mirror of
https://github.com/nsacyber/HIRS.git
synced 2025-01-17 10:20:04 +00:00
* Updated code to include an official policy to ignore IMA and TBoot. The policies will disable if firmware validation is disabled.
This commit is contained in:
parent
1448b35e5e
commit
6a62002b05
@ -8,6 +8,7 @@ import java.security.cert.CertificateException;
|
|||||||
|
|
||||||
import hirs.data.persist.TPMMeasurementRecord;
|
import hirs.data.persist.TPMMeasurementRecord;
|
||||||
import hirs.data.persist.SwidResource;
|
import hirs.data.persist.SwidResource;
|
||||||
|
import hirs.data.persist.PCRPolicy;
|
||||||
import hirs.validation.SupplyChainCredentialValidator;
|
import hirs.validation.SupplyChainCredentialValidator;
|
||||||
import org.apache.logging.log4j.LogManager;
|
import org.apache.logging.log4j.LogManager;
|
||||||
import org.apache.logging.log4j.Logger;
|
import org.apache.logging.log4j.Logger;
|
||||||
@ -241,7 +242,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
|||||||
.select(this.certificateManager)
|
.select(this.certificateManager)
|
||||||
.byDeviceId(device.getId()).getCertificate();
|
.byDeviceId(device.getId()).getCertificate();
|
||||||
|
|
||||||
validations.add(validateFirmware(pc, attCert));
|
validations.add(validateFirmware(pc, attCert, policy.getPcrPolicy()));
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate validation summary, save it, and return it.
|
// Generate validation summary, save it, and return it.
|
||||||
@ -314,73 +315,72 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
|||||||
}
|
}
|
||||||
return subPlatformScv;
|
return subPlatformScv;
|
||||||
}
|
}
|
||||||
private static final int IMA_TEN = 9;
|
|
||||||
|
|
||||||
private SupplyChainValidation validateFirmware(final PlatformCredential pc,
|
private SupplyChainValidation validateFirmware(final PlatformCredential pc,
|
||||||
final IssuedAttestationCertificate attCert) {
|
final IssuedAttestationCertificate attCert, final PCRPolicy pcrPolicy) {
|
||||||
|
|
||||||
ReferenceManifest rim = null;
|
ReferenceManifest rim;
|
||||||
String[] baseline = new String[Integer.SIZE];
|
String[] baseline = new String[Integer.SIZE];
|
||||||
Level level = Level.ERROR;
|
Level level = Level.ERROR;
|
||||||
AppraisalStatus fwStatus;
|
AppraisalStatus fwStatus = null;
|
||||||
|
|
||||||
if (attCert != null) {
|
|
||||||
String[] pcrsSet = attCert.getPcrValues().split("\\+");
|
|
||||||
String[] pcrs1 = pcrsSet[0].split("\\n");
|
|
||||||
String[] pcrs256 = pcrsSet[1].split("\\n");
|
|
||||||
|
|
||||||
|
if (pc != null) {
|
||||||
rim = ReferenceManifest.select(
|
rim = ReferenceManifest.select(
|
||||||
this.referenceManifestManager)
|
this.referenceManifestManager)
|
||||||
.byManufacturer(pc.getManufacturer())
|
.byManufacturer(pc.getManufacturer())
|
||||||
.getRIM();
|
.getRIM();
|
||||||
|
|
||||||
if (rim == null) {
|
if (rim == null) {
|
||||||
fwStatus = new AppraisalStatus(FAIL, String.format("Firmware validation failed: "
|
fwStatus = new AppraisalStatus(FAIL,
|
||||||
+ "No associated RIM file could be found for %s",
|
String.format("Firmware validation failed: "
|
||||||
pc.getManufacturer()));
|
+ "No associated RIM file could be found for %s",
|
||||||
|
pc.getManufacturer()));
|
||||||
} else {
|
} else {
|
||||||
StringBuilder sb = new StringBuilder();
|
|
||||||
fwStatus = new AppraisalStatus(PASS,
|
|
||||||
SupplyChainCredentialValidator.FIRMWARE_VALID);
|
|
||||||
String failureMsg = "Firmware validation failed: PCR %s does not"
|
|
||||||
+ " match%n";
|
|
||||||
|
|
||||||
List<SwidResource> swids = rim.parseResource();
|
List<SwidResource> swids = rim.parseResource();
|
||||||
for (SwidResource swid : swids) {
|
for (SwidResource swid : swids) {
|
||||||
baseline = swid.getPcrValues()
|
baseline = swid.getPcrValues()
|
||||||
.toArray(new String[swid.getPcrValues().size()]);
|
.toArray(new String[swid.getPcrValues().size()]);
|
||||||
}
|
}
|
||||||
|
pcrPolicy.setBaselinePcrs(baseline);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
int imaValue = IMA_TEN;
|
if (attCert != null && fwStatus == null) {
|
||||||
String pcrNum;
|
String[] pcrsSet = attCert.getPcrValues().split("\\+");
|
||||||
String pcrValue;
|
String[] pcrs1 = pcrsSet[0].split("\\n");
|
||||||
if (baseline[0].length() == TPMMeasurementRecord.SHA_BYTE_LENGTH) {
|
String[] pcrs256 = pcrsSet[1].split("\\n");
|
||||||
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
|
String[] quote = new String[TPMMeasurementRecord.MAX_PCR_ID + 1];
|
||||||
pcrNum = pcrs1[i + 1].split(":")[0].trim();
|
int offset = 0;
|
||||||
pcrValue = pcrs1[i + 1].split(":")[1].trim();
|
|
||||||
if (i != imaValue) {
|
StringBuilder sb;
|
||||||
if (!baseline[i].equals(pcrValue)) {
|
fwStatus = new AppraisalStatus(PASS,
|
||||||
sb.append(String.format(failureMsg, pcrNum));
|
SupplyChainCredentialValidator.FIRMWARE_VALID);
|
||||||
}
|
|
||||||
}
|
if (baseline[0].length() == TPMMeasurementRecord.SHA_BYTE_LENGTH) {
|
||||||
}
|
// quote from provisioner is formated to indicate the encryption
|
||||||
} else if (baseline[0].length() == TPMMeasurementRecord.SHA_256_BYTE_LENGTH) {
|
if (pcrs1[0].split(":")[0].contains("sha")) {
|
||||||
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
|
offset = 1;
|
||||||
pcrNum = pcrs256[i + 1].split(":")[0].trim();
|
|
||||||
pcrValue = pcrs256[i + 1].split(":")[1].trim();
|
|
||||||
if (i != imaValue) {
|
|
||||||
if (!baseline[i].equals(pcrValue)) {
|
|
||||||
sb.append(String.format(failureMsg, pcrNum));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
if (sb.length() > 0) {
|
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
|
||||||
level = Level.ERROR;
|
//update quote with the pcr only, based on offset
|
||||||
fwStatus = new AppraisalStatus(FAIL, sb.toString());
|
quote[i] = pcrs1[i + offset].split(":")[1].trim();
|
||||||
} else {
|
|
||||||
level = Level.INFO;
|
|
||||||
}
|
}
|
||||||
|
} else if (baseline[0].length() == TPMMeasurementRecord.SHA_256_BYTE_LENGTH) {
|
||||||
|
// quote from provisioner is formated to indicate the encryption
|
||||||
|
if (pcrs256[0].split(":")[0].contains("sha")) {
|
||||||
|
offset = 1;
|
||||||
|
}
|
||||||
|
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
|
||||||
|
//update quote with the pcr only, based on offset
|
||||||
|
quote[i] = pcrs256[i + offset].split(":")[1].trim();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
sb = pcrPolicy.validatePcrs(quote);
|
||||||
|
if (sb.length() > 0) {
|
||||||
|
level = Level.ERROR;
|
||||||
|
fwStatus = new AppraisalStatus(FAIL, sb.toString());
|
||||||
|
} else {
|
||||||
|
level = Level.INFO;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
fwStatus = new AppraisalStatus(FAIL, "Associated Issued Attestation"
|
fwStatus = new AppraisalStatus(FAIL, "Associated Issued Attestation"
|
||||||
|
@ -13,12 +13,16 @@ public class PolicyPageModel {
|
|||||||
private boolean enablePcCertificateValidation;
|
private boolean enablePcCertificateValidation;
|
||||||
private boolean enablePcCertificateAttributeValidation;
|
private boolean enablePcCertificateAttributeValidation;
|
||||||
private boolean enableFirmwareValidation;
|
private boolean enableFirmwareValidation;
|
||||||
|
private boolean enableIgnoreIma;
|
||||||
|
private boolean enableIgnoreTboot;
|
||||||
|
|
||||||
// Variables to get policy settings from page
|
// Variables to get policy settings from page
|
||||||
private String pcValidate;
|
private String pcValidate;
|
||||||
private String pcAttributeValidate;
|
private String pcAttributeValidate;
|
||||||
private String ecValidate;
|
private String ecValidate;
|
||||||
private String fmValidate;
|
private String fmValidate;
|
||||||
|
private String ignoreIma;
|
||||||
|
private String ignoretBoot;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Constructor. Sets fields from policy.
|
* Constructor. Sets fields from policy.
|
||||||
@ -30,6 +34,8 @@ public class PolicyPageModel {
|
|||||||
this.enablePcCertificateValidation = policy.isPcValidationEnabled();
|
this.enablePcCertificateValidation = policy.isPcValidationEnabled();
|
||||||
this.enablePcCertificateAttributeValidation = policy.isPcAttributeValidationEnabled();
|
this.enablePcCertificateAttributeValidation = policy.isPcAttributeValidationEnabled();
|
||||||
this.enableFirmwareValidation = policy.isFirmwareValidationEnabled();
|
this.enableFirmwareValidation = policy.isFirmwareValidationEnabled();
|
||||||
|
this.enableIgnoreIma = policy.isIgnoreImaEnabled();
|
||||||
|
this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -74,6 +80,22 @@ public class PolicyPageModel {
|
|||||||
return enableFirmwareValidation;
|
return enableFirmwareValidation;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets the Enable Ignore IMA state.
|
||||||
|
* @return the validation state.
|
||||||
|
*/
|
||||||
|
public boolean getEnableIgnoreIma() {
|
||||||
|
return enableIgnoreIma;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets the Enable Ignore TBoot state.
|
||||||
|
* @return the validation state.
|
||||||
|
*/
|
||||||
|
public boolean getEnableIgnoreTboot() {
|
||||||
|
return enableIgnoreTboot;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the EC Validation value.
|
* Gets the EC Validation value.
|
||||||
*
|
*
|
||||||
@ -110,6 +132,24 @@ public class PolicyPageModel {
|
|||||||
return fmValidate;
|
return fmValidate;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets the Ignore IMA validation value.
|
||||||
|
*
|
||||||
|
* @return the model string representation of this field (checked or unchecked)
|
||||||
|
*/
|
||||||
|
public String getIgnoreIma() {
|
||||||
|
return ignoreIma;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets the Ignore TBoot validation value.
|
||||||
|
*
|
||||||
|
* @return the model string representation of this field (checked or unchecked)
|
||||||
|
*/
|
||||||
|
public String getIgnoretBoot() {
|
||||||
|
return ignoretBoot;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the EC Validation state.
|
* Sets the EC Validation state.
|
||||||
*
|
*
|
||||||
@ -147,6 +187,24 @@ public class PolicyPageModel {
|
|||||||
this.enableFirmwareValidation = enableFirmwareValidation;
|
this.enableFirmwareValidation = enableFirmwareValidation;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the Enable Ignore IMA state.
|
||||||
|
*
|
||||||
|
* @param enableIgnoreIma true if performing validation, false otherwise
|
||||||
|
*/
|
||||||
|
public void setEnableIgnoreIma(final boolean enableIgnoreIma) {
|
||||||
|
this.enableIgnoreIma = enableIgnoreIma;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the Enable Ignore TBoot state.
|
||||||
|
*
|
||||||
|
* @param enableIgnoreTboot true if performing validation, false otherwise
|
||||||
|
*/
|
||||||
|
public void setEnableIgnoreTboot(final boolean enableIgnoreTboot) {
|
||||||
|
this.enableIgnoreTboot = enableIgnoreTboot;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the Platform Certificate Validation state.
|
* Sets the Platform Certificate Validation state.
|
||||||
*
|
*
|
||||||
@ -183,6 +241,24 @@ public class PolicyPageModel {
|
|||||||
this.fmValidate = fmValidate;
|
this.fmValidate = fmValidate;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the Ignore IMA state.
|
||||||
|
*
|
||||||
|
* @param ignoreIma "checked" if enabling validation, false otherwise
|
||||||
|
*/
|
||||||
|
public void setIgnoreIma(final String ignoreIma) {
|
||||||
|
this.ignoreIma = ignoreIma;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the Ignore Tboot state.
|
||||||
|
*
|
||||||
|
* @param ignoretBoot "checked" if enabling validation, false otherwise
|
||||||
|
*/
|
||||||
|
public void setIgnoretBoot(final String ignoretBoot) {
|
||||||
|
this.ignoretBoot = ignoretBoot;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String toString() {
|
public String toString() {
|
||||||
return "PolicyPageModel{"
|
return "PolicyPageModel{"
|
||||||
|
@ -36,35 +36,36 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
private static final Logger LOGGER = getLogger(PolicyPageController.class);
|
private static final Logger LOGGER = getLogger(PolicyPageController.class);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Represents a web request indicating to enable a setting (based on radio buttons from a
|
* Represents a web request indicating to enable a setting (based on radio
|
||||||
* web form).
|
* buttons from a web form).
|
||||||
*/
|
*/
|
||||||
private static final String ENABLED_PARAMETER_VALUE = "checked";
|
private static final String ENABLED_PARAMETER_VALUE = "checked";
|
||||||
|
|
||||||
|
|
||||||
private PolicyManager policyManager;
|
private PolicyManager policyManager;
|
||||||
|
|
||||||
private AppraiserManager appraiserManager;
|
private AppraiserManager appraiserManager;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Model attribute name used by initPage for the initial data passed to the page.
|
* Model attribute name used by initPage for the initial data passed to the
|
||||||
|
* page.
|
||||||
*/
|
*/
|
||||||
public static final String INITIAL_DATA = "initialData";
|
public static final String INITIAL_DATA = "initialData";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Flash attribute name used by initPage and post for the data forwarded during the redirect
|
* Flash attribute name used by initPage and post for the data forwarded
|
||||||
* from the POST operation back to the page.
|
* during the redirect from the POST operation back to the page.
|
||||||
*/
|
*/
|
||||||
public static final String RESULT_DATA = "resultData";
|
public static final String RESULT_DATA = "resultData";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Constructor.
|
* Constructor.
|
||||||
|
*
|
||||||
* @param policyManager the policy manager
|
* @param policyManager the policy manager
|
||||||
* @param appraiserManager the appraiser manager
|
* @param appraiserManager the appraiser manager
|
||||||
*/
|
*/
|
||||||
@Autowired
|
@Autowired
|
||||||
public PolicyPageController(final PolicyManager policyManager,
|
public PolicyPageController(final PolicyManager policyManager,
|
||||||
final AppraiserManager appraiserManager) {
|
final AppraiserManager appraiserManager) {
|
||||||
super(POLICY);
|
super(POLICY);
|
||||||
|
|
||||||
this.policyManager = policyManager;
|
this.policyManager = policyManager;
|
||||||
@ -75,7 +76,8 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
* Returns the path for the view and the data model for the page.
|
* Returns the path for the view and the data model for the page.
|
||||||
*
|
*
|
||||||
* @param params The object to map url parameters into.
|
* @param params The object to map url parameters into.
|
||||||
* @param model The data model for the request. Can contain data from redirect.
|
* @param model The data model for the request. Can contain data from
|
||||||
|
* redirect.
|
||||||
* @return the path for the view and data model for the page.
|
* @return the path for the view and data model for the page.
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
@ -96,11 +98,12 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Updates the Platform Cert Validation policy setting and redirects back
|
* Updates the Platform Cert Validation policy setting and redirects back to
|
||||||
* to the original page.
|
* the original page.
|
||||||
*
|
*
|
||||||
* @param ppModel The data posted by the form mapped into an object.
|
* @param ppModel The data posted by the form mapped into an object.
|
||||||
* @param attr RedirectAttributes used to forward data back to the original page.
|
* @param attr RedirectAttributes used to forward data back to the original
|
||||||
|
* page.
|
||||||
* @return View containing the url and parameters
|
* @return View containing the url and parameters
|
||||||
* @throws URISyntaxException if malformed URI
|
* @throws URISyntaxException if malformed URI
|
||||||
*/
|
*/
|
||||||
@ -108,12 +111,11 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
public RedirectView updatePcVal(@ModelAttribute final PolicyPageModel ppModel,
|
public RedirectView updatePcVal(@ModelAttribute final PolicyPageModel ppModel,
|
||||||
final RedirectAttributes attr) throws URISyntaxException {
|
final RedirectAttributes attr) throws URISyntaxException {
|
||||||
|
|
||||||
|
|
||||||
Map<String, Object> model = new HashMap<>();
|
Map<String, Object> model = new HashMap<>();
|
||||||
PageMessages messages = new PageMessages();
|
PageMessages messages = new PageMessages();
|
||||||
String successMessage;
|
String successMessage;
|
||||||
boolean pcValidationOptionEnabled =
|
boolean pcValidationOptionEnabled
|
||||||
ppModel.getPcValidate().equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
|
= ppModel.getPcValidate().equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
||||||
@ -122,8 +124,8 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
if (!isPolicyValid(policy.isEcValidationEnabled(), pcValidationOptionEnabled,
|
if (!isPolicyValid(policy.isEcValidationEnabled(), pcValidationOptionEnabled,
|
||||||
policy.isPcAttributeValidationEnabled())) {
|
policy.isPcAttributeValidationEnabled())) {
|
||||||
handleUserError(model, messages,
|
handleUserError(model, messages,
|
||||||
"Unable to change Platform Validation setting,"
|
"Unable to change Platform Validation setting,"
|
||||||
+ " invalid policy configuration.");
|
+ " invalid policy configuration.");
|
||||||
return redirectToSelf(new NoPageParams(), model, attr);
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
}
|
}
|
||||||
// set the policy option and create display message
|
// set the policy option and create display message
|
||||||
@ -132,11 +134,11 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
successMessage = "Platform certificate validation enabled";
|
successMessage = "Platform certificate validation enabled";
|
||||||
} else {
|
} else {
|
||||||
policy.setPcValidationEnabled(false);
|
policy.setPcValidationEnabled(false);
|
||||||
|
policy.setPcAttributeValidationEnabled(false);
|
||||||
successMessage = "Platform certificate validation disabled";
|
successMessage = "Platform certificate validation disabled";
|
||||||
}
|
}
|
||||||
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
||||||
|
|
||||||
|
|
||||||
} catch (PolicyManagerException e) {
|
} catch (PolicyManagerException e) {
|
||||||
// Log and return any error messages to the user
|
// Log and return any error messages to the user
|
||||||
handlePolicyManagerUpdateError(model, messages, e,
|
handlePolicyManagerUpdateError(model, messages, e,
|
||||||
@ -147,19 +149,19 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Updates the Platform Cert Attribute Validation policy setting and redirects back
|
* Updates the Platform Cert Attribute Validation policy setting and
|
||||||
* to the original page.
|
* redirects back to the original page.
|
||||||
*
|
*
|
||||||
* @param ppModel The data posted by the form mapped into an object.
|
* @param ppModel The data posted by the form mapped into an object.
|
||||||
* @param attr RedirectAttributes used to forward data back to the original page.
|
* @param attr RedirectAttributes used to forward data back to the original
|
||||||
|
* page.
|
||||||
* @return View containing the url and parameters
|
* @return View containing the url and parameters
|
||||||
* @throws URISyntaxException if malformed URI
|
* @throws URISyntaxException if malformed URI
|
||||||
*/
|
*/
|
||||||
@RequestMapping(value = "update-pc-attribute-validation", method = RequestMethod.POST)
|
@RequestMapping(value = "update-pc-attribute-validation", method = RequestMethod.POST)
|
||||||
public RedirectView updatePcAttributeVal(@ModelAttribute final PolicyPageModel ppModel,
|
public RedirectView updatePcAttributeVal(@ModelAttribute final PolicyPageModel ppModel,
|
||||||
final RedirectAttributes attr)
|
final RedirectAttributes attr)
|
||||||
throws URISyntaxException {
|
throws URISyntaxException {
|
||||||
|
|
||||||
|
|
||||||
Map<String, Object> model = new HashMap<>();
|
Map<String, Object> model = new HashMap<>();
|
||||||
PageMessages messages = new PageMessages();
|
PageMessages messages = new PageMessages();
|
||||||
@ -170,14 +172,13 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
try {
|
try {
|
||||||
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
||||||
|
|
||||||
|
|
||||||
// If PC Attribute Validation is enabled without PC Validation, disallow change
|
// If PC Attribute Validation is enabled without PC Validation, disallow change
|
||||||
if (!isPolicyValid(policy.isEcValidationEnabled(),
|
if (!isPolicyValid(policy.isEcValidationEnabled(),
|
||||||
policy.isPcValidationEnabled(), pcAttributeValidationOptionEnabled)) {
|
policy.isPcValidationEnabled(), pcAttributeValidationOptionEnabled)) {
|
||||||
|
|
||||||
handleUserError(model, messages,
|
handleUserError(model, messages,
|
||||||
"To enable Platform Attribute Validation, Platform Credential Validation"
|
"To enable Platform Attribute Validation, Platform Credential Validation"
|
||||||
+ " must also be enabled.");
|
+ " must also be enabled.");
|
||||||
return redirectToSelf(new NoPageParams(), model, attr);
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
}
|
}
|
||||||
// set the policy option and create display message
|
// set the policy option and create display message
|
||||||
@ -190,7 +191,6 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
}
|
}
|
||||||
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
||||||
|
|
||||||
|
|
||||||
} catch (PolicyManagerException e) {
|
} catch (PolicyManagerException e) {
|
||||||
// Log and return any error messages to the user
|
// Log and return any error messages to the user
|
||||||
handlePolicyManagerUpdateError(model, messages, e,
|
handlePolicyManagerUpdateError(model, messages, e,
|
||||||
@ -201,11 +201,12 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Updates the Endorsement Credential Validation policy setting and redirects back
|
* Updates the Endorsement Credential Validation policy setting and
|
||||||
* to the original page.
|
* redirects back to the original page.
|
||||||
*
|
*
|
||||||
* @param ppModel The data posted by the form mapped into an object.
|
* @param ppModel The data posted by the form mapped into an object.
|
||||||
* @param attr RedirectAttributes used to forward data back to the original page.
|
* @param attr RedirectAttributes used to forward data back to the original
|
||||||
|
* page.
|
||||||
* @return View containing the url and parameters
|
* @return View containing the url and parameters
|
||||||
* @throws URISyntaxException if malformed URI
|
* @throws URISyntaxException if malformed URI
|
||||||
*/
|
*/
|
||||||
@ -217,8 +218,8 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
Map<String, Object> model = new HashMap<>();
|
Map<String, Object> model = new HashMap<>();
|
||||||
PageMessages messages = new PageMessages();
|
PageMessages messages = new PageMessages();
|
||||||
String successMessage;
|
String successMessage;
|
||||||
boolean ecValidationOptionEnabled =
|
boolean ecValidationOptionEnabled
|
||||||
ppModel.getEcValidate().equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
|
= ppModel.getEcValidate().equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
||||||
@ -227,8 +228,8 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
if (!isPolicyValid(ecValidationOptionEnabled, policy.isPcValidationEnabled(),
|
if (!isPolicyValid(ecValidationOptionEnabled, policy.isPcValidationEnabled(),
|
||||||
policy.isPcAttributeValidationEnabled())) {
|
policy.isPcAttributeValidationEnabled())) {
|
||||||
handleUserError(model, messages,
|
handleUserError(model, messages,
|
||||||
"To disable Endorsement Credential Validation, Platform Validation"
|
"To disable Endorsement Credential Validation, Platform Validation"
|
||||||
+ " must also be disabled.");
|
+ " must also be disabled.");
|
||||||
return redirectToSelf(new NoPageParams(), model, attr);
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
}
|
}
|
||||||
// set the policy option and create success message
|
// set the policy option and create success message
|
||||||
@ -254,11 +255,12 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Updates the Endorsement Credential Validation policy setting and redirects back
|
* Updates the Firmware Validation policy setting and
|
||||||
* to the original page.
|
* redirects back to the original page.
|
||||||
*
|
*
|
||||||
* @param ppModel The data posted by the form mapped into an object.
|
* @param ppModel The data posted by the form mapped into an object.
|
||||||
* @param attr RedirectAttributes used to forward data back to the original page.
|
* @param attr RedirectAttributes used to forward data back to the original
|
||||||
|
* page.
|
||||||
* @return View containing the url and parameters
|
* @return View containing the url and parameters
|
||||||
* @throws URISyntaxException if malformed URI
|
* @throws URISyntaxException if malformed URI
|
||||||
*/
|
*/
|
||||||
@ -279,8 +281,8 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
//If firmware is enabled without PC attributes, disallow change
|
//If firmware is enabled without PC attributes, disallow change
|
||||||
if (firmwareValidationOptionEnabled && !policy.isPcAttributeValidationEnabled()) {
|
if (firmwareValidationOptionEnabled && !policy.isPcAttributeValidationEnabled()) {
|
||||||
handleUserError(model, messages,
|
handleUserError(model, messages,
|
||||||
"Firmware validation can not be "
|
"Firmware validation can not be "
|
||||||
+ "enabled without PC Attributes policy enabled.");
|
+ "enabled without PC Attributes policy enabled.");
|
||||||
return redirectToSelf(new NoPageParams(), model, attr);
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -290,13 +292,15 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
successMessage = "Firmware validation enabled";
|
successMessage = "Firmware validation enabled";
|
||||||
} else {
|
} else {
|
||||||
policy.setFirmwareValidationEnabled(false);
|
policy.setFirmwareValidationEnabled(false);
|
||||||
|
policy.getPcrPolicy().setEnableIgnoreIma(false);
|
||||||
|
policy.getPcrPolicy().setEnableIgnoretBoot(false);
|
||||||
successMessage = "Firmware validation disabled";
|
successMessage = "Firmware validation disabled";
|
||||||
}
|
}
|
||||||
|
|
||||||
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
||||||
} catch (PolicyManagerException e) {
|
} catch (PolicyManagerException e) {
|
||||||
handlePolicyManagerUpdateError(model, messages, e,
|
handlePolicyManagerUpdateError(model, messages, e,
|
||||||
"Error changing ACA endorsement validation policy",
|
"Error changing ACA firmware validation policy",
|
||||||
"Error updating policy. \n" + e.getMessage());
|
"Error updating policy. \n" + e.getMessage());
|
||||||
|
|
||||||
}
|
}
|
||||||
@ -305,26 +309,128 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
return redirectToSelf(new NoPageParams(), model, attr);
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Updates the ignore IMA policy setting and
|
||||||
|
* redirects back to the original page.
|
||||||
|
*
|
||||||
|
* @param ppModel The data posted by the form mapped into an object.
|
||||||
|
* @param attr RedirectAttributes used to forward data back to the original
|
||||||
|
* page.
|
||||||
|
* @return View containing the url and parameters
|
||||||
|
* @throws URISyntaxException if malformed URI
|
||||||
|
*/
|
||||||
|
@RequestMapping(value = "update-ima-ignore", method = RequestMethod.POST)
|
||||||
|
public RedirectView updateIgnoreIma(@ModelAttribute final PolicyPageModel ppModel,
|
||||||
|
final RedirectAttributes attr) throws URISyntaxException {
|
||||||
|
// set the data received to be populated back into the form
|
||||||
|
Map<String, Object> model = new HashMap<>();
|
||||||
|
PageMessages messages = new PageMessages();
|
||||||
|
String successMessage;
|
||||||
|
boolean ignoreImaOptionEnabled = ppModel.getIgnoreIma()
|
||||||
|
.equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
|
||||||
|
|
||||||
|
try {
|
||||||
|
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
||||||
|
|
||||||
|
//If Ignore IMA is enabled without firmware, disallow change
|
||||||
|
if (ignoreImaOptionEnabled && !policy.isFirmwareValidationEnabled()) {
|
||||||
|
handleUserError(model, messages,
|
||||||
|
"Ignore IMA can not be "
|
||||||
|
+ "enabled without Firmware Valdiation policy enabled.");
|
||||||
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
|
}
|
||||||
|
|
||||||
|
// set the policy option and create success message
|
||||||
|
if (ignoreImaOptionEnabled) {
|
||||||
|
policy.getPcrPolicy().setEnableIgnoreIma(true);
|
||||||
|
successMessage = "Ignore IMA enabled";
|
||||||
|
} else {
|
||||||
|
policy.getPcrPolicy().setEnableIgnoreIma(false);
|
||||||
|
successMessage = "Ignore IMA disabled";
|
||||||
|
}
|
||||||
|
|
||||||
|
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
||||||
|
} catch (PolicyManagerException e) {
|
||||||
|
handlePolicyManagerUpdateError(model, messages, e,
|
||||||
|
"Error changing ACA IMA ignore policy",
|
||||||
|
"Error updating policy. \n" + e.getMessage());
|
||||||
|
}
|
||||||
|
|
||||||
|
// return the redirect
|
||||||
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Updates the ignore TBoot policy setting and
|
||||||
|
* redirects back to the original page.
|
||||||
|
*
|
||||||
|
* @param ppModel The data posted by the form mapped into an object.
|
||||||
|
* @param attr RedirectAttributes used to forward data back to the original
|
||||||
|
* page.
|
||||||
|
* @return View containing the url and parameters
|
||||||
|
* @throws URISyntaxException if malformed URI
|
||||||
|
*/
|
||||||
|
@RequestMapping(value = "update-tboot-ignore", method = RequestMethod.POST)
|
||||||
|
public RedirectView updateIgnoreTboot(@ModelAttribute final PolicyPageModel ppModel,
|
||||||
|
final RedirectAttributes attr) throws URISyntaxException {
|
||||||
|
// set the data received to be populated back into the form
|
||||||
|
Map<String, Object> model = new HashMap<>();
|
||||||
|
PageMessages messages = new PageMessages();
|
||||||
|
String successMessage;
|
||||||
|
boolean ignoreTbootOptionEnabled = ppModel.getIgnoretBoot()
|
||||||
|
.equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
|
||||||
|
|
||||||
|
try {
|
||||||
|
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
||||||
|
|
||||||
|
//If Ignore TBoot is enabled without firmware, disallow change
|
||||||
|
if (ignoreTbootOptionEnabled && !policy.isFirmwareValidationEnabled()) {
|
||||||
|
handleUserError(model, messages,
|
||||||
|
"Ignore TBoot can not be "
|
||||||
|
+ "enabled without Firmware Valdiation policy enabled.");
|
||||||
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
|
}
|
||||||
|
|
||||||
|
// set the policy option and create success message
|
||||||
|
if (ignoreTbootOptionEnabled) {
|
||||||
|
policy.getPcrPolicy().setEnableIgnoretBoot(true);
|
||||||
|
successMessage = "Ignore TBoot enabled";
|
||||||
|
} else {
|
||||||
|
policy.getPcrPolicy().setEnableIgnoretBoot(false);
|
||||||
|
successMessage = "Ignore TBoot disabled";
|
||||||
|
}
|
||||||
|
|
||||||
|
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
||||||
|
} catch (PolicyManagerException e) {
|
||||||
|
handlePolicyManagerUpdateError(model, messages, e,
|
||||||
|
"Error changing ACA TBoot ignore policy",
|
||||||
|
"Error updating policy. \n" + e.getMessage());
|
||||||
|
}
|
||||||
|
|
||||||
|
// return the redirect
|
||||||
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
|
}
|
||||||
|
|
||||||
private void handlePolicyManagerUpdateError(final Map<String, Object> model,
|
private void handlePolicyManagerUpdateError(final Map<String, Object> model,
|
||||||
final PageMessages messages,
|
final PageMessages messages,
|
||||||
final PolicyManagerException e,
|
final PolicyManagerException e,
|
||||||
final String message, final String error) {
|
final String message, final String error) {
|
||||||
LOGGER.error(message, e);
|
LOGGER.error(message, e);
|
||||||
messages.addError(error);
|
messages.addError(error);
|
||||||
model.put(MESSAGES_ATTRIBUTE, messages);
|
model.put(MESSAGES_ATTRIBUTE, messages);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void handleUserError(final Map<String, Object> model,
|
private void handleUserError(final Map<String, Object> model,
|
||||||
final PageMessages messages,
|
final PageMessages messages,
|
||||||
final String errorMessage) {
|
final String errorMessage) {
|
||||||
messages.addError(errorMessage);
|
messages.addError(errorMessage);
|
||||||
model.put(MESSAGES_ATTRIBUTE, messages);
|
model.put(MESSAGES_ATTRIBUTE, messages);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Takes in policy setting states and determines if policy configuration is valid or not.
|
* Takes in policy setting states and determines if policy configuration is
|
||||||
* PC Attribute Validation must have PC Validation Enabled
|
* valid or not. PC Attribute Validation must have PC Validation Enabled PC
|
||||||
* PC Validation must have EC Validation enabled
|
* Validation must have EC Validation enabled
|
||||||
*
|
*
|
||||||
* @param isEcEnable EC Validation Policy State
|
* @param isEcEnable EC Validation Policy State
|
||||||
* @param isPcEnable PC Validation Policy State
|
* @param isPcEnable PC Validation Policy State
|
||||||
@ -353,9 +459,10 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
supplyChainAppraiser);
|
supplyChainAppraiser);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the default policy and applies the current values in to the page model.
|
* Gets the default policy and applies the current values in to the page
|
||||||
|
* model.
|
||||||
|
*
|
||||||
* @param ppModel the page model
|
* @param ppModel the page model
|
||||||
* @param model the map of string messages to be displayed on the view
|
* @param model the map of string messages to be displayed on the view
|
||||||
* @return The default Supply Chain Policy
|
* @return The default Supply Chain Policy
|
||||||
@ -371,10 +478,10 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private void savePolicyAndApplySuccessMessage(final PolicyPageModel ppModel,
|
private void savePolicyAndApplySuccessMessage(final PolicyPageModel ppModel,
|
||||||
final Map<String, Object> model,
|
final Map<String, Object> model,
|
||||||
final PageMessages messages,
|
final PageMessages messages,
|
||||||
final String successMessage,
|
final String successMessage,
|
||||||
final SupplyChainPolicy policy) {
|
final SupplyChainPolicy policy) {
|
||||||
// save the policy to the DB
|
// save the policy to the DB
|
||||||
policyManager.updatePolicy(policy);
|
policyManager.updatePolicy(policy);
|
||||||
|
|
||||||
|
@ -48,20 +48,21 @@
|
|||||||
<div class="aca-input-box">
|
<div class="aca-input-box">
|
||||||
<form:form method="POST" modelAttribute="initialData" action="policy/update-pc-attribute-validation">
|
<form:form method="POST" modelAttribute="initialData" action="policy/update-pc-attribute-validation">
|
||||||
<ul>
|
<ul>
|
||||||
<li>Platform Attribute Credential Validation: ${initialData.enablePcCertificateAttributeValidation ? 'Enabled' : 'Disabled'}
|
<li>Platform Attribute Credential Validation: ${initialData.enablePcCertificateAttributeValidation ? 'Enabled' : 'Disabled'}
|
||||||
<my:editor id="pcAttributePolicyEditor" label="Edit Settings">
|
<my:editor id="pcAttributePolicyEditor" label="Edit Settings">
|
||||||
<div class="radio">
|
<div class="radio">
|
||||||
<label><input id="pcAttrTop" type="radio" name="pcAttributeValidate" ${initialData.enablePcCertificateAttributeValidation ? 'checked' : ''} value="checked"/> Platform Credential Attributes will be validated</label>
|
<label><input id="pcAttrTop" type="radio" name="pcAttributeValidate" ${initialData.enablePcCertificateAttributeValidation ? 'checked' : ''} value="checked"/> Platform Credential Attributes will be validated</label>
|
||||||
</div>
|
</div>
|
||||||
<div class="radio">
|
<div class="radio">
|
||||||
<label><input id="pcAttrBot" type="radio" name="pcAttributeValidate" ${initialData.enablePcCertificateAttributeValidation ? '' : 'checked'} value="unchecked"/> Platform Credential Attributes will not be validated</label>
|
<label><input id="pcAttrBot" type="radio" name="pcAttributeValidate" ${initialData.enablePcCertificateAttributeValidation ? '' : 'checked'} value="unchecked"/> Platform Credential Attributes will not be validated</label>
|
||||||
</div>
|
</div>
|
||||||
</my:editor>
|
</my:editor>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</form:form>
|
</form:form>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
<%-- Firmware validation --%>
|
||||||
<div class="aca-input-box">
|
<div class="aca-input-box">
|
||||||
<form:form method="POST" modelAttribute="initialData" action="policy/update-firmware-validation">
|
<form:form method="POST" modelAttribute="initialData" action="policy/update-firmware-validation">
|
||||||
<li>Firmware Validation: ${initialData.enableFirmwareValidation ? 'Enabled' : 'Disabled'}
|
<li>Firmware Validation: ${initialData.enableFirmwareValidation ? 'Enabled' : 'Disabled'}
|
||||||
@ -73,8 +74,34 @@
|
|||||||
<label><input id="firmwareBot" type="radio" name="fmValidate" ${initialData.enableFirmwareValidation ? '' : 'checked'} value="unchecked"/> Firmware will not be validated</label>
|
<label><input id="firmwareBot" type="radio" name="fmValidate" ${initialData.enableFirmwareValidation ? '' : 'checked'} value="unchecked"/> Firmware will not be validated</label>
|
||||||
</div>
|
</div>
|
||||||
</my:editor>
|
</my:editor>
|
||||||
</li>
|
</form:form>
|
||||||
</form:form>
|
<ul>
|
||||||
|
<form:form method="POST" modelAttribute="initialData" action="policy/update-ima-ignore">
|
||||||
|
<li>Ignore IMA PCR Entry: ${initialData.enableIgnoreIma ? 'Enabled' : 'Disabled'}
|
||||||
|
<my:editor id="ignoreImaPolicyEditor" label="Edit Settings">
|
||||||
|
<div class="radio">
|
||||||
|
<label><input id="imaTop" type="radio" name="ignoreIma" ${initialData.enableIgnoreIma ? 'checked' : ''} value="checked"/> Ignore IMA enabled</label>
|
||||||
|
</div>
|
||||||
|
<div class="radio">
|
||||||
|
<label><input id="imaBot" type="radio" name="ignoreIma" ${initialData.enableIgnoreIma ? '' : 'checked'} value="unchecked"/> Ignore IMA disabled</label>
|
||||||
|
</div>
|
||||||
|
</my:editor>
|
||||||
|
</li>
|
||||||
|
</form:form>
|
||||||
|
<form:form method="POST" modelAttribute="initialData" action="policy/update-tboot-ignore">
|
||||||
|
<li>Ignore TBOOT PCRs Entry: ${initialData.enableIgnoreTboot ? 'Enabled' : 'Disabled'}
|
||||||
|
<my:editor id="ignoreTbootPolicyEditor" label="Edit Settings">
|
||||||
|
<div class="radio">
|
||||||
|
<label><input id="tbootTop" type="radio" name="ignoretBoot" ${initialData.enableIgnoreTboot ? 'checked' : ''} value="checked"/> Ignore TBoot enabled</label>
|
||||||
|
</div>
|
||||||
|
<div class="radio">
|
||||||
|
<label><input id="tbootBot" type="radio" name="ignoretBoot" ${initialData.enableIgnoreTboot ? '' : 'checked'} value="unchecked"/> Ignore TBoot disabled</label>
|
||||||
|
</div>
|
||||||
|
</my:editor>
|
||||||
|
</li>
|
||||||
|
</form:form>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
</div>
|
</div>
|
||||||
</ul>
|
</ul>
|
||||||
</jsp:body>
|
</jsp:body>
|
||||||
|
@ -13,7 +13,7 @@ public abstract class ArchivableEntity extends AbstractEntity {
|
|||||||
/**
|
/**
|
||||||
* Defining the size of a message field for error display.
|
* Defining the size of a message field for error display.
|
||||||
*/
|
*/
|
||||||
public static final int MAX_MESSAGE_LENGTH = 520;
|
public static final int MAX_MESSAGE_LENGTH = 1200;
|
||||||
|
|
||||||
@Column(name = "archived_time")
|
@Column(name = "archived_time")
|
||||||
private Date archivedTime;
|
private Date archivedTime;
|
||||||
|
144
HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
Normal file
144
HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
Normal file
@ -0,0 +1,144 @@
|
|||||||
|
package hirs.data.persist;
|
||||||
|
|
||||||
|
import javax.persistence.Column;
|
||||||
|
import javax.persistence.Entity;
|
||||||
|
import static org.apache.logging.log4j.LogManager.getLogger;
|
||||||
|
import org.apache.logging.log4j.Logger;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The class handles the flags that ignore certain PCRs for validation.
|
||||||
|
*/
|
||||||
|
@Entity
|
||||||
|
public final class PCRPolicy extends Policy {
|
||||||
|
|
||||||
|
private static final Logger LOGGER = getLogger(PCRPolicy.class);
|
||||||
|
|
||||||
|
// PCR 10
|
||||||
|
private static final int IMA_PCR = 10;
|
||||||
|
// PCR 17-19
|
||||||
|
private static final int TBOOT_PCR = 17;
|
||||||
|
private static final int NUM_OF_IMA_PCR = 1;
|
||||||
|
private static final int NUM_OF_TBOOT_PCR = 3;
|
||||||
|
|
||||||
|
@Column(nullable = false)
|
||||||
|
private boolean enableIgnoreIma = false;
|
||||||
|
@Column(nullable = false)
|
||||||
|
private boolean enableIgnoretBoot = false;
|
||||||
|
@Column(nullable = false)
|
||||||
|
private boolean linuxOs = false;
|
||||||
|
|
||||||
|
private String[] baselinePcrs;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Default constructor.
|
||||||
|
*/
|
||||||
|
public PCRPolicy() {
|
||||||
|
baselinePcrs = new String[TPMMeasurementRecord.MAX_PCR_ID + 1];
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Constructor to parse PCR values.
|
||||||
|
*
|
||||||
|
* @param pcrValues RIM provided baseline PCRs
|
||||||
|
*/
|
||||||
|
public PCRPolicy(final String[] pcrValues) {
|
||||||
|
baselinePcrs = new String[TPMMeasurementRecord.MAX_PCR_ID + 1];
|
||||||
|
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
|
||||||
|
baselinePcrs[i] = pcrValues[i];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Compares the baseline pcr list and the quote pcr list. If the
|
||||||
|
* ignore flags are set, 10 and 17-19 will be skipped for comparison.
|
||||||
|
*
|
||||||
|
* @param quotePcrs non-baseline pcr list
|
||||||
|
* @return a StringBuilder that is empty if everything passes.
|
||||||
|
*/
|
||||||
|
public StringBuilder validatePcrs(final String[] quotePcrs) {
|
||||||
|
StringBuilder sb = new StringBuilder();
|
||||||
|
String failureMsg = "PCR %d does not match%n";
|
||||||
|
|
||||||
|
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
|
||||||
|
if (enableIgnoreIma && i == IMA_PCR) {
|
||||||
|
LOGGER.info("PCR Policy IMA Ignore enabled.");
|
||||||
|
i += NUM_OF_IMA_PCR;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (enableIgnoretBoot && i == TBOOT_PCR) {
|
||||||
|
LOGGER.info("PCR Policy TBoot Ignore enabled.");
|
||||||
|
i += NUM_OF_TBOOT_PCR;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!baselinePcrs[i].equals(quotePcrs[i])) {
|
||||||
|
sb.append(String.format(failureMsg, i));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return sb;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Getter for the array of baseline PCRs.
|
||||||
|
* @return instance of the PCRs.
|
||||||
|
*/
|
||||||
|
public String[] getBaselinePcrs() {
|
||||||
|
return baselinePcrs.clone();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Setter for the array of baseline PCRs.
|
||||||
|
* @param baselinePcrs instance of the PCRs.
|
||||||
|
*/
|
||||||
|
public void setBaselinePcrs(final String[] baselinePcrs) {
|
||||||
|
this.baselinePcrs = baselinePcrs.clone();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Getter for the IMA ignore flag.
|
||||||
|
* @return true if IMA is to be ignored.
|
||||||
|
*/
|
||||||
|
public boolean isEnableIgnoreIma() {
|
||||||
|
return enableIgnoreIma;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Setter for the IMA ignore flag.
|
||||||
|
* @param enableIgnoreIma true if IMA is to be ignored.
|
||||||
|
*/
|
||||||
|
public void setEnableIgnoreIma(final boolean enableIgnoreIma) {
|
||||||
|
this.enableIgnoreIma = enableIgnoreIma;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Getter for the TBoot ignore flag.
|
||||||
|
* @return true if TBoot is to be ignored.
|
||||||
|
*/
|
||||||
|
public boolean isEnableIgnoretBoot() {
|
||||||
|
return enableIgnoretBoot;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Setter for the TBoot ignore flag.
|
||||||
|
* @param enableIgnoretBoot true if TBoot is to be ignored.
|
||||||
|
*/
|
||||||
|
public void setEnableIgnoretBoot(final boolean enableIgnoretBoot) {
|
||||||
|
this.enableIgnoretBoot = enableIgnoretBoot;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Getter for a flag to indicate the type of OS.
|
||||||
|
* @return true if the system is linux.
|
||||||
|
*/
|
||||||
|
public boolean isLinuxOs() {
|
||||||
|
return linuxOs;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Setter for the type of OS.
|
||||||
|
* @param linuxOs value of the flag depending on the OS
|
||||||
|
*/
|
||||||
|
public void setLinuxOs(final boolean linuxOs) {
|
||||||
|
this.linuxOs = linuxOs;
|
||||||
|
}
|
||||||
|
}
|
@ -1,6 +1,7 @@
|
|||||||
package hirs.data.persist;
|
package hirs.data.persist;
|
||||||
|
|
||||||
import javax.persistence.Column;
|
import javax.persistence.Column;
|
||||||
|
import javax.persistence.Embedded;
|
||||||
import javax.persistence.Entity;
|
import javax.persistence.Entity;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -36,6 +37,9 @@ public class SupplyChainPolicy extends Policy {
|
|||||||
@Column(nullable = false)
|
@Column(nullable = false)
|
||||||
private boolean replaceEC = false;
|
private boolean replaceEC = false;
|
||||||
|
|
||||||
|
@Embedded
|
||||||
|
private PCRPolicy pcrPolicy = new PCRPolicy();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Constructor used to initialize SupplyChainPolicy object.
|
* Constructor used to initialize SupplyChainPolicy object.
|
||||||
*
|
*
|
||||||
@ -147,6 +151,40 @@ public class SupplyChainPolicy extends Policy {
|
|||||||
this.enableFirmwareValidation = enableFirmwareValidation;
|
this.enableFirmwareValidation = enableFirmwareValidation;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns whether or not to validate the ignore ima on the device.
|
||||||
|
*
|
||||||
|
* @return whether or not to validate the ignore imag.
|
||||||
|
*/
|
||||||
|
public boolean isIgnoreImaEnabled() {
|
||||||
|
return this.pcrPolicy.isEnableIgnoreIma();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets whether or not validate the ignore ima on the device.
|
||||||
|
* @param enableIgnoreIma whether or not to validate the ignore ima
|
||||||
|
*/
|
||||||
|
public void setIgnoreImaEnabled(final boolean enableIgnoreIma) {
|
||||||
|
this.pcrPolicy.setEnableIgnoreIma(enableIgnoreIma);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns whether or not to validate the ignore tboot on the device.
|
||||||
|
*
|
||||||
|
* @return whether or not to validate the ignore tboot
|
||||||
|
*/
|
||||||
|
public boolean isIgnoreTbootEnabled() {
|
||||||
|
return this.pcrPolicy.isEnableIgnoretBoot();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets whether or not validate the ignore tboot on the device.
|
||||||
|
* @param enableIgnoreTboot whether or not to validate the ignore tboot
|
||||||
|
*/
|
||||||
|
public void setIgnoreTbootEnabled(final boolean enableIgnoreTboot) {
|
||||||
|
this.pcrPolicy.setEnableIgnoretBoot(enableIgnoreTboot);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns whether or not to allow expired credentials and certificates to be considered
|
* Returns whether or not to allow expired credentials and certificates to be considered
|
||||||
* valid if their supply chain is otherwise verified.
|
* valid if their supply chain is otherwise verified.
|
||||||
@ -193,5 +231,17 @@ public class SupplyChainPolicy extends Policy {
|
|||||||
this.replaceEC = replaceEC;
|
this.replaceEC = replaceEC;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return the PCR Policy
|
||||||
|
*/
|
||||||
|
public PCRPolicy getPcrPolicy() {
|
||||||
|
return pcrPolicy;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param pcrPolicy to apply
|
||||||
|
*/
|
||||||
|
public void setPcrPolicy(final PCRPolicy pcrPolicy) {
|
||||||
|
this.pcrPolicy = pcrPolicy;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
121
HIRS_Utils/src/test/java/hirs/data/persist/PCRPolicyTest.java
Normal file
121
HIRS_Utils/src/test/java/hirs/data/persist/PCRPolicyTest.java
Normal file
@ -0,0 +1,121 @@
|
|||||||
|
package hirs.data.persist;
|
||||||
|
|
||||||
|
import org.testng.Assert;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Tests for the PCRPolicyTest class.
|
||||||
|
*/
|
||||||
|
public class PCRPolicyTest {
|
||||||
|
|
||||||
|
private static final String[] BASELINE_PCRS = new String[]{
|
||||||
|
"cc8695ee470cd21f32de41df451376d9e751cadb",
|
||||||
|
"b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236",
|
||||||
|
"b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236",
|
||||||
|
"b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236",
|
||||||
|
"e6e2c4ee5c8c79fa9ca827dd2b1b8341872a141f",
|
||||||
|
"e44e1f53a4f2b2eabcdc9f2a450d84c0c3999364",
|
||||||
|
"b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236",
|
||||||
|
"c18a8143298f26eff6b01c1c8d859b6583261467",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"335425f6d34a0a601b1debfd34752f90226253f5",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000"};
|
||||||
|
private static final String[] QUOTE_PCRS = new String[]{
|
||||||
|
"cc8695ee470cd21f32de41df451376d9e751cadb",
|
||||||
|
"b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236",
|
||||||
|
"b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236",
|
||||||
|
"b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236",
|
||||||
|
"e6e2c4ee5c8c79fa9ca827dd2b1b8341872a141f",
|
||||||
|
"e44e1f53a4f2b2eabcdc9f2a450d84c0c3999364",
|
||||||
|
"b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236",
|
||||||
|
"c18a8143298f26eff6b01c1c8d859b6583261467",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"96c28d350ed092531d3f6f27d05a58d9f5dd8765",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"335425f6d34a0a601b1debfd34752f90226253f5",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"ffffffffffffffffffffffffffffffffffffffff",
|
||||||
|
"ffffffffffffffffffffffffffffffffffffffff",
|
||||||
|
"ffffffffffffffffffffffffffffffffffffffff",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000",
|
||||||
|
"0000000000000000000000000000000000000000"};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test of testValidatePcrsPass method, of class PCRPolicy.
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testValidatePcrsPass() {
|
||||||
|
PCRPolicy instance = new PCRPolicy(BASELINE_PCRS);
|
||||||
|
instance.setEnableIgnoreIma(false);
|
||||||
|
instance.setEnableIgnoretBoot(false);
|
||||||
|
StringBuilder result = instance.validatePcrs(BASELINE_PCRS);
|
||||||
|
Assert.assertEquals(result.length(), 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test of testValidatePcrsFail method, of class PCRPolicy.
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testValidatePcrsFail() {
|
||||||
|
PCRPolicy instance = new PCRPolicy(BASELINE_PCRS);
|
||||||
|
instance.setEnableIgnoreIma(false);
|
||||||
|
instance.setEnableIgnoretBoot(false);
|
||||||
|
StringBuilder result = instance.validatePcrs(QUOTE_PCRS);
|
||||||
|
Assert.assertNotEquals(result.length(), 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test of testValidatePcrsFailIgnoreIma method, of class PCRPolicy.
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testValidatePcrsFailIgnoreIma() {
|
||||||
|
PCRPolicy instance = new PCRPolicy(BASELINE_PCRS);
|
||||||
|
instance.setEnableIgnoreIma(true);
|
||||||
|
instance.setEnableIgnoretBoot(false);
|
||||||
|
StringBuilder result = instance.validatePcrs(QUOTE_PCRS);
|
||||||
|
Assert.assertNotEquals(result.length(), 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test of testValidatePcrsFailIgnoreTBoot method, of class PCRPolicy.
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testValidatePcrsFailIgnoreTBoot() {
|
||||||
|
PCRPolicy instance = new PCRPolicy(BASELINE_PCRS);
|
||||||
|
instance.setEnableIgnoreIma(false);
|
||||||
|
instance.setEnableIgnoretBoot(true);
|
||||||
|
StringBuilder result = instance.validatePcrs(QUOTE_PCRS);
|
||||||
|
Assert.assertNotEquals(result.length(), 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test of testValidatePcrsPassIgnoreImaAndTBoot method, of class PCRPolicy.
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testValidatePcrsPassIgnoreImaAndTBoot() {
|
||||||
|
PCRPolicy instance = new PCRPolicy(BASELINE_PCRS);
|
||||||
|
instance.setEnableIgnoreIma(true);
|
||||||
|
instance.setEnableIgnoretBoot(true);
|
||||||
|
StringBuilder result = instance.validatePcrs(QUOTE_PCRS);
|
||||||
|
Assert.assertEquals(result.length(), 0);
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user