fixed Device Policy & Authority output with current (limited) test data

iadgovuser58 2024-08-05 18:23:50 -04:00
parent 19716d5819
commit 92042f8698
5 changed files with 96 additions and 37 deletions


@ -1,8 +1,6 @@
package hirs.utils.tpm.eventlog.events;
import hirs.utils.HexUtils;
import hirs.utils.tpm.eventlog.uefi.UefiConstants;
import java.nio.charset.StandardCharsets;
@ -35,11 +33,6 @@ public class NvIndexInstanceEventLogData {
*/
private String signature = "";
/**
* Version.
*/
private String version = "";
/**
* Human-readable description of the data within this DEVICE_SECURITY_EVENT_DATA/..DATA2 event.
*/
@ -59,10 +52,12 @@ public class NvIndexInstanceEventLogData {
byte[] versionBytes = new byte[2];
System.arraycopy(eventData, 16, versionBytes, 0, 2);
String version = HexUtils.byteArrayToHexString(versionBytes);
if (version == "") {
version = "version not readable";
String nvIndexVersion = HexUtils.byteArrayToHexString(versionBytes);
if (nvIndexVersion == "") {
nvIndexVersion = "version not readable";
}
nvIndexInstanceInfo = " Nv Index Instance Signature = " + signature + "\n";
nvIndexInstanceInfo += " Nv Index Instance Version = " + nvIndexVersion + "\n";
// 6 bytes of Reserved data
@ -84,7 +79,7 @@ public class NvIndexInstanceEventLogData {
byte[] dsedEventData = new byte[dsedEventDataSize];
System.arraycopy(eventData, 24, dsedEventData, 0, dsedEventDataSize);
nvIndexInstanceInfo = " Signature = SPDM Device Sec2\n";
nvIndexInstanceInfo += " Signature = SPDM Device Sec2\n";
if (dsedVersion.equals("0200")) {
dsed = new DeviceSecurityEventData2(dsedEventData);
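Review bot: `if (nvIndexVersion == "")` in the version hunk compares references, not contents, so it is false for any String that HexUtils.byteArrayToHexString builds at runtime and the "version not readable" fallback is unreachable; this same commit already switches SpdmCertificateChain to isEmpty(), so this line should match: `if (nvIndexVersion.isEmpty()) {`. Since versionBytes is always two bytes, it is not clear from the hunk that the helper can ever return an empty string — if it cannot, the check is dead and can go. The enclosing method starts and ends outside the hunk.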


@ -1,19 +1,13 @@
package hirs.utils.tpm.eventlog.spdm;
import hirs.utils.HexUtils;
import hirs.utils.tpm.eventlog.events.DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock;
import hirs.utils.tpm.eventlog.uefi.UefiConstants;
import hirs.utils.tpm.eventlog.uefi.UefiSignatureData;
import hirs.utils.tpm.eventlog.uefi.UefiSignatureList;
import hirs.utils.tpm.eventlog.uefi.UefiX509Cert;
import lombok.Getter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
/**
@ -153,7 +147,7 @@ public class SpdmCertificateChain {
String spdmCertChainInfo = "";
if(spdmBaseHashAlgoError != "") {
if(!spdmBaseHashAlgoError.isEmpty()) {
spdmCertChainInfo += " *** ERROR with SPDM base hash algorithm size ***\n";
spdmCertChainInfo += " " + spdmBaseHashAlgoError + "\n";
spdmCertChainInfo += " Stopping processing of this cert chain\n";
@ -169,7 +163,7 @@ public class SpdmCertificateChain {
spdmCertChainInfo += cert.toString();
}
if (certProcessingError != "") {
if (!certProcessingError.isEmpty()) {
spdmCertChainInfo += " *** ERROR processing cert ***\n";
spdmCertChainInfo += " " + certProcessingError + "\n";
spdmCertChainInfo += " Stopping processing of this cert chain\n";
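Review bot: `if(!spdmBaseHashAlgoError.isEmpty())` in the second hunk drops the space after `if` that the matching `if (!certProcessingError.isEmpty())` in the third hunk keeps; `if (!spdmBaseHashAlgoError.isEmpty()) {` keeps the file consistent. Note that the old `!= ""` tolerated a null field (it would simply print "null") whereas isEmpty() throws on null, so it is worth confirming both fields are initialised to "" at declaration, which is outside these hunks. The enclosing method starts and ends outside the hunk.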


@ -73,8 +73,8 @@ public class UefiSignatureData {
*
* @param inputStream The Signature data.
* @param sigType UEFI defined signature type.
* @throws java.io.IOException if there's an problem reading the input stream.
* @throws java.security.cert.CertificateException If there a problem parsing the X509 certificate.
* @throws java.io.IOException if there's a problem reading the input stream.
* @throws java.security.cert.CertificateException If there's a problem parsing the X509 certificate.
* @throws java.security.NoSuchAlgorithmException if there's a problem hashing the certificate.
*/
UefiSignatureData(final ByteArrayInputStream inputStream, final UefiGuid sigType)


@ -34,9 +34,16 @@ import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILESTATUS_NOT_ACCESSIB
* // EFI_SIGNATURE_DATA Signatures[...][SignatureSize];
* } EFI_SIGNATURE_LIST;
*
* SignatureListHeader (contents common to any Signature Type)
* - SignatureType
* - SignatureListSize
* - SignatureHeaderSize
* - SignatureSize
* SignatureHeader (contents depend on the SignatureType)
* - The format of this header is specified by the SignatureType (SHA256, X509).
* Signatures[][] is an array of signatures.
* - Each signature is SignatureSize bytes in length.
* - The format of the signature is defined by SignatureType (SHA256, X509)
* - The format of the signature is defined by SignatureType (SHA256, X509).
*
* / |-------------------------| ------- SignatureType
* / | Signature List Header | SignatureListSize
@ -54,6 +61,7 @@ import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILESTATUS_NOT_ACCESSIB
* \ |-------------------------|
* \ | Signature #n |
* \ |-------------------------|
*
*/
public class UefiSignatureList {
/**
@ -85,7 +93,7 @@ public class UefiSignatureList {
/**
* Current status of Signature List data.
*/
private String dataStatus = "Signature List data validity is undetermined yet";
private String dataInvalidStatus = "Signature List data validity is undetermined yet";
/**
* Array List of Signature found in the list.
*/
@ -191,7 +199,7 @@ public class UefiSignatureList {
UefiSignatureData tmpSigData = new UefiSignatureData(efiSigDataIS, signatureType);
if (!tmpSigData.isValid()) {
dataValid = false;
dataStatus = tmpSigData.getStatus();
dataInvalidStatus = tmpSigData.getStatus();
break;
}
sigList.add(tmpSigData);
@ -213,7 +221,7 @@ public class UefiSignatureList {
UefiSignatureData tmpigData = new UefiSignatureData(sigDataIS, signatureType);
if (!tmpigData.isValid()) {
dataValid = false;
dataStatus = tmpigData.getStatus();
dataInvalidStatus = tmpigData.getStatus();
break;
}
sigList.add(tmpigData);
@ -265,7 +273,7 @@ public class UefiSignatureList {
sigInfo.append(certData.toString());
}
if (!dataValid) {
sigInfo.append(" *** Invalid UEFI Signature data encountered: " + dataStatus + "\n");
sigInfo.append(" *** Invalid UEFI Signature data encountered: " + dataInvalidStatus + "\n");
}
}
return sigInfo.toString();
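Review bot: The field renamed to `dataInvalidStatus` keeps its old Javadoc `Current status of Signature List data.`, which no longer describes it — within these hunks it is assigned only when a UefiSignatureData reports !isValid() and printed only when dataValid is false. Suggest `/** Status reported by the first invalid UefiSignatureData found in the list; only meaningful when dataValid is false. */`. The two parsing loops that assign it (tmpSigData / tmpigData) are near-duplicates that the rename touches but does not consolidate; both enclosing methods start and end outside their hunks.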


@ -75,6 +75,11 @@ public class UefiVariable {
@Getter
private String vendorTableFileStatus = FILESTATUS_FROM_FILESYSTEM;
/**
* Human-readable description of the data within the SPDM devdc (to be updated with more test data).
*/
String spdmDevdcInfo = "";
/**
* EFIVariable constructor.
* The UEFI_VARIABLE_DATA contains a "VariableName" field which is used to determine
@ -128,10 +133,16 @@ public class UefiVariable {
case "dbx":
processSigList(uefiVariableData);
break;
case "devdb": // Update when test patterns exist
break; // PFP v1.06 Rev 52, Sec 3.3.4.8
case "devdb":
processSigList(uefiVariableData);
break; // Update when test patterns exist
// PFP v1.06 Rev 52, Sec 3.3.4.8
// EV_EFI_SPDM_DEVICE_POLICY: EFI_SIGNATURE_LIST
// EV_EFI_SPDM_DEVICE_AUTHORITY: EFI_SIGNATURE_DATA
// for now, differentiate them by using devdc for ..DEVICE_AUTHORITY
case "devdc":
processSigDataX509(uefiVariableData);
break;
case "Boot00":
bootv = new UefiBootVariable(uefiVariableData);
break;
@ -188,6 +199,52 @@ public class UefiVariable {
}
}
/**
* Method for processing the data in an EFI SignatureList (ex. can be one or more X509 certs)
*
* @param efiSigData Byte array holding the SignatureList data
* @throws java.security.cert.CertificateException If there's a problem parsing the X509 certificate.
* @throws java.security.NoSuchAlgorithmException if there's a problem hashing the certificate.
* @throws java.io.IOException If there's a problem parsing the signature data.
*/
private void processSigDataX509(final byte[] efiSigData)
throws CertificateException, NoSuchAlgorithmException, IOException {
ByteArrayInputStream efiSigDataIS = new ByteArrayInputStream(efiSigData);
ArrayList<UefiSignatureData> sigList = new ArrayList<UefiSignatureData>();
spdmDevdcInfo += "";
// for now, use signature type for X509
// in future with more test data, update this
byte[] guid = HexUtils.hexStringToByteArray("A159C0A5E494A74A87B5AB155C2BF072");
UefiGuid signatureType = new UefiGuid(guid);
int numberOfCerts = 0;
boolean dataValid = true;
String dataInvalidStatus = "Signature data validity is undetermined yet";
while (efiSigDataIS.available() > 0) {
UefiSignatureData tmpSigData = new UefiSignatureData(efiSigDataIS, signatureType);
if (!tmpSigData.isValid()) {
dataValid = false;
dataInvalidStatus = tmpSigData.getStatus();
break;
}
sigList.add(tmpSigData);
numberOfCerts++;
}
spdmDevdcInfo += " Number of X509 Certs in UEFI Signature Data = " + numberOfCerts + "\n";
int certCnt = 0;
for (int i = 0; i < sigList.size(); i++) {
certCnt++;
spdmDevdcInfo += " Cert # " + certCnt + " of " + numberOfCerts + ": ------------------\n";
UefiSignatureData certData = sigList.get(i);
spdmDevdcInfo += certData.toString();
}
if (!dataValid) {
spdmDevdcInfo += " *** Invalid UEFI Signature data encountered: " + dataInvalidStatus + "\n";
}
}
/**
* Print out all the interesting characteristics available on this UEFI Variable.
*
@ -216,11 +273,11 @@ public class UefiVariable {
case "KEK":
case "db":
case "dbx":
break;
case "devdb": // SPDM_DEVICE_POLICY and SPDM_DEVICE_AUTHORITY
case "devdc": // for now use devdb and devdc
// (update when test patterns exist)
efiVariable.append(" EV_EFI_SPDM_DEVICE_POLICY and EV_EFI_SPDM_DEVICE_AUTHORITY: " +
"To be processed once more test patterns exist");
//efiVariable.append(" EV_EFI_SPDM_DEVICE_POLICY and EV_EFI_SPDM_DEVICE_AUTHORITY: " +
// "To be processed once more test patterns exist");
break;
case "Boot00":
efiVariable.append(bootv.toString());
@ -243,12 +300,12 @@ public class UefiVariable {
// Signature List output (if there are any Signature Lists)
if (certSuperList.size() > 0){
efiVariable.append("Number of UEFI Signature Lists = " + certSuperList.size() + "\n");
}
int certSuperListCnt = 1;
for (UefiSignatureList uefiSigList : certSuperList) {
efiVariable.append("UEFI Signature List # " + certSuperListCnt++ + " of " +
certSuperList.size() + ": ------------------\n");
efiVariable.append(uefiSigList.toString());
int certSuperListCnt = 1;
for (UefiSignatureList uefiSigList : certSuperList) {
efiVariable.append("UEFI Signature List # " + certSuperListCnt++ + " of " +
certSuperList.size() + ": ------------------\n");
efiVariable.append(uefiSigList.toString());
}
}
if(invalidSignatureListEncountered) {
efiVariable.append(invalidSignatureListStatus);
@ -256,6 +313,11 @@ public class UefiVariable {
"Stopped processing of this event data\n");
}
// Signature Data output (if there is a Signature Data)
if(!spdmDevdcInfo.isEmpty()) {
efiVariable.append(spdmDevdcInfo);
}
return efiVariable.toString();
}
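Review bot: In the new processSigDataX509, `spdmDevdcInfo += "";` is a no-op, `numberOfCerts` always equals `sigList.size()` after the loop, and the index loop re-derives `certCnt` from `i`; the method reads more directly with that line dropped and an enhanced for over `sigList`, as below. The hard-coded X509 GUID passed to `HexUtils.hexStringToByteArray(...)` would be clearer as a named constant alongside the FILESTATUS_* constants the class already uses, assuming one does not already exist. The new field `String spdmDevdcInfo = "";` is package-private while the neighbouring fields are private, so `private String spdmDevdcInfo = "";` would match. The toString hunk also leaves the old `//efiVariable.append(...)` lines commented out rather than deleted.
```java
private void processSigDataX509(final byte[] efiSigData)
        throws CertificateException, NoSuchAlgorithmException, IOException {
    ByteArrayInputStream efiSigDataIS = new ByteArrayInputStream(efiSigData);
    ArrayList<UefiSignatureData> sigList = new ArrayList<>();
    // … unchanged: signatureType GUID setup, dataValid / dataInvalidStatus, parsing loop (numberOfCerts++ removed) …
    spdmDevdcInfo += "   Number of X509 Certs in UEFI Signature Data = " + sigList.size() + "\n";
    int certCnt = 0;
    for (UefiSignatureData certData : sigList) {
        certCnt++;
        spdmDevdcInfo += "   Cert # " + certCnt + " of " + sigList.size() + ": ------------------\n";
        spdmDevdcInfo += certData.toString();
    }
    // … unchanged: invalid-data report …
}
```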