Merge branch 'master' into multiple-rim-upload

HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java

@@ -410,8 +410,12 @@ public abstract class AbstractAttestationCertificateAuthority
         // parse the EK Public key from the IdentityClaim once for use in supply chain validation
         // and later tpm20MakeCredential function
         RSAPublicKey ekPub = parsePublicKey(claim.getEkPublicArea().toByteArray());
-
-        AppraisalStatus.Status validationResult = doSupplyChainValidation(claim, ekPub);
+        AppraisalStatus.Status validationResult = AppraisalStatus.Status.FAIL;
+        try {
+            validationResult = doSupplyChainValidation(claim, ekPub);
+        } catch (Exception ex) {
+            LOG.error(ex);
+        }
         if (validationResult == AppraisalStatus.Status.PASS) {
 
             RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray());
@@ -783,6 +787,8 @@ public abstract class AbstractAttestationCertificateAuthority
                     LOG.error(ioEx);
                 }
             }
+        } else {
+            LOG.warn("Device did not send swid tag file...");
         }
 
         if (dv.getLogfileCount() > 0) {
@@ -820,9 +826,12 @@ public abstract class AbstractAttestationCertificateAuthority
                     LOG.error(ioEx);
                 }
             }
+        } else {
+            LOG.warn("Device did not send support RIM file...");
         }
 
         if (dv.hasLivelog()) {
+            LOG.info("Device sent bios measurement log...");
             fileName = String.format("%s.measurement",
                     clientName);
             try {
@@ -831,6 +840,7 @@ public abstract class AbstractAttestationCertificateAuthority
                         .byManufacturer(dv.getHw().getManufacturer())
                         .includeArchived().getRIM();
                 if (support != null) {
+                    LOG.info("Previous bios measurement log found and being replaced...");
                     this.referenceManifestManager.delete(support);
                 }
                 support = new EventLogMeasurements(fileName,
@@ -842,6 +852,8 @@ public abstract class AbstractAttestationCertificateAuthority
             } catch (IOException ioEx) {
                 LOG.error(ioEx);
             }
+        } else {
+            LOG.warn("Device did not send bios measurement log...");
         }
 
         // Get TPM info, currently unimplemented

HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java

@@ -369,8 +369,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                 .byManufacturer(manufacturer).getRIM();
         supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager)
                 .byManufacturer(manufacturer).getRIM();
-        List<SwidResource> resources =
-                ((BaseReferenceManifest) baseReferenceManifest).parseResource();
         measurement = EventLogMeasurements.select(referenceManifestManager)
                 .byManufacturer(manufacturer).includeArchived().getRIM();
 
@@ -390,6 +388,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
         }
 
         if (passed) {
+            List<SwidResource> resources =
+                    ((BaseReferenceManifest) baseReferenceManifest).parseResource();
             fwStatus = new AppraisalStatus(PASS,
                     SupplyChainCredentialValidator.FIRMWARE_VALID);
 

HIRS_ProvisionerTPM2/package/rpm-post-install.sh

@@ -45,6 +45,7 @@ TCG_DIRECTORY="/boot/tcg"
 RIM_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/"
 SWIDTAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/"
 CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/"
+BINARY_BIOS_MEASUREMENTS="/sys/kernel/security/tpm0/binary_bios_measurements"
 
 if [ ! -f "$TCG_BOOT_FILE" ]; then
   touch "$TCG_BOOT_FILE"
@@ -62,4 +63,8 @@ if [ -d "$CREDENTIALS_LOCATION" ]; then
   echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_BOOT_FILE"
 fi
 
+if [ -f "$BINARY_BIOS_MEASUREMENTS" ]; then
+  echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_BOOT_FILE"
+fi
+
 chmod -w "$TCG_BOOT_FILE"

HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp

@@ -87,6 +87,8 @@ int provision() {
     std::vector<string> swidtag_files;
     const std::string& rim_dir = props.get("tcg.rim.dir", "");
     const std::string& swid_dir = props.get("tcg.swidtag.dir", "");
+    const std::string& live_log_file = props.get("tcg.event.file", "");
+
     try {
         rim_files = hirs::file_utils::search_directory(rim_dir);
         for (const auto& rims : rim_files) {
@@ -108,8 +110,7 @@ int provision() {
         logger.error(hirsRuntimeException.what());
     }
     try {
-        dv.set_livelog(hirs::file_utils::fileToString(
-        "/sys/kernel/security/tpm0/binary_bios_measurements"));
+        dv.set_livelog(hirs::file_utils::fileToString(live_log_file));
     } catch (HirsRuntimeException& hirsRuntimeException) {
         logger.error(hirsRuntimeException.what());
     }

HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java

@@ -168,12 +168,12 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
         }
         try {
             if (trustStore == null || trustStore.size() == 0) {
-                message = baseErrorMessage + "a trust store\n";
+                message = baseErrorMessage + "an Issuer Cert in the Trust Store\n";
                 LOGGER.error(message);
                 return new AppraisalStatus(FAIL, message);
             }
         } catch (KeyStoreException e) {
-            message = baseErrorMessage + "an intitialized trust store";
+            message = baseErrorMessage + "an initialized trust store";
             LOGGER.error(message);
             return new AppraisalStatus(FAIL, message);
         }