From 61359e19205a46332e85cce4b2e822b50a186697 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Fri, 27 Nov 2020 13:09:04 -0500
Subject: [PATCH 1/4] Updated the provisioner to look into the tcg properties file for the location of the certificates that are to be uploaded instead of using the tpm (if the file is not in the tpm).
---
HIRS_ProvisionerTPM2/include/Utils.h | 3 +++
.../package/rpm-post-install.sh | 11 +++++---
HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 17 +++++++++++--
HIRS_ProvisionerTPM2/src/Utils.cpp | 25 +++++++++++++++++++
4 files changed, 51 insertions(+), 5 deletions(-)
diff --git a/HIRS_ProvisionerTPM2/include/Utils.h b/HIRS_ProvisionerTPM2/include/Utils.h
index ca85ff45..acad7f60 100644
--- a/HIRS_ProvisionerTPM2/include/Utils.h
+++ b/HIRS_ProvisionerTPM2/include/Utils.h
@@ -5,6 +5,7 @@
#define HIRS_PROVISIONERTPM2_INCLUDE_UTILS_H_
#include
+#include
namespace hirs {
@@ -32,6 +33,8 @@ namespace file_utils {
std::string getFileAsOneLineOrEmptyString(const std::string& filename);
+ std::vector searchDirectory(const std::string& directory);
+
void writeBinaryFile(const std::string& bytes, const std::string& filename);
diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
index bb8f9182..9622dc3d 100644
--- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
+++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
@@ -41,9 +41,10 @@ fi
ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner
TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties"
-MAINFEST_DIRECTORY="/boot/tcg/manifest"
-LOG_FILE_LOCATION="$MAINFEST_DIRECTORY/rim/"
-TAG_FILE_LOCATION="$MAINFEST_DIRECTORY/swidtag/"
+TCG_DIRECTORY="/boot/tcg"
+LOG_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/"
+TAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/"
+CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/"
if [ ! -f "$TCG_BOOT_FILE" ]; then
touch "$TCG_BOOT_FILE"
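Review bot: `searchDirectory` is added to the public `file_utils` namespace with no doc comment, and its name suggests it returns paths while the Utils.cpp implementation in this series returns the contents of every entry it reads. A short comment above the declaration would prevent misuse, e.g. `/** Reads each entry directly under directory (not recursive) and returns the file contents; entries that cannot be read are skipped. */`. The enclosing namespace starts and ends outside the hunk.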
@@ -59,4 +60,8 @@ if [ -d "$TAG_FILE_LOCATION" ]; then
echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE"
fi
+if [ -d "$CREDENTIALS_LOCATION" ]; then
+ echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_BOOT_FILE"
+fi
+
chmod -w "$TCG_BOOT_FILE"
diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
index f280c924..705bf01d 100644
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
@@ -44,6 +44,7 @@ int provision() {
Logger logger = Logger::getDefaultLogger();
CommandTpm2 tpm2;
+ Properties props("/etc/hirs/tcg_boot.properties");
tpm2.setAuthData();
// get endorsement credential and endorsement key
@@ -62,14 +63,26 @@ int provision() {
cout << "----> Collecting platform credential from TPM" << endl;
string platformCredential = tpm2.getPlatformCredentialDefault();
std::vector platformCredentials;
- platformCredentials.push_back(platformCredential);
+
+ // if platformCredential is empty, not in TPM
+ // pull from properties file
+ if (platformCredential.empty()) {
+ const std::string& cert_dir = props.get("tcg.cert.dir", "");
+ try {
+ platformCredentials =
+ hirs::file_utils::searchDirectory(cert_dir);
+ } catch (HirsRuntimeException& hirsRuntimeException) {
+ logger.error(hirsRuntimeException.what());
+ }
+ } else {
+ platformCredentials.push_back(platformCredential);
+ }
// collect device info
cout << "----> Collecting device information" << endl;
hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo();
dv.set_pcrslist(tpm2.getPcrList());
// collect TCG Boot files
- Properties props("/etc/hirs/tcg_boot.properties");
const std::string& rim_file = props.get("tcg.rim.file", "");
const std::string& swid_file = props.get("tcg.swidtag.file", "");
try {
diff --git a/HIRS_ProvisionerTPM2/src/Utils.cpp b/HIRS_ProvisionerTPM2/src/Utils.cpp
index 957e6a5f..75aeccf8 100644
--- a/HIRS_ProvisionerTPM2/src/Utils.cpp
+++ b/HIRS_ProvisionerTPM2/src/Utils.cpp
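Review bot: The new `tcg.cert.dir=` line is appended with `>>`, so if the post-install runs again over an existing `/etc/hirs/tcg_boot.properties` (an upgrade, for instance) the key ends up duplicated, alongside the already-appended `tcg.rim.file` and `tcg.swidtag.file` entries; which value `Properties::get` then returns is not visible here. Removing the old key before appending, or regenerating the file as a whole, would keep the result deterministic. The consumer added in Utils.cpp also concatenates `d_name` directly onto this value, so the trailing `/` in `CREDENTIALS_LOCATION` is load-bearing and deserves a comment beside the assignment, e.g. `# trailing slash required: the provisioner appends file names directly`.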
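Review bot: When the TPM holds no platform credential and `tcg.cert.dir` is unset or names an empty directory, `platformCredentials` stays empty and provisioning continues with no message at all; as written in Utils.cpp, `searchDirectory` returns an empty vector on a failed `opendir` and swallows read failures internally, so the `catch` here is unlikely to ever fire. An explicit check after the fallback, along the lines of `if (platformCredentials.empty()) { logger.error(("No platform credential found in TPM or in " + cert_dir).c_str()); }`, lets the validation failure the ACA will report be traced back to the device. The on-disk fallback is also only as trustworthy as the ACA's chain validation against its trust store, since nothing authenticates the files under `tcg.cert.dir` locally; that is acceptable as long as the server-side validation remains mandatory. `provision()` continues outside the hunk.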
@@ -6,6 +6,7 @@
#include
+#include
#include
#include
#include
@@ -118,6 +119,30 @@ namespace file_utils {
return string_utils::trimNewLines(fileToString(filename, ""));
}
+ vector searchDirectory(const string& directory) {
+ DIR *dr;
+ std::vector platform_credentials;
+ dr = opendir(directory.c_str());
+
+ if (dr) {
+ struct dirent *en;
+ while ((en = readdir(dr)) != NULL) {
+ stringstream ss;
+ ss << directory.c_str();
+ ss << en->d_name;
+ try {
+ platform_credentials.push_back(fileToString(ss.str()));
+ } catch (HirsRuntimeException& hirsRuntimeException) {
+ std::cout << hirsRuntimeException.what();
+ }
+ }
+ // close directory
+ closedir(dr);
+ }
+
+ return platform_credentials;
+ }
+
/**
* Takes a byte string and writes the contents to a file of the given name.
* @param bytes string bytes to write
From 29b7d466cd8a4bd53af2bdfd30c50ef68509c26f Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Mon, 30 Nov 2020 09:23:10 -0500
Subject: [PATCH 2/4] Updated wording in validation for failed trust store
---
.../java/hirs/validation/SupplyChainCredentialValidator.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
index b449e2de..6aa80ff2 100644
--- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
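Review bot: The `readdir` loop hands every directory entry to `fileToString`, including `.`, `..`, subdirectories and any non-certificate file that happens to be present, and it builds the path with `ss << directory.c_str(); ss << en->d_name;` without a separator, so it only works when the configured directory ends in `/`. Read failures are then written to `std::cout` with no newline instead of following the exception path the rest of `file_utils` uses (`fileToString` throws `HirsRuntimeException`), and a failed `opendir` yields an empty vector with no indication of why. I would skip the dot entries and anything that is not a regular file (`stat`/`S_ISREG`, which needs `<sys/stat.h>`), insert the separator when it is missing, and either rethrow or at least terminate the message; holding the `DIR*` in a `std::unique_ptr<DIR, int (*)(DIR*)>` with `closedir` as deleter would also release it if `push_back` throws. The rewritten loop body follows.
```cpp
        // … unchanged: opendir(directory.c_str()) and the if (dr) check …
            struct dirent *en;
            while ((en = readdir(dr)) != NULL) {
                const std::string name = en->d_name;
                // readdir() also reports "." and ".." and any subdirectory;
                // only regular files can hold a credential.
                if (name == "." || name == "..") {
                    continue;
                }
                std::string path = directory;
                if (!path.empty() && path.back() != '/') {
                    path += '/';
                }
                path += name;
                struct stat st;
                if (stat(path.c_str(), &st) != 0 || !S_ISREG(st.st_mode)) {
                    continue;
                }
                try {
                    platform_credentials.push_back(fileToString(path));
                } catch (HirsRuntimeException& hirsRuntimeException) {
                    std::cout << hirsRuntimeException.what() << '\n';
                }
            }
        // … unchanged: closedir(dr) and return platform_credentials …
```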
@@ -168,12 +168,12 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
}
try {
if (trustStore == null || trustStore.size() == 0) {
- message = baseErrorMessage + "a trust store\n";
+ message = baseErrorMessage + "an Issuer Cert in the Trust Store\n";
LOGGER.error(message);
return new AppraisalStatus(FAIL, message);
}
} catch (KeyStoreException e) {
- message = baseErrorMessage + "an intitialized trust store";
+ message = baseErrorMessage + "an initialized trust store";
LOGGER.error(message);
return new AppraisalStatus(FAIL, message);
}
From 857f1eb0ffb64c63fed26c5b59c79232f3e95d41 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Mon, 30 Nov 2020 10:11:25 -0500
Subject: [PATCH 3/4] There was a pull for an object that would be null without any RIMs uploaded.
---
.../AbstractAttestationCertificateAuthority.java | 8 ++++++--
.../service/SupplyChainValidationServiceImpl.java | 4 ++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
index e3051ee0..a3a7627f 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@@ -410,8 +410,12 @@ public abstract class AbstractAttestationCertificateAuthority
// parse the EK Public key from the IdentityClaim once for use in supply chain validation
// and later tpm20MakeCredential function
RSAPublicKey ekPub = parsePublicKey(claim.getEkPublicArea().toByteArray());
-
- AppraisalStatus.Status validationResult = doSupplyChainValidation(claim, ekPub);
+ AppraisalStatus.Status validationResult = AppraisalStatus.Status.FAIL;
+ try {
+ validationResult = doSupplyChainValidation(claim, ekPub);
+ } catch (Exception ex) {
+ LOG.error(ex);
+ }
if (validationResult == AppraisalStatus.Status.PASS) {
RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray());
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
index 02ca8693..9cc6d494 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@@ -369,8 +369,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
.byManufacturer(manufacturer).getRIM();
supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager)
.byManufacturer(manufacturer).getRIM();
- List resources =
- ((BaseReferenceManifest) baseReferenceManifest).parseResource();
measurement = EventLogMeasurements.select(referenceManifestManager)
.byManufacturer(manufacturer).includeArchived().getRIM();
@@ -390,6 +388,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
}
if (passed) {
+ List resources =
+ ((BaseReferenceManifest) baseReferenceManifest).parseResource();
fwStatus = new AppraisalStatus(PASS, SupplyChainCredentialValidator.FIRMWARE_VALID);
From 70662bddec2ff3402433a95399caf3b6a3f6dd27 Mon Sep 17 00:00:00 2001
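Review bot: Initialising `validationResult` to `FAIL` before the `try` is the right fail-closed default, but `catch (Exception ex) { LOG.error(ex); }` discards the root cause: if `LOG` is a log4j-style logger, `error(Object)` records only the exception's `toString()` and no stack trace, so the NullPointerException this series works around would show up as a bare class name in the ACA log. Pass it as the throwable, `LOG.error("Supply chain validation threw while processing identity claim", ex);`, and consider narrowing the catch to the exception types `doSupplyChainValidation` can actually raise rather than `Exception`, so that genuine server bugs are not indistinguishable from rejected devices. The enclosing method starts and ends outside the hunk.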
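Review bot: Moving `parseResource()` under `if (passed)` avoids the null dereference only if `passed` implies a non-null `baseReferenceManifest`, which is established by code outside the hunk; an explicit `baseReferenceManifest != null` guard next to the cast would make the invariant local instead of implied. The unchecked cast `(BaseReferenceManifest) baseReferenceManifest` predates this change but now sits on the success path only, so a ClassCastException there would route a passing appraisal into the generic catch added in AbstractAttestationCertificateAuthority and fail it without a specific reason. The enclosing method starts and ends outside the hunk.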
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Tue, 1 Dec 2020 11:13:41 -0500
Subject: [PATCH 4/4] Updated how the bios measurement file is uploaded. Changed the code to pull the string from the properties file instead of a hard link in the code.
---
.../AbstractAttestationCertificateAuthority.java | 8 ++++++++
HIRS_ProvisionerTPM2/package/rpm-post-install.sh | 5 +++++
HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 5 +++--
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
index 59fbb719..b0ba7123 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@@ -785,6 +785,8 @@ public abstract class AbstractAttestationCertificateAuthority
} catch (IOException ioEx) {
LOG.error(ioEx);
}
+ } else {
+ LOG.warn("Device did not send swid tag file...");
}
if (dv.hasLogfile()) {
@@ -820,9 +822,12 @@ public abstract class AbstractAttestationCertificateAuthority
} catch (IOException ioEx) {
LOG.error(ioEx);
}
+ } else {
+ LOG.warn("Device did not send support RIM file...");
}
if (dv.hasLivelog()) {
+ LOG.info("Device sent bios measurement log...");
fileName = String.format("%s.measurement", clientName);
try {
@@ -831,6 +836,7 @@ public abstract class AbstractAttestationCertificateAuthority
.byManufacturer(dv.getHw().getManufacturer())
.includeArchived().getRIM();
if (support != null) {
+ LOG.info("Previous bios measurement log found and being replaced...");
this.referenceManifestManager.delete(support);
}
support = new EventLogMeasurements(fileName,
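Review bot: The new `LOG.warn`/`LOG.info` lines in this hunk and in the following ones (`support RIM file`, `bios measurement log`, and the `-842` hunk) carry no device identifier, so when several devices provision at once an operator cannot tell which one omitted a file. `clientName` is used a few lines later in `String.format("%s.measurement", clientName)`; if it is in scope at these points it would make the messages actionable, e.g. `LOG.warn(String.format("%s did not send swid tag file", clientName));`. The trailing `...` on every message is a style point as well — log lines are easier to grep and alert on without decorative punctuation. The enclosing method starts and ends outside the hunks.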
@@ -842,6 +848,8 @@ public abstract class AbstractAttestationCertificateAuthority
} catch (IOException ioEx) {
LOG.error(ioEx);
}
+ } else {
+ LOG.warn("Device did not send bios measurement log...");
}
// Get TPM info, currently unimplemented
diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
index 9622dc3d..9562a412 100644
--- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
+++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh
@@ -45,6 +45,7 @@ TCG_DIRECTORY="/boot/tcg"
LOG_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/"
TAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/"
CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/"
+BINARY_BIOS_MEASUREMENTS="/sys/kernel/security/tpm0/binary_bios_measurements"
if [ ! -f "$TCG_BOOT_FILE" ]; then
touch "$TCG_BOOT_FILE"
@@ -64,4 +65,8 @@ if [ -d "$CREDENTIALS_LOCATION" ]; then
echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_BOOT_FILE"
fi
+if [ -f "$BINARY_BIOS_MEASUREMENTS" ]; then
+ echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_BOOT_FILE"
+fi
+
chmod -w "$TCG_BOOT_FILE"
diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
index 957759e7..5a6428b9 100644
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
@@ -85,6 +85,8 @@ int provision() {
// collect TCG Boot files
const std::string& rim_file = props.get("tcg.rim.file", "");
const std::string& swid_file = props.get("tcg.swidtag.file", "");
+ const std::string& live_log_file = props.get("tcg.event.file", "");
+
try {
dv.set_logfile(hirs::file_utils::fileToString(rim_file));
} catch (HirsRuntimeException& hirsRuntimeException) {
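Review bot: `tcg.event.file` is written only when `/sys/kernel/security/tpm0/binary_bios_measurements` exists at package-install time, but that is a securityfs path whose presence depends on the kernel and TPM of the machine running the install, not of the machine being provisioned; a package installed while building an image, or on a host whose securityfs is not yet mounted, never gets the key, and the provisioner then calls `fileToString("")` on every run and logs an error where the old hard-coded path was at least attempted. Writing the key unconditionally, `echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_BOOT_FILE"`, and letting the provisioner decide at run time whether the file is readable would be more robust. As with `tcg.cert.dir` in the preceding patch, the `>>` appends a second copy of the key if the post-install runs again over an existing file.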
@@ -96,8 +98,7 @@ int provision() {
logger.error(hirsRuntimeException.what());
}
try {
- dv.set_livelog(hirs::file_utils::fileToString(
- "/sys/kernel/security/tpm0/binary_bios_measurements"));
+ dv.set_livelog(hirs::file_utils::fileToString(live_log_file));
} catch (HirsRuntimeException& hirsRuntimeException) {
logger.error(hirsRuntimeException.what());
}
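Review bot: `fileToString(live_log_file)` is called even when `tcg.event.file` is absent from the properties file, in which case `live_log_file` is `""` and the error logged is whatever `fileToString` reports for an empty path rather than "event log not configured". A guard ahead of the `try`, `if (live_log_file.empty()) { logger.error("tcg.event.file not set in /etc/hirs/tcg_boot.properties"); } else { /* existing try/catch */ }`, gives operators a message they can act on; the same applies to `rim_file` and `swid_file` in the preceding hunk, which predate this change. Since `binary_bios_measurements` is a binary event log rather than text, the call also relies on `fileToString` being byte-transparent, which is worth stating in a comment at the call site if it is guaranteed. `provision()` continues outside the hunk.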