updated comments for DeviceSecurityEvent files, started processing of new data structure

HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java

@@ -7,7 +7,6 @@ import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TY
 import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TYPE_PCI;
 import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TYPE_USB;
 
-
 /**
  * Abstract base class to process the DEVICE_SECURITY_EVENT_DATA or ..DATA2 event.
  * Parses event data per PFP v1.06 Rev52 Tables 20 and 26.
@@ -17,10 +16,10 @@ import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TY
  * The first 2 fields of the respective headers are the same in both ..DATA and ..DATA2.
  * Field 1:
  *    The first 16 bytes of the event data header MUST be a String based identifier (Signature),
- *    NUL-terminated, per PFP. The only currently defined Signature is "SPDM Device Sec", which
+ *    per PFP. The only currently defined Signatures are "SPDM Device Sec" and "SPDM Device Sec2",
- *    implies the data is a DEVICE_SECURITY_EVENT_DATA or ..DATA2.
+ *    which implies the data is a DEVICE_SECURITY_EVENT_DATA or ..DATA2, respectively.
  * Field 2:
- *    The Version field indicates whether the Device Security Event is ..DATA or ..DATA2.
+ *    The Version field also indicates whether the Device Security Event is ..DATA or ..DATA2.
  *
  * DEVICE SECURITY EVENT structures defined by PFP v1.06 Rev 52:
  * <p>
@@ -39,19 +38,9 @@ import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TY
  *      UINT8                           Signature[16];
  *      UINT16                          Version;
  *      ...                             ...
+ *      (The rest of the components are different for HEADER vs HEADER2)
  * }
  * <p>
- * Notes:
- * 1. Has an EventType of EV_EFI_SPDM_FIRMWARE_BLOB (0x800000E1)
- * 2. Event content defined as DEVICE_SECURITY_EVENT_DATA Struct.
- * 3. First 16 bytes of the structure header is an ASCII "SPDM Device Sec"
- * <p>
- * Only a few of the Device Security Event Data events have been implemented as there are many,
- * but only those that were reported using the test devices at hand.
- * Without test patterns, the processing may lead to an un-handled exception.
- * For now, the only test pattern uses ..DeviceContext with PCI only, without USB -> assume only 1
- * even though the spec says both are in the data structure. If it is only 1, though, there's no
- * method to tell them apart.
  */
 public abstract class DeviceSecurityEvent {
 

HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java

@@ -2,10 +2,7 @@ package hirs.utils.tpm.eventlog.events;
 
 import hirs.utils.HexUtils;
 import hirs.utils.tpm.eventlog.uefi.UefiConstants;
-import lombok.Getter;
 
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
 import java.nio.charset.StandardCharsets;
 
 /**

HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java

@@ -48,6 +48,8 @@ public class EvNoAction {
         if (signature.contains("Spec ID Event03")) {      // implies CryptAgileFormat
             specIDEvent = new EvEfiSpecIdEvent(eventData);
             bSpecIDEvent = true;
+        } else if (signature.contains("NvIndexInstance")) {
+            System.out.println("XXXX Nv Index Instance");
         }
     }
 

HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java

@@ -0,0 +1,47 @@
+package hirs.utils.tpm.eventlog.events;
+
+
+/**
+ * Class to process the NV_INDEX_INSTANCE_EVENT_LOG_DATA per PFP.
+ * The first 16 bytes of the event data header are a String based identifier (Signature),
+ * NUL-terminated, per PFP. The only currently defined Signature is "SPDM Device Sec",
+ * which implies the data is a DEVICE_SECURITY_EVENT_DATA or ..DATA2.
+ *
+ * HEADERS defined by PFP v1.06 Rev 52.
+ * Certain fields are common to both ..HEADER and ..HEADER2, and are noted below the structures.
+ * <p>
+ * typedef struct tdDEVICE_SECURITY_EVENT_DATA_HEADER {
+ *      UINT8                           Signature[16];
+ *      UINT16                          Version;
+ *      UINT16                          Length;
+ *      UINT32                          SpdmHashAlg;
+ *      UINT32                          DeviceType;
+ *      SPDM_MEASUREMENT_BLOCK          SpdmMeasurementBlock;
+ *      UINT64                          DevicePathLength;
+ *      UNIT8                           DevicePath[DevicePathLength]
+ * } DEVICE_SECURITY_EVENT_DATA_HEADER;
+ * <p>
+ * typedef struct tdDEVICE_SECURITY_EVENT_DATA_HEADER2 {        - NOT IMPLEMENTED YET
+ *      UINT8                           Signature[16];
+ *      UINT16                          Version;
+ *      UINT8                           AuthState;
+ *      UINT8                           Reserved;
+ *      UINT32                          Length;
+ *      UINT32                          DeviceType;
+ *      UINT32                          SubHeaderType;
+ *      UINT32                          SubHeaderLength;
+ *      UINT32                          SubHeaderUID;
+ *      UINT64                          DevicePathLength;
+ *      UNIT8                           DevicePath[DevicePathLength]
+ * } DEVICE_SECURITY_EVENT_DATA_HEADER2;
+ * <p>
+ * Fields common to both ..HEADER and ..HEADER2:
+ *    Signature
+ *    Version
+ *    DeviceType
+ *    DevicePathLength
+ *    DevicePath
+ * <p>
+ */
+public class NvIndexInstanceEventLogData {
+}