set ima policy for fw validation

added tpm clear testing tpm clear testing tpm clear testing tpm clear testing tpm clear testing tpm clear update ibmtss
2025-04-14 14:36:51 +00:00 · 2022-02-03 18:52:12 -05:00 · 2022-02-03 18:52:12 -05:00 · 9100206cc3
commit 9100206cc3
parent 212007c971
3 changed files with 12 additions and 5 deletions
--- a/.ci/setup/setup_tpm2provisioner.sh
+++ b/.ci/setup/setup_tpm2provisioner.sh
@ -24,8 +24,8 @@ function setTpmPcrValues {
  mkdir /ibmtss
  pushd /ibmtss  > /dev/null
    echo "Installing IBM TSS to set the TPM simulator intial values correctly..."
-    wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.5.0.tar.gz > /dev/null
-    tar -zxvf ibmtss1.5.0.tar.gz > /dev/null
+    wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.6.0.tar.gz > /dev/null
+    tar -zxvf ibmtss1.6.0.tar.gz > /dev/null
    cd utils
    make -f makefiletpmc > /dev/null
    cd ../utils
--- a/.ci/system-tests/container/rim_setup.sh
+++ b/.ci/system-tests/container/rim_setup.sh
@ -64,12 +64,19 @@ popd > /dev/null
  echo "Contents of tcg rim folder tcgDir/manifest/rim/: $(ls $tcgDir/manifest/rim/)"

 #Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file
-#     a: Check if a test specific setpcr.sh file exists. If not use the profiles default script
+#     a: Clear the TPM PCR registers vi a call to the tss clear 
+#     b: Check if a test specific setpcr.sh file exists. If not use the profiles default script
+pushd /ibmtss/utils/
+echo "accessing the ibmtss"
+./pcrreset -ha 16
+echo "attemping to clear PCRs"
+popd
+
 if [[ ! -f $pcrScript ]]; then
    pcrScript="$profileDir/default/"$profile"_default_setpcrs.sh"
 fi
 sh $pcrScript;
 echo "PCR script was $pcrScript"
-#tpm2_pcrlist -g sha256 
+tpm2_pcrlist -g sha256 

 # Done with rim_setup
--- a/.ci/system-tests/sys_test_common.sh
+++ b/.ci/system-tests/sys_test_common.sh
@ -43,7 +43,7 @@ docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy

 setPolicyEkPcFw() {
 docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
-           enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
+           enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;"
 }

 # Clear all ACA DB items including policy