Merge pull request #457 from iadgovuser26/fw_sys_test

Fw sys test

.ci/docker/docker-compose-system-test.yml

@@ -9,7 +9,7 @@ services:
       ports:
          - "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}"
       entrypoint: /bin/bash -c
-      command: [HIRS/.ci/setup/setup_aca.sh]
+      command: [HIRS/.ci/setup/container/setup_aca.sh]
       hostname: ${HIRS_ACA_HOSTNAME}
       networks:
          hirs_aca_system_tests:

.ci/setup/container/setup_tpm2provisioner.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+#########################################################################################
+#  Script to setup the TPM 2.0 Provisioner for System Tests
+#  Initial setup only  use resetTpm2Emulator to reset PCR values in subsequent tests
+#########################################################################################
+set -e
+pushd /  > /dev/null
+echo "Setting up TPM emulator for the TPM2 Provisioner"
+ 
+source /HIRS/.ci/setup/container/tpm2_common.sh
+
+#Wait for the ACA to spin up, if it hasnt already
+waitForAca
+
+# Install packages
+installProvisioner
+
+# set location of tcg artifacts
+setTcgProperties
+#echo "Contents of /etc/hirs is $(ls -al /etc/hirs)";
+
+# Install TPM 2.0 Emulator
+initTpm2Emulator
+
+# Update the hirs-site.config file
+updateHirsSiteConfigFile
+
+echo "TPM 2.0 Emulator NV RAM list"
+tpm2_nvlist
+
+echo ""
+echo "===========HIRS ACA TPM 2.0 Provisioner Setup Complete!==========="
+
+popd > /dev/null
+
+#tpm2_pcrlist -g sha256 

.ci/setup/container/tpm2_common.sh

@@ -1,11 +1,8 @@
 #!/bin/bash
 #########################################################################################
-#  Script to setup the TPM 2.0 Provisioner Docker Image for System Tests
+#  Support scripts for the TPM 2.0 Provisioner System Tests
 #
 #########################################################################################
-set -e
-pushd /  > /dev/null
-echo "Setting up TPM emulator for the TPM2 Provisioner"
 
 # Function to make and install TPM 2.0 Provisioner packages
 function installProvisioner {
@@ -24,8 +21,8 @@ function setTpmPcrValues {
   mkdir /ibmtss
   pushd /ibmtss  > /dev/null
     echo "Installing IBM TSS to set the TPM simulator intial values correctly..."
-    wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.5.0.tar.gz > /dev/null
-    tar -zxvf ibmtss1.5.0.tar.gz > /dev/null
+    wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.6.0.tar.gz > /dev/null
+    tar -zxvf ibmtss1.6.0.tar.gz > /dev/null
     cd utils
     make -f makefiletpmc > /dev/null
     cd ../utils
@@ -61,7 +58,7 @@ function initTpm2Emulator {
    echo "DBus started"
 
    # Give DBus time to start up
-   sleep 5
+   sleep 3
 
    /ibmtpm/src/./tpm_server &
    echo "TPM Emulator started"
@@ -76,7 +73,7 @@ function initTpm2Emulator {
    echo "TPM2-Abrmd started"
 
    # Give ABRMD time to start and register on the DBus
-   sleep 2
+   sleep 1
 
    # Certificates
    ek_cert="/HIRS/.ci/setup/certs/ek_cert.der"
@@ -112,10 +109,25 @@ function initTpm2Emulator {
    sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini
 }
 
+# Clear out existing TPM PCR values by restarting the ibm tpm simulator
+function resetTpm2Emulator {
+   echo "clearing the TPM PCR values"
+   # Stop tpm2-abrmd and the tpm server
+   pkill -f "tpm2-abrmd"
+   pkill -f "tpm_server"
+   # restart the tpm server and tpm2-abrmd
+   /ibmtpm/src/./tpm_server &
+   pushd /ibmtss/utils  > /dev/null
+     ./startup
+   popd > /dev/null
+   tpm2-abrmd -t socket &
+   sleep 1
+   # tpm2_pcrlist -g sha256
+}
+
 # Function to update the hirs-site.config file
 function updateHirsSiteConfigFile {
    HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config"
-
    echo ""
    echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...==========="
    cat /HIRS/.ci/docker/.env
@@ -142,8 +154,8 @@ DEFAULT_SITE_CONFIG_FILE
    cat /etc/hirs/hirs-site.config
 }
 
-function waitForAca {
 # Wait for ACA to boot
+function waitForAca {
   echo "Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
   until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
     sleep 1;
@@ -151,27 +163,3 @@ function waitForAca {
   done
   echo "ACA is up!"
 }
-
-#Wait for the ACA to spin up, if it hasnt already
-waitForAca
-
-# Install packages
-installProvisioner
-
-# set location of tcg artifacts
-setTcgProperties
-#echo "Contents of /etc/hirs is $(ls -al /etc/hirs)";
-
-# Install TPM 2.0 Emulator
-initTpm2Emulator
-
-# Update the hirs-site.config file
-updateHirsSiteConfigFile
-
-echo "TPM 2.0 Emulator NV RAM list"
-tpm2_nvlist
-
-echo ""
-echo "===========HIRS ACA TPM 2.0 Provisioner Setup Complete!==========="
-
-popd > /dev/null

.ci/system-tests/container/pc_setup.sh

@@ -2,12 +2,18 @@
 #########################################################################################
 #   Setup for platform certificates for testing
 #   Copies platform certs (Base and Delta) to the tcg directory
+#   usage pc_setup.sh <profile> <test>
 #########################################################################################
 
 profile=$1
 test=$2
+tcgDir="/boot/tcg"
 compscript="$profile"_"$test"_allcomponents.sh
 hwlist="$profile"_"$test"_hw.json
+testDir="/HIRS/.ci/system-tests/profiles/$profile/$test"
+pcDir=$testDir/platformcerts
+profileDir="/HIRS/.ci/system-tests/profiles/$profile"
+
 # Current TCG folder for platform certs, likely to change with release of the next FIM specification
 tcgDir=/boot/tcg/cert/platform/
 mkdir -p $tcgDir;  # Create the platform cert folder if its not there
@@ -34,7 +40,11 @@ fi
 cp  -f $allCompJson /opt/paccor/scripts/$hwlist ;
 
 # Step 3: Copy the platform cert to tcg folder on boot drive
-pushd /HIRS/.ci/system-tests/profiles/$profile/$test/platformcerts/ > /dev/null
+#      a: See if test specific swidtag folder exists, if not use the defualt folder
+if [[ ! -d $pcDir ]]; then
+    pcDir=$profileDir/default/platformcerts;
+fi
+pushd $pcDir > /dev/null
 # Skip copy of platform cert if .gitigore exists (empty profile)
 if [[ ! -f ".gitignore" ]]; then
     for cert in * ; do

.ci/system-tests/container/rim_setup.sh

@@ -1,40 +1,61 @@
 #!/bin/bash
 #########################################################################################
 #   Setup for PC Client Reference Integrity Manifest (RIM) tests
-#
+#   usage rim_setup.sh <profile> <test> <option>
+#   use "clear" option to clear existing TPM PCR values
 #########################################################################################
 
 profile=$1
 test=$2
+options=$3
 tcgDir="/boot/tcg"
-testDir="/HIRS/.ci/system-tests/profiles/$profile/$test"
 propFile="/etc/hirs/tcg_boot.properties";
+profileDir="/HIRS/.ci/system-tests/profiles/$profile"
+defaultDir="$profileDir/default"
+testDir="/HIRS/.ci/system-tests/profiles/$profile/$test"
 eventLog="$testDir"/"$profile"_"$test"_binary_bios_measurements
+swidDir="$testDir/swidtags"
+rimDir="$testDir/rims"
+pcrScript="$testDir/"$profile"_"$test"_setpcrs.sh"
 
+source /HIRS/.ci/setup/container/tpm2_common.sh
+
+echo "Test is using RIM files from $profile : $test"
+
+# Make sure TCG defined RIM folders exist and are cleared out
 mkdir -p $tcgDir/manifest/rim/;  # Create the platform cert folder if its not there
-rm -f $tcgDir/manifest/rim/*;   # clear out any previous data
+rm -f $tcgDir/manifest/rim/*;    # clear out any previous data
 
 mkdir -p $tcgDir/manifest/swidtag/;  # Create the platform cert folder if its not there
 rm -f $tcgDir/manifest/swidtag/*;   # clear out any previous data
 
-echo "Test is using RIM files from $profile : $test"
+# Step 1: Update the tcg_boot.properties to use test specific binary_bios_measurement file
+#      a: if file does not exist in the test folder then use the default measurement file
+#      b: change the property file to point to the the test file
 
-# update tcg_boot.properties to use test specific binary_bios_measurement file
+if [[ ! -f "$eventLog" ]]; then
+    eventLog="$defaultDir"/"$profile"_default_binary_bios_measurements
+fi    
 sed -i "s:tcg.event.file=.*:tcg.event.file=$eventLog:g" "$propFile"
-
-#echo "Contents of $propFile after sed is $(cat $propFile)";
+#echo "eventLog used was  $eventLog"
 
 # Step 2: Copy Base RIM files to the TCG folder
-pushd $testDir/swidtags/ > /dev/null
-
+#      a: See if test specific swidtag folder exists, if not use the defualt folder
+if [[ ! -d $swidDir ]]; then
+    swidDir=$defaultDir/swidtags;
+fi
+pushd $swidDir > /dev/null
   if [[ ! -f ".gitignore" ]]; then
     for swidtag in * ; do
           cp -f $swidtag $tcgDir/manifest/swidtag/$swidtag;
     done
   fi
 popd > /dev/null
-# Step 3: Copy Support RIM files to the TCG folder
-pushd $testDir/rims/ > /dev/null
+# Step 3: Copy Support RIM files to the TCG folder in the same mannor
+if [[ ! -d $rimDir ]]; then 
+    rimDir=$defaultDir/rims;
+fi
+pushd $rimDir > /dev/null
 
   if [[ ! -f ".gitignore" ]]; then
     for rim in * ; do
@@ -47,7 +68,18 @@ popd > /dev/null
 #  echo "Contents of tcg rim folder tcgDir/manifest/rim/: $(ls $tcgDir/manifest/rim/)"
 
 #Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file
-sh $testDir/"$profile"_"$test"_setpcrs.sh
+#     a: Clear the TPM PCR registers vi a call to the tss clear 
+#     b: Check if a test specific setpcr.sh file exists. If not use the profiles default script
+
+if [[ $options == "clear" ]]; then
+   resetTpm2Emulator
+fi
+
+if [[ ! -f $pcrScript ]]; then
+    pcrScript="$profileDir/default/"$profile"_default_setpcrs.sh"
+fi
+sh $pcrScript;
+#echo "PCR script was $pcrScript"
 #tpm2_pcrlist -g sha256 
 
-# Done with rim_setup 
+# Done with rim_setup

.ci/system-tests/profiles/laptop/badOemInstall/swidtags/laptop_badOemInstall_oem.1.swidtag

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="false" tagId="hirs.swid.SwidTags.dell5580.oem" tagVersion="1" version="0.1" versionScheme="multipartnumeric" xml:lang="en">
+  <Entity name="OEM1" regid="www.example.com" role="softwareCreator tagCreator"/>
+  <Link href="https://Example.com/support/ProductA/firmware/installfiles" rel="installationmedia"/>
+  <Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580"/>
+  <Payload>
+    <Directory name="/boot/tcg/rim/support">
+      <File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="103309beb735da6cc95b9ad7d7e4b25c7d2e510eab945424af533ee46096d678" name="dell5580_varOSInstall_oem.1.rimel" size="17569"/>
+    </Directory>
+  </Payload>
+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+    <SignedInfo>
+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <Reference URI="">
+        <Transforms>
+          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </Transforms>
+        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <DigestValue>yoxwnTQu9jI+5TSG6c2hR/xI2rpxzGA5f9fu6bq7KD0=</DigestValue>
+      </Reference>
+    </SignedInfo>
+    <SignatureValue>NUxJ8hcDDSvneXnwxCLHSbBa7hTs4MsuQDQI7/arITl3vMAYPYgmWI7uvKNqhdSvs4fzG5c5GZ+q
+boe/0Lh7gkeX6rl12nxe6ormoRFqK6vuCxQLtSgyHAsoh4mI5evxMS9oijucJHJNOeVP1y2g9x+P
+lfgyYJjvU6f1X6Zv4C4Qb3JrzB1vZaYbJNJD3tEMnvGPjh5X1FtMYkFldhM9jYf7PAHy8QJHh8x+
+b16n+OgE2pEOUGH/I+7xuk+fFtl+DYYSn8f9vwwqIRspXqTBI4uWoFu1xozw+yAPf7bKMYgQ1KYP
+PvBgcXHR5UZWmfJdDDF09GWwkCh9EF+Wpmj3Bw==</SignatureValue>
+    <KeyInfo>
+      <KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
+      <KeyValue>
+        <RSAKeyValue>
+          <Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
+xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
+dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
+otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
+jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
+          <Exponent>AQAB</Exponent>
+        </RSAKeyValue>
+      </KeyValue>
+    </KeyInfo>
+  </Signature>
+</SoftwareIdentity>

.ci/system-tests/profiles/laptop/badOemInstall/swidtags/laptop_badOemInstall_var.1.swidtag

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="true" tagId="hirs.swid.SwidTags.dell5580.var" tagVersion="1" version="0.1" xml:lang="en">
+  <Entity name="VAR1" regid="www.example.com" role="softwareCreator tagCreator"/>
+  <Link href="hirs.swid.SwidTags.dell5580.oem" rel="requires"/>
+  <Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580" rim:rimLinkHash="4Jocgla7QhDNd0Fs+nDfBUTLQsltTgd6Yob5ChlDg74="/>
+  <Payload>
+    <Directory name="/boot/tcg/rim/support">
+      <File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="aad27380fa51f42130057cdc524f16da3e5cd959a59fc2b3574470069b95a15e" name="dell5580_varOSInstall_var.1.rimel" size="2613"/>
+    </Directory>
+  </Payload>
+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+    <SignedInfo>
+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <Reference URI="">
+        <Transforms>
+          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </Transforms>
+        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <DigestValue>F5FruNNKqjgKSP6BOF7YUaBs9dSN8+HnYdpuYoBSWF8=</DigestValue>
+      </Reference>
+    </SignedInfo>
+    <SignatureValue>mXABBSi1haZdZZKg3OzdaLi0jZFp0A78YmFqMtaTdSTNBI/xwrzy1rIIdEc7JWqy5emAcfr2abgc
+4AgOIkmcJgYD8AECcmWVloANi7uT03l4e4FMVmDL8l/Cu/93yt/+5MJeWcu3HQvwbIPkYqOqXTNu
+kWVvLr8KG0v42t+TRn38O1+EDGwHlDL/705SYZwvNP12Z7+b7FKizUisn5WZC77mzJ1/9m49aiqn
+mqf56NxmHuA3uhFShfjaIwoljWVLDCt3/fkrM9WSsk3tX7c8g+QhKn4ygqiMn7gI48HH0PGbbA5q
+mg5c9Farqs0mbGR4WTvXjXioSFV5NYkcdoFfmQ==</SignatureValue>
+    <KeyInfo>
+      <KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
+      <KeyValue>
+        <RSAKeyValue>
+          <Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
+xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
+dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
+otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
+jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
+          <Exponent>AQAB</Exponent>
+        </RSAKeyValue>
+      </KeyValue>
+    </KeyInfo>
+  </Signature>
+</SoftwareIdentity>

.ci/system-tests/profiles/laptop/badVarInstall/swidtags/laptop_badVarInstall_oem.1.swidtag

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="false" tagId="hirs.swid.SwidTags.dell5580.oem" tagVersion="1" version="0.1" versionScheme="multipartnumeric" xml:lang="en">
+  <Entity name="OEM1" regid="www.example.com" role="softwareCreator tagCreator"/>
+  <Link href="https://Example.com/support/ProductA/firmware/installfiles" rel="installationmedia"/>
+  <Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580"/>
+  <Payload>
+    <Directory name="/boot/tcg/rim/support">
+      <File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="a1704e9cd5727c5429d16bc2829e2890aa358c59b4f3d2e191c3eaa751520ce8" name="dell5580_varOSInstall_oem.1.rimel" size="17569"/>
+    </Directory>
+  </Payload>
+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+    <SignedInfo>
+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <Reference URI="">
+        <Transforms>
+          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </Transforms>
+        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <DigestValue>YwIGXKSKuII5sXcCa9fcwU6kr7u6HwTYHp58jfPJ5ic=</DigestValue>
+      </Reference>
+    </SignedInfo>
+    <SignatureValue>KiCrZx3Pe//AJv97y9a7/APfNB24AWhOMvd4mcxPzMdkz7XEKvi93CWHqvGXmzoLthHwy6O6pPEO
+2vl8fgt8URZdx7FGRWNZMmOep91KsVvTnm64//BU+/4yvwvDSGwnDrZOWugeDYg8G+hAnVY/KFMb
+WM+pyND8K6Qw0HkIDh3iitk/luE2TElGNZEx30VUa/5W4DxL2NYPMlquJYD4nZorqU/uEpSo2HED
+T7qF9UV5tJWnrOclJH7DkCy/b1u+mcxmjfRmRemwBUHS3bbG11prgLwTMvV5jYJnDct+O/mc7CF3
+X0DP//wO4qziqK04kXLPZewB1wD2zknM35hORw==</SignatureValue>
+    <KeyInfo>
+      <KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
+      <KeyValue>
+        <RSAKeyValue>
+          <Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
+xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
+dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
+otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
+jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
+          <Exponent>AQAB</Exponent>
+        </RSAKeyValue>
+      </KeyValue>
+    </KeyInfo>
+  </Signature>
+</SoftwareIdentity>

.ci/system-tests/profiles/laptop/badVarInstall/swidtags/laptop_badVarInstall_var.1.swidtag

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="true" tagId="hirs.swid.SwidTags.dell5580.var" tagVersion="1" version="0.1" xml:lang="en">
+  <Entity name="VAR1" regid="www.example.com" role="softwareCreator tagCreator"/>
+  <Link href="hirs.swid.SwidTags.dell5580.oem" rel="requires"/>
+  <Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580" rim:rimLinkHash="4Jocgla7QhDNd0Fs+nDfBUTLQsltTgd6Yob5ChlDg74="/>
+  <Payload>
+    <Directory name="/boot/tcg/rim/support">
+      <File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="d83a6208cc647e6bf42ecfd8bf559d6c7845d352f1e05ca90ffc3048fad1509e" name="dell5580_varOSInstall_var.1.rimel" size="2613"/>
+    </Directory>
+  </Payload>
+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+    <SignedInfo>
+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <Reference URI="">
+        <Transforms>
+          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </Transforms>
+        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <DigestValue>jRkKkYQ4oDpP/H6AEj1/xwE1mI65v6jmAHIZFtSrO0Y=</DigestValue>
+      </Reference>
+    </SignedInfo>
+    <SignatureValue>h3bDGaljFAoof24cyU/L/ln3I419ov5iYm/I6Fvn4MHu7xfS85dSARkHarXn8yjegUSGrcGpCMbV
+qAjZYK0Ljq95JETlVLc46/dAM98c/LOhE3WqcqMSvv7gMdOn2IsoRXfnUAnYNd7jGxnxlyGqS0UN
+XDFXOi4rGY1km2DFGT7QHCRswy3GHhoPY8IocdrhaIN98aNFSEDzeLwIl8AtJHDmSEsmgxUCDMEL
+1RvAbX1Fvjt6FE9gWbo/EY/Oj9cSNS+QXJR2CjEmsNe9KxUAMWVNpQJlXfGFZ2mJvjGmhKxfYYHN
+EOb+D341sGCP4/TPH3wEQuTyQN4c/yNxwsIxpg==</SignatureValue>
+    <KeyInfo>
+      <KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
+      <KeyValue>
+        <RSAKeyValue>
+          <Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
+xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
+dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
+otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
+jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
+          <Exponent>AQAB</Exponent>
+        </RSAKeyValue>
+      </KeyValue>
+    </KeyInfo>
+  </Signature>
+</SoftwareIdentity>

.ci/system-tests/profiles/laptop/varOsInstall/swidtags/laptop_varOsInstall_oem.1.swidtag

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="false" tagId="hirs.swid.SwidTags.dell5580.oem" tagVersion="1" version="0.1" versionScheme="multipartnumeric" xml:lang="en">
+  <Entity name="OEM1" regid="www.example.com" role="softwareCreator tagCreator"/>
+  <Link href="https://Example.com/support/ProductA/firmware/installfiles" rel="installationmedia"/>
+  <Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580"/>
+  <Payload>
+    <Directory name="/boot/tcg/rim/support">
+      <File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="a1704e9cd5727c5429d16bc2829e2890aa358c59b4f3d2e191c3eaa751520ce8" name="dell5580_varOSInstall_oem.1.rimel" size="17569"/>
+    </Directory>
+  </Payload>
+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+    <SignedInfo>
+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <Reference URI="">
+        <Transforms>
+          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </Transforms>
+        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <DigestValue>YwIGXKSKuII5sXcCa9fcwU6kr7u6HwTYHp58jfPJ5ic=</DigestValue>
+      </Reference>
+    </SignedInfo>
+    <SignatureValue>KiCrZx3Pe//AJv97y9a7/APfNB24AWhOMvd4mcxPzMdkz7XEKvi93CWHqvGXmzoLthHwy6O6pPEO
+2vl8fgt8URZdx7FGRWNZMmOep91KsVvTnm64//BU+/4yvwvDSGwnDrZOWugeDYg8G+hAnVY/KFMb
+WM+pyND8K6Qw0HkIDh3iitk/luE2TElGNZEx30VUa/5W4DxL2NYPMlquJYD4nZorqU/uEpSo2HED
+T7qF9UV5tJWnrOclJH7DkCy/b1u+mcxmjfRmRemwBUHS3bbG11prgLwTMvV5jYJnDct+O/mc7CF3
+X0DP//wO4qziqK04kXLPZewB1wD2zknM35hORw==</SignatureValue>
+    <KeyInfo>
+      <KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
+      <KeyValue>
+        <RSAKeyValue>
+          <Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
+xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
+dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
+otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
+jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
+          <Exponent>AQAB</Exponent>
+        </RSAKeyValue>
+      </KeyValue>
+    </KeyInfo>
+  </Signature>
+</SoftwareIdentity>

.ci/system-tests/profiles/laptop/varOsInstall/swidtags/laptop_varOsInstall_var.1.swidtag

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="true" tagId="hirs.swid.SwidTags.dell5580.var" tagVersion="1" version="0.1" xml:lang="en">
+  <Entity name="VAR1" regid="www.example.com" role="softwareCreator tagCreator"/>
+  <Link href="hirs.swid.SwidTags.dell5580.oem" rel="requires"/>
+  <Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580" rim:rimLinkHash="4Jocgla7QhDNd0Fs+nDfBUTLQsltTgd6Yob5ChlDg74="/>
+  <Payload>
+    <Directory name="/boot/tcg/rim/support">
+      <File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="aad27380fa51f42130057cdc524f16da3e5cd959a59fc2b3574470069b95a15e" name="dell5580_varOSInstall_var.1.rimel" size="2613"/>
+    </Directory>
+  </Payload>
+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+    <SignedInfo>
+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <Reference URI="">
+        <Transforms>
+          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </Transforms>
+        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <DigestValue>F5FruNNKqjgKSP6BOF7YUaBs9dSN8+HnYdpuYoBSWF8=</DigestValue>
+      </Reference>
+    </SignedInfo>
+    <SignatureValue>mXABBSi1haZdZZKg3OzdaLi0jZFp0A78YmFqMtaTdSTNBI/xwrzy1rIIdEc7JWqy5emAcfr2abgc
+4AgOIkmcJgYD8AECcmWVloANi7uT03l4e4FMVmDL8l/Cu/93yt/+5MJeWcu3HQvwbIPkYqOqXTNu
+kWVvLr8KG0v42t+TRn38O1+EDGwHlDL/705SYZwvNP12Z7+b7FKizUisn5WZC77mzJ1/9m49aiqn
+mqf56NxmHuA3uhFShfjaIwoljWVLDCt3/fkrM9WSsk3tX7c8g+QhKn4ygqiMn7gI48HH0PGbbA5q
+mg5c9Farqs0mbGR4WTvXjXioSFV5NYkcdoFfmQ==</SignatureValue>
+    <KeyInfo>
+      <KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
+      <KeyValue>
+        <RSAKeyValue>
+          <Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
+xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
+dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
+otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
+jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
+          <Exponent>AQAB</Exponent>
+        </RSAKeyValue>
+      </KeyValue>
+    </KeyInfo>
+  </Signature>
+</SoftwareIdentity>

.ci/system-tests/run_system_tests.sh

@@ -16,7 +16,7 @@ set -a
 
 echo "********  Setting up for HIRS System Tests for TPM 2.0 ******** "
 
-# expand dmi files for mounting to the provisioner containers
+# Expand linux dmi files to mount to the provisioner container to simulate device component
 unzip -q .ci/system-tests/profiles/laptop/laptop_dmi.zip -d .ci/system-tests/profiles/laptop/
 # Start System Testing Docker Environment
 pushd .ci/docker > /dev/null
@@ -31,14 +31,14 @@ echo "ACA Container info: $(checkContainerStatus $aca_container)";
 echo "TPM2 Provisioner Container info: $(checkContainerStatus $tpm2_container)";
 
 # Install HIRS provioner and setup tpm2 emulator
-docker exec $tpm2_container /HIRS/.ci/setup/setup_tpm2provisioner.sh
+docker exec $tpm2_container /HIRS/.ci/setup/container/setup_tpm2provisioner.sh
 
 # ********* Execute system tests here, add tests as needed ************* 
 echo "******** Setup Complete Begin HIRS System Tests ******** "
 
-source aca_policy_tests.sh
-source platform_cert_tests.sh
-
+source tests/aca_policy_tests.sh
+source tests/platform_cert_tests.sh
+source tests/rim_system_tests.sh
 
 echo "******** HIRS System Tests Complete ******** "
 
@@ -52,7 +52,6 @@ docker exec $tpm2_container mkdir -p /HIRS/logs/provisioner/;
 docker exec $tpm2_container cp -a /var/log/hirs/provisioner/. /HIRS/logs/provisioner/;
 docker exec $tpm2_container chmod -R 777 /HIRS/logs/;
 
-# Display container log
 echo ""
 echo "===========HIRS Tests and Log collection complete ==========="
 
@@ -61,7 +60,7 @@ echo "End of System Tests for TPM 2.0, cleaning up..."
 echo ""
 # Clean up services and network
 popd > /dev/null
-pushd .ci/docker
+pushd .ci/docker > /dev/null
 docker-compose -f docker-compose-system-test.yml down -v
 popd > /dev/null
 # Clean up dangling containers

.ci/system-tests/sys_test_common.sh

@@ -43,7 +43,7 @@ docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy
 
 setPolicyEkPcFw() {
 docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
-           enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
+           enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;"
 }
 
 # Clear all ACA DB items including policy
@@ -107,7 +107,7 @@ setPlatformCerts() {
 # Places RIM files held in the test folder in the provisioners tcg folder
 # setRims <profile> <test>
 setRims() {
-docker exec $tpm2_container sh /HIRS/.ci/system-tests/container/rim_setup.sh $1 $2 
+docker exec $tpm2_container sh /HIRS/.ci/system-tests/container/rim_setup.sh $1 $2 $3
 #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
 }
 

.ci/system-tests/tests/aca_policy_tests.sh

@@ -8,7 +8,7 @@ totalTests=0;
 failedTests=0;
 
 # Start ACA Policy Tests
-# provision_tpm takes 1 parameter (the expected result): "pass" or "fail"
+# provisionTpm2 takes 1 parameter (the expected result): "pass" or "fail"
 
 writeToLogs "### ACA POLICY TEST 1: Test ACA default policy  ###"
 setPlatformCerts "laptop" "empty"
@@ -39,7 +39,7 @@ provisionTpm2 "pass"
 
 writeToLogs "### ACA POLICY TEST 7: Test PC with RIM Validation Policy with valid PC and RIM ###"
 setPolicyEkPcFw
-setRims "laptop" "default"
+setRims "laptop" "default" "none"
 provisionTpm2 "pass"
 
 #  Process Test Results, any single failure will send back a failed result.

.ci/system-tests/tests/platform_cert_tests.sh

@@ -8,7 +8,7 @@ totalTests=0;
 failedTests=0;
 
 # Start ACA Platform Certificate Tests
-# provision_tpm takes 1 parameter (the expected result): "pass" or "fail"
+# provisionTpm2 takes 1 parameter (the expected result): "pass" or "fail"
 # Note that the aca_policy_tests have already run several Platform Certificate system tests
 
 writeToLogs "### ACA PLATFORM CERTIFICATE TEST 1: Test a delta Platform Certificate that adds a new memory component ###"

.ci/system-tests/tests/rim_system_tests.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+#########################################################################################
+#    HIRS Reference Integrity Manifest System Tests
+#
+#########################################################################################
+testResult=false
+totalTests=0;
+failedTests=0;
+
+# Start ACA Reference Integrity Manifest Tests
+# provisionTpm2 takes 1 parameter (the expected result): "pass" or "fail"
+# Note that the aca_policy_tests have already run several RIM system tests
+
+writeToLogs "### ACA RIM TEST 1: Test a RIM from an OEM and a Supplemental RIM from a VAR ###"
+clearAcaDb
+uploadTrustedCerts
+setPolicyEkPcFw
+setPlatformCerts "laptop" "varOsInstall"
+setRims "laptop" "varOsInstall" "clear"
+provisionTpm2 "pass"
+
+writeToLogs "### ACA RIM TEST 2: Test a RIM from an OEM with a bad reference measurement and a Supplemental RIM from a VAR ###"
+clearAcaDb
+uploadTrustedCerts
+setPolicyEkPcFw
+setPlatformCerts "laptop" "badOemInstall"
+setRims "laptop" "badOemInstall" "clear"
+provisionTpm2 "fail"
+
+writeToLogs "### ACA RIM TEST 3: Test a RIM from an OEM and a Supplemental RIM from a VAR with a bad reference measurement ###"
+clearAcaDb
+uploadTrustedCerts
+setPolicyEkPcFw
+setPlatformCerts "laptop" "badVarInstall"
+setRims "laptop" "badVarInstall" "clear"
+provisionTpm2 "fail"
+
+#  Process Test Results, any single failure will send back a failed result.
+if [[ $failedTests != 0 ]]; then
+    export TEST_STATUS=1;
+    echo "****  $failedTests out of $totalTests ACA RIM Tests Failed! ****"
+  else
+    echo "****  $totalTests ACA RIM Tests Passed! ****"
+fi