Merge branch 'master' into devid-class-impl
This commit is contained in:
commit
b14941f8ad
@ -183,7 +183,6 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
private final ReferenceEventManager referenceEventManager;
|
||||
private String tpmQuoteHash = "";
|
||||
private String tpmQuoteSignature = "";
|
||||
private String pcrValues;
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
@ -733,6 +732,7 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim claim)
|
||||
throws NoSuchAlgorithmException {
|
||||
ProvisionerTpm2.DeviceInfo dv = claim.getDv();
|
||||
String pcrValues = "";
|
||||
|
||||
// Get network info
|
||||
ProvisionerTpm2.NetworkInfo nwProto = dv.getNw();
|
||||
@ -783,7 +783,7 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
firstChassisSerialNumber, firstBaseboardSerialNumber);
|
||||
|
||||
if (dv.hasPcrslist()) {
|
||||
this.pcrValues = dv.getPcrslist().toStringUtf8();
|
||||
pcrValues = dv.getPcrslist().toStringUtf8();
|
||||
}
|
||||
|
||||
// check for RIM Base and Support files, if they don't exists in the database, load them
|
||||
@ -960,7 +960,7 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
(short) 0,
|
||||
(short) 0,
|
||||
(short) 0,
|
||||
this.pcrValues.getBytes(StandardCharsets.UTF_8),
|
||||
pcrValues.getBytes(StandardCharsets.UTF_8),
|
||||
this.tpmQuoteHash.getBytes(StandardCharsets.UTF_8),
|
||||
this.tpmQuoteSignature.getBytes(StandardCharsets.UTF_8));
|
||||
|
||||
|
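Review bot: `tpmQuoteHash` and `tpmQuoteSignature` (first hunk, and the `this.tpmQuoteHash.getBytes(...)` / `this.tpmQuoteSignature.getBytes(...)` calls in the last hunk) are still instance fields carrying per-request values, while `pcrValues` was turned into a local for exactly that reason; if this ACA object is shared across concurrent provisioning requests — how it is instantiated is not visible here — two devices' quote data can still interleave between `parseDeviceInfo` and the point where the bytes are consumed. Consider passing them the same way `pcrValues` now is, or at least documenting on the two fields that they are only meaningful within a single identity-claim flow. The method containing the `pcrValues.getBytes(StandardCharsets.UTF_8)` call in the last hunk starts outside the hunk, so where that `pcrValues` is now declared cannot be checked from this view; `parseDeviceInfo` in the second and third hunks also continues past them.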
@ -543,11 +543,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
eventValueMap.put(rdv.getDigestValue(), rdv);
|
||||
}
|
||||
|
||||
for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) {
|
||||
if (!eventValueMap.containsKey(tpe.getEventDigestStr())) {
|
||||
tpmPcrEvents.add(tpe);
|
||||
}
|
||||
}
|
||||
tpmPcrEvents.addAll(pcrPolicy.validateTpmEvents(
|
||||
tcgMeasurementLog, eventValueMap));
|
||||
}
|
||||
} catch (CertificateException cEx) {
|
||||
LOGGER.error(cEx);
|
||||
@ -579,14 +576,15 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
fwStatus = new AppraisalStatus(FAIL, "The RIM baseline could not be found.");
|
||||
}
|
||||
}
|
||||
|
||||
EventLogMeasurements eventLog = (EventLogMeasurements) measurement;
|
||||
eventLog.setOverallValidationResult(fwStatus.getAppStatus());
|
||||
this.referenceManifestManager.update(eventLog);
|
||||
} else {
|
||||
fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: "
|
||||
+ "%s for %s can not be found", failedString, manufacturer));
|
||||
}
|
||||
|
||||
EventLogMeasurements eventLog = (EventLogMeasurements) measurement;
|
||||
eventLog.setOverallValidationResult(fwStatus.getAppStatus());
|
||||
this.referenceManifestManager.update(eventLog);
|
||||
return buildValidationRecord(SupplyChainValidation.ValidationType.FIRMWARE,
|
||||
fwStatus.getAppStatus(), fwStatus.getMessage(), validationObject, level);
|
||||
}
|
||||
|
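Review bot: The cast `EventLogMeasurements eventLog = (EventLogMeasurements) measurement;` now also runs on the `else` path (RIM baseline not found), whereas before it was reached only inside the successful branch; if `measurement` can be null or another `ReferenceManifest` subtype there, the method throws instead of returning the FAIL record it just built. A guard such as `if (measurement instanceof EventLogMeasurements) { ... }` around the cast and the `update(eventLog)` call keeps the failure status reachable; the enclosing method begins before the first hunk, so how `measurement` is obtained cannot be confirmed here. In the first hunk the local digest-lookup loop is replaced by `pcrPolicy.validateTpmEvents(...)`, which applies the ignore flags before the digest lookup — a one-line comment there, `// events excluded by the PCR policy's ignore flags are not reported as failures`, would help readers of the failure message understand why some mismatches never appear.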
@ -20,6 +20,7 @@ public class PolicyPageModel {
|
||||
private boolean enableIgnoreIma;
|
||||
private boolean enableIgnoreTboot;
|
||||
private boolean enableIgnoreGpt;
|
||||
private boolean enableIgnoreOsEvt;
|
||||
|
||||
// Variables to get policy settings from page
|
||||
private String pcValidate;
|
||||
@ -36,6 +37,7 @@ public class PolicyPageModel {
|
||||
private String ignoreIma;
|
||||
private String ignoretBoot;
|
||||
private String ignoreGpt;
|
||||
private String ignoreOsEvt;
|
||||
private String expirationValue;
|
||||
private String devIdExpirationValue;
|
||||
private String thresholdValue;
|
||||
@ -60,6 +62,7 @@ public class PolicyPageModel {
|
||||
this.enableIgnoreIma = policy.isIgnoreImaEnabled();
|
||||
this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
|
||||
this.enableIgnoreGpt = policy.isIgnoreGptEnabled();
|
||||
this.enableIgnoreOsEvt = policy.isIgnoreOsEvtEnabled();
|
||||
this.expirationValue = policy.getValidityDays();
|
||||
this.thresholdValue = policy.getReissueThreshold();
|
||||
this.devIdExpirationValue = policy.getDevIdValidityDays();
|
||||
@ -160,6 +163,14 @@ public class PolicyPageModel {
|
||||
return enableIgnoreGpt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the Enable Ignore Os Events state.
|
||||
* @return the validation state.
|
||||
*/
|
||||
public boolean getEnableIgnoreOsEvt() {
|
||||
return enableIgnoreOsEvt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the EC Validation value.
|
||||
*
|
||||
@ -268,6 +279,15 @@ public class PolicyPageModel {
|
||||
return ignoreGpt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the Ignore Os Evt validation value.
|
||||
*
|
||||
* @return the model string representation of this field (checked or unchecked)
|
||||
*/
|
||||
public String getIgnoreOsEvt() {
|
||||
return ignoreOsEvt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the EC Validation state.
|
||||
*
|
||||
@ -359,6 +379,15 @@ public class PolicyPageModel {
|
||||
this.enableIgnoreGpt = enableIgnoreGpt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the Enable Ignore Os Events state.
|
||||
*
|
||||
* @param enableIgnoreOsEvt true if performing validation, false otherwise
|
||||
*/
|
||||
public void setEnableIgnoreOsEvt(final boolean enableIgnoreOsEvt) {
|
||||
this.enableIgnoreOsEvt = enableIgnoreOsEvt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the Platform Certificate Validation state.
|
||||
*
|
||||
@ -497,6 +526,15 @@ public class PolicyPageModel {
|
||||
this.ignoreGpt = ignoreGpt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the Ignore Os Events state.
|
||||
*
|
||||
* @param ignoreOsEvt "checked" if enabling validation, false otherwise
|
||||
*/
|
||||
public void setIgnoreOsEvt(final String ignoreOsEvt) {
|
||||
this.ignoreOsEvt = ignoreOsEvt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for the expiration value.
|
||||
* @return the value
|
||||
@ -577,6 +615,7 @@ public class PolicyPageModel {
|
||||
+ ", enableIgnoreIma=" + enableIgnoreIma
|
||||
+ ", enableIgnoreTboot=" + enableIgnoreTboot
|
||||
+ ", enableIgnoreGpt=" + enableIgnoreGpt
|
||||
+ ", enableIgnoreOsEvt=" + enableIgnoreOsEvt
|
||||
+ ", expirationValue=" + expirationValue
|
||||
+ ", thresholdValue=" + thresholdValue
|
||||
+ ", devIdExpirationValue=" + devIdExpirationValue
|
||||
|
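Review bot: The `@param` on `setIgnoreOsEvt` (`"checked" if enabling validation, false otherwise`) does not match the parameter, which is a `String` taken from the radio input and carries `"unchecked"` rather than `false`; suggest `@param ignoreOsEvt "checked" if OS-event measurements are to be ignored, "unchecked" otherwise`. The description on `setEnableIgnoreOsEvt` (`true if performing validation, false otherwise`) is inverted in the same way — a true value means those events are excluded from validation — and `Gets the Enable Ignore Os Events state. @return the validation state.` has the same problem. Only the class name of the enclosing class is visible in this view.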
@ -92,7 +92,6 @@ public abstract class PageController<P extends PageParams> {
|
||||
* @return A generic ModelAndView containing basic information for the page.
|
||||
*/
|
||||
protected final ModelAndView getBaseModelAndView(final Page newPage) {
|
||||
|
||||
ModelMap modelMap = new ExtendedModelMap();
|
||||
|
||||
// add page information
|
||||
@ -110,7 +109,6 @@ public abstract class PageController<P extends PageParams> {
|
||||
}
|
||||
|
||||
return new ModelAndView(newPage.getViewName(), modelMap);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
@ -170,7 +168,5 @@ public abstract class PageController<P extends PageParams> {
|
||||
}
|
||||
|
||||
return redirect;
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -90,7 +90,6 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
||||
ModelAndView mav = getBaseModelAndView();
|
||||
|
||||
SupplyChainPolicy policy = getDefaultPolicy();
|
||||
|
||||
PolicyPageModel pageModel = new PolicyPageModel(policy);
|
||||
mav.addObject(INITIAL_DATA, pageModel);
|
||||
|
||||
@ -662,6 +661,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
||||
policy.setFirmwareValidationEnabled(false);
|
||||
policy.getPcrPolicy().setEnableIgnoreIma(false);
|
||||
policy.getPcrPolicy().setEnableIgnoretBoot(false);
|
||||
policy.setIgnoreOsEvtEnabled(false);
|
||||
successMessage = "Firmware validation disabled";
|
||||
}
|
||||
|
||||
@ -805,7 +805,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
||||
//If Ignore TBoot is enabled without firmware, disallow change
|
||||
if (ignoreGptOptionEnabled && !policy.isFirmwareValidationEnabled()) {
|
||||
handleUserError(model, messages,
|
||||
"Ignore TBoot can not be "
|
||||
"Ignore GPT Events can not be "
|
||||
+ "enabled without Firmware Validation policy enabled.");
|
||||
return redirectToSelf(new NoPageParams(), model, attr);
|
||||
}
|
||||
@ -830,6 +830,60 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
||||
return redirectToSelf(new NoPageParams(), model, attr);
|
||||
}
|
||||
|
||||
/**
|
||||
* Updates the ignore Os Events policy setting and
|
||||
* redirects back to the original page.
|
||||
*
|
||||
* @param ppModel The data posted by the form mapped into an object.
|
||||
* @param attr RedirectAttributes used to forward data back to the original
|
||||
* page.
|
||||
* @return View containing the url and parameters
|
||||
* @throws URISyntaxException if malformed URI
|
||||
*/
|
||||
@RequestMapping(value = "update-os-evt-ignore", method = RequestMethod.POST)
|
||||
public RedirectView updateIgnoreOsEvents(
|
||||
@ModelAttribute final PolicyPageModel ppModel,
|
||||
final RedirectAttributes attr)
|
||||
throws URISyntaxException {
|
||||
// set the data received to be populated back into the form
|
||||
Map<String, Object> model = new HashMap<>();
|
||||
PageMessages messages = new PageMessages();
|
||||
String successMessage;
|
||||
boolean ignoreOsEvtOptionEnabled = ppModel.getIgnoreOsEvt()
|
||||
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
|
||||
|
||||
try {
|
||||
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
||||
|
||||
//If Ignore TBoot is enabled without firmware, disallow change
|
||||
if (ignoreOsEvtOptionEnabled && !policy.isFirmwareValidationEnabled()) {
|
||||
handleUserError(model, messages,
|
||||
"Ignore Os Events can not be "
|
||||
+ "enabled without Firmware Validation policy enabled.");
|
||||
return redirectToSelf(new NoPageParams(), model, attr);
|
||||
}
|
||||
|
||||
// set the policy option and create success message
|
||||
if (ignoreOsEvtOptionEnabled) {
|
||||
policy.getPcrPolicy().setEnableIgnoreOsEvt(true);
|
||||
policy.getPcrPolicy().setEnableIgnoreGpt(true);
|
||||
successMessage = "Ignore OS Events enabled";
|
||||
} else {
|
||||
policy.getPcrPolicy().setEnableIgnoreOsEvt(false);
|
||||
successMessage = "Ignore OS Events disabled";
|
||||
}
|
||||
|
||||
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
||||
} catch (PolicyManagerException e) {
|
||||
handlePolicyManagerUpdateError(model, messages, e,
|
||||
"Error changing ACA OS Events ignore policy",
|
||||
"Error updating policy. \n" + e.getMessage());
|
||||
}
|
||||
|
||||
// return the redirect
|
||||
return redirectToSelf(new NoPageParams(), model, attr);
|
||||
}
|
||||
|
||||
private void handlePolicyManagerUpdateError(final Map<String, Object> model,
|
||||
final PageMessages messages,
|
||||
final PolicyManagerException e,
|
||||
|
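Review bot: Enabling ignore-OS-events in `updateIgnoreOsEvents` also calls `policy.getPcrPolicy().setEnableIgnoreGpt(true)`, but the disable branch only clears `enableIgnoreOsEvt` and the success message says just "Ignore OS Events enabled", so an operator widens what firmware validation skips without being told and cannot undo the GPT part from this form. Either make the coupling explicit — `successMessage = "Ignore OS Events enabled (Ignore GPT Events enabled as well)";` plus a comment stating why OS-event ignore requires GPT ignore — or leave GPT to its own endpoint. The copied comment `//If Ignore TBoot is enabled without firmware, disallow change` above the `ignoreOsEvtOptionEnabled` check should read `//If Ignore OS Events is enabled without firmware, disallow change`. `ppModel.getIgnoreOsEvt().equalsIgnoreCase(...)` throws NullPointerException if the form is posted without the radio value; `ENABLED_CHECKED_PARAMETER_VALUE.equalsIgnoreCase(ppModel.getIgnoreOsEvt())` avoids that, though the sibling handlers above this hunk may share the pattern.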
@ -231,13 +231,11 @@ public class ReferenceManifestDetailsPageController
|
||||
data.put("entityThumbprint", baseRim.getEntityThumbprint());
|
||||
// Link
|
||||
data.put("linkHref", baseRim.getLinkHref());
|
||||
data.put("linkHrefLink", "");
|
||||
for (BaseReferenceManifest bRim : BaseReferenceManifest
|
||||
.select(referenceManifestManager).getRIMs()) {
|
||||
if (baseRim.getLinkHref().contains(bRim.getTagId())) {
|
||||
data.put("linkHrefLink", bRim.getId().toString());
|
||||
break;
|
||||
} else {
|
||||
data.put("linkHrefLink", "");
|
||||
data.put("linkHrefLink", bRim.getId());
|
||||
}
|
||||
}
|
||||
data.put("linkRel", baseRim.getLinkRel());
|
||||
@ -255,16 +253,16 @@ public class ReferenceManifestDetailsPageController
|
||||
data.put("pcUriGlobal", baseRim.getPcURIGlobal());
|
||||
data.put("pcUriLocal", baseRim.getPcURILocal());
|
||||
data.put("rimLinkHash", baseRim.getRimLinkHash());
|
||||
boolean hashLinked = false;
|
||||
if (baseRim.getRimLinkHash() != null) {
|
||||
ReferenceManifest rim = BaseReferenceManifest.select(referenceManifestManager)
|
||||
.byBase64Hash(baseRim.getRimLinkHash()).getRIM();
|
||||
hashLinked = (rim != null);
|
||||
if (hashLinked) {
|
||||
.byHexDecHash(baseRim.getRimLinkHash()).getRIM();
|
||||
if (rim != null) {
|
||||
data.put("rimLinkId", rim.getId());
|
||||
data.put("linkHashValid", true);
|
||||
} else {
|
||||
data.put("linkHashValid", false);
|
||||
}
|
||||
}
|
||||
data.put("linkHashValid", hashLinked);
|
||||
data.put("rimType", baseRim.getRimType());
|
||||
|
||||
List<SwidResource> resources = baseRim.parseResource();
|
||||
@ -285,8 +283,8 @@ public class ReferenceManifestDetailsPageController
|
||||
// going to have to pull the filename and grab that from the DB
|
||||
// to get the id to make the link
|
||||
for (SwidResource swidRes : resources) {
|
||||
if (support != null && swidRes.getName()
|
||||
.equals(support.getFileName())) {
|
||||
if (support != null && swidRes.getHashValue()
|
||||
.equalsIgnoreCase(support.getHexDecHash())) {
|
||||
RIM_VALIDATOR.validateSupportRimHash(support.getRimBytes(),
|
||||
swidRes.getHashValue());
|
||||
if (RIM_VALIDATOR.isSupportRimValid()) {
|
||||
@ -385,7 +383,7 @@ public class ReferenceManifestDetailsPageController
|
||||
// starts off checking if associated rim is null; that is irrelevant for
|
||||
// this statement.
|
||||
measurements = EventLogMeasurements.select(referenceManifestManager)
|
||||
.byHexDecHash(support.getEventLogHash()).getRIM();
|
||||
.byHexDecHash(support.getHexDecHash()).getRIM();
|
||||
|
||||
if (support.isSwidPatch()) {
|
||||
data.put("swidPatch", "True");
|
||||
|
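Review bot: In the `linkHrefLink` loop (first hunk) the new `else` branch `data.put("linkHrefLink", bRim.getId());` overwrites the value on every non-matching iteration, so a base RIM whose `linkHref` matches no stored tag id ends up pointing at whichever RIM was iterated last; with the `rim-details` view in this same commit rendering a link whenever `linkHrefLink` is non-empty, that yields a link to an unrelated RIM. The `data.put("linkHrefLink", "")` before the loop already covers the no-match case, so the `else` branch should simply be deleted. In the second hunk `linkHashValid` is now written only inside `if (baseRim.getRimLinkHash() != null)`, whereas the removed `data.put("linkHashValid", hashLinked)` set it unconditionally — if the view reads it as a boolean, a null `rimLinkHash` now leaves it absent. The enclosing method starts before the first hunk.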
@ -160,7 +160,6 @@ public class ReferenceManifestPageController
|
||||
@Override
|
||||
public void modify(final Criteria criteria) {
|
||||
criteria.add(Restrictions.isNull(Certificate.ARCHIVE_FIELD));
|
||||
|
||||
}
|
||||
};
|
||||
FilteredRecordsList<ReferenceManifest> records
|
||||
|
@ -107,7 +107,19 @@
|
||||
<label><input id="gptTop" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? 'checked' : ''} value="checked"/> Ignore GPT enabled</label>
|
||||
</div>
|
||||
<div class="radio">
|
||||
<label><input id="gptBot" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? '' : 'checked'} value="unchecked"/> Ignore GPT disabled</label>
|
||||
<label><input id="gptBot" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? '' : 'checked'} value="unchecked"/> Ignore GPT disabled</label>
|
||||
</div>
|
||||
</my:editor>
|
||||
</li>
|
||||
</form:form>
|
||||
<form:form method="POST" modelAttribute="initialData" action="policy/update-os-evt-ignore">
|
||||
<li>Ignore OS Events: ${initialData.enableIgnoreOsEvt ? 'Enabled' : 'Disabled'}
|
||||
<my:editor id="ignoreOsEvtPolicyEditor" label="Edit Settings">
|
||||
<div class="radio">
|
||||
<label><input id="osTop" type="radio" name="ignoreOsEvt" ${initialData.enableIgnoreOsEvt ? 'checked' : ''} value="checked"/> Ignore Os Events enabled</label>
|
||||
</div>
|
||||
<div class="radio">
|
||||
<label><input id="osBot" type="radio" name="ignoreOsEvt" ${initialData.enableIgnoreOsEvt ? '' : 'checked'} value="unchecked"/> Ignore Os Events disabled</label>
|
||||
</div>
|
||||
</my:editor>
|
||||
</li>
|
||||
@ -162,10 +174,10 @@
|
||||
</div>
|
||||
<br />
|
||||
|
||||
<%-- Generate DevID Certificate--%>
|
||||
<%-- Generate LDevID Certificate--%>
|
||||
<div class="aca-input-box">
|
||||
<form:form method="POST" modelAttribute="initialData" action="policy/update-issue-devid">
|
||||
<li>Generate DevID Certificate: ${initialData.issueDevIdCertificate ? 'Enabled' : 'Disabled'}
|
||||
<li>Generate LDevID Certificate: ${initialData.issueDevIdCertificate ? 'Enabled' : 'Disabled'}
|
||||
<my:editor id="issuedDevIdCertificatePolicyEditor" label="Edit Settings">
|
||||
<div class="radio">
|
||||
<label><input id="devIdTop" type="radio" name="devIdCertificateIssued" ${initialData.issueDevIdCertificate ? '' : 'checked'} value="unchecked"/> Never generate a DevID Certificate</label>
|
||||
@ -177,7 +189,7 @@
|
||||
</form:form>
|
||||
<ul>
|
||||
<form:form method="POST" modelAttribute="initialData" action="policy/update-devid-expire-on">
|
||||
<li>DevID Certificate Validity period: ${initialData.devIdExpirationFlag ? 'Enabled' : 'Disabled'}
|
||||
<li>LDevID Certificate Validity period: ${initialData.devIdExpirationFlag ? 'Enabled' : 'Disabled'}
|
||||
<my:editor id="issuedDevIdCertificatePolicyExpirationEditor" label="Edit Settings">
|
||||
<div class="radio">
|
||||
<label>
|
||||
@ -190,12 +202,12 @@
|
||||
</li>
|
||||
</form:form>
|
||||
<form:form method="POST" modelAttribute="initialData" action="policy/update-devid-threshold">
|
||||
<li>DevID Certificate Renewal period: ${initialData.devIdExpirationFlag ? 'Enabled' : 'Disabled'}
|
||||
<li>LDevID Certificate Renewal period: ${initialData.devIdExpirationFlag ? 'Enabled' : 'Disabled'}
|
||||
<my:editor id="issuedDevIdCertificatePolicyGenerateEditor" label="Edit Settings">
|
||||
<div class="radio">
|
||||
<label>
|
||||
<input id="devIdBot" type="checkbox" name="devIdExpirationChecked" ${initialData.devIdExpirationFlag ? 'checked' : ''} value="checked" />
|
||||
Renew 'n' days before DevID Certificate's 'Not After' Validity date (Default 365 days)<br />
|
||||
Renew 'n' days before LDevID Certificate's 'Not After' Validity date (Default 365 days)<br />
|
||||
Select 'n' period in days: <input id="devIdThresholdValue" type="text" name="devIdThresholdValue" value="${initialData.devIdThresholdValue}" />
|
||||
</label>
|
||||
</div>
|
||||
|
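Review bot: The new OS-events block labels the state as "Ignore OS Events" on the `<li>` but "Ignore Os Events enabled"/"Ignore Os Events disabled" on the two radio labels; the GPT block above uses one spelling throughout, so `Ignore OS Events enabled` / `Ignore OS Events disabled` would match. Since the handler behind `policy/update-os-evt-ignore` also switches GPT ignore on when this option is enabled, the label or a short help line should say so; otherwise the page shows the GPT radio changed without the operator having touched it. The DevID→LDevID renames in the later hunks leave the radio text `Never generate a DevID Certificate` in the same form unchanged, which may or may not be intended.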
@ -371,7 +371,7 @@
|
||||
<div>
|
||||
<span>
|
||||
<c:choose>
|
||||
<c:when test="${initialData.linkRel=='requires'}">
|
||||
<c:when test="${not empty initialData.linkHrefLink}">
|
||||
<a href="${portal}/rim-details?id=${initialData.linkHrefLink}" rel="${initialData.linkRel}">${initialData.linkHref}</a>
|
||||
</c:when>
|
||||
<c:otherwise>
|
||||
|
@ -208,15 +208,18 @@ hirs::pb::OsInfo DeviceInfoCollector::collectOsInfo() {
|
||||
while (getline(releaseFile, line)) {
|
||||
stringstream ss(line);
|
||||
string item;
|
||||
vector<string> tokens;
|
||||
std::vector<string> tokens;
|
||||
char* delim = const_cast<char*>("=");
|
||||
while (getline(ss, item, *delim)) {
|
||||
tokens.push_back(item);
|
||||
}
|
||||
if (tokens.size() > 0 && tokens.at(0) == "ID") {
|
||||
info.set_distribution(tokens.at(1));
|
||||
} else if (tokens.size() > 0 && tokens.at(0) == "VERSION_ID") {
|
||||
info.set_distributionrelease(tokens.at(1));
|
||||
for (int i=0; i < tokens.size(); i++) {
|
||||
if (tokens[i] == "ID") {
|
||||
info.set_distribution(tokens[i+1]);
|
||||
}
|
||||
if (tokens[i] == "VERSION_ID") {
|
||||
info.set_distributionrelease(tokens[i+1]);
|
||||
}
|
||||
}
|
||||
}
|
||||
releaseFile.close();
|
||||
|
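Review bot: `tokens[i+1]` in the new loop reads past the end of `tokens` when `ID` or `VERSION_ID` is the last token, which happens for a line such as `ID=` (the trailing `getline` yields no token), so a malformed os-release line is undefined behaviour rather than a skipped entry; the old `tokens.at(1)` at least threw. Bound the loop with `for (size_t i = 0; i + 1 < tokens.size(); i++) {`, which also removes the signed/unsigned comparison between `int i` and `tokens.size()`. Matching `tokens[i] == "ID"` at any position is broader than the old `tokens.at(0) == "ID"` check; if only the key position is meant, compare index 0 only and say so in a comment. `collectOsInfo` begins before this hunk.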
@ -181,7 +181,7 @@ void printHelp() {
|
||||
cout << helpMessage.str() << endl;
|
||||
}
|
||||
|
||||
int main(int argc, char** argv) {
|
||||
int main(int argc, const char** argv) {
|
||||
string log_directory = "/var/log/hirs/provisioner";
|
||||
|
||||
// directory should be created by rpm install
|
||||
|
@ -130,6 +130,16 @@ public class BaseReferenceManifest extends ReferenceManifest {
|
||||
setFieldValue(BASE_64_HASH_FIELD, base64Hash);
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Specify the RIM hash associated with the base RIM.
|
||||
* @param hexDecHash the hash of the file associated with the rim
|
||||
* @return this instance
|
||||
*/
|
||||
public Selector byHexDecHash(final String hexDecHash) {
|
||||
setFieldValue(HEX_DEC_HASH_FIELD, hexDecHash);
|
||||
return this;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
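Review bot: `byHexDecHash` selects on `HEX_DEC_HASH_FIELD` with the caller's string as-is, while the details controller in this same commit compares hex hashes with `equalsIgnoreCase`, which suggests stored and computed hex strings can differ in case; if the field is persisted in one case, a lookup in the other silently finds nothing and the caller treats the RIM as unlinked. Either normalise case here (e.g. lower-casing with `Locale.ROOT`, if that is the stored form) or state the expected case in the Javadoc. The Javadoc `Specify the RIM hash associated with the base RIM` is the same sentence as the base64 selector above it; `Specify the hex-encoded RIM hash to select on` distinguishes them. The enclosing `Selector` class starts before this hunk.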
@ -3,6 +3,8 @@ package hirs.data.persist;
|
||||
import hirs.data.persist.tpm.PcrComposite;
|
||||
import hirs.data.persist.tpm.PcrInfoShort;
|
||||
import hirs.data.persist.tpm.PcrSelection;
|
||||
import hirs.tpm.eventlog.TCGEventLog;
|
||||
import hirs.tpm.eventlog.TpmPcrEvent;
|
||||
import org.apache.commons.codec.DecoderException;
|
||||
import org.apache.commons.codec.binary.Hex;
|
||||
import org.apache.logging.log4j.Logger;
|
||||
@ -12,6 +14,9 @@ import javax.persistence.Entity;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.Arrays;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import static org.apache.logging.log4j.LogManager.getLogger;
|
||||
|
||||
@ -24,14 +29,24 @@ public final class PCRPolicy extends Policy {
|
||||
private static final Logger LOGGER = getLogger(PCRPolicy.class);
|
||||
|
||||
private static final int NUM_TO_SKIP = 1;
|
||||
private static final int NUM_OF_TBOOT_PCR = 3;
|
||||
// PCR 5-16
|
||||
private static final int PXE_PCR_START = 5;
|
||||
private static final int PXE_PCR_END = 16;
|
||||
// PCR 10
|
||||
private static final int IMA_PCR = 10;
|
||||
// PCR 17-19
|
||||
private static final int TBOOT_PCR = 17;
|
||||
private static final int NUM_OF_TBOOT_PCR = 3;
|
||||
private static final int TBOOT_PCR_START = 17;
|
||||
private static final int TBOOT_PCR_END = 19;
|
||||
// PCR 5
|
||||
private static final int GPT_PCR = 5;
|
||||
|
||||
// Event Log Event Types
|
||||
private static final String EVT_EFI_BOOT = "EV_EFI_BOOT_SERVICES_APPLICATION";
|
||||
private static final String EVT_EFI_VAR = "EV_EFI_VARIABLE_BOOT";
|
||||
private static final String EVT_EFI_GPT = "EV_EFI_GPT_EVENT";
|
||||
private static final String EVT_EFI_CFG = "EV_EFI_VARIABLE_DRIVER_CONFIG";
|
||||
|
||||
@Column(nullable = false)
|
||||
private boolean enableIgnoreIma = false;
|
||||
@Column(nullable = false)
|
||||
@ -40,6 +55,8 @@ public final class PCRPolicy extends Policy {
|
||||
private boolean linuxOs = false;
|
||||
@Column(nullable = false)
|
||||
private boolean enableIgnoreGpt = true;
|
||||
@Column(nullable = false)
|
||||
private boolean enableIgnoreOsEvt = false;
|
||||
|
||||
private String[] baselinePcrs;
|
||||
|
||||
@ -81,7 +98,7 @@ public final class PCRPolicy extends Policy {
|
||||
i += NUM_TO_SKIP;
|
||||
}
|
||||
|
||||
if (enableIgnoretBoot && i == TBOOT_PCR) {
|
||||
if (enableIgnoretBoot && i == TBOOT_PCR_START) {
|
||||
LOGGER.info("PCR Policy TBoot Ignore enabled.");
|
||||
i += NUM_OF_TBOOT_PCR;
|
||||
}
|
||||
@ -101,6 +118,45 @@ public final class PCRPolicy extends Policy {
|
||||
return sb;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks that the expected FM events occurring. There are policy options that
|
||||
* will ignore certin PCRs, Event Types and Event Variables present.
|
||||
* @param tcgMeasurementLog Measurement log from the client
|
||||
* @param eventValueMap The events stored as baseline to compare
|
||||
* @return the events that didn't pass
|
||||
*/
|
||||
public List<TpmPcrEvent> validateTpmEvents(final TCGEventLog tcgMeasurementLog,
|
||||
final Map<String, ReferenceDigestValue> eventValueMap) {
|
||||
List<TpmPcrEvent> tpmPcrEvents = new LinkedList<>();
|
||||
for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) {
|
||||
if (enableIgnoreIma && tpe.getPcrIndex() == IMA_PCR) {
|
||||
LOGGER.info(String.format("IMA Ignored -> %s", tpe));
|
||||
} else if (enableIgnoretBoot && (tpe.getPcrIndex() >= TBOOT_PCR_START
|
||||
&& tpe.getPcrIndex() <= TBOOT_PCR_END)) {
|
||||
LOGGER.info(String.format("TBOOT Ignored -> %s", tpe));
|
||||
} else if (enableIgnoreOsEvt && (tpe.getPcrIndex() >= PXE_PCR_START
|
||||
&& tpe.getPcrIndex() <= PXE_PCR_END)) {
|
||||
LOGGER.info(String.format("OS Evt Ignored -> %s", tpe));
|
||||
} else {
|
||||
if (enableIgnoreGpt && tpe.getEventTypeStr().contains(EVT_EFI_GPT)) {
|
||||
LOGGER.info(String.format("GPT Ignored -> %s", tpe));
|
||||
} else if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_BOOT)
|
||||
|| tpe.getEventTypeStr().contains(EVT_EFI_VAR))) {
|
||||
LOGGER.info(String.format("OS Evt Ignored -> %s", tpe));
|
||||
} else if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_CFG)
|
||||
&& tpe.getEventContentStr().contains("SecureBoot"))) {
|
||||
LOGGER.info(String.format("OS Evt Config Ignored -> %s", tpe));
|
||||
} else {
|
||||
if (!eventValueMap.containsKey(tpe.getEventDigestStr())) {
|
||||
tpmPcrEvents.add(tpe);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return tpmPcrEvents;
|
||||
}
|
||||
|
||||
/**
|
||||
* Compares hashs to validate the quote from the client.
|
||||
*
|
||||
@ -122,6 +178,7 @@ public final class PCRPolicy extends Policy {
|
||||
} catch (DecoderException deEx) {
|
||||
LOGGER.error(deEx);
|
||||
}
|
||||
|
||||
PcrSelection pcrSelection = new PcrSelection(PcrSelection.ALL_PCRS_ON);
|
||||
PcrComposite pcrComposite = new PcrComposite(
|
||||
pcrSelection,
|
||||
@ -211,6 +268,22 @@ public final class PCRPolicy extends Policy {
|
||||
this.enableIgnoreGpt = enableIgnoreGpt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for the Os Events ignore flag.
|
||||
* @return true if Os Events is to be ignored.
|
||||
*/
|
||||
public boolean isEnableIgnoreOsEvt() {
|
||||
return enableIgnoreOsEvt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for the Os Evt ignore flag.
|
||||
* @param enableIgnoreOsEvt true if Os Evt is to be ignored.
|
||||
*/
|
||||
public void setEnableIgnoreOsEvt(final boolean enableIgnoreOsEvt) {
|
||||
this.enableIgnoreOsEvt = enableIgnoreOsEvt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for a flag to indicate the type of OS.
|
||||
* @return true if the system is linux.
|
||||
|
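Review bot: The Javadoc on `validateTpmEvents` should state what the ignore flags actually exclude, because the scope is broad: with `enableIgnoreOsEvt` every event in PCRs 5–16 is skipped before any event-type check, and outside that range `EV_EFI_BOOT_SERVICES_APPLICATION`, `EV_EFI_VARIABLE_BOOT` and any `EV_EFI_VARIABLE_DRIVER_CONFIG` event whose content contains `SecureBoot` are skipped as well. On a TCG PC-Client PCR layout PCR 7 (Secure Boot policy) falls inside 5–16, so enabling this option stops firmware validation from noticing a Secure Boot configuration change — that consequence belongs in the method and field documentation and on the policy page, not only in the code. Suggested summary line: `Returns the measurement-log events whose digests are absent from the baseline, after dropping events excluded by the ignore flags: IMA (PCR 10), TBoot (PCRs 17-19), GPT (EV_EFI_GPT_EVENT) and, when OS-event ignore is on, all of PCRs 5-16 plus the boot-services, boot-variable and SecureBoot driver-config events on any PCR.` The two event-type branches gated on `enableIgnoreOsEvt` can only fire for events in PCRs 0–4 or 17+, since the range branch runs first; a comment saying so prevents the next reader from assuming they are what covers PCR 7. The constants commented `// PCR 5-16` are named `PXE_PCR_START`/`PXE_PCR_END` although the loop uses them as the OS-event range; `OS_EVT_PCR_START`/`OS_EVT_PCR_END` would match their use.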
@ -226,6 +226,15 @@ public class SupplyChainPolicy extends Policy {
|
||||
return this.pcrPolicy.isEnableIgnoreGpt();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns whether or not to validate the ignore Os Events on the device.
|
||||
*
|
||||
* @return whether or not to validate the ignore Os Events
|
||||
*/
|
||||
public boolean isIgnoreOsEvtEnabled() {
|
||||
return this.pcrPolicy.isEnableIgnoreOsEvt();
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets whether or not validate the ignore GPT on the device.
|
||||
* @param enableIgnoreGpt whether or not to validate the ignore GPT
|
||||
@ -234,6 +243,14 @@ public class SupplyChainPolicy extends Policy {
|
||||
this.pcrPolicy.setEnableIgnoreGpt(enableIgnoreGpt);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets whether or not validate the ignore Os Events on the device.
|
||||
* @param enableIgnoreOsEvt whether or not to validate the ignore Os Events
|
||||
*/
|
||||
public void setIgnoreOsEvtEnabled(final boolean enableIgnoreOsEvt) {
|
||||
this.pcrPolicy.setEnableIgnoreOsEvt(enableIgnoreOsEvt);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns whether or not to allow expired credentials and certificates to be considered
|
||||
* valid if their supply chain is otherwise verified.
|
||||
|
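Review bot: The Javadoc on `isIgnoreOsEvtEnabled` and `setIgnoreOsEvtEnabled` reads `whether or not to validate the ignore Os Events`, which inverts the meaning of the flag: true means OS-event measurements are excluded from firmware validation, not validated. Suggest `Returns whether OS-event measurements (PCRs 5-16 and the related EFI boot events) are excluded from firmware validation.` and `Sets whether OS-event measurements are excluded from firmware validation.`, with the `@return`/`@param` lines phrased the same way. The surrounding GPT accessors carry the same wording, but the new methods need not copy it.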
@ -5,6 +5,8 @@ import org.bouncycastle.asn1.DERBitString;
|
||||
import org.bouncycastle.asn1.DERIA5String;
|
||||
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
|
||||
|
||||
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||
|
||||
/**
|
||||
*
|
||||
* Basic class that handle a URIReference object.
|
||||
@ -19,6 +21,7 @@ import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
|
||||
public class URIReference {
|
||||
private DERIA5String uniformResourceIdentifier;
|
||||
private AlgorithmIdentifier hashAlgorithm;
|
||||
@JsonIgnore
|
||||
private DERBitString hashValue;
|
||||
|
||||
private static final int PLATFORM_PROPERTIES_URI_MAX = 3;
|
||||
@ -66,13 +69,15 @@ public class URIReference {
|
||||
for (int j = 0; j < sequence.size(); j++) {
|
||||
if (sequence.getObjectAt(j) instanceof DERIA5String) {
|
||||
this.uniformResourceIdentifier = DERIA5String.getInstance(sequence.getObjectAt(j));
|
||||
} else if (sequence.getObjectAt(j) instanceof AlgorithmIdentifier) {
|
||||
} else if ((sequence.getObjectAt(j) instanceof AlgorithmIdentifier)
|
||||
|| (sequence.getObjectAt(j) instanceof ASN1Sequence)) {
|
||||
this.hashAlgorithm =
|
||||
AlgorithmIdentifier.getInstance(sequence.getObjectAt(j));
|
||||
} else if (sequence.getObjectAt(j) instanceof DERBitString) {
|
||||
this.hashValue = DERBitString.getInstance(sequence.getObjectAt(j));
|
||||
} else {
|
||||
throw new IllegalArgumentException("PlatformPropertiesURI contains invalid type.");
|
||||
throw new IllegalArgumentException("Unexpected DER type found. "
|
||||
+ sequence.getObjectAt(j).getClass().getName() + " found at index " + j + ".");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
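Review bot: Treating any `ASN1Sequence` element as an `AlgorithmIdentifier` widens what the constructor accepts from the certificate: a sequence that is not a well-formed AlgorithmIdentifier now reaches `AlgorithmIdentifier.getInstance`, whose own exception will not carry the index context that the improved `else` message adds, and a second sequence in the same structure silently overwrites `hashAlgorithm`. Wrapping that call and rethrowing `new IllegalArgumentException("Element " + j + " is not a valid AlgorithmIdentifier", e)`, and rejecting a repeated `hashAlgorithm` assignment, would keep the failure report as precise as the new message intends. A one-line comment on why a bare `ASN1Sequence` must be accepted — presumably some issuers emit the structure without the expected tagging — would document the relaxation. `ASN1Sequence` is presumably imported above line 5 of the file; the import lines shown in the first hunk do not include it. The enclosing constructor starts before the second hunk.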
@ -84,7 +84,7 @@ public final class JsonUtils {
|
||||
JsonObject jsonObject = new JsonObject();
|
||||
|
||||
if (Files.notExists(jsonPath)) {
|
||||
LOGGER.error(String.format("No file found at %s.", jsonPath.toString()));
|
||||
LOGGER.warn(String.format("No file found at %s.", jsonPath.toString()));
|
||||
} else {
|
||||
try {
|
||||
InputStream inputStream = new FileInputStream(jsonPath.toString());
|
||||
|
@ -655,18 +655,15 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
|
||||
.getValue());
|
||||
if (classFound) {
|
||||
if (isMatch(ciV2, baseCiV2)) {
|
||||
if (ciV2.isAdded()) {
|
||||
// error
|
||||
resultMessage.append("ADDED attempted with prior instance\n");
|
||||
deltaSb.append(String.format("%s;", ci.hashCode()));
|
||||
}
|
||||
if (ciV2.isModified()) {
|
||||
if (ciV2.isAdded() || ciV2.isModified()) {
|
||||
// since the base list doesn't have this ci
|
||||
// just add the delta
|
||||
baseCompList.add(deltaCi);
|
||||
break;
|
||||
}
|
||||
if (ciV2.isRemoved()) {
|
||||
baseCompList.remove(ciV2);
|
||||
break;
|
||||
}
|
||||
// if it is a remove
|
||||
// we do nothing because baseCompList doesn't have it
|
||||
@ -1494,10 +1491,10 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
|
||||
failureMsg.append(scv.getMessage());
|
||||
}
|
||||
deltaMapping.put(delta, new SupplyChainValidation(
|
||||
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
|
||||
AppraisalStatus.Status.FAIL,
|
||||
certificateList,
|
||||
failureMsg.toString()));
|
||||
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
|
||||
AppraisalStatus.Status.FAIL,
|
||||
certificateList,
|
||||
failureMsg.toString()));
|
||||
}
|
||||
} else if (ciV2.isRemoved()) {
|
||||
if (!chainCiMapping.containsKey(ciSerial)) {
|
||||
@ -1546,9 +1543,40 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// found a delta ci with no serial
|
||||
// add to list
|
||||
leftOvers.add(ci);
|
||||
if (ci.isVersion2() && ((ComponentIdentifierV2) ci).isModified()) {
|
||||
ComponentIdentifierV2 ciV2 = (ComponentIdentifierV2) ci;
|
||||
// Look for singular component of same make/model/class
|
||||
ComponentIdentifier candidate = null;
|
||||
for (ComponentIdentifier search : absentSerials) {
|
||||
if (!search.isVersion2()) {
|
||||
continue;
|
||||
}
|
||||
ComponentIdentifierV2 noSerialV2 = (ComponentIdentifierV2) search;
|
||||
|
||||
if (noSerialV2.getComponentClass().getValue().equals(
|
||||
ciV2.getComponentClass().getValue())
|
||||
&& isMatch(noSerialV2, ciV2)) {
|
||||
if (candidate == null) {
|
||||
candidate = noSerialV2;
|
||||
} else {
|
||||
// This only works if there is one matching component
|
||||
candidate = null;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (candidate != null) {
|
||||
absentSerials.remove(candidate);
|
||||
absentSerials.add(ciV2);
|
||||
} else {
|
||||
leftOvers.add(ci);
|
||||
}
|
||||
} else {
|
||||
// found a delta ci with no serial
|
||||
// add to list
|
||||
leftOvers.add(ci);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
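Review bot: In the first hunk a delta component flagged ADDED that matches an existing base component (`isMatch(ciV2, baseCiV2)` true) is now appended via `baseCompList.add(deltaCi)`, where before it was reported as `ADDED attempted with prior instance` and recorded in `deltaSb`; that accepts a delta platform certificate re-adding a component that already exists, leaves the base list holding both instances, and drops the check that used to catch an inconsistent delta chain. If the relaxation is intended, the comment `// since the base list doesn't have this ci / just add the delta` is wrong in this branch — the match means the base list does have it — and should instead explain why a duplicate is acceptable; otherwise keep the ADDED error and merge only the `isModified()` case. The candidate search in the last hunk looks sound as far as visible, but `absentSerials.add(ciV2)` after `absentSerials.remove(candidate)` swaps the element a later pass will see; a comment such as `// replace the serial-less base entry with the modified delta entry` would record that. The enclosing methods start before the first and last hunks.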
@ -260,7 +260,7 @@ fi
|
||||
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/banner.properties
|
||||
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/persistence.properties
|
||||
%attr(664, root, tomcat) /opt/hirs/default-properties/component-class.json
|
||||
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/vendor-table.json
|
||||
%attr(664, root, tomcat) /opt/hirs/default-properties/vendor-table.json
|
||||
%attr(774, root, tomcat) /opt/hirs/scripts/common/aca
|
||||
%attr(774, root, tomcat) /opt/hirs/scripts/aca
|
||||
%attr(774, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.pp
|
||||
@ -330,7 +330,7 @@ cp HIRS_Utils/src/main/resources/persistence.properties %{buildroot}/opt/hirs/de
|
||||
cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/attestationca/
|
||||
cp HIRS_Utils/src/main/resources/banner.properties %{buildroot}/opt/hirs/default-properties/attestationca/
|
||||
cp HIRS_Utils/src/main/resources/component-class.json %{buildroot}/opt/hirs/default-properties/
|
||||
cp HIRS_Utils/src/main/resources/vendor-table.json %{buildroot}/opt/hirs/default-properties/attestationca/
|
||||
cp -n HIRS_Utils/src/main/resources/vendor-table.json %{buildroot}/opt/hirs/default-properties/
|
||||
|
||||
# install extras
|
||||
mkdir -p %{buildroot}/opt/hirs/extras
|
||||
|
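Review bot: `cp -n` in the `%install` section copies into a fresh `%{buildroot}`, so the no-clobber flag never has an effect there; the intent of not overwriting a site-edited `vendor-table.json` on upgrade is expressed in RPM by marking the file in `%files`, e.g. `%config(noreplace) %attr(664, root, tomcat) /opt/hirs/default-properties/vendor-table.json`. The `664` mode makes the vendor lookup table writable by the `tomcat` group, i.e. by the web application that consumes it; if the file is operator-maintained reference data, `644` keeps the service from being able to rewrite its own lookup table. Only the changed lines of `%files` and `%install` are shown, so whether the old `attestationca/vendor-table.json` path is still referenced elsewhere cannot be checked here.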
@ -31,7 +31,7 @@ In both cases the tcg_eventlog_tool-X.X.jar file should have been placed in the
|
||||
Currenty only a install file for Linux RPM is supported.
|
||||
|
||||
To create an RPM on a linux device use the following command in the dame directory:
|
||||
> ./gradlew builRPM
|
||||
> ./gradlew buildRPM
|
||||
|
||||
# Installing
|
||||
Currenty only a install package for Linux is supported.
|
||||
|
@ -108,7 +108,7 @@ ospackage {
|
||||
link("/usr/local/bin/elt", "/opt/hirs/eventlog/scripts/eventlog.sh", 0x755)
|
||||
}
|
||||
|
||||
into('/opt/hirs/default-properties/eventlogtool') {
|
||||
into('/tmp/') {
|
||||
fileMode 0664
|
||||
from ('../../HIRS_Utils/src/main/resources/vendor-table.json') {
|
||||
addParentDirs true
|
||||
@ -116,6 +116,8 @@ ospackage {
|
||||
}
|
||||
}
|
||||
|
||||
postInstall file('scripts/vendor-table.sh')
|
||||
|
||||
buildRpm {
|
||||
arch = I386
|
||||
}
|
||||
|
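Review bot: Packaging `vendor-table.json` into `/tmp/` and relying on `scripts/vendor-table.sh` at post-install to move it into `/opt/hirs/default-properties` stages a file the tool later trusts in a world-writable directory, and leaves a stray copy behind if the post-install step fails. The ospackage plugin can install the file at its final path and mark it as a configuration file that is not replaced on upgrade, which is what the `mv -n` in the script emulates; a private staging directory under `/opt/hirs` would be the fallback if the script is kept. The `into('/tmp/')` line replaces the previous `into('/opt/hirs/default-properties/eventlogtool')` target with no comment; `// staged here so the postInstall script can preserve an existing site copy` would at least record the reason.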
22
tools/tcg_eventlog_tool/scripts/vendor-table.sh
Normal file
@ -0,0 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
HIRS_DIR="/opt/hirs/default-properties"
|
||||
VENDOR_FILE="vendor-table.json"
|
||||
|
||||
# check that the directory exists
|
||||
if [ ! -d "$HIRS_DIR" ]; then
|
||||
mkdir -p $HIRS_DIR
|
||||
fi
|
||||
|
||||
# in case there was a problem, still check and if all is well
|
||||
# move the file with no-clobber
|
||||
if [ -d "$HIRS_DIR" ]; then
|
||||
# if the file doesn't exist
|
||||
if [ ! -f "$HIRS_DIR/$VENDOR_FILE" ]; then
|
||||
mv -n "/tmp/$VENDOR_FILE" $HIRS_DIR
|
||||
chmod 0644 "$HIRS_DIR/$VENDOR_FILE"
|
||||
else
|
||||
# if it does, then just remove the tmp folder version
|
||||
rm "/tmp/$VENDOR_FILE"
|
||||
fi
|
||||
fi
|
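Review bot: `mv -n "/tmp/$VENDOR_FILE" $HIRS_DIR` runs without checking that the staged file exists or that the move succeeded, and the script has no `set -e`, so a missing or unmovable file leaves the tool with no vendor table while the package install still reports success; add `set -euo pipefail` at the top and test the result, e.g. `mv -n "/tmp/$VENDOR_FILE" "$HIRS_DIR/" || exit 1`. Because `/tmp` is shared, the script should also confirm the staged path is a regular file before moving it (`[ -f "/tmp/$VENDOR_FILE" ] && [ ! -L "/tmp/$VENDOR_FILE" ]`) rather than moving whatever is at that name. `$HIRS_DIR` is unquoted in both the `mkdir -p` and `mv` lines; the value has no spaces today, but quoting keeps the script safe if the path is ever changed. A one-line header stating when the script runs (post-install of the eventlog tool RPM) and why it exists would help maintainers.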