diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
index 1469a938..b0ba7123 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@@ -410,8 +410,12 @@ public abstract class AbstractAttestationCertificateAuthority
 // parse the EK Public key from the IdentityClaim once for use in supply chain validation
 // and later tpm20MakeCredential function
 RSAPublicKey ekPub = parsePublicKey(claim.getEkPublicArea().toByteArray());
-
- AppraisalStatus.Status validationResult = doSupplyChainValidation(claim, ekPub);
+ AppraisalStatus.Status validationResult = AppraisalStatus.Status.FAIL;
+ try {
+ validationResult = doSupplyChainValidation(claim, ekPub);
+ } catch (Exception ex) {
+ LOG.error(ex);
+ }
 if (validationResult == AppraisalStatus.Status.PASS) {
 RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray());
@@ -781,6 +785,8 @@ public abstract class AbstractAttestationCertificateAuthority
 } catch (IOException ioEx) {
 LOG.error(ioEx);
 }
+ } else {
+ LOG.warn("Device did not send swid tag file...");
 }
 if (dv.hasLogfile()) {
@@ -816,9 +822,12 @@ public abstract class AbstractAttestationCertificateAuthority
 } catch (IOException ioEx) {
 LOG.error(ioEx);
 }
+ } else {
+ LOG.warn("Device did not send support RIM file...");
 }
 if (dv.hasLivelog()) {
+ LOG.info("Device sent bios measurement log...");
 fileName = String.format("%s.measurement", clientName);
 try {
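Review bot: `catch (Exception ex) { LOG.error(ex); }` in the new try block records only what the logger's single-argument `error(Object)` overload makes of `ex` — typically `ex.toString()` with no stack trace or context — so an operator who sees a FAIL from this path cannot tell which validation step threw; log a message with the throwable as the second argument, `LOG.error("Supply chain validation of the identity claim threw an exception", ex);`. Defaulting `validationResult` to FAIL so an unexpected exception fails closed is the right direction, but catching `Exception` also turns programming errors into a generic validation failure; if `doSupplyChainValidation` declares a narrower exception type, catch that instead. The enclosing method continues outside the hunk.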
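Review bot: The new `LOG.warn("Device did not send swid tag file...")` line, and the matching warn/info lines in the hunks at -816, -827 and -838 of this file, carry no device identity, so in an ACA serving many provisioners the log cannot say which client omitted which file. `clientName` is in scope at least by the `String.format("%s.measurement", clientName)` line in the -816 hunk, so include it, e.g. `LOG.warn(String.format("Device %s did not send swid tag file", clientName));`; if `clientName` is not yet assigned at the first warn, use whichever device identifier is already available there. The enclosing method begins and ends outside these hunks.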
@@ -827,6 +836,7 @@ public abstract class AbstractAttestationCertificateAuthority
 .byManufacturer(dv.getHw().getManufacturer())
 .includeArchived().getRIM();
 if (support != null) {
+ LOG.info("Previous bios measurement log found and being replaced...");
 this.referenceManifestManager.delete(support);
 }
 support = new EventLogMeasurements(fileName,
@@ -838,6 +848,8 @@ public abstract class AbstractAttestationCertificateAuthority
 } catch (IOException ioEx) {
 LOG.error(ioEx);
 }
+ } else {
+ LOG.warn("Device did not send bios measurement log...");
 }
 // Get TPM info, currently unimplemented
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
index 02ca8693..9cc6d494 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@@ -369,8 +369,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
 .byManufacturer(manufacturer).getRIM();
 supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager)
 .byManufacturer(manufacturer).getRIM();
- List resources =
- ((BaseReferenceManifest) baseReferenceManifest).parseResource();
 measurement = EventLogMeasurements.select(referenceManifestManager)
 .byManufacturer(manufacturer).includeArchived().getRIM();
@@ -390,6 +388,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
 }
 if (passed) {
+ List resources =
+ ((BaseReferenceManifest) baseReferenceManifest).parseResource();
 fwStatus = new AppraisalStatus(PASS,
 SupplyChainCredentialValidator.FIRMWARE_VALID);
diff --git a/HIRS_ProvisionerTPM2/include/Utils.h b/HIRS_ProvisionerTPM2/include/Utils.h
index ca85ff45..acad7f60 100644
--- a/HIRS_ProvisionerTPM2/include/Utils.h
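Review bot: `List resources = ((BaseReferenceManifest) baseReferenceManifest).parseResource();` in the -390 hunk uses a raw `List`, and within the visible lines `resources` is assigned but never read, so the statement reads as a call to `parseResource()` made for its side effects with the result discarded. If that is the intent, say so in a one-line comment, e.g. `// parseResource() is called for its side effects; its result is not used here`; if the value is used further down the method (outside the hunk), give it the parameterized type `parseResource()` actually returns instead of the raw type. Moving the call under `if (passed)` presumably also avoids the cast and dereference of a null `baseReferenceManifest` when no base RIM was found, which is worth a comment as well. The enclosing method begins and ends outside the hunk.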
+++ b/HIRS_ProvisionerTPM2/include/Utils.h
@@ -5,6 +5,7 @@
 #define HIRS_PROVISIONERTPM2_INCLUDE_UTILS_H_
 #include
+#include
 namespace hirs {
@@ -32,6 +33,8 @@ namespace file_utils {
 std::string getFileAsOneLineOrEmptyString(const std::string& filename);
+ std::vector searchDirectory(const std::string& directory);
+
 void writeBinaryFile(const std::string& bytes, const std::string& filename);
diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
index bb8f9182..9562a412 100644
--- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
+++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
@@ -41,9 +41,11 @@ fi
 ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner
 TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties"
-MAINFEST_DIRECTORY="/boot/tcg/manifest"
-LOG_FILE_LOCATION="$MAINFEST_DIRECTORY/rim/"
-TAG_FILE_LOCATION="$MAINFEST_DIRECTORY/swidtag/"
+TCG_DIRECTORY="/boot/tcg"
+LOG_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/"
+TAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/"
+CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/"
+BINARY_BIOS_MEASUREMENTS="/sys/kernel/security/tpm0/binary_bios_measurements"
 if [ ! -f "$TCG_BOOT_FILE" ]; then
 touch "$TCG_BOOT_FILE"
@@ -59,4 +61,12 @@ if [ -d "$TAG_FILE_LOCATION" ]; then
 echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE"
 fi
+if [ -d "$CREDENTIALS_LOCATION" ]; then
+ echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_BOOT_FILE"
+fi
+
+if [ -f "$BINARY_BIOS_MEASUREMENTS" ]; then
+ echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_BOOT_FILE"
+fi
+
 chmod -w "$TCG_BOOT_FILE"
diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
index f30d6588..5a6428b9 100644
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
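Review bot: The new `searchDirectory` declaration in Utils.h has no doc comment, and its contract is not obvious from the name: the implementation in Utils.cpp in this same change returns the contents of every readable entry in `directory`, not a listing of names. Add a comment above the declaration stating that it reads each entry of `directory` with `fileToString` and returns the file contents as a vector of strings, that `directory` is expected to end with a path separator because the entry name is appended to it directly, and that entries which cannot be read are skipped rather than reported to the caller. A name such as `readFilesInDirectory` would describe the behaviour more accurately than `searchDirectory`.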
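Review bot: `tcg.event.file=$BINARY_BIOS_MEASUREMENTS` is written only if `/sys/kernel/security/tpm0/binary_bios_measurements` exists at package-install time, but securityfs or the TPM event log may be absent in the install environment (a build chroot, a container, a host whose TPM driver loads later); in that case the key is never recorded, the provisioner reads `tcg.event.file` as `""`, and the previously hard-coded path is silently lost. Since this path is a fixed kernel interface rather than a deployment choice, consider writing the key unconditionally, `echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_BOOT_FILE"`, and letting the provisioner's existing `fileToString` error handling report an absent log at provisioning time. The same consideration applies to `tcg.cert.dir`, whose directory may only be populated after the package is installed.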
@@ -44,6 +44,7 @@ int provision() {
 Logger logger = Logger::getDefaultLogger();
 CommandTpm2 tpm2;
+ Properties props("/etc/hirs/tcg_boot.properties");
 tpm2.setAuthData();
 // get endorsement credential and endorsement key
@@ -62,16 +63,30 @@ int provision() {
 cout << "----> Collecting platform credential from TPM" << endl;
 string platformCredential = tpm2.getPlatformCredentialDefault();
 std::vector platformCredentials;
- platformCredentials.push_back(platformCredential);
+
+ // if platformCredential is empty, not in TPM
+ // pull from properties file
+ if (platformCredential.empty()) {
+ const std::string& cert_dir = props.get("tcg.cert.dir", "");
+ try {
+ platformCredentials =
+ hirs::file_utils::searchDirectory(cert_dir);
+ } catch (HirsRuntimeException& hirsRuntimeException) {
+ logger.error(hirsRuntimeException.what());
+ }
+ } else {
+ platformCredentials.push_back(platformCredential);
+ }
 // collect device info
 cout << "----> Collecting device information" << endl;
 hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo();
 dv.set_pcrslist(tpm2.getPcrList());
 // collect TCG Boot files
- Properties props("/etc/hirs/tcg_boot.properties");
 const std::string& rim_file = props.get("tcg.rim.file", "");
 const std::string& swid_file = props.get("tcg.swidtag.file", "");
+ const std::string& live_log_file = props.get("tcg.event.file", "");
+
 try {
 dv.set_logfile(hirs::file_utils::fileToString(rim_file));
 } catch (HirsRuntimeException& hirsRuntimeException) {
@@ -83,8 +98,7 @@ int provision() {
 logger.error(hirsRuntimeException.what());
 }
 try {
- dv.set_livelog(hirs::file_utils::fileToString(
- "/sys/kernel/security/tpm0/binary_bios_measurements"));
+ dv.set_livelog(hirs::file_utils::fileToString(live_log_file));
 } catch (HirsRuntimeException& hirsRuntimeException) {
 logger.error(hirsRuntimeException.what());
 }
diff --git a/HIRS_ProvisionerTPM2/src/Utils.cpp b/HIRS_ProvisionerTPM2/src/Utils.cpp
index 957e6a5f..75aeccf8 100644
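Review bot: When `tcg.cert.dir` is absent from the properties file, `cert_dir` is `""` and `searchDirectory("")` returns an empty vector, so the -62 hunk proceeds with no platform credential at all and no log line saying why; and because the `searchDirectory` implementation in Utils.cpp in this same change catches `HirsRuntimeException` internally, the `try`/`catch` around the call appears not to be reachable, while the empty-result case that does occur is the one left unreported. Guard the lookup and report the outcome, e.g. `if (cert_dir.empty()) { logger.error("No platform credential in TPM and tcg.cert.dir is not set in tcg_boot.properties"); }` (use a warning level if `Logger` provides one), and after the call log how many credential files were loaded from `cert_dir` so the provisioning record shows what was sent to the ACA. `provision()` continues outside the hunk.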
--- a/HIRS_ProvisionerTPM2/src/Utils.cpp
+++ b/HIRS_ProvisionerTPM2/src/Utils.cpp
@@ -6,6 +6,7 @@
 #include
+#include
 #include
 #include
 #include
@@ -118,6 +119,30 @@ namespace file_utils {
 return string_utils::trimNewLines(fileToString(filename, ""));
 }
+ vector searchDirectory(const string& directory) {
+ DIR *dr;
+ std::vector platform_credentials;
+ dr = opendir(directory.c_str());
+
+ if (dr) {
+ struct dirent *en;
+ while ((en = readdir(dr)) != NULL) {
+ stringstream ss;
+ ss << directory.c_str();
+ ss << en->d_name;
+ try {
+ platform_credentials.push_back(fileToString(ss.str()));
+ } catch (HirsRuntimeException& hirsRuntimeException) {
+ std::cout << hirsRuntimeException.what();
+ }
+ }
+ // close directory
+ closedir(dr);
+ }
+
+ return platform_credentials;
+ }
+
 /**
 * Takes a byte string and writes the contents to a file of the given name.
 * @param bytes string bytes to write
diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
index b449e2de..6aa80ff2 100644
--- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
@@ -168,12 +168,12 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
 }
 try {
 if (trustStore == null || trustStore.size() == 0) {
- message = baseErrorMessage + "a trust store\n";
+ message = baseErrorMessage + "an Issuer Cert in the Trust Store\n";
 LOGGER.error(message);
 return new AppraisalStatus(FAIL, message);
 }
 } catch (KeyStoreException e) {
- message = baseErrorMessage + "an intitialized trust store";
+ message = baseErrorMessage + "an initialized trust store";
 LOGGER.error(message);
 return new AppraisalStatus(FAIL, message);
 }
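Review bot: `searchDirectory` feeds every entry `readdir` returns into `fileToString`, including `.` and `..` and any subdirectory or non-regular file, and joins `directory` and `en->d_name` with no separator, so it only works when the configured `tcg.cert.dir` ends in `/` (which the rpm post-install script happens to guarantee). A failed `opendir` returns an empty vector with no diagnostic, the `catch` prints to `std::cout` with no newline rather than the error stream or the project's logger, and `closedir` is skipped if `fileToString` throws anything other than `HirsRuntimeException`. Because everything read here is forwarded to the ACA as a platform credential, the loop should skip `.`/`..`, restrict itself to regular files, and report which files it loaded and which it skipped so an operator can audit what was sent; the rewrite below uses `d_type` for the file-type check, which is a glibc extension — a `stat()` check is the portable alternative, and the project's `Logger` should replace `std::cerr` if it is available in this translation unit.
```cpp
    vector<string> searchDirectory(const string& directory) {
        std::vector<string> platform_credentials;
        DIR* dr = opendir(directory.c_str());
        if (dr == NULL) {
            std::cerr << "Unable to open directory: " << directory << std::endl;
            return platform_credentials;
        }

        // Join with a separator so callers need not supply a trailing slash.
        string prefix = directory;
        if (!prefix.empty() && prefix[prefix.size() - 1] != '/') {
            prefix += '/';
        }

        struct dirent* en;
        while ((en = readdir(dr)) != NULL) {
            const string name = en->d_name;
            if (name == "." || name == "..") {
                continue;
            }
            // Only regular files are candidate credentials; DT_UNKNOWN is
            // left to fileToString, which presumably rejects a non-file.
            if (en->d_type != DT_REG && en->d_type != DT_UNKNOWN) {
                std::cerr << "Skipping non-regular entry: " << prefix + name << std::endl;
                continue;
            }
            try {
                platform_credentials.push_back(fileToString(prefix + name));
                std::cout << "Loaded platform credential file: " << prefix + name << std::endl;
            } catch (HirsRuntimeException& hirsRuntimeException) {
                std::cerr << hirsRuntimeException.what() << std::endl;
            }
        }
        closedir(dr);
        return platform_credentials;
    }
```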
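Review bot: The two reworded messages in the SupplyChainCredentialValidator hunk are inconsistent about the trailing newline — `"an Issuer Cert in the Trust Store\n"` keeps the `\n` while `"an initialized trust store"` has none — and both are returned inside an `AppraisalStatus` that presumably surfaces in the UI, where an embedded newline is unusual; pick one form for both, e.g. `"an Issuer Cert in the Trust Store"`. The new wording also narrows the meaning slightly: the condition tested is a null or empty trust store, not specifically a missing issuer certificate, so the message may mislead when the store object itself is null. The enclosing method continues outside the hunk.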