From 3f57b0ab81bf7889cf154ad4025c2ea66a5265a0 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Wed, 7 Oct 2020 09:37:53 -0400 Subject: [PATCH 1/8] This is the initial code set up to pull the log file from the provisioner and send it to the ACA. Task 1 of #238. --- ...stractAttestationCertificateAuthority.java | 7 +++++++ .../include/DeviceInfoCollector.h | 2 ++ .../src/DeviceInfoCollector.cpp | 20 +++++++++++++++++++ .../src/ProvisionerTpm2.proto | 1 + HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 1 + 5 files changed, 31 insertions(+) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 8db7100e..b1f14f41 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -10,6 +10,7 @@ import hirs.attestationca.service.SupplyChainValidationService; import hirs.data.persist.AppraisalStatus; import hirs.data.persist.Device; import hirs.data.persist.DeviceInfoReport; +import hirs.data.persist.certificate.CertificateAuthorityCredential; import hirs.data.persist.info.FirmwareInfo; import hirs.data.persist.info.HardwareInfo; import hirs.data.persist.info.NetworkInfo; @@ -723,6 +724,12 @@ public abstract class AbstractAttestationCertificateAuthority this.pcrValues = dv.getPcrslist().toStringUtf8(); } + if (dv.getLogfile() != null && !dv.getLogfile().isEmpty()) { + LOG.error(dv.getLogfile()); + } else { + LOG.error("Didn't find the log file"); + } + // Get TPM info, currently unimplemented TPMInfo tpm; try { diff --git a/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h b/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h index ad368448..8680b690 100644 --- a/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h 
+++ b/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h @@ -39,5 +39,7 @@ class DeviceInfoCollector { * DeviceInfo object. */ static hirs::pb::DeviceInfo collectDeviceInfo(); + + static std::string collectTcgLog(); }; #endif // HIRS_PROVISIONERTPM2_INCLUDE_DEVICEINFOCOLLECTOR_H_ diff --git a/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp b/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp index d3486c45..acfcd511 100644 --- a/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp +++ b/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp @@ -244,3 +244,23 @@ hirs::pb::OsInfo DeviceInfoCollector::collectOsInfo() { return info; } +// Mimicing above,, open the log, and get all the information and attach that as a byte attribute of....one of the objects, +// not sure which one yet. and it can't be a string line, byte, then add running this method to the CollectDevieInfo + +string DeviceInfoCollector::collectTcgLog() { + ifstream tcgLogFile("/boot/tcg/manifest/rim/Evo.dockerclient.2.rimel", + std::ios::binary | std::ios::ate); + ifstream::pos_type pos = tcgLogFile.tellg(); + + int length = pos; + char *pChars = new char[length]; + + + tcgLogFile.seekg(0, std::ios::beg); + tcgLogFile.read(pChars, length); + + string content(pos); + tcgLogFile.close(); + + return content; +} \ No newline at end of file diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto index 9f34d2a2..6f030111 100644 --- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto +++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto @@ -58,6 +58,7 @@ message DeviceInfo { required NetworkInfo nw = 3; required OsInfo os = 4; optional bytes pcrslist = 5; + optional bytes logfile = 6; } message IdentityClaim { diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index 835e4be2..156336ba 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp 
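Review bot: `collectTcgLog` never returns the bytes it reads — `string content(pos)` is constructed from the stream position, not from `pChars`, so the ACA receives garbage, and `pChars` is `new[]`-allocated and never freed. If the open fails, `tellg()` returns -1 and `new char[length]` is attempted with a negative length; check `tcgLogFile.is_open()` first and read with `std::string content((std::istreambuf_iterator<char>(tcgLogFile)), std::istreambuf_iterator<char>());`, which needs no manual buffer or `delete[]`. The path `/boot/tcg/manifest/rim/Evo.dockerclient.2.rimel` is a hard-coded test fixture and should come from configuration rather than ship in the provisioner binary.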
@@ -65,6 +65,7 @@ int provision() { cout << "----> Collecting device information" << endl; hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo(); dv.set_pcrslist(tpm2.getPcrList()); + dv.set_logfile(DeviceInfoCollector::collectTcgLog()); // send identity claim cout << "----> Sending identity claim to Attestation CA" << endl; From 4b0bb2df91862ae9d7e9b0c733ffa6e54fcd215c Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 9 Oct 2020 10:48:17 -0400 Subject: [PATCH 2/8] This commit updates the provisioner to pull the rim and swidtag locations from a properties file that will be created during the post install process. The provisioner then pulls the values and sends them to the ACA. The ACA currently just prints out the content and saves the swidtag. --- ...stractAttestationCertificateAuthority.java | 30 +++++++++++++++---- .../ReferenceManifestPageController.java | 2 +- HIRS_ProvisionerTPM2/CMakeLists.txt | 2 ++ .../include/DeviceInfoCollector.h | 2 -- HIRS_ProvisionerTPM2/package/postinst | 4 +++ .../package/rpm-post-install.sh | 4 +++ .../package/set_tcg_properties.sh | 22 ++++++++++++++ .../src/ProvisionerTpm2.proto | 1 + HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 14 ++++++++- .../java/hirs/tpm/eventlog/TCGEventLog.java | 20 ++++++++++++- .../tpm/eventlog/uefi/UefiSignatureList.java | 20 +++++++------ .../hirs/tpm/eventlog/uefi/UefiVariable.java | 14 ++++----- 12 files changed, 108 insertions(+), 27 deletions(-) create mode 100644 HIRS_ProvisionerTPM2/package/set_tcg_properties.sh diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index b1f14f41..8993640b 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java 
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -8,9 +8,9 @@ import hirs.attestationca.exceptions.IdentityProcessingException; import hirs.attestationca.exceptions.UnexpectedServerException; import hirs.attestationca.service.SupplyChainValidationService; import hirs.data.persist.AppraisalStatus; +import hirs.data.persist.BaseReferenceManifest; import hirs.data.persist.Device; import hirs.data.persist.DeviceInfoReport; -import hirs.data.persist.certificate.CertificateAuthorityCredential; import hirs.data.persist.info.FirmwareInfo; import hirs.data.persist.info.HardwareInfo; import hirs.data.persist.info.NetworkInfo; @@ -37,6 +37,7 @@ import hirs.structs.elements.tpm.IdentityProof; import hirs.structs.elements.tpm.IdentityRequest; import hirs.structs.elements.tpm.SymmetricKey; import hirs.structs.elements.tpm.SymmetricKeyParams; +import hirs.tpm.eventlog.TCGEventLog; import hirs.utils.HexUtils; import org.apache.commons.codec.binary.Hex; import org.apache.commons.lang3.ArrayUtils; 
@@ -720,14 +721,31 @@ public abstract class AbstractAttestationCertificateAuthority hwProto.getProductVersion(), hwProto.getSystemSerialNumber(), firstChassisSerialNumber, firstBaseboardSerialNumber); - if (dv.getPcrslist() != null && !dv.getPcrslist().isEmpty()) { + if (dv.hasPcrslist()) { this.pcrValues = dv.getPcrslist().toStringUtf8(); } - if (dv.getLogfile() != null && !dv.getLogfile().isEmpty()) { - LOG.error(dv.getLogfile()); - } else { - LOG.error("Didn't find the log file"); + if (dv.hasLogfile()) { + try { + TCGEventLog tcgEventLog = new TCGEventLog(dv.getLogfile().toByteArray()); + LOG.error(tcgEventLog.toString(true, true, true)); + } catch (CertificateException cEx) { + LOG.error(cEx); + } catch (NoSuchAlgorithmException noSaEx) { + LOG.error(noSaEx); + } catch (IOException ioEx) { + LOG.error(ioEx); + } + } + + if (dv.hasSwidfile()) { + try { + this.referenceManifestManager.save( + new BaseReferenceManifest("blank.swidtag", + dv.getSwidfile().toByteArray())); + } catch (IOException ioEx) { + LOG.error(ioEx); + } } // Get TPM info, currently unimplemented diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java index 2b4fc8f9..6bfd3632 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java 
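Review bot: The new `TCGEventLog` parse runs on bytes chosen by the provisioner, but only `CertificateException`, `NoSuchAlgorithmException` and `IOException` are caught; the parser code this same patch touches in `UefiVariable` sizes arrays straight from input-derived lengths (`new byte[nlength * UefiConstants.SIZE_2]`, `new byte[variableLength]`) with no bounds check, so a malformed or hostile log can surface as `NegativeArraySizeException`/`ArrayIndexOutOfBoundsException` (or an oversized allocation) and escape this block. Catch `RuntimeException` here as well and cap the accepted `logfile`/`swidfile` sizes before parsing, so a bad client payload fails its own claim rather than the request handler. `LOG.error(tcgEventLog.toString(true, true, true))` dumps the entire parsed log at ERROR level on every successful claim; make it `LOG.debug`. Saving `new BaseReferenceManifest("blank.swidtag", ...)` stores whatever the client sent as reference material with no signature or provenance check, which inverts the trust relationship an attestation CA is meant to enforce. The enclosing method continues outside the hunk.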
@@ -59,7 +59,7 @@ public class ReferenceManifestPageController extends PageController { private static final String BIOS_RELEASE_DATE_FORMAT = "yyyy-MM-dd"; - private static final String LOG_FILE_PATTERN = "([^\\s]+(\\.(?i)(rim|rimel|bin|log))$)"; + private static final String LOG_FILE_PATTERN = "([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"; private final BiosDateValidator biosValidator; private final ReferenceManifestManager referenceManifestManager; diff --git a/HIRS_ProvisionerTPM2/CMakeLists.txt b/HIRS_ProvisionerTPM2/CMakeLists.txt index 5b6722d2..c4c8ca50 100644 --- a/HIRS_ProvisionerTPM2/CMakeLists.txt +++ b/HIRS_ProvisionerTPM2/CMakeLists.txt @@ -287,6 +287,7 @@ if (${DISTRIBUTION} STREQUAL "Ubuntu") endif() set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE amd64) set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/postinst) + set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh) set(CPACK_PACKAGE_FILE_NAME "${CPACK_DEBIAN_PACKAGE_NAME}_${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}_${CPACK_DEBIAN_PACKAGE_ARCHITECTURE}") elseif (${DISTRIBUTION} STREQUAL "CentOS Linux") # Set variables specific to CPack RPM package generator @@ -297,6 +298,7 @@ elseif (${DISTRIBUTION} STREQUAL "CentOS Linux") set(CPACK_RPM_PACKAGE_GROUP "System Environment/Base") set(CPACK_RPM_PACKAGE_REQUIRES "log4cplus >= 1.1.2, tpm2-tss >= 1.0, tpm2-tools >= 1.1.0, protobuf >= 2.4.1, re2 >= 20160401, libcurl >= 7.0.0, paccor, procps-ng >= 3.3.0") set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/rpm-post-install.sh) + set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh) set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/local /usr/local/bin /usr/local/include /usr/local/lib) set(CPACK_PACKAGE_FILE_NAME "${CPACK_RPM_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}.${CPACK_RPM_PACKAGE_RELEASE_DIST}.${CMAKE_SYSTEM_PROCESSOR}") endif() 
diff --git a/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h b/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h index 8680b690..ad368448 100644 --- a/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h +++ b/HIRS_ProvisionerTPM2/include/DeviceInfoCollector.h @@ -39,7 +39,5 @@ class DeviceInfoCollector { * DeviceInfo object. */ static hirs::pb::DeviceInfo collectDeviceInfo(); - - static std::string collectTcgLog(); }; #endif // HIRS_PROVISIONERTPM2_INCLUDE_DEVICEINFOCOLLECTOR_H_ diff --git a/HIRS_ProvisionerTPM2/package/postinst b/HIRS_ProvisionerTPM2/package/postinst index dd6cf38e..a4c3109d 100644 --- a/HIRS_ProvisionerTPM2/package/postinst +++ b/HIRS_ProvisionerTPM2/package/postinst @@ -32,3 +32,7 @@ DEFAULT_SITE_CONFIG_FILE echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner-tpm2 provision' to provision this system" fi ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner + +if ! [ -f "set_tcg_properties.sh" ]; then + sh ./set_tcg_properties.sh +fi \ No newline at end of file diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index fae761b6..f18e6190 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh @@ -39,3 +39,7 @@ DEFAULT_SITE_CONFIG_FILE echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner-tpm2 provision' to provision this system" fi ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner + +if ! [ -f "set_tcg_properties.sh" ]; then + sh ./set_tcg_properties.sh +fi diff --git a/HIRS_ProvisionerTPM2/package/set_tcg_properties.sh b/HIRS_ProvisionerTPM2/package/set_tcg_properties.sh new file mode 100644 index 00000000..f36c0561 --- /dev/null +++ b/HIRS_ProvisionerTPM2/package/set_tcg_properties.sh 
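Review bot: The condition added to `postinst` is inverted: `if ! [ -f "set_tcg_properties.sh" ]` runs the script only when it does *not* exist, so the properties file is never generated on Debian installs, and `./set_tcg_properties.sh` is resolved against the maintainer script's working directory rather than the package payload. The check should be `if [ -f "$SCRIPT_DIR/set_tcg_properties.sh" ]; then` with an absolute path, or the script's contents inlined as the RPM side is later in this series. Nothing else in the series touches `postinst` again, so the Debian package ships with this dead call and no `/etc/hirs/tcg_boot.properties`.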
@@ -0,0 +1,22 @@ +#!/bin/bash + +TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties" +MAINFEST_DIRECTORY="/boot/tcg/manifest" +LOG_FILE_LOCATION="$MAINFEST_DIRECTORY/rim/" +TAG_FILE_LOCATION="$MAINFEST_DIRECTORY/swidtag/" + +if [ ! -f "$TCG_BOOT_FILE" ]; then + touch "$TCG_BOOT_FILE" +fi + +if [ -d "$LOG_FILE_LOCATION" ]; then + RIM_FILE=$(find "$LOG_FILE_LOCATION" -name '*.rimel' -or -name '*.bin' -or -name '*.rimpcr' -or -name '*.log') + echo "tcg.rim.file=$RIM_FILE" >> "$TCG_BOOT_FILE" +fi + +if [ -d "$TAG_FILE_LOCATION" ]; then + SWID_FILE=$(find "$TAG_FILE_LOCATION" -name '*.swidtag') + echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE" +fi + +chmod -w "$TCG_BOOT_FILE" \ No newline at end of file diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto index 6f030111..96f3d0e5 100644 --- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto +++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto @@ -59,6 +59,7 @@ message DeviceInfo { required OsInfo os = 4; optional bytes pcrslist = 5; optional bytes logfile = 6; + optional bytes swidfile = 7; } message IdentityClaim { diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index 156336ba..03826459 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp @@ -13,6 +13,8 @@ #include #include #include +#include +#include #include "log4cplus/configurator.h" @@ -31,6 +33,7 @@ using hirs::tpm2::AsymmetricKeyType; using hirs::tpm2::CommandTpm2; using hirs::tpm2_tools_utils::Tpm2ToolsVersion; using hirs::utils::Process; +using hirs::properties::Properties; using std::cout; using std::cerr; using std::endl; 
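Review bot: `RIM_FILE=$(find ... -name '*.rimel' -or -name '*.bin' ...)` captures every match, so two files in the directory produce a newline-separated value and a broken `tcg.rim.file=` entry, while a directory with no match writes an empty value that the provisioner will then try to open. Take the first match only (`-print -quit`) and skip the `echo` when the result is empty, e.g. `if [ -n "$RIM_FILE" ]; then echo "tcg.rim.file=$RIM_FILE" >> "$TCG_BOOT_FILE"; fi`. `>>` appends on every install or upgrade, so the file accumulates duplicate keys; truncate it once at the top instead. `chmod -w` on a root-owned file does not stop root (this script or the provisioner) from writing it, so it is not a protection. `MAINFEST_DIRECTORY` is misspelled.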
@@ -65,7 +68,16 @@ int provision() { cout << "----> Collecting device information" << endl; hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo(); dv.set_pcrslist(tpm2.getPcrList()); - dv.set_logfile(DeviceInfoCollector::collectTcgLog()); + // collect TCG Boot files + Properties props("/etc/hirs/tcg_boot.properties"); + const std::string& rim_file = props.get("tcg.rim.file", ""); + const std::string& swid_file = props.get("tcg.swidtag.file", ""); + try { + dv.set_logfile(hirs::file_utils::fileToString(rim_file)); + dv.set_swidfile(hirs::file_utils::fileToString(swid_file)); + } catch (HirsRuntimeException& hirsRuntimeException) { + logger.error(hirsRuntimeException.what()); + } // send identity claim cout << "----> Sending identity claim to Attestation CA" << endl; diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java index a7f43de1..bd5a3b0a 100644 --- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java +++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/TCGEventLog.java @@ -293,10 +293,28 @@ public final class TCGEventLog { StringBuilder sb = new StringBuilder(); for (TpmPcrEvent event : eventList) { sb.append(event.toString(bEvent, bHexEvent, bContent)); - } + } sb.append("Event Log processing completed.\n"); return sb.toString(); } + + /** + * Human readable string representing the contents of the Event Log. + * @param bEvent flag to set + * @param bHexEvent flag to set + * @param bContent flag to set + * @return Description of the log. + */ + public String toString(final boolean bEvent, + final boolean bHexEvent, + final boolean bContent) { + this.bEvent = bEvent; + this.bHexEvent = bHexEvent; + this.bContent = bContent; + + return this.toString(); + } + /** * Returns the TCG Algorithm Registry defined string for the Digest Algorithm * used in the event log. 
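Review bot: When `/etc/hirs/tcg_boot.properties` lacks a key, `props.get("tcg.rim.file", "")` yields an empty path that is passed straight to `fileToString`, and because both reads share one `try`, a failure on the RIM file also skips `set_swidfile`. Guard each read, e.g. `if (!rim_file.empty()) { dv.set_logfile(hirs::file_utils::fileToString(rim_file)); }`, and give each call its own `try`/`catch` so one missing artifact does not drop the other. Whether `Properties` throws when the file itself is absent is not visible here; if it does, the throw escapes this block because the constructor sits outside the `try`. Catch `HirsRuntimeException` by `const&`.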
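Review bot: The new three-argument `toString` mutates `bEvent`, `bHexEvent` and `bContent` on the instance, so every later plain `toString()` on the same `TCGEventLog` silently reflects whatever flags the last caller passed — a formatting method should not change object state. Save the three fields, set them, and restore them in a `finally` around `return this.toString();`, or have both overloads delegate to a private formatter that takes the flags as parameters. The re-indentation of the closing `}` in the existing `toString` is whitespace noise in an otherwise functional commit.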
diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java index abdfe464..eab16ae7 100644 --- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java +++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiSignatureList.java @@ -109,7 +109,7 @@ UefiSignatureList(final ByteArrayInputStream lists) /** * Method for processing a set of EFI SignatureList(s). - * @param sigData Byte array holding one or more SignatureLists + * @param efiSigData Byte array holding one or more SignatureLists * @throws CertificateException If there's a problem parsing the X509 certificate. * @throws NoSuchAlgorithmException if there's a problem hashing the certificate. * @throws IOException If there's a problem parsing the signature data. @@ -131,7 +131,7 @@ private void processSignatureList(final byte[] efiSigData) /** * Method for processing a set of EFI SignatureList(s). - * @param sigData Byte array holding one or more SignatureLists. + * @param sigDataIS Byte array holding one or more SignatureLists. * @throws CertificateException If there's a problem parsing the X509 certificate. * @throws NoSuchAlgorithmException if there's a problem hashing the certificate. * @throws IOException If there's a problem parsing the signature data. @@ -173,12 +173,14 @@ public int getNumberOfCerts() { */ public boolean isValidSigListGUID(final UefiGuid guid) { switch (guid.getVendorTableReference()) { - case "EFI_CERT_SHA256_GUID": return true; - case "EFI_CERT_X509_SHA256": return true; - case "EFI_CERT_X509_SHA384": return true; - case "EFI_CERT_X509_SHA512": return true; - case "EFI_CERT_X509_GUID": return true; - default: return false; + case "EFI_CERT_SHA256_GUID": + case "EFI_CERT_X509_SHA256": + case "EFI_CERT_X509_SHA384": + case "EFI_CERT_X509_SHA512": + case "EFI_CERT_X509_GUID": + return true; + default: + return false; } } 
@@ -193,7 +195,7 @@ public String toString() { sigInfo.append("Number if items = " + numberOfItems + "\n"); sigList.iterator(); for (int i = 0; i < sigList.size(); i++) { - UefiSignatureData certData = (UefiSignatureData) sigList.get(i); + UefiSignatureData certData = sigList.get(i); sigInfo.append(certData.toString()); } if (!valid) { diff --git a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java index 64985857..4763328f 100644 --- a/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java +++ b/HIRS_Utils/src/main/java/hirs/tpm/eventlog/uefi/UefiVariable.java @@ -40,12 +40,12 @@ public class UefiVariable { * EFIVariable constructor. * The UEFI_VARIABLE_DATA contains a "VariableName" field which is used to determine * the class used to parse the data within the "VariableData". - * @param varibaleData byte array holding the UEFI Variable. + * @param variableData byte array holding the UEFI Variable. * @throws CertificateException If there a problem parsing the X509 certificate. * @throws NoSuchAlgorithmException if there's a problem hashing the certificate. * @throws IOException If there's a problem parsing the signature data. */ -public UefiVariable(final byte[] varibaleData) +public UefiVariable(final byte[] variableData) throws CertificateException, NoSuchAlgorithmException, IOException { byte[] guid = new byte[UefiConstants.SIZE_16]; byte[] nameLength = new byte[UefiConstants.SIZE_8]; 
@@ -54,21 +54,21 @@ public UefiVariable(final byte[] varibaleData) byte[] name = null; int variableLength = 0; - System.arraycopy(varibaleData, 0, guid, 0, UefiConstants.SIZE_16); + System.arraycopy(variableData, 0, guid, 0, UefiConstants.SIZE_16); uefiGuid = new UefiGuid(guid); - System.arraycopy(varibaleData, UefiConstants.SIZE_16, nameLength, 0, UefiConstants.SIZE_8); + System.arraycopy(variableData, UefiConstants.SIZE_16, nameLength, 0, UefiConstants.SIZE_8); int nlength = HexUtils.leReverseInt(nameLength); - System.arraycopy(varibaleData, UefiConstants.OFFSET_24, dataLength, 0, UefiConstants.SIZE_8); + System.arraycopy(variableData, UefiConstants.OFFSET_24, dataLength, 0, UefiConstants.SIZE_8); nameTemp = new byte[nlength * UefiConstants.SIZE_2]; - System.arraycopy(varibaleData, UefiConstants.OFFSET_32, + System.arraycopy(variableData, UefiConstants.OFFSET_32, nameTemp, 0, nlength * UefiConstants.SIZE_2); byte[] name1 = UefiDevicePath.convertChar16tobyteArray(nameTemp); name = new byte[nlength]; System.arraycopy(name1, 0, name, 0, nlength); variableLength = HexUtils.leReverseInt(dataLength); uefiVaribelData = new byte[variableLength]; - System.arraycopy(varibaleData, UefiConstants.OFFSET_32 + System.arraycopy(variableData, UefiConstants.OFFSET_32 + nlength * UefiConstants.SIZE_2, uefiVaribelData, 0, variableLength); varName = new String(name, "UTF-8"); String tmpName = varName; From d8da232d6b3774ded7de19be8db9e1a42db18644 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 9 Oct 2020 10:53:42 -0400 Subject: [PATCH 3/8] Removed method that is not used. This is task 1 for #238 --- .../src/DeviceInfoCollector.cpp | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp b/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp index acfcd511..eb8f8742 100644 --- a/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp +++ b/HIRS_ProvisionerTPM2/src/DeviceInfoCollector.cpp 
@@ -243,24 +243,3 @@ hirs::pb::OsInfo DeviceInfoCollector::collectOsInfo() { return info; } - -// Mimicing above,, open the log, and get all the information and attach that as a byte attribute of....one of the objects, -// not sure which one yet. and it can't be a string line, byte, then add running this method to the CollectDevieInfo - -string DeviceInfoCollector::collectTcgLog() { - ifstream tcgLogFile("/boot/tcg/manifest/rim/Evo.dockerclient.2.rimel", - std::ios::binary | std::ios::ate); - ifstream::pos_type pos = tcgLogFile.tellg(); - - int length = pos; - char *pChars = new char[length]; - - - tcgLogFile.seekg(0, std::ios::beg); - tcgLogFile.read(pChars, length); - - string content(pos); - tcgLogFile.close(); - - return content; -} \ No newline at end of file From 04471c96530df89daf4c6b867bf98f8bd37ffab3 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 9 Oct 2020 11:58:27 -0400 Subject: [PATCH 4/8] Bash if statement with syntax error: exclamation mark was outside of [] --- HIRS_ProvisionerTPM2/package/rpm-post-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index f18e6190..07eaf377 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh @@ -40,6 +40,6 @@ DEFAULT_SITE_CONFIG_FILE fi ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner -if ! [ -f "set_tcg_properties.sh" ]; then +if [ ! -f "set_tcg_properties.sh" ]; then sh ./set_tcg_properties.sh fi From 84df61e4cf50ce04514779771152b2861216fa9e Mon Sep 17 00:00:00 2001 
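Review bot: Moving the `!` inside the brackets does not change what the test does — `! [ -f x ]` and `[ ! -f x ]` are both valid and equivalent — so no syntax error is fixed and the condition is still inverted: `set_tcg_properties.sh` is executed only when it is absent. The intended check is `if [ -f "set_tcg_properties.sh" ]; then`, and the path should be absolute, since the RPM scriptlet's working directory is not guaranteed to contain the script.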
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 9 Oct 2020 12:34:38 -0400 Subject: [PATCH 5/8] The CPACK variable name for the post rpm install script was the same as the set tcg script included in the cmakelists file. This caused the post install script to never run and never create directories necessary for a successful install. --- HIRS_ProvisionerTPM2/CMakeLists.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/HIRS_ProvisionerTPM2/CMakeLists.txt b/HIRS_ProvisionerTPM2/CMakeLists.txt index c4c8ca50..aa8314dd 100644 --- a/HIRS_ProvisionerTPM2/CMakeLists.txt +++ b/HIRS_ProvisionerTPM2/CMakeLists.txt @@ -287,7 +287,7 @@ if (${DISTRIBUTION} STREQUAL "Ubuntu") endif() set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE amd64) set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/postinst) - set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh) + set(CPACK_DEBIAN_PACKAGE_SET_TCG ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh) set(CPACK_PACKAGE_FILE_NAME "${CPACK_DEBIAN_PACKAGE_NAME}_${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}_${CPACK_DEBIAN_PACKAGE_ARCHITECTURE}") elseif (${DISTRIBUTION} STREQUAL "CentOS Linux") # Set variables specific to CPack RPM package generator 
@@ -298,7 +298,7 @@ elseif (${DISTRIBUTION} STREQUAL "CentOS Linux") set(CPACK_RPM_PACKAGE_GROUP "System Environment/Base") set(CPACK_RPM_PACKAGE_REQUIRES "log4cplus >= 1.1.2, tpm2-tss >= 1.0, tpm2-tools >= 1.1.0, protobuf >= 2.4.1, re2 >= 20160401, libcurl >= 7.0.0, paccor, procps-ng >= 3.3.0") set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/rpm-post-install.sh) - set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh) + set(CPACK_RPM_POST_INSTALL_TCG_FILE ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh) set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/local /usr/local/bin /usr/local/include /usr/local/lib) set(CPACK_PACKAGE_FILE_NAME "${CPACK_RPM_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}.${CPACK_RPM_PACKAGE_RELEASE_DIST}.${CMAKE_SYSTEM_PROCESSOR}") endif() From 4e39b6856b119f55b63fc52d3a3bf1b685c6027c Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 9 Oct 2020 13:18:10 -0400 Subject: [PATCH 6/8] post install script was run however that is all that was run. The set tcg properties script was not included. The contents of the new script have been added to the post install script and the set tcg script has been removed. --- HIRS_ProvisionerTPM2/CMakeLists.txt | 2 -- .../package/rpm-post-install.sh | 21 ++++++++++++++++-- .../package/set_tcg_properties.sh | 22 ------------------- 3 files changed, 19 insertions(+), 26 deletions(-) delete mode 100644 HIRS_ProvisionerTPM2/package/set_tcg_properties.sh diff --git a/HIRS_ProvisionerTPM2/CMakeLists.txt b/HIRS_ProvisionerTPM2/CMakeLists.txt index aa8314dd..5b6722d2 100644 --- a/HIRS_ProvisionerTPM2/CMakeLists.txt +++ b/HIRS_ProvisionerTPM2/CMakeLists.txt 
@@ -287,7 +287,6 @@ if (${DISTRIBUTION} STREQUAL "Ubuntu") endif() set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE amd64) set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/postinst) - set(CPACK_DEBIAN_PACKAGE_SET_TCG ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh) set(CPACK_PACKAGE_FILE_NAME "${CPACK_DEBIAN_PACKAGE_NAME}_${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}_${CPACK_DEBIAN_PACKAGE_ARCHITECTURE}") elseif (${DISTRIBUTION} STREQUAL "CentOS Linux") # Set variables specific to CPack RPM package generator @@ -298,7 +297,6 @@ elseif (${DISTRIBUTION} STREQUAL "CentOS Linux") set(CPACK_RPM_PACKAGE_GROUP "System Environment/Base") set(CPACK_RPM_PACKAGE_REQUIRES "log4cplus >= 1.1.2, tpm2-tss >= 1.0, tpm2-tools >= 1.1.0, protobuf >= 2.4.1, re2 >= 20160401, libcurl >= 7.0.0, paccor, procps-ng >= 3.3.0") set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/rpm-post-install.sh) - set(CPACK_RPM_POST_INSTALL_TCG_FILE ${CMAKE_SOURCE_DIR}/package/set_tcg_properties.sh) set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/local /usr/local/bin /usr/local/include /usr/local/lib) set(CPACK_PACKAGE_FILE_NAME "${CPACK_RPM_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}.${CPACK_RPM_PACKAGE_RELEASE_DIST}.${CMAKE_SYSTEM_PROCESSOR}") endif() diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index 07eaf377..082fd086 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh 
@@ -40,6 +40,23 @@ DEFAULT_SITE_CONFIG_FILE fi ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner -if [ ! -f "set_tcg_properties.sh" ]; then - sh ./set_tcg_properties.sh +TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties" +MAINFEST_DIRECTORY="/boot/tcg/manifest" +LOG_FILE_LOCATION="$MAINFEST_DIRECTORY/rim/" +TAG_FILE_LOCATION="$MAINFEST_DIRECTORY/swidtag/" + +if [ ! -f "$TCG_BOOT_FILE" ]; then + touch "$TCG_BOOT_FILE" fi + +if [ -d "$LOG_FILE_LOCATION" ]; then + RIM_FILE=$(find "$LOG_FILE_LOCATION" -name '*.rimel' -or -name '*.bin' -or -name '*.rimpcr' -or -name '*.log') + echo "tcg.rim.file=$RIM_FILE" >> "$TCG_BOOT_FILE" +fi + +if [ -d "$TAG_FILE_LOCATION" ]; then + SWID_FILE=$(find "$TAG_FILE_LOCATION" -name '*.swidtag') + echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE" +fi + +chmod -w "$TCG_BOOT_FILE" diff --git a/HIRS_ProvisionerTPM2/package/set_tcg_properties.sh b/HIRS_ProvisionerTPM2/package/set_tcg_properties.sh deleted file mode 100644 index f36c0561..00000000 --- a/HIRS_ProvisionerTPM2/package/set_tcg_properties.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties" -MAINFEST_DIRECTORY="/boot/tcg/manifest" -LOG_FILE_LOCATION="$MAINFEST_DIRECTORY/rim/" -TAG_FILE_LOCATION="$MAINFEST_DIRECTORY/swidtag/" - -if [ ! -f "$TCG_BOOT_FILE" ]; then - touch "$TCG_BOOT_FILE" -fi - -if [ -d "$LOG_FILE_LOCATION" ]; then - RIM_FILE=$(find "$LOG_FILE_LOCATION" -name '*.rimel' -or -name '*.bin' -or -name '*.rimpcr' -or -name '*.log') - echo "tcg.rim.file=$RIM_FILE" >> "$TCG_BOOT_FILE" -fi - -if [ -d "$TAG_FILE_LOCATION" ]; then - SWID_FILE=$(find "$TAG_FILE_LOCATION" -name '*.swidtag') - echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE" -fi - -chmod -w "$TCG_BOOT_FILE" \ No newline at end of file From f9b0ce413d05596d3ead107b019143f58e57034f Mon Sep 17 00:00:00 2001 
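Review bot: The inlined `find` calls capture every match, so a second `.rimel`/`.bin`/`.log` file under `/boot/tcg/manifest/rim/` turns `tcg.rim.file=` into a multi-line value, and an empty result still writes a key with no path that the provisioner then tries to open. Both `echo ... >>` lines also append on every install or upgrade, so the properties file accumulates duplicate keys. Truncate the file once, take only the first regular file per pattern with `-print -quit`, and write a key only when a file was found; the rewritten lines are below. `chmod -w` on a root-owned file in `/etc` does not prevent root from writing it, so it provides no protection and only makes manual edits awkward. `MAINFEST_DIRECTORY` is misspelled.
```shell
TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties"
MANIFEST_DIRECTORY="/boot/tcg/manifest"
LOG_FILE_LOCATION="$MANIFEST_DIRECTORY/rim/"
TAG_FILE_LOCATION="$MANIFEST_DIRECTORY/swidtag/"

# Start from an empty file so re-installs do not accumulate duplicate keys.
: > "$TCG_BOOT_FILE"

if [ -d "$LOG_FILE_LOCATION" ]; then
    # First matching regular file only; a multi-line value would corrupt the properties file.
    RIM_FILE=$(find "$LOG_FILE_LOCATION" -type f \( -name '*.rimel' -o -name '*.bin' -o -name '*.rimpcr' -o -name '*.log' \) -print -quit)
    if [ -n "$RIM_FILE" ]; then
        echo "tcg.rim.file=$RIM_FILE" >> "$TCG_BOOT_FILE"
    fi
fi

if [ -d "$TAG_FILE_LOCATION" ]; then
    SWID_FILE=$(find "$TAG_FILE_LOCATION" -type f -name '*.swidtag' -print -quit)
    if [ -n "$SWID_FILE" ]; then
        echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE"
    fi
fi
```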
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 13 Oct 2020 11:42:50 -0400 Subject: [PATCH 7/8] This commit adds minor tweaks. The first updates the post install script to overwrite, rather than append, the file names to the tcg boot properties file. The next tweak properly loads the Base and Support RIM from the provisioning process into the DB. --- ...stractAttestationCertificateAuthority.java | 35 +++++++++++++++++-- .../package/rpm-post-install.sh | 2 +- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 8993640b..b3bc65f7 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -11,6 +11,8 @@ import hirs.data.persist.AppraisalStatus; import hirs.data.persist.BaseReferenceManifest; import hirs.data.persist.Device; import hirs.data.persist.DeviceInfoReport; +import hirs.data.persist.ReferenceManifest; +import hirs.data.persist.SupportReferenceManifest; import hirs.data.persist.info.FirmwareInfo; import hirs.data.persist.info.HardwareInfo; import hirs.data.persist.info.NetworkInfo; 
@@ -725,8 +727,24 @@ public abstract class AbstractAttestationCertificateAuthority this.pcrValues = dv.getPcrslist().toStringUtf8(); } + // check for RIM Base and Support files, if they don't exists in the database, load them + String clientName; if (dv.hasLogfile()) { try { + ReferenceManifest support = ReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(dv.getSwidfile().hashCode()) + .getRIM(); + if (support == null) { + clientName = String.format("%s_%s.rimel", + dv.getHw().getManufacturer(), + dv.getHw().getProductName()); + this.referenceManifestManager.save( + new SupportReferenceManifest(clientName, + dv.getLogfile().toByteArray())); + } else { + LOG.info("Client provided Support RIM already loaded in database."); + } TCGEventLog tcgEventLog = new TCGEventLog(dv.getLogfile().toByteArray()); LOG.error(tcgEventLog.toString(true, true, true)); } catch (CertificateException cEx) { @@ -740,9 +758,20 @@ public abstract class AbstractAttestationCertificateAuthority if (dv.hasSwidfile()) { try { - this.referenceManifestManager.save( - new BaseReferenceManifest("blank.swidtag", - dv.getSwidfile().toByteArray())); + ReferenceManifest baseRim = ReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(dv.getSwidfile().hashCode()) + .getRIM(); + if (baseRim == null) { + clientName = String.format("%s_%s.swidtag", + dv.getHw().getManufacturer(), + dv.getHw().getProductName()); + this.referenceManifestManager.save( + new BaseReferenceManifest(clientName, + dv.getSwidfile().toByteArray())); + } else { + LOG.info("Client provided Base RIM already loaded in database."); + } } catch (IOException ioEx) { LOG.error(ioEx); } diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index 082fd086..bb8f9182 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh 
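Review bot: The Support RIM lookup hashes the wrong payload — `.byHashCode(dv.getSwidfile().hashCode())` in the `hasLogfile()` branch is copied from the Base RIM branch, so the dedup check for `dv.getLogfile()` compares the swidtag's hash and will never match an existing support RIM; it should be `.byHashCode(dv.getLogfile().hashCode())`, and `ByteString.hashCode()` is a 32-bit Java hash that only works as a key if `ReferenceManifest` stores exactly that value, which is not visible here. More fundamentally, both branches persist bytes the provisioner chose as *reference* manifests with no signature or provenance check, so a compromised client can register a RIM whose values match its own tampered measurements, inverting the trust relationship the ACA is supposed to enforce. Persist client-supplied RIMs only after validating the swidtag signature against a trusted RIM signing certificate, or mark them as unverified/client-supplied so appraisal does not treat them as trusted references. `clientName` is built from `getManufacturer()`/`getProductName()`, which are also client-controlled; sanitize them if that name is ever used as a filesystem path. The enclosing method continues outside the hunk.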
@@ -51,7 +51,7 @@ fi if [ -d "$LOG_FILE_LOCATION" ]; then RIM_FILE=$(find "$LOG_FILE_LOCATION" -name '*.rimel' -or -name '*.bin' -or -name '*.rimpcr' -or -name '*.log') - echo "tcg.rim.file=$RIM_FILE" >> "$TCG_BOOT_FILE" + echo "tcg.rim.file=$RIM_FILE" > "$TCG_BOOT_FILE" fi if [ -d "$TAG_FILE_LOCATION" ]; then From 2c97666bb9592fb87072a93b4a50520eb3e0c34b Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 13 Oct 2020 13:51:14 -0400 Subject: [PATCH 8/8] This commit adds code to pull the bios measurements file to the ACA --- .../AbstractAttestationCertificateAuthority.java | 4 ++++ HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto | 1 + HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 2 ++ 3 files changed, 7 insertions(+) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index b3bc65f7..ba8a54b5 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -777,6 +777,10 @@ public abstract class AbstractAttestationCertificateAuthority } } + if (dv.hasLivelog()) { + LOG.error("Live Log Exists"); + } + // Get TPM info, currently unimplemented TPMInfo tpm; try { diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto index 96f3d0e5..af38dbac 100644 --- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto +++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto @@ -60,6 +60,7 @@ message DeviceInfo { optional bytes pcrslist = 5; optional bytes logfile = 6; optional bytes swidfile = 7; + optional bytes livelog = 8; } message IdentityClaim { diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index 03826459..f280c924 100644 
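Review bot: Switching only the `tcg.rim.file` line to `>` makes the file's content depend on directory layout: when `/boot/tcg/manifest/rim/` is absent but `swidtag/` exists, the `tcg.swidtag.file=` line is still appended on every install and the file keeps growing. Truncate once before either block with `: > "$TCG_BOOT_FILE"` and keep both writes as `>>`, so the result is the same regardless of which directories are present.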
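Review bot: `LOG.error("Live Log Exists")` reports a normal, expected condition at ERROR level, which will alert operators on every successful claim; use `LOG.debug` and say what was received, e.g. `LOG.debug("Client provided live TPM event log ({} bytes)", dv.getLivelog().size());`. The live log is received but not used in this commit; a `// TODO: replay the live log against the quoted PCRs and the support RIM` would make the intent explicit for the next reader. The enclosing method continues outside the hunk.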
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp @@ -75,6 +75,8 @@ int provision() { try { dv.set_logfile(hirs::file_utils::fileToString(rim_file)); dv.set_swidfile(hirs::file_utils::fileToString(swid_file)); + dv.set_livelog(hirs::file_utils::fileToString( + "/sys/kernel/security/tpm0/binary_bios_measurements")); } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); }
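Review bot: The live-log read is appended to the same `try` as the RIM and swidtag reads, so a missing or misconfigured RIM file (the first statement) throws before `set_livelog` runs and the measurement log — the one artifact that actually reflects this boot — is silently dropped from the identity claim. Give each read its own `try`/`catch`, skip the property-driven ones when the path is empty, and catch by `const&`; the rewritten lines are below. `/sys/kernel/security/tpm0/binary_bios_measurements` requires securityfs to be mounted and a firmware-exposed event log; the `HirsRuntimeException` path presumably covers an unreadable file, but the logged message should name the path so the operator can tell which of the three reads failed. The enclosing `provision()` continues outside the hunk.
```cpp
// … unchanged: props / rim_file / swid_file lookup …
if (!rim_file.empty()) {
    try {
        dv.set_logfile(hirs::file_utils::fileToString(rim_file));
    } catch (const HirsRuntimeException& ex) {
        logger.error("Unable to read RIM file " + rim_file + ": " + ex.what());
    }
}
if (!swid_file.empty()) {
    try {
        dv.set_swidfile(hirs::file_utils::fileToString(swid_file));
    } catch (const HirsRuntimeException& ex) {
        logger.error("Unable to read swidtag file " + swid_file + ": " + ex.what());
    }
}
// The live event log is the measurement evidence the ACA replays against the
// quoted PCRs, so it must not be skipped because a RIM is missing.
const std::string live_log = "/sys/kernel/security/tpm0/binary_bios_measurements";
try {
    dv.set_livelog(hirs::file_utils::fileToString(live_log));
} catch (const HirsRuntimeException& ex) {
    logger.error("Unable to read TPM event log " + live_log + ": " + ex.what());
}
```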