[#775] Adding Policy Tests to V3 (#776)

* Adding ACA Policy tests with modifications to related files

* Separating the system tests setup from the tests themselves + Splitting up ACA Policy Tests into different steps in workflow file

* Creating separate script for setting up system tests in workflow, and one script for running system tests locally. Adding details to system test steps.
This commit is contained in:
iadgovuser62 2024-06-07 06:28:25 -04:00 committed by GitHub
parent 4b72d9aee3
commit 7a1a6b73b0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 359 additions and 192 deletions


@ -5,13 +5,10 @@ LABEL org.opencontainers.image.description Tools for testing the build and deplo
# Purpose: This image is designed for HIRS Provisioner.Net testing on Rocky 9. It is meant to be used in
# the .ci, and does not automatically start the Provisioner upon running the container.
# Date Modified: 4/15/24
# Date Modified: 5/31/24
# Notes: The image to be built should be named "tpm2provisioner-dotnet-ci:latest".
# For local image build, use this command from the /HIRS/ directory to build the image:
# $ docker build -f ./.ci/docker/Dockerfile.tpm2provisioner_dotnet -t tpm2provisioner-dotnet-ci:latest .
# For manually running the Provisioner.Net using the TPM Simulator, first ensure that an ACA
# is running on port 8443. Then, run the setup script within this container using this command:
# $ ./.ci/setup/container/setup_tpm2provisioner_dotnet.sh
# REF can be specified as a docker run environment variable to select the HIRS branch to work with
ENV REF=main
@ -97,8 +94,4 @@ RUN echo "#!/bin/bash" > /tmp/auto_clone_branch && \
chmod 755 /tmp/auto_clone_branch
# Reset working directory
WORKDIR /hirs
# Copy script for running TPM Simulator
COPY ./.ci/setup/container/setup_tpm2provisioner_dotnet.sh /.ci/setup/container/
RUN chmod 755 /.ci/setup/container/setup_tpm2provisioner_dotnet.sh
WORKDIR /hirs


@ -21,7 +21,7 @@ services:
- aca
volumes:
- ../../:/HIRS
command: ["bash", "-c", "tail -f /dev/null;"]
command: ["bash", "-c", "/ibmswtpm2/src/tpm_server && tail -f /dev/null"]
networks:
hirs_aca_system_tests:
ipv4_address: ${HIRS_ACA_PROVISIONER_TPM2_IP}
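Review bot: The `&& tail -f /dev/null` after `/ibmswtpm2/src/tpm_server` only runs if the simulator exits with status 0; as far as I know tpm_server stays in the foreground, so the simulator is now effectively the container's main process and a crash takes the whole container down, after which every later `docker exec` in the test scripts fails with a "container not running" error instead of a TPM connection error. If fail-fast is intended, say so in a comment and run it as `exec /ibmswtpm2/src/tpm_server` so signals reach it; if not, background it, `"/ibmswtpm2/src/tpm_server & exec tail -f /dev/null"`, and let the setup script's TPM steps report the problem. Either way the simulator's TCP port is presumably reachable from the other containers on `hirs_aca_system_tests`, which is fine for an isolated CI network but worth a one-line note next to `command:`.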

81
.ci/setup/container/setup_tpm2provisioner_dotnet.sh Normal file → Executable file

@ -18,27 +18,23 @@ echo "*** Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${
done
echo "*** ACA is up!"
# Un-package Provisioner.NET RPM
cd /
yes | dnf install /hirs/HIRS_Provisioner.NET/hirs/bin/Release/net6.0/linux-x64/HIRS_Provisioner.NET.2.2.0.linux-x64.rpm 1> /dev/null
## Un-package Provisioner.NET RPM
yes | dnf install HIRS_Provisioner.NET/hirs/bin/Release/net6.0/linux-x64/HIRS_Provisioner.NET.2.2.0.linux-x64.rpm -y > /dev/null
# Start TPM simulator server
./ibmswtpm2/src/tpm_server 1> /dev/null &
echo "*** TPM Simulator Server has started"
# Create EK Certificate
cd /ibmtss/utils || exit
./startup 1> /dev/null
./createekcert -rsa 2048 -cakey cakey.pem -capwd rrrr -v 1> /dev/null
cd / || exit
echo "*** EK certificate has been created using IBMTSS CA Key"
# Initiate startup for IBMTSS Tools
pushd /ibmtss/utils
tpm2_startup -T mssim -c &
sleep 5
tpm2_nvdefine -T mssim -C o -a 0x2000A -s $(cat /hirs/.ci/setup/certs/ek_cert.der | wc -c) 0x1c00002
tpm2_nvwrite -T mssim -C o -i /hirs/.ci/setup/certs/ek_cert.der 0x1c00002
popd
# Writing to Provisioner.Net configurations file for modified aca port and efi prefix
cat <<APPSETTINGS_FILE > /usr/share/hirs/appsettings.json
{
"auto_detect_tpm": "TRUE",
"aca_address_port": "https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}",
"efi_prefix": "/boot/efi",
"efi_prefix": "/ci_test/boot/efi",
"paccor_output_file": "",
"event_log_file": "",
"hardware_manifest_collectors": "paccor_scripts",
@ -74,10 +70,57 @@ cat <<APPSETTINGS_FILE > /usr/share/hirs/appsettings.json
}
}
APPSETTINGS_FILE
cp /usr/share/hirs/appsettings.json /usr/share/hirs/appsettings_default.json
cat <<APPSETTINGS_FILE_HW > /usr/share/hirs/appsettings_hw.json
{
"auto_detect_tpm": "TRUE",
"aca_address_port": "https://172.19.0.2:8443",
"efi_prefix": "/ci_test/boot/efi",
"paccor_output_file": "/ci_test/hw.json",
"event_log_file": "/ci_test/binary_bios_measurements",
"hardware_manifest_collectors": "",
"linux_bios_vendor_file": "/ci_test/dmi/id/bios_vendor",
"linux_bios_version_file": "/ci_test/dmi/id/bios_version",
"linux_bios_date_file": "/ci_test/dmi/id/bios_date",
"linux_sys_vendor_file": "/ci_test/dmi/id/sys_vendor",
"linux_product_name_file": "/ci_test/dmi/id/product_name",
"linux_product_version_file": "/ci_test/dmi/id/product_version",
"linux_product_serial_file": "/ci_test/dmi/id/product_serial",
# Uploading CA Certificate to HIRS ACA Portal
curl -k -s -F "file=@/ibmtss/utils/certificates/cacert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
echo "*** CA Certificate has been uploaded to HIRS ACA Portal"
"Serilog": {
"Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
"Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
"MinimumLevel": {
"Default": "Debug",
"Override": {
"Microsoft": "Warning",
"System": "Warning"
}
},
"WriteTo": [
{
"Name": "Console",
"Args": {
"outputTemplate": "{Message}{NewLine}",
"theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
"restrictedToMinimumLevel": "Information"
}
},
{
"Name": "File",
"Args": {
"path": "hirs.log",
"rollingInterval": "Day",
"retainedFileCountLimit": 5
}
}
]
}
}
APPSETTINGS_FILE_HW
# Starting Provisioning
./usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim
# Triggering a single provision for test
echo "==========="
echo "*** INITIAL TEST: Single Provision with Default Policy:"
echo "==========="
/usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim
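Review bot: `appsettings_hw.json` hard-codes `"aca_address_port": "https://172.19.0.2:8443"` while the default `appsettings.json` written just above derives it from `${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}`; if the .env addressing ever changes, the hardware-profile tests will silently talk to the wrong ACA. Use the same expansion in both heredocs: `"aca_address_port": "https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}",`. The `tpm2_startup -T mssim -c &` followed by `sleep 5` is a timing guess, and `tpm2_nvdefine`/`tpm2_nvwrite` run regardless of whether startup completed and without checking their exit status, so a slow simulator yields a provisioner with no EK certificate in NV and a confusing failure later — run startup in the foreground and append `|| exit 1` to the two NV commands. The final "INITIAL TEST" provision likewise ignores the provisioner's result; only the log shows whether it passed.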

48
.ci/system-tests/container/pc_setup.sh Normal file → Executable file

@ -7,40 +7,35 @@
profile=$1
test=$2
tcgDir="/boot/tcg"
compscript="$profile"_"$test"_allcomponents.sh
hwlist="$profile"_"$test"_hw.json
testDir="/HIRS/.ci/system-tests/profiles/$profile/$test"
pcDir=$testDir/platformcerts
profileDir="/HIRS/.ci/system-tests/profiles/$profile"
ciTestDir="/ci_test"
tcgDir="$ciTestDir/boot/efi/EFI/tcg/cert/platform/"
# Current TCG folder for platform certs, likely to change with release of the next FIM specification
tcgDir=/boot/tcg/cert/platform/
# Profile selections
profileDir="/hirs/.ci/system-tests/profiles/$profile"
testDir="$profileDir/$test"
pcDir="$testDir/platformcerts"
dmiZip="$profileDir/$profile"_dmi.zip
hwJsonFileName="$profile"_"$test"_hw.json
hwJsonFile="$testDir/$hwJsonFileName"
ciTestHwJsonFile="$ciTestDir/hw.json"
# Current TCG folder for platform certs
mkdir -p $tcgDir; # Create the platform cert folder if its not there
rm -f $tcgDir*; # Clear out any previous data
echo "Test is using platform cert(s) from $profile : $test"
# Step 1: Copy allcomponents script to the paccor/scripts folder if there is one.
# Use the default if test does not have a test specific file.
allCompScript=/HIRS/.ci/system-tests/profiles/$profile/$test/$compscript
if [ ! -f "$allCompScript" ]; then
allCompScript=/HIRS/.ci/system-tests/profiles/"$profile"/default/"$profile"_default_allcomponents.sh
# Step 1: Copy hw json file, if it exists.
if [ -f "$hwJsonFile" ]; then
cp "$hwJsonFile" "$ciTestHwJsonFile"
fi
cp -f $allCompScript /opt/paccor/scripts/allcomponents.sh;
# Step 2: Copy allcomponents json file to the paccor/scripts folder if there is one
# Use the default if test does not have a test specific file.
# Can remove this once unzip is added to the image
dnf install -y unzip &> /dev/null
allCompJson=/HIRS/.ci/system-tests/profiles/$profile/$test/$hwlist;
if [ ! -f "$allCompJson" ]; then
allCompJson=/HIRS/.ci/system-tests/profiles/"$profile"/default/"$profile"_default_hw.json
fi
cp -f $allCompJson /opt/paccor/scripts/$hwlist ;
# Step 2: Unpack the dmi files.
unzip -o "$dmiZip" -d "$ciTestDir"
# Step 3: Copy the platform cert to tcg folder on boot drive
# a: See if test specific swidtag folder exists, if not use the defualt folder
# Step 3: Copy the platform cert to tcg folder
if [[ ! -d $pcDir ]]; then
pcDir=$profileDir/default/platformcerts;
fi
@ -53,6 +48,3 @@ if [[ ! -f ".gitignore" ]]; then
fi
popd > /dev/null
# Step 4: Make some data available for debugging
bash /opt/paccor/scripts/allcomponents.sh > /var/log/hirs/provisioner/allcomponents.output.log
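Review bot: `unzip -o "$dmiZip" -d "$ciTestDir"` runs without checking that the profile's `<profile>_dmi.zip` exists and no `set -e` is in effect, so a missing or mis-named archive prints an unzip error and the provisioner then reads whatever `/ci_test/dmi/id/*` the previous test left behind (or nothing); guard it with `[[ -f "$dmiZip" ]] || { echo "missing DMI archive $dmiZip"; exit 1; }`. The hw.json copy in Step 1 has the same shape — it is skipped silently when the file is absent, where the old code fell back to `<profile>_default_hw.json` — so a stale `/ci_test/hw.json` can leak between tests. This script now reads profiles from `/hirs/...` while `rim_setup.sh` in the same commit still uses `/HIRS/...`; if those are different trees (branch clone vs. bind mount) the two setup steps can pull fixtures from different revisions. `dnf install -y unzip` at test time adds a network dependency to every run; the comment already says it belongs in the image.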


@ -7,9 +7,10 @@
profile=$1
test=$2
options=$3
tcgDir="/boot/tcg"
propFile="/etc/hirs/tcg_boot.properties";
ciTestDir="/ci_test"
tcgDir="$ciTestDir/boot/efi/EFI/tcg"
# Profile selections
profileDir="/HIRS/.ci/system-tests/profiles/$profile"
defaultDir="$profileDir/default"
testDir="/HIRS/.ci/system-tests/profiles/$profile/$test"
@ -17,8 +18,7 @@ eventLog="$testDir"/"$profile"_"$test"_binary_bios_measurements
swidDir="$testDir/swidtags"
rimDir="$testDir/rims"
pcrScript="$testDir/"$profile"_"$test"_setpcrs.sh"
source /HIRS/.ci/setup/container/tpm2_common.sh
ciTestEventLog="$ciTestDir/binary_bios_measurements"
echo "Test is using RIM files from $profile : $test"
@ -29,15 +29,9 @@ rm -f $tcgDir/manifest/rim/*; # clear out any previous data
mkdir -p $tcgDir/manifest/swidtag/; # Create the platform cert folder if its not there
rm -f $tcgDir/manifest/swidtag/*; # clear out any previous data
# Step 1: Update the tcg_boot.properties to use test specific binary_bios_measurement file
# a: if file does not exist in the test folder then use the default measurement file
# b: change the property file to point to the the test file
if [[ ! -f "$eventLog" ]]; then
eventLog="$defaultDir"/"$profile"_default_binary_bios_measurements
fi
sed -i "s:tcg.event.file=.*:tcg.event.file=$eventLog:g" "$propFile"
#echo "eventLog used was $eventLog"
# Step 1: Copy binary_bios_measurement file
echo "eventLog used was $eventLog"
cp "$eventLog" "$ciTestEventLog"
# Step 2: Copy Base RIM files to the TCG folder
# a: See if test specific swidtag folder exists, if not use the defualt folder
@ -64,16 +58,10 @@ pushd $rimDir > /dev/null
fi
popd > /dev/null
# echo "Contents of tcg swidtag folder $tcgDir/manifest/swidtag/ : $(ls $tcgDir/manifest/swidtag/)"
# echo "Contents of tcg rim folder tcgDir/manifest/rim/: $(ls $tcgDir/manifest/rim/)"
#Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file
# a: Clear the TPM PCR registers vi a call to the tss clear
# b: Check if a test specific setpcr.sh file exists. If not use the profiles default script
if [[ $options == "clear" ]]; then
resetTpm2Emulator
fi
if [[ ! -f $pcrScript ]]; then
pcrScript="$profileDir/default/"$profile"_default_setpcrs.sh"
@ -82,4 +70,4 @@ sh $pcrScript;
#echo "PCR script was $pcrScript"
#tpm2_pcrlist -g sha256
# Done with rim_setup
# Done with rim_setup
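Review bot: The fallback to `<profile>_default_binary_bios_measurements` was dropped together with the sed step, so when a test folder has no event log `cp "$eventLog" "$ciTestEventLog"` fails and, with no `set -e`, the script carries on with whatever `/ci_test/binary_bios_measurements` the previous test left behind — silent cross-test contamination rather than a failure. Restore the default before the copy and make the copy fatal: `[[ -f "$eventLog" ]] || eventLog="$defaultDir/${profile}_default_binary_bios_measurements"` and `cp "$eventLog" "$ciTestEventLog" || exit 1`. `options=$3` is still accepted but nothing reads it now that the `clear`/`resetTpm2Emulator` branch is gone; since the setpcrs script extends PCRs rather than setting them, a second `setRims` call in one run would presumably stack on the earlier values, so either document that callers must supply a fresh simulator or restore the reset. `profileDir`/`testDir` here still point at `/HIRS/...` while `pc_setup.sh` in this commit moved to `/hirs/...`; worth aligning so both read the same tree.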


@ -2,44 +2,44 @@
# This file will set the tpm emulators PCR values to match the dell8850 event log.
tpm2_pcrextend 0:sha256=38dc62a7c4ba6f19930538c1704b5a97f20f19e802951aab7e78ced610a3df5f -Q
tpm2_pcrextend 0:sha256=d4720b4009438213b803568017f903093f6bea8ab47d283db32b6eabedbbf155 -Q
tpm2_pcrextend 0:sha256=2649fffc46f2044e2d683712fb59ce10ccfcbeb91d541cbe117d9c2d459da273 -Q
tpm2_pcrextend 0:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
tpm2_pcrextend 0:sha256=38dc62a7c4ba6f19930538c1704b5a97f20f19e802951aab7e78ced610a3df5f -T mssim
tpm2_pcrextend 0:sha256=d4720b4009438213b803568017f903093f6bea8ab47d283db32b6eabedbbf155 -T mssim
tpm2_pcrextend 0:sha256=2649fffc46f2044e2d683712fb59ce10ccfcbeb91d541cbe117d9c2d459da273 -T mssim
tpm2_pcrextend 0:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim
tpm2_pcrextend 1:sha256=cbb15df37b131921890da0973ed097d567123b08e3fa6449e33a6acd15385be0 -Q
tpm2_pcrextend 1:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
tpm2_pcrextend 1:sha256=4e93b6abf5532ff7a4da93769c41874f62cef02a9abc60b6baa62227762e5964 -Q
tpm2_pcrextend 1:sha256=9ad0d8e4e4b6b80386f43e747d0e8f4a55a860bae1fbbf54c588fd474b30a1da -Q
tpm2_pcrextend 1:sha256=fd662842e607c5800389f2d3073cb26100ce4b5f93d9e62e6b139813141a4173 -Q
tpm2_pcrextend 1:sha256=cbb15df37b131921890da0973ed097d567123b08e3fa6449e33a6acd15385be0 -T mssim
tpm2_pcrextend 1:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim
tpm2_pcrextend 1:sha256=4e93b6abf5532ff7a4da93769c41874f62cef02a9abc60b6baa62227762e5964 -T mssim
tpm2_pcrextend 1:sha256=9ad0d8e4e4b6b80386f43e747d0e8f4a55a860bae1fbbf54c588fd474b30a1da -T mssim
tpm2_pcrextend 1:sha256=fd662842e607c5800389f2d3073cb26100ce4b5f93d9e62e6b139813141a4173 -T mssim
tpm2_pcrextend 2:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
tpm2_pcrextend 2:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim
tpm2_pcrextend 3:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
tpm2_pcrextend 3:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim
tpm2_pcrextend 4:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
tpm2_pcrextend 4:sha256=dda0121dcf167db1e2622d10f454701837ac6af304a03ec06b3027904988c56b -Q
tpm2_pcrextend 4:sha256=afb8038e914c99969dd828b58289ff2f820fb785025f21a92cc48651ebc13005 -Q
tpm2_pcrextend 4:sha256=f80bdf3a58ec348742486e439f3c75a962043931f7cacd1e9bb8e6bf0cb2df9a -Q
tpm2_pcrextend 4:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim
tpm2_pcrextend 4:sha256=dda0121dcf167db1e2622d10f454701837ac6af304a03ec06b3027904988c56b -T mssim
tpm2_pcrextend 4:sha256=afb8038e914c99969dd828b58289ff2f820fb785025f21a92cc48651ebc13005 -T mssim
tpm2_pcrextend 4:sha256=f80bdf3a58ec348742486e439f3c75a962043931f7cacd1e9bb8e6bf0cb2df9a -T mssim
tpm2_pcrextend 5:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
tpm2_pcrextend 5:sha256=ef4c76c6a2226cb891be17a65f5a3035889979b5a1b1a246224ee7120dda3efa -Q
tpm2_pcrextend 5:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim
tpm2_pcrextend 5:sha256=ef4c76c6a2226cb891be17a65f5a3035889979b5a1b1a246224ee7120dda3efa -T mssim
tpm2_pcrextend 6:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
tpm2_pcrextend 6:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim
tpm2_pcrextend 7:sha256=ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e -Q
tpm2_pcrextend 7:sha256=2abfe9865a654102acb12f0fefe52dc4d01bce40901410eb3dadaf212700a2b7 -Q
tpm2_pcrextend 7:sha256=63a525134bfbc242058c0e6b42794f8b1d142d13029a9aa38a3272c5ca2390c5 -Q
tpm2_pcrextend 7:sha256=ad1850a4885628d86273bad743779c9e665db060236270b5d24dd98f3a22fe86 -Q
tpm2_pcrextend 7:sha256=f0bf49c6a2d3e170077f1f66875d6cb9b2aa382060cac5c0b645660bb95bc058 -Q
tpm2_pcrextend 7:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
tpm2_pcrextend 7:sha256=4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9 -Q
tpm2_pcrextend 7:sha256=87ee47938723178072c0b0ed3ff7575e82ca37f0634a1a67d15d4d5ce53e8dab -Q
tpm2_pcrextend 7:sha256=194c8cf6648963b6574271d6c86d250a381ea0346749a355576fa95f5b6e1dae -Q
tpm2_pcrextend 7:sha256=ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e -T mssim
tpm2_pcrextend 7:sha256=2abfe9865a654102acb12f0fefe52dc4d01bce40901410eb3dadaf212700a2b7 -T mssim
tpm2_pcrextend 7:sha256=63a525134bfbc242058c0e6b42794f8b1d142d13029a9aa38a3272c5ca2390c5 -T mssim
tpm2_pcrextend 7:sha256=ad1850a4885628d86273bad743779c9e665db060236270b5d24dd98f3a22fe86 -T mssim
tpm2_pcrextend 7:sha256=f0bf49c6a2d3e170077f1f66875d6cb9b2aa382060cac5c0b645660bb95bc058 -T mssim
tpm2_pcrextend 7:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim
tpm2_pcrextend 7:sha256=4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9 -T mssim
tpm2_pcrextend 7:sha256=87ee47938723178072c0b0ed3ff7575e82ca37f0634a1a67d15d4d5ce53e8dab -T mssim
tpm2_pcrextend 7:sha256=194c8cf6648963b6574271d6c86d250a381ea0346749a355576fa95f5b6e1dae -T mssim
tpm2_pcrextend 14:sha256=9fa163e06ff76a9f0d0262151328aa38f903495bc81ebcbd5bc40fcdbebb4a63 -Q
tpm2_pcrextend 14:sha256=8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0 -Q
tpm2_pcrextend 14:sha256=9fa163e06ff76a9f0d0262151328aa38f903495bc81ebcbd5bc40fcdbebb4a63 -T mssim
tpm2_pcrextend 14:sha256=8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0 -T mssim
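Review bot: Dropping `-Q` means each of these `tpm2_pcrextend` calls now prints to the test log, but none checks its exit status and the script is run as `sh $pcrScript` from `rim_setup.sh` without `set -e`; if the simulator is unreachable the log fills with errors while the test continues against untouched PCRs. Add `set -e` at the top of the file (or keep `-Q` and append `|| exit 1` to each line) so a failed extend fails the test. `-T mssim` without host/port relies on the mssim tcti default (localhost:2321), which matches the provisioner's `--tcp --ip 127.0.0.1:2321`; a one-line comment noting that the two must agree would help the next person who moves the simulator.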

38
.ci/system-tests/run_system_tests.sh Normal file → Executable file

@ -1,11 +1,12 @@
#!/bin/bash
#########################################################################################
# Script to run the System Tests for HIRS TPM 2.0 Provisoner
# Notes for running manually/locally (not from GitHub Actions)
# Script to Locally run the System Tests for HIRS TPM 2.0 Provisoner
# *** INTENDED FOR LOCAL SYSTEM TESTING, NOT FOR WORKFLOW RUNS ***
# Notes for running manually/locally
# 1. Uncomment the "cd ../.." line below to make working directory = /HIRS/
# 2. Run with the desired HIRS branch as an argument (i.e. $./run_system_tests.sh main)
#########################################################################################
# cd ../..
#cd ../..
# Setting variables
aca_container=hirs-aca1
@ -16,28 +17,33 @@ echo "******** Setting up for HIRS System Tests for TPM 2.0 ******** "
docker compose -f ./.ci/docker/docker-compose-system-test.yml up -d
# Setting up and Starting ACA + Switching to current/desired branch in ACA Container
docker exec $aca_container sh -c "cd / && ./tmp/auto_clone_branch $1 > /dev/null 2>&1 \
&& cd hirs && echo 'ACA Container Current Branch: ' && git branch \
&& cd / && ./hirs/package/linux/aca/aca_setup.sh --unattended 1> /dev/null \
&& ./tmp/hirs_add_aca_tls_path_to_os.sh 1> /dev/null \
&& cd hirs && ./package/linux/aca/aca_bootRun.sh 1> /dev/null" &
docker exec $aca_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
&& echo 'ACA Container Current Branch: ' && git branch \
&& /hirs/package/linux/aca/aca_setup.sh --unattended 1> /dev/null \
&& /tmp/hirs_add_aca_tls_path_to_os.sh 1> /dev/null \
&& /hirs/package/linux/aca/aca_bootRun.sh 1> /dev/null" &
# Switching to current/desired branch in Provisioner Container
docker exec $tpm2_container sh -c "cd / && ./tmp/auto_clone_branch $1 > /dev/null 2>&1 \
&& cd hirs && echo 'Provisioner Container Current Branch: ' && git branch"
docker exec $tpm2_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
&& echo 'Provisioner Container Current Branch: ' && git branch"
# Install HIRS Provisioner.Net and setup tpm2 simulator.
# In doing so, tests a single provision between Provisioner.Net and ACA.
docker exec $tpm2_container /.ci/setup/container/setup_tpm2provisioner_dotnet.sh
echo "Launching provisioner setup"
docker exec $tpm2_container sh /hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh
# Initiating System Tests
echo "******** Setup Complete. Beginning HIRS System Tests. ******** "
./.ci/system-tests/tests/aca_policy_tests.sh
#./.ci/system-tests/tests/platform_cert_tests.sh
#./.ci/system-tests/tests/rim_system_tests.sh
# HERE is where other system tests will be called, including:
# aca_policy_tests.sh, platform_cert_tests.sh, rim_system_tests.sh
echo "******** HIRS System Tests Complete ******** "
# Collecting ACA and Provisioner.Net logs for workflow artifact
echo "*** Extracting ACA and Provisioner.Net logs ..."
docker exec $aca_container sh -c "cd .. && mkdir -p /HIRS/logs/aca/ && cp -arp /var/log/hirs/* /HIRS/logs/aca/"
docker exec $tpm2_container sh -c "cd .. && mkdir -p /HIRS/logs/provisioner/ && cp -ap hirs*.log /HIRS/logs/provisioner/ && chmod -R 777 /HIRS/logs"
docker exec $aca_container sh -c "mkdir -p /HIRS/logs/aca/ && cp -arp /var/log/hirs/* /HIRS/logs/aca/"
docker exec $tpm2_container sh -c "mkdir -p /HIRS/logs/provisioner/ && cp -ap hirs*.log /HIRS/logs/provisioner/ && chmod -R 777 /HIRS/logs"
# Clean up services and network
echo "*** Exiting and removing Docker containers and network ..."
@ -52,4 +58,4 @@ if [[ ${TEST_STATUS} == "0" ]]; then
echo "******** FAILURE: System Tests for TPM 2.0 failed ********"
echo "TEST_STATUS=1" >> $GITHUB_ENV
exit 1
fi
fi
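Review bot: `echo "TEST_STATUS=1" >> $GITHUB_ENV` is still executed by a script whose new header says it is for local runs only; locally `GITHUB_ENV` is unset, so bash reports an ambiguous redirect, the echo fails and, with no `set -e`, the script still reaches `exit 1` — harmless but noisy, and the success branch above presumably does the same. Guard it: `[[ -n "$GITHUB_ENV" ]] && echo "TEST_STATUS=1" >> "$GITHUB_ENV"`. Separately, the branch argument is spliced unquoted into a double-quoted `sh -c "..."` string in the `docker exec` lines earlier in this file, so a branch name containing shell metacharacters is executed inside the container; pass it positionally instead, e.g. `sh -c '/tmp/auto_clone_branch "$1" > /dev/null 2>&1 && ...' _ "$1"`. Since this file and `setup_system_tests.sh` now share roughly twenty identical lines, consider having the local script source the workflow script for its setup phase so fixes land in one place.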


@ -0,0 +1,33 @@
#!/bin/bash
#########################################################################################
# Script to run the System Tests for HIRS TPM 2.0 Provisoner from GitHub Workflow
# *** INTENDED FOR WORKFLOW RUNS, NOT FOR LOCAL SYSTEM TESTING ***
# For local system testing, use run_system_tests.sh instead
#########################################################################################
# Setting variables
aca_container=hirs-aca1
tpm2_container=hirs-provisioner1-tpm2
# Start System Testing Docker Environment
echo "******** Setting up for HIRS System Tests for TPM 2.0 ******** "
docker compose -f ./.ci/docker/docker-compose-system-test.yml up -d
# Setting up and Starting ACA + Switching to current/desired branch in ACA Container
docker exec $aca_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
&& echo 'ACA Container Current Branch: ' && git branch \
&& /hirs/package/linux/aca/aca_setup.sh --unattended 1> /dev/null \
&& /tmp/hirs_add_aca_tls_path_to_os.sh 1> /dev/null \
&& /hirs/package/linux/aca/aca_bootRun.sh 1> /dev/null" &
# Switching to current/desired branch in Provisioner Container
docker exec $tpm2_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
&& echo 'Provisioner Container Current Branch: ' && git branch"
# Install HIRS Provisioner.Net and setup tpm2 simulator.
# In doing so, tests a single provision between Provisioner.Net and ACA.
echo "Launching provisioner setup"
docker exec $tpm2_container sh /hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh
# Initiating System Tests
echo "******** Setup Complete. Beginning HIRS System Tests. ******** "
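Review bot: `$1` (presumably the branch/ref passed from the workflow) is interpolated unquoted into a double-quoted `sh -c "..."` string in both `docker exec` calls, so the container's shell re-parses it and a value with spaces or metacharacters becomes command injection into the ACA and provisioner containers; pass it as a positional parameter instead: `docker exec $aca_container sh -c '/tmp/auto_clone_branch "$1" > /dev/null 2>&1 && ...' _ "$1"`. Nothing checks that the clone succeeded: the `&&` chain just stops, the ACA never starts, and the provisioner setup that follows waits for it (its wait loop lives in setup_tpm2provisioner_dotnet.sh; whether it is bounded is not visible here). The ACA chain is also backgrounded with `&` and never `wait`ed, so its exit status is lost. A `set -euo pipefail` and a header comment documenting the single argument would make these failure modes explicit.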


@ -3,6 +3,11 @@
# Common functions used for HIRS system tests
#
#########################################################################################
. ./.ci/docker/.env && set -a
# Setting variables
aca_container=hirs-aca1
tpm2_container=hirs-provisioner1-tpm2
# Check container status and abort if container is not running
checkContainerStatus() {
@ -21,53 +26,57 @@ fi
# clear all policy settings
setPolicyNone() {
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=0, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
}
# Policy Settings for tests ...
setPolicyEkOnly() {
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
}
setPolicyEkPc_noAttCheck() {
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=1,
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
}
setPolicyEkPc() {
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
}
setPolicyEkPcFw() {
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;"
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
utcValidationEnabled=0, firmwareValidationEnabled=1, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=1, ignoretBootEnabled=0;"
}
# Clear all ACA DB items including policy
# Clear all ACA DB items excluding policy
clearAcaDb() {
docker exec $aca_container mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
AppraisalResult;truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate
ComponentInfo;truncate Device;truncate DeviceInfoReport;truncate IMADeviceState;truncate IMAMeasurementRecord;truncate
ImaBlacklistRecord;truncate ImaIgnoreSetRecord;truncate IntegrityReport;truncate IntegrityReports_Reports_Join;truncate
RepoPackage_IMABaselineRecord;truncate Report;truncate ReportMapper;truncate ReportRequestState;truncate ReportSummary;truncate
State;truncate SupplyChainValidation;truncate SupplyChainValidationSummary;truncate ReferenceManifest;truncate
ReferenceDigestRecord; truncate ReferenceDigestValue; truncate
SupplyChainValidationSummary_SupplyChainValidation;truncate TPM2ProvisionerState;truncate TPMBaselineRecords;truncate
TPMDeviceState;truncate TPMReport;truncate TPMReport_pcrValueList; set foreign_key_checks=1;"
docker exec hirs-aca1 mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Appraiser;
truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate ComponentAttributeResult;
truncate ComponentInfo;truncate ComponentResult;truncate Device;truncate DeviceInfoReport;truncate PortalInfo;
truncate ReferenceDigestValue;truncate ReferenceManifest;truncate Report;truncate SupplyChainValidation;
truncate SupplyChainValidationSummary;truncate SupplyChainValidationSummary_SupplyChainValidation;
truncate TPM2ProvisionerState;set foreign_key_checks=1;"
}
# Upload Certs to the ACA DB
uploadTrustedCerts() {
pushd ../setup/certs > /dev/null
curl -k -s -F "file=@ca.crt" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
curl -k -s -F "file=@RIMCaCert.pem" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
curl -k -s -F "file=@RimSignCert.pem" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
popd > /dev/null
# Create EK Cert from IBMTSS Tools
# docker exec $tpm2_container sh -c "pushd /ibmtss/utils > /dev/null \
# && ./createekcert -rsa 2048 -cakey cakey.pem -capwd rrrr -v 1> /dev/null \
# && popd > /dev/null"
# Upload CA Cert from IBMTSS Tools
docker exec $tpm2_container sh -c "pushd /ibmtss/utils/certificates > /dev/null \
&& curl -k -s -F 'file=@cacert.pem' https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload \
&& popd > /dev/null"
# Upload Trusted Certs from HIRS
pushd .ci/setup/certs > /dev/null
curl -k -s -F "file=@ca.crt" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
curl -k -s -F "file=@RIMCaCert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
curl -k -s -F "file=@RimSignCert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
popd > /dev/null
}
# provision_tpm2 takes one parameter which is the expected result of the provion: "pass" or "fail"
@ -76,23 +85,23 @@ popd > /dev/null
provisionTpm2() {
expected_result=$1
((totalTests++))
provisionOutput=$(docker exec $tpm2_container tpm_aca_provision);
provisionOutput=$(docker exec $tpm2_container sh -c "/usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim");
echo "==========="
echo "$provisionOutput";
echo "===========";
if [[ $provisionOutput == *"failed"* ]]; then
if [[ $expected_result == "pass" ]]; then
((failedTests++))
echo "!!! Provisiong failed, but was expected to pass"
echo "!!! Provisioning failed, but was expected to pass"
else
echo "Provisiong failed as expected."
echo "Provisioning failed as expected."
fi
else # provisioning succeeded
if [[ $expected_result == "fail" ]]; then
((failedTests++))
echo "!!! Provisiong passed, but was expected to fail"
echo "!!! Provisioning passed, but was expected to fail"
else
echo "Provisiong passed as expected."
echo "Provisioning passed as expected."
fi
fi
}
@ -100,23 +109,27 @@ provisionTpm2() {
# Places platform cert(s) held in the test folder(s) in the provisioners tcg folder
# setPlatCert <profile> <test>
setPlatformCerts() {
docker exec $tpm2_container sh /HIRS/.ci/system-tests/container/pc_setup.sh $1 $2
docker exec $tpm2_container sh /hirs/.ci/system-tests/container/pc_setup.sh $1 $2
#docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
}
# Places RIM files held in the test folder in the provisioners tcg folder
# setRims <profile> <test>
setRims() {
docker exec $tpm2_container sh /HIRS/.ci/system-tests/container/rim_setup.sh $1 $2 $3
docker exec $tpm2_container sh /hirs/.ci/system-tests/container/rim_setup.sh $1 $2 $3
#docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
}
setPlatformOutput() {
docker exec $tpm2_container cp /usr/share/hirs/appsettings_hw.json /usr/share/hirs/appsettings.json
}
# Writes to the Action ouput, ACA log, and Provisioner Log
# Used for marking the start of system tests and noting the result
# write_to_logs <log statement>
writeToLogs() {
line=$1
echo $line;
docker exec $aca_container sh -c "echo '$line' >> /var/log/tomcat/HIRS_AttestationCA.log"
docker exec $aca_container sh -c "cd .. && echo '$line' >> /var/log/hirs/HIRS_AttestationCA_Portal.log"
# docker exec $tpm2_container sh -c "echo '$line' >> /var/log/hirs/provisioner/HIRS_provisionerTPM2.log"
}
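Review bot: `. ./.ci/docker/.env && set -a` has the two steps in the wrong order — `set -a` only affects assignments made after it, so nothing from `.env` is exported, and allexport then stays on for every variable the rest of the test scripts assign. If the intent is only to read `HIRS_ACA_PORTAL_IP`/`HIRS_ACA_PORTAL_PORT` for the curl and docker lines in this file, sourcing alone is enough; if they must reach child processes, use `set -a; . ./.ci/docker/.env; set +a`. The path is relative, so this file (like `uploadTrustedCerts`'s `pushd .ci/setup/certs`) silently assumes the caller's cwd is the repo root; `[[ -f ./.ci/docker/.env ]] || { echo "run from the HIRS root"; exit 1; }` would turn that into a clear error. In `clearAcaDb` the container is spelled `hirs-aca1` instead of the `$aca_container` defined at the top of this file; use the variable. The `mysql -u root -proot` credential on the command line is pre-existing and acceptable for a throwaway CI container, but the rewritten policy functions now repeat the whole connection string six times, so a small `acaSql() { docker exec "$aca_container" mysql -u root -proot -D hirs_db -e "$1"; }` helper would keep it in one place.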

94
.ci/system-tests/tests/aca_policy_tests.sh Normal file → Executable file

@ -3,44 +3,76 @@
# HIRS ACA Policy System Tests
#
#########################################################################################
source ./.ci/system-tests/sys_test_common.sh
testResult=false
totalTests=0;
failedTests=0;
test="all"
case $1 in
1) test="1" ;;
2) test="2" ;;
3) test="3" ;;
4) test="4" ;;
5) test="5" ;;
6) test="6" ;;
7) test="7" ;;
8) test="8" ;;
esac
# Start ACA Policy Tests
# provisionTpm2 takes 1 parameter (the expected result): "pass" or "fail"
writeToLogs "### ACA POLICY TEST 1: Test ACA default policy ###"
setPlatformCerts "laptop" "empty"
provisionTpm2 "pass"
writeToLogs "### ACA POLICY TEST 2: Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store ###"
setPolicyEkOnly
provisionTpm2 "fail"
writeToLogs "### ACA POLICY TEST 3: Test EK Only Validation Policy ###"
uploadTrustedCerts
provisionTpm2 "pass"
writeToLogs "### ACA POLICY TEST 4: Test PC Validation Policy with no PC ###"
setPolicyEkPc_noAttCheck
provisionTpm2 "fail"
writeToLogs "### ACA POLICY TEST 5: Test FW and PC Validation Policy with no PC ###"
setPolicyEkPcFw
provisionTpm2 "fail"
writeToLogs "### ACA POLICY TEST 6: Test PC Validation Policy with valid PC ###"
clearAcaDb
setPolicyEkPc
uploadTrustedCerts
setPlatformCerts "laptop" "default"
provisionTpm2 "pass"
writeToLogs "### ACA POLICY TEST 7: Test PC with RIM Validation Policy with valid PC and RIM ###"
setPolicyEkPcFw
setRims "laptop" "default" "none"
provisionTpm2 "pass"
if [ "$test" = "1" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 1: Test ACA default policy ###"
setPlatformCerts "laptop" "empty"
provisionTpm2 "pass"
fi
if [ "$test" = "2" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 2: Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store ###"
setPolicyEkOnly
provisionTpm2 "fail"
fi
if [ "$test" = "3" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 3: Test EK Only Validation Policy ###"
uploadTrustedCerts
provisionTpm2 "pass"
fi
if [ "$test" = "4" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 4: Test PC Validation Policy with no PC ###"
setPolicyEkPc_noAttCheck
provisionTpm2 "fail"
fi
if [ "$test" = "5" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 5: Test FW and PC Validation Policy with no PC ###"
setPolicyEkPcFw
provisionTpm2 "fail"
fi
if [ "$test" = "6" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 6: Test PC Validation Policy with valid PC with no Attribute Check ###"
clearAcaDb
setPolicyEkPc_noAttCheck
uploadTrustedCerts
setPlatformCerts "laptop" "default"
provisionTpm2 "pass"
fi
if [ "$test" = "7" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 7: Test PC Validation Policy with valid PC with Attribute Check ###"
clearAcaDb
setPolicyEkPc
uploadTrustedCerts
setPlatformCerts "laptop" "default"
setPlatformOutput
provisionTpm2 "pass"
fi
if [ "$test" = "8" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 8: Test PC with RIM Validation Policy with valid PC and RIM ###"
clearAcaDb
setPolicyEkPcFw
uploadTrustedCerts
setPlatformCerts "laptop" "default"
setRims "laptop" "default"
provisionTpm2 "pass"
fi
# Process Test Results, any single failure will send back a failed result.
if [[ $failedTests != 0 ]]; then
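Review bot: The per-number branches for tests 3, 4 and 5 do not establish the state they rely on — test 3 only calls `uploadTrustedCerts` and inherits the EK-only policy left by test 2, and tests 4 and 5 inherit the certificates uploaded in test 3 — so `aca_policy_tests.sh 3` against a freshly set-up ACA does not appear to exercise the scenario its log line names, while tests 6–8 do set everything they need. If single-test invocation is meant to be self-contained, each branch should call its policy setter and `uploadTrustedCerts`; otherwise a header comment such as `# Test numbers must be run in order against the same ACA/provisioner containers: tests 2-5 depend on state left by the preceding test` would make the dependency explicit. The `case` block also has no `*)` branch, so an unrecognized argument (e.g. `9`) silently runs every test; `test="${1:-all}"` followed by a check that it is `all` or `1`–`8` would be shorter and stricter. Test 8 calls `setRims "laptop" "default"` with two arguments although the helper in sys_test_common.sh forwards a third; the result processing that starts at the last context line continues outside the hunk.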


@ -1,5 +1,5 @@
# This workflow will build HIRS, run system tests, and create artifacts consisting of ACA and Provisioner logs.
# Updated: 04/18/2024
# Updated: 06/05/2024
#
name: HIRS System Tests
on:
@ -21,14 +21,81 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: ACA TPM2 Tests
- name: ACA TPM2 System Tests Setup
continue-on-error: true
shell: bash
run: |
# If on a forked repo, ensure that it has a new secret for the PAT
# and replace secrets.GITHUB_TOKEN with the secret in the fork
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
bash .ci/system-tests/run_system_tests.sh ${GITHUB_REF#refs/heads/}
.ci/system-tests/setup_system_tests.sh ${GITHUB_REF#refs/heads/}
- name: ACA POLICY TEST 1 - Test ACA default policy
continue-on-error: true
shell: bash
run: |
.ci/system-tests/tests/aca_policy_tests.sh 1
- name: ACA POLICY TEST 2 - Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store
continue-on-error: true
shell: bash
run: |
.ci/system-tests/tests/aca_policy_tests.sh 2
- name: ACA POLICY TEST 3 - Test EK Only Validation Policy
continue-on-error: true
shell: bash
run: |
.ci/system-tests/tests/aca_policy_tests.sh 3
- name: ACA POLICY TEST 4 - Test PC Validation Policy with no PC
continue-on-error: true
shell: bash
run: |
.ci/system-tests/tests/aca_policy_tests.sh 4
- name: ACA POLICY TEST 5 - Test FW and PC Validation Policy with no PC
continue-on-error: true
shell: bash
run: |
.ci/system-tests/tests/aca_policy_tests.sh 5
- name: ACA POLICY TEST 6 - Test PC Validation Policy with valid PC with no Attribute Check
continue-on-error: true
shell: bash
run: |
.ci/system-tests/tests/aca_policy_tests.sh 6
- name: ACA POLICY TEST 7 - Test PC Validation Policy with valid PC with Attribute Check
continue-on-error: true
shell: bash
run: |
.ci/system-tests/tests/aca_policy_tests.sh 7
- name: ACA POLICY TEST 8 - Test PC with RIM Validation Policy with valid PC and RIM
continue-on-error: true
shell: bash
run: |
.ci/system-tests/tests/aca_policy_tests.sh 8
# - name: All ACA Policy Tests 1-8
# continue-on-error: true
# shell: bash
# run: |
# .ci/system-tests/tests/aca_policy_tests.sh
- name: Copy System Test Log files
continue-on-error: true
shell: bash
run: |
echo "*** Extracting ACA and Provisioner.Net logs ..."
docker exec hirs-aca1 bash -c "mkdir -p /HIRS/logs/aca/ && cp -arp /var/log/hirs/* /HIRS/logs/aca/"
docker exec hirs-provisioner1-tpm2 bash -c "mkdir -p /HIRS/logs/provisioner/ && cp -ap hirs*.log /HIRS/logs/provisioner/ && chmod -R 777 /HIRS/logs"
- name: Docker Compose Down
continue-on-error: true
shell: bash
run: |
echo "*** Exiting and removing Docker containers and network ..."
docker compose -f .ci/docker/docker-compose-system-test.yml down -v
if [[ ${TEST_STATUS} == "0" ]]; then
echo "******** SUCCESS: System Tests for TPM 2.0 passed ********"
echo "TEST_STATUS=0" >> $GITHUB_ENV
exit 0;
else
echo "******** FAILURE: System Tests for TPM 2.0 failed ********"
echo "TEST_STATUS=1" >> $GITHUB_ENV
exit 1
fi
- name: Archive System Test Log files
uses: actions/upload-artifact@v4
with: