supplychainvalidationsummary will look up rims by ID (#805)
* Lookup here needed summary id from device object * Portal linkage issue * CertificatesUsed not working properly with RIM * Maybe need to link to base rim * Rim test 1 needed hw file * Working on CI * Connecting new tpm2_common * Edited the way scripts called in docker exec * TPM for reset each test * Defining efi paths in CI env file * Forgot to close while loops * Connecting default test files * Variable was wrong [no ci] * Added ACA tests using uploaded artifacts * Trying to chmod rim_setup.sh * rim_setup chmod issues * Added aca tests 9 and 10 to workflow * Added cases 9 and 10 for aca policy tests * Exit test scripts with error if one test fails * Attempt to solve uploaded rim linkup * Try only setting tagId if not null * updateSupportRimInfo was not setting associated rim on base * Attempt alternate lookup of rim by device name * Trouble with event log archived * Used wrong variable * Fix spotbugs * Try again * Change SupplyChainValidation.message size to MAX_MESSAGE_LENGTH
This commit is contained in:
parent
315d3a2f02
commit
7c99b81b10
@ -13,3 +13,40 @@ HIRS_ACA_HOSTNAME=hirsaca
|
|||||||
HIRS_SUBNET=172.19.0.0/16
|
HIRS_SUBNET=172.19.0.0/16
|
||||||
|
|
||||||
TEST_STATUS=0
|
TEST_STATUS=0
|
||||||
|
|
||||||
|
HIRS_DEFAULT_APPSETTINGS_FILE=/usr/share/hirs/appsettings.json
|
||||||
|
|
||||||
|
HIRS_CI_REPO_ROOT=/hirs
|
||||||
|
|
||||||
|
HIRS_CI_TEST_ROOT=/ci_test
|
||||||
|
HIRS_CI_EFI_PATH_ROOT=$HIRS_CI_TEST_ROOT/boot/efi
|
||||||
|
HIRS_CI_EFI_PATH_TCG=$HIRS_CI_EFI_PATH_ROOT/EFI/tcg
|
||||||
|
HIRS_CI_EFI_PATH_PLATFORM=$HIRS_CI_EFI_PATH_TCG/cert/platform
|
||||||
|
HIRS_CI_EFI_PATH_RIM=$HIRS_CI_EFI_PATH_TCG/manifest/rim
|
||||||
|
HIRS_CI_EFI_PATH_SWIDTAG=$HIRS_CI_EFI_PATH_TCG/manifest/swidtag
|
||||||
|
HIRS_CI_TEST_HW_JSON_FILE=$HIRS_CI_TEST_ROOT/hw.json
|
||||||
|
HIRS_CI_TEST_EVENT_LOG_FILE=$HIRS_CI_TEST_ROOT/binary_bios_measurements
|
||||||
|
|
||||||
|
HIRS_CI_TEST_DEFAULT_PROFILE_DIR=$HIRS_CI_REPO_ROOT/.ci/system-tests/profiles/laptop
|
||||||
|
HIRS_CI_TEST_DEFAULT_TEST_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/default
|
||||||
|
HIRS_CI_TEST_DEFAULT_DMI_ZIP=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/laptop_dmi.zip
|
||||||
|
HIRS_CI_TEST_DEFAULT_HW_JSON_FILE=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_hw.json
|
||||||
|
HIRS_CI_TEST_DEFAULT_EVENT_LOG=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_binary_bios_measurements
|
||||||
|
HIRS_CI_TEST_DEFAULT_SETPCRS_SH=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_setpcrs.sh
|
||||||
|
HIRS_CI_TEST_DEFAULT_PLATFORMCERTS_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/empty/platformcerts
|
||||||
|
HIRS_CI_TEST_DEFAULT_RIMS_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/empty/rims
|
||||||
|
HIRS_CI_TEST_DEFAULT_SWIDTAGS_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/empty/swidtags
|
||||||
|
|
||||||
|
HIRS_CI_TPM_EK_CERT_FILE=/hirs/.ci/setup/certs/ek_cert.der
|
||||||
|
HIRS_CI_TPM_EK_CERT_NV_ATTR="0x2000A"
|
||||||
|
HIRS_CI_TPM_EK_CERT_NV_INDEX="0x1c00002"
|
||||||
|
|
||||||
|
HIRS_ACA_POST_POINT_EK=HIRS_AttestationCAPortal/portal/certificate-request/endorsement-key-credentials/upload
|
||||||
|
HIRS_ACA_POST_POINT_PLATFORM=HIRS_AttestationCAPortal/portal/certificate-request/platform-credentials/upload
|
||||||
|
HIRS_ACA_POST_POINT_RIM=HIRS_AttestationCAPortal/portal/reference-manifests/upload
|
||||||
|
HIRS_ACA_POST_POINT_TRUST=HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
|
||||||
|
|
||||||
|
SERVER_ECERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_EK"
|
||||||
|
SERVER_PCERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_PLATFORM"
|
||||||
|
SERVER_CACERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_TRUST"
|
||||||
|
SERVER_RIM_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_RIM"
|
||||||
|
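Review bot: `TEST_STATUS=0` near the top of this hunk is re-read by every script and function that does `. /hirs/.ci/docker/.env`, and the new `setCiHirsAppsettingsFile` and `installEkCert` in tpm2_common.sh do exactly that on entry, so any failure a caller has already recorded in `TEST_STATUS` is silently reset to 0 the moment one of them runs. If this variable is meant to accumulate the test verdict it should be initialised once in the test driver rather than in the shared env file, or at least written as `TEST_STATUS=${TEST_STATUS:-0}`. The `SERVER_*_POST` URLs are built from `$HIRS_ACA_HOSTNAME` while `waitForAca` and the appsettings writer use `${HIRS_ACA_PORTAL_IP}`; that only goes unnoticed because the uploads run with `curl -k`, so it is worth settling on one of the two. The derived paths (`$HIRS_CI_TEST_ROOT/...`) expand when bash sources the file, but Compose applies its own `.env` interpolation, so confirm the compose file only consumes entries that work under both.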
@ -7,6 +7,7 @@ services:
|
|||||||
command: ["bash", "-c", "tail -f /dev/null;"]
|
command: ["bash", "-c", "tail -f /dev/null;"]
|
||||||
ports:
|
ports:
|
||||||
- "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}"
|
- "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}"
|
||||||
|
- 9123:9123
|
||||||
hostname: ${HIRS_ACA_HOSTNAME}
|
hostname: ${HIRS_ACA_HOSTNAME}
|
||||||
networks:
|
networks:
|
||||||
hirs_aca_system_tests:
|
hirs_aca_system_tests:
|
||||||
@ -21,7 +22,7 @@ services:
|
|||||||
- aca
|
- aca
|
||||||
volumes:
|
volumes:
|
||||||
- ../../:/HIRS
|
- ../../:/HIRS
|
||||||
command: ["bash", "-c", "/ibmswtpm2/src/tpm_server && tail -f /dev/null"]
|
command: ["bash", "-c", "tail -f /dev/null"]
|
||||||
networks:
|
networks:
|
||||||
hirs_aca_system_tests:
|
hirs_aca_system_tests:
|
||||||
ipv4_address: ${HIRS_ACA_PROVISIONER_TPM2_IP}
|
ipv4_address: ${HIRS_ACA_PROVISIONER_TPM2_IP}
|
||||||
|
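Review bot: The new `- 9123:9123` entry in the first hunk publishes the port on every host interface and, unlike the `ports` line above it, is unquoted. If this is the listener enabled by the `-d` flag added to `aca_bootRun.sh` in the later `@ -18,7 +18,7` hunk (it reads like a debug mode, though the flag itself is not defined in this diff), it should not be reachable from outside the CI host: `- "127.0.0.1:9123:9123"`, or no mapping at all, since the provisioner container already reaches the ACA over `hirs_aca_system_tests`. Quoting it also avoids the `xx:yy` scalar ambiguity that Compose documents for port mappings. The second hunk's switch to `tail -f /dev/null` is consistent with `startFreshTpmServer` now owning the emulator's lifetime.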
@ -4,7 +4,8 @@
|
|||||||
#########################################################################################
|
#########################################################################################
|
||||||
|
|
||||||
# Setting configurations
|
# Setting configurations
|
||||||
. ./.ci/docker/.env
|
. /hirs/.ci/docker/.env
|
||||||
|
source /hirs/.ci/setup/container/tpm2_common.sh
|
||||||
|
|
||||||
set -a
|
set -a
|
||||||
|
|
||||||
@ -12,112 +13,17 @@ set -e
|
|||||||
echo "*** Setting up TPM emulator for the TPM2 Provisioner *** "
|
echo "*** Setting up TPM emulator for the TPM2 Provisioner *** "
|
||||||
|
|
||||||
# Wait for ACA to boot
|
# Wait for ACA to boot
|
||||||
echo "*** Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
|
waitForAca
|
||||||
until [ "`curl --silent -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep 'HTTP/1.1 200'`" != "" ]; do
|
|
||||||
sleep 1;
|
|
||||||
done
|
|
||||||
echo "*** ACA is up!"
|
|
||||||
|
|
||||||
## Un-package Provisioner.NET RPM
|
## Un-package Provisioner.NET RPM
|
||||||
yes | dnf install HIRS_Provisioner.NET/hirs/bin/Release/net6.0/linux-x64/HIRS_Provisioner.NET.2.2.0.linux-x64.rpm -y > /dev/null
|
yes | dnf install HIRS_Provisioner.NET/hirs/bin/Release/net6.0/linux-x64/HIRS_Provisioner.NET.2.2.0.linux-x64.rpm -y > /dev/null
|
||||||
|
|
||||||
# Initiate startup for IBMTSS Tools
|
# Initiate startup for IBMTSS Tools
|
||||||
pushd /ibmtss/utils
|
startFreshTpmServer -f
|
||||||
tpm2_startup -T mssim -c &
|
startupTpm
|
||||||
sleep 5
|
installEkCert
|
||||||
tpm2_nvdefine -T mssim -C o -a 0x2000A -s $(cat /hirs/.ci/setup/certs/ek_cert.der | wc -c) 0x1c00002
|
|
||||||
tpm2_nvwrite -T mssim -C o -i /hirs/.ci/setup/certs/ek_cert.der 0x1c00002
|
|
||||||
popd
|
|
||||||
|
|
||||||
# Writing to Provisioner.Net configurations file for modified aca port and efi prefix
|
setCiHirsAppsettingsFile
|
||||||
cat <<APPSETTINGS_FILE > /usr/share/hirs/appsettings.json
|
|
||||||
{
|
|
||||||
"auto_detect_tpm": "TRUE",
|
|
||||||
"aca_address_port": "https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}",
|
|
||||||
"efi_prefix": "/ci_test/boot/efi",
|
|
||||||
"paccor_output_file": "",
|
|
||||||
"event_log_file": "",
|
|
||||||
"hardware_manifest_collectors": "paccor_scripts",
|
|
||||||
|
|
||||||
"Serilog": {
|
|
||||||
"Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
|
|
||||||
"Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
|
|
||||||
"MinimumLevel": {
|
|
||||||
"Default": "Debug",
|
|
||||||
"Override": {
|
|
||||||
"Microsoft": "Warning",
|
|
||||||
"System": "Warning"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"WriteTo": [
|
|
||||||
{
|
|
||||||
"Name": "Console",
|
|
||||||
"Args": {
|
|
||||||
"outputTemplate": "{Message}{NewLine}",
|
|
||||||
"theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
|
|
||||||
"restrictedToMinimumLevel": "Information"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"Name": "File",
|
|
||||||
"Args": {
|
|
||||||
"path": "hirs.log",
|
|
||||||
"rollingInterval": "Day",
|
|
||||||
"retainedFileCountLimit": 5
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
APPSETTINGS_FILE
|
|
||||||
cp /usr/share/hirs/appsettings.json /usr/share/hirs/appsettings_default.json
|
|
||||||
cat <<APPSETTINGS_FILE_HW > /usr/share/hirs/appsettings_hw.json
|
|
||||||
{
|
|
||||||
"auto_detect_tpm": "TRUE",
|
|
||||||
"aca_address_port": "https://172.19.0.2:8443",
|
|
||||||
"efi_prefix": "/ci_test/boot/efi",
|
|
||||||
"paccor_output_file": "/ci_test/hw.json",
|
|
||||||
"event_log_file": "/ci_test/binary_bios_measurements",
|
|
||||||
"hardware_manifest_collectors": "",
|
|
||||||
"linux_bios_vendor_file": "/ci_test/dmi/id/bios_vendor",
|
|
||||||
"linux_bios_version_file": "/ci_test/dmi/id/bios_version",
|
|
||||||
"linux_bios_date_file": "/ci_test/dmi/id/bios_date",
|
|
||||||
"linux_sys_vendor_file": "/ci_test/dmi/id/sys_vendor",
|
|
||||||
"linux_product_name_file": "/ci_test/dmi/id/product_name",
|
|
||||||
"linux_product_version_file": "/ci_test/dmi/id/product_version",
|
|
||||||
"linux_product_serial_file": "/ci_test/dmi/id/product_serial",
|
|
||||||
|
|
||||||
"Serilog": {
|
|
||||||
"Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
|
|
||||||
"Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
|
|
||||||
"MinimumLevel": {
|
|
||||||
"Default": "Debug",
|
|
||||||
"Override": {
|
|
||||||
"Microsoft": "Warning",
|
|
||||||
"System": "Warning"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"WriteTo": [
|
|
||||||
{
|
|
||||||
"Name": "Console",
|
|
||||||
"Args": {
|
|
||||||
"outputTemplate": "{Message}{NewLine}",
|
|
||||||
"theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
|
|
||||||
"restrictedToMinimumLevel": "Information"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"Name": "File",
|
|
||||||
"Args": {
|
|
||||||
"path": "hirs.log",
|
|
||||||
"rollingInterval": "Day",
|
|
||||||
"retainedFileCountLimit": 5
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
APPSETTINGS_FILE_HW
|
|
||||||
|
|
||||||
# Triggering a single provision for test
|
# Triggering a single provision for test
|
||||||
echo "==========="
|
echo "==========="
|
||||||
|
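Review bot: After `startFreshTpmServer -f` on the new side nothing confirms the emulator is actually up before `startupTpm` and `installEkCert` run; `startFreshTpmServer` backgrounds `tpm_server` and only echoes whatever `findTpmServerPid` returns, so a failed launch surfaces later as an opaque `tpm2_startup` error under the script's `set -e`. A one-line guard after that call makes the failure explicit: `isTpmServerRunning || { echo "TPM server failed to start"; exit 1; }`. The script now depends on functions defined in tpm2_common.sh, outside this hunk, and the enclosing script continues past the end of it.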
@ -149,12 +149,200 @@ DEFAULT_SITE_CONFIG_FILE
|
|||||||
cat /etc/hirs/hirs-site.config
|
cat /etc/hirs/hirs-site.config
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Function to update the hirs-site.config file
|
||||||
|
function setCiHirsAppsettingsFile {
|
||||||
|
# Setting configurations
|
||||||
|
. /hirs/.ci/docker/.env
|
||||||
|
|
||||||
|
HIRS_APPSETTINGS_FILE=$HIRS_DEFAULT_APPSETTINGS_FILE
|
||||||
|
ACA_ADDRESS="https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}"
|
||||||
|
EFI_PREFIX_PATH=$HIRS_CI_EFI_PATH_ROOT
|
||||||
|
PACCOR_OUTPUT_FILE=""
|
||||||
|
EVENT_LOG_FILE=""
|
||||||
|
HARDWARE_MANIFEST_COLLECTORS="paccor_scripts"
|
||||||
|
|
||||||
|
# Process parameters Argument handling
|
||||||
|
POSITIONAL_ARGS=()
|
||||||
|
ORIGINAL_ARGS=("$@")
|
||||||
|
while [[ $# -gt 0 ]]; do
|
||||||
|
case $1 in
|
||||||
|
--aca-address)
|
||||||
|
shift # past argument
|
||||||
|
ACA_ADDRESS=$1
|
||||||
|
shift # past parameter
|
||||||
|
;;
|
||||||
|
--efi-prefix)
|
||||||
|
shift # past argument
|
||||||
|
EFI_PREFIX_PATH=$1
|
||||||
|
shift # past parameter
|
||||||
|
;;
|
||||||
|
--paccor-output-file)
|
||||||
|
shift # past argument
|
||||||
|
PACCOR_OUTPUT_FILE=$1
|
||||||
|
HARDWARE_MANIFEST_COLLECTORS=""
|
||||||
|
shift # past parameter
|
||||||
|
;;
|
||||||
|
--event-log-file)
|
||||||
|
shift # past argument
|
||||||
|
EVENT_LOG_FILE=$1
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
--linux-dmi)
|
||||||
|
USE_LINUX_DMI=YES
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
-*|--*)
|
||||||
|
echo "setCiHirsAppsettingsFile: Unknown option $1"
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
POSITIONAL_ARGS+=("$1") # save positional arg
|
||||||
|
# shift # past argument
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
echo ""
|
||||||
|
echo "===========Updating ${HIRS_APPSETTINGS_FILE}, using values from /HIRS/.ci/docker/.env file...==========="
|
||||||
|
|
||||||
|
cat <<DEFAULT_APPSETTINGS_FILE > $HIRS_APPSETTINGS_FILE
|
||||||
|
{
|
||||||
|
"auto_detect_tpm": "TRUE",
|
||||||
|
"aca_address_port": "$ACA_ADDRESS",
|
||||||
|
"efi_prefix": "$EFI_PREFIX_PATH",
|
||||||
|
"paccor_output_file": "$PACCOR_OUTPUT_FILE",
|
||||||
|
"event_log_file": "$EVENT_LOG_FILE",
|
||||||
|
"hardware_manifest_collectors": "$HARDWARE_MANIFEST_COLLECTORS",
|
||||||
|
DEFAULT_APPSETTINGS_FILE
|
||||||
|
if [ "$USE_LINUX_DMI" = YES ]; then
|
||||||
|
cat <<DEFAULT_APPSETTINGS_FILE >> $HIRS_APPSETTINGS_FILE
|
||||||
|
"linux_bios_vendor_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_vendor",
|
||||||
|
"linux_bios_version_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_version",
|
||||||
|
"linux_bios_date_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_date",
|
||||||
|
"linux_sys_vendor_file": "$HIRS_CI_TEST_ROOT/dmi/id/sys_vendor",
|
||||||
|
"linux_product_name_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_name",
|
||||||
|
"linux_product_version_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_version",
|
||||||
|
"linux_product_serial_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_serial",
|
||||||
|
DEFAULT_APPSETTINGS_FILE
|
||||||
|
fi
|
||||||
|
cat <<DEFAULT_APPSETTINGS_FILE >> $HIRS_APPSETTINGS_FILE
|
||||||
|
"Serilog": {
|
||||||
|
"Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
|
||||||
|
"Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
|
||||||
|
"MinimumLevel": {
|
||||||
|
"Default": "Debug",
|
||||||
|
"Override": {
|
||||||
|
"Microsoft": "Warning",
|
||||||
|
"System": "Warning"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"WriteTo": [
|
||||||
|
{
|
||||||
|
"Name": "Console",
|
||||||
|
"Args": {
|
||||||
|
"outputTemplate": "{Message}{NewLine}",
|
||||||
|
"theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
|
||||||
|
"restrictedToMinimumLevel": "Information"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Name": "File",
|
||||||
|
"Args": {
|
||||||
|
"path": "hirs.log",
|
||||||
|
"rollingInterval": "Day",
|
||||||
|
"retainedFileCountLimit": 5
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
DEFAULT_APPSETTINGS_FILE
|
||||||
|
}
|
||||||
|
|
||||||
|
# These functions work on the tpm2provisioner_dotnet image
|
||||||
|
# They assume the IBM sw tpm server repo is cloned to /ibmswtpm2
|
||||||
|
# They assume the IBM tss repo is cloned to /ibmtss
|
||||||
|
# They assume tpm2-tools are installed.
|
||||||
|
# They assume the HIRS repo is cloned to /hirs.
|
||||||
|
function startFreshTpmServer {
|
||||||
|
# Process parameters Argument handling
|
||||||
|
POSITIONAL_ARGS=()
|
||||||
|
ORIGINAL_ARGS=("$@")
|
||||||
|
while [[ $# -gt 0 ]]; do
|
||||||
|
case $1 in
|
||||||
|
-f|--force|--restart)
|
||||||
|
stopTpmServer
|
||||||
|
sleep 5
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
-*|--*)
|
||||||
|
echo "setCiHirsAppsettingsFile: Unknown option $1"
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
POSITIONAL_ARGS+=("$1") # save positional arg
|
||||||
|
# shift # past argument
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if isTpmServerRunning ; then
|
||||||
|
echo "TPM server already running."
|
||||||
|
else
|
||||||
|
echo -n "Starting TPM server..."
|
||||||
|
/ibmswtpm2/src/tpm_server -rm &> /dev/null &
|
||||||
|
sleep 2
|
||||||
|
pid=$(findTpmServerPid)
|
||||||
|
echo "...running with pid: $pid"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function startupTpm {
|
||||||
|
echo "Running tpm2_startup"
|
||||||
|
tpm2_startup -T mssim -c
|
||||||
|
sleep 2
|
||||||
|
}
|
||||||
|
|
||||||
|
function installEkCert {
|
||||||
|
# Setting configurations
|
||||||
|
. /hirs/.ci/docker/.env
|
||||||
|
|
||||||
|
echo "Installing EK Cert $HIRS_CI_TPM_EK_CERT_FILE into TPM NVRAM at index $HIRS_CI_TPM_EK_CERT_NV_INDEX"
|
||||||
|
tpm2_nvdefine -T mssim -C o -a $HIRS_CI_TPM_EK_CERT_NV_ATTR -s $(cat $HIRS_CI_TPM_EK_CERT_FILE | wc -c) $HIRS_CI_TPM_EK_CERT_NV_INDEX
|
||||||
|
tpm2_nvwrite -T mssim -C o -i $HIRS_CI_TPM_EK_CERT_FILE $HIRS_CI_TPM_EK_CERT_NV_INDEX
|
||||||
|
echo "Finished installing EK cert."
|
||||||
|
}
|
||||||
|
|
||||||
|
function findTpmServerPid {
|
||||||
|
pid=$(pgrep -f /ibmswtpm2/src/tpm_server 2> /dev/null)
|
||||||
|
echo -n "$pid"
|
||||||
|
}
|
||||||
|
|
||||||
|
# ex usage: isTpmServerRunning && echo "up" || echo "down"
|
||||||
|
function isTpmServerRunning {
|
||||||
|
tpmUp=$(findTpmServerPid)
|
||||||
|
if [ -n "$tpmUp" ]; then
|
||||||
|
return 0
|
||||||
|
else
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function stopTpmServer {
|
||||||
|
tpmUp=$(findTpmServerPid)
|
||||||
|
if [ -n "$tpmUp" ]; then
|
||||||
|
echo "Stopping TPM server with pid: $tpmUp"
|
||||||
|
kill -9 $tpmUp
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# Wait for ACA to boot
|
# Wait for ACA to boot
|
||||||
function waitForAca {
|
function waitForAca {
|
||||||
echo "Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
|
echo "Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
|
||||||
until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
|
until [ "`curl --silent -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep 'HTTP/1.1 200'`" != "" ]; do
|
||||||
sleep 1;
|
sleep 1;
|
||||||
#echo "Checking on the ACA..."
|
|
||||||
done
|
done
|
||||||
echo "ACA is up!"
|
echo "ACA is up!"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
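Review bot: `findTpmServerPid` matches with `pgrep -f /ibmswtpm2/src/tpm_server`, a substring match on the full command line, and `stopTpmServer` then does `kill -9` on every pid returned, so any shell whose command line merely mentions that path (a `bash -c "... tpm_server ..."` wrapper like the one this commit removes from docker-compose, or a `docker exec ... sh -c` script) would be killed as well. Anchoring the pattern, `pgrep -f '^/ibmswtpm2/src/tpm_server'`, or using `pgrep -x tpm_server`, limits it to the emulator binary, and a plain `kill` before falling back to `kill -9` lets the server exit cleanly. The unknown-option branch of `startFreshTpmServer` reports `setCiHirsAppsettingsFile: Unknown option`, a copy-paste slip that should read `echo "startFreshTpmServer: Unknown option $1"`. `waitForAca` now greps for `302 Found` with no bound on retries: a server that negotiates HTTP/2 answers `HTTP/2 302` with no reason phrase, and an ACA that never comes up hangs the job until the CI timeout, so matching on the status code alone (e.g. `curl -s -o /dev/null -w '%{http_code}'`) and capping the loop would be more robust. `pid` and `tpmUp` are also assigned without `local`, so they leak into the caller's namespace.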
52
.ci/system-tests/container/efi_setup.sh
Executable file
52
.ci/system-tests/container/efi_setup.sh
Executable file
@ -0,0 +1,52 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#########################################################################################
|
||||||
|
# Setup a local directory to act as the ESP for testing
|
||||||
|
# This just creates the directory structure.
|
||||||
|
# usage efi_setup.sh [-c] [-p] [-r]
|
||||||
|
# -c: clear all artifact directories
|
||||||
|
# -p: clear only the platform directory
|
||||||
|
# -r: clear only the rim directories
|
||||||
|
#########################################################################################
|
||||||
|
|
||||||
|
# Load env variables
|
||||||
|
. /hirs/.ci/docker/.env
|
||||||
|
|
||||||
|
# Process parameters Argument handling
|
||||||
|
POSITIONAL_ARGS=()
|
||||||
|
ORIGINAL_ARGS=("$@")
|
||||||
|
while [[ $# -gt 0 ]]; do
|
||||||
|
case $1 in
|
||||||
|
-c|--clear-all)
|
||||||
|
CLEAR_ALL=YES
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
-p|--clear-platform)
|
||||||
|
CLEAR_PLATFORM=YES
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
-r|--clear-rim)
|
||||||
|
CLEAR_RIM=YES
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
POSITIONAL_ARGS+=("$1") # save positional arg
|
||||||
|
# shift # past argument
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
# Ensure file structure is there
|
||||||
|
mkdir -p $HIRS_CI_EFI_PATH_PLATFORM
|
||||||
|
mkdir -p $HIRS_CI_EFI_PATH_RIM
|
||||||
|
mkdir -p $HIRS_CI_EFI_PATH_SWIDTAG
|
||||||
|
|
||||||
|
# Clear out any previous artifacts
|
||||||
|
|
||||||
|
if [ "$CLEAR_ALL" = YES ] || [ "$CLEAR_PLATFORM" = YES ] ; then
|
||||||
|
rm -f $HIRS_CI_EFI_PATH_PLATFORM/*
|
||||||
|
fi
|
||||||
|
if [ "$CLEAR_ALL" = YES ] || [ "$CLEAR_RIM" = YES ] ; then
|
||||||
|
rm -f $HIRS_CI_EFI_PATH_RIM/*
|
||||||
|
rm -f $HIRS_CI_EFI_PATH_SWIDTAG/*
|
||||||
|
fi
|
||||||
|
|
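Review bot: The three `rm -f $HIRS_CI_EFI_PATH_*/*` lines at the end of the new file expand to `rm -f /*` when the variable is empty, which is what happens if `. /hirs/.ci/docker/.env` fails or the script is run outside the container; the `mkdir -p` lines above would fail on an empty path but not stop the script, since nothing sets `-e` or `-u`. Guard each deletion so an unset variable aborts instead: `rm -f -- "${HIRS_CI_EFI_PATH_PLATFORM:?}"/*`, `rm -f -- "${HIRS_CI_EFI_PATH_RIM:?}"/*`, `rm -f -- "${HIRS_CI_EFI_PATH_SWIDTAG:?}"/*`, or add `set -eu` right after the `.env` is loaded. The header comment lists `-c`, `-p`, `-r` but the parser also accepts `--clear-all`, `--clear-platform`, `--clear-rim`, which could be documented there.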
@ -1,50 +1,111 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#########################################################################################
|
#########################################################################################
|
||||||
# Setup for platform certificates for testing
|
# Setup for platform certificates for testing
|
||||||
# Copies platform certs (Base and Delta) to the tcg directory
|
# usage pc_setup.sh -p <profile> -t <test> [-u] [-n]
|
||||||
# usage pc_setup.sh <profile> <test>
|
# By default, copies platform certs (Base and Delta) to the tcg directory.
|
||||||
|
# -u: upload the certs to the ACA directly.
|
||||||
|
# -n: disable copy of certs to the tcg directory.
|
||||||
#########################################################################################
|
#########################################################################################
|
||||||
|
|
||||||
profile=$1
|
# Load env variables
|
||||||
test=$2
|
. /hirs/.ci/docker/.env
|
||||||
ciTestDir="/ci_test"
|
|
||||||
tcgDir="$ciTestDir/boot/efi/EFI/tcg/cert/platform/"
|
|
||||||
|
|
||||||
|
profile=laptop
|
||||||
|
test=default
|
||||||
|
ciTestHwJsonFile=$HIRS_CI_TEST_HW_JSON_FILE
|
||||||
|
|
||||||
|
# By default save the artifacts in EFI and do not upload to the ACA
|
||||||
|
UPLOAD_ARTIFACTS=NO
|
||||||
|
PUT_ARTIFACTS_IN_ESP=YES
|
||||||
|
|
||||||
|
# Process parameters Argument handling
|
||||||
|
POSITIONAL_ARGS=()
|
||||||
|
ORIGINAL_ARGS=("$@")
|
||||||
|
while [[ $# -gt 0 ]]; do
|
||||||
|
case $1 in
|
||||||
|
-p|--profile)
|
||||||
|
shift # past argument
|
||||||
|
profile=$1
|
||||||
|
shift # past parameter
|
||||||
|
;;
|
||||||
|
-t|--test)
|
||||||
|
shift # past argument
|
||||||
|
test=$1
|
||||||
|
shift # past parameter
|
||||||
|
;;
|
||||||
|
-u|--upload)
|
||||||
|
UPLOAD_ARTIFACTS=YES
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
-n|--no-efi)
|
||||||
|
PUT_ARTIFACTS_IN_ESP=NO
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
-*|--*)
|
||||||
|
echo "pc_setup.sh: Unknown option $1"
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
POSITIONAL_ARGS+=("$1") # save positional arg
|
||||||
|
# shift # past argument
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
# Profile selections
|
# Profile selections
|
||||||
profileDir="/hirs/.ci/system-tests/profiles/$profile"
|
profileDir="$HIRS_CI_REPO_ROOT/.ci/system-tests/profiles/$profile"
|
||||||
testDir="$profileDir/$test"
|
testDir="$profileDir/$test"
|
||||||
pcDir="$testDir/platformcerts"
|
pcDir="$testDir/platformcerts"
|
||||||
dmiZip="$profileDir/$profile"_dmi.zip
|
dmiZip="$profileDir/$profile"_dmi.zip
|
||||||
hwJsonFileName="$profile"_"$test"_hw.json
|
hwJsonFileName="$profile"_"$test"_hw.json
|
||||||
hwJsonFile="$testDir/$hwJsonFileName"
|
hwJsonFile="$testDir/$hwJsonFileName"
|
||||||
ciTestHwJsonFile="$ciTestDir/hw.json"
|
|
||||||
|
|
||||||
# Current TCG folder for platform certs
|
# Use default settings if profile does not have specific changes
|
||||||
mkdir -p $tcgDir; # Create the platform cert folder if its not there
|
if [ ! -f "$hwJsonFile" ]; then
|
||||||
rm -f $tcgDir*; # Clear out any previous data
|
echo "Test is using a profile with no hardware manifest file. Using default."
|
||||||
|
hwJsonFile=$HIRS_CI_TEST_DEFAULT_HW_JSON_FILE
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Test is using platform cert(s) from $profile : $test"
|
if [ ! -f "$dmiZip" ]; then
|
||||||
|
echo "Test is using a profile with no DMI data. Using default."
|
||||||
|
dmiZip=$HIRS_CI_TEST_DEFAULT_DMI_ZIP
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Ensure platform folder under efi is set up and cleared
|
||||||
|
$HIRS_CI_REPO_ROOT/.ci/system-tests/container/efi_setup.sh -p
|
||||||
|
|
||||||
|
echo "Platform certs selected from profile: $profile : $test"
|
||||||
# Step 1: Copy hw json file, if it exists.
|
# Step 1: Copy hw json file, if it exists.
|
||||||
if [ -f "$hwJsonFile" ]; then
|
if [ -f "$hwJsonFile" ]; then
|
||||||
cp "$hwJsonFile" "$ciTestHwJsonFile"
|
echo "hw file used was $hwJsonFile"
|
||||||
|
cp "$hwJsonFile" "$ciTestHwJsonFile"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Can remove this once unzip is added to the image
|
# Can remove this once unzip is added to the image
|
||||||
dnf install -y unzip &> /dev/null
|
dnf install -y unzip &> /dev/null
|
||||||
|
|
||||||
# Step 2: Unpack the dmi files.
|
# Step 2: Unpack the dmi files.
|
||||||
unzip -o "$dmiZip" -d "$ciTestDir"
|
echo "dmi file used was $dmiZip"
|
||||||
|
unzip -o "$dmiZip" -d $HIRS_CI_TEST_ROOT
|
||||||
|
|
||||||
# Step 3: Copy the platform cert to tcg folder
|
# Step 3: Copy the platform cert to tcg folder and or upload it to the ACA
|
||||||
if [[ ! -d $pcDir ]]; then
|
if [[ ! -d $pcDir ]]; then
|
||||||
pcDir=$profileDir/default/platformcerts;
|
pcDir=$profileDir/default/platformcerts
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pushd $pcDir > /dev/null
|
pushd $pcDir > /dev/null
|
||||||
# Skip copy of platform cert if .gitigore exists (empty profile)
|
# Skip copy of platform cert if .gitigore exists (empty profile)
|
||||||
if [[ ! -f ".gitignore" ]]; then
|
if [[ ! -f ".gitignore" ]]; then
|
||||||
for cert in * ; do
|
for cert in * ; do
|
||||||
cp -f $cert $tcgDir$cert;
|
if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
|
||||||
|
echo "Saving $cert to $HIRS_CI_EFI_PATH_PLATFORM"
|
||||||
|
cp $cert $HIRS_CI_EFI_PATH_PLATFORM
|
||||||
|
fi
|
||||||
|
if [ "$UPLOAD_ARTIFACTS" = YES ]; then
|
||||||
|
echo "Uploading $cert to $SERVER_PCERT_POST"
|
||||||
|
curl -k -F "file=@$cert" $SERVER_PCERT_POST
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
popd > /dev/null
|
popd > /dev/null
|
||||||
|
|
||||||
|
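Review bot: The new upload line `curl -k -F "file=@$cert" $SERVER_PCERT_POST` neither fails on an HTTP error status nor has its exit status checked, so a rejected or unreachable upload is logged as a success and the test fails later for an unrelated-looking reason; the two `curl -k -F ... $SERVER_RIM_POST` loops in rim_setup.sh have the same shape. Suggest `curl -k -sS -f -F "file=@$cert" "$SERVER_PCERT_POST" || { echo "upload of $cert failed"; exit 1; }` and the equivalent in the RIM loops. `-k` disables TLS verification, which is tolerable for a CI-only self-signed ACA, but if the ACA's certificate can be made available to the provisioner container, `--cacert <path>` would exercise the real trust path, and the `$HIRS_ACA_HOSTNAME` in the URL would then have to match the certificate. The `cp $cert $HIRS_CI_EFI_PATH_PLATFORM` on the ESP branch is unquoted and silently overwrites; quoting both operands keeps it safe for names with spaces.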
98
.ci/system-tests/container/rim_setup.sh
Normal file → Executable file
98
.ci/system-tests/container/rim_setup.sh
Normal file → Executable file
@ -1,76 +1,116 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#########################################################################################
|
#########################################################################################
|
||||||
# Setup for PC Client Reference Integrity Manifest (RIM) tests
|
# Setup for PC Client Reference Integrity Manifest (RIM) tests
|
||||||
# usage rim_setup.sh <profile> <test> <option>
|
# usage rim_setup.sh -p <profile> -t <test> [-u] [-n]
|
||||||
# use "clear" option to clear existing TPM PCR values
|
|
||||||
#########################################################################################
|
#########################################################################################
|
||||||
|
|
||||||
profile=$1
|
# Load env variables
|
||||||
test=$2
|
. /hirs/.ci/docker/.env
|
||||||
ciTestDir="/ci_test"
|
|
||||||
tcgDir="$ciTestDir/boot/efi/EFI/tcg"
|
|
||||||
|
|
||||||
|
profile=laptop
|
||||||
|
test=default
|
||||||
|
ciTestEventLog=$HIRS_CI_TEST_EVENT_LOG_FILE
|
||||||
|
|
||||||
|
# By default save the artifacts in EFI and do not upload to the ACA
|
||||||
|
UPLOAD_ARTIFACTS=NO
|
||||||
|
PUT_ARTIFACTS_IN_ESP=YES
|
||||||
|
|
||||||
|
# Process parameters Argument handling
|
||||||
|
POSITIONAL_ARGS=()
|
||||||
|
ORIGINAL_ARGS=("$@")
|
||||||
|
while [[ $# -gt 0 ]]; do
|
||||||
|
case $1 in
|
||||||
|
-p|--profile)
|
||||||
|
shift # past argument
|
||||||
|
profile=$1
|
||||||
|
shift # past parameter
|
||||||
|
;;
|
||||||
|
-t|--test)
|
||||||
|
shift # past argument
|
||||||
|
test=$1
|
||||||
|
shift # past parameter
|
||||||
|
;;
|
||||||
|
-u|--upload)
|
||||||
|
UPLOAD_ARTIFACTS=YES
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
-n|--no-efi)
|
||||||
|
PUT_ARTIFACTS_IN_ESP=NO
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
-*|--*)
|
||||||
|
echo "rim_setup.sh: Unknown option $1"
|
||||||
|
shift # past argument
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
POSITIONAL_ARGS+=("$1") # save positional arg
|
||||||
|
# shift # past argument
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
# Profile selections
|
# Profile selections
|
||||||
profileDir="/hirs/.ci/system-tests/profiles/$profile"
|
profileDir="$HIRS_CI_REPO_ROOT/.ci/system-tests/profiles/$profile"
|
||||||
defaultDir="$profileDir/default"
|
defaultDir="$profileDir/default"
|
||||||
testDir="/hirs/.ci/system-tests/profiles/$profile/$test"
|
testDir="$profileDir/$test"
|
||||||
eventLog="$testDir"/"$profile"_"$test"_binary_bios_measurements
|
eventLog="$testDir"/"$profile"_"$test"_binary_bios_measurements
|
||||||
swidDir="$testDir/swidtags"
|
swidDir="$testDir/swidtags"
|
||||||
rimDir="$testDir/rims"
|
rimDir="$testDir/rims"
|
||||||
pcrScript="$testDir/"$profile"_"$test"_setpcrs.sh"
|
pcrScript="$testDir/"$profile"_"$test"_setpcrs.sh"
|
||||||
ciTestEventLog="$ciTestDir/binary_bios_measurements"
|
|
||||||
|
|
||||||
echo "Test is using RIM files from $profile : $test"
|
echo "Test is using RIM files from $profile : $test"
|
||||||
|
|
||||||
# Make sure TCG defined RIM folders exist and are cleared out
|
# Ensure rim folders under efi are set up and cleared
|
||||||
mkdir -p $tcgDir/manifest/rim/; # Create the platform cert folder if its not there
|
$HIRS_CI_REPO_ROOT/.ci/system-tests/container/efi_setup.sh -r
|
||||||
rm -f $tcgDir/manifest/rim/*; # clear out any previous data
|
|
||||||
|
|
||||||
mkdir -p $tcgDir/manifest/swidtag/; # Create the platform cert folder if its not there
|
|
||||||
rm -f $tcgDir/manifest/swidtag/*; # clear out any previous data
|
|
||||||
|
|
||||||
# Step 1: Copy binary_bios_measurement file
|
# Step 1: Copy binary_bios_measurement file
|
||||||
if [ ! -e "$eventLog" ]; then
|
if [ ! -e "$eventLog" ]; then
|
||||||
eventLog="$defaultDir"/laptop_default_binary_bios_measurements
|
eventLog=$HIRS_CI_TEST_DEFAULT_EVENT_LOG
|
||||||
fi
|
fi
|
||||||
echo "eventLog used was $eventLog"
|
echo "eventLog used was $eventLog"
|
||||||
cp "$eventLog" "$ciTestEventLog"
|
cp "$eventLog" "$ciTestEventLog"
|
||||||
|
|
||||||
# Step 2: Copy Base RIM files to the TCG folder
|
# Step 2: Copy Base RIM files to the TCG folder
|
||||||
# a: See if test specific swidtag folder exists, if not use the defualt folder
|
# a: See if test specific swidtag folder exists, if not use the default folder
|
||||||
if [[ ! -d $swidDir ]]; then
|
if [[ ! -d $swidDir ]]; then
|
||||||
swidDir=$defaultDir/swidtags;
|
swidDir=$defaultDir/swidtags;
|
||||||
fi
|
fi
|
||||||
pushd $swidDir > /dev/null
|
pushd $swidDir > /dev/null
|
||||||
if [[ ! -f ".gitignore" ]]; then
|
if [[ ! -f ".gitignore" ]]; then
|
||||||
for swidtag in * ; do
|
for swidtag in * ; do
|
||||||
cp -f $swidtag $tcgDir/manifest/swidtag/$swidtag;
|
if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
|
||||||
|
echo "Saving $swidtag to $HIRS_CI_EFI_PATH_SWIDTAG"
|
||||||
|
cp $swidtag $HIRS_CI_EFI_PATH_SWIDTAG
|
||||||
|
fi
|
||||||
|
if [ "$UPLOAD_ARTIFACTS" = YES ]; then
|
||||||
|
echo "Uploading $swidtag to $SERVER_RIM_POST"
|
||||||
|
curl -k -F "file=@$swidtag" $SERVER_RIM_POST
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
popd > /dev/null
|
popd > /dev/null
|
||||||
# Step 3: Copy Support RIM files to the TCG folder in the same mannor
|
# Step 3: Copy Support RIM files to the TCG folder in the same manner
|
||||||
if [[ ! -d $rimDir ]]; then
|
if [[ ! -d $rimDir ]]; then
|
||||||
rimDir=$defaultDir/rims;
|
rimDir=$defaultDir/rims;
|
||||||
fi
|
fi
|
||||||
pushd $rimDir > /dev/null
|
pushd $rimDir > /dev/null
|
||||||
|
|
||||||
if [[ ! -f ".gitignore" ]]; then
|
if [[ ! -f ".gitignore" ]]; then
|
||||||
for rim in * ; do
|
for rim in * ; do
|
||||||
cp -f $rim $tcgDir/manifest/rim/$rim;
|
if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
|
||||||
|
echo "Saving $rim to $HIRS_CI_EFI_PATH_RIM"
|
||||||
|
cp $rim $HIRS_CI_EFI_PATH_RIM
|
||||||
|
fi
|
||||||
|
if [ "$UPLOAD_ARTIFACTS" = YES ]; then
|
||||||
|
echo "Uploading $rim to $SERVER_RIM_POST"
|
||||||
|
curl -k -F "file=@$rim" $SERVER_RIM_POST
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
popd > /dev/null
|
popd > /dev/null
|
||||||
|
|
||||||
#Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file
|
#Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file
|
||||||
# a: Clear the TPM PCR registers vi a call to the tss clear
|
|
||||||
# b: Check if a test specific setpcr.sh file exists. If not use the profiles default script
|
|
||||||
|
|
||||||
|
|
||||||
if [[ ! -f $pcrScript ]]; then
|
if [[ ! -f $pcrScript ]]; then
|
||||||
pcrScript="$profileDir/default/"$profile"_default_setpcrs.sh"
|
pcrScript=$HIRS_CI_TEST_DEFAULT_SETPCRS_SH
|
||||||
fi
|
fi
|
||||||
sh $pcrScript;
|
sh $pcrScript;
|
||||||
#echo "PCR script was $pcrScript"
|
|
||||||
#tpm2_pcrlist -g sha256
|
|
||||||
|
|
||||||
# Done with rim_setup
|
|
||||||
|
@ -18,7 +18,7 @@ docker exec $aca_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
|
|||||||
&& echo 'ACA Container Current Branch: ' && git branch \
|
&& echo 'ACA Container Current Branch: ' && git branch \
|
||||||
&& /hirs/package/linux/aca/aca_setup.sh --unattended 1> /dev/null \
|
&& /hirs/package/linux/aca/aca_setup.sh --unattended 1> /dev/null \
|
||||||
&& /tmp/hirs_add_aca_tls_path_to_os.sh 1> /dev/null \
|
&& /tmp/hirs_add_aca_tls_path_to_os.sh 1> /dev/null \
|
||||||
&& /hirs/package/linux/aca/aca_bootRun.sh 1> /dev/null" &
|
&& /hirs/package/linux/aca/aca_bootRun.sh -d 1> /dev/null" &
|
||||||
|
|
||||||
# Switching to current/desired branch in Provisioner Container
|
# Switching to current/desired branch in Provisioner Container
|
||||||
docker exec $tpm2_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
|
docker exec $tpm2_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
|
||||||
@ -27,7 +27,7 @@ docker exec $tpm2_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
|
|||||||
# Install HIRS Provisioner.Net and setup tpm2 simulator.
|
# Install HIRS Provisioner.Net and setup tpm2 simulator.
|
||||||
# In doing so, tests a single provision between Provisioner.Net and ACA.
|
# In doing so, tests a single provision between Provisioner.Net and ACA.
|
||||||
echo "Launching provisioner setup"
|
echo "Launching provisioner setup"
|
||||||
docker exec $tpm2_container sh /hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh
|
docker exec -i $tpm2_container /bin/bash -c "/hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh"
|
||||||
|
|
||||||
# Initiating System Tests
|
# Initiating System Tests
|
||||||
echo "******** Setup Complete. Beginning HIRS System Tests. ******** "
|
echo "******** Setup Complete. Beginning HIRS System Tests. ******** "
|
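Review bot: The path `/hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh` in the new `docker exec -i $tpm2_container /bin/bash -c` line is hard-coded, while the helper functions added in this same commit reach that tree through `$HIRS_CI_REPO_ROOT` (for example `$HIRS_CI_REPO_ROOT/.ci/system-tests/container/pc_setup.sh`). Writing it as `"$HIRS_CI_REPO_ROOT/.ci/setup/container/setup_tpm2provisioner_dotnet.sh"` keeps one source of truth for the repo root, assuming the variable is exported into this script's environment as it is for the others. The `/hirs/package/linux/aca/...` paths in the ACA exec above have the same issue but predate this change.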
@ -26,34 +26,34 @@ fi
|
|||||||
|
|
||||||
# clear all policy settings
|
# clear all policy settings
|
||||||
setPolicyNone() {
|
setPolicyNone() {
|
||||||
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=0, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
|
docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=0, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
|
||||||
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
|
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Policy Settings for tests ...
|
# Policy Settings for tests ...
|
||||||
setPolicyEkOnly() {
|
setPolicyEkOnly() {
|
||||||
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
|
docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=0,
|
||||||
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
|
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
|
||||||
}
|
}
|
||||||
|
|
||||||
setPolicyEkPc_noAttCheck() {
|
setPolicyEkPc_noAttCheck() {
|
||||||
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=1,
|
docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=1,
|
||||||
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
|
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
|
||||||
}
|
}
|
||||||
|
|
||||||
setPolicyEkPc() {
|
setPolicyEkPc() {
|
||||||
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
|
docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
|
||||||
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
|
utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;"
|
||||||
}
|
}
|
||||||
|
|
||||||
setPolicyEkPcFw() {
|
setPolicyEkPcFw() {
|
||||||
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
|
docker exec -i $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1,
|
||||||
utcValidationEnabled=0, firmwareValidationEnabled=1, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=1, ignoretBootEnabled=0;"
|
utcValidationEnabled=0, firmwareValidationEnabled=1, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=1, ignoretBootEnabled=0;"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Clear all ACA DB items excluding policy
|
# Clear all ACA DB items excluding policy
|
||||||
clearAcaDb() {
|
clearAcaDb() {
|
||||||
docker exec hirs-aca1 mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Appraiser;
|
docker exec -i $aca_container mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Appraiser;
|
||||||
truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate ComponentAttributeResult;
|
truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate ComponentAttributeResult;
|
||||||
truncate ComponentInfo;truncate ComponentResult;truncate Device;truncate DeviceInfoReport;truncate PortalInfo;
|
truncate ComponentInfo;truncate ComponentResult;truncate Device;truncate DeviceInfoReport;truncate PortalInfo;
|
||||||
truncate ReferenceDigestValue;truncate ReferenceManifest;truncate Report;truncate SupplyChainValidation;
|
truncate ReferenceDigestValue;truncate ReferenceManifest;truncate Report;truncate SupplyChainValidation;
|
||||||
@ -68,15 +68,18 @@ uploadTrustedCerts() {
|
|||||||
# && ./createekcert -rsa 2048 -cakey cakey.pem -capwd rrrr -v 1> /dev/null \
|
# && ./createekcert -rsa 2048 -cakey cakey.pem -capwd rrrr -v 1> /dev/null \
|
||||||
# && popd > /dev/null"
|
# && popd > /dev/null"
|
||||||
# Upload CA Cert from IBMTSS Tools
|
# Upload CA Cert from IBMTSS Tools
|
||||||
docker exec $tpm2_container sh -c "pushd /ibmtss/utils/certificates > /dev/null \
|
echo "Uploading Trust Certificates to ${HIRS_ACA_HOSTNAME}:${HIRS_ACA_PORTAL_PORT}"
|
||||||
&& curl -k -s -F 'file=@cacert.pem' https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload \
|
echo "Uploading the EK Certificate CA(s)..."
|
||||||
&& popd > /dev/null"
|
docker exec -i $tpm2_container /bin/bash -c "curl -k -F 'file=@/ibmtss/utils/certificates/cacert.pem' $SERVER_CACERT_POST"
|
||||||
|
echo "...done"
|
||||||
# Upload Trusted Certs from HIRS
|
# Upload Trusted Certs from HIRS
|
||||||
pushd .ci/setup/certs > /dev/null
|
echo "Uploading the Platform Certificate CA(s)..."
|
||||||
curl -k -s -F "file=@ca.crt" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
|
docker exec -i $aca_container /bin/bash -c "curl -k -F 'file=@$HIRS_CI_REPO_ROOT/.ci/setup/certs/ca.crt' https://localhost:${HIRS_ACA_PORTAL_PORT}/$HIRS_ACA_POST_POINT_TRUST"
|
||||||
curl -k -s -F "file=@RIMCaCert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
|
echo "...done"
|
||||||
curl -k -s -F "file=@RimSignCert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
|
echo "Uploading the RIM CA(s)..."
|
||||||
popd > /dev/null
|
docker exec -i $aca_container /bin/bash -c "curl -k -F 'file=@$HIRS_CI_REPO_ROOT/.ci/setup/certs/RIMCaCert.pem' https://localhost:${HIRS_ACA_PORTAL_PORT}/$HIRS_ACA_POST_POINT_TRUST"
|
||||||
|
docker exec -i $aca_container /bin/bash -c "curl -k -F 'file=@$HIRS_CI_REPO_ROOT/.ci/setup/certs/RimSignCert.pem' https://localhost:${HIRS_ACA_PORTAL_PORT}/$HIRS_ACA_POST_POINT_TRUST"
|
||||||
|
echo "...done"
|
||||||
}
|
}
|
||||||
|
|
||||||
# provision_tpm2 takes one parameter which is the expected result of the provion: "pass" or "fail"
|
# provision_tpm2 takes one parameter which is the expected result of the provion: "pass" or "fail"
|
||||||
@ -85,7 +88,7 @@ uploadTrustedCerts() {
|
|||||||
provisionTpm2() {
|
provisionTpm2() {
|
||||||
expected_result=$1
|
expected_result=$1
|
||||||
((totalTests++))
|
((totalTests++))
|
||||||
provisionOutput=$(docker exec $tpm2_container sh -c "/usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim");
|
provisionOutput=$(docker exec -i $tpm2_container /bin/bash -c "/usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim");
|
||||||
echo "==========="
|
echo "==========="
|
||||||
echo "$provisionOutput";
|
echo "$provisionOutput";
|
||||||
echo "===========";
|
echo "===========";
|
||||||
@ -106,22 +109,28 @@ provisionTpm2() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resetTpmForNewTest() {
|
||||||
|
docker exec -i $tpm2_container /bin/bash -c "source $HIRS_CI_REPO_ROOT/.ci/setup/container/tpm2_common.sh; startFreshTpmServer -f; startupTpm; installEkCert"
|
||||||
|
}
|
||||||
|
|
||||||
# Places platform cert(s) held in the test folder(s) in the provisioners tcg folder
|
# Places platform cert(s) held in the test folder(s) in the provisioners tcg folder
|
||||||
# setPlatCert <profile> <test>
|
|
||||||
setPlatformCerts() {
|
setPlatformCerts() {
|
||||||
docker exec $tpm2_container sh /hirs/.ci/system-tests/container/pc_setup.sh $1 $2
|
OPTIONS="$@"
|
||||||
#docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
|
echo "Asking container $tpm2_container to run pc_setup.sh $OPTIONS"
|
||||||
|
docker exec -i $tpm2_container /bin/bash -c "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/pc_setup.sh $OPTIONS"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Places RIM files held in the test folder in the provisioners tcg folder
|
# Places RIM files held in the test folder in the provisioners tcg folder
|
||||||
# setRims <profile> <test>
|
|
||||||
setRims() {
|
setRims() {
|
||||||
docker exec $tpm2_container sh /hirs/.ci/system-tests/container/rim_setup.sh $1 $2 $3
|
OPTIONS="$@"
|
||||||
#docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
|
echo "Asking container $tpm2_container to run rim_setup.sh $OPTIONS"
|
||||||
|
docker exec -i $tpm2_container /bin/bash -c "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/rim_setup.sh $OPTIONS"
|
||||||
}
|
}
|
||||||
|
|
||||||
setPlatformOutput() {
|
setAppsettings() {
|
||||||
docker exec $tpm2_container cp /usr/share/hirs/appsettings_hw.json /usr/share/hirs/appsettings.json
|
OPTIONS="$@"
|
||||||
|
echo "Asking container $tpm2_container to set the appsettings file with options: $OPTIONS"
|
||||||
|
docker exec -i $tpm2_container /bin/bash -c "source $HIRS_CI_REPO_ROOT/.ci/setup/container/tpm2_common.sh; setCiHirsAppsettingsFile $OPTIONS"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Writes to the Action ouput, ACA log, and Provisioner Log
|
# Writes to the Action ouput, ACA log, and Provisioner Log
|
||||||
@ -130,6 +139,5 @@ setPlatformOutput() {
|
|||||||
writeToLogs() {
|
writeToLogs() {
|
||||||
line=$1
|
line=$1
|
||||||
echo $line;
|
echo $line;
|
||||||
docker exec $aca_container sh -c "cd .. && echo '$line' >> /var/log/hirs/HIRS_AttestationCA_Portal.log"
|
docker exec -i $aca_container /bin/bash -c "cd .. && echo '$line' >> /var/log/hirs/HIRS_AttestationCA_Portal.log"
|
||||||
# docker exec $tpm2_container sh -c "echo '$line' >> /var/log/hirs/provisioner/HIRS_provisionerTPM2.log"
|
|
||||||
}
|
}
|
||||||
|
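Review bot: The rewritten `uploadTrustedCerts` runs each `curl -k -F 'file=@...'` without `--fail` or any check of its exit status, so an HTTP 4xx/5xx from the trust-chain upload is printed and forgotten and the symptom only appears later as a failed provision; adding `-f` to the four curl calls, or testing `$?` after each `docker exec`, stops the run at the real cause. The opening `echo` announces `${HIRS_ACA_HOSTNAME}:${HIRS_ACA_PORTAL_PORT}` but the uploads actually go to `$SERVER_CACERT_POST` and `https://localhost:${HIRS_ACA_PORTAL_PORT}/...`, which will mislead whoever reads the CI log; echo the URL that is really used. `-k` turns off certificate verification on the very connection that installs the ACA's trust anchors — defensible against localhost in CI, but a one-line comment such as `# -k: the CI ACA portal uses a self-signed certificate` keeps it from being copied into non-CI scripts. In `setPlatformCerts`, `setRims` and `setAppsettings`, `OPTIONS="$@"` flattens the arguments into one string that is then word-split again inside `bash -c`, so any argument containing a space or glob character breaks; `OPTIONS=$(printf '%q ' "$@")` preserves the original words. `resetTpmForNewTest` chains `startFreshTpmServer -f; startupTpm; installEkCert` with `;`, so a failed restart still proceeds to `installEkCert`; `&&` between them would make the reset fail loudly.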
@ -17,6 +17,8 @@ case $1 in
|
|||||||
6) test="6" ;;
|
6) test="6" ;;
|
||||||
7) test="7" ;;
|
7) test="7" ;;
|
||||||
8) test="8" ;;
|
8) test="8" ;;
|
||||||
|
9) test="9" ;;
|
||||||
|
10) test="10" ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Start ACA Policy Tests
|
# Start ACA Policy Tests
|
||||||
@ -24,7 +26,12 @@ esac
|
|||||||
|
|
||||||
if [ "$test" = "1" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "1" ] || [ "$test" = "all" ]; then
|
||||||
writeToLogs "### ACA POLICY TEST 1: Test ACA default policy ###"
|
writeToLogs "### ACA POLICY TEST 1: Test ACA default policy ###"
|
||||||
setPlatformCerts "laptop" "empty"
|
writeToLogs "Now using default appsettings"
|
||||||
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
|
setAppsettings
|
||||||
|
setPolicyNone
|
||||||
|
setPlatformCerts -p "laptop" -t "empty"
|
||||||
provisionTpm2 "pass"
|
provisionTpm2 "pass"
|
||||||
fi
|
fi
|
||||||
if [ "$test" = "2" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "2" ] || [ "$test" = "all" ]; then
|
||||||
@ -47,37 +54,62 @@ if [ "$test" = "5" ] || [ "$test" = "all" ]; then
|
|||||||
setPolicyEkPcFw
|
setPolicyEkPcFw
|
||||||
provisionTpm2 "fail"
|
provisionTpm2 "fail"
|
||||||
fi
|
fi
|
||||||
|
writeToLogs "Now using appsettings with hardware information"
|
||||||
|
setAppsettings --paccor-output-file /ci_test/hw.json --event-log-file /ci_test/binary_bios_measurements --linux-dmi
|
||||||
if [ "$test" = "6" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "6" ] || [ "$test" = "all" ]; then
|
||||||
writeToLogs "### ACA POLICY TEST 6: Test PC Validation Policy with valid PC with no Attribute Check ###"
|
writeToLogs "### ACA POLICY TEST 6: Test PC Validation Policy with valid PC with no Attribute Check ###"
|
||||||
clearAcaDb
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
setPolicyEkPc_noAttCheck
|
setPolicyEkPc_noAttCheck
|
||||||
uploadTrustedCerts
|
uploadTrustedCerts
|
||||||
setPlatformCerts "laptop" "default"
|
setPlatformCerts -p "laptop" -t "default"
|
||||||
provisionTpm2 "pass"
|
provisionTpm2 "pass"
|
||||||
fi
|
fi
|
||||||
if [ "$test" = "7" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "7" ] || [ "$test" = "all" ]; then
|
||||||
writeToLogs "### ACA POLICY TEST 7: Test PC Validation Policy with valid PC with Attribute Check ###"
|
writeToLogs "### ACA POLICY TEST 7: Test PC Validation Policy with valid PC with Attribute Check ###"
|
||||||
clearAcaDb
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
setPolicyEkPc
|
setPolicyEkPc
|
||||||
uploadTrustedCerts
|
uploadTrustedCerts
|
||||||
setPlatformCerts "laptop" "default"
|
setPlatformCerts -p "laptop" -t "default"
|
||||||
setPlatformOutput
|
|
||||||
provisionTpm2 "pass"
|
provisionTpm2 "pass"
|
||||||
fi
|
fi
|
||||||
if [ "$test" = "8" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "8" ] || [ "$test" = "all" ]; then
|
||||||
writeToLogs "### ACA POLICY TEST 8: Test PC with RIM Validation Policy with valid PC and RIM ###"
|
writeToLogs "### ACA POLICY TEST 8: Test PC with RIM Validation Policy with valid PC and RIM ###"
|
||||||
clearAcaDb
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
setPolicyEkPcFw
|
setPolicyEkPcFw
|
||||||
uploadTrustedCerts
|
uploadTrustedCerts
|
||||||
setPlatformCerts "laptop" "default"
|
setPlatformCerts -p "laptop" -t "default"
|
||||||
setRims "laptop" "default"
|
setRims -p "laptop" -t "default"
|
||||||
|
provisionTpm2 "pass"
|
||||||
|
fi
|
||||||
|
if [ "$test" = "9" ] || [ "$test" = "all" ]; then
|
||||||
|
writeToLogs "### ACA POLICY TEST 9: Test valid PC and RIM with PC only uploaded ###"
|
||||||
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
|
setPolicyEkPcFw
|
||||||
|
uploadTrustedCerts
|
||||||
|
setPlatformCerts -p "laptop" -t "default" -u -n
|
||||||
|
setRims -p "laptop" -t "default"
|
||||||
|
provisionTpm2 "pass"
|
||||||
|
fi
|
||||||
|
if [ "$test" = "10" ] || [ "$test" = "all" ]; then
|
||||||
|
writeToLogs "### ACA POLICY TEST 10: Test valid PC and RIM with RIM only uploaded ###"
|
||||||
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
|
setPolicyEkPcFw
|
||||||
|
uploadTrustedCerts
|
||||||
|
setPlatformCerts -p "laptop" -t "default"
|
||||||
|
setRims -p "laptop" -t "default" -u -n
|
||||||
provisionTpm2 "pass"
|
provisionTpm2 "pass"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Process Test Results, any single failure will send back a failed result.
|
# Process Test Results, any single failure will send back a failed result.
|
||||||
if [[ $failedTests != 0 ]]; then
|
if [[ $failedTests != 0 ]]; then
|
||||||
export TEST_STATUS=1;
|
export TEST_STATUS=1
|
||||||
echo "**** $failedTests out of $totalTests ACA Policy Tests Failed! ****"
|
echo "**** $failedTests out of $totalTests ACA Policy Tests Failed! ****"
|
||||||
|
exit 1
|
||||||
else
|
else
|
||||||
echo "**** $totalTests ACA Policy Tests Passed! ****"
|
echo "**** $totalTests ACA Policy Tests Passed! ****"
|
||||||
fi
|
fi
|
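Review bot: At the end of the script `export TEST_STATUS=1` is now followed by `exit 1`; since the workflow runs this file directly (`.ci/system-tests/tests/aca_policy_tests.sh 8`) rather than sourcing it, the exported variable never reaches the caller and the exit code is what actually signals failure, so the `export` line is dead and can be removed (the same pair appears in the platform-certificate and RIM test scripts below). The line `setAppsettings --paccor-output-file /ci_test/hw.json --event-log-file /ci_test/binary_bios_measurements --linux-dmi` hard-codes the test root and is duplicated verbatim in the platform-certificate script, while the other new code in this commit reaches CI paths through `$HIRS_CI_*` variables; a variable for the test root, or a helper in the common script, avoids the two copies drifting. Tests 9 and 10 read consistently with test 8, but a short comment above each saying what `-u -n` changes (upload to the ACA instead of placing in the ESP, if that is what the flags mean) would help, since the flag semantics are only visible in pc_setup.sh and rim_setup.sh.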
@ -18,33 +18,39 @@ esac
|
|||||||
# provisionTpm2 takes 1 parameter (the expected result): "pass" or "fail"
|
# provisionTpm2 takes 1 parameter (the expected result): "pass" or "fail"
|
||||||
# Note that the aca_policy_tests have already run several Platform Certificate system tests
|
# Note that the aca_policy_tests have already run several Platform Certificate system tests
|
||||||
|
|
||||||
|
setAppsettings --paccor-output-file /ci_test/hw.json --event-log-file /ci_test/binary_bios_measurements --linux-dmi
|
||||||
|
|
||||||
if [ "$test" = "1" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "1" ] || [ "$test" = "all" ]; then
|
||||||
writeToLogs "### ACA PLATFORM CERTIFICATE TEST 1: Test a delta Platform Certificate that adds a new memory component ###"
|
writeToLogs "### ACA PLATFORM CERTIFICATE TEST 1: Test a delta Platform Certificate that adds a new memory component ###"
|
||||||
clearAcaDb
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
uploadTrustedCerts
|
uploadTrustedCerts
|
||||||
setPolicyEkPc
|
setPolicyEkPc
|
||||||
setPlatformCerts "laptop" "deltaPlatMem"
|
setPlatformCerts -p "laptop" -t "deltaPlatMem"
|
||||||
provisionTpm2 "pass"
|
provisionTpm2 "pass"
|
||||||
fi
|
fi
|
||||||
if [ "$test" = "2" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "2" ] || [ "$test" = "all" ]; then
|
||||||
writeToLogs "### ACA PLATFORM CERTIFICATE TEST 2: Test a Platform Certificate that is missing a memory component ###"
|
writeToLogs "### ACA PLATFORM CERTIFICATE TEST 2: Test a Platform Certificate that is missing a memory component ###"
|
||||||
clearAcaDb
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
uploadTrustedCerts
|
uploadTrustedCerts
|
||||||
setPlatformCerts "laptop" "platCertLight"
|
setPlatformCerts -p "laptop" -t "platCertLight"
|
||||||
provisionTpm2 "pass"
|
provisionTpm2 "pass"
|
||||||
fi
|
fi
|
||||||
if [ "$test" = "3" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "3" ] || [ "$test" = "all" ]; then
|
||||||
writeToLogs "### ACA PLATFORM CERTIFICATE TEST 3: Test a Delta Platform Certificate that has a wrong a memory component ###"
|
writeToLogs "### ACA PLATFORM CERTIFICATE TEST 3: Test a Delta Platform Certificate that has a wrong a memory component ###"
|
||||||
clearAcaDb
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
uploadTrustedCerts
|
uploadTrustedCerts
|
||||||
setPlatformCerts "laptop" "badDeltaMem"
|
setPlatformCerts -p "laptop" -t "badDeltaMem"
|
||||||
provisionTpm2 "fail"
|
provisionTpm2 "fail"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Process Test Results, any single failure will send back a failed result.
|
# Process Test Results, any single failure will send back a failed result.
|
||||||
if [[ $failedTests != 0 ]]; then
|
if [[ $failedTests != 0 ]]; then
|
||||||
export TEST_STATUS=1;
|
export TEST_STATUS=1
|
||||||
echo "**** $failedTests out of $totalTests Platform Certificate Tests Failed! ****"
|
echo "**** $failedTests out of $totalTests Platform Certificate Tests Failed! ****"
|
||||||
|
exit 1
|
||||||
else
|
else
|
||||||
echo "**** $totalTests Platform Certificate Tests Passed! ****"
|
echo "**** $totalTests Platform Certificate Tests Passed! ****"
|
||||||
fi
|
fi
|
@ -21,35 +21,39 @@ esac
|
|||||||
if [ "$test" = "1" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "1" ] || [ "$test" = "all" ]; then
|
||||||
writeToLogs "### ACA RIM TEST 1: Test a RIM from an OEM and a Supplemental RIM from a VAR ###"
|
writeToLogs "### ACA RIM TEST 1: Test a RIM from an OEM and a Supplemental RIM from a VAR ###"
|
||||||
clearAcaDb
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
uploadTrustedCerts
|
uploadTrustedCerts
|
||||||
setPolicyEkPcFw
|
setPolicyEkPcFw
|
||||||
setPlatformCerts "laptop" "varOsInstall"
|
setPlatformCerts -p "laptop" -t "varOsInstall"
|
||||||
setRims "laptop" "varOsInstall" "clear"
|
setRims -p "laptop" -t "varOsInstall"
|
||||||
provisionTpm2 "pass"
|
provisionTpm2 "pass"
|
||||||
fi
|
fi
|
||||||
if [ "$test" = "2" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "2" ] || [ "$test" = "all" ]; then
|
||||||
writeToLogs "### ACA RIM TEST 2: Test a RIM from an OEM with a bad reference measurement and a Supplemental RIM from a VAR ###"
|
writeToLogs "### ACA RIM TEST 2: Test a RIM from an OEM with a bad reference measurement and a Supplemental RIM from a VAR ###"
|
||||||
clearAcaDb
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
uploadTrustedCerts
|
uploadTrustedCerts
|
||||||
setPolicyEkPcFw
|
setPolicyEkPcFw
|
||||||
setPlatformCerts "laptop" "badOemInstall"
|
setPlatformCerts -p "laptop" -t "badOemInstall"
|
||||||
setRims "laptop" "badOemInstall" "clear"
|
setRims -p "laptop" -t "badOemInstall"
|
||||||
provisionTpm2 "fail"
|
provisionTpm2 "fail"
|
||||||
fi
|
fi
|
||||||
if [ "$test" = "3" ] || [ "$test" = "all" ]; then
|
if [ "$test" = "3" ] || [ "$test" = "all" ]; then
|
||||||
writeToLogs "### ACA RIM TEST 3: Test a RIM from an OEM and a Supplemental RIM from a VAR with a bad reference measurement ###"
|
writeToLogs "### ACA RIM TEST 3: Test a RIM from an OEM and a Supplemental RIM from a VAR with a bad reference measurement ###"
|
||||||
clearAcaDb
|
clearAcaDb
|
||||||
|
resetTpmForNewTest
|
||||||
uploadTrustedCerts
|
uploadTrustedCerts
|
||||||
setPolicyEkPcFw
|
setPolicyEkPcFw
|
||||||
setPlatformCerts "laptop" "badVarInstall"
|
setPlatformCerts -p "laptop" -t "badVarInstall"
|
||||||
setRims "laptop" "badVarInstall" "clear"
|
setRims -p "laptop" -t "badVarInstall"
|
||||||
provisionTpm2 "fail"
|
provisionTpm2 "fail"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Process Test Results, any single failure will send back a failed result.
|
# Process Test Results, any single failure will send back a failed result.
|
||||||
if [[ $failedTests != 0 ]]; then
|
if [[ $failedTests != 0 ]]; then
|
||||||
export TEST_STATUS=1;
|
export TEST_STATUS=1
|
||||||
echo "**** $failedTests out of $totalTests ACA RIM Tests Failed! ****"
|
echo "**** $failedTests out of $totalTests ACA RIM Tests Failed! ****"
|
||||||
|
exit 1
|
||||||
else
|
else
|
||||||
echo "**** $totalTests ACA RIM Tests Passed! ****"
|
echo "**** $totalTests ACA RIM Tests Passed! ****"
|
||||||
fi
|
fi
|
10
.github/workflows/system_test.yml
@ -69,6 +69,16 @@ jobs:
|
|||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
.ci/system-tests/tests/aca_policy_tests.sh 8
|
.ci/system-tests/tests/aca_policy_tests.sh 8
|
||||||
|
- name: ACA POLICY TEST 9 - Test valid PC and RIM with PC only uploaded
|
||||||
|
continue-on-error: true
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
.ci/system-tests/tests/aca_policy_tests.sh 9
|
||||||
|
- name: ACA POLICY TEST 10 - Test valid PC and RIM with RIM only uploaded
|
||||||
|
continue-on-error: true
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
.ci/system-tests/tests/aca_policy_tests.sh 10
|
||||||
# - name: All ACA Policy Tests 1-8
|
# - name: All ACA Policy Tests 1-8
|
||||||
# continue-on-error: true
|
# continue-on-error: true
|
||||||
# shell: bash
|
# shell: bash
|
||||||
|
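Review bot: The two new steps for ACA POLICY TEST 9 and 10 copy `continue-on-error: true` from the test 8 step, so the `exit 1` the test scripts now perform on failure is recorded as a step failure but does not fail the job; if the new non-zero exit is meant to gate the workflow, either drop `continue-on-error` or give these steps `id:` values and add a final step that inspects `steps.<id>.outcome`. The commented-out block below still reads `All ACA Policy Tests 1-8`; if it is kept, update it to `1-10` so it does not contradict the steps above it.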
@ -19,6 +19,7 @@ public interface ReferenceManifestRepository extends JpaRepository<ReferenceMani
ReferenceManifest findByHexDecHash(String hexDecHash);
ReferenceManifest findByHexDecHash(String hexDecHash);
ReferenceManifest findByBase64Hash(String base64Hash);
ReferenceManifest findByBase64Hash(String base64Hash);
ReferenceManifest findByHexDecHashAndRimType(String hexDecHash, String rimType);
ReferenceManifest findByHexDecHashAndRimType(String hexDecHash, String rimType);
ReferenceManifest findByEventLogHashAndRimType(String hexDecHash, String rimType);
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 AND rimType = 'Base'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 AND rimType = 'Base'", nativeQuery = true)
List<BaseReferenceManifest> getBaseByManufacturerModel(String manufacturer, String model);
List<BaseReferenceManifest> getBaseByManufacturerModel(String manufacturer, String model);
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND DTYPE = ?2", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND DTYPE = ?2", nativeQuery = true)
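Review bot: The new derived query `findByEventLogHashAndRimType(String hexDecHash, String rimType)` names its first parameter `hexDecHash` although Spring Data binds it to the `eventLogHash` property taken from the method name; rename it to `eventLogHash` so callers are not led to pass the wrong digest. Returning a single `ReferenceManifest` means a duplicate `(eventLogHash, rimType)` pair in the table surfaces as an incorrect-result-size exception at call time; if the schema does not guarantee uniqueness, return `List<ReferenceManifest>` or `Optional<ReferenceManifest>` and let the caller decide. A one-line Javadoc would also help, e.g. `/** Finds the RIM whose stored event-log hash equals the given hex digest, restricted to the given rim type. */`.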
@ -60,7 +60,7 @@ public class SupplyChainValidation extends ArchivableEntity {
private final List<Certificate> certificatesUsed;
private final List<Certificate> certificatesUsed;
@Getter
@Getter
@Column(length = MAX_MESSAGE_LENGTH)
@Column(length = RESULT_MESSAGE_LENGTH)
private final String message;
private final String message;
@Getter
@Getter
@ -105,8 +105,8 @@ public class SupplyChainValidation extends ArchivableEntity {
this.certificatesUsed = new ArrayList<>();
this.certificatesUsed = new ArrayList<>();
this.rimId = "";
this.rimId = "";
for (ArchivableEntity ae : certificatesUsed) {
for (ArchivableEntity ae : certificatesUsed) {
if (ae instanceof ReferenceManifest) {
if (ae instanceof BaseReferenceManifest rm) {
this.rimId = ae.getId().toString();
this.rimId = rm.getId().toString();
break;
break;
} else if (ae instanceof Certificate) {
} else if (ae instanceof Certificate) {
this.certificatesUsed.add((Certificate) ae);
this.certificatesUsed.add((Certificate) ae);
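Review bot: Narrowing the constructor's check from `instanceof ReferenceManifest` to `instanceof BaseReferenceManifest rm` means any other `ReferenceManifest` subtype handed in matches neither branch and is dropped silently, leaving `rimId` empty with no log line — and the service now passes the event-log measurements when no base RIM is found, which (if that type is a `ReferenceManifest`) is exactly this case; add an `else` that logs the ignored entity type, or keep a fallback `else if (ae instanceof ReferenceManifest rim) { this.rimId = rim.getId().toString(); }` ahead of the `Certificate` branch. Since the loop now uses pattern matching for one branch, the cast in the other can go the same way: `} else if (ae instanceof Certificate cert) { this.certificatesUsed.add(cert); }`. Changing `@Column(length = ...)` from `MAX_MESSAGE_LENGTH` to `RESULT_MESSAGE_LENGTH` alters the DDL of an existing column; if the new constant is shorter, longer validation messages can fail to persist on a database that is not recreated, so the migration implication deserves a sentence in the field's Javadoc.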
@ -492,7 +492,9 @@ public class IdentityClaimProcessor extends AbstractProcessor {
measurements = temp;
measurements = temp;
measurements.setPlatformManufacturer(dv.getHw().getManufacturer());
measurements.setPlatformManufacturer(dv.getHw().getManufacturer());
measurements.setPlatformModel(dv.getHw().getProductName());
measurements.setPlatformModel(dv.getHw().getProductName());
measurements.setTagId(tagId);
if (tagId != null && !tagId.trim().isEmpty()) {
measurements.setTagId(tagId);
}
measurements.setDeviceName(dv.getNw().getHostname());
measurements.setDeviceName(dv.getNw().getHostname());
measurements.archive();
measurements.archive();
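Review bot: The new guard `if (tagId != null && !tagId.trim().isEmpty())` skips `setTagId`, so when the incoming tag id is blank the `measurements` object keeps whatever `tagId` it already carried from `temp`; if the intent is only to ignore blank values that is fine, but if it is to avoid storing an empty string, the previous value now survives and a short comment should state which behaviour is meant. `!tagId.isBlank()` expresses the same check without the temporary string and treats all Unicode whitespace consistently. The enclosing method continues outside the hunk.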
@ -17,6 +17,7 @@ import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCred
|
|||||||
import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
|
import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
|
||||||
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentAttributeResult;
|
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentAttributeResult;
|
||||||
import hirs.attestationca.persist.entity.userdefined.info.ComponentInfo;
|
import hirs.attestationca.persist.entity.userdefined.info.ComponentInfo;
|
||||||
|
import hirs.attestationca.persist.entity.userdefined.rim.BaseReferenceManifest;
|
||||||
import hirs.attestationca.persist.entity.userdefined.rim.EventLogMeasurements;
|
import hirs.attestationca.persist.entity.userdefined.rim.EventLogMeasurements;
|
||||||
import hirs.attestationca.persist.entity.userdefined.rim.SupportReferenceManifest;
|
import hirs.attestationca.persist.entity.userdefined.rim.SupportReferenceManifest;
|
||||||
import hirs.attestationca.persist.enums.AppraisalStatus;
|
import hirs.attestationca.persist.enums.AppraisalStatus;
|
||||||
@ -35,6 +36,7 @@ import java.util.Iterator;
|
|||||||
import java.util.LinkedList;
|
import java.util.LinkedList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import java.util.Optional;
|
||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
||||||
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL;
|
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL;
|
||||||
@ -353,32 +355,47 @@ public class SupplyChainValidationService {
|
|||||||
log.error(ex);
|
log.error(ex);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
BaseReferenceManifest bRim = null;
|
||||||
|
if (sRim != null && sRim.getAssociatedRim() != null) {
|
||||||
|
Optional<ReferenceManifest> oRim = referenceManifestRepository.findById(sRim.getAssociatedRim());
|
||||||
|
if (oRim.isPresent()) {
|
||||||
|
ReferenceManifest rim = oRim.get();
|
||||||
|
if (rim instanceof BaseReferenceManifest) {
|
||||||
|
bRim = (BaseReferenceManifest) rim;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
quoteScv = ValidationService.buildValidationRecord(SupplyChainValidation
|
quoteScv = ValidationService.buildValidationRecord(SupplyChainValidation
|
||||||
.ValidationType.FIRMWARE,
|
.ValidationType.FIRMWARE,
|
||||||
fwStatus.getAppStatus(), fwStatus.getMessage(), eventLog, level);
|
fwStatus.getAppStatus(), fwStatus.getMessage(), bRim != null ? bRim : eventLog, level);
|
||||||
|
|
||||||
// Generate validation summary, save it, and return it.
|
// Generate validation summary, save it, and return it.
|
||||||
List<SupplyChainValidation> validations = new ArrayList<>();
|
List<SupplyChainValidation> validations = new ArrayList<>();
|
||||||
SupplyChainValidationSummary previous
|
Optional<SupplyChainValidationSummary> previousOpt
|
||||||
//= this.supplyChainValidationSummaryRepository.findByDevice(deviceName);
|
//= this.supplyChainValidationSummaryRepository.findByDevice(deviceName);
|
||||||
= this.supplyChainValidationSummaryRepository.findByDevice(device);
|
//= this.supplyChainValidationSummaryRepository.findByDevice(device);
|
||||||
for (SupplyChainValidation scv : previous.getValidations()) {
|
= this.supplyChainValidationSummaryRepository.findById(UUID.fromString(device.getSummaryId()));
|
||||||
if (scv.getValidationType() != SupplyChainValidation.ValidationType.FIRMWARE) {
|
if (previousOpt.isPresent()) {
|
||||||
validations.add(ValidationService.buildValidationRecord(scv.getValidationType(),
|
SupplyChainValidationSummary previous = previousOpt.get();
|
||||||
scv.getValidationResult(), scv.getMessage(),
|
for (SupplyChainValidation scv : previous.getValidations()) {
|
||||||
scv.getCertificatesUsed().get(0), Level.INFO));
|
if (scv.getValidationType() != SupplyChainValidation.ValidationType.FIRMWARE) {
|
||||||
|
validations.add(ValidationService.buildValidationRecord(scv.getValidationType(),
|
||||||
|
scv.getValidationResult(), scv.getMessage(),
|
||||||
|
scv.getCertificatesUsed().get(0), Level.INFO));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
validations.add(quoteScv);
|
||||||
validations.add(quoteScv);
|
previous.archive();
|
||||||
previous.archive();
|
supplyChainValidationSummaryRepository.save(previous);
|
||||||
supplyChainValidationSummaryRepository.save(previous);
|
summary = new SupplyChainValidationSummary(device, validations);
|
||||||
summary = new SupplyChainValidationSummary(device, validations);
|
|
||||||
|
|
||||||
// try removing the supply chain validation as well and resaving that
|
// try removing the supply chain validation as well and resaving that
|
||||||
try {
|
try {
|
||||||
supplyChainValidationSummaryRepository.save(summary);
|
supplyChainValidationSummaryRepository.save(summary);
|
||||||
} catch (DBManagerException dbEx) {
|
} catch (DBManagerException dbEx) {
|
||||||
log.error("Failed to save Supply Chain Summary", dbEx);
|
log.error("Failed to save Supply Chain Summary", dbEx);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -59,20 +59,32 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
|
|||||||
ReferenceManifest supportReferenceManifest = null;
|
ReferenceManifest supportReferenceManifest = null;
|
||||||
EventLogMeasurements measurement = null;
|
EventLogMeasurements measurement = null;
|
||||||
|
|
||||||
baseReferenceManifests = referenceManifestRepository.findAllBaseRims();
|
//baseReferenceManifests = referenceManifestRepository.findAllBaseRims();
|
||||||
|
|
||||||
for (BaseReferenceManifest bRim : baseReferenceManifests) {
|
// This block was looking for a base RIM matching the device name
|
||||||
if (bRim.getDeviceName().equals(hostName)
|
// The base rim might not have a device name associated with it- i.e. if it's uploaded to the ACA prior to provisioning
|
||||||
&& !bRim.isSwidSupplemental() && !bRim.isSwidPatch()) {
|
// In this case, try to look up the event log associated with the device, then get the base rim associated by event log hash
|
||||||
baseReferenceManifest = bRim;
|
List<ReferenceManifest> deviceRims = referenceManifestRepository.findByDeviceName(hostName);
|
||||||
|
for (ReferenceManifest deviceRim : deviceRims) {
|
||||||
|
if (deviceRim instanceof BaseReferenceManifest && !deviceRim.isSwidSupplemental() && !deviceRim.isSwidPatch()) {
|
||||||
|
baseReferenceManifest = (BaseReferenceManifest) deviceRim;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (deviceRim instanceof EventLogMeasurements) {
|
||||||
|
measurement = (EventLogMeasurements) deviceRim;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Attempt to get an event log from the database matching the expected hash
|
||||||
|
if (baseReferenceManifest == null && measurement != null) {
|
||||||
|
baseReferenceManifest = (BaseReferenceManifest)referenceManifestRepository.findByEventLogHashAndRimType(measurement.getHexDecHash(), ReferenceManifest.BASE_RIM);
|
||||||
}
|
}
|
||||||
|
|
||||||
String failedString = "";
|
String failedString = "";
|
||||||
if (baseReferenceManifest == null) {
|
if (baseReferenceManifest == null) {
|
||||||
failedString = "Base Reference Integrity Manifest\n";
|
failedString = "Base Reference Integrity Manifest\n";
|
||||||
passed = false;
|
passed = false;
|
||||||
} else {
|
} else if (measurement == null) {
|
||||||
measurement = (EventLogMeasurements) referenceManifestRepository.findByHexDecHashAndRimType(
|
measurement = (EventLogMeasurements) referenceManifestRepository.findByHexDecHashAndRimType(
|
||||||
baseReferenceManifest.getEventLogHash(), ReferenceManifest.MEASUREMENT_RIM);
|
baseReferenceManifest.getEventLogHash(), ReferenceManifest.MEASUREMENT_RIM);
|
||||||
|
|
||||||
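Review bot: The new comment `// Attempt to get an event log from the database matching the expected hash` describes the opposite lookup: the call beneath it fetches a base RIM whose eventLogHash equals the device's own measurement hash, so the reference that the later firmware appraisal is checked against is being selected by data the device supplied; I would rewrite it as `// No base RIM tagged with this device name: fall back to the base RIM whose eventLogHash matches the device's event log (the base RIM must still pass its own signature check before it is trusted)`, with the signature-check part confirmed against the rest of the method, which is not visible here. The device-name loop has no `break` and overwrites `baseReferenceManifest` and `measurement` on every match, so when several base RIMs are stored for one hostName the one used depends on repository ordering; either `break` on the first qualifying base RIM or log when more than one candidate is found. The unchecked `(BaseReferenceManifest)` cast of the `findByEventLogHashAndRimType` result throws ClassCastException rather than leaving `baseReferenceManifest` null if the query returns another RIM subtype, bypassing the `Base Reference Integrity Manifest` failure path below; guarding it like the loop does, `ReferenceManifest byHash = referenceManifestRepository.findByEventLogHashAndRimType(measurement.getHexDecHash(), ReferenceManifest.BASE_RIM); if (byHash instanceof BaseReferenceManifest) { baseReferenceManifest = (BaseReferenceManifest) byHash; }`, keeps the failure reportable. The enclosing method starts and ends outside the hunk.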
|
@ -462,12 +462,14 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
|
|||||||
supportRim.setPlatformModel(dbBaseRim.getPlatformModel());
|
supportRim.setPlatformModel(dbBaseRim.getPlatformModel());
|
||||||
supportRim.setTagId(dbBaseRim.getTagId());
|
supportRim.setTagId(dbBaseRim.getTagId());
|
||||||
supportRim.setAssociatedRim(dbBaseRim.getId());
|
supportRim.setAssociatedRim(dbBaseRim.getId());
|
||||||
|
dbBaseRim.setAssociatedRim(supportRim.getId());
|
||||||
supportRim.setUpdated(true);
|
supportRim.setUpdated(true);
|
||||||
referenceManifestRepository.save(supportRim);
|
referenceManifestRepository.save(supportRim);
|
||||||
updatedSupportRims.put(supportHash, supportRim);
|
updatedSupportRims.put(supportHash, supportRim);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
referenceManifestRepository.save(dbBaseRim);
|
||||||
}
|
}
|
||||||
|
|
||||||
return updatedSupportRims;
|
return updatedSupportRims;
|
||||||
|
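Review bot: `dbBaseRim.setAssociatedRim(supportRim.getId())` stores a single UUID, so when more than one support RIM processed by this loop matches the same base RIM only the last one stays linked and earlier links are silently replaced. At minimum log the replacement so an operator can see a base RIM being re-pointed, e.g. `if (dbBaseRim.getAssociatedRim() != null && !dbBaseRim.getAssociatedRim().equals(supportRim.getId())) { log.warn("Base RIM {} already linked to support RIM {}, replacing with {}", dbBaseRim.getId(), dbBaseRim.getAssociatedRim(), supportRim.getId()); }` (using whatever logger the controller already declares). The base RIM is linked before `referenceManifestRepository.save(supportRim)` runs and the new `referenceManifestRepository.save(dbBaseRim)` after the loops appears unconditional, so if the support-RIM save fails the base RIM can still be persisted pointing at an id that was never stored; worth confirming whether the two saves share a transaction and how the support RIM's id is assigned. The enclosing method begins outside the hunk.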