diff --git a/.ci/docker/docker-compose.yml b/.ci/docker/docker-compose.yml index b5ae6717..3f2805a4 100644 --- a/.ci/docker/docker-compose.yml +++ b/.ci/docker/docker-compose.yml @@ -25,13 +25,8 @@ services: volumes: - ../../:/HIRS entrypoint: /bin/bash -c - command: [yum list installed|grep paccor; - yum info dmidecode; - dmidecode -u; - lshw -c disk -numeric; - lshw -c display -numeric; - lshw -c network -numeric; - HIRS/.ci/setup/setup-tpmprovisioner.sh] + command: [HIRS/.ci/setup/setup-tpmprovisioner.sh; + HIRS/.ci/system-tests/systems-test-centos7-tpm1-2.sh] devices: - "/dev/mem:/dev/mem" cap_add: diff --git a/.ci/setup/setup-tpm2provisioner-base-delta-bad.sh b/.ci/setup/setup-tpm2provisioner-base-delta-bad.sh index 3563aed6..c2f4cad2 100755 --- a/.ci/setup/setup-tpm2provisioner-base-delta-bad.sh +++ b/.ci/setup/setup-tpm2provisioner-base-delta-bad.sh @@ -10,150 +10,150 @@ until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}: done echo "ACA is up!" -# Function to install TPM2 Provisioner packages. +# Function to install TPM 2.0 Provisioner packages function InstallProvisioner { - echo "===========Installing TPM2 Provisioner Packages...===========" + echo "===========Installing TPM 2.0 Provisioner Packages...===========" - pushd /HIRS - if [ ! -d package/rpm/RPMS ]; then - ./package/package.centos.sh - fi - yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm - popd + pushd /HIRS + if [ ! -d package/rpm/RPMS ]; then + ./package/package.centos.sh + fi + yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm + popd } -# Function to initialize the TPM2 Emulator with a bad base certificate +# Function to initialize the TPM 2.0 Emulator with a bad base certificate function InitTpm2Emulator { - echo "===========Initializing TPM2 Emulator with bad base certificate...===========" + echo "===========Initializing TPM 2.0 Emulator with bad base certificate...===========" - mkdir -p /var/run/dbus - if [ -e /var/run/dbus/pid ]; then - rm /var/run/dbus/pid - fi + mkdir -p /var/run/dbus + if [ -e /var/run/dbus/pid ]; then + rm /var/run/dbus/pid + fi - if [ -e /var/run/dbus/system_bus_socket ]; then - rm /var/run/dbus/system_bus_socket - fi + if [ -e /var/run/dbus/system_bus_socket ]; then + rm /var/run/dbus/system_bus_socket + fi - # Start the DBus - dbus-daemon --fork --system - echo "DBus started" + # Start the DBus + dbus-daemon --fork --system + echo "DBus started" - # Give DBus time to start up - sleep 5 + # Give DBus time to start up + sleep 5 - /ibmtpm/src/./tpm_server & - echo "TPM Emulator started" + /ibmtpm/src/./tpm_server & + echo "TPM Emulator started" - # Give tpm_server time to start and register on the DBus - sleep 5 + # Give tpm_server time to start and register on the DBus + sleep 5 - tpm2-abrmd -t socket & - echo "TPM2-Abrmd started" + tpm2-abrmd -t socket & + echo "TPM2-Abrmd started" - # Give ABRMD time to start and register on the DBus - sleep 5 + # Give ABRMD time to start and register on the DBus + sleep 5 - # Certificates - ek_cert="/HIRS/.ci/setup/certs/ek_cert.der" - ca_key="/HIRS/.ci/setup/certs/ca.key" - ca_cert="/HIRS/.ci/setup/certs/ca.crt" - platform_cert="PBaseCertB.der" - si_delta_cert_B1="SIDeltaCertB1.der" - var_delta_cert_B1="VARDeltaCertB1.der" + # Certificates + ek_cert="/HIRS/.ci/setup/certs/ek_cert.der" + ca_key="/HIRS/.ci/setup/certs/ca.key" + ca_cert="/HIRS/.ci/setup/certs/ca.crt" + platform_cert="PBaseCertB.der" + si_delta_cert_B1="SIDeltaCertB1.der" + var_delta_cert_B1="VARDeltaCertB1.der" - # PACCOR directory - PC_DIR=/var/hirs/pc_generation - mkdir -p $PC_DIR + # PACCOR directory + PC_DIR=/var/hirs/pc_generation + mkdir -p $PC_DIR - echo "Running PACCOR to generate local component information..." - # Use specific PACCOR script for system testing. - # Will provide default component SN#s when needed. - cp -f /opt/paccor/scripts/allcomponents_hirs_system_tests.sh /opt/paccor/scripts/allcomponents.sh - /opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile - echo + echo "Running PACCOR to generate local component information..." + # Use specific PACCOR script for system testing. + # Will provide default component SN#s when needed. + cp -f /opt/paccor/scripts/allcomponents_hirs_system_tests.sh /opt/paccor/scripts/allcomponents.sh + /opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile + echo - # Add faulty component JSON files needed to generate the certificates - python /HIRS/.ci/setup/addFaultyComponentsForPBaseCertB.py - echo + # Add faulty component JSON files needed to generate the certificates + python /HIRS/.ci/setup/addFaultyComponentsForPBaseCertB.py + echo - # Generate certificates in the order they'll be used in the system tests. - # And stager the begin dates properly (the -b option for the /opt/paccor/bin/signer) + # Generate certificates in the order they'll be used in the system tests. + # And stager the begin dates properly (the -b option for the /opt/paccor/bin/signer) - # Generate the bad base certificate - echo "Generating certificates..." - echo "Generating $platform_cert..." - /opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile - /opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile - /opt/paccor/bin/observer -c $PC_DIR/PBaseCertB.componentlist.json -p $PC_DIR/optionsFile -e $ek_cert -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/PBaseCertB.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -f $PC_DIR/$platform_cert - echo "Done" + # Generate the bad base certificate + echo "Generating certificates..." + echo "Generating $platform_cert..." + /opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile + /opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile + /opt/paccor/bin/observer -c $PC_DIR/PBaseCertB.componentlist.json -p $PC_DIR/optionsFile -e $ek_cert -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/PBaseCertB.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -f $PC_DIR/$platform_cert + echo "Done" - # Create good delta component and create SIDeltaCertB1.componentlist.json - python /HIRS/.ci/setup/createDeltaComponentsForPBaseCertB.py - echo + # Create good delta component and create SIDeltaCertB1.componentlist.json + python /HIRS/.ci/setup/createDeltaComponentsForPBaseCertB.py + echo - # Generate the SIDeltaCertB1certificate - echo "Generating $si_delta_cert_B1..." - rm -f $PC_DIR/observerFile - /opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertB1.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$platform_cert -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertB1.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180201 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$platform_cert -f $PC_DIR/$si_delta_cert_B1 - echo "Done" + # Generate the SIDeltaCertB1certificate + echo "Generating $si_delta_cert_B1..." + rm -f $PC_DIR/observerFile + /opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertB1.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$platform_cert -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertB1.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180201 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$platform_cert -f $PC_DIR/$si_delta_cert_B1 + echo "Done" - # Generate the VARDeltaCertB1 certificate - echo "Generating $var_delta_cert_B1..." - rm -f $PC_DIR/observerFile - /opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertB1.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$platform_cert -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertB1.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180301 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$platform_cert -f $PC_DIR/$var_delta_cert_B1 - echo "Done" + # Generate the VARDeltaCertB1 certificate + echo "Generating $var_delta_cert_B1..." + rm -f $PC_DIR/observerFile + /opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertB1.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$platform_cert -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertB1.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180301 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$platform_cert -f $PC_DIR/$var_delta_cert_B1 + echo "Done" - # Release EK nvram - if tpm2_nvlist | grep -q 0x1c00002; then - echo "Released NVRAM for EK." - tpm2_nvrelease -x 0x1c00002 -a 0x40000001 - fi + # Release EK nvram + if tpm2_nvlist | grep -q 0x1c00002; then + echo "Released NVRAM for EK." + tpm2_nvrelease -x 0x1c00002 -a 0x40000001 + fi - # Define nvram space to enable loading of EK cert (-x NV Index, -a handle to - # authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t - # specifies attribute value in publicInfo struct - # [0x2000A = ownerread|ownerwrite|policywrite]) - size=$(cat $ek_cert | wc -c) - echo "Define NVRAM location for EK cert of size $size." - tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size + # Define nvram space to enable loading of EK cert (-x NV Index, -a handle to + # authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t + # specifies attribute value in publicInfo struct + # [0x2000A = ownerread|ownerwrite|policywrite]) + size=$(cat $ek_cert | wc -c) + echo "Define NVRAM location for EK cert of size $size." + tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size - # Load key into TPM nvram - echo "Loading EK cert $ek_cert into NVRAM." - tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert + # Load key into TPM nvram + echo "Loading EK cert $ek_cert into NVRAM." + tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert - # Release PC nvram - if tpm2_nvlist | grep -q 0x1c90000; then - echo "Released NVRAM for PC." - tpm2_nvrelease -x 0x1c90000 -a 0x40000001 - fi + # Release PC nvram + if tpm2_nvlist | grep -q 0x1c90000; then + echo "Released NVRAM for PC." + tpm2_nvrelease -x 0x1c90000 -a 0x40000001 + fi - # Store the platform certificate in the TPM's NVRAM - size=$(cat $PC_DIR/$platform_cert | wc -c) - echo "Define NVRAM location for PC cert of size $size." - tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $size + # Store the platform certificate in the TPM's NVRAM + size=$(cat $PC_DIR/$platform_cert | wc -c) + echo "Define NVRAM location for PC cert of size $size." + tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $size - echo "Loading PC cert $PC_DIR/$platform_cert into NVRAM." - tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$platform_cert + echo "Loading PC cert $PC_DIR/$platform_cert into NVRAM." + tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$platform_cert - echo "===========TPM2 Emulator Initialization Complete!===========" + echo "===========TPM 2.0 Emulator Initialization Complete!===========" - # Set Logging to INFO Level - sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini + # Set Logging to INFO Level + sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini } # Function to update the hirs-site.config file function UpdateHirsSiteConfigFile { - HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config" + HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config" - echo "" - echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...===========" - cat /HIRS/.ci/docker/.env + echo "" + echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...===========" + cat /HIRS/.ci/docker/.env - cat < $HIRS_SITE_CONFIG + cat < $HIRS_SITE_CONFIG #******************************************* #* HIRS site configuration properties file #******************************************* @@ -171,22 +171,22 @@ PORTAL_PORT=${HIRS_ACA_PORTAL_PORT} DEFAULT_SITE_CONFIG_FILE - echo "===========New HIRS Config File===========" - cat /etc/hirs/hirs-site.config + echo "===========New HIRS Config File===========" + cat /etc/hirs/hirs-site.config } # Install packages InstallProvisioner -# Install TPM2 Emulator +# Install TPM 2.0 Emulator InitTpm2Emulator # Update the hirs-site.config file UpdateHirsSiteConfigFile echo "" -echo "TPM2 Emulator NV RAM list" +echo "TPM 2.0 Emulator NV RAM list" tpm2_nvlist echo "" -echo "===========HIRS ACA TPM2 Provisioner Setup Complete!===========" +echo "===========HIRS ACA TPM 2.0 Provisioner Setup Complete!===========" diff --git a/.ci/setup/setup-tpm2provisioner-base-delta-good.sh b/.ci/setup/setup-tpm2provisioner-base-delta-good.sh index 1f34033a..b0fe9cdf 100755 --- a/.ci/setup/setup-tpm2provisioner-base-delta-good.sh +++ b/.ci/setup/setup-tpm2provisioner-base-delta-good.sh @@ -10,189 +10,189 @@ until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}: done echo "ACA is up!" -# Function to install TPM2 Provisioner packages. +# Function to install TPM 2.0 Provisioner packages function InstallProvisioner { - echo "===========Installing TPM2 Provisioner Packages...===========" + echo "===========Installing TPM 2.0 Provisioner Packages...===========" - pushd /HIRS - if [ ! -d package/rpm/RPMS ]; then - ./package/package.centos.sh - fi - yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm - popd + pushd /HIRS + if [ ! -d package/rpm/RPMS ]; then + ./package/package.centos.sh + fi + yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm + popd } -# Function to initialize the TPM2 Emulator with a good base certificate +# Function to initialize the TPM 2.0 Emulator with a good base certificate function InitTpm2Emulator { - echo "===========Initializing TPM2 Emulator with good base certificate...===========" + echo "===========Initializing TPM 2.0 Emulator with good base certificate...===========" - mkdir -p /var/run/dbus - if [ -e /var/run/dbus/pid ]; then - rm /var/run/dbus/pid - fi + mkdir -p /var/run/dbus + if [ -e /var/run/dbus/pid ]; then + rm /var/run/dbus/pid + fi - if [ -e /var/run/dbus/system_bus_socket ]; then - rm /var/run/dbus/system_bus_socket - fi + if [ -e /var/run/dbus/system_bus_socket ]; then + rm /var/run/dbus/system_bus_socket + fi - # Start the DBus - dbus-daemon --fork --system - echo "DBus started" + # Start the DBus + dbus-daemon --fork --system + echo "DBus started" - # Give DBus time to start up - sleep 5 + # Give DBus time to start up + sleep 5 - /ibmtpm/src/./tpm_server & - echo "TPM Emulator started" + /ibmtpm/src/./tpm_server & + echo "TPM Emulator started" - # Give tpm_server time to start and register on the DBus - sleep 5 + # Give tpm_server time to start and register on the DBus + sleep 5 - tpm2-abrmd -t socket & - echo "TPM2-Abrmd started" + tpm2-abrmd -t socket & + echo "TPM2-Abrmd started" - # Give ABRMD time to start and register on the DBus - sleep 5 + # Give ABRMD time to start and register on the DBus + sleep 5 - # Certificates - ek_cert="/HIRS/.ci/setup/certs/ek_cert.der" - ca_key="/HIRS/.ci/setup/certs/ca.key" - ca_cert="/HIRS/.ci/setup/certs/ca.crt" - pBase_certA="PBaseCertA.der" - pBase_certB="PBaseCertB.der" - si_delta_cert_A1="SIDeltaCertA1.der" - si_delta_cert_A2="SIDeltaCertA2.der" - si_delta_cert_A2_resolved="SIDeltaCertA2_resolved.der" - si_delta_cert_A3="SIDeltaCertA3.der" - var_delta_cert_A1="VARDeltaCertA1.der" - var_delta_cert_A2="VARDeltaCertA2.der" - var_delta_cert_A2_resolved="VARDeltaCertA2_resolved.der" + # Certificates + ek_cert="/HIRS/.ci/setup/certs/ek_cert.der" + ca_key="/HIRS/.ci/setup/certs/ca.key" + ca_cert="/HIRS/.ci/setup/certs/ca.crt" + pBase_certA="PBaseCertA.der" + pBase_certB="PBaseCertB.der" + si_delta_cert_A1="SIDeltaCertA1.der" + si_delta_cert_A2="SIDeltaCertA2.der" + si_delta_cert_A2_resolved="SIDeltaCertA2_resolved.der" + si_delta_cert_A3="SIDeltaCertA3.der" + var_delta_cert_A1="VARDeltaCertA1.der" + var_delta_cert_A2="VARDeltaCertA2.der" + var_delta_cert_A2_resolved="VARDeltaCertA2_resolved.der" - # PACCOR directory - PC_DIR=/var/hirs/pc_generation - mkdir -p $PC_DIR + # PACCOR directory + PC_DIR=/var/hirs/pc_generation + mkdir -p $PC_DIR - echo "Running PACCOR to generate local component information..." - # Use specific PACCOR script for system testing. - # Will provide default component SN#s when needed. - cp -f /opt/paccor/scripts/allcomponents_hirs_system_tests.sh /opt/paccor/scripts/allcomponents.sh - /opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile + echo "Running PACCOR to generate local component information..." + # Use specific PACCOR script for system testing. + # Will provide default component SN#s when needed. + cp -f /opt/paccor/scripts/allcomponents_hirs_system_tests.sh /opt/paccor/scripts/allcomponents.sh + /opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile - # Split into JSON files needed to generate the certificates - python /HIRS/.ci/setup/createDeltaComponentsForPBaseCertA.py - echo + # Split into JSON files needed to generate the certificates + python /HIRS/.ci/setup/createDeltaComponentsForPBaseCertA.py + echo - # Generate certificates in the order they'll be used in the system tests. - # And stager the begin dates properly (the -b option for the /opt/paccor/bin/signer) - echo "Generating certificates..." - echo "Generating $pBase_certA..." - /opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile - /opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile - /opt/paccor/bin/observer -c $PC_DIR/PBaseCertA.componentlist.json -p $PC_DIR/optionsFile -e $ek_cert -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/PBaseCertA.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -f $PC_DIR/$pBase_certA - echo "Done" + # Generate certificates in the order they'll be used in the system tests. + # And stager the begin dates properly (the -b option for the /opt/paccor/bin/signer) + echo "Generating certificates..." + echo "Generating $pBase_certA..." + /opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile + /opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile + /opt/paccor/bin/observer -c $PC_DIR/PBaseCertA.componentlist.json -p $PC_DIR/optionsFile -e $ek_cert -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/PBaseCertA.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -f $PC_DIR/$pBase_certA + echo "Done" - # Generate the PBaseCertB certificate. Just need to copy from PBaseCertA. - echo "Generating $pBase_certB..." - cp $PC_DIR/$pBase_certA $PC_DIR/$pBase_certB - echo "Done" + # Generate the PBaseCertB certificate. Just need to copy from PBaseCertA. + echo "Generating $pBase_certB..." + cp $PC_DIR/$pBase_certA $PC_DIR/$pBase_certB + echo "Done" - # Generate the SIDeltaCertA1 certificate - echo "Generating $si_delta_cert_A1, using $pBase_certA..." - rm -f $PC_DIR/observerFile - /opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA1.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA1.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180201 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$si_delta_cert_A1 - echo "Done" + # Generate the SIDeltaCertA1 certificate + echo "Generating $si_delta_cert_A1, using $pBase_certA..." + rm -f $PC_DIR/observerFile + /opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA1.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA1.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180201 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$si_delta_cert_A1 + echo "Done" - # Generate the VARDeltaCertA1 certificate - echo "Generating $var_delta_cert_A1, using $pBase_certA..." - rm -f $PC_DIR/observerFile - /opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertA1.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertA1.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180301 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$var_delta_cert_A1 - echo "Done" + # Generate the VARDeltaCertA1 certificate + echo "Generating $var_delta_cert_A1, using $pBase_certA..." + rm -f $PC_DIR/observerFile + /opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertA1.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertA1.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180301 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$var_delta_cert_A1 + echo "Done" - # Generate the SIDeltaCertA2 certificate - echo "Generating $si_delta_cert_A2, using $pBase_certA..." - rm -f $PC_DIR/observerFile - /opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA2.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA2.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180401 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$si_delta_cert_A2 - echo "Done" + # Generate the SIDeltaCertA2 certificate + echo "Generating $si_delta_cert_A2, using $pBase_certA..." + rm -f $PC_DIR/observerFile + /opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA2.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA2.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180401 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$si_delta_cert_A2 + echo "Done" - # Generate the SIDeltaCertA2_resolved certificate - echo "Generating $si_delta_cert_A2_resolved, using $pBase_certA..." - rm -f $PC_DIR/observerFile - /opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA2.resolved.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA2.resolved.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180501 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$si_delta_cert_A2_resolved - echo "Done" + # Generate the SIDeltaCertA2_resolved certificate + echo "Generating $si_delta_cert_A2_resolved, using $pBase_certA..." + rm -f $PC_DIR/observerFile + /opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA2.resolved.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA2.resolved.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180501 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$si_delta_cert_A2_resolved + echo "Done" - # Generate the VARDeltaCertA2 certificate - echo "Generating $var_delta_cert_A2, using $pBase_certA..." - rm -f $PC_DIR/observerFile - /opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertA2.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertA2.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180601 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$var_delta_cert_A2 - echo "Done" + # Generate the VARDeltaCertA2 certificate + echo "Generating $var_delta_cert_A2, using $pBase_certA..." + rm -f $PC_DIR/observerFile + /opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertA2.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertA2.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180601 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$var_delta_cert_A2 + echo "Done" - # Generate the VARDeltaCertA2_resolved certificate - echo "Generating $var_delta_cert_A2_resolved, using $pBase_certA..." - rm -f $PC_DIR/observerFile - /opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertA2.resolved.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertA2.resolved.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180701 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$var_delta_cert_A2_resolved - echo "Done" + # Generate the VARDeltaCertA2_resolved certificate + echo "Generating $var_delta_cert_A2_resolved, using $pBase_certA..." + rm -f $PC_DIR/observerFile + /opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertA2.resolved.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertA2.resolved.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180701 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$var_delta_cert_A2_resolved + echo "Done" - # Generate the SIDeltaCertA3 certificate - echo "Generating $si_delta_cert_A3, using $si_delta_cert_A1 as Base..." - rm -f $PC_DIR/observerFile - /opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA3.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$si_delta_cert_A1 -f $PC_DIR/observerFile - /opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA3.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180801 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$si_delta_cert_A1 -f $PC_DIR/$si_delta_cert_A3 - echo "Done" + # Generate the SIDeltaCertA3 certificate + echo "Generating $si_delta_cert_A3, using $si_delta_cert_A1 as Base..." + rm -f $PC_DIR/observerFile + /opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA3.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$si_delta_cert_A1 -f $PC_DIR/observerFile + /opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA3.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180801 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$si_delta_cert_A1 -f $PC_DIR/$si_delta_cert_A3 + echo "Done" - # Release EK nvram - if tpm2_nvlist | grep -q 0x1c00002; then - echo "Released NVRAM for EK." - tpm2_nvrelease -x 0x1c00002 -a 0x40000001 - fi + # Release EK nvram + if tpm2_nvlist | grep -q 0x1c00002; then + echo "Released NVRAM for EK." + tpm2_nvrelease -x 0x1c00002 -a 0x40000001 + fi - # Define nvram space to enable loading of EK cert (-x NV Index, -a handle to - # authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t - # specifies attribute value in publicInfo struct - # [0x2000A = ownerread|ownerwrite|policywrite]) - size=$(cat $ek_cert | wc -c) - echo "Define NVRAM location for EK cert of size $size." - tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size + # Define nvram space to enable loading of EK cert (-x NV Index, -a handle to + # authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t + # specifies attribute value in publicInfo struct + # [0x2000A = ownerread|ownerwrite|policywrite]) + size=$(cat $ek_cert | wc -c) + echo "Define NVRAM location for EK cert of size $size." + tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size - # Load key into TPM nvram - echo "Loading EK cert $ek_cert into NVRAM." - tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert + # Load key into TPM nvram + echo "Loading EK cert $ek_cert into NVRAM." + tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert - # Release PC nvram - if tpm2_nvlist | grep -q 0x1c90000; then - echo "Released NVRAM for PC." - tpm2_nvrelease -x 0x1c90000 -a 0x40000001 - fi + # Release PC nvram + if tpm2_nvlist | grep -q 0x1c90000; then + echo "Released NVRAM for PC." + tpm2_nvrelease -x 0x1c90000 -a 0x40000001 + fi - # Store the platform certificate in the TPM's NVRAM - size=$(cat $PC_DIR/$pBase_certA | wc -c) - echo "Define NVRAM location for PC cert of size $size." - tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $size + # Store the platform certificate in the TPM's NVRAM + size=$(cat $PC_DIR/$pBase_certA | wc -c) + echo "Define NVRAM location for PC cert of size $size." + tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $size - echo "Loading PC cert $PC_DIR/$pBase_certA into NVRAM." - tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$pBase_certA + echo "Loading PC cert $PC_DIR/$pBase_certA into NVRAM." + tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$pBase_certA - echo "===========TPM2 Emulator Initialization Complete!===========" + echo "===========TPM 2.0 Emulator Initialization Complete!===========" - # Set Logging to INFO Level - sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini + # Set Logging to INFO Level + sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini } # Function to update the hirs-site.config file function UpdateHirsSiteConfigFile { - HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config" + HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config" - echo "" - echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...===========" - cat /HIRS/.ci/docker/.env + echo "" + echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...===========" + cat /HIRS/.ci/docker/.env - cat < $HIRS_SITE_CONFIG + cat < $HIRS_SITE_CONFIG #******************************************* #* HIRS site configuration properties file #******************************************* @@ -210,22 +210,22 @@ PORTAL_PORT=${HIRS_ACA_PORTAL_PORT} DEFAULT_SITE_CONFIG_FILE - echo "===========New HIRS Config File===========" - cat /etc/hirs/hirs-site.config + echo "===========New HIRS Config File===========" + cat /etc/hirs/hirs-site.config } # Install packages InstallProvisioner -# Install TPM2 Emulator +# Install TPM 2.0 Emulator InitTpm2Emulator # Update the hirs-site.config file UpdateHirsSiteConfigFile echo "" -echo "TPM2 Emulator NV RAM list" +echo "TPM 2.0 Emulator NV RAM list" tpm2_nvlist echo "" -echo "===========HIRS ACA TPM2 Provisioner Setup Complete!===========" +echo "===========HIRS ACA TPM 2.0 Provisioner Setup Complete!===========" diff --git a/.ci/setup/setup-tpm2provisioner.sh b/.ci/setup/setup-tpm2provisioner.sh index cdfe363d..23910c4e 100755 --- a/.ci/setup/setup-tpm2provisioner.sh +++ b/.ci/setup/setup-tpm2provisioner.sh @@ -10,117 +10,117 @@ until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}: done echo "ACA is up!" -# Function to install TPM2 Provisioner packages. +# Function to install TPM 2.0 Provisioner packages function InstallProvisioner { - echo "===========Installing TPM2 Provisioner Packages...===========" + echo "===========Installing TPM 2.0 Provisioner Packages...===========" - pushd /HIRS - if [ ! -d package/rpm/RPMS ]; then - ./package/package.centos.sh - fi - yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm - popd + pushd /HIRS + if [ ! -d package/rpm/RPMS ]; then + ./package/package.centos.sh + fi + yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm + popd } -# Function to initialize the TPM2 Emulator +# Function to initialize the TPM 2.0 Emulator function InitTpm2Emulator { - echo "===========Initializing TPM2 Emulator...===========" + echo "===========Initializing TPM 2.0 Emulator...===========" - mkdir -p /var/run/dbus - if [ -e /var/run/dbus/pid ]; then - rm /var/run/dbus/pid - fi + mkdir -p /var/run/dbus + if [ -e /var/run/dbus/pid ]; then + rm /var/run/dbus/pid + fi - if [ -e /var/run/dbus/system_bus_socket ]; then - rm /var/run/dbus/system_bus_socket - fi + if [ -e /var/run/dbus/system_bus_socket ]; then + rm /var/run/dbus/system_bus_socket + fi - # Start the DBus - dbus-daemon --fork --system - echo "DBus started" + # Start the DBus + dbus-daemon --fork --system + echo "DBus started" - # Give DBus time to start up - sleep 5 + # Give DBus time to start up + sleep 5 - /ibmtpm/src/./tpm_server & - echo "TPM Emulator started" + /ibmtpm/src/./tpm_server & + echo "TPM Emulator started" - # Give tpm_server time to start and register on the DBus - sleep 5 + # Give tpm_server time to start and register on the DBus + sleep 5 - tpm2-abrmd -t socket & - echo "TPM2-Abrmd started" + tpm2-abrmd -t socket & + echo "TPM2-Abrmd started" - # Give ABRMD time to start and register on the DBus - sleep 5 + # Give ABRMD time to start and register on the DBus + sleep 5 - # Certificates - ek_cert="/HIRS/.ci/setup/certs/ek_cert.der" - ca_key="/HIRS/.ci/setup/certs/ca.key" - ca_cert="/HIRS/.ci/setup/certs/ca.crt" - platform_cert="platformAttributeCertificate.der" + # Certificates + ek_cert="/HIRS/.ci/setup/certs/ek_cert.der" + ca_key="/HIRS/.ci/setup/certs/ca.key" + ca_cert="/HIRS/.ci/setup/certs/ca.crt" + platform_cert="platformAttributeCertificate.der" - # PACCOR directory - PC_DIR=/var/hirs/pc_generation - mkdir -p $PC_DIR + # PACCOR directory + PC_DIR=/var/hirs/pc_generation + mkdir -p $PC_DIR - echo "Running PACCOR to generate local component information..." - # Use specific PACCOR script for system testing. - # Will provide default component SN#s when needed. - cp -f /opt/paccor/scripts/allcomponents_hirs_system_tests.sh /opt/paccor/scripts/allcomponents.sh - /opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile - /opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile - /opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile + echo "Running PACCOR to generate local component information..." + # Use specific PACCOR script for system testing. + # Will provide default component SN#s when needed. + cp -f /opt/paccor/scripts/allcomponents_hirs_system_tests.sh /opt/paccor/scripts/allcomponents.sh + /opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile + /opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile + /opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile - echo "Generating $platform_cert..." - /opt/paccor/bin/observer -c $PC_DIR/componentsFile -p $PC_DIR/optionsFile -e $ek_cert -f $PC_DIR/observerFile - /opt/paccor/bin/signer -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280201 -N $RANDOM -k $ca_key -P $ca_cert -f $PC_DIR/$platform_cert + echo "Generating $platform_cert..." + /opt/paccor/bin/observer -c $PC_DIR/componentsFile -p $PC_DIR/optionsFile -e $ek_cert -f $PC_DIR/observerFile + /opt/paccor/bin/signer -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280201 -N $RANDOM -k $ca_key -P $ca_cert -f $PC_DIR/$platform_cert - if tpm2_nvlist | grep -q 0x1c00002; then - echo "Released NVRAM for EK." - tpm2_nvrelease -x 0x1c00002 -a 0x40000001 - fi + if tpm2_nvlist | grep -q 0x1c00002; then + echo "Released NVRAM for EK." + tpm2_nvrelease -x 0x1c00002 -a 0x40000001 + fi - # Define nvram space to enable loading of EK cert (-x NV Index, -a handle to - # authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t - # specifies attribute value in publicInfo struct - # [0x2000A = ownerread|ownerwrite|policywrite]) - size=$(cat $ek_cert | wc -c) - echo "Define NVRAM location for EK cert of size $size." - tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size + # Define nvram space to enable loading of EK cert (-x NV Index, -a handle to + # authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t + # specifies attribute value in publicInfo struct + # [0x2000A = ownerread|ownerwrite|policywrite]) + size=$(cat $ek_cert | wc -c) + echo "Define NVRAM location for EK cert of size $size." + tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size - # Load key into TPM nvram - echo "Loading EK cert $ek_cert into NVRAM." - tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert + # Load key into TPM nvram + echo "Loading EK cert $ek_cert into NVRAM." + tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert - if tpm2_nvlist | grep -q 0x1c90000; then - echo "Released NVRAM for PC." - tpm2_nvrelease -x 0x1c90000 -a 0x40000001 - fi + if tpm2_nvlist | grep -q 0x1c90000; then + echo "Released NVRAM for PC." + tpm2_nvrelease -x 0x1c90000 -a 0x40000001 + fi - # Store the platform certificate in the TPM's NVRAM - size=$(cat $PC_DIR/$platform_cert | wc -c) - echo "Define NVRAM location for PC cert of size $size." - tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $size + # Store the platform certificate in the TPM's NVRAM + size=$(cat $PC_DIR/$platform_cert | wc -c) + echo "Define NVRAM location for PC cert of size $size." + tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $size - echo "Loading PC cert $PC_DIR/$platform_cert into NVRAM." - tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$platform_cert + echo "Loading PC cert $PC_DIR/$platform_cert into NVRAM." + tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$platform_cert - echo "===========TPM2 Emulator Initialization Complete!===========" + echo "===========TPM 2.0 Emulator Initialization Complete!===========" - # Set Logging to INFO Level - sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini + # Set Logging to INFO Level + sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini } # Function to update the hirs-site.config file function UpdateHirsSiteConfigFile { - HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config" + HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config" - echo "" - echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...===========" - cat /HIRS/.ci/docker/.env + echo "" + echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...===========" + cat /HIRS/.ci/docker/.env - cat < $HIRS_SITE_CONFIG + cat < $HIRS_SITE_CONFIG #******************************************* #* HIRS site configuration properties file #******************************************* @@ -138,22 +138,22 @@ PORTAL_PORT=${HIRS_ACA_PORTAL_PORT} DEFAULT_SITE_CONFIG_FILE - echo "===========New HIRS Config File===========" - cat /etc/hirs/hirs-site.config + echo "===========New HIRS Config File===========" + cat /etc/hirs/hirs-site.config } # Install packages InstallProvisioner -# Install TPM2 Emulator +# Install TPM 2.0 Emulator InitTpm2Emulator # Update the hirs-site.config file UpdateHirsSiteConfigFile echo "" -echo "TPM2 Emulator NV RAM list" +echo "TPM 2.0 Emulator NV RAM list" tpm2_nvlist echo "" -echo "===========HIRS ACA TPM2 Provisioner Setup Complete!===========" +echo "===========HIRS ACA TPM 2.0 Provisioner Setup Complete!===========" diff --git a/.ci/setup/setup-tpmprovisioner.sh b/.ci/setup/setup-tpmprovisioner.sh index 864cea78..ba037824 100755 --- a/.ci/setup/setup-tpmprovisioner.sh +++ b/.ci/setup/setup-tpmprovisioner.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Script to setup the TPM Provisioner Docker Image for Integration Tests +# Script to setup the TPM 1.2 Provisioner Docker Image for Integration Tests set -e # Wait for ACA to boot @@ -10,72 +10,85 @@ until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}: done echo "ACA is up!" -# Function to install Provisioner packages. +# Function to install TPM 1.2 Provisioner packages function InstallProvisioner { - echo "===========Installing Provisioner Packages...===========" + echo "===========Installing TPM 1.2 Provisioner Packages...===========" - pushd /HIRS - if [ ! -d package/rpm/RPMS ]; then - ./package/package.centos.sh - fi - yum install -y package/rpm/RPMS/noarch/HIRS_Provisioner_TPM_1_2*.el7.noarch.rpm - popd + pushd /HIRS + + if [ ! -d package/rpm/RPMS ]; then + ./package/package.centos.sh + fi + + yum install -y package/rpm/RPMS/noarch/HIRS_Provisioner_TPM_1_2*.el7.noarch.rpm + + popd } -# Function to initialize the TPM Emulator +# Function to initialize the TPM 1.2 Emulator function InitTpmEmulator { - echo "===========Initializing TPM Emulator...===========" + echo "===========Initializing TPM 1.2 Emulator...===========" - # Set variables for server - export TPM_PATH=/tpm_emulator/tpm_storage - export TPM_PORT=6543 + # Set variables for server + export TPM_PATH=/tpm_emulator/tpm_storage + export TPM_PORT=6543 - # Set variables for client utils - export TPM_SERVER_NAME=localhost - export TPM_SERVER_PORT=6543 + # Set variables for client utils + export TPM_SERVER_NAME=localhost + export TPM_SERVER_PORT=6543 - # Set variable for TrouSerS - export TCSD_TCP_DEVICE_PORT=6543 + # Set variable for TrouSerS + export TCSD_TCP_DEVICE_PORT=6543 - mkdir -p $TPM_PATH + mkdir -p $TPM_PATH - pushd /tpm_emulator + pushd /tpm_emulator - # Activate Software TPM - ./tpm/tpm_server > tpm.log 2>&1 & - ./libtpm/utils/tpmbios + echo "Activate Software TPM..." + # Activate Software TPM + ./tpm/tpm_server > tpm.log 2>&1 & + ./libtpm/utils/tpmbios - # Restart Software TPM after Activation - pkill tpm_server - ./tpm/tpm_server > tpm.log 2>&1 & - ./libtpm/utils/tpmbios + echo "Restarting Software TPM after Activation..." + # Restart Software TPM after Activation + pkill tpm_server + ./tpm/tpm_server > tpm.log 2>&1 & + ./libtpm/utils/tpmbios - # Create EK on Software TPM - ./libtpm/utils/createek + echo "Creating EK on Software TPM..." + # Create EK on Software TPM + ./libtpm/utils/createek - # Initialize last memory address - ./libtpm/utils/nv_definespace -in ffffffff -sz 0 + echo "Initializing last memory address..." + # Initialize last memory address + ./libtpm/utils/nv_definespace -in ffffffff -sz 0 - popd + popd - echo "Starting TrouSerS Daemon" - tcsd -e + echo "Starting TrouSerS Daemon..." + tcsd -e - echo "Testing TPM Connectivity" - tpm_selftest + echo "Taking TPM 1.2 Ownership..." + tpm_takeownership -y -z - echo "===========TPM Emulator Initialization Complete!===========" + echo "Testing TPM 1.2 Connectivity..." + tpm_selftest + + echo "TPM 1.2 NV info..." + tpm_nvinfo + + echo "===========TPM 1.2 Emulator Initialization Complete!===========" } # Function to update the hirs-site.config file function UpdateHirsSiteConfigFile { - HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config" + HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config" - echo "" - echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...===========" - cat /HIRS/.ci/docker/.env + echo "" + echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...===========" + cat /HIRS/.ci/docker/.env - cat < $HIRS_SITE_CONFIG + cat < $HIRS_SITE_CONFIG #******************************************* #* HIRS site configuration properties file #******************************************* @@ -93,18 +106,43 @@ PORTAL_PORT=${HIRS_ACA_PORTAL_PORT} DEFAULT_SITE_CONFIG_FILE - echo "===========New HIRS Config File===========" - cat /etc/hirs/hirs-site.config + echo "===========New HIRS Config File===========" + cat /etc/hirs/hirs-site.config +} + +function UpdateLoggingConfigFile { + LOGGING_CONFIG="/etc/hirs/logging.properties" + + echo "" + echo "===========Updating ${LOGGING_CONFIG} file...===========" + cat /etc/hirs/logging.properties + + cat < $LOGGING_CONFIG +root.level=DEBUG +hirs.level=DEBUG +org.hibernate.level= +org.springframework.level= +org.apache.activemq.level= +tpm2_provisioner.level=DEBUG + +DEFAULT_LOGGING_CONFIG_FILE + + echo "" + echo "===========New Logging Properties File===========" + cat /etc/hirs/logging.properties } # Install packages InstallProvisioner -# Install TPM Emulator +# Install TPM 1.2 Emulator InitTpmEmulator # Update the hirs-site.config file UpdateHirsSiteConfigFile +# Update the logging.properties file +UpdateLoggingConfigFile + echo "" -echo "===========HIRS ACA Provisioner Setup Complete!===========" +echo "===========HIRS ACA TPM 1.2 Provisioner Setup Complete!===========" diff --git a/.ci/system-tests/run-system-tests-tpm2-base-delta-bad.sh b/.ci/system-tests/run-system-tests-tpm2-base-delta-bad.sh index d76f24f3..c2a0a65f 100755 --- a/.ci/system-tests/run-system-tests-tpm2-base-delta-bad.sh +++ b/.ci/system-tests/run-system-tests-tpm2-base-delta-bad.sh @@ -14,10 +14,10 @@ cd .ci/docker docker-compose -f docker-compose-tpm2-base-delta-bad.yml up -d tpm2_container_id="$(docker ps -aqf "name=hirs-aca-provisioner-tpm2")" -echo "TPM2 Container ID: $tpm2_container_id" +echo "TPM 2.0 Container ID: $tpm2_container_id" tpm2_container_status="$(docker inspect $tpm2_container_id --format='{{.State.Status}}')" -echo "TPM2 Container Status: $tpm2_container_status" +echo "TPM 2.0 Container Status: $tpm2_container_status" while [[ $tpm2_container_status == "running" ]] do @@ -32,7 +32,7 @@ done # Store container exit code tpm2_container_exit_code="$(docker inspect $tpm2_container_id --format='{{.State.ExitCode}}')" -echo "TPM2 Container Exit Code: $tpm2_container_exit_code" +echo "TPM 2.0 Container Exit Code: $tpm2_container_exit_code" # Display container log echo "" diff --git a/.ci/system-tests/run-system-tests-tpm2-base-delta-good.sh b/.ci/system-tests/run-system-tests-tpm2-base-delta-good.sh index dce7474b..5c86318b 100755 --- a/.ci/system-tests/run-system-tests-tpm2-base-delta-good.sh +++ b/.ci/system-tests/run-system-tests-tpm2-base-delta-good.sh @@ -14,10 +14,10 @@ cd .ci/docker docker-compose -f docker-compose-tpm2-base-delta-good.yml up -d tpm2_container_id="$(docker ps -aqf "name=hirs-aca-provisioner-tpm2")" -echo "TPM2 Container ID: $tpm2_container_id" +echo "TPM 2.0 Container ID: $tpm2_container_id" tpm2_container_status="$(docker inspect $tpm2_container_id --format='{{.State.Status}}')" -echo "TPM2 Container Status: $tpm2_container_status" +echo "TPM 2.0 Container Status: $tpm2_container_status" while [[ $tpm2_container_status == "running" ]] do @@ -32,7 +32,7 @@ done # Store container exit code tpm2_container_exit_code="$(docker inspect $tpm2_container_id --format='{{.State.ExitCode}}')" -echo "TPM2 Container Exit Code: $tpm2_container_exit_code" +echo "TPM 2.0 Container Exit Code: $tpm2_container_exit_code" # Display container log echo "" diff --git a/.ci/system-tests/run-system-tests-tpm2.sh b/.ci/system-tests/run-system-tests-tpm2.sh index c1798735..63be4b43 100755 --- a/.ci/system-tests/run-system-tests-tpm2.sh +++ b/.ci/system-tests/run-system-tests-tpm2.sh @@ -14,10 +14,10 @@ cd .ci/docker docker-compose -f docker-compose-tpm2.yml up -d tpm2_container_id="$(docker ps -aqf "name=hirs-aca-provisioner-tpm2")" -echo "TPM2 Container ID: $tpm2_container_id" +echo "TPM 2.0 Container ID: $tpm2_container_id" tpm2_container_status="$(docker inspect $tpm2_container_id --format='{{.State.Status}}')" -echo "TPM2 Container Status: $tpm2_container_status" +echo "TPM 2.0 Container Status: $tpm2_container_status" while [[ $tpm2_container_status == "running" ]] do @@ -32,7 +32,7 @@ done # Store container exit code tpm2_container_exit_code="$(docker inspect $tpm2_container_id --format='{{.State.ExitCode}}')" -echo "TPM2 Container Exit Code: $tpm2_container_exit_code" +echo "TPM 2.0 Container Exit Code: $tpm2_container_exit_code" # Display container log echo "" diff --git a/.ci/system-tests/run-system-tests.sh b/.ci/system-tests/run-system-tests.sh index 97abd5ee..bd6a1a27 100755 --- a/.ci/system-tests/run-system-tests.sh +++ b/.ci/system-tests/run-system-tests.sh @@ -5,7 +5,7 @@ set -e echo "" -echo "System Tests Starting..." +echo "System Tests TPM 1.2 Starting..." echo "" # Start System Testing Docker Environment @@ -14,16 +14,16 @@ cd .ci/docker docker-compose up -d tpm_container_id="$(docker ps -aqf "name=hirs-aca-provisioner")" -echo "TPM Container ID: $tpm_container_id" +echo "TPM 1.2 Container ID: $tpm_container_id" tpm_container_status="$(docker inspect $tpm_container_id --format='{{.State.Status}}')" -echo "TPM Container Status: $tpm_container_status" +echo "TPM 1.2 Container Status: $tpm_container_status" while [[ $tpm_container_status == "running" ]] do sleep 20 - # Add status message, so Travis will not time out. + # Add status message, so Travis will not time out. # It may timeout if it hasn't received output for more than 10 minutes. echo "Still running tests, please wait..." @@ -32,7 +32,7 @@ done # Store container exit codes tpm_container_exit_code="$(docker inspect $tpm_container_id --format='{{.State.ExitCode}}')" -echo "TPM Container Exit Code: $tpm_container_exit_code" +echo "TPM 1.2 Container Exit Code: $tpm_container_exit_code" # Display container logs echo "" @@ -40,7 +40,7 @@ echo "===========hirs-aca-provisioner System Tests Log:===========" docker logs $tpm_container_id echo "" -echo "End of TPM 1.2 System Tests, cleaning up..." +echo "End of System Tests TPM 1.2, cleaning up..." echo "" # Clean up services and network docker-compose down @@ -48,9 +48,9 @@ docker-compose down # Return container exit codes if [[ $tpm_container_exit_code == 0 ]] then - echo "SUCCESS: TPM 1.2 System tests passed" + echo "SUCCESS: System Tests TPM 1.2 passed" exit 0 fi -echo "ERROR: System tests failed" +echo "ERROR: System Tests TPM 1.2 failed" exit 1 diff --git a/.ci/system-tests/system_test.py b/.ci/system-tests/system_test.py index af33e04f..7a001a49 100644 --- a/.ci/system-tests/system_test.py +++ b/.ci/system-tests/system_test.py @@ -23,17 +23,22 @@ import sys import argparse from system_test_core import HIRSPortal, AttestationCAPortal, collectors, \ - send_command, send_command_sha1sum, run_hirs_report, \ - run_hirs_provisioner_tpm2, parse_xml_with_stripped_namespaces, get_current_timestamp, \ - get_all_nodes_recursively, touch_random_file_and_remove, get_random_pcr_hex_value, \ - is_ubuntu_client, is_tpm2,\ - DEFAULT_IMA_POLICY, DEFAULT_TPM_POLICY + send_command, send_command_sha1sum, run_hirs_report, run_hirs_provisioner_tpm_1_2, \ + run_hirs_provisioner_tpm_2_0, parse_xml_with_stripped_namespaces, \ + get_all_nodes_recursively, touch_random_file_and_remove, get_random_pcr_hex_value, \ + get_current_timestamp, is_ubuntu_client, is_tpm_2_0, is_tpm_1_2, \ + DEFAULT_IMA_POLICY, DEFAULT_TPM_POLICY, \ + make_simple_ima_baseline, make_baseline_from_xml, \ + make_simple_ima_blacklist_baseline, \ + make_simple_ima_blacklist_baseline_with_hash, \ + make_simple_ima_blacklist_baseline_with_file_and_hash, \ + make_simple_ima_blacklist_baseline_with_updated_file_and_hash NUMBER_OF_PCRS = 24 suffix = os.environ.get('RANDOM_SYS_TEST_ID') if suffix != None: - print "Configuring with suffix " + suffix + print("Configuring with suffix: %s" % suffix) suffix = "-" + suffix else: suffix = "" @@ -44,9 +49,9 @@ CLIENT_OS = os.environ.get('CLIENT_OS') TPM_VERSION = os.environ.get('TPM_VERSION') HIRS_SERVER_URL = "https://TBD/HIRS_Portal/" HIRS_ATTESTATION_CA_PORTAL_URL = "https://" + \ - os.environ.get('HIRS_ACA_PORTAL_IP') +":" + \ - os.environ.get('HIRS_ACA_PORTAL_PORT') + \ - "/HIRS_AttestationCAPortal/" + os.environ.get('HIRS_ACA_PORTAL_IP') +":" + \ + os.environ.get('HIRS_ACA_PORTAL_PORT') + \ + "/HIRS_AttestationCAPortal/" TEST_LOG_FILE = os.environ.get('TEST_LOG') LOG_LEVEL = os.environ.get('LOG_LEVEL') @@ -70,7 +75,7 @@ FORMAT = "%(asctime)-15s %(message)s" provisioner_out = None logging.basicConfig(filename=TEST_LOG_FILE,level=eval(LOG_LEVEL), format=FORMAT) -logging.info("*****************beginning of system_test.py*****************") +logging.info("***************** Beginning of system_test.py *****************") logging.info("The ACA Portal is: " + HIRS_ATTESTATION_CA_PORTAL_URL) Portal = HIRSPortal(HIRS_SERVER_URL) @@ -80,56 +85,62 @@ requests.packages.urllib3.disable_warnings() class SystemTest(unittest.TestCase): - @classmethod - def setUpClass(self): - """Set the class up""" + @classmethod + def setUpClass(self): + """Set the class up""" - def setUp(self): - """Set the systems tests state up for testing""" - AcaPortal.disable_supply_chain_validations() + def setUp(self): + """Set the systems tests state up for testing""" + AcaPortal.disable_supply_chain_validations() - def tearDown(self): - """Tears down the state for testing""" + def tearDown(self): + """Tears down the state for testing""" - @collectors(['IMA', 'TPM'], COLLECTOR_LIST) - def test_01_empty_baselines(self): - """Test that appraisal succeeds with empty IMA and TPM baselines""" - logging.info("*****************beginning of empty baseline test*****************") + def test_01_attestation_ca_portal_online(self): + """Test that the Attestation CA Portal is online and accessible by making a GET request. + If not online, an exception will be raised since the response code is non-200""" + logging.info("***************** Beginning of attestation ca portal online test *****************") + AcaPortal.check_is_online() + + @collectors(['IMA', 'TPM'], COLLECTOR_LIST) + def test_02_empty_baselines(self): + """Test that appraisal succeeds with empty IMA and TPM baselines""" + logging.info("***************** Beginning of empty baseline test *****************") # Portal.set_default_policies(ima_policy=DEFAULT_IMA_POLICY, tpm_policy=DEFAULT_TPM_POLICY) # result = run_hirs_report(CLIENT) # self.assertTrue(result) # self.assertEqual(0, Portal.get_alert_count_from_latest_report()) - @collectors(['IMA'], COLLECTOR_LIST) - def test_02_small_ima_appraisal(self): - """Test that appraisal works with a small hard-coded IMA baseline + @collectors(['IMA'], COLLECTOR_LIST) + def test_03_small_ima_appraisal(self): + """Test that appraisal works with a small hard-coded IMA baseline - steps: - - upload a small hard-coded required set (two records) - - make a policy that points to that baseline as its required set - - set the default device group to point to that policy - - run a report from the client machine using vagrant ssh - """ - logging.info("*****************beginning of small IMA appraisal test*****************") + steps: + - upload a small hard-coded required set (two records) + - make a policy that points to that baseline as its required set + - set the default device group to point to that policy + - run a report from the client machine using vagrant ssh + """ + logging.info("***************** Beginning of small IMA appraisal test *****************") # baseline = make_simple_ima_baseline() # policy_name = Portal.add_ima_policy(required_set=baseline, policy_name_prefix='small_ima') # Portal.set_default_policies(ima_policy=policy_name) # result = run_hirs_report(CLIENT) # self.assertTrue(result) - @collectors(['IMA'], COLLECTOR_LIST) - def test_03_large_ima_appraisal(self): - """Test that appraisal works with a full-size IMA baseline + @collectors(['IMA'], COLLECTOR_LIST) + def test_04_large_ima_appraisal(self): + """Test that appraisal works with a full-size IMA baseline - steps: - - generate an XML report or use a cached one - - convert the IMA part of the report into a csv baseline - - upload the csv file as an IMA baseline - - make a policy that points to that baseline as its required set - - set the default device group to point to that policy - - run a report from the client machine using vagrant ssh - """ - logging.info("*****************beginning of large IMA appraisal test*****************") + steps: + - generate an XML report or use a cached one + - convert the IMA part of the report into a csv baseline + - upload the csv file as an IMA baseline + - make a policy that points to that baseline as its required set + - set the default device group to point to that policy + - run a report from the client machine using vagrant ssh + """ + logging.info("***************** Beginning of large IMA appraisal test *****************") # empty_ima_policy = Portal.add_ima_policy(required_set=None, policy_name_prefix="empty") # Portal.set_default_policies(ima_policy=empty_ima_policy, # tpm_policy=DEFAULT_TPM_POLICY) @@ -147,19 +158,19 @@ class SystemTest(unittest.TestCase): # #logging.debug("new alerts:\n{0}".format(pprint.pformat(after_alerts['data'][0:new_alert_count]))) # self.assertTrue(True) - @collectors(['IMA'], COLLECTOR_LIST) - def test_04_small_ima_appraisal_required_set_missing(self): - """Test that appraisal results in an appropriate alert generation when a required set file is missing + @collectors(['IMA'], COLLECTOR_LIST) + def test_05_small_ima_appraisal_required_set_missing(self): + """Test that appraisal results in an appropriate alert generation when a required set file is missing - steps: - - upload a small hard-coded required set (two records) - - add a fictitious file to the baseline - - make a policy that points to that baseline as its required set - - set the default device group to point to that policy - - run a report from the client machine using vagrant ssh - - make sure it failed and that one appropriate alert was thrown - """ - logging.info("*****************beginning of small IMA appraisal test with required set missing*****************") + steps: + - upload a small hard-coded required set (two records) + - add a fictitious file to the baseline + - make a policy that points to that baseline as its required set + - set the default device group to point to that policy + - run a report from the client machine using vagrant ssh + - make sure it failed and that one appropriate alert was thrown + """ + logging.info("***************** Beginning of small IMA appraisal test with required set missing *****************") # baseline = make_simple_ima_baseline() # baseline["name"] = "ima_baseline_missing_required_record_{0}".format(get_current_timestamp()) # random_hash = str(hashlib.sha1(str(random.random())).hexdigest()) @@ -180,19 +191,19 @@ class SystemTest(unittest.TestCase): # self.assertTrue(random_hash in latest_alert['expected']) # self.assertTrue(missing_file in latest_alert['expected']) - @collectors(['TPM'], COLLECTOR_LIST) - def test_05_tpm_white_list_appraisal(self): - """Test that appraisal works with a TPM white list baseline + @collectors(['IMA'], COLLECTOR_LIST) + def test_06_tpm_white_list_appraisal(self): + """Test that appraisal works with a TPM white list baseline - steps: - - run hirs report to generate an XML report for baseline creation - - download the latest report in XML format - - convert the TPM part of the report into a json baseline - - make a policy that points to that json TPM white list baseline - - set the default device group to point to that policy - - run a report from the client machine - """ - logging.info("*****************beginning of TPM white list appraisal test*****************") + steps: + - run hirs report to generate an XML report for baseline creation + - download the latest report in XML format + - convert the TPM part of the report into a json baseline + - make a policy that points to that json TPM white list baseline + - set the default device group to point to that policy + - run a report from the client machine + """ + logging.info("***************** Beginning of TPM white list appraisal test *****************") # empty_ima_policy = Portal.add_ima_policy(required_set=None) # Portal.set_default_policies(ima_policy=empty_ima_policy, # tpm_policy=DEFAULT_TPM_POLICY) @@ -237,20 +248,20 @@ class SystemTest(unittest.TestCase): # self.assertTrue(baseline_hash in pcr_alert['expected']) # self.assertTrue(reported_hash in pcr_alert['received']) - @collectors(['IMA'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_06_ima_blacklist_appraisal(self): - """Test that appraisal works with a small IMA blacklist baseline + @collectors(['IMA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_07_ima_blacklist_appraisal(self): + """Test that appraisal works with a small IMA blacklist baseline - steps: - - upload a policy with a small hard-coded blacklist baseline - - set the default device group to point to that policy - - run a report from the client machine and ensure the appraisal passes - - touch a file on the client that is contained in the blacklist - - run another report from the client machine and ensure the appraisal fails - """ - logging.info("*****************beginning of blacklist IMA appraisal test*****************") -# baseline = make_simple_ima_blacklist_baseline() + steps: + - upload a policy with a small hard-coded blacklist baseline + - set the default device group to point to that policy + - run a report from the client machine and ensure the appraisal passes + - touch a file on the client that is contained in the blacklist + - run another report from the client machine and ensure the appraisal fails + """ + logging.info("***************** Beginning of blacklist IMA appraisal test *****************") +# baseline = make_simple_ima_blacklist_baseline() # policy_name = Portal.add_ima_policy(blacklist=baseline, policy_name_prefix='small_ima_blacklist') # Portal.set_default_policies(ima_policy=policy_name) # @@ -349,30 +360,30 @@ class SystemTest(unittest.TestCase): # result = run_hirs_report(CLIENT) # self.assertTrue(result) - @collectors(['IMA'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_07_delta_reports_required_set(self): - """Test that appraisal works with delta reports and required sets. + @collectors(['IMA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_08_delta_reports_required_set(self): + """Test that appraisal works with delta reports and required sets. - steps: - - Run hirs report with an empty required set and delta reports - enabled - - Check first report for success and to make sure the test files - are not there - - Add the two test files (foo-file and foo-bar-file) to the required - set with a hashes that indicates the files are empty - - create foo-file and read it as root so it is measured by IMA - - Run second hirs report - - Check for failed appraisal (foo-bar-file hasn't been created yet) - - Check that the report includes foo-file, but not foo-bar-file - - Create foo-bar-file and read it as root - - Run third hirs report - - Check for failed appraisal (foo-file was in the previous report, - so it won't be included in this one. - - Check that foo-bar-file is in this report, but not foo-file - """ + steps: + - Run hirs report with an empty required set and delta reports + enabled + - Check first report for success and to make sure the test files + are not there + - Add the two test files (foo-file and foo-bar-file) to the required + set with a hashes that indicates the files are empty + - create foo-file and read it as root so it is measured by IMA + - Run second hirs report + - Check for failed appraisal (foo-bar-file hasn't been created yet) + - Check that the report includes foo-file, but not foo-bar-file + - Create foo-bar-file and read it as root + - Run third hirs report + - Check for failed appraisal (foo-file was in the previous report, + so it won't be included in this one. + - Check that foo-bar-file is in this report, but not foo-file + """ - logging.info("*****************beginning of Delta Reports required set appraisal test*****************") + logging.info("***************** Beginning of Delta Reports required set appraisal test *****************") # unique_name = uuid.uuid4().hex # baseline_name = 'delta-reports-required-baseline-' + unique_name # foo_file_name = 'foo-file-' + unique_name @@ -423,34 +434,34 @@ class SystemTest(unittest.TestCase): # send_vagrant_command('rm {0}'.format(foo_file_name), CLIENT) # send_vagrant_command('rm {0}'.format(foo_bar_file_name), CLIENT) - @collectors(['IMA'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_08_delta_reports_whitelist(self): - """Test that appraisal works with delta reports. Each report should be - appraised individually. Checks that a failed appraisal can be followed - by a successful appraisal if there are no errors in the second delta - report. + @collectors(['IMA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_09_delta_reports_whitelist(self): + """Test that appraisal works with delta reports. Each report should be + appraised individually. Checks that a failed appraisal can be followed + by a successful appraisal if there are no errors in the second delta + report. - steps: - - Run hirs report with an empty required set and delta reports - enabled - - Check first report for success and to make sure the test files - are not there - - Add a test file (foo-file) to the whitelist with a hash that - indicates the file is empty - - Create foo-file with contents and read it as root so it is - measured by IMA - - Run second hirs report - - Check for failed appraisal (foo-file should be a whitelist - mismatch because the file isn't empty) - - Check that the report includes foo-file - - Run third hirs report - - Check for successful appraisal (the mismatch was in the previous - report so it won't be included in this one. - - Check that foo-file is not in this report - """ + steps: + - Run hirs report with an empty required set and delta reports + enabled + - Check first report for success and to make sure the test files + are not there + - Add a test file (foo-file) to the whitelist with a hash that + indicates the file is empty + - Create foo-file with contents and read it as root so it is + measured by IMA + - Run second hirs report + - Check for failed appraisal (foo-file should be a whitelist + mismatch because the file isn't empty) + - Check that the report includes foo-file + - Run third hirs report + - Check for successful appraisal (the mismatch was in the previous + report so it won't be included in this one. + - Check that foo-file is not in this report + """ - logging.info("*****************beginning of Delta Reports whitelist appraisal test*****************") + logging.info("***************** Beginning of Delta Reports whitelist appraisal test *****************") # unique_name = uuid.uuid4().hex # baseline_name = 'delta-reports-whitelist-baseline-' + unique_name # foo_file_name = 'foo-file-' + unique_name @@ -489,23 +500,23 @@ class SystemTest(unittest.TestCase): # # send_vagrant_command('rm {0}'.format(foo_file_name), CLIENT) - @collectors(['IMA', 'TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_09_on_demand(self): - """Test that on-demand (server-initiated) appraisal works. + @collectors(['IMA', 'TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_10_on_demand(self): + """Test that on-demand (server-initiated) appraisal works. - steps: - - push a simple ima baseline - - set the policy - - touch a random file, take the hash, then remove it - - kick off an on-demand report on the server for the default device group - - sleep to let the appraisal finish - - pull the generated report - - check that it passed appraisal - - check that it has the random filename and hash - - check that it contains a TPM Report - """ - logging.info("*****************beginning of on-demand test*****************") + steps: + - push a simple ima baseline + - set the policy + - touch a random file, take the hash, then remove it + - kick off an on-demand report on the server for the default device group + - sleep to let the appraisal finish + - pull the generated report + - check that it passed appraisal + - check that it has the random filename and hash + - check that it contains a TPM Report + """ + logging.info("***************** Beginning of on-demand test *****************") # baseline = make_simple_ima_baseline() # policy_name = Portal.add_ima_policy(required_set=baseline, delta_reports_enabled="false", policy_name_prefix='on_demand') # logging.info('on demand policy name: %s', policy_name) @@ -536,19 +547,19 @@ class SystemTest(unittest.TestCase): # self.assertTrue(any(sr for sr in sub_reports if 'TPMReport' in sr['reportType']), # "report summary should contain a TPMReport as a sub-report") - @collectors(['IMA'], COLLECTOR_LIST) - @unittest.skip("SELinux issues are preventing repo sync from working") - def test_10_failing_ima_appraisal_broad_repo_baseline(self): - """Test that an appraisal not containing expected packages in a broad repo IMA baseline fails. + @collectors(['IMA'], COLLECTOR_LIST) + @unittest.skip("SELinux issues are preventing repo sync from working") + def test_11_failing_ima_appraisal_broad_repo_baseline(self): + """Test that an appraisal not containing expected packages in a broad repo IMA baseline fails. - steps: - - Create a Yum repository with a local file URL and sync it - - Create a broad baseline using the Yum repository - - Add the baseline to the required set for the default IMA policy - - Run a HIRS report and ensure it fails - - Ensure that at least one of the expected alerts has been generated - """ - logging.info("*****************beginning of broad repo failing appraisal test*****************") + steps: + - Create a Yum repository with a local file URL and sync it + - Create a broad baseline using the Yum repository + - Add the baseline to the required set for the default IMA policy + - Run a HIRS report and ensure it fails + - Ensure that at least one of the expected alerts has been generated + """ + logging.info("***************** Beginning of broad repo failing appraisal test *****************") # repo_name = "Test Yum Repository" # baseline_name = "Test Broad Baseline" # policy_name = "Test Broad Repo IMA Policy" @@ -568,22 +579,22 @@ class SystemTest(unittest.TestCase): # 'expected': '(/usr/lib64/glusterfs/3.7.6/xlator/features/quota.so, SHA-1 - 0xc9b5e8df6b50f2f58ea55fd41a962393d9eeec94)', # })) - @collectors(['IMA'], COLLECTOR_LIST) - @unittest.skip("SELinux issues are preventing repo sync from working") - @unittest.skipIf(is_ubuntu_client(CLIENT_OS), "Skipping this test due to client OS " + CLIENT_OS) - def test_11_successful_ima_appraisal_broad_repo_baseline(self): - """Test that an appraisal containing expected packages in a broad repo IMA baseline passes. - This test only works on CentOS 6 and 7. + @collectors(['IMA'], COLLECTOR_LIST) + @unittest.skip("SELinux issues are preventing repo sync from working") + @unittest.skipIf(is_ubuntu_client(CLIENT_OS), "Skipping this test due to client OS " + CLIENT_OS) + def test_12_successful_ima_appraisal_broad_repo_baseline(self): + """Test that an appraisal containing expected packages in a broad repo IMA baseline passes. + This test only works on CentOS 6 and 7. - steps: - - Create a Yum repository with a local file URL and sync it - - Create a broad baseline using the Yum repository - - Add the baseline to the required set for the default IMA policy - - Install RPMs in repository to client machine and read them with root to ensure their placement in the IMA log - - Run a HIRS report and ensure it passes - - Ensure that there are no new alerts - """ - logging.info("*****************beginning of broad repo successful appraisal test*****************") + steps: + - Create a Yum repository with a local file URL and sync it + - Create a broad baseline using the Yum repository + - Add the baseline to the required set for the default IMA policy + - Install RPMs in repository to client machine and read them with root to ensure their placement in the IMA log + - Run a HIRS report and ensure it passes + - Ensure that there are no new alerts + """ + logging.info("***************** Beginning of broad repo successful appraisal test *****************") # repo_name = "Test Yum Repository" # baseline_name = "Test Broad Baseline" # policy_name = "Test Broad Repo IMA Policy" @@ -607,213 +618,212 @@ class SystemTest(unittest.TestCase): # self.assertTrue(run_hirs_report(CLIENT)) # self.assertEqual(Portal.get_alert_count_from_latest_report(), 0) - @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_12_attestation_ca_portal_online(self): - """Test that the Attestation CA Portal is online and accessible by making a GET request. - If not online, an exception will be raised since the response code is non-200""" - logging.info("*****************beginning of attestation ca portal online test *****************") - AcaPortal.check_is_online() +# @collectors(['TPM'], COLLECTOR_LIST) +# @unittest.skipIf(not is_tpm_1_2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) +# def test_13_tpm_1_2_initial_provision(self): +# """Test that running the TPM 1.2 hirs provisioner works""" +# logging.info("***************** Beginning of initial TPM 1.2 provisioner run *****************") +# +# # Run the provisioner to ensure that it provisions successfully +# provisioner_out = run_hirs_provisioner_tpm_1_2(CLIENT) +# print("Initial TPM 1.2 provisioner run output: {0}".format(provisioner_out)) - @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_13_tpm2_initial_provision(self): - """Test that running the tpm2 hirs provisioner works""" - logging.info("*****************beginning of initial provisioner run *****************") - # Run the provisioner to ensure that it provisions successfully - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) - print("Initial provisioner run output: {0}".format(provisioner_out)) + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_14_tpm_2_0_initial_provision(self): + """Test that running the TPM 2.0 hirs provisioner works""" + logging.info("***************** Beginning of initial TPM 2.0 provisioner run *****************") - @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_14_device_info_report_stored_after_provisioning(self): - """Test that running the hirs provisioner results in storing a device info report for - the device in the DB""" - logging.info("*****************beginning of provisioner + device info report test *****************") - logging.info("getting devices from ACA portal") - aca_portal_devices = AcaPortal.get_devices() - self.assertEqual(aca_portal_devices['recordsTotal'], 1) + # Run the provisioner to ensure that it provisions successfully + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) + print("Initial TPM 2.0 provisioner run output: {0}".format(provisioner_out)) - @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_15_supply_chain_validation_summary_stored_after_second_provisioning(self): - """Test that running the hirs provisioner, a second time, results in storing a supply chain validation - record in the database""" - logging.info("*****************beginning of provisioner + supply chain validation summary test *****************") - if is_tpm2(TPM_VERSION): - logging.info("Using TPM 2.0") - logging.info("Uploading CA cert: " + CA_CERT_LOCATION) - AcaPortal.upload_ca_cert(CA_CERT_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) - else: - # Supply chain validation only supported on CentOS 7 - if CLIENT_OS == "centos7": - AcaPortal.upload_ca_cert(EK_CA_CERT_LOCATION) - AcaPortal.enable_ec_validation() - provisioner_out = run_hirs_provisioner(CLIENT) + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_15_device_info_report_stored_after_provisioning(self): + """Test that running the hirs provisioner results in storing a device info report for + the device in the DB""" + logging.info("***************** Beginning of device info report test *****************") - print("Second provisioner run output: {0}".format(provisioner_out)) - supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() - # verify this is one SCVS record indicating PASS - self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 2) - self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") - self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") - # verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + logging.info("Getting devices from ACA portal...") + aca_portal_devices = AcaPortal.get_devices() + self.assertEqual(aca_portal_devices['recordsTotal'], 1) - @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_16_ek_info_report(self): - """Test that running the hirs provisioner results in storing EK certs info report for - the device in the DB""" - logging.info("*****************beginning of provisioner + Endorsement certs info report test *****************") - logging.info("getting ek certs from ACA portal") - cert_list = AcaPortal.get_ek_certs() - self.assertEqual(cert_list['recordsTotal'], 1) - self.assertEqual(cert_list['data'][0]['credentialType'], "TCPA Trusted Platform Module Endorsement") + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_16_supply_chain_validation_summary_stored_after_second_provisioning(self): + """Test that running the hirs provisioner, a second time, results in storing a supply chain validation + record in the database""" + logging.info("***************** Beginning of supply chain validation summary test *****************") - @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_17_pk_info_report(self): - """Test that running the hirs provisioner results in storing PK certs info report for - the device in the DB""" - logging.info("*****************beginning of provisioner + Platform certs info report test *****************") - logging.info("getting pk certs from ACA portal") - cert_list = AcaPortal.get_pk_certs() - self.assertEqual(cert_list['recordsTotal'], 1) - self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") + logging.info("Uploading CA cert: " + CA_CERT_LOCATION) + AcaPortal.upload_ca_cert(CA_CERT_LOCATION) + AcaPortal.enable_supply_chain_validations() - @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_18_trust_chain_info_report(self): - """Test that running the hirs provisioner results in storing trust chains info report for - the device in the DB""" - logging.info("*****************beginning of provisioner + Trust chains info report test *****************") - logging.info("getting trust chains from ACA portal") - trust_chain_list = AcaPortal.get_trust_chains() - self.assertEqual(trust_chain_list['recordsTotal'], 1) + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) + print("Second provisioner run output: {0}".format(provisioner_out)) - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A1_base_delta(self): - """Test Delta Certificates A1 - Provisioning with Good Base Platform Cert (via Platform Cert on TPM Emulator)""" - logging.info("*****************test_19_A1 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform Cert (via Platform Cert on TPM Emulator)") + supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() + # verify this is one SCVS record indicating PASS + self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 2) + self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") + self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") - logging.info("Check if ACA is online...") - AcaPortal.check_is_online() + # verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - logging.info("Uploading CA cert: " + CA_CERT_LOCATION) - AcaPortal.upload_ca_cert(CA_CERT_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_17_ek_info_report(self): + """Test that running the hirs provisioner results in storing EK certs info report for + the device in the DB""" + logging.info("***************** Beginning of Endorsement Certs info report test *****************") - print("test_19_A1_base_delta run output: {0}".format(provisioner_out)) + logging.info("Getting EK Certs from ACA portal...") + cert_list = AcaPortal.get_ek_certs() + self.assertEqual(cert_list['recordsTotal'], 1) + self.assertEqual(cert_list['data'][0]['credentialType'], "TCPA Trusted Platform Module Endorsement") - # Verify device supply chain appraisal result is PASS - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_18_pk_info_report(self): + """Test that running the hirs provisioner results in storing PK certs info report for + the device in the DB""" + logging.info("***************** Beginning Platform Certs info report test *****************") - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A2_base_delta(self): - """Test Delta Certificates A2 - Attempt to upload Base cert with holder already having a Base Platform Cert associated with it""" - logging.info("*****************test_19_A2 - beginning of delta certificate test *****************") - logging.info("Attempt to upload PBaseCertB, with PBaseCertA already loaded in the ACA.") + logging.info("Getting PK Certs from ACA portal...") + cert_list = AcaPortal.get_pk_certs() + self.assertEqual(cert_list['recordsTotal'], 1) + self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") - print("test_19_A2_base_delta. PBaseCertA has already been loaded. Attempting to upload second Platform Cert: %s" % (PBaseCertB_LOCATION)) + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_trust_chain_info_report(self): + """Test that running the hirs provisioner results in storing trust chains info report for + the device in the DB""" + logging.info("***************** Beginning of Trust Chain info report test *****************") + logging.info("Getting Trust Chains from ACA portal...") + trust_chain_list = AcaPortal.get_trust_chains() + self.assertEqual(trust_chain_list['recordsTotal'], 1) - # Confirm there is one Platform Base Cert already loaded - cert_list = AcaPortal.get_pk_certs() - self.assertEqual(cert_list['recordsTotal'], 1) - print("Number of Platform certs: %d" % (cert_list['recordsTotal'])) - self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") - self.assertEqual(cert_list['data'][0]['platformType'], "Base") + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A1_base_delta(self): + """Test Delta Certificates A1 - Provisioning with Good Base Platform Cert (via Platform Cert on TPM Emulator)""" + logging.info("***************** test_20_A1 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert (via Platform Cert on TPM Emulator)") - # Try uploading a second Platform Base Cert - print("Attempting to upload a second Platform Base Cert...") - AcaPortal.upload_pk_cert(PBaseCertB_LOCATION) + logging.info("Check if ACA is online...") + AcaPortal.check_is_online() - # Confirm Platform Base Cert has not been loaded - cert_list = AcaPortal.get_pk_certs() - self.assertEqual(cert_list['recordsTotal'], 1) - print("Number of Platform certs: %d" % (cert_list['recordsTotal'])) - self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") - self.assertEqual(cert_list['data'][0]['platformType'], "Base") + logging.info("Uploading CA Cert: " + CA_CERT_LOCATION) + AcaPortal.upload_ca_cert(CA_CERT_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - if (cert_list['recordsTotal'] == 1): - print ("SUCCESS.") - print ("") - else: - print ("FAILED.") - print ("") + print("test_20_A1_base_delta run output: {0}".format(provisioner_out)) - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A3_base_delta(self): - """Test Delta Certificates A3 - Provisioning with Good Base Platform Cert Base and 1 Delta Cert""" - logging.info("*****************test_19_A3 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform Cert Base and 1 Delta Cert") + # Verify device supply chain appraisal result is PASS + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - # Verify device supply chain appraisal result is PASS - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A2_base_delta(self): + """Test Delta Certificates A2 - Attempt to upload Base cert with holder already having a Base Platform Cert associated with it""" + logging.info("***************** test_20_A2 - Beginning of delta certificate test *****************") + logging.info("Attempt to upload PBaseCertB, with PBaseCertA already loaded in the ACA.") - # Upload the SIDeltaCertA1 and provision - AcaPortal.upload_pk_cert(SIDeltaCertA1_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) - print("test_19_A3_base_delta run output: {0}".format(provisioner_out)) + print("test_20_A2_base_delta. PBaseCertA has already been loaded. Attempting to upload second Platform Cert: %s" % (PBaseCertB_LOCATION)) - supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() - # Verify this is one SCVS record indicating PASS - self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 2) - self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") - self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") + # Confirm there is one Platform Base Cert already loaded + cert_list = AcaPortal.get_pk_certs() + self.assertEqual(cert_list['recordsTotal'], 1) + print("Number of Platform Certs: %d" % (cert_list['recordsTotal'])) + self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") + self.assertEqual(cert_list['data'][0]['platformType'], "Base") - # Verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + # Try uploading a second Platform Base Cert + print("Attempting to upload a second Platform Base Cert...") + AcaPortal.upload_pk_cert(PBaseCertB_LOCATION) - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A4_base_delta(self): - """Test Delta Certificates A4 - Provisioning with Good Base Platform Cert Base and 2 Delta Certs""" - logging.info("*****************test_19_A4 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform Cert Base and 2 Delta Certs") + # Confirm Platform Base Cert has not been loaded + cert_list = AcaPortal.get_pk_certs() + self.assertEqual(cert_list['recordsTotal'], 1) + print("Number of Platform Certs: %d" % (cert_list['recordsTotal'])) + self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") + self.assertEqual(cert_list['data'][0]['platformType'], "Base") - # Verify device supply chain appraisal result is PASS - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + if (cert_list['recordsTotal'] == 1): + print ("SUCCESS.\n") + else: + print ("FAILED.\n") - # Upload the VARDeltaCertA1 and provision - AcaPortal.upload_pk_cert(VARDeltaCertA1_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A3_base_delta(self): + """Test Delta Certificates A3 - Provisioning with Good Base Platform Cert Base and 1 Delta Cert""" + logging.info("***************** test_20_A3 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert Base and 1 Delta Cert") - print("test_19_A4_base_delta run output: {0}".format(provisioner_out)) - supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() + # Verify device supply chain appraisal result is PASS + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - # Verify this is one SCVS record indicating PASS - self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 3) - self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") - self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") - self.assertEqual(supply_chain_validation_summaries['data'][2]['overallValidationResult'], "PASS") + # Upload the SIDeltaCertA1 and provision + AcaPortal.upload_pk_cert(SIDeltaCertA1_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) + print("test_20_A3_base_delta run output: {0}".format(provisioner_out)) - # Verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() + # Verify this is one SCVS record indicating PASS + self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 2) + self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") + self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A5_base_delta(self): - """Test Delta Certificates A5 - Provisioning with Good Base Platform Cert and 1 Bad Delta Cert""" - logging.info("*****************test_19_A5 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform Cert and 1 Bad Delta Cert") + # Verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - # TODO: Determine if we need this test + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A4_base_delta(self): + """Test Delta Certificates A4 - Provisioning with Good Base Platform Cert Base and 2 Delta Certs""" + logging.info("***************** test_20_A4 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert Base and 2 Delta Certs") + + # Verify device supply chain appraisal result is PASS + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + + # Upload the VARDeltaCertA1 and provision + AcaPortal.upload_pk_cert(VARDeltaCertA1_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) + + print("test_20_A4_base_delta run output: {0}".format(provisioner_out)) + supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() + + # Verify this is one SCVS record indicating PASS + self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 3) + self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") + self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") + self.assertEqual(supply_chain_validation_summaries['data'][2]['overallValidationResult'], "PASS") + + # Verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A5_base_delta(self): + """Test Delta Certificates A5 - Provisioning with Good Base Platform Cert and 1 Bad Delta Cert""" + logging.info("***************** test_20_A5 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert and 1 Bad Delta Cert") + + # TODO: Determine if we need this test # # Verify device supply chain appraisal result is PASS # devices = AcaPortal.get_devices() @@ -822,7 +832,7 @@ class SystemTest(unittest.TestCase): # # Upload the VARDelta cert and provision # AcaPortal.upload_pk_cert(SIDeltaCertA2_LOCATION) # AcaPortal.enable_supply_chain_validations() -# provisioner_out = run_hirs_provisioner_tpm2(CLIENT) +# provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) # # print("test_19_A4_base_delta SHOULD FAIL provisioning!!") # print("test_19_A4_base_delta run output: {0}".format(provisioner_out)) @@ -830,244 +840,154 @@ class SystemTest(unittest.TestCase): # # Provisioning should fail since the Delta contains a bad component. # self.assertIn("Provisioning failed", format(provisioner_out)) - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A6_base_delta(self): - """Test Delta Certificates A6 - Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert""" - logging.info("*****************test_19_A6 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert") + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A6_base_delta(self): + """Test Delta Certificates A6 - Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert""" + logging.info("***************** test_20_A6 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert") - # Verify device supply chain appraisal result is PASS - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + # Verify device supply chain appraisal result is PASS + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - # Upload the SIDeltaCertA2 and provision - AcaPortal.upload_pk_cert(SIDeltaCertA2_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the SIDeltaCertA2 and provision + AcaPortal.upload_pk_cert(SIDeltaCertA2_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_A6_base_delta SHOULD FAIL provisioning using: %s" % (SIDeltaCertA2_LOCATION)) - print("test_19_A6_base_delta run output: {0}".format(provisioner_out)) + print("test_20_A6_base_delta SHOULD FAIL provisioning using: %s" % (SIDeltaCertA2_LOCATION)) + print("test_20_A6_base_delta run output: {0}".format(provisioner_out)) - # Provisioning should fail since the Delta contains a bad component. - self.assertIn("Provisioning failed", format(provisioner_out)) + # Provisioning should fail since the Delta contains a bad component. + self.assertIn("Provisioning failed", format(provisioner_out)) - # Upload the SIDeltaCertA2_resolved and provision - AcaPortal.upload_pk_cert(SIDeltaCertA2_resolved_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the SIDeltaCertA2_resolved and provision + AcaPortal.upload_pk_cert(SIDeltaCertA2_resolved_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_A6_base_delta SHOULD PASS provisioning using: %s" % (SIDeltaCertA2_resolved_LOCATION)) - print("test_19_A6_base_delta run output: {0}".format(provisioner_out)) + print("test_20_A6_base_delta SHOULD PASS provisioning using: %s" % (SIDeltaCertA2_resolved_LOCATION)) + print("test_20_A6_base_delta run output: {0}".format(provisioner_out)) - # Verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + # Verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A7_base_delta(self): - """Test Delta Certificates A7 - Provisioning with Good Base Platform, 2 Good Delta Certs and - 1 Bad Delta Cert with non present component""" - logging.info("*****************test_19_A7 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert with non present component") + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A7_base_delta(self): + """Test Delta Certificates A7 - Provisioning with Good Base Platform, 2 Good Delta Certs and + 1 Bad Delta Cert with non present component""" + logging.info("***************** test_20_A7 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert with non present component") - # Upload the VARDeltaCertA2 and provision - AcaPortal.upload_pk_cert(VARDeltaCertA2_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the VARDeltaCertA2 and provision + AcaPortal.upload_pk_cert(VARDeltaCertA2_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_A7_base_delta SHOULD FAIL provisioning using: %s" % (VARDeltaCertA2_LOCATION)) - print("test_19_A7_base_delta run output: {0}".format(provisioner_out)) + print("test_20_A7_base_delta SHOULD FAIL provisioning using: %s" % (VARDeltaCertA2_LOCATION)) + print("test_20_A7_base_delta run output: {0}".format(provisioner_out)) - # Provisioning should fail since the Delta contains a component thats not in the Base - self.assertIn("Provisioning failed", format(provisioner_out)) + # Provisioning should fail since the Delta contains a component thats not in the Base + self.assertIn("Provisioning failed", format(provisioner_out)) - # Upload the VARDeltaCertA2_resolved and provision - AcaPortal.upload_pk_cert(VARDeltaCertA2_resolved_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the VARDeltaCertA2_resolved and provision + AcaPortal.upload_pk_cert(VARDeltaCertA2_resolved_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_A7_base_delta SHOULD PASS provisioning using: %s" % (VARDeltaCertA2_resolved_LOCATION)) - print("test_19_A7_base_delta run output: {0}".format(provisioner_out)) + print("test_20_A7_base_delta SHOULD PASS provisioning using: %s" % (VARDeltaCertA2_resolved_LOCATION)) + print("test_20_A7_base_delta run output: {0}".format(provisioner_out)) - # Verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + # Verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A8_base_delta(self): - """Test Delta Certificates A8 - Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert - replacing component from previous, using the Delta as a base certificate""" - logging.info("*****************test_19_A8 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert replacing component from previous, using the Delta as a base certificate") + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A8_base_delta(self): + """Test Delta Certificates A8 - Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert + replacing component from previous, using the Delta as a base certificate""" + logging.info("***************** test_20_A8 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert replacing component from previous, using the Delta as a base certificate") - # Upload the SIDeltaCertA3 and provision - AcaPortal.upload_pk_cert(SIDeltaCertA3_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the SIDeltaCertA3 and provision + AcaPortal.upload_pk_cert(SIDeltaCertA3_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_A8_base_delta run output: {0}".format(provisioner_out)) - supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() + print("test_20_A8_base_delta run output: {0}".format(provisioner_out)) - # Verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + # Verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - @collectors(['BASE_DELTA_BAD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_B1_base_delta(self): - """Test Base/Delta Certificates B1 - Provisioning with Bad Platform Cert Base """ - logging.info("*****************test_19_B1 - beginning of delta certificate test *****************") - logging.info("Provisioning with Bad Platform Cert Base") + @collectors(['BASE_DELTA_BAD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_B1_base_delta(self): + """Test Base/Delta Certificates B1 - Provisioning with Bad Platform Cert Base """ + logging.info("***************** test_20_B1 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Bad Platform Cert Base") - logging.info("Check if ACA is online...") - AcaPortal.check_is_online() + logging.info("Check if ACA is online...") + AcaPortal.check_is_online() - logging.info("Uploading CA cert: " + CA_CERT_LOCATION) - AcaPortal.upload_ca_cert(CA_CERT_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + logging.info("Uploading CA cert: " + CA_CERT_LOCATION) + AcaPortal.upload_ca_cert(CA_CERT_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_B1_base_delta SHOULD FAIL provisioning using: %s" % (PBaseCertB_LOCATION)) - print("test_19_B1_base_delta run output: {0}".format(provisioner_out)) + print("test_20_B1_base_delta SHOULD FAIL provisioning using: %s" % (PBaseCertB_LOCATION)) + print("test_20_B1_base_delta run output: {0}".format(provisioner_out)) - # Provisioning should fail since the PC contains FAULTY components. - self.assertIn("Provisioning failed", format(provisioner_out)) + # Provisioning should fail since the PC contains FAULTY components. + self.assertIn("Provisioning failed", format(provisioner_out)) - @collectors(['BASE_DELTA_BAD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_B2_base_delta(self): - """Test Base/Delta Certificates B2 - Provisioning with Bad Platform Cert Base and 1 Good delta with 1 bad component unresolved""" - logging.info("*****************test_19_B2 - beginning of delta certificate test *****************") - logging.info("Provisioning with Bad Platform Cert Base and 1 Good delta with 1 bad component unresolved") + @collectors(['BASE_DELTA_BAD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_B2_base_delta(self): + """Test Base/Delta Certificates B2 - Provisioning with Bad Platform Cert Base and 1 Good delta with 1 bad component unresolved""" + logging.info("***************** test_20_B2 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Bad Platform Cert Base and 1 Good delta with 1 bad component unresolved") - # Verify device supply chain appraisal result is FAIL - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "FAIL") + # Verify device supply chain appraisal result is FAIL + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "FAIL") - # Upload the SIDeltaCertB1 and provision - AcaPortal.upload_pk_cert(SIDeltaCertB1_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the SIDeltaCertB1 and provision + AcaPortal.upload_pk_cert(SIDeltaCertB1_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_B2_base_delta SHOULD FAIL provisioning using: %s" % (SIDeltaCertB1_LOCATION)) - print("test_19_B2_base_delta run output: {0}".format(provisioner_out)) + print("test_20_B2_base_delta SHOULD FAIL provisioning using: %s" % (SIDeltaCertB1_LOCATION)) + print("test_20_B2_base_delta run output: {0}".format(provisioner_out)) - # Provisioning should fail since the delta contains FAULTY component. - self.assertIn("Provisioning failed", format(provisioner_out)) + # Provisioning should fail since the delta contains FAULTY component. + self.assertIn("Provisioning failed", format(provisioner_out)) - @collectors(['BASE_DELTA_BAD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_B3_base_delta(self): - """Test Base/Delta Certificates B3 - Provisioning with Bad Platform Cert Base and 2 Good delta with all component resolved""" - logging.info("*****************test_19_B3 - beginning of delta certificate test *****************") - logging.info("Provisioning with Bad Platform Cert Base and 2 Good delta with all component resolved") + @collectors(['BASE_DELTA_BAD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_B3_base_delta(self): + """Test Base/Delta Certificates B3 - Provisioning with Bad Platform Cert Base and 2 Good delta with all component resolved""" + logging.info("***************** test_20_B3 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Bad Platform Cert Base and 2 Good delta with all component resolved") - # Verify device supply chain appraisal result is FAIL - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "FAIL") + # Verify device supply chain appraisal result is FAIL + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "FAIL") - # Upload the VARDeltaCertB1 and provision - AcaPortal.upload_pk_cert(VARDeltaCertB1_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the VARDeltaCertB1 and provision + AcaPortal.upload_pk_cert(VARDeltaCertB1_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_B3_base_delta run output: {0}".format(provisioner_out)) + print("test_20_B3_base_delta run output: {0}".format(provisioner_out)) - # Verify device has been updated with supply chain appraisal of PASS - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - -def make_simple_ima_baseline(): - timestamp = get_current_timestamp() - - if CLIENT_OS == "centos6": - records = [{"path": "/lib/udev/console_init", - "hash": send_command_sha1sum("sha1sum /lib/udev/console_init")}, - {"path": "/bin/mknod", - "hash": send_command_sha1sum("sha1sum /bin/mknod")}] - elif CLIENT_OS == "centos7": - records = [{"path": "/lib/systemd/rhel-readonly", - "hash": send_command_sha1sum("sha1sum /lib/systemd/rhel-readonly")}, - {"path": "/bin/sort", - "hash": send_command_sha1sum("sha1sum /bin/sort")}] - elif CLIENT_OS == "ubuntu16": - records = [{"path": "/lib/systemd/systemd-udevd", - "hash": send_command_sha1sum("sha1sum /lib/systemd/systemd-udevd")}, - {"path": "/bin/udevadm", - "hash": send_command_sha1sum("sha1sum /bin/udevadm")}] - else: - logging.error("unsupported client os type: %s", CLIENT_OS) - - simple_baseline = {"name": "simple_ima_baseline_{0}".format(timestamp), - "description": "a simple hard-coded ima baseline for systems testing", - "records": records} - return simple_baseline - -def make_baseline_from_xml(xml_report, appraiser_type): - """search the xml for records and add each one to a dictionary.""" - timestamp = get_current_timestamp() - baseline_name = "full_{0}_baseline_{1}".format(appraiser_type, timestamp) - baseline_description = "{0} baseline created by parsing an xml report and uploaded for systems testing".format(appraiser_type) - baseline = {"name": baseline_name, "description": baseline_description} - baseline["records"] = [] - tree = parse_xml_with_stripped_namespaces(xml_report) - - if appraiser_type == "TPM": - pcr_tags = get_all_nodes_recursively(tree, "PcrValue") - for pcr_tag in pcr_tags: - tpm_digest = get_all_nodes_recursively(pcr_tag, "digest")[0].text - parsed_record = {} - parsed_record["pcr"] = pcr_tag.attrib['PcrNumber'] - parsed_record["hash"] = binascii.hexlify(binascii.a2b_base64(tpm_digest)) - baseline["records"].append(parsed_record) - if appraiser_type == "IMA": - ima_records = get_all_nodes_recursively(tree, "imaRecords") - for ima_record in ima_records: - ima_path = get_all_nodes_recursively(ima_record, "path")[0].text - ima_digest = get_all_nodes_recursively(ima_record, "digest")[0].text - parsed_record = {} - parsed_record['path'] = ima_path - hash64 = ima_digest - parsed_record["hash"] = ( - binascii.hexlify(binascii.a2b_base64(hash64))) - baseline["records"].append(parsed_record) - logging.info("created {0} baseline from xml with {1} records".format( - appraiser_type, str(len(baseline["records"])))) - return baseline - -def make_simple_ima_blacklist_baseline(): - return { - "name": "simple_ima_blacklist_baseline_{0}".format(get_current_timestamp()), - "description": "a simple blacklist ima baseline for systems testing", - "records": [{"path": "/boot/usb-storage-foo.ko"}] - #"records": [{"path": "usb-storage-foo.ko"}] - } - -def make_simple_ima_blacklist_baseline_with_hash(): - return { - "name": "simple_ima_blacklist_baseline_{0}".format(get_current_timestamp()), - "description": "a simple blacklist ima baseline for systems testing", - "records": [{"hash": USB_STORAGE_FILE_HASH}] - } - -def make_simple_ima_blacklist_baseline_with_file_and_hash(): - return { - "name": "simple_ima_blacklist_baseline_{0}".format(get_current_timestamp()), - "description": "a simple blacklist ima baseline for systems testing", - "records": [{"path": "usb-storage_2.ko", - "hash": USB_STORAGE_FILE_HASH}] - } - -def make_simple_ima_blacklist_baseline_with_updated_file_and_hash(): - return { - "name": "simple_ima_blacklist_baseline_{0}".format(get_current_timestamp()), - "description": "a simple blacklist ima baseline for systems testing", - "records": [{"path": "test-file", - "hash": USB_STORAGE_FILE_HASH_2}] - } + # Verify device has been updated with supply chain appraisal of PASS + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") if __name__ == '__main__': suite = unittest.TestLoader().loadTestsFromTestCase(SystemTest) diff --git a/.ci/system-tests/system_test_Driver.py b/.ci/system-tests/system_test_Driver.py index 11e8c62c..e6af58fe 100644 --- a/.ci/system-tests/system_test_Driver.py +++ b/.ci/system-tests/system_test_Driver.py @@ -20,17 +20,17 @@ import sys import argparse from system_test_core import HIRSPortal, AttestationCAPortal, collectors, \ - send_command, send_command_sha1sum, run_hirs_report, \ - run_hirs_provisioner_tpm2, parse_xml_with_stripped_namespaces, get_current_timestamp, \ + send_command, send_command_sha1sum, run_hirs_report, run_hirs_provisioner_tpm_1_2, \ + run_hirs_provisioner_tpm_2_0, parse_xml_with_stripped_namespaces, get_current_timestamp, \ get_all_nodes_recursively, touch_random_file_and_remove, get_random_pcr_hex_value, \ - is_ubuntu_client, is_tpm2, \ + is_ubuntu_client, is_tpm_2_0, is_tpm_1_2, \ DEFAULT_IMA_POLICY, DEFAULT_TPM_POLICY NUMBER_OF_PCRS = 24 suffix = os.environ.get('RANDOM_SYS_TEST_ID') if suffix != None: - print "Configuring with suffix " + suffix + print("Configuring with suffix: %s" % suffix) suffix = "-" + suffix else: suffix = "" @@ -38,13 +38,14 @@ else: # Change to point to your HIRS directory HOME_DIR = "/HIRS/" HIRS_ACA_PORTAL_IP="172.17.0.2" - +TPM_VERSION="2.0" +#TPM_VERSION="1.2" # Change accordingly #COLLECTOR_LIST = None #COLLECTOR_LIST = ["IMA"] -#COLLECTOR_LIST = ["TPM"] +COLLECTOR_LIST = ["TPM"] #COLLECTOR_LIST = ["IMA", "TPM"] -COLLECTOR_LIST = ["BASE_DELTA_GOOD"] +#COLLECTOR_LIST = ["BASE_DELTA_GOOD"] #COLLECTOR_LIST = ["BASE_DELTA_BAD"] FORMAT = "%(asctime)-15s %(message)s" @@ -65,7 +66,7 @@ CLIENT_HOSTNAME="hirs-client-"+ CLIENT_OS + "-tpm2" CLIENT=CLIENT_HOSTNAME SERVER_OS="$CLIENT_OS" SERVER_HOSTNAME="hirs-appraiser-$SERVER_OS" -TPM_VERSION="2.0" + HIRS_ATTESTATION_CA_PORTAL_URL = "https://" + \ HIRS_ACA_PORTAL_IP + ":" + \ HIRS_ACA_PORTAL_PORT + \ @@ -116,23 +117,29 @@ class SystemTest(unittest.TestCase): def tearDown(self): """Tears down the state for testing""" + def test_01_attestation_ca_portal_online(self): + """Test that the Attestation CA Portal is online and accessible by making a GET request. + If not online, an exception will be raised since the response code is non-200""" + logging.info("***************** Beginning of attestation ca portal online test *****************") + AcaPortal.check_is_online() + @collectors(['IMA', 'TPM'], COLLECTOR_LIST) - def test_01_empty_baselines(self): + def test_02_empty_baselines(self): """Test that appraisal succeeds with empty IMA and TPM baselines""" - logging.info("*****************test_01 - beginning of empty baseline test*****************") + logging.info("***************** Beginning of empty baseline test *****************") @collectors(['IMA'], COLLECTOR_LIST) - def test_02_small_ima_appraisal(self): + def test_03_small_ima_appraisal(self): """Test that appraisal works with a small hard-coded IMA baseline""" - logging.info("*****************test_02 - beginning of small IMA appraisal test*****************") + logging.info("***************** Beginning of small IMA appraisal test *****************") @collectors(['IMA'], COLLECTOR_LIST) - def test_03_large_ima_appraisal(self): + def test_04_large_ima_appraisal(self): """Test that appraisal works with a full-size IMA baseline""" - logging.info("*****************test_03 - beginning of large IMA appraisal test*****************") + logging.info("***************** Beginning of large IMA appraisal test *****************") @collectors(['IMA'], COLLECTOR_LIST) - def test_04_small_ima_appraisal_required_set_missing(self): + def test_05_small_ima_appraisal_required_set_missing(self): """Test that appraisal results in an appropriate alert generation when a required set file is missing steps: @@ -143,10 +150,10 @@ class SystemTest(unittest.TestCase): - run a report from the client machine using vagrant ssh - make sure it failed and that one appropriate alert was thrown """ - logging.info("*****************test_04 - beginning of small IMA appraisal test with required set missing*****************") + logging.info("***************** Beginning of small IMA appraisal test with required set missing *****************") @collectors(['TPM', 'IMA'], COLLECTOR_LIST) - def test_05_tpm_white_list_appraisal(self): + def test_06_tpm_white_list_appraisal(self): """Test that appraisal works with a TPM white list baseline steps: @@ -157,11 +164,11 @@ class SystemTest(unittest.TestCase): - set the default device group to point to that policy - run a report from the client machine """ - logging.info("*****************test_05 - beginning of TPM white list appraisal test*****************") + logging.info("***************** Beginning of TPM white list appraisal test *****************") @collectors(['IMA'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_06_ima_blacklist_appraisal(self): + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_07_ima_blacklist_appraisal(self): """Test that appraisal works with a small IMA blacklist baseline steps: @@ -171,11 +178,11 @@ class SystemTest(unittest.TestCase): - touch a file on the client that is contained in the blacklist - run another report from the client machine and ensure the appraisal fails """ - logging.info("*****************test_06 - beginning of blacklist IMA appraisal test*****************") + logging.info("***************** Beginning of blacklist IMA appraisal test *****************") @collectors(['IMA'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_07_delta_reports_required_set(self): + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_08_delta_reports_required_set(self): """Test that appraisal works with delta reports and required sets. steps: @@ -195,11 +202,11 @@ class SystemTest(unittest.TestCase): so it won't be included in this one. - Check that foo-bar-file is in this report, but not foo-file """ - logging.info("*****************test_07 - beginning of Delta Reports required set appraisal test*****************") + logging.info("***************** Beginning of Delta Reports required set appraisal test *****************") @collectors(['IMA'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_08_delta_reports_whitelist(self): + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_09_delta_reports_whitelist(self): """Test that appraisal works with delta reports. Each report should be appraised individually. Checks that a failed appraisal can be followed by a successful appraisal if there are no errors in the second delta @@ -223,11 +230,11 @@ class SystemTest(unittest.TestCase): report so it won't be included in this one. - Check that foo-file is not in this report """ - logging.info("*****************test_08 - beginning of Delta Reports whitelist appraisal test*****************") + logging.info("***************** Beginning of Delta Reports whitelist appraisal test *****************") @collectors(['IMA', 'TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_09_on_demand(self): + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_10_on_demand(self): """Test that on-demand (server-initiated) appraisal works. steps: @@ -241,11 +248,11 @@ class SystemTest(unittest.TestCase): - check that it has the random filename and hash - check that it contains a TPM Report """ - logging.info("*****************test_09 - beginning of on-demand test*****************") + logging.info("***************** Beginning of on-demand test *****************") @collectors(['IMA'], COLLECTOR_LIST) @unittest.skip("SELinux issues are preventing repo sync from working") - def test_10_failing_ima_appraisal_broad_repo_baseline(self): + def test_11_failing_ima_appraisal_broad_repo_baseline(self): """Test that an appraisal not containing expected packages in a broad repo IMA baseline fails. steps: @@ -255,12 +262,12 @@ class SystemTest(unittest.TestCase): - Run a HIRS report and ensure it fails - Ensure that at least one of the expected alerts has been generated """ - logging.info("*****************test_10 - beginning of broad repo failing appraisal test*****************") + logging.info("***************** Beginning of broad repo failing appraisal test *****************") @collectors(['IMA'], COLLECTOR_LIST) @unittest.skip("SELinux issues are preventing repo sync from working") @unittest.skipIf(is_ubuntu_client(CLIENT_OS), "Skipping this test due to client OS " + CLIENT_OS) - def test_11_successful_ima_appraisal_broad_repo_baseline(self): + def test_12_successful_ima_appraisal_broad_repo_baseline(self): """Test that an appraisal containing expected packages in a broad repo IMA baseline passes. This test only works on CentOS 6 and 7. @@ -272,358 +279,364 @@ class SystemTest(unittest.TestCase): - Run a HIRS report and ensure it passes - Ensure that there are no new alerts """ - logging.info("*****************test_11 - beginning of broad repo successful appraisal test*****************") + logging.info("***************** Beginning of broad repo successful appraisal test *****************") @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_12_attestation_ca_portal_online(self): - """Test that the Attestation CA Portal is online and accessible by making a GET request. - If not online, an exception will be raised since the response code is non-200""" - logging.info("*****************test_12 - beginning of attestation ca portal online test *****************") - AcaPortal.check_is_online() + @unittest.skipIf(not is_tpm_1_2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_13_tpm_1_2_initial_provision(self): + """Test that running the TPM 1.2 hirs provisioner works""" + logging.info("***************** Beginning of initial TPM 1.2 provisioner run *****************") + + # Run the provisioner to ensure that it provisions successfully + provisioner_out = run_hirs_provisioner_tpm_1_2(CLIENT) + print("Initial TPM 1.2 provisioner run output: {0}".format(provisioner_out)) @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_13_tpm2_initial_provision(self): - """Test that running the tpm2 hirs provisioner works""" - logging.info("*****************test_13 - beginning of initial provisioner run *****************") + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_14_tpm_2_0_initial_provision(self): + """Test that running the TPM 2.0 hirs provisioner works""" + logging.info("***************** Beginning of initial TPM 2.0 provisioner run *****************") + # Run the provisioner to ensure that it provisions successfully provisioner_out = run_hirs_provisioner_tpm2(CLIENT) print("Initial provisioner run output: {0}".format(provisioner_out)) @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_14_device_info_report_stored_after_provisioning(self): + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_15_device_info_report_stored_after_provisioning(self): """Test that running the hirs provisioner results in storing a device info report for - the device in the DB""" - logging.info("*****************test_14 - beginning of provisioner + device info report test *****************") - logging.info("getting devices from ACA portal") + the device in the DB""" + logging.info("***************** Beginning of device info report test *****************") + + logging.info("Getting devices from ACA portal...") aca_portal_devices = AcaPortal.get_devices() self.assertEqual(aca_portal_devices['recordsTotal'], 1) @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_15_supply_chain_validation_summary_stored_after_second_provisioning(self): + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_16_supply_chain_validation_summary_stored_after_second_provisioning(self): """Test that running the hirs provisioner, a second time, results in storing a supply chain validation record in the database""" - logging.info("*****************test_15 - beginning of provisioner + supply chain validation summary test *****************") - if is_tpm2(TPM_VERSION): - logging.info("Using TPM 2.0") - logging.info("Uploading CA cert: " + CA_CERT_LOCATION) - AcaPortal.upload_ca_cert(CA_CERT_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) - else: - # Supply chain validation only supported on CentOS 7 - if CLIENT_OS == "centos7": - AcaPortal.upload_ca_cert(EK_CA_CERT_LOCATION) - AcaPortal.enable_ec_validation() - provisioner_out = run_hirs_provisioner(CLIENT) - - print("Second provisioner run output: {0}".format(provisioner_out)) - supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() - # verify this is one SCVS record indicating PASS - self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 2) - self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") - self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") - # verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - - @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_16_ek_info_report(self): - """Test that running the hirs provisioner results in storing EK certs info report for - the device in the DB""" - logging.info("*****************test_16 - beginning of provisioner + Endorsement certs info report test *****************") - logging.info("getting ek certs from ACA portal") - cert_list = AcaPortal.get_ek_certs() - self.assertEqual(cert_list['recordsTotal'], 1) - self.assertEqual(cert_list['data'][0]['credentialType'], "TCPA Trusted Platform Module Endorsement") - - @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_17_pk_info_report(self): - """Test that running the hirs provisioner results in storing PK certs info report for - the device in the DB""" - logging.info("*****************test_17 - beginning of provisioner + Platform certs info report test *****************") - logging.info("getting pk certs from ACA portal") - cert_list = AcaPortal.get_pk_certs() - self.assertEqual(cert_list['recordsTotal'], 1) - self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") - - @collectors(['TPM'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_18_trust_chain_info_report(self): - """Test that running the hirs provisioner results in storing trust chains info report for - the device in the DB""" - logging.info("*****************test_18 - beginning of provisioner + Trust chains info report test *****************") - logging.info("getting trust chains from ACA portal") - trust_chain_list = AcaPortal.get_trust_chains() - self.assertEqual(trust_chain_list['recordsTotal'], 1) - - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A1_base_delta(self): - """Test Delta Certificates A1 - Provisioning with Good Base Platform Cert Base (via Platform Cert on TPM)""" - logging.info("*****************test_19_A1 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform Cert (via Platform Cert on TPM Emulator)") - - logging.info("Check if ACA is online...") - AcaPortal.check_is_online() + logging.info("***************** Beginning of supply chain validation summary test *****************") logging.info("Uploading CA cert: " + CA_CERT_LOCATION) AcaPortal.upload_ca_cert(CA_CERT_LOCATION) AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) - print("test_19_A1_base_delta run output: {0}".format(provisioner_out)) + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) + print("Second provisioner run output: {0}".format(provisioner_out)) - # Verify device supply chain appraisal result is PASS - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A2_base_delta(self): - """Test Delta Certificates A2 - Attempt to upload Base cert with holder already having a Base Platform Cert associated with it""" - logging.info("*****************test_19_A8 - beginning of delta certificate test *****************") - logging.info("Attempt to upload PBaseCertA, with PBaseCertA already loaded in the ACA.") - - print("test_19_A2_base_delta Platform Cert has already been loaded. Attempting to upload second Platform Cert: %s" % (PBaseCertA_LOCATION)) - - # Confirm there is a Platform Cert already loaded - cert_list = AcaPortal.get_pk_certs() - self.assertEqual(cert_list['recordsTotal'], 1) - self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") - self.assertEqual(cert_list['data'][0]['platformType'], "Base") - - # Try uploading a second Platform Base Cert - AcaPortal.upload_pk_cert(PBaseCertA_LOCATION) - - # Confirm Platform Base Cert has not been loaded - cert_list = AcaPortal.get_pk_certs() - self.assertEqual(cert_list['recordsTotal'], 1) - self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") - self.assertEqual(cert_list['data'][0]['platformType'], "Base") - - if (cert_list['recordsTotal'] == 1): - print ("SUCCESS.") - else: - print ("FAILED.") - - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A3_base_delta(self): - """Test Delta Certificates A3 - Provisioning with Good Base Platform Cert Base and 1 Delta Cert""" - logging.info("*****************test_19_A3 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform Cert Base and 1 Delta Cert") - - # Verify device supply chain appraisal result is PASS - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - - # Upload the SIDelta cert and provision - AcaPortal.upload_pk_cert(SIDeltaCertA1_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) - - print("test_19_A3_base_delta run output: {0}".format(provisioner_out)) supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() # verify this is one SCVS record indicating PASS self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 2) self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") + # verify device has been updated with supply chain appraisal result devices = AcaPortal.get_devices() self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A4_base_delta(self): - """Test Delta Certificates A4 - Provisioning with Good Base Platform Cert Base and 2 Delta Certs""" - logging.info("*****************test_19_A4 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform Cert Base and 2 Delta Certs") + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_17_ek_info_report(self): + """Test that running the hirs provisioner results in storing EK certs info report for + the device in the DB""" + logging.info("***************** Beginning of Endorsement Certs info report test *****************") - # Verify device supply chain appraisal result is PASS - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + logging.info("Getting EK Certs from ACA portal...") + cert_list = AcaPortal.get_ek_certs() + self.assertEqual(cert_list['recordsTotal'], 1) + self.assertEqual(cert_list['data'][0]['credentialType'], "TCPA Trusted Platform Module Endorsement") - # Upload the VARDelta cert and provision - AcaPortal.upload_pk_cert(VARDeltaCertA1_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_18_pk_info_report(self): + """Test that running the hirs provisioner results in storing PK certs info report for + the device in the DB""" + logging.info("***************** Beginning Platform Certs info report test *****************") - print("test_19_A4_base_delta run output: {0}".format(provisioner_out)) - supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() - # verify this is one SCVS record indicating PASS - self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 3) - self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") - self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") - self.assertEqual(supply_chain_validation_summaries['data'][2]['overallValidationResult'], "PASS") - # verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + logging.info("Getting PK Certs from ACA portal...") + cert_list = AcaPortal.get_pk_certs() + self.assertEqual(cert_list['recordsTotal'], 1) + self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") + + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_trust_chain_info_report(self): + """Test that running the hirs provisioner results in storing trust chains info report for + the device in the DB""" + logging.info("***************** Beginning of Trust Chain info report test *****************") + + logging.info("Getting Trust Chains from ACA portal...") + trust_chain_list = AcaPortal.get_trust_chains() + self.assertEqual(trust_chain_list['recordsTotal'], 1) @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A5_base_delta(self): - """Test Delta Certificates A5 - Provisioning with Good Base Platform Cert and 1 Bad Delta Cert""" - logging.info("*****************test_19_A5 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform Cert and 1 Bad Delta Cert") + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A1_base_delta(self): + """Test Delta Certificates A1 - Provisioning with Good Base Platform Cert (via Platform Cert on TPM Emulator)""" + logging.info("***************** test_20_A1 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert (via Platform Cert on TPM Emulator)") + + logging.info("Check if ACA is online...") + AcaPortal.check_is_online() + + logging.info("Uploading CA Cert: " + CA_CERT_LOCATION) + AcaPortal.upload_ca_cert(CA_CERT_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) + + print("test_20_A1_base_delta run output: {0}".format(provisioner_out)) + + # Verify device supply chain appraisal result is PASS + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A2_base_delta(self): + """Test Delta Certificates A2 - Attempt to upload Base cert with holder already having a Base Platform Cert associated with it""" + logging.info("***************** test_20_A2 - Beginning of delta certificate test *****************") + logging.info("Attempt to upload PBaseCertB, with PBaseCertA already loaded in the ACA.") + + print("test_20_A2_base_delta. PBaseCertA has already been loaded. Attempting to upload second Platform Cert: %s" % (PBaseCertB_LOCATION)) + + # Confirm there is one Platform Base Cert already loaded + cert_list = AcaPortal.get_pk_certs() + self.assertEqual(cert_list['recordsTotal'], 1) + print("Number of Platform Certs: %d" % (cert_list['recordsTotal'])) + self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") + self.assertEqual(cert_list['data'][0]['platformType'], "Base") + + # Try uploading a second Platform Base Cert + print("Attempting to upload a second Platform Base Cert...") + AcaPortal.upload_pk_cert(PBaseCertB_LOCATION) + + # Confirm Platform Base Cert has not been loaded + cert_list = AcaPortal.get_pk_certs() + self.assertEqual(cert_list['recordsTotal'], 1) + print("Number of Platform Certs: %d" % (cert_list['recordsTotal'])) + self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") + self.assertEqual(cert_list['data'][0]['platformType'], "Base") + + if (cert_list['recordsTotal'] == 1): + print ("SUCCESS.\n") + else: + print ("FAILED.\n") + + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A3_base_delta(self): + """Test Delta Certificates A3 - Provisioning with Good Base Platform Cert Base and 1 Delta Cert""" + logging.info("***************** test_20_A3 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert Base and 1 Delta Cert") + + # Verify device supply chain appraisal result is PASS + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + + # Upload the SIDeltaCertA1 and provision + AcaPortal.upload_pk_cert(SIDeltaCertA1_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) + print("test_20_A3_base_delta run output: {0}".format(provisioner_out)) + + supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() + # Verify this is one SCVS record indicating PASS + self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 2) + self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") + self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") + + # Verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A4_base_delta(self): + """Test Delta Certificates A4 - Provisioning with Good Base Platform Cert Base and 2 Delta Certs""" + logging.info("***************** test_20_A4 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert Base and 2 Delta Certs") + + # Verify device supply chain appraisal result is PASS + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + + # Upload the VARDeltaCertA1 and provision + AcaPortal.upload_pk_cert(VARDeltaCertA1_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) + + print("test_20_A4_base_delta run output: {0}".format(provisioner_out)) + supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() + + # Verify this is one SCVS record indicating PASS + self.assertEqual(supply_chain_validation_summaries['recordsTotal'], 3) + self.assertEqual(supply_chain_validation_summaries['data'][0]['overallValidationResult'], "PASS") + self.assertEqual(supply_chain_validation_summaries['data'][1]['overallValidationResult'], "PASS") + self.assertEqual(supply_chain_validation_summaries['data'][2]['overallValidationResult'], "PASS") + + # Verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + + @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A5_base_delta(self): + """Test Delta Certificates A5 - Provisioning with Good Base Platform Cert and 1 Bad Delta Cert""" + logging.info("***************** test_20_A5 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert and 1 Bad Delta Cert") # TODO: Determine if we need this test @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A6_base_delta(self): - """Test Delta Certificates A6 - Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert""" - logging.info("*****************test_19_A6 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert") + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A6_base_delta(self): + """Test Delta Certificates A6 - Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert""" + logging.info("***************** test_20_A6 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert") - # Verify device supply chain appraisal result is PASS - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + # Verify device supply chain appraisal result is PASS + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - # Upload the SIDeltaCertA2 and provision - AcaPortal.upload_pk_cert(SIDeltaCertA2_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the SIDeltaCertA2 and provision + AcaPortal.upload_pk_cert(SIDeltaCertA2_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_A6_base_delta SHOULD FAIL provisioning using: %s" % (SIDeltaCertA2_LOCATION)) - print("test_19_A6_base_delta run output: {0}".format(provisioner_out)) + print("test_20_A6_base_delta SHOULD FAIL provisioning using: %s" % (SIDeltaCertA2_LOCATION)) + print("test_20_A6_base_delta run output: {0}".format(provisioner_out)) - # Provisioning should fail since the Delta contains a bad component. - self.assertIn("Provisioning failed", format(provisioner_out)) + # Provisioning should fail since the Delta contains a bad component. + self.assertIn("Provisioning failed", format(provisioner_out)) - # Upload the SIDeltaCertA2_resolved cert and provision - AcaPortal.upload_pk_cert(SIDeltaCertA2_resolved_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the SIDeltaCertA2_resolved and provision + AcaPortal.upload_pk_cert(SIDeltaCertA2_resolved_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_A6_base_delta SHOULD PASS provisioning using: %s" % (SIDeltaCertA2_resolved_LOCATION)) - print("test_19_A6_base_delta run output: {0}".format(provisioner_out)) + print("test_20_A6_base_delta SHOULD PASS provisioning using: %s" % (SIDeltaCertA2_resolved_LOCATION)) + print("test_20_A6_base_delta run output: {0}".format(provisioner_out)) - # verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + # Verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A7_base_delta(self): - """Test Delta Certificates A7 - Provisioning with Good Base Platform, 2 Good Delta Certs and - 1 Bad Delta Cert with non present component""" - logging.info("*****************test_19_A7 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert with non present component") + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A7_base_delta(self): + """Test Delta Certificates A7 - Provisioning with Good Base Platform, 2 Good Delta Certs and + 1 Bad Delta Cert with non present component""" + logging.info("***************** test_20_A7 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert with non present component") - # Upload the VARDeltaCertA2 and provision - AcaPortal.upload_pk_cert(VARDeltaCertA2_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the VARDeltaCertA2 and provision + AcaPortal.upload_pk_cert(VARDeltaCertA2_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_A7_base_delta SHOULD FAIL provisioning using: %s" % (VARDeltaCertA2_LOCATION)) - print("test_19_A7_base_delta run output: {0}".format(provisioner_out)) + print("test_20_A7_base_delta SHOULD FAIL provisioning using: %s" % (VARDeltaCertA2_LOCATION)) + print("test_20_A7_base_delta run output: {0}".format(provisioner_out)) - # Provisioning should fail since the Delta contains a component thats not in the Base - self.assertIn("Provisioning failed", format(provisioner_out)) + # Provisioning should fail since the Delta contains a component thats not in the Base + self.assertIn("Provisioning failed", format(provisioner_out)) - # Upload the VARDeltaCertA2_resolved and provision - AcaPortal.upload_pk_cert(VARDeltaCertA2_resolved_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the VARDeltaCertA2_resolved and provision + AcaPortal.upload_pk_cert(VARDeltaCertA2_resolved_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_A7_base_delta SHOULD PASS provisioning using: %s" % (VARDeltaCertA2_resolved_LOCATION)) - print("test_19_A7_base_delta run output: {0}".format(provisioner_out)) + print("test_20_A7_base_delta SHOULD PASS provisioning using: %s" % (VARDeltaCertA2_resolved_LOCATION)) + print("test_20_A7_base_delta run output: {0}".format(provisioner_out)) - # verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + # Verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") @collectors(['BASE_DELTA_GOOD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_A8_base_delta(self): - """Test Delta Certificates A8 - Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert - replacing component from previous, using the Delta as a base certificate""" - logging.info("*****************test_19_A8 - beginning of delta certificate test *****************") - logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert replacing component from previous, using the Delta as a base certificate") + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_A8_base_delta(self): + """Test Delta Certificates A8 - Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert + replacing component from previous, using the Delta as a base certificate""" + logging.info("***************** test_20_A8 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert replacing component from previous, using the Delta as a base certificate") - # Upload the SIDeltaCertA3 and provision - AcaPortal.upload_pk_cert(SIDeltaCertA3_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the SIDeltaCertA3 and provision + AcaPortal.upload_pk_cert(SIDeltaCertA3_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_A8_base_delta run output: {0}".format(provisioner_out)) - supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() + print("test_20_A8_base_delta run output: {0}".format(provisioner_out)) - # Verify device has been updated with supply chain appraisal result - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + # Verify device has been updated with supply chain appraisal result + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") @collectors(['BASE_DELTA_BAD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_B1_base_delta(self): - """Test Delta Certificates B1 - Provisioning with Bad Platform Cert Base (ACA upload)""" - logging.info("*****************test_19_B1 - beginning of delta certificate test *****************") - logging.info("Provisioning with Bad Platform Cert Base") - logging.info("Check if ACA is online...") - AcaPortal.check_is_online() + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_B1_base_delta(self): + """Test Base/Delta Certificates B1 - Provisioning with Bad Platform Cert Base """ + logging.info("***************** test_20_B1 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Bad Platform Cert Base") - if is_tpm2(TPM_VERSION): - logging.info("Using TPM 2.0") - logging.info("Uploading CA cert: " + CA_CERT_LOCATION) - AcaPortal.upload_ca_cert(CA_CERT_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + logging.info("Check if ACA is online...") + AcaPortal.check_is_online() - print("test_19_B1_base_delta run output: {0}".format(provisioner_out)) + logging.info("Uploading CA cert: " + CA_CERT_LOCATION) + AcaPortal.upload_ca_cert(CA_CERT_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - # Provisioning should fail since the PC contains FAULTY component. - self.assertIn("Provisioning failed", format(provisioner_out)) + print("test_20_B1_base_delta SHOULD FAIL provisioning using: %s" % (PBaseCertB_LOCATION)) + print("test_20_B1_base_delta run output: {0}".format(provisioner_out)) + + # Provisioning should fail since the PC contains FAULTY components. + self.assertIn("Provisioning failed", format(provisioner_out)) @collectors(['BASE_DELTA_BAD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_B2_base_delta(self): - """Test Delta Certificates B2 - Provisioning with Bad Platform Cert Base and 1 Good delta with 1 bad component unresolved""" - logging.info("*****************test_19_B2 - beginning of delta certificate test *****************") - logging.info("Provisioning with Bad Platform Cert Base and 1 Good delta with 1 bad component unresolved") - logging.info("Uploading Delta Platform Cert: " + SIDeltaCertB1_LOCATION) + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_B2_base_delta(self): + """Test Base/Delta Certificates B2 - Provisioning with Bad Platform Cert Base and 1 Good delta with 1 bad component unresolved""" + logging.info("***************** test_20_B2 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Bad Platform Cert Base and 1 Good delta with 1 bad component unresolved") - # Verify device supply chain appraisal result is FAIL - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "FAIL") + # Verify device supply chain appraisal result is FAIL + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "FAIL") - # Upload the SIDeltaCertB1 and provision - AcaPortal.upload_pk_cert(SIDeltaCertB1_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the SIDeltaCertB1 and provision + AcaPortal.upload_pk_cert(SIDeltaCertB1_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_B2_base_delta SHOULD FAIL provisioning using: %s" % (SIDeltaCertB1_LOCATION)) - print("test_19_B2_base_delta run output: {0}".format(provisioner_out)) + print("test_20_B2_base_delta SHOULD FAIL provisioning using: %s" % (SIDeltaCertB1_LOCATION)) + print("test_20_B2_base_delta run output: {0}".format(provisioner_out)) - # Provisioning should fail since the delta contains FAULTY component. - self.assertIn("Provisioning failed", format(provisioner_out)) + # Provisioning should fail since the delta contains FAULTY component. + self.assertIn("Provisioning failed", format(provisioner_out)) @collectors(['BASE_DELTA_BAD'], COLLECTOR_LIST) - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) - def test_19_B3_base_delta(self): - """Test Delta Certificates B3 - Provisioning with Bad Platform Cert Base and 2 Good delta with all component resolved""" - logging.info("*****************test_19_B3 - beginning of delta certificate test *****************") - logging.info("Provisioning with Bad Platform Cert Base and 2 Good delta with all component resolved") + @unittest.skipIf(not is_tpm_2_0(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_20_B3_base_delta(self): + """Test Base/Delta Certificates B3 - Provisioning with Bad Platform Cert Base and 2 Good delta with all component resolved""" + logging.info("***************** test_20_B3 - Beginning of delta certificate test *****************") + logging.info("Provisioning with Bad Platform Cert Base and 2 Good delta with all component resolved") - # Verify device supply chain appraisal result is FAIL - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "FAIL") + # Verify device supply chain appraisal result is FAIL + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "FAIL") - # Upload the VARDeltaCertB1 and provision - AcaPortal.upload_pk_cert(VARDeltaCertB1_LOCATION) - AcaPortal.enable_supply_chain_validations() - provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + # Upload the VARDeltaCertB1 and provision + AcaPortal.upload_pk_cert(VARDeltaCertB1_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm_2_0(CLIENT) - print("test_19_B3_base_delta run output: {0}".format(provisioner_out)) + print("test_20_B3_base_delta run output: {0}".format(provisioner_out)) - # Verify device has been updated with supply chain appraisal of PASS - devices = AcaPortal.get_devices() - self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") + # Verify device has been updated with supply chain appraisal of PASS + devices = AcaPortal.get_devices() + self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") if __name__ == '__main__': suite = unittest.TestLoader().loadTestsFromTestCase(SystemTest) diff --git a/.ci/system-tests/system_test_core.py b/.ci/system-tests/system_test_core.py index 4c097533..f2dc49b7 100644 --- a/.ci/system-tests/system_test_core.py +++ b/.ci/system-tests/system_test_core.py @@ -290,8 +290,8 @@ class AttestationCAPortal: def disable_supply_chain_validations(self): - # the initial POST request goes through, but the redirect from the server is attempted which results in a 404, - # or possibly a 200 on centos7, apparently. + # The initial POST request goes through, but the redirect from the server is attempted + # which results in a 404, or possibly a 200 on centos7, apparently. self.request("post", "portal/policy/update-ec-validation", expected_status_codes=[404, 200], params={'ecValidate': "unchecked",}) self.request("post", "portal/policy/update-pc-validation", @@ -301,8 +301,8 @@ class AttestationCAPortal: def enable_supply_chain_validations(self): - # the initial POST request goes through, but the redirect from the server is attempted which results in a 404, - # or possibly a 200 on centos7, apparently. + # The initial POST request goes through, but the redirect from the server is attempted + # which results in a 404, or possibly a 200 on centos7, apparently. self.request("post", "portal/policy/update-ec-validation", expected_status_codes=[404, 200], params={'ecValidate': "checked",}) self.request("post", "portal/policy/update-pc-validation", @@ -422,10 +422,16 @@ def run_hirs_report_and_clear_cache(client_hostname): CACHED_XML_REPORT = None return client_out -def run_hirs_provisioner_tpm2(client_hostname): - """Runs the hirs provisioner TPM2 +def run_hirs_provisioner_tpm_1_2(client_hostname): + """Runs the hirs provisioner TPM 1.2""" + logging.info("running hirs provisioner TPM 1.2 on {0}".format(client_hostname)) + client_out = send_command("hirs-provisioner provision") + return client_out + +def run_hirs_provisioner_tpm_2_0(client_hostname): + """Runs the hirs provisioner TPM 2.0 """ - logging.info("running hirs provisioner tpm2 on {0}".format(client_hostname)) + logging.info("running hirs provisioner TPM 2.0 on {0}".format(client_hostname)) client_out = send_command("hirs-provisioner-tpm2 provision") return client_out @@ -448,7 +454,6 @@ def parse_xml_with_stripped_namespaces(raw_xml_string): def get_all_nodes_recursively(tree_node, node_name): return tree_node.findall('.//' + node_name) - def touch_random_file_and_remove(client_hostname): """Write a random string to a random filename in /tmp/, read it as root, then delete it. """ @@ -461,11 +466,99 @@ def touch_random_file_and_remove(client_hostname): rm_command = "rm {}".format(filename) combined_command = "{};{};{};{}".format(echo_command, cat_command, sha_command, rm_command) -# command_output = send_vagrant_command(combined_command, client_hostname) sha_hash = command_output.split()[1] return (filename, sha_hash) +def make_simple_ima_baseline(): + timestamp = get_current_timestamp() + + if CLIENT_OS == "centos6": + records = [{"path": "/lib/udev/console_init", + "hash": send_command_sha1sum("sha1sum /lib/udev/console_init")}, + {"path": "/bin/mknod", + "hash": send_command_sha1sum("sha1sum /bin/mknod")}] + elif CLIENT_OS == "centos7": + records = [{"path": "/lib/systemd/rhel-readonly", + "hash": send_command_sha1sum("sha1sum /lib/systemd/rhel-readonly")}, + {"path": "/bin/sort", + "hash": send_command_sha1sum("sha1sum /bin/sort")}] + elif CLIENT_OS == "ubuntu16": + records = [{"path": "/lib/systemd/systemd-udevd", + "hash": send_command_sha1sum("sha1sum /lib/systemd/systemd-udevd")}, + {"path": "/bin/udevadm", + "hash": send_command_sha1sum("sha1sum /bin/udevadm")}] + else: + logging.error("unsupported client os type: %s", CLIENT_OS) + + simple_baseline = {"name": "simple_ima_baseline_{0}".format(timestamp), + "description": "a simple hard-coded ima baseline for systems testing", + "records": records} + return simple_baseline + +def make_baseline_from_xml(xml_report, appraiser_type): + """search the xml for records and add each one to a dictionary.""" + timestamp = get_current_timestamp() + baseline_name = "full_{0}_baseline_{1}".format(appraiser_type, timestamp) + baseline_description = "{0} baseline created by parsing an xml report and uploaded for systems testing".format(appraiser_type) + baseline = {"name": baseline_name, "description": baseline_description} + baseline["records"] = [] + tree = parse_xml_with_stripped_namespaces(xml_report) + + if appraiser_type == "TPM": + pcr_tags = get_all_nodes_recursively(tree, "PcrValue") + for pcr_tag in pcr_tags: + tpm_digest = get_all_nodes_recursively(pcr_tag, "digest")[0].text + parsed_record = {} + parsed_record["pcr"] = pcr_tag.attrib['PcrNumber'] + parsed_record["hash"] = binascii.hexlify(binascii.a2b_base64(tpm_digest)) + baseline["records"].append(parsed_record) + if appraiser_type == "IMA": + ima_records = get_all_nodes_recursively(tree, "imaRecords") + for ima_record in ima_records: + ima_path = get_all_nodes_recursively(ima_record, "path")[0].text + ima_digest = get_all_nodes_recursively(ima_record, "digest")[0].text + parsed_record = {} + parsed_record['path'] = ima_path + hash64 = ima_digest + parsed_record["hash"] = ( + binascii.hexlify(binascii.a2b_base64(hash64))) + baseline["records"].append(parsed_record) + logging.info("created {0} baseline from xml with {1} records".format( + appraiser_type, str(len(baseline["records"])))) + return baseline + +def make_simple_ima_blacklist_baseline(): + return { + "name": "simple_ima_blacklist_baseline_{0}".format(get_current_timestamp()), + "description": "a simple blacklist ima baseline for systems testing", + "records": [{"path": "/boot/usb-storage-foo.ko"}] + #"records": [{"path": "usb-storage-foo.ko"}] + } + +def make_simple_ima_blacklist_baseline_with_hash(): + return { + "name": "simple_ima_blacklist_baseline_{0}".format(get_current_timestamp()), + "description": "a simple blacklist ima baseline for systems testing", + "records": [{"hash": USB_STORAGE_FILE_HASH}] + } + +def make_simple_ima_blacklist_baseline_with_file_and_hash(): + return { + "name": "simple_ima_blacklist_baseline_{0}".format(get_current_timestamp()), + "description": "a simple blacklist ima baseline for systems testing", + "records": [{"path": "usb-storage_2.ko", + "hash": USB_STORAGE_FILE_HASH}] + } + +def make_simple_ima_blacklist_baseline_with_updated_file_and_hash(): + return { + "name": "simple_ima_blacklist_baseline_{0}".format(get_current_timestamp()), + "description": "a simple blacklist ima baseline for systems testing", + "records": [{"path": "test-file", + "hash": USB_STORAGE_FILE_HASH_2}] + } + def get_random_pcr_hex_value(): """ Gets a random TPM PCR value by combining 2 UUIDs and getting a substring """ @@ -479,5 +572,8 @@ def get_current_timestamp(): def is_ubuntu_client(client_os): return client_os in ["ubuntu14", "ubuntu16"] -def is_tpm2(tpm_version): +def is_tpm_1_2(tpm_version): + return tpm_version in ["1.2"] + +def is_tpm_2_0(tpm_version): return tpm_version in ["2.0", "2"] diff --git a/.ci/system-tests/systems-test-centos7-tpm1-2.sh b/.ci/system-tests/systems-test-centos7-tpm1-2.sh new file mode 100755 index 00000000..1383eb34 --- /dev/null +++ b/.ci/system-tests/systems-test-centos7-tpm1-2.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +export CLIENT_OS=centos7 +export CLIENT_HOSTNAME=hirs-client-$CLIENT_OS-tpm1_2 + +export SERVER_OS=$CLIENT_OS +export SERVER_HOSTNAME=hirs-appraiser-$SERVER_OS + +export ENABLED_COLLECTORS=TPM +export TPM_VERSION=1.2 + +$SCRIPT_DIR/systems-test.core.sh diff --git a/.ci/system-tests/systems-test.core.sh b/.ci/system-tests/systems-test.core.sh index 839b423b..530b58c4 100755 --- a/.ci/system-tests/systems-test.core.sh +++ b/.ci/system-tests/systems-test.core.sh @@ -20,9 +20,9 @@ SYSTEM_TEST_EXIT_CODE=$PIPESTATUS # Check result if [[ $SYSTEM_TEST_EXIT_CODE == 0 ]] then - echo "SUCCESS: System tests passed" + echo "SUCCESS: System tests TPM $TPM_VERSION passed" exit 0 fi -echo "ERROR: System tests failed" +echo "ERROR: System tests TPM $TPM_VERSION failed" exit 1 diff --git a/.travis.yml b/.travis.yml index a1faa97b..5d5a3fd7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -43,16 +43,16 @@ jobs: - stage: Packaging and System Tests script: .ci/system-tests/./run-system-tests.sh env: null - name: "System Tests" + name: "System Tests TPM 1.2" - stage: Packaging and System Tests script: .ci/system-tests/./run-system-tests-tpm2.sh env: null - name: "System Tests TPM2" + name: "System Tests TPM 2.0" - stage: Packaging and System Tests script: .ci/system-tests/./run-system-tests-tpm2-base-delta-bad.sh env: null - name: "System Tests TPM2 Base/Delta Bad" + name: "System Tests TPM 2.0 Base/Delta(Bad)" - stage: Packaging and System Tests script: .ci/system-tests/./run-system-tests-tpm2-base-delta-good.sh env: null - name: "System Tests TPM2 Base/Delta Good" + name: "System Tests TPM 2.0 Base/Delta(Good)" diff --git a/HIRS_Utils/src/main/java/hirs/utils/VersionHelper.java b/HIRS_Utils/src/main/java/hirs/utils/VersionHelper.java index 36d4f9be..f4659ccb 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/VersionHelper.java +++ b/HIRS_Utils/src/main/java/hirs/utils/VersionHelper.java @@ -1,13 +1,12 @@ package hirs.utils; +import com.google.common.base.Charsets; +import com.google.common.io.Resources; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import java.io.BufferedReader; -import java.io.FileInputStream; -import java.io.InputStreamReader; -import java.io.File; import java.io.IOException; +import java.net.URL; /** * Utility class to get the current version from the VERSION file. @@ -59,16 +58,7 @@ public final class VersionHelper { * @throws IOException */ private static String getFileContents(final String filename) throws IOException { - - File versionFileLink = new File(VersionHelper.class.getClassLoader() - .getResource(filename).getFile()); - String versionFilePath = versionFileLink.getCanonicalPath(); - BufferedReader reader = new BufferedReader( - new InputStreamReader( - new FileInputStream(versionFilePath), "UTF-8")); - String version = reader.readLine(); - reader.close(); - - return version; + URL url = Resources.getResource(filename); + return Resources.toString(url, Charsets.UTF_8).trim(); } } diff --git a/HIRS_Utils/src/test/java/hirs/utils/VersionHelperTest.java b/HIRS_Utils/src/test/java/hirs/utils/VersionHelperTest.java index 364a0b55..74f05c40 100644 --- a/HIRS_Utils/src/test/java/hirs/utils/VersionHelperTest.java +++ b/HIRS_Utils/src/test/java/hirs/utils/VersionHelperTest.java @@ -14,8 +14,8 @@ public class VersionHelperTest { @Test public void testGetVersionFail() { - String version = VersionHelper.getVersion("somefile"); - Assert.assertEquals(version, ""); + String actual = VersionHelper.getVersion("somefile"); + Assert.assertTrue(actual.startsWith("")); } /**