diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java
index da86554f..2b788c7c 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java
@@ -20,6 +20,9 @@ import java.security.cert.CertificateException;
 import java.util.Collection;
 import java.util.LinkedHashMap;
+import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILE_NORMAL;
+import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILE_NOT_ACCESSIBLE;
+
 /**
 * Class for handling different formats of TCG Event logs.
 */
@@ -82,6 +85,9 @@ public final class TCGEventLog {
 * */
 @Getter
 private boolean bVendorTableFileInaccessbile = false;
+ /** Track status of vendor-table.json */
+ @Getter
+ private String bVendorTableFileStatus = FILE_NORMAL;
 /**
 * Default blank object constructor.
@@ -155,6 +161,9 @@ public final class TCGEventLog {
 if(eventList.get(eventNumber-1).isBVendorTableFileInaccessbile()) {
 bVendorTableFileInaccessbile = true;
 }
+ if(eventList.get(eventNumber-1).getBVendorTableFileStatus() == FILE_NOT_ACCESSIBLE) {
+ bVendorTableFileStatus = FILE_NOT_ACCESSIBLE;
+ }
 }
 calculatePcrValues();
 }
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java
index 407b681a..89d4a12f 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java
@@ -33,6 +33,9 @@ import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.util.Arrays;
+import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILE_NORMAL;
+import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILE_NOT_ACCESSIBLE;
+
 /**
 * Class to process a TCG_PCR_EVENT.
 * TCG_PCR_EVENT is used when the Event log uses the SHA1 Format as described in the
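Review bot: The new field `bVendorTableFileStatus` in the hunk at line 85 is a String, yet it keeps the `b` prefix that `bVendorTableFileInaccessbile` uses for a boolean, so the generated getter `getBVendorTableFileStatus()` reads as if it returned a flag. Naming it `vendorTableFileStatus` (getter `getVendorTableFileStatus()`) would avoid that; the same field is added in TpmPcrEvent, UefiSignatureList and UefiVariable in this commit. The Javadoc could also name the legal values, e.g. `/** Status of the vendor-table.json lookup: one of UefiConstants.FILE_NORMAL, FILE_NOT_ACCESSIBLE or FILE_FROM_CODE_USED. */`. Note that the initial value FILE_NORMAL is also what an object reports before any lookup has happened, so callers presumably cannot distinguish "checked and fine" from "never checked".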
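Review bot: `getBVendorTableFileStatus() == FILE_NOT_ACCESSIBLE` in the hunk at line 161 compares String references, not contents; it passes today only because both sides are the same compile-time constant, and it will silently fail for any status value built at runtime (concatenated, read from a file, deserialized). Use `FILE_NOT_ACCESSIBLE.equals(eventList.get(eventNumber-1).getBVendorTableFileStatus())`, or make the status an enum so that `==` is the correct comparison. The same comparison appears in TpmPcrEvent at 523, 533 and 569, in UefiVariable at 162 and in Main at 130. Only FILE_NOT_ACCESSIBLE is propagated here, so an event reporting FILE_FROM_CODE_USED leaves the log's status at FILE_NORMAL; that may be intended, since nothing in this diff assigns that value. The enclosing loop and method continue outside the hunk.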
@@ -122,6 +125,9 @@ public class TpmPcrEvent {
 * */
 @Getter
 private boolean bVendorTableFileInaccessbile = false;
+ /** Track status of vendor-table.json */
+ @Getter
+ private String bVendorTableFileStatus = FILE_NORMAL;
 /**
 * Constructor.
@@ -517,6 +523,9 @@ public class TpmPcrEvent {
 if(efiVar.isBVendorTableFileInaccessbile()) {
 bVendorTableFileInaccessbile = true;
 }
+ if(efiVar.getBVendorTableFileStatus() == FILE_NOT_ACCESSIBLE) {
+ bVendorTableFileStatus = FILE_NOT_ACCESSIBLE;
+ }
 break;
 case EvConstants.EV_EFI_VARIABLE_BOOT:
 UefiVariable efiVarBoot = new UefiVariable(content);
@@ -524,6 +533,9 @@ public class TpmPcrEvent {
 if(efiVarBoot.isBVendorTableFileInaccessbile()) {
 bVendorTableFileInaccessbile = true;
 }
+ if(efiVarBoot.getBVendorTableFileStatus() == FILE_NOT_ACCESSIBLE) {
+ bVendorTableFileStatus = FILE_NOT_ACCESSIBLE;
+ }
 break;
 case EvConstants.EV_EFI_BOOT_SERVICES_APPLICATION:
 EvEfiBootServicesApp bootServices = new EvEfiBootServicesApp(content);
@@ -557,6 +569,9 @@ public class TpmPcrEvent {
 if(efiVarAuth.isBVendorTableFileInaccessbile()) {
 bVendorTableFileInaccessbile = true;
 }
+ if(efiVarAuth.getBVendorTableFileStatus() == FILE_NOT_ACCESSIBLE) {
+ bVendorTableFileStatus = FILE_NOT_ACCESSIBLE;
+ }
 break;
 case EvConstants.EV_EFI_SPDM_FIRMWARE_BLOB:
 description += "Event Content:\n" + new EvEfiSpdmFirmwareBlob(content).toString();
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiConstants.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiConstants.java
index 8e1f9dc7..a30dc00a 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiConstants.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiConstants.java
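Review bot: The three-line status propagation block is copied verbatim for `efiVar`, `efiVarBoot` and `efiVarAuth` in the hunks at 523, 533 and 569, directly under the boolean block that was already duplicated the same way. If all three variables are `UefiVariable` (only `efiVarBoot` is declared inside these hunks, so this is inferred), a private helper such as `private void absorbVendorTableStatus(UefiVariable var)` holding both the boolean and the status check would leave a single place to fix when the comparison or the set of status values changes. The switch and its enclosing method start and end outside these hunks.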
@@ -271,4 +271,19 @@ public final class UefiConstants {
 * standard UEFI partition table lengh.
 */
 public static final int UEFI_PT_LENGTH = 72;
+ /**
+ * file status, where file was successfully found on local machine
+ */
+ public static final String FILE_NORMAL = "fileNormal";
+ /**
+ * file status, where file is not accessible
+ */
+ public static final String FILE_NOT_ACCESSIBLE = "fileNotAccessible";
+ /**
+ * file status, where file was not found on the local machine,
+ * and so file from the code was used.
+ * For instance, if vendor-table.json is not found in /etc/hirs/aca/default-properties/,
+ * it will be grabbed from code at HIRS_AttestationCA/src/main/resources/.
+ */
+ public static final String FILE_FROM_CODE_USED = "fileFromCodeUsed";
 }
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java
index ebc8f63d..64fdf62d 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java
@@ -9,6 +9,9 @@ import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
+import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILE_NORMAL;
+import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILE_NOT_ACCESSIBLE;
+
 /**
 * Class for processing the contents of a Secure Boot DB or DBX contents.
 * used for EFIVariables associated with Secure Boot
@@ -74,6 +77,9 @@ public class UefiSignatureList {
 * */
 @Getter
 private boolean bVendorTableFileInaccessbile = false;
+ /** Track status of vendor-table.json */
+ @Getter
+ private String bVendorTableFileStatus = FILE_NORMAL;
 /**
 * UefiSignatureList constructor.
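Review bot: The three FILE_* values added at line 271 form a closed set of states but are declared as String constants, which is what leaves every consumer choosing between `==` and `equals`; a nested `enum FileStatus { NORMAL, NOT_ACCESSIBLE, FROM_CODE_USED }` would give the new fields a real type, make `==` correct and let a switch over the status be exhaustive. FILE_FROM_CODE_USED is declared and documented here but no hunk in this commit assigns or checks it, so either the assignment is missing from the patch or the constant is ahead of its use; a short Javadoc note on where it is set would help either way. The Javadoc for it hard-codes the lookup paths `/etc/hirs/aca/default-properties/` and `HIRS_AttestationCA/src/main/resources/`; if those paths are configured elsewhere, pointing at that configuration instead keeps the comment from going stale.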
@@ -121,6 +127,7 @@ public class UefiSignatureList {
 signatureType = new UefiGuid(guid);
 if(signatureType.isVendorTableReferenceHandleEmpty()) {
 bVendorTableFileInaccessbile = true;
+ bVendorTableFileStatus = FILE_NOT_ACCESSIBLE;
 }
 // if signatureType is invalid, don't even process any of the data
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java
index ca159cdc..05b4dd17 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java
@@ -12,6 +12,9 @@ import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.List;
+import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILE_NORMAL;
+import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILE_NOT_ACCESSIBLE;
+
 /**
 * Class to process a UEFI variable within a TPM Event.
 * typedef struct tdUEFI_VARIABLE_DATA{
@@ -68,6 +71,9 @@ public class UefiVariable {
 * */
 @Getter
 private boolean bVendorTableFileInaccessbile = false;
+ /** Track status of vendor-table.json */
+ @Getter
+ private String bVendorTableFileStatus = FILE_NORMAL;
 /**
 * EFIVariable constructor.
@@ -156,6 +162,9 @@ public class UefiVariable {
 if(list.isBVendorTableFileInaccessbile()) {
 bVendorTableFileInaccessbile = true;
 }
+ if(list.getBVendorTableFileStatus() == FILE_NOT_ACCESSIBLE) {
+ bVendorTableFileStatus = FILE_NOT_ACCESSIBLE;
+ }
 if(!list.isSignatureTypeValid()) {
 invalidSignatureListEncountered = true;
 invalidSignatureListStatus = list.toString();
diff --git a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java
index ce49ccf6..9b2f2fa7 100644
--- a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java
+++ b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java
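Review bot: The hunk at line 127 now records the same fact twice, `bVendorTableFileInaccessbile = true` and `bVendorTableFileStatus = FILE_NOT_ACCESSIBLE`, and every consumer in this commit then checks both, so the two fields can only drift apart. If the String status is meant to replace the boolean, the boolean getter could be derived from it until callers migrate, e.g. `public boolean isBVendorTableFileInaccessbile() { return FILE_NOT_ACCESSIBLE.equals(bVendorTableFileStatus); }` in place of the `@Getter`-generated one, with the assignment on the boolean dropped. The enclosing method starts and ends outside the hunk.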
@@ -16,6 +16,8 @@ import hirs.utils.tpm.eventlog.TCGEventLog;
 import hirs.utils.tpm.eventlog.TpmPcrEvent;
 import hirs.utils.HexUtils;
+import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILE_NOT_ACCESSIBLE;
+
 /**
 * Command-line application for processing TCG Event Logs.
 * Input arg: path to *.tcglp file
@@ -128,6 +130,9 @@ final class Main {
 + evLog.getEventList().size() + " events:\n\n");
 }
 if (evLog.isBVendorTableFileInaccessbile()) {
+ writeOut("*** remove this.\n\n");
+ }
+ if (evLog.getBVendorTableFileStatus() == FILE_NOT_ACCESSIBLE) {
 writeOut("*** WARNING: The file vendor-table.json file was not accessible so data "
 + "in some Secure Boot PCR 7 events cannot be processed.\n\n");
 }
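Review bot: `writeOut("*** remove this.\n\n");` in the hunk at line 130 is a placeholder left inside the old `isBVendorTableFileInaccessbile()` branch, and it will be printed to every operator whose vendor-table.json is inaccessible, right next to the real warning. Either delete that `if` block now that the status check below carries the PCR 7 warning, or leave the old branch untouched until the boolean itself is removed; a shipped "remove this" line is not an option either way. If the intent is the first, the three added lines collapse to the single `if (...)` on the status and the old condition goes away with it. The enclosing method starts and ends outside the hunk.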