Merge pull request #322 from nsacyber/platform_cert_missing_fix

Platform Certificate Upload Modification
2025-01-31 00:24:00 +00:00 · 2020-12-02 11:01:27 -05:00 · 2020-12-02 11:01:27 -05:00 · a3f5386b21
commit a3f5386b21
parent a3ba12f7b7 70662bddec
7 changed files with 77 additions and 13 deletions
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@ -410,8 +410,12 @@ public abstract class AbstractAttestationCertificateAuthority
        // parse the EK Public key from the IdentityClaim once for use in supply chain validation
        // and later tpm20MakeCredential function
        RSAPublicKey ekPub = parsePublicKey(claim.getEkPublicArea().toByteArray());
-
-        AppraisalStatus.Status validationResult = doSupplyChainValidation(claim, ekPub);
+        AppraisalStatus.Status validationResult = AppraisalStatus.Status.FAIL;
+        try {
+            validationResult = doSupplyChainValidation(claim, ekPub);
+        } catch (Exception ex) {
+            LOG.error(ex);
+        }
        if (validationResult == AppraisalStatus.Status.PASS) {

            RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray());
@ -781,6 +785,8 @@ public abstract class AbstractAttestationCertificateAuthority
            } catch (IOException ioEx) {
                LOG.error(ioEx);
            }
+        } else {
+            LOG.warn("Device did not send swid tag file...");
        }

        if (dv.hasLogfile()) {
@ -816,9 +822,12 @@ public abstract class AbstractAttestationCertificateAuthority
            } catch (IOException ioEx) {
                LOG.error(ioEx);
            }
+        } else {
+            LOG.warn("Device did not send support RIM file...");
        }

        if (dv.hasLivelog()) {
+            LOG.info("Device sent bios measurement log...");
            fileName = String.format("%s.measurement",
                    clientName);
            try {
@ -827,6 +836,7 @@ public abstract class AbstractAttestationCertificateAuthority
                        .byManufacturer(dv.getHw().getManufacturer())
                        .includeArchived().getRIM();
                if (support != null) {
+                    LOG.info("Previous bios measurement log found and being replaced...");
                    this.referenceManifestManager.delete(support);
                }
                support = new EventLogMeasurements(fileName,
@ -838,6 +848,8 @@ public abstract class AbstractAttestationCertificateAuthority
            } catch (IOException ioEx) {
                LOG.error(ioEx);
            }
+        } else {
+            LOG.warn("Device did not send bios measurement log...");
        }

        // Get TPM info, currently unimplemented
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@ -369,8 +369,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                .byManufacturer(manufacturer).getRIM();
        supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager)
                .byManufacturer(manufacturer).getRIM();
-        List<SwidResource> resources =
-                ((BaseReferenceManifest) baseReferenceManifest).parseResource();
        measurement = EventLogMeasurements.select(referenceManifestManager)
                .byManufacturer(manufacturer).includeArchived().getRIM();

@ -390,6 +388,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
        }

        if (passed) {
+            List<SwidResource> resources =
+                    ((BaseReferenceManifest) baseReferenceManifest).parseResource();
            fwStatus = new AppraisalStatus(PASS,
                    SupplyChainCredentialValidator.FIRMWARE_VALID);

--- a/HIRS_ProvisionerTPM2/include/Utils.h
+++ b/HIRS_ProvisionerTPM2/include/Utils.h
@ -5,6 +5,7 @@
 #define HIRS_PROVISIONERTPM2_INCLUDE_UTILS_H_

 #include <string>
+#include <vector>

 namespace hirs {

@ -32,6 +33,8 @@ namespace file_utils {

    std::string getFileAsOneLineOrEmptyString(const std::string& filename);

+    std::vector<std::string> searchDirectory(const std::string& directory);
+
    void writeBinaryFile(const std::string& bytes,
                         const std::string& filename);

--- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
+++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
@ -41,9 +41,11 @@ fi
 ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner

 TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties"
-MAINFEST_DIRECTORY="/boot/tcg/manifest"
-LOG_FILE_LOCATION="$MAINFEST_DIRECTORY/rim/"
-TAG_FILE_LOCATION="$MAINFEST_DIRECTORY/swidtag/"
+TCG_DIRECTORY="/boot/tcg"
+LOG_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/"
+TAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/"
+CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/"
+BINARY_BIOS_MEASUREMENTS="/sys/kernel/security/tpm0/binary_bios_measurements"

 if [ ! -f "$TCG_BOOT_FILE" ]; then
  touch "$TCG_BOOT_FILE"
@ -59,4 +61,12 @@ if [ -d "$TAG_FILE_LOCATION" ]; then
  echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE"
 fi

+if [ -d "$CREDENTIALS_LOCATION" ]; then
+  echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_BOOT_FILE"
+fi
+
+if [ -f "$BINARY_BIOS_MEASUREMENTS" ]; then
+  echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_BOOT_FILE"
+fi
+
 chmod -w "$TCG_BOOT_FILE"
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
@ -44,6 +44,7 @@ int provision() {
    Logger logger = Logger::getDefaultLogger();

    CommandTpm2 tpm2;
+    Properties props("/etc/hirs/tcg_boot.properties");
    tpm2.setAuthData();

    // get endorsement credential and endorsement key
@ -62,16 +63,30 @@ int provision() {
    cout << "----> Collecting platform credential from TPM" << endl;
    string platformCredential = tpm2.getPlatformCredentialDefault();
    std::vector<string> platformCredentials;
-    platformCredentials.push_back(platformCredential);
+
+    // if platformCredential is empty, not in TPM
+    // pull from properties file
+    if (platformCredential.empty()) {
+        const std::string& cert_dir = props.get("tcg.cert.dir", "");
+        try {
+            platformCredentials =
+                    hirs::file_utils::searchDirectory(cert_dir);
+        } catch (HirsRuntimeException& hirsRuntimeException) {
+            logger.error(hirsRuntimeException.what());
+        }
+    } else {
+        platformCredentials.push_back(platformCredential);
+    }

    // collect device info
    cout << "----> Collecting device information" << endl;
    hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo();
    dv.set_pcrslist(tpm2.getPcrList());
    // collect TCG Boot files
-    Properties props("/etc/hirs/tcg_boot.properties");
    const std::string& rim_file = props.get("tcg.rim.file", "");
    const std::string& swid_file = props.get("tcg.swidtag.file", "");
+    const std::string& live_log_file = props.get("tcg.event.file", "");
+
    try {
        dv.set_logfile(hirs::file_utils::fileToString(rim_file));
    } catch (HirsRuntimeException& hirsRuntimeException) {
@ -83,8 +98,7 @@ int provision() {
        logger.error(hirsRuntimeException.what());
    }
    try {
-        dv.set_livelog(hirs::file_utils::fileToString(
-        "/sys/kernel/security/tpm0/binary_bios_measurements"));
+        dv.set_livelog(hirs::file_utils::fileToString(live_log_file));
    } catch (HirsRuntimeException& hirsRuntimeException) {
        logger.error(hirsRuntimeException.what());
    }
--- a/HIRS_ProvisionerTPM2/src/Utils.cpp
+++ b/HIRS_ProvisionerTPM2/src/Utils.cpp
@ -6,6 +6,7 @@

 #include <re2/re2.h>

+#include <dirent.h>
 #include <sys/stat.h>
 #include <sstream>
 #include <iomanip>
@ -118,6 +119,30 @@ namespace file_utils {
        return string_utils::trimNewLines(fileToString(filename, ""));
    }

+    vector<string> searchDirectory(const string& directory) {
+        DIR *dr;
+        std::vector<string> platform_credentials;
+        dr = opendir(directory.c_str());
+
+        if (dr) {
+            struct dirent *en;
+            while ((en = readdir(dr)) != NULL) {
+                stringstream ss;
+                ss << directory.c_str();
+                ss << en->d_name;
+                try {
+                    platform_credentials.push_back(fileToString(ss.str()));
+                } catch (HirsRuntimeException& hirsRuntimeException) {
+                    std::cout << hirsRuntimeException.what();
+                }
+            }
+            // close directory
+            closedir(dr);
+        }
+
+        return platform_credentials;
+    }
+
    /**
     * Takes a byte string and writes the contents to a file of the given name.
     * @param bytes string bytes to write
--- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
@ -168,12 +168,12 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
        }
        try {
            if (trustStore == null || trustStore.size() == 0) {
-                message = baseErrorMessage + "a trust store\n";
+                message = baseErrorMessage + "an Issuer Cert in the Trust Store\n";
                LOGGER.error(message);
                return new AppraisalStatus(FAIL, message);
            }
        } catch (KeyStoreException e) {
-            message = baseErrorMessage + "an intitialized trust store";
+            message = baseErrorMessage + "an initialized trust store";
            LOGGER.error(message);
            return new AppraisalStatus(FAIL, message);
        }