From 9d837f9b4d56ef35d1ff2e129f7f41061c5c28f3 Mon Sep 17 00:00:00 2001
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com>
Date: Mon, 8 Jul 2024 14:46:59 -0400
Subject: [PATCH] updated comments for DeviceSecurityEvent files, started processing of new data structure

---
 .../eventlog/events/DeviceSecurityEvent.java | 19 ++------
 .../events/EvEfiSpdmDeviceSecurityEvent.java | 3 --
 .../utils/tpm/eventlog/events/EvNoAction.java | 2 +
 .../events/NvIndexInstanceEventLogData.java | 47 +++++++++++++++++++
 4 files changed, 53 insertions(+), 18 deletions(-)
 create mode 100644 HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java

diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java
index 49cf9555..161f7a7a 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java
@@ -7,7 +7,6 @@ import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TY
 import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TYPE_PCI;
 import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TYPE_USB;
-
 /**
  * Abstract base class to process the DEVICE_SECURITY_EVENT_DATA or ..DATA2 event.
  * Parses event data per PFP v1.06 Rev52 Tables 20 and 26.
@@ -17,10 +16,10 @@ import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TY
  * The first 2 fields of the respective headers are the same in both ..DATA and ..DATA2.
  * Field 1:
  * The first 16 bytes of the event data header MUST be a String based identifier (Signature),
- * NUL-terminated, per PFP. The only currently defined Signature is "SPDM Device Sec", which
- * implies the data is a DEVICE_SECURITY_EVENT_DATA or ..DATA2.
+ * per PFP. The only currently defined Signatures are "SPDM Device Sec" and "SPDM Device Sec2",
+ * which implies the data is a DEVICE_SECURITY_EVENT_DATA or ..DATA2, respectively.
  * Field 2:
- * The Version field indicates whether the Device Security Event is ..DATA or ..DATA2.
+ * The Version field also indicates whether the Device Security Event is ..DATA or ..DATA2.
  *
  * DEVICE SECURITY EVENT structures defined by PFP v1.06 Rev 52:
  *
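Review bot: The rewritten Field 1 text drops "NUL-terminated" without saying why, and the reason is exactly what a parser author needs: "SPDM Device Sec2" occupies all 16 signature bytes and so has no terminator, whereas the 15-character "SPDM Device Sec" presumably does (the removed text said so), and a prefix or substring match on "SPDM Device Sec" would accept both signatures. Suggest stating it, e.g. `* per PFP. The defined Signatures are "SPDM Device Sec" (15 bytes + NUL) and "SPDM Device Sec2" (all 16 bytes);` `* distinguish them with an exact 16-byte compare, never a prefix or substring match.` Also `which implies` should read `which imply` now that the subject is the plural Signatures.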
@@ -39,19 +38,9 @@ import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TY
  *      UINT8                           Signature[16];
  *      UINT16                          Version;
  *      ...                             ...
+ *      (The rest of the components are different for HEADER vs HEADER2)
  * }
  *
- * Notes:
- *      1. Has an EventType of EV_EFI_SPDM_FIRMWARE_BLOB (0x800000E1)
- *      2. Event content defined as DEVICE_SECURITY_EVENT_DATA Struct.
- *      3. First 16 bytes of the structure header is an ASCII "SPDM Device Sec"
- *
- * Only a few of the Device Security Event Data events have been implemented as there are many,
- * but only those that were reported using the test devices at hand.
- * Without test patterns, the processing may lead to an un-handled exception.
- * For now, the only test pattern uses ..DeviceContext with PCI only, without USB -> assume only 1
- * even though the spec says both are in the data structure. If it is only 1, though, there's no
- * method to tell them apart.
  */
 public abstract class DeviceSecurityEvent {
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java
index 8da93b23..f686e560 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java
@@ -2,10 +2,7 @@ package hirs.utils.tpm.eventlog.events;
 import hirs.utils.HexUtils;
 import hirs.utils.tpm.eventlog.uefi.UefiConstants;
-import lombok.Getter;
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
 import java.nio.charset.StandardCharsets;
 /**
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java
index 2b058187..3da56ae0 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java
@@ -48,6 +48,8 @@ public class EvNoAction {
         if (signature.contains("Spec ID Event03")) { // implies CryptAgileFormat
             specIDEvent = new EvEfiSpecIdEvent(eventData);
             bSpecIDEvent = true;
+        } else if (signature.contains("NvIndexInstance")) {
+            System.out.println("XXXX Nv Index Instance");
         }
     }
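Review bot: The deleted Notes paragraph was the only warning that untested device-context layouts (USB alongside PCI, or event shapes not seen on the test devices) may end in an unhandled exception, and nothing in this patch touches the parsing code that caveat described, so the limitation looks undocumented rather than fixed. If the restriction still holds in the parser (outside this hunk), keep a shortened form in the class Javadoc, e.g. `* NOTE: only DEVICE_SECURITY_EVENT_DATA with a single PCI DeviceContext has been exercised against real logs;` `* other layouts (USB, DATA2 sub-headers) are parsed best-effort and may fail on unexpected input.` If the limitation was lifted in another commit, a one-line pointer to it would be enough. The hunk covers only the class Javadoc; the class body lies outside it.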
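Review bot: The new `NvIndexInstance` branch writes `System.out.println("XXXX Nv Index Instance")` directly to stdout, a debug placeholder left in library code: it surfaces in whatever process embeds the parser, bypasses whatever logging the project uses, and the freshly added `NvIndexInstanceEventLogData` class is never constructed here, so the event is still effectively unparsed. Until the parser exists, replace the print with a TODO (and a logger call if `EvNoAction` has one), e.g. `} else if (signature.contains("NvIndexInstance")) {` `// TODO: parse NV_INDEX_INSTANCE_EVENT_LOG_DATA via NvIndexInstanceEventLogData` `}`. The `contains` check mirrors the existing "Spec ID Event03" branch, but an exact compare of the 16-byte signature would be the safer pattern for both, since substring matching lets a crafted or truncated signature select the wrong parser. The enclosing method (presumably the constructor) starts before this hunk.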
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java
new file mode 100644
index 00000000..295fb119
--- /dev/null
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java
@@ -0,0 +1,47 @@
+package hirs.utils.tpm.eventlog.events;
+
+
+/**
+ * Class to process the NV_INDEX_INSTANCE_EVENT_LOG_DATA per PFP.
+ * The first 16 bytes of the event data header are a String based identifier (Signature),
+ * NUL-terminated, per PFP. The only currently defined Signature is "SPDM Device Sec",
+ * which implies the data is a DEVICE_SECURITY_EVENT_DATA or ..DATA2.
+ *
+ * HEADERS defined by PFP v1.06 Rev 52.
+ * Certain fields are common to both ..HEADER and ..HEADER2, and are noted below the structures.
+ *
+ * typedef struct tdDEVICE_SECURITY_EVENT_DATA_HEADER {
+ *      UINT8                           Signature[16];
+ *      UINT16                          Version;
+ *      UINT16                          Length;
+ *      UINT32                          SpdmHashAlg;
+ *      UINT32                          DeviceType;
+ *      SPDM_MEASUREMENT_BLOCK          SpdmMeasurementBlock;
+ *      UINT64                          DevicePathLength;
+ *      UNIT8                           DevicePath[DevicePathLength]
+ * } DEVICE_SECURITY_EVENT_DATA_HEADER;
+ *
+ * typedef struct tdDEVICE_SECURITY_EVENT_DATA_HEADER2 { - NOT IMPLEMENTED YET
+ *      UINT8                           Signature[16];
+ *      UINT16                          Version;
+ *      UINT8                           AuthState;
+ *      UINT8                           Reserved;
+ *      UINT32                          Length;
+ *      UINT32                          DeviceType;
+ *      UINT32                          SubHeaderType;
+ *      UINT32                          SubHeaderLength;
+ *      UINT32                          SubHeaderUID;
+ *      UINT64                          DevicePathLength;
+ *      UNIT8                           DevicePath[DevicePathLength]
+ * } DEVICE_SECURITY_EVENT_DATA_HEADER2;
+ *
+ * Fields common to both ..HEADER and ..HEADER2:
+ *      Signature
+ *      Version
+ *      DeviceType
+ *      DevicePathLength
+ *      DevicePath
+ *
+ */
+public class NvIndexInstanceEventLogData {
+}
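Review bot: The Javadoc on the new `NvIndexInstanceEventLogData` class documents the wrong structure: after its first sentence it says the only defined Signature is "SPDM Device Sec" implying a DEVICE_SECURITY_EVENT_DATA, and then lists DEVICE_SECURITY_EVENT_DATA_HEADER and HEADER2, although the class name and the "NvIndexInstance" dispatch key in `EvNoAction` are about NV_INDEX_INSTANCE_EVENT_LOG_DATA, so the text appears copied from `DeviceSecurityEvent`. Whoever fills in this empty class from the comment would parse the wrong layout; either cut the Javadoc back to its first sentence plus `* TODO: document the NV_INDEX_INSTANCE_EVENT_LOG_DATA layout (signature, fields, sizes) per PFP v1.06 Rev 52` until the structure is implemented, or replace the two struct listings with the NV index structure. The two `UNIT8 DevicePath[DevicePathLength]` lines are also typos for `UINT8` and lack the trailing semicolon the other fields have.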