quote successful."); + + } else { + fwStatus.setMessage("Firmware validation of TPM Quote failed." + + "\nPCR hash and Quote hash do not match."); + } } + } catch (Exception ex) { + LOGGER.error(ex); } quoteScv = buildValidationRecord(SupplyChainValidation .ValidationType.FIRMWARE, - fwStatus.getAppStatus(), fwStatus.getMessage(), rim, level); + fwStatus.getAppStatus(), fwStatus.getMessage(), sRim, level); // Generate validation summary, save it, and return it. List validations = new ArrayList<>(); diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java index 0a94056c..58f1a69b 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java @@ -338,4 +338,11 @@ public abstract class ReferenceManifest extends ArchivableEntity { && platformModel.equals(that.platformModel) && fileName.equals(that.fileName); } + + @Override + public String toString() { + return String.format("Filename->%s%nPlatform Manufacturer->%s%n" + + "Platform Model->%s%nRIM Type->%s", this.getFileName(), + this.platformManufacturer, this.platformModel, this.getRimType()); + } }
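Review bot: The loop that picks `sRim` matches support RIMs on manufacturer alone and has no `break`, so when more than one SupportReferenceManifest is stored for a manufacturer the baseline comes from whichever entry the set yields last, and the quote may be appraised against measurements for a different model or an older firmware release. Narrow the match (ReferenceManifest also carries `platformModel`) and treat more than one remaining candidate as a FAIL with its own message rather than choosing silently. Separately, `catch (Exception ex) { LOGGER.error(ex); }` hides a null platform manufacturer or an empty `getExpectedPCRList()` result (`baseline[0]`) behind the initial FAIL status, whose message is still `SupplyChainCredentialValidator.FIRMWARE_VALID`. Record the reason there, e.g. `fwStatus = new AppraisalStatus(FAIL, "Firmware Quote validation failed: " + ex.getMessage());`, and log with `LOGGER.error("Firmware quote validation failed", ex);`, which, assuming LOGGER is a log4j logger, also keeps the stack trace. The enclosing method starts and ends outside the hunk.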