diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 8db7100e..ba8a54b5 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -8,8 +8,11 @@ import hirs.attestationca.exceptions.IdentityProcessingException; import hirs.attestationca.exceptions.UnexpectedServerException; import hirs.attestationca.service.SupplyChainValidationService; import hirs.data.persist.AppraisalStatus; +import hirs.data.persist.BaseReferenceManifest; import hirs.data.persist.Device; import hirs.data.persist.DeviceInfoReport; +import hirs.data.persist.ReferenceManifest; +import hirs.data.persist.SupportReferenceManifest; import hirs.data.persist.info.FirmwareInfo; import hirs.data.persist.info.HardwareInfo; import hirs.data.persist.info.NetworkInfo; @@ -36,6 +39,7 @@ import hirs.structs.elements.tpm.IdentityProof; import hirs.structs.elements.tpm.IdentityRequest; import hirs.structs.elements.tpm.SymmetricKey; import hirs.structs.elements.tpm.SymmetricKeyParams; +import hirs.tpm.eventlog.TCGEventLog; import hirs.utils.HexUtils; import org.apache.commons.codec.binary.Hex; import org.apache.commons.lang3.ArrayUtils; @@ -719,10 +723,64 @@ public abstract class AbstractAttestationCertificateAuthority hwProto.getProductVersion(), hwProto.getSystemSerialNumber(), firstChassisSerialNumber, firstBaseboardSerialNumber); - if (dv.getPcrslist() != null && !dv.getPcrslist().isEmpty()) { + if (dv.hasPcrslist()) { this.pcrValues = dv.getPcrslist().toStringUtf8(); } + // check for RIM Base and Support files, if they don't exists in the database, load them + String clientName; + if (dv.hasLogfile()) { + try { + ReferenceManifest support = ReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(dv.getSwidfile().hashCode()) + .getRIM(); + if (support == null) { + clientName = String.format("%s_%s.rimel", + dv.getHw().getManufacturer(), + dv.getHw().getProductName()); + this.referenceManifestManager.save( + new SupportReferenceManifest(clientName, + dv.getLogfile().toByteArray())); + } else { + LOG.info("Client provided Support RIM already loaded in database."); + } + TCGEventLog tcgEventLog = new TCGEventLog(dv.getLogfile().toByteArray()); + LOG.error(tcgEventLog.toString(true, true, true)); + } catch (CertificateException cEx) { + LOG.error(cEx); + } catch (NoSuchAlgorithmException noSaEx) { + LOG.error(noSaEx); + } catch (IOException ioEx) { + LOG.error(ioEx); + } + } + + if (dv.hasSwidfile()) { + try { + ReferenceManifest baseRim = ReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(dv.getSwidfile().hashCode()) + .getRIM(); + if (baseRim == null) { + clientName = String.format("%s_%s.swidtag", + dv.getHw().getManufacturer(), + dv.getHw().getProductName()); + this.referenceManifestManager.save( + new BaseReferenceManifest(clientName, + dv.getSwidfile().toByteArray())); + } else { + LOG.info("Client provided Base RIM already loaded in database."); + } + } catch (IOException ioEx) { + LOG.error(ioEx); + } + } + + if (dv.hasLivelog()) { + LOG.error("Live Log Exists"); + } + // Get TPM info, currently unimplemented TPMInfo tpm; try { diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java index 2b4fc8f9..6bfd3632 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java @@ -59,7 +59,7 @@ public class ReferenceManifestPageController extends PageController { private static final String BIOS_RELEASE_DATE_FORMAT = "yyyy-MM-dd"; - private static final String LOG_FILE_PATTERN = "([^\\s]+(\\.(?i)(rim|rimel|bin|log))$)"; + private static final String LOG_FILE_PATTERN = "([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"; private final BiosDateValidator biosValidator; private final ReferenceManifestManager referenceManifestManager; diff --git a/HIRS_ProvisionerTPM2/package/postinst b/HIRS_ProvisionerTPM2/package/postinst index dd6cf38e..a4c3109d 100644 --- a/HIRS_ProvisionerTPM2/package/postinst +++ b/HIRS_ProvisionerTPM2/package/postinst @@ -32,3 +32,7 @@ DEFAULT_SITE_CONFIG_FILE echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner-tpm2 provision' to provision this system" fi ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner + +if ! [ -f "set_tcg_properties.sh" ]; then + sh ./set_tcg_properties.sh +fi \ No newline at end of file diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index fae761b6..bb8f9182 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh @@ -39,3 +39,24 @@ DEFAULT_SITE_CONFIG_FILE echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner-tpm2 provision' to provision this system" fi ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner + +TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties" +MAINFEST_DIRECTORY="/boot/tcg/manifest" +LOG_FILE_LOCATION="$MAINFEST_DIRECTORY/rim/" +TAG_FILE_LOCATION="$MAINFEST_DIRECTORY/swidtag/" + +if [ ! -f "$TCG_BOOT_FILE" ]; then + touch "$TCG_BOOT_FILE" +fi + +if [ -d "$LOG_FILE_LOCATION" ]; then + RIM_FILE=$(find "$LOG_FILE_LOCATION" -name '*.rimel' -or -name '*.bin' -or -name '*.rimpcr' -or -name '*.log') + echo "tcg.rim.file=$RIM_FILE" > "$TCG_BOOT_FILE" +fi + +if [ -d "$TAG_FILE_LOCATION" ]; then + SWID_FILE=$(find "$TAG_FILE_LOCATION" -name '*.swidtag') + echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE" +fi + +chmod -w "$TCG_BOOT_FILE" diff --git a/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp b/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp index d3486c45..eb8f8742 100644 --- a/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp +++ b/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp @@ -243,4 +243,3 @@ hirs::pb::OsInfo DeviceInfoCollector::collectOsInfo() { return info; } - diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto index 9f34d2a2..af38dbac 100644 --- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto +++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto @@ -58,6 +58,9 @@ message DeviceInfo { required NetworkInfo nw = 3; required OsInfo os = 4; optional bytes pcrslist = 5; + optional bytes logfile = 6; + optional bytes swidfile = 7; + optional bytes livelog = 8; } message IdentityClaim { diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index 835e4be2..f280c924 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp @@ -13,6 +13,8 @@ #include #include #include +#include +#include #include "log4cplus/configurator.h" @@ -31,6 +33,7 @@ using hirs::tpm2::AsymmetricKeyType; using hirs::tpm2::CommandTpm2; using hirs::tpm2_tools_utils::Tpm2ToolsVersion; using hirs::utils::Process; +using hirs::properties::Properties; using std::cout; using std::cerr; using std::endl; @@ -65,6 +68,18 @@ int provision() { cout << "----> Collecting device information" << endl; hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo(); dv.set_pcrslist(tpm2.getPcrList()); + // collect TCG Boot files + Properties props("/etc/hirs/tcg_boot.properties"); + const std::string& rim_file = props.get("tcg.rim.file", ""); + const std::string& swid_file = props.get("tcg.swidtag.file", ""); + try { + dv.set_logfile(hirs::file_utils::fileToString(rim_file)); + dv.set_swidfile(hirs::file_utils::fileToString(swid_file)); + dv.set_livelog(hirs::file_utils::fileToString( + "/sys/kernel/security/tpm0/binary_bios_measurements")); + } catch (HirsRuntimeException& hirsRuntimeException) { + logger.error(hirsRuntimeException.what()); + } // send identity claim cout << "----> Sending identity claim to Attestation CA" << endl; diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java index a7f43de1..bd5a3b0a 100644 --- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java +++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java @@ -293,10 +293,28 @@ public final class TCGEventLog { StringBuilder sb = new StringBuilder(); for (TpmPcrEvent event : eventList) { sb.append(event.toString(bEvent, bHexEvent, bContent)); - } + } sb.append("Event Log processing completed.\n"); return sb.toString(); } + + /** + * Human readable string representing the contents of the Event Log. + * @param bEvent flag to set + * @param bHexEvent flag to set + * @param bContent flag to set + * @return Description of the log. + */ + public String toString(final boolean bEvent, + final boolean bHexEvent, + final boolean bContent) { + this.bEvent = bEvent; + this.bHexEvent = bHexEvent; + this.bContent = bContent; + + return this.toString(); + } + /** * Returns the TCG Algorithm Registry defined string for the Digest Algorithm * used in the event log. diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java index abdfe464..eab16ae7 100644 --- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java +++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java @@ -109,7 +109,7 @@ UefiSignatureList(final ByteArrayInputStream lists) /** * Method for processing a set of EFI SignatureList(s). - * @param sigData Byte array holding one or more SignatureLists + * @param efiSigData Byte array holding one or more SignatureLists * @throws CertificateException If there's a problem parsing the X509 certificate. * @throws NoSuchAlgorithmException if there's a problem hashing the certificate. * @throws IOException If there's a problem parsing the signature data. @@ -131,7 +131,7 @@ private void processSignatureList(final byte[] efiSigData) /** * Method for processing a set of EFI SignatureList(s). - * @param sigData Byte array holding one or more SignatureLists. + * @param sigDataIS Byte array holding one or more SignatureLists. * @throws CertificateException If there's a problem parsing the X509 certificate. * @throws NoSuchAlgorithmException if there's a problem hashing the certificate. * @throws IOException If there's a problem parsing the signature data. @@ -173,12 +173,14 @@ public int getNumberOfCerts() { */ public boolean isValidSigListGUID(final UefiGuid guid) { switch (guid.getVendorTableReference()) { - case "EFI_CERT_SHA256_GUID": return true; - case "EFI_CERT_X509_SHA256": return true; - case "EFI_CERT_X509_SHA384": return true; - case "EFI_CERT_X509_SHA512": return true; - case "EFI_CERT_X509_GUID": return true; - default: return false; + case "EFI_CERT_SHA256_GUID": + case "EFI_CERT_X509_SHA256": + case "EFI_CERT_X509_SHA384": + case "EFI_CERT_X509_SHA512": + case "EFI_CERT_X509_GUID": + return true; + default: + return false; } } @@ -193,7 +195,7 @@ public String toString() { sigInfo.append("Number if items = " + numberOfItems + "\n"); sigList.iterator(); for (int i = 0; i < sigList.size(); i++) { - UefiSignatureData certData = (UefiSignatureData) sigList.get(i); + UefiSignatureData certData = sigList.get(i); sigInfo.append(certData.toString()); } if (!valid) { diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java index 64985857..4763328f 100644 --- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java +++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java @@ -40,12 +40,12 @@ public class UefiVariable { * EFIVariable constructor. * The UEFI_VARIABLE_DATA contains a "VariableName" field which is used to determine * the class used to parse the data within the "VariableData". - * @param varibaleData byte array holding the UEFI Variable. + * @param variableData byte array holding the UEFI Variable. * @throws CertificateException If there a problem parsing the X509 certificate. * @throws NoSuchAlgorithmException if there's a problem hashing the certificate. * @throws IOException If there's a problem parsing the signature data. */ -public UefiVariable(final byte[] varibaleData) +public UefiVariable(final byte[] variableData) throws CertificateException, NoSuchAlgorithmException, IOException { byte[] guid = new byte[UefiConstants.SIZE_16]; byte[] nameLength = new byte[UefiConstants.SIZE_8]; @@ -54,21 +54,21 @@ public UefiVariable(final byte[] varibaleData) byte[] name = null; int variableLength = 0; - System.arraycopy(varibaleData, 0, guid, 0, UefiConstants.SIZE_16); + System.arraycopy(variableData, 0, guid, 0, UefiConstants.SIZE_16); uefiGuid = new UefiGuid(guid); - System.arraycopy(varibaleData, UefiConstants.SIZE_16, nameLength, 0, UefiConstants.SIZE_8); + System.arraycopy(variableData, UefiConstants.SIZE_16, nameLength, 0, UefiConstants.SIZE_8); int nlength = HexUtils.leReverseInt(nameLength); - System.arraycopy(varibaleData, UefiConstants.OFFSET_24, dataLength, 0, UefiConstants.SIZE_8); + System.arraycopy(variableData, UefiConstants.OFFSET_24, dataLength, 0, UefiConstants.SIZE_8); nameTemp = new byte[nlength * UefiConstants.SIZE_2]; - System.arraycopy(varibaleData, UefiConstants.OFFSET_32, + System.arraycopy(variableData, UefiConstants.OFFSET_32, nameTemp, 0, nlength * UefiConstants.SIZE_2); byte[] name1 = UefiDevicePath.convertChar16tobyteArray(nameTemp); name = new byte[nlength]; System.arraycopy(name1, 0, name, 0, nlength); variableLength = HexUtils.leReverseInt(dataLength); uefiVaribelData = new byte[variableLength]; - System.arraycopy(varibaleData, UefiConstants.OFFSET_32 + System.arraycopy(variableData, UefiConstants.OFFSET_32 + nlength * UefiConstants.SIZE_2, uefiVaribelData, 0, variableLength); varName = new String(name, "UTF-8"); String tmpName = varName;