Merge branch 'master' into issue-448

Cyrus 2022-03-24 07:27:50 -04:00
commit b266a97175
49 changed files with 1083 additions and 425 deletions


@ -9,7 +9,7 @@ services:
ports:
- "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}"
entrypoint: /bin/bash -c
command: [HIRS/.ci/setup/setup_aca.sh]
command: [HIRS/.ci/setup/container/setup_aca.sh]
hostname: ${HIRS_ACA_HOSTNAME}
networks:
hirs_aca_system_tests:


@ -0,0 +1,36 @@
#!/bin/bash
#########################################################################################
# Script to setup the TPM 2.0 Provisioner for System Tests
# Initial setup only use resetTpm2Emulator to reset PCR values in subsequent tests
#########################################################################################
set -e
pushd / > /dev/null
echo "Setting up TPM emulator for the TPM2 Provisioner"
source /HIRS/.ci/setup/container/tpm2_common.sh
#Wait for the ACA to spin up, if it hasnt already
waitForAca
# Install packages
installProvisioner
# set location of tcg artifacts
setTcgProperties
#echo "Contents of /etc/hirs is $(ls -al /etc/hirs)";
# Install TPM 2.0 Emulator
initTpm2Emulator
# Update the hirs-site.config file
updateHirsSiteConfigFile
echo "TPM 2.0 Emulator NV RAM list"
tpm2_nvlist
echo ""
echo "===========HIRS ACA TPM 2.0 Provisioner Setup Complete!==========="
popd > /dev/null
#tpm2_pcrlist -g sha256
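Review bot: `set -e` is the only failure guard in this new script, so a failing stage inside a pipeline, or an unset `${HIRS_ACA_PORTAL_IP}`/`${HIRS_ACA_PORTAL_PORT}` read by waitForAca, goes unnoticed until a later step fails for an unrelated reason; `set -euo pipefail` is the usual strict set, provided the sourced helpers tolerate `-u`. Every function called here (waitForAca, installProvisioner, setTcgProperties, initTpm2Emulator, updateHirsSiteConfigFile) comes from the `source /HIRS/.ci/setup/container/tpm2_common.sh` line, so the header block should name that dependency: `# Requires the helper functions defined in /HIRS/.ci/setup/container/tpm2_common.sh`. The commented-out diagnostics `#echo "Contents of /etc/hirs ..."` and `#tpm2_pcrlist -g sha256` are dead lines carried over from the old file; drop them or gate them behind a debug variable rather than leaving them to drift.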


@ -1,11 +1,8 @@
#!/bin/bash
#########################################################################################
# Script to setup the TPM 2.0 Provisioner Docker Image for System Tests
# Support scripts for the TPM 2.0 Provisioner System Tests
#
#########################################################################################
set -e
pushd / > /dev/null
echo "Setting up TPM emulator for the TPM2 Provisioner"
# Function to make and install TPM 2.0 Provisioner packages
function installProvisioner {
@ -24,8 +21,8 @@ function setTpmPcrValues {
mkdir /ibmtss
pushd /ibmtss > /dev/null
echo "Installing IBM TSS to set the TPM simulator intial values correctly..."
wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.5.0.tar.gz > /dev/null
tar -zxvf ibmtss1.5.0.tar.gz > /dev/null
wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.6.0.tar.gz > /dev/null
tar -zxvf ibmtss1.6.0.tar.gz > /dev/null
cd utils
make -f makefiletpmc > /dev/null
cd ../utils
@ -61,7 +58,7 @@ function initTpm2Emulator {
echo "DBus started"
# Give DBus time to start up
sleep 5
sleep 3
/ibmtpm/src/./tpm_server &
echo "TPM Emulator started"
@ -76,7 +73,7 @@ function initTpm2Emulator {
echo "TPM2-Abrmd started"
# Give ABRMD time to start and register on the DBus
sleep 2
sleep 1
# Certificates
ek_cert="/HIRS/.ci/setup/certs/ek_cert.der"
@ -112,10 +109,25 @@ function initTpm2Emulator {
sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini
}
# Clear out existing TPM PCR values by restarting the ibm tpm simulator
function resetTpm2Emulator {
echo "clearing the TPM PCR values"
# Stop tpm2-abrmd and the tpm server
pkill -f "tpm2-abrmd"
pkill -f "tpm_server"
# restart the tpm server and tpm2-abrmd
/ibmtpm/src/./tpm_server &
pushd /ibmtss/utils > /dev/null
./startup
popd > /dev/null
tpm2-abrmd -t socket &
sleep 1
# tpm2_pcrlist -g sha256
}
# Function to update the hirs-site.config file
function updateHirsSiteConfigFile {
HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config"
echo ""
echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...==========="
cat /HIRS/.ci/docker/.env
@ -142,8 +154,8 @@ DEFAULT_SITE_CONFIG_FILE
cat /etc/hirs/hirs-site.config
}
function waitForAca {
# Wait for ACA to boot
function waitForAca {
echo "Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
sleep 1;
@ -151,27 +163,3 @@ function waitForAca {
done
echo "ACA is up!"
}
#Wait for the ACA to spin up, if it hasnt already
waitForAca
# Install packages
installProvisioner
# set location of tcg artifacts
setTcgProperties
#echo "Contents of /etc/hirs is $(ls -al /etc/hirs)";
# Install TPM 2.0 Emulator
initTpm2Emulator
# Update the hirs-site.config file
updateHirsSiteConfigFile
echo "TPM 2.0 Emulator NV RAM list"
tpm2_nvlist
echo ""
echo "===========HIRS ACA TPM 2.0 Provisioner Setup Complete!==========="
popd > /dev/null
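Review bot: The IBM TSS archive fetched by `wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.6.0.tar.gz` is built with `make` and then used to initialise the TPM simulator with no integrity check at all, so the version bump only changes which unverified tarball gets compiled into the test environment. Drop `--no-check-certificate` and pin the archive, e.g. `echo "<EXPECTED_SHA256>  ibmtss1.6.0.tar.gz" | sha256sum -c - || exit 1` before the `tar -zxvf` line, recording the digest next to the version so the next bump updates both. In the new resetTpm2Emulator, `pkill -f "tpm2-abrmd"` and `pkill -f "tpm_server"` match any process whose command line contains those strings, and the restart is followed by a fixed `sleep 1` rather than a readiness check, so a slow restart leaves the following setpcrs script talking to a resource manager that is not up yet; polling the way waitForAca does would make it deterministic. Where the sourcing script runs under `set -e`, a `pkill` that finds nothing to kill also aborts the whole run, so `pkill -f "tpm_server" || true` with a comment is needed if the function is meant to be callable before the first start.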


@ -2,12 +2,18 @@
#########################################################################################
# Setup for platform certificates for testing
# Copies platform certs (Base and Delta) to the tcg directory
# usage pc_setup.sh <profile> <test>
#########################################################################################
profile=$1
test=$2
tcgDir="/boot/tcg"
compscript="$profile"_"$test"_allcomponents.sh
hwlist="$profile"_"$test"_hw.json
testDir="/HIRS/.ci/system-tests/profiles/$profile/$test"
pcDir=$testDir/platformcerts
profileDir="/HIRS/.ci/system-tests/profiles/$profile"
# Current TCG folder for platform certs, likely to change with release of the next FIM specification
tcgDir=/boot/tcg/cert/platform/
mkdir -p $tcgDir; # Create the platform cert folder if its not there
@ -34,7 +40,11 @@ fi
cp -f $allCompJson /opt/paccor/scripts/$hwlist ;
# Step 3: Copy the platform cert to tcg folder on boot drive
pushd /HIRS/.ci/system-tests/profiles/$profile/$test/platformcerts/ > /dev/null
# a: See if test specific swidtag folder exists, if not use the defualt folder
if [[ ! -d $pcDir ]]; then
pcDir=$profileDir/default/platformcerts;
fi
pushd $pcDir > /dev/null
# Skip copy of platform cert if .gitigore exists (empty profile)
if [[ ! -f ".gitignore" ]]; then
for cert in * ; do
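Review bot: `pushd $pcDir > /dev/null` is not checked, so when neither the test folder nor `$profileDir/default/platformcerts` exists the script stays in its current directory and the `for cert in *` loop copies whatever happens to be there into the tcg folder; guard it with `pushd "$pcDir" > /dev/null || { echo "no platformcerts folder for $profile/$test" >&2; exit 1; }`. The same unguarded pushd pattern appears in rim_setup.sh at both the swidtag and the rims steps. Every expansion in this hunk (`$pcDir`, `$tcgDir`, `$allCompJson`, `$hwlist`) is unquoted; the values come from the test harness arguments, so this is hygiene rather than an exploit, but shellcheck flags each one and a profile name with a space would break the copies. The loop body continues past the end of the hunk, so the copy itself is not visible here.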


@ -1,40 +1,61 @@
#!/bin/bash
#########################################################################################
# Setup for PC Client Reference Integrity Manifest (RIM) tests
#
# usage rim_setup.sh <profile> <test> <option>
# use "clear" option to clear existing TPM PCR values
#########################################################################################
profile=$1
test=$2
options=$3
tcgDir="/boot/tcg"
testDir="/HIRS/.ci/system-tests/profiles/$profile/$test"
propFile="/etc/hirs/tcg_boot.properties";
profileDir="/HIRS/.ci/system-tests/profiles/$profile"
defaultDir="$profileDir/default"
testDir="/HIRS/.ci/system-tests/profiles/$profile/$test"
eventLog="$testDir"/"$profile"_"$test"_binary_bios_measurements
swidDir="$testDir/swidtags"
rimDir="$testDir/rims"
pcrScript="$testDir/"$profile"_"$test"_setpcrs.sh"
source /HIRS/.ci/setup/container/tpm2_common.sh
echo "Test is using RIM files from $profile : $test"
# Make sure TCG defined RIM folders exist and are cleared out
mkdir -p $tcgDir/manifest/rim/; # Create the platform cert folder if its not there
rm -f $tcgDir/manifest/rim/*; # clear out any previous data
rm -f $tcgDir/manifest/rim/*; # clear out any previous data
mkdir -p $tcgDir/manifest/swidtag/; # Create the platform cert folder if its not there
rm -f $tcgDir/manifest/swidtag/*; # clear out any previous data
echo "Test is using RIM files from $profile : $test"
# Step 1: Update the tcg_boot.properties to use test specific binary_bios_measurement file
# a: if file does not exist in the test folder then use the default measurement file
# b: change the property file to point to the the test file
# update tcg_boot.properties to use test specific binary_bios_measurement file
if [[ ! -f "$eventLog" ]]; then
eventLog="$defaultDir"/"$profile"_default_binary_bios_measurements
fi
sed -i "s:tcg.event.file=.*:tcg.event.file=$eventLog:g" "$propFile"
#echo "Contents of $propFile after sed is $(cat $propFile)";
#echo "eventLog used was $eventLog"
# Step 2: Copy Base RIM files to the TCG folder
pushd $testDir/swidtags/ > /dev/null
# a: See if test specific swidtag folder exists, if not use the defualt folder
if [[ ! -d $swidDir ]]; then
swidDir=$defaultDir/swidtags;
fi
pushd $swidDir > /dev/null
if [[ ! -f ".gitignore" ]]; then
for swidtag in * ; do
cp -f $swidtag $tcgDir/manifest/swidtag/$swidtag;
done
fi
popd > /dev/null
# Step 3: Copy Support RIM files to the TCG folder
pushd $testDir/rims/ > /dev/null
# Step 3: Copy Support RIM files to the TCG folder in the same mannor
if [[ ! -d $rimDir ]]; then
rimDir=$defaultDir/rims;
fi
pushd $rimDir > /dev/null
if [[ ! -f ".gitignore" ]]; then
for rim in * ; do
@ -47,7 +68,18 @@ popd > /dev/null
# echo "Contents of tcg rim folder tcgDir/manifest/rim/: $(ls $tcgDir/manifest/rim/)"
#Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file
sh $testDir/"$profile"_"$test"_setpcrs.sh
# a: Clear the TPM PCR registers vi a call to the tss clear
# b: Check if a test specific setpcr.sh file exists. If not use the profiles default script
if [[ $options == "clear" ]]; then
resetTpm2Emulator
fi
if [[ ! -f $pcrScript ]]; then
pcrScript="$profileDir/default/"$profile"_default_setpcrs.sh"
fi
sh $pcrScript;
#echo "PCR script was $pcrScript"
#tpm2_pcrlist -g sha256
# Done with rim_setup
# Done with rim_setup
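Review bot: After the fallback at `if [[ ! -f $pcrScript ]]` the default script is never checked to exist, so `sh $pcrScript;` on a profile without one prints an error and the test carries on with whatever PCR values the emulator already holds, which can make a RIM test pass or fail for the wrong reason; add `[[ -f "$pcrScript" ]] || { echo "no setpcrs script for $profile/$test" >&2; exit 1; }` before the `sh` line. The eventLog fallback at `eventLog="$defaultDir"/"$profile"_default_binary_bios_measurements` has the same gap: the path is written into tcg_boot.properties by the `sed -i` line whether or not the default file exists. That `sed` also interpolates `$eventLog` into its replacement text, so a profile or test name containing `:` or `&` would corrupt the property; the arguments come from the test harness, but a `case` guard on `$1`/`$2` would make that assumption explicit. Likewise `if [[ $options == "clear" ]]` silently ignores any other value, including a typo, so a `case "$options" in clear) … ;; none|"") … ;; *) exit 1 ;; esac` would catch a mis-spelled option at the call site.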


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="false" tagId="hirs.swid.SwidTags.dell5580.oem" tagVersion="1" version="0.1" versionScheme="multipartnumeric" xml:lang="en">
<Entity name="OEM1" regid="www.example.com" role="softwareCreator tagCreator"/>
<Link href="https://Example.com/support/ProductA/firmware/installfiles" rel="installationmedia"/>
<Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580"/>
<Payload>
<Directory name="/boot/tcg/rim/support">
<File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="103309beb735da6cc95b9ad7d7e4b25c7d2e510eab945424af533ee46096d678" name="dell5580_varOSInstall_oem.1.rimel" size="17569"/>
</Directory>
</Payload>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>yoxwnTQu9jI+5TSG6c2hR/xI2rpxzGA5f9fu6bq7KD0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>NUxJ8hcDDSvneXnwxCLHSbBa7hTs4MsuQDQI7/arITl3vMAYPYgmWI7uvKNqhdSvs4fzG5c5GZ+q
boe/0Lh7gkeX6rl12nxe6ormoRFqK6vuCxQLtSgyHAsoh4mI5evxMS9oijucJHJNOeVP1y2g9x+P
lfgyYJjvU6f1X6Zv4C4Qb3JrzB1vZaYbJNJD3tEMnvGPjh5X1FtMYkFldhM9jYf7PAHy8QJHh8x+
b16n+OgE2pEOUGH/I+7xuk+fFtl+DYYSn8f9vwwqIRspXqTBI4uWoFu1xozw+yAPf7bKMYgQ1KYP
PvBgcXHR5UZWmfJdDDF09GWwkCh9EF+Wpmj3Bw==</SignatureValue>
<KeyInfo>
<KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
<KeyValue>
<RSAKeyValue>
<Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</SoftwareIdentity>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="true" tagId="hirs.swid.SwidTags.dell5580.var" tagVersion="1" version="0.1" xml:lang="en">
<Entity name="VAR1" regid="www.example.com" role="softwareCreator tagCreator"/>
<Link href="hirs.swid.SwidTags.dell5580.oem" rel="requires"/>
<Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580" rim:rimLinkHash="4Jocgla7QhDNd0Fs+nDfBUTLQsltTgd6Yob5ChlDg74="/>
<Payload>
<Directory name="/boot/tcg/rim/support">
<File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="aad27380fa51f42130057cdc524f16da3e5cd959a59fc2b3574470069b95a15e" name="dell5580_varOSInstall_var.1.rimel" size="2613"/>
</Directory>
</Payload>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>F5FruNNKqjgKSP6BOF7YUaBs9dSN8+HnYdpuYoBSWF8=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>mXABBSi1haZdZZKg3OzdaLi0jZFp0A78YmFqMtaTdSTNBI/xwrzy1rIIdEc7JWqy5emAcfr2abgc
4AgOIkmcJgYD8AECcmWVloANi7uT03l4e4FMVmDL8l/Cu/93yt/+5MJeWcu3HQvwbIPkYqOqXTNu
kWVvLr8KG0v42t+TRn38O1+EDGwHlDL/705SYZwvNP12Z7+b7FKizUisn5WZC77mzJ1/9m49aiqn
mqf56NxmHuA3uhFShfjaIwoljWVLDCt3/fkrM9WSsk3tX7c8g+QhKn4ygqiMn7gI48HH0PGbbA5q
mg5c9Farqs0mbGR4WTvXjXioSFV5NYkcdoFfmQ==</SignatureValue>
<KeyInfo>
<KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
<KeyValue>
<RSAKeyValue>
<Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</SoftwareIdentity>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="false" tagId="hirs.swid.SwidTags.dell5580.oem" tagVersion="1" version="0.1" versionScheme="multipartnumeric" xml:lang="en">
<Entity name="OEM1" regid="www.example.com" role="softwareCreator tagCreator"/>
<Link href="https://Example.com/support/ProductA/firmware/installfiles" rel="installationmedia"/>
<Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580"/>
<Payload>
<Directory name="/boot/tcg/rim/support">
<File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="a1704e9cd5727c5429d16bc2829e2890aa358c59b4f3d2e191c3eaa751520ce8" name="dell5580_varOSInstall_oem.1.rimel" size="17569"/>
</Directory>
</Payload>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>YwIGXKSKuII5sXcCa9fcwU6kr7u6HwTYHp58jfPJ5ic=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>KiCrZx3Pe//AJv97y9a7/APfNB24AWhOMvd4mcxPzMdkz7XEKvi93CWHqvGXmzoLthHwy6O6pPEO
2vl8fgt8URZdx7FGRWNZMmOep91KsVvTnm64//BU+/4yvwvDSGwnDrZOWugeDYg8G+hAnVY/KFMb
WM+pyND8K6Qw0HkIDh3iitk/luE2TElGNZEx30VUa/5W4DxL2NYPMlquJYD4nZorqU/uEpSo2HED
T7qF9UV5tJWnrOclJH7DkCy/b1u+mcxmjfRmRemwBUHS3bbG11prgLwTMvV5jYJnDct+O/mc7CF3
X0DP//wO4qziqK04kXLPZewB1wD2zknM35hORw==</SignatureValue>
<KeyInfo>
<KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
<KeyValue>
<RSAKeyValue>
<Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</SoftwareIdentity>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="true" tagId="hirs.swid.SwidTags.dell5580.var" tagVersion="1" version="0.1" xml:lang="en">
<Entity name="VAR1" regid="www.example.com" role="softwareCreator tagCreator"/>
<Link href="hirs.swid.SwidTags.dell5580.oem" rel="requires"/>
<Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580" rim:rimLinkHash="4Jocgla7QhDNd0Fs+nDfBUTLQsltTgd6Yob5ChlDg74="/>
<Payload>
<Directory name="/boot/tcg/rim/support">
<File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="d83a6208cc647e6bf42ecfd8bf559d6c7845d352f1e05ca90ffc3048fad1509e" name="dell5580_varOSInstall_var.1.rimel" size="2613"/>
</Directory>
</Payload>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>jRkKkYQ4oDpP/H6AEj1/xwE1mI65v6jmAHIZFtSrO0Y=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>h3bDGaljFAoof24cyU/L/ln3I419ov5iYm/I6Fvn4MHu7xfS85dSARkHarXn8yjegUSGrcGpCMbV
qAjZYK0Ljq95JETlVLc46/dAM98c/LOhE3WqcqMSvv7gMdOn2IsoRXfnUAnYNd7jGxnxlyGqS0UN
XDFXOi4rGY1km2DFGT7QHCRswy3GHhoPY8IocdrhaIN98aNFSEDzeLwIl8AtJHDmSEsmgxUCDMEL
1RvAbX1Fvjt6FE9gWbo/EY/Oj9cSNS+QXJR2CjEmsNe9KxUAMWVNpQJlXfGFZ2mJvjGmhKxfYYHN
EOb+D341sGCP4/TPH3wEQuTyQN4c/yNxwsIxpg==</SignatureValue>
<KeyInfo>
<KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
<KeyValue>
<RSAKeyValue>
<Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</SoftwareIdentity>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="false" tagId="hirs.swid.SwidTags.dell5580.oem" tagVersion="1" version="0.1" versionScheme="multipartnumeric" xml:lang="en">
<Entity name="OEM1" regid="www.example.com" role="softwareCreator tagCreator"/>
<Link href="https://Example.com/support/ProductA/firmware/installfiles" rel="installationmedia"/>
<Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580"/>
<Payload>
<Directory name="/boot/tcg/rim/support">
<File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="a1704e9cd5727c5429d16bc2829e2890aa358c59b4f3d2e191c3eaa751520ce8" name="dell5580_varOSInstall_oem.1.rimel" size="17569"/>
</Directory>
</Payload>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>YwIGXKSKuII5sXcCa9fcwU6kr7u6HwTYHp58jfPJ5ic=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>KiCrZx3Pe//AJv97y9a7/APfNB24AWhOMvd4mcxPzMdkz7XEKvi93CWHqvGXmzoLthHwy6O6pPEO
2vl8fgt8URZdx7FGRWNZMmOep91KsVvTnm64//BU+/4yvwvDSGwnDrZOWugeDYg8G+hAnVY/KFMb
WM+pyND8K6Qw0HkIDh3iitk/luE2TElGNZEx30VUa/5W4DxL2NYPMlquJYD4nZorqU/uEpSo2HED
T7qF9UV5tJWnrOclJH7DkCy/b1u+mcxmjfRmRemwBUHS3bbG11prgLwTMvV5jYJnDct+O/mc7CF3
X0DP//wO4qziqK04kXLPZewB1wD2zknM35hORw==</SignatureValue>
<KeyInfo>
<KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
<KeyValue>
<RSAKeyValue>
<Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</SoftwareIdentity>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="true" tagId="hirs.swid.SwidTags.dell5580.var" tagVersion="1" version="0.1" xml:lang="en">
<Entity name="VAR1" regid="www.example.com" role="softwareCreator tagCreator"/>
<Link href="hirs.swid.SwidTags.dell5580.oem" rel="requires"/>
<Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580" rim:rimLinkHash="4Jocgla7QhDNd0Fs+nDfBUTLQsltTgd6Yob5ChlDg74="/>
<Payload>
<Directory name="/boot/tcg/rim/support">
<File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="aad27380fa51f42130057cdc524f16da3e5cd959a59fc2b3574470069b95a15e" name="dell5580_varOSInstall_var.1.rimel" size="2613"/>
</Directory>
</Payload>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>F5FruNNKqjgKSP6BOF7YUaBs9dSN8+HnYdpuYoBSWF8=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>mXABBSi1haZdZZKg3OzdaLi0jZFp0A78YmFqMtaTdSTNBI/xwrzy1rIIdEc7JWqy5emAcfr2abgc
4AgOIkmcJgYD8AECcmWVloANi7uT03l4e4FMVmDL8l/Cu/93yt/+5MJeWcu3HQvwbIPkYqOqXTNu
kWVvLr8KG0v42t+TRn38O1+EDGwHlDL/705SYZwvNP12Z7+b7FKizUisn5WZC77mzJ1/9m49aiqn
mqf56NxmHuA3uhFShfjaIwoljWVLDCt3/fkrM9WSsk3tX7c8g+QhKn4ygqiMn7gI48HH0PGbbA5q
mg5c9Farqs0mbGR4WTvXjXioSFV5NYkcdoFfmQ==</SignatureValue>
<KeyInfo>
<KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
<KeyValue>
<RSAKeyValue>
<Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
</SoftwareIdentity>


@ -16,7 +16,7 @@ set -a
echo "******** Setting up for HIRS System Tests for TPM 2.0 ******** "
# expand dmi files for mounting to the provisioner containers
# Expand linux dmi files to mount to the provisioner container to simulate device component
unzip -q .ci/system-tests/profiles/laptop/laptop_dmi.zip -d .ci/system-tests/profiles/laptop/
# Start System Testing Docker Environment
pushd .ci/docker > /dev/null
@ -31,14 +31,14 @@ echo "ACA Container info: $(checkContainerStatus $aca_container)";
echo "TPM2 Provisioner Container info: $(checkContainerStatus $tpm2_container)";
# Install HIRS provioner and setup tpm2 emulator
docker exec $tpm2_container /HIRS/.ci/setup/setup_tpm2provisioner.sh
docker exec $tpm2_container /HIRS/.ci/setup/container/setup_tpm2provisioner.sh
# ********* Execute system tests here, add tests as needed *************
echo "******** Setup Complete Begin HIRS System Tests ******** "
source aca_policy_tests.sh
source platform_cert_tests.sh
source tests/aca_policy_tests.sh
source tests/platform_cert_tests.sh
source tests/rim_system_tests.sh
echo "******** HIRS System Tests Complete ******** "
@ -52,7 +52,6 @@ docker exec $tpm2_container mkdir -p /HIRS/logs/provisioner/;
docker exec $tpm2_container cp -a /var/log/hirs/provisioner/. /HIRS/logs/provisioner/;
docker exec $tpm2_container chmod -R 777 /HIRS/logs/;
# Display container log
echo ""
echo "===========HIRS Tests and Log collection complete ==========="
@ -61,7 +60,7 @@ echo "End of System Tests for TPM 2.0, cleaning up..."
echo ""
# Clean up services and network
popd > /dev/null
pushd .ci/docker
pushd .ci/docker > /dev/null
docker-compose -f docker-compose-system-test.yml down -v
popd > /dev/null
# Clean up dangling containers
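Review bot: The provisioner setup line `docker exec $tpm2_container /HIRS/.ci/setup/container/setup_tpm2provisioner.sh` has no status check, so if the emulator start or package install fails the three suites still run and report against a half-configured container; `docker exec "$tpm2_container" /HIRS/.ci/setup/container/setup_tpm2provisioner.sh || { echo "provisioner setup failed" >&2; exit 1; }` stops early (the script header with `set -a` is outside the hunk, so whether `set -e` is on cannot be seen here). The three `source tests/*.sh` lines run in this shell, and rim_system_tests.sh resets `totalTests`/`failedTests` itself and only ever sets `TEST_STATUS=1`; if the other two suites follow the same pattern the final `TEST_STATUS` correctly reflects any suite failing, and that invariant deserves a comment on the source block, e.g. `# Each suite sets TEST_STATUS=1 on failure and never clears it, so the final value reflects any failure.`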


@ -43,7 +43,7 @@ docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy
setPolicyEkPcFw() {
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;"
}
# Clear all ACA DB items including policy
@ -107,7 +107,7 @@ setPlatformCerts() {
# Places RIM files held in the test folder in the provisioners tcg folder
# setRims <profile> <test>
setRims() {
docker exec $tpm2_container sh /HIRS/.ci/system-tests/container/rim_setup.sh $1 $2
docker exec $tpm2_container sh /HIRS/.ci/system-tests/container/rim_setup.sh $1 $2 $3
#docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
}
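Review bot: `setRims` now forwards a third argument but the usage comment above it still reads `# setRims <profile> <test>`; update it to `# setRims <profile> <test> <option>  -- "clear" restarts the TPM emulator to reset PCR values before the setpcrs script runs; any other value leaves them`. The switch to `enableIgnoreIma=1` inside setPolicyEkPcFw is not reflected in the function name or any comment, and every policy test that calls it now runs with IMA validation disabled, so a one-line comment on the SQL stating why IMA is ignored under this policy would keep the test intent reviewable. The `$1 $2 $3` expansions in the `docker exec` line are unquoted, so an omitted third argument is simply dropped rather than passed as an empty string; rim_setup.sh reads it via `options=$3`, which tolerates both, but quoting them would stop a future argument with spaces from splitting.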


@ -8,7 +8,7 @@ totalTests=0;
failedTests=0;
# Start ACA Policy Tests
# provision_tpm takes 1 parameter (the expected result): "pass" or "fail"
# provisionTpm2 takes 1 parameter (the expected result): "pass" or "fail"
writeToLogs "### ACA POLICY TEST 1: Test ACA default policy ###"
setPlatformCerts "laptop" "empty"
@ -39,7 +39,7 @@ provisionTpm2 "pass"
writeToLogs "### ACA POLICY TEST 7: Test PC with RIM Validation Policy with valid PC and RIM ###"
setPolicyEkPcFw
setRims "laptop" "default"
setRims "laptop" "default" "none"
provisionTpm2 "pass"
# Process Test Results, any single failure will send back a failed result.


@ -8,7 +8,7 @@ totalTests=0;
failedTests=0;
# Start ACA Platform Certificate Tests
# provision_tpm takes 1 parameter (the expected result): "pass" or "fail"
# provisionTpm2 takes 1 parameter (the expected result): "pass" or "fail"
# Note that the aca_policy_tests have already run several Platform Certificate system tests
writeToLogs "### ACA PLATFORM CERTIFICATE TEST 1: Test a delta Platform Certificate that adds a new memory component ###"


@ -0,0 +1,44 @@
#!/bin/bash
#########################################################################################
# HIRS Reference Integrity Manifest System Tests
#
#########################################################################################
testResult=false
totalTests=0;
failedTests=0;
# Start ACA Reference Integrity Manifest Tests
# provisionTpm2 takes 1 parameter (the expected result): "pass" or "fail"
# Note that the aca_policy_tests have already run several RIM system tests
writeToLogs "### ACA RIM TEST 1: Test a RIM from an OEM and a Supplemental RIM from a VAR ###"
clearAcaDb
uploadTrustedCerts
setPolicyEkPcFw
setPlatformCerts "laptop" "varOsInstall"
setRims "laptop" "varOsInstall" "clear"
provisionTpm2 "pass"
writeToLogs "### ACA RIM TEST 2: Test a RIM from an OEM with a bad reference measurement and a Supplemental RIM from a VAR ###"
clearAcaDb
uploadTrustedCerts
setPolicyEkPcFw
setPlatformCerts "laptop" "badOemInstall"
setRims "laptop" "badOemInstall" "clear"
provisionTpm2 "fail"
writeToLogs "### ACA RIM TEST 3: Test a RIM from an OEM and a Supplemental RIM from a VAR with a bad reference measurement ###"
clearAcaDb
uploadTrustedCerts
setPolicyEkPcFw
setPlatformCerts "laptop" "badVarInstall"
setRims "laptop" "badVarInstall" "clear"
provisionTpm2 "fail"
# Process Test Results, any single failure will send back a failed result.
if [[ $failedTests != 0 ]]; then
export TEST_STATUS=1;
echo "**** $failedTests out of $totalTests ACA RIM Tests Failed! ****"
else
echo "**** $totalTests ACA RIM Tests Passed! ****"
fi
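Review bot: `if [[ $failedTests != 0 ]]` compares as strings, so an unset or padded counter (for instance if a helper leaves it empty) takes the failure branch; `if (( failedTests != 0 )); then` is the numeric form. This file is evidently meant to be sourced by the test runner rather than executed, since it calls writeToLogs, clearAcaDb, uploadTrustedCerts, setPolicyEkPcFw, setPlatformCerts, setRims and provisionTpm2 without defining them, so the header block should say so: `# Sourced by the TPM 2.0 system test runner; relies on the helper functions and container variables it defines.` The shebang and `testResult=false` suggest standalone execution that would fail on the first helper call, and the stray `;` terminators on `totalTests=0;` and `failedTests=0;` are noise shfmt would remove.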


@ -43,7 +43,7 @@ war.dependsOn copyVersion
ext.configDir = new File(projectDir, 'config')
ext.checkstyleConfigDir = "$configDir/checkstyle"
checkstyle {
toolVersion = '5.7'
toolVersion = '8.10.1'
configFile = checkstyleConfigFile
configProperties.put('basedir', checkstyleConfigDir)
ignoreFailures = false


@ -12,7 +12,6 @@ import hirs.data.persist.BaseReferenceManifest;
import hirs.data.persist.Device;
import hirs.data.persist.DeviceInfoReport;
import hirs.data.persist.EventLogMeasurements;
import hirs.data.persist.ReferenceDigestRecord;
import hirs.data.persist.ReferenceDigestValue;
import hirs.data.persist.ReferenceManifest;
import hirs.data.persist.SupplyChainPolicy;
@ -94,12 +93,15 @@ import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@ -926,8 +928,7 @@ public abstract class AbstractAttestationCertificateAuthority
listOfSavedRims.add(dbBaseRim);
}
generateDigestRecords(hw.getManufacturer(), hw.getProductName(),
dv.getNw().getHostname());
generateDigestRecords(hw.getManufacturer(), hw.getProductName());
if (dv.hasLivelog()) {
LOG.info("Device sent bios measurement log...");
@ -938,31 +939,38 @@ public abstract class AbstractAttestationCertificateAuthority
dv.getLivelog().toByteArray());
// find previous version.
measurements = EventLogMeasurements.select(referenceManifestManager)
.byHexDecHash(temp.getHexDecHash()).includeArchived().getRIM();
if (measurements == null) {
measurements = temp;
measurements.setPlatformManufacturer(dv.getHw().getManufacturer());
measurements.setPlatformModel(dv.getHw().getProductName());
measurements.setTagId(tagId);
measurements.setDeviceName(dv.getNw().getHostname());
this.referenceManifestManager.save(measurements);
}
// now save the hash to the base and support rims associated
for (ReferenceManifest rim : listOfSavedRims) {
if (rim != null) {
rim.setEventLogHash(temp.getHexDecHash());
this.referenceManifestManager.update(rim);
}
.byDeviceName(dv.getNw().getHostname())
.includeArchived()
.getRIM();
if (measurements != null) {
// Find previous log and delete it
referenceManifestManager.deleteReferenceManifest(measurements);
}
for (BaseReferenceManifest baseRim : BaseReferenceManifest
.select(referenceManifestManager).getRIMs()) {
if (baseRim.getPlatformManufacturer().equals(dv.getHw().getManufacturer())
&& baseRim.getPlatformModel().equals(dv.getHw().getProductName())) {
baseRim.setEventLogHash(temp.getHexDecHash());
this.referenceManifestManager.update(baseRim);
}
}
BaseReferenceManifest baseRim = BaseReferenceManifest
.select(referenceManifestManager)
.byManufacturerModelBase(dv.getHw().getManufacturer(),
dv.getHw().getProductName())
.getRIM();
measurements = temp;
measurements.setPlatformManufacturer(dv.getHw().getManufacturer());
measurements.setPlatformModel(dv.getHw().getProductName());
measurements.setTagId(tagId);
measurements.setDeviceName(dv.getNw().getHostname());
measurements.setAssociatedRim(baseRim.getAssociatedRim());
this.referenceManifestManager.save(measurements);
// pull the base versions of the swidtag and rimel and set the
// event log hash for use during provision
SupportReferenceManifest sBaseRim = SupportReferenceManifest
.select(referenceManifestManager)
.byEntityId(baseRim.getAssociatedRim())
.getRIM();
baseRim.setEventLogHash(temp.getHexDecHash());
sBaseRim.setEventLogHash(temp.getHexDecHash());
referenceManifestManager.update(baseRim);
referenceManifestManager.update(sBaseRim);
} catch (IOException ioEx) {
LOG.error(ioEx);
}
@ -990,84 +998,105 @@ public abstract class AbstractAttestationCertificateAuthority
return dvReport;
}
private boolean generateDigestRecords(final String manufacturer, final String model,
final String deviceName) {
List<ReferenceDigestValue> rdValues;
private boolean generateDigestRecords(final String manufacturer, final String model) {
List<ReferenceDigestValue> rdValues = new LinkedList<>();
SupportReferenceManifest baseSupportRim = null;
List<SupportReferenceManifest> supplementalRims = new ArrayList<>();
List<SupportReferenceManifest> patchRims = new ArrayList<>();
Set<SupportReferenceManifest> dbSupportRims = SupportReferenceManifest
.select(referenceManifestManager).byManufacturer(manufacturer).getRIMs();
.select(referenceManifestManager)
.byManufacturerModel(manufacturer, model).getRIMs();
List<ReferenceDigestValue> sourcedValues = referenceEventManager
.getValueByManufacturerModel(manufacturer, model);
Map<String, ReferenceDigestValue> digestValueMap = new HashMap<>();
sourcedValues.stream().forEach((rdv) -> {
digestValueMap.put(rdv.getDigestValue(), rdv);
});
for (SupportReferenceManifest dbSupport : dbSupportRims) {
if (dbSupport.getPlatformModel().equals(model)) {
ReferenceDigestRecord dbObj = new ReferenceDigestRecord(dbSupport,
manufacturer, model);
dbObj.setDeviceName(deviceName);
// this is where we update or create the log
ReferenceDigestRecord rdr = this.referenceDigestManager.getRecord(dbObj);
if (dbSupport.isBaseSupport()) {
// Handle baseline digest records
if (rdr == null) {
// doesn't exist, store
rdr = referenceDigestManager.saveRecord(dbObj);
} // right now this will not deal with updating
if (dbSupport.isSwidPatch()) {
patchRims.add(dbSupport);
} else if (dbSupport.isSwidSupplemental()) {
supplementalRims.add(dbSupport);
} else {
// we have a base support rim (verify this is getting set)
baseSupportRim = dbSupport;
}
}
if (this.referenceEventManager.getValuesByRimId(dbSupport).isEmpty()) {
try {
TCGEventLog logProcessor = new TCGEventLog(dbSupport.getRimBytes());
ReferenceDigestValue rdv;
for (TpmPcrEvent tpe : logProcessor.getEventList()) {
rdv = new ReferenceDigestValue(dbSupport.getAssociatedRim(),
dbSupport.getId(), manufacturer, model, tpe.getPcrIndex(),
tpe.getEventDigestStr(), tpe.getEventTypeStr(),
false, false, tpe.getEventContent());
this.referenceEventManager.saveValue(rdv);
}
} catch (CertificateException cEx) {
LOG.error(cEx);
} catch (NoSuchAlgorithmException noSaEx) {
LOG.error(noSaEx);
} catch (IOException ioEx) {
LOG.error(ioEx);
}
}
} else if (dbSupport.isSwidPatch()) {
if (rdr != null) {
// have to have something to patch
try {
rdValues = this.referenceEventManager.getValuesByRecordId(rdr);
TCGEventLog logProcessor = new TCGEventLog(dbSupport.getRimBytes());
for (TpmPcrEvent tpe : logProcessor.getEventList()) {
LOG.error(tpe);
}
for (ReferenceDigestValue rdv : rdValues) {
LOG.error(rdv);
}
} catch (CertificateException cEx) {
LOG.error(cEx);
} catch (NoSuchAlgorithmException noSaEx) {
LOG.error(noSaEx);
} catch (IOException ioEx) {
LOG.error(ioEx);
}
}
} else if (dbSupport.isSwidSupplemental() && !dbSupport.isProcessed()) {
try {
TCGEventLog logProcessor = new TCGEventLog(dbSupport.getRimBytes());
ReferenceDigestValue rdv;
for (TpmPcrEvent tpe : logProcessor.getEventList()) {
rdv = new ReferenceDigestValue(dbSupport.getAssociatedRim(),
dbSupport.getId(), manufacturer, model, tpe.getPcrIndex(),
tpe.getEventDigestStr(), tpe.getEventTypeStr(),
false, false, tpe.getEventContent());
this.referenceEventManager.saveValue(rdv);
}
} catch (CertificateException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
if (baseSupportRim != null
&& referenceEventManager.getValuesByRimId(baseSupportRim).isEmpty()) {
try {
TCGEventLog logProcessor = new TCGEventLog(baseSupportRim.getRimBytes());
ReferenceDigestValue rdv;
for (TpmPcrEvent tpe : logProcessor.getEventList()) {
rdv = new ReferenceDigestValue(baseSupportRim.getAssociatedRim(),
baseSupportRim.getId(), manufacturer, model, tpe.getPcrIndex(),
tpe.getEventDigestStr(), tpe.getEventTypeStr(),
false, false, true, tpe.getEventContent());
rdValues.add(rdv);
}
// since I have the base already I don't have to care about the backward
// linkage
for (SupportReferenceManifest supplemental : supplementalRims) {
logProcessor = new TCGEventLog(supplemental.getRimBytes());
for (TpmPcrEvent tpe : logProcessor.getEventList()) {
// all RDVs will have the same base rim
rdv = new ReferenceDigestValue(baseSupportRim.getAssociatedRim(),
supplemental.getId(), manufacturer, model, tpe.getPcrIndex(),
tpe.getEventDigestStr(), tpe.getEventTypeStr(),
false, false, true, tpe.getEventContent());
rdValues.add(rdv);
}
}
// Save all supplemental values
ReferenceDigestValue tempRdv;
for (ReferenceDigestValue subRdv : rdValues) {
// check if the value already exists
if (digestValueMap.containsKey(subRdv.getDigestValue())) {
tempRdv = digestValueMap.get(subRdv.getDigestValue());
if (tempRdv.getPcrIndex() != subRdv.getPcrIndex()
&& !tempRdv.getEventType().equals(subRdv.getEventType())) {
referenceEventManager.saveValue(subRdv);
} else {
// will this be a problem down the line?
referenceEventManager.updateEvent(subRdv);
}
} else {
referenceEventManager.saveValue(subRdv);
}
digestValueMap.put(subRdv.getDigestValue(), subRdv);
}
// if a patch value doesn't exist, error?
ReferenceDigestValue dbRdv;
String patchedValue;
for (SupportReferenceManifest patch : patchRims) {
logProcessor = new TCGEventLog(patch.getRimBytes());
for (TpmPcrEvent tpe : logProcessor.getEventList()) {
patchedValue = tpe.getEventDigestStr();
dbRdv = digestValueMap.get(patchedValue);
if (dbRdv == null) {
LOG.error(String.format("Patching value does not exist (%s)",
patchedValue));
} else {
/**
* Until we get patch examples, this is WIP
*/
dbRdv.setPatched(true);
}
}
}
} catch (CertificateException cEx) {
LOG.error(cEx);
} catch (NoSuchAlgorithmException noSaEx) {
LOG.error(noSaEx);
} catch (IOException ioEx) {
LOG.error(ioEx);
}
}
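Review bot: In the live-log hunk, `baseRim` returned by `byManufacturerModelBase(...).getRIM()` is dereferenced unguarded at `measurements.setAssociatedRim(baseRim.getAssociatedRim())`, and `sBaseRim` from `byEntityId(baseRim.getAssociatedRim()).getRIM()` likewise at `sBaseRim.setEventLogHash(...)`; the enclosing try only catches `IOException`, so a device that reports a measurement log for a manufacturer/model with no base RIM uploaded (or whose base RIM has no associated support RIM yet) throws a `NullPointerException` out of identity processing instead of producing a validation failure. The replaced code guarded the equivalent update with `if (rim != null)`. Note that by this point the device's previous `EventLogMeasurements` has already been deleted via `deleteReferenceManifest`, so the exception leaves the device with no stored log at all. Suggest resolving both RIMs up front and skipping the association with a warning when either is missing; the enclosing method starts and ends outside this hunk.
```java
BaseReferenceManifest baseRim = BaseReferenceManifest
        .select(referenceManifestManager)
        .byManufacturerModelBase(dv.getHw().getManufacturer(),
                dv.getHw().getProductName())
        .getRIM();
SupportReferenceManifest sBaseRim = null;
if (baseRim == null) {
    LOG.warn(String.format("No base RIM for %s/%s; storing measurements without a RIM association",
            dv.getHw().getManufacturer(), dv.getHw().getProductName()));
} else if (baseRim.getAssociatedRim() != null) {
    sBaseRim = SupportReferenceManifest.select(referenceManifestManager)
            .byEntityId(baseRim.getAssociatedRim()).getRIM();
}
measurements = temp;
// … unchanged: manufacturer/model/tagId/deviceName setters …
if (baseRim != null) {
    measurements.setAssociatedRim(baseRim.getAssociatedRim());
}
this.referenceManifestManager.save(measurements);
if (baseRim != null) {
    baseRim.setEventLogHash(temp.getHexDecHash());
    referenceManifestManager.update(baseRim);
}
if (sBaseRim != null) {
    sBaseRim.setEventLogHash(temp.getHexDecHash());
    referenceManifestManager.update(sBaseRim);
}
```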


@ -537,7 +537,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
if (measurement.getPlatformManufacturer().equals(manufacturer)) {
tcgMeasurementLog = new TCGEventLog(measurement.getRimBytes());
eventValue = this.referenceEventManager
.getValuesByRimId(supportReferenceManifest);
.getValuesByRimId(baseReferenceManifest);
for (ReferenceDigestValue rdv : eventValue) {
eventValueMap.put(rdv.getDigestValue(), rdv);
}
@ -621,7 +621,10 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
try {
Set<SupportReferenceManifest> supportRims = SupportReferenceManifest
.select(this.referenceManifestManager)
.byDeviceName(deviceName).getRIMs();
.byManufacturerModel(
device.getDeviceInfo().getHardwareInfo().getManufacturer(),
device.getDeviceInfo().getHardwareInfo().getProductName())
.getRIMs();
for (SupportReferenceManifest support : supportRims) {
if (support.isBaseSupport()) {
sRim = support;
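Review bot: With the selector changed from `byDeviceName(deviceName)` to `byManufacturerModel(...)`, the loop assigns `sRim = support` for every entry whose `isBaseSupport()` is true, so when more than one base support RIM is stored for the same manufacturer/model (two firmware versions, for instance) the reference log used for validation depends on `Set` iteration order rather than on anything tied to the device being validated. The per-device selector it replaces did not have that ambiguity. At minimum keep the first match and flag the rest, e.g. `if (sRim != null) { LOG.warn("Multiple base support RIMs for this platform"); break; }` before the assignment; selecting by the event-log hash the device reported would be the robust fix. The `device.getDeviceInfo().getHardwareInfo()` chain is also dereferenced inside the try without a null check; whether the catch outside this hunk covers that is not visible here. The enclosing method continues outside the hunk.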


@ -77,7 +77,7 @@ ext.configDir = new File(projectDir, 'config')
ext.checkstyleConfigDir = "$configDir/checkstyle"
checkstyle {
toolVersion = '5.7'
toolVersion = '8.10.1'
configFile = checkstyleConfigFile
configProperties.put('basedir', checkstyleConfigDir)
ignoreFailures = false


@ -71,7 +71,7 @@ public abstract class PageController<P extends PageParams> {
* @return the path for the view and data model for the page.
*/
@RequestMapping
public abstract ModelAndView initPage(@ModelAttribute final P params, final Model model);
public abstract ModelAndView initPage(@ModelAttribute P params, Model model);
/**
* Creates a generic ModelAndView containing this page's configuration and


@ -4,6 +4,7 @@ import hirs.attestationca.portal.page.PageController;
import hirs.attestationca.portal.page.PageMessages;
import hirs.attestationca.portal.page.params.CertificateDetailsPageParams;
import hirs.attestationca.portal.util.CertificateStringMapBuilder;
import hirs.persist.CertificateManager;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
@ -12,12 +13,11 @@ import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
import java.io.IOException;
import java.util.HashMap;
import java.util.UUID;
import static hirs.attestationca.portal.page.Page.CERTIFICATE_DETAILS;
import hirs.persist.CertificateManager;
import java.io.IOException;
/**
* Controller for the Certificate Details page.
@ -76,7 +76,7 @@ public class CertificateDetailsPageController extends PageController<Certificate
try {
String type = params.getType().toLowerCase();
UUID uuid = UUID.fromString(params.getId());
switch(type) {
switch (type) {
case "certificateauthority":
data.putAll(CertificateStringMapBuilder.getCertificateAuthorityInformation(
uuid, certificateManager));


@ -10,6 +10,7 @@ import hirs.attestationca.portal.page.PageController;
import hirs.attestationca.portal.page.PageMessages;
import hirs.attestationca.portal.page.params.NoPageParams;
import hirs.data.persist.BaseReferenceManifest;
import hirs.data.persist.EventLogMeasurements;
import hirs.data.persist.ReferenceDigestValue;
import hirs.data.persist.ReferenceManifest;
import hirs.data.persist.SupportReferenceManifest;
@ -50,6 +51,7 @@ import java.security.cert.CertificateException;
import java.text.DateFormat;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
@ -95,7 +97,7 @@ public class ReferenceManifestPageController
*
* @param dateFormat
*/
public BiosDateValidator(final String dateFormat) {
BiosDateValidator(final String dateFormat) {
this.dateFormat = dateFormat;
}
@ -182,29 +184,6 @@ public class ReferenceManifestPageController
referenceManifestManager,
input, orderColumnName, criteriaModifier);
SupportReferenceManifest support;
// List<ReferenceDigestValue> events;
// for (ReferenceManifest rim : records) {
// if (rim instanceof SupportReferenceManifest) {
// support = (SupportReferenceManifest) rim;
// events = referenceEventManager.getValuesByRimId(support);
//
// for (ReferenceDigestValue rdv : events) {
// // the selector isn't giving me what I want
// if (support.getPlatformManufacturer() != null) {
// rdv.setManufacturer(support.getPlatformManufacturer());
// }
// if (support.getPlatformModel() != null) {
// rdv.setModel(support.getPlatformModel());
// }
// if (support.getAssociatedRim() != null) {
// rdv.setBaseRimId(support.getAssociatedRim());
// }
// referenceEventManager.updateRecord(rdv);
// }
// }
// }
LOGGER.debug("Returning list of size: " + records.size());
return new DataTableResponse<>(records, input);
}
@ -228,8 +207,8 @@ public class ReferenceManifestPageController
Pattern logPattern = Pattern.compile(LOG_FILE_PATTERN);
Matcher matcher;
boolean supportRIM = false;
BaseReferenceManifest base;
SupportReferenceManifest support;
List<BaseReferenceManifest> baseRims = new ArrayList<>();
List<SupportReferenceManifest> supportRims = new ArrayList<>();
// loop through the files
for (MultipartFile file : files) {
@ -238,64 +217,50 @@ public class ReferenceManifestPageController
supportRIM = matcher.matches();
//Parse reference manifests
ReferenceManifest rim = parseRIM(file, supportRIM, messages);
parseRIM(file, supportRIM, messages, baseRims, supportRims);
}
baseRims.stream().forEach((rim) -> {
LOGGER.info(String.format("Storing swidtag %s", rim.getFileName()));
storeManifest(messages, rim, false);
});
supportRims.stream().forEach((rim) -> {
LOGGER.info(String.format("Storing event log %s", rim.getFileName()));
storeManifest(messages, rim, false);
});
for (ReferenceManifest rim : baseRims) {
// store first then update
ReferenceManifest referenceManifest = storeManifest(file.getOriginalFilename(),
messages,
rim,
supportRIM);
//Store only if it was parsed
if (rim != null) {
if (supportRIM) {
// look for associated base/support
// if I am the support rim, my hash is in the meta data of the swidtag
Set<BaseReferenceManifest> rims = BaseReferenceManifest
.select(referenceManifestManager).getRIMs();
support = (SupportReferenceManifest) rim;
// update information for associated support rim
for (BaseReferenceManifest bRim : rims) {
for (SwidResource swid : bRim.parseResource()) {
if (support.getHexDecHash().equals(swid.getHashValue())) {
updateSupportRimInfo(bRim, support);
referenceManifestManager.update(support);
}
}
if (support.isUpdated()) {
for (ReferenceDigestValue rdv : referenceEventManager
.getValuesByRimId(support)) {
rdv.updateInfo(support);
referenceEventManager.updateRecord(rdv);
}
break;
}
}
} else {
base = (BaseReferenceManifest) referenceManifest;
// the base can find the support rim by the meta data hash
for (SwidResource swid : base.parseResource()) {
support = SupportReferenceManifest.select(referenceManifestManager)
.byHexDecHash(swid.getHashValue()).getRIM();
if (support != null) {
base.setAssociatedRim(support.getId());
if (support.isUpdated()) {
// this is separate because I want to break if we found it
// instead of finding it, it is uptodate but still search
break;
} else {
updateSupportRimInfo(base, support);
updateTpmEvents(support);
try {
referenceManifestManager.update(support);
} catch (DBManagerException dbmEx) {
LOGGER.warn("Failed to update Support RIM");
}
}
}
}
}
storeManifest(messages, rim, false);
}
for (ReferenceManifest rim : supportRims) {
// store the rimels
storeManifest(messages, rim, true);
}
// Prep a map to associated the swidtag payload hash to the swidtag.
// pass it in to update support rims that either were uploaded
// or already exist
// create a map of the supports rims in case an uploaded swidtag
// isn't one to one with the uploaded support rims.
Map<String, SupportReferenceManifest> updatedSupportRims
= updateSupportRimInfo(generatePayloadHashMap(baseRims));
// look for missing uploaded support rims
for (SupportReferenceManifest support : supportRims) {
if (!updatedSupportRims.containsKey(support.getHexDecHash())) {
// Make sure we are getting the db version of the file
updatedSupportRims.put(support.getHexDecHash(),
SupportReferenceManifest
.select(referenceManifestManager)
.byHexDecHash(support.getHexDecHash())
.getRIM());
}
}
// pass in the updated support rims
// and either update or add the events
processTpmEvents(new ArrayList<SupportReferenceManifest>(updatedSupportRims.values()));
//Add messages to the model
model.put(MESSAGES_ATTRIBUTE, messages);
@ -342,7 +307,7 @@ public class ReferenceManifestPageController
for (ReferenceDigestValue rdv : rdvs) {
rdv.archive("Support RIM was deleted");
referenceEventManager.updateRecord(rdv);
referenceEventManager.updateEvent(rdv);
}
}
}
@ -471,6 +436,11 @@ public class ReferenceManifestPageController
.byEntityId(uuid).getRIM();
}
if (rim == null) {
rim = EventLogMeasurements.select(referenceManifestManager)
.byEntityId(uuid).getRIM();
}
return rim;
}
@ -479,15 +449,19 @@ public class ReferenceManifestPageController
* object.
*
* @param file the provide user file via browser.
* @param supportRIM matcher result
* @param messages the object that handles displaying information to the
* user.
* @param baseRims object to store multiple files
* @param supportRims object to store multiple files
* @return a single or collection of reference manifest files.
*/
private ReferenceManifest parseRIM(
private void parseRIM(
final MultipartFile file, final boolean supportRIM,
final PageMessages messages) {
final PageMessages messages, final List<BaseReferenceManifest> baseRims,
final List<SupportReferenceManifest> supportRims) {
byte[] fileBytes;
byte[] fileBytes = new byte[0];
String fileName = file.getOriginalFilename();
// build the manifest from the uploaded bytes
@ -498,43 +472,37 @@ public class ReferenceManifestPageController
= String.format("Failed to read uploaded file (%s): ", fileName);
LOGGER.error(failMessage, e);
messages.addError(failMessage + e.getMessage());
return null;
}
try {
if (supportRIM) {
return new SupportReferenceManifest(fileName, fileBytes);
supportRims.add(new SupportReferenceManifest(fileName, fileBytes));
} else {
return new BaseReferenceManifest(fileName, fileBytes);
baseRims.add(new BaseReferenceManifest(fileName, fileBytes));
}
// the this is a List<Object> is object is a JaxBElement that can
// be matched up to the QName
} catch (IOException ioEx) {
final String failMessage
= String.format("Failed to parse uploaded file (%s): ", fileName);
LOGGER.error(failMessage, ioEx);
messages.addError(failMessage + ioEx.getMessage());
return null;
}
}
/**
* Stores the {@link ReferenceManifest} objects.
*
* @param fileName name of the file given
* @param messages message object for user display of statuses
* @param referenceManifest the object to store
* @param supportRim boolean flag indicating if this is a support RIM
* process.
*/
private ReferenceManifest storeManifest(
final String fileName,
private void storeManifest(
final PageMessages messages,
final ReferenceManifest referenceManifest,
final boolean supportRim) {
ReferenceManifest existingManifest;
ReferenceManifest existingManifest = null;
String fileName = referenceManifest.getFileName();
MessageDigest digest = null;
String rimHash = "";
try {
@ -570,32 +538,29 @@ public class ReferenceManifestPageController
+ "failed (%s): ", fileName);
messages.addError(failMessage + e.getMessage());
LOGGER.error(failMessage, e);
return null;
}
try {
// save the new certificate if no match is found
if (existingManifest == null) {
saveTpmEvents(referenceManifestManager.save(referenceManifest));
referenceManifestManager.save(referenceManifest);
final String successMsg = String.format("RIM successfully uploaded (%s): ",
fileName);
messages.addSuccess(successMsg);
LOGGER.info(successMsg);
return referenceManifest;
}
} catch (DBManagerException dbmEx) {
final String failMessage = String.format("Storing RIM failed (%s): ", fileName);
final String failMessage = String.format("Storing RIM failed (%s): ",
fileName);
messages.addError(failMessage + dbmEx.getMessage());
LOGGER.error(failMessage, dbmEx);
return null;
}
try {
// if an identical RIM is archived, update the existing RIM to
// unarchive it and change the creation date
if (existingManifest.isArchived()) {
if (existingManifest != null && existingManifest.isArchived()) {
existingManifest.restore();
existingManifest.resetCreateTime();
referenceManifestManager.update(existingManifest);
@ -604,98 +569,124 @@ public class ReferenceManifestPageController
= String.format("Pre-existing RIM found and unarchived (%s): ", fileName);
messages.addSuccess(successMsg);
LOGGER.info(successMsg);
return existingManifest;
}
} catch (DBManagerException dbmEx) {
final String failMessage = String.format("Found an identical pre-existing RIM in the "
+ "archive, but failed to unarchive it (%s): ", fileName);
messages.addError(failMessage + dbmEx.getMessage());
LOGGER.error(failMessage, dbmEx);
return null;
}
return referenceManifest;
}
private void updateSupportRimInfo(final BaseReferenceManifest dbBaseRim,
final SupportReferenceManifest supportRim) {
// I have to assume the baseRim is from the database
// Updating the id values, manufacturer, model
if (supportRim != null) {
supportRim.setSwidTagVersion(dbBaseRim.getSwidTagVersion());
supportRim.setPlatformManufacturer(dbBaseRim.getPlatformManufacturer());
supportRim.setPlatformModel(dbBaseRim.getPlatformModel());
supportRim.setTagId(dbBaseRim.getTagId());
supportRim.setAssociatedRim(dbBaseRim.getId());
supportRim.setUpdated(true);
}
}
private void updateTpmEvents(final ReferenceManifest referenceManifest) {
String manufacturer;
String model;
if (referenceManifest.getPlatformManufacturer() == null) {
manufacturer = "";
} else {
manufacturer = referenceManifest.getPlatformManufacturer();
}
if (referenceManifest.getPlatformModel() == null) {
model = "";
} else {
model = referenceManifest.getPlatformModel();
}
List<ReferenceDigestValue> rdvs = referenceEventManager
.getValuesByRimId(referenceManifest);
for (ReferenceDigestValue rdv : rdvs) {
rdv.setModel(model);
rdv.setManufacturer(manufacturer);
rdv.setBaseRimId(referenceManifest.getAssociatedRim());
referenceEventManager.updateRecord(rdv);
}
}
private void saveTpmEvents(final ReferenceManifest referenceManifest) {
SupportReferenceManifest dbSupport;
String manufacturer;
String model;
if (referenceManifest instanceof SupportReferenceManifest) {
dbSupport = (SupportReferenceManifest) referenceManifest;
} else {
return;
}
TCGEventLog logProcessor = null;
if (dbSupport.getPlatformManufacturer() == null) {
manufacturer = "";
} else {
manufacturer = dbSupport.getPlatformManufacturer();
}
if (dbSupport.getPlatformModel() == null) {
model = "";
} else {
model = dbSupport.getPlatformModel();
}
try {
logProcessor = new TCGEventLog(dbSupport.getRimBytes());
ReferenceDigestValue rdv;
for (TpmPcrEvent tpe : logProcessor.getEventList()) {
rdv = new ReferenceDigestValue(dbSupport.getAssociatedRim(),
dbSupport.getId(), manufacturer,
model, tpe.getPcrIndex(),
tpe.getEventDigestStr(), tpe.getEventTypeStr(),
false, false, tpe.getEventContent());
this.referenceEventManager.saveValue(rdv);
private Map<String, BaseReferenceManifest> generatePayloadHashMap(
final List<BaseReferenceManifest> uploadedBaseRims) {
BaseReferenceManifest dbBaseRim;
HashMap<String, BaseReferenceManifest> tempMap = new HashMap<>();
for (BaseReferenceManifest base : uploadedBaseRims) {
// this is done to make sure we have the version with the UUID
dbBaseRim = BaseReferenceManifest.select(referenceManifestManager)
.byBase64Hash(base.getBase64Hash()).getRIM();
if (dbBaseRim != null) {
for (SwidResource swid : dbBaseRim.parseResource()) {
tempMap.put(swid.getHashValue(), dbBaseRim);
}
}
}
return tempMap;
}
private Map<String, SupportReferenceManifest> updateSupportRimInfo(
final Map<String, BaseReferenceManifest> dbBaseRims) {
BaseReferenceManifest dbBaseRim;
SupportReferenceManifest supportRim;
Map<String, SupportReferenceManifest> updatedSupportRims = new HashMap<>();
List<String> hashValues = new LinkedList<>(dbBaseRims.keySet());
for (String supportHash : hashValues) {
supportRim = SupportReferenceManifest.select(referenceManifestManager)
.byHexDecHash(supportHash).getRIM();
// I have to assume the baseRim is from the database
// Updating the id values, manufacturer, model
if (supportRim != null && !supportRim.isUpdated()) {
dbBaseRim = dbBaseRims.get(supportHash);
supportRim.setSwidTagVersion(dbBaseRim.getSwidTagVersion());
supportRim.setPlatformManufacturer(dbBaseRim.getPlatformManufacturer());
supportRim.setPlatformModel(dbBaseRim.getPlatformModel());
supportRim.setTagId(dbBaseRim.getTagId());
supportRim.setAssociatedRim(dbBaseRim.getId());
supportRim.setUpdated(true);
referenceManifestManager.update(supportRim);
updatedSupportRims.put(supportHash, supportRim);
}
}
return updatedSupportRims;
}
/**
* If the support rim is a supplemental or base, this method looks for the
* original oem base rim to associate with each event.
* @param supportRim assumed db object
* @return reference to the base rim
*/
private ReferenceManifest findBaseRim(final SupportReferenceManifest supportRim) {
if (supportRim != null && (supportRim.getId() != null
&& !supportRim.getId().toString().equals(""))) {
Set<BaseReferenceManifest> baseRims = BaseReferenceManifest
.select(referenceManifestManager)
.byManufacturerModel(supportRim.getPlatformManufacturer(),
supportRim.getPlatformModel()).getRIMs();
for (BaseReferenceManifest base : baseRims) {
if (base.isBase()) {
// there should be only one
return base;
}
}
}
return null;
}
private void processTpmEvents(final List<SupportReferenceManifest> dbSupportRims) {
boolean updated = true;
List<ReferenceDigestValue> tpmEvents;
TCGEventLog logProcessor = null;
ReferenceManifest baseRim;
for (SupportReferenceManifest dbSupport : dbSupportRims) {
// So first we'll have to pull values based on support rim
// get by support rim id NEXT
tpmEvents = referenceEventManager.getValuesByRimId(dbSupport);
baseRim = findBaseRim(dbSupport);
if (tpmEvents.isEmpty()) {
ReferenceDigestValue rdv;
try {
logProcessor = new TCGEventLog(dbSupport.getRimBytes());
for (TpmPcrEvent tpe : logProcessor.getEventList()) {
rdv = new ReferenceDigestValue(baseRim.getId(),
dbSupport.getId(), dbSupport.getPlatformManufacturer(),
dbSupport.getPlatformModel(), tpe.getPcrIndex(),
tpe.getEventDigestStr(), tpe.getEventTypeStr(),
false, false, updated, tpe.getEventContent());
this.referenceEventManager.saveValue(rdv);
}
} catch (CertificateException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
} else {
for (ReferenceDigestValue rdv : tpmEvents) {
if (!rdv.isUpdated()) {
rdv.updateInfo(dbSupport, baseRim.getId());
this.referenceEventManager.updateEvent(rdv);
}
}
}
} catch (CertificateException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
}
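Review bot: `processTpmEvents` dereferences `baseRim.getId()` in both branches even though `findBaseRim` explicitly returns null (no base RIM matching the support RIM's manufacturer/model, or a support RIM whose platform fields are still unset because no swidtag references it yet), and the `updatedSupportRims` map it receives can hold a null value because the upload handler stores the result of `byHexDecHash(...).getRIM()` unconditionally, including when the earlier `storeManifest` call failed and reported the error only through `messages`. Either case turns a RIM upload into a `NullPointerException` out of the request instead of an error message. Parse failures on the uploaded event log also go to `e.printStackTrace()` rather than `LOGGER.error(...)` as the rest of the controller does, so a malformed or hostile RIM file that fails to ingest leaves no log record; suggest `LOGGER.error(String.format("Failed to parse event log %s", dbSupport.getFileName()), e)` in those catches. Guarding the loop head covers the null cases:
```java
for (SupportReferenceManifest dbSupport : dbSupportRims) {
    if (dbSupport == null) {
        LOGGER.warn("Skipping support RIM that was not stored");
        continue;
    }
    baseRim = findBaseRim(dbSupport);
    if (baseRim == null) {
        LOGGER.warn(String.format("No base RIM found for support RIM %s; events not processed",
                dbSupport.getFileName()));
        continue;
    }
    tpmEvents = referenceEventManager.getValuesByRimId(dbSupport);
    // … unchanged: save new events or update existing ones …
```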


@ -70,7 +70,7 @@ public class RimDatabasePageController
*
* @param dateFormat
*/
public BiosDateValidator(final String dateFormat) {
BiosDateValidator(final String dateFormat) {
this.dateFormat = dateFormat;
}
@ -172,7 +172,7 @@ public class RimDatabasePageController
if (support != null) {
rdv.setBaseRimId(support.getAssociatedRim());
try {
referenceEventManager.updateRecord(rdv);
referenceEventManager.updateEvent(rdv);
} catch (DBManagerException e) {
LOGGER.error("Failed to update TPM Event with Base RIM ID");
LOGGER.error(rdv);


@ -24,8 +24,7 @@ public final class PciIds {
* This pci ids file can be in different places on different distributions.
*/
public static final List<String> PCI_IDS_PATH =
Collections.unmodifiableList(new Vector<String>()
{
Collections.unmodifiableList(new Vector<String>() {
private static final long serialVersionUID = 1L;
{
add("/usr/share/hwdata/pci.ids");


@ -1,8 +1,8 @@
package hirs.data.persist;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.MappedSuperclass;
import java.util.Date;
/**
* An abstract archivable entity that can be deleted.
@ -13,7 +13,7 @@ public abstract class ArchivableEntity extends AbstractEntity {
/**
* Defining the size of a message field for error display.
*/
public static final int MAX_MESSAGE_LENGTH = 1200;
public static final int MAX_MESSAGE_LENGTH = 2400;
@Column(name = "archived_time")
private Date archivedTime;
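Review bot: `MAX_MESSAGE_LENGTH` is doubled from 1200 to 2400 with no accompanying schema change in this commit; if the constant backs a `@Column(length = ...)` on the error-message field its Javadoc describes (the use site is not visible here), existing deployments keep the old column width and messages between 1200 and 2400 characters will be truncated or rejected at write time depending on the database. Worth confirming where the constant is used and shipping the migration with it, or at least stating the coupling in the Javadoc: `* Defining the size of a message field for error display; must match the column length in the schema.`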


@ -121,6 +121,35 @@ public class BaseReferenceManifest extends ReferenceManifest {
return this;
}
/**
* Specify the platform manufacturer/model that rims must have to be considered
* as matching.
* @param manufacturer string for the manufacturer
* @param model string for the model
* @return this instance
*/
public Selector byManufacturerModel(final String manufacturer, final String model) {
setFieldValue(PLATFORM_MANUFACTURER, manufacturer);
setFieldValue(PLATFORM_MODEL, model);
return this;
}
/**
* Specify the platform manufacturer/model/base flag that rims must have to be considered
* as matching.
* @param manufacturer string for the manufacturer
* @param model string for the model
* @return this instance
*/
public Selector byManufacturerModelBase(final String manufacturer, final String model) {
setFieldValue(PLATFORM_MANUFACTURER, manufacturer);
setFieldValue(PLATFORM_MODEL, model);
setFieldValue("swidPatch", false);
setFieldValue("swidSupplemental", false);
//setFieldValue("", false); //corpus?
return this;
}
/**
* Specify the device name that rims must have to be considered
* as matching.
@ -492,6 +521,15 @@ public class BaseReferenceManifest extends ReferenceManifest {
this.swidCorpus = swidCorpus;
}
/**
* The assumed requirement for being the initial swidtag.
* @return flag for the status
*/
public boolean isBase() {
return !this.isSwidPatch() && !this.isSwidSupplemental()
&& (this.isSwidCorpus() == 0);
}
/**
* Getter for the Entity Name.
*
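Review bot: `byManufacturerModelBase` and the new `isBase()` disagree on what a base RIM is: the selector only forces `swidPatch` and `swidSupplemental` to false and leaves corpus handling as the commented `//setFieldValue("", false); //corpus?`, while `isBase()` additionally requires `isSwidCorpus() == 0`. A corpus swidtag for the same manufacturer/model therefore satisfies the selector but not `isBase()`, and since `AbstractAttestationCertificateAuthority` uses `byManufacturerModelBase(...).getRIM()` to pick the RIM that receives the device's event-log hash, the wrong tag can be updated. Suggest `setFieldValue("swidCorpus", 0);` in place of the commented line (the field name is visible in the setter below). The Javadoc on both selectors should also say they may match several RIMs, so a caller using `getRIM()` on a platform with multiple versions uploaded gets an unspecified one.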


@ -47,6 +47,8 @@ public class ReferenceDigestValue extends ArchivableEntity {
private boolean matchFail;
@Column(nullable = false)
private boolean patched = false;
@Column(nullable = false)
private boolean updated = false;
/**
* Default constructor necessary for Hibernate.
@ -62,6 +64,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
this.eventType = "";
this.matchFail = false;
this.patched = false;
this.updated = false;
this.contentBlob = null;
}
@ -75,14 +78,16 @@ public class ReferenceDigestValue extends ArchivableEntity {
* @param digestValue the key digest value
* @param eventType the event type to store
* @param matchFail the status of the baseline check
* @param patched the status of the value being updated to to patch
* @param patched the status of the value being updated to patch
* @param updated the status of the value being updated with info
* @param contentBlob the data value of the content
*/
public ReferenceDigestValue(final UUID baseRimId, final UUID supportRimId,
final String manufacturer, final String model,
final int pcrIndex, final String digestValue,
final String eventType, final boolean matchFail,
final boolean patched, final byte[] contentBlob) {
final boolean patched, final boolean updated,
final byte[] contentBlob) {
this.baseRimId = baseRimId;
this.supportRimId = supportRimId;
this.manufacturer = manufacturer;
@ -92,6 +97,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
this.eventType = eventType;
this.matchFail = matchFail;
this.patched = patched;
this.updated = updated;
this.contentBlob = Arrays.clone(contentBlob);
}
@ -239,6 +245,22 @@ public class ReferenceDigestValue extends ArchivableEntity {
this.patched = patched;
}
/**
* Getter for the status of the updated state.
* @return updated flag
*/
public boolean isUpdated() {
return updated;
}
/**
* Setter for the status of the updated state.
* @param updated the flag to set
*/
public void setUpdated(final boolean updated) {
this.updated = updated;
}
/**
* Getter for the byte array of event values.
* @return a clone of the byte array
@ -260,12 +282,19 @@ public class ReferenceDigestValue extends ArchivableEntity {
/**
* Helper method to update the attributes of this object.
* @param support the associated RIM.
* @param baseRimId the main id to update
*/
public void updateInfo(final SupportReferenceManifest support) {
if (support != null && support.getId().equals(getSupportRimId())) {
setBaseRimId(support.getAssociatedRim());
public void updateInfo(final SupportReferenceManifest support, final UUID baseRimId) {
if (support != null) {
setBaseRimId(baseRimId);
setManufacturer(support.getPlatformManufacturer());
setModel(support.getPlatformModel());
setUpdated(true);
if (support.isSwidPatch()) {
// come back to this later, how does this get
// identified to be patched
setPatched(true);
}
}
}
@ -288,7 +317,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
@Override
public int hashCode() {
int result = Objects.hash(pcrIndex, digestValue, manufacturer, model,
eventType, matchFail, patched);
eventType, matchFail, patched, updated);
return result;
}
@ -297,7 +326,8 @@ public class ReferenceDigestValue extends ArchivableEntity {
* @return a string
*/
public String toString() {
return String.format("ReferenceDigestValue: {%s, %d, %s, %s, %b}",
model, pcrIndex, digestValue, eventType, matchFail);
return String.format("ReferenceDigestValue: {%s, %d, %s, %s, "
+ "matchFail - %b, updated - %b, patched - %b}",
model, pcrIndex, digestValue, eventType, matchFail, updated, patched);
}
}
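Review bot: updateInfo (L1653-1665) drops the previous guard that `support.getId()` equals this value's own supportRimId, so any non-null SupportReferenceManifest now overwrites baseRimId, manufacturer and model on a digest value that may belong to a different support RIM; because these fields decide which reference values a platform is validated against, the association should stay checked, e.g. `if (support != null && support.getId().equals(getSupportRimId())) {`. The new `@param baseRimId the main id to update` tag does not say what the UUID is; `@param baseRimId id of the base RIM this value should be associated with` does. hashCode (L1669-1671) now folds in `updated`, a flag that updateInfo flips at runtime, so an instance's hash changes after it has been placed in a hash-based collection — whether that matters depends on equals, which is outside the hunk. The `// come back to this later` comment on L1660-1661 should name what is unresolved (how a patched value is identified) or become a TODO with an owner.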

@ -58,6 +58,19 @@ public class SupportReferenceManifest extends ReferenceManifest {
return this;
}
/**
* Specify the platform model that rims must have to be considered
* as matching.
* @param manufacturer string for the manufacturer
* @param model string for the model
* @return this instance
*/
public Selector byManufacturerModel(final String manufacturer, final String model) {
setFieldValue(PLATFORM_MANUFACTURER, manufacturer);
setFieldValue(PLATFORM_MODEL, model);
return this;
}
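Review bot: The javadoc on byManufacturerModel (L1691-1697) says `Specify the platform model that rims must have` but the method constrains both fields; `Specify the platform manufacturer and model that rims must have to be considered as matching.` describes what it does. The enclosing Selector class starts and ends outside the hunk.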
/**
* Specify the device name that rims must have to be considered
* as matching.

@ -135,6 +135,35 @@ public class DBReferenceEventManager extends DBManager<ReferenceDigestValue>
return dbRecord;
}
@Override
public ReferenceDigestValue getValueByDigest(final String eventDigest) {
if (eventDigest == null) {
LOGGER.error("null event digest argument");
throw new NullPointerException("null event digest argument");
}
ReferenceDigestValue dbRecord;
Transaction tx = null;
Session session = getFactory().getCurrentSession();
try {
LOGGER.debug("retrieving referenceDigestValue from db");
tx = session.beginTransaction();
dbRecord = (ReferenceDigestValue) session.createCriteria(ReferenceDigestValue.class)
.add(Restrictions.eq("digestValue",
eventDigest)).uniqueResult();
tx.commit();
} catch (Exception ex) {
final String msg = "unable to retrieve object";
LOGGER.error(msg, ex);
if (tx != null) {
LOGGER.debug("rolling back transaction");
tx.rollback();
}
throw new DBManagerException(msg, ex);
}
return dbRecord;
}
@Override
public List<ReferenceDigestValue> getValueByManufacturer(final String manufacturer) {
if (manufacturer == null) {
@ -271,7 +300,7 @@ public class DBReferenceEventManager extends DBManager<ReferenceDigestValue>
}
@Override
public void updateRecord(final ReferenceDigestValue referenceDigestValue) {
public void updateEvent(final ReferenceDigestValue referenceDigestValue) {
try {
super.update(referenceDigestValue);
} catch (DBManagerException dbMEx) {
@ -280,7 +309,7 @@ public class DBReferenceEventManager extends DBManager<ReferenceDigestValue>
}
@Override
public boolean deleteRecord(final ReferenceDigestValue referenceDigestValue) {
public boolean deleteEvent(final ReferenceDigestValue referenceDigestValue) {
boolean result;
LOGGER.info(String.format("Deleting reference to %s",
referenceDigestValue.getId()));
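Review bot: getValueByDigest (L1713-1738) calls `uniqueResult()` on a criteria keyed only by digestValue, and nothing in the hunk constrains that column to be unique; the entity's own hashCode combines digestValue with pcrIndex, manufacturer and model, which suggests the same digest can legitimately be stored for several platforms or PCRs. When two rows match, Hibernate throws NonUniqueResultException, the generic catch rewrites it as `DBManagerException("unable to retrieve object")`, and the caller cannot distinguish a duplicate reference value from a database outage. Either document the single-match assumption on the interface, return `.list()` and let the caller choose, or catch NonUniqueResultException separately with a message that names the digest. The updateEvent/deleteEvent renames in the later hunks need no comment.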

@ -36,6 +36,14 @@ public interface ReferenceEventManager extends OrderedListQuerier<ReferenceDiges
*/
ReferenceDigestValue getValueById(ReferenceDigestValue referenceDigestValue);
/**
* Gets a value associated with the passed in digest.
*
* @param eventDigest the ReferenceDigestValue
* @return the persisted ReferenceDigestValue
*/
ReferenceDigestValue getValueByDigest(String eventDigest);
/**
* Persists a new Reference Digest Value.
*
@ -98,7 +106,7 @@ public interface ReferenceEventManager extends OrderedListQuerier<ReferenceDiges
* Updates an existing ReferenceDigestRecord.
* @param referenceDigestValue the Reference Event update
*/
void updateRecord(ReferenceDigestValue referenceDigestValue);
void updateEvent(ReferenceDigestValue referenceDigestValue);
/**
* Delete the given value.
@ -106,5 +114,5 @@ public interface ReferenceEventManager extends OrderedListQuerier<ReferenceDiges
* @param referenceDigestValue the digest record delete
* @return true if the deletion succeeded, false otherwise.
*/
boolean deleteRecord(ReferenceDigestValue referenceDigestValue);
boolean deleteEvent(ReferenceDigestValue referenceDigestValue);
}
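Review bot: The `@param eventDigest the ReferenceDigestValue` tag on getValueByDigest (L1767) describes the wrong thing — the parameter is the digest string the record is looked up by; `@param eventDigest the hex digest string to look up` is accurate. The @return should also state the contract when nothing matches (presumably null, if the DB manager's uniqueResult is passed through), since a lookup-by-key caller has to know whether to null-check.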

@ -41,4 +41,12 @@ public interface ReferenceManifestManager extends OrderedListQuerier<ReferenceMa
* @return true if the deletion succeeded, false otherwise.
*/
boolean delete(ReferenceManifest referenceManifest);
/**
* Remove a ReferenceManifest from the database.
*
* @param referenceManifest the referenceManifest to delete
* @return true if deletion was successful, false otherwise
*/
boolean deleteReferenceManifest(ReferenceManifest referenceManifest);
}
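Review bot: deleteReferenceManifest (L1796-1802) is added next to the existing `delete(ReferenceManifest)` with a javadoc that says the same thing, so a reader cannot tell which one to call or how they differ; the implementation is outside the hunk. The javadoc of each should state what it does that the other does not (for example whether it also removes dependent records), or one of the two should be marked @Deprecated with a pointer to the other.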

94
NOTICE
@ -12,7 +12,8 @@ jandex, javassist, jboss-logging, joda-time, log4j2, Embedded tomcat,
xml_rpc_client, taglibs, gson, guava, Json-simple, HikariCP, Jackson-core,
Jadira Framework, Jcommander, powermock, Selenium, Spring, snmp4j, Testng,
usertype, validation-api, ws-commons-util, xml-apis, rendersnake, log4cplus,
and spring-data-jpa-datatables.
spring-data-jpa-datatables, xunit, serilog, Serilog.Settings.Configuration,
Serilog.Sinks.Console, and Serilog.Sinks.File.
Apache License
Version 2.0, January 2004
@ -2266,4 +2267,93 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
SOFTWARE.
CommandLineParser is copyrighted under MIT License
Copyright (c) 2005 - 2015 Giacomo Stelluti Scala & Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies
or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
dotnet is copyrighted under MIT License
Copyright (c) .NET Foundation and Contributors
All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
TSS.MSR is copyrighted under MIT License
Copyright (c) Microsoft Corporation. All rights reserved.
The MIT License (MIT)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Newtonsoft.Json is copyrighted under MIT License
The MIT License (MIT)
Copyright (c) 2007 James Newton-King
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or
substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

@ -1,12 +1,11 @@
apply plugin: 'java'
version = '2.1.0'
repositories {
mavenCentral()
}
dependencies {
compile 'javax.json:javax.json-api:1.1.4', 'org.glassfish:javax.json:1.1.4', 'com.beust:jcommander:1.72', 'org.bouncycastle:bcmail-jdk15on:1.59'
compile 'javax.json:javax.json-api:1.1.4', 'org.glassfish:javax.json:1.1.4', 'com.beust:jcommander:1.72', 'org.bouncycastle:bcmail-jdk15on:1.59'
testCompile 'org.testng:testng:6.8.8'
}

@ -1,17 +1,20 @@
#!/bin/bash
VERSION=2.1.0
GIT_HASH=`git rev-parse HEAD | head -c6`
GIT_COMMIT_UNIX_TIMESTAMP=`git show -s --format=%ct | xargs echo -n`
RELEASE="$((GIT_COMMIT_UNIX_TIMESTAMP)).$GIT_HASH"
name="tcg_rim_tool"
# Enter package directory
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
pushd $SCRIPT_DIR
name="tcg_rim_tool"
tar -cf $name.tar build.gradle gradle* src/ docs/ rim_fields.json keystore.jks scripts/
gzip -f $name.tar
tar -cf "$name-$VERSION.$RELEASE".tar build.gradle gradle* src/ docs/ rim_fields.json keystore.jks scripts/
gzip -f "$name-$VERSION.$RELEASE".tar
if [ -d rpmbuild ]; then
rm -rf rpmbuild
fi
mkdir -p rpmbuild/BUILD rpmbuild/BUILDROOT rpmbuild/SOURCES rpmbuild/RPMS rpmbuild/SPECS rpmbuild/SRPMS
rpmbuild -bb $name.spec --define "_sourcedir $PWD" --define "_topdir $PWD/rpmbuild"
rpmbuild -bb $name.spec --define "_sourcedir $PWD" --define "_topdir $PWD/rpmbuild" --define 'RELEASE '$RELEASE --define 'VERSION '$VERSION
popd
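Review bot: package.sh has no `set -e`, so when it runs outside a git checkout (or git is absent) the two backtick substitutions on L1910-1911 yield empty strings, RELEASE becomes `0.` and the script carries on to tar and rpmbuild with a malformed release string instead of failing. The new `--define 'RELEASE '$RELEASE --define 'VERSION '$VERSION` on L1927 leaves both expansions unquoted, as does `pushd $SCRIPT_DIR` on L1916, which breaks on a path containing spaces. Backticks should become `$(…)`, `head -c6` can be `git rev-parse --short=6 HEAD`, and the `xargs echo -n` is redundant because command substitution already strips the trailing newline.
```shell
#!/bin/bash
set -euo pipefail
VERSION=2.1.0
GIT_HASH=$(git rev-parse --short=6 HEAD)
GIT_COMMIT_UNIX_TIMESTAMP=$(git show -s --format=%ct)
RELEASE="${GIT_COMMIT_UNIX_TIMESTAMP}.${GIT_HASH}"
name="tcg_rim_tool"
# Enter package directory
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
pushd "$SCRIPT_DIR"
tar -cf "$name-$VERSION.$RELEASE.tar" build.gradle gradle* src/ docs/ rim_fields.json keystore.jks scripts/
gzip -f "$name-$VERSION.$RELEASE.tar"
# … unchanged: rpmbuild directory reset …
rpmbuild -bb "$name.spec" --define "_sourcedir $PWD" --define "_topdir $PWD/rpmbuild" --define "RELEASE $RELEASE" --define "VERSION $VERSION"
popd
```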

@ -30,6 +30,7 @@
},
"Payload": {
"Directory": {
"supportRIMFormat": "TCG_EventLog_Assertion",
"name": "iotBase",
"File": {
"name": "TpmLog.bin"

@ -67,6 +67,9 @@ public class SwidTagConstants {
public static final String HASH = "hash";
public static final String SUPPORT_RIM_TYPE = "supportRIMType";
public static final String SUPPORT_RIM_FORMAT = "supportRIMFormat";
public static final String TCG_EVENTLOG_ASSERTION = "TCG_EventLog_Assertion";
public static final String TPM_PCR_ASSERTION = "TPM_PCR_Assertion";
public static final String SUPPORT_RIM_FORMAT_MISSING = "supportRIMFormat missing";
public static final String SUPPORT_RIM_URI_GLOBAL = "supportRIMURIGlobal";
public static final QName _SHA256_HASH = new QName(

@ -162,7 +162,8 @@ public class SwidTagGateway {
JsonObject configProperties = reader.readObject();
reader.close();
//SoftwareIdentity
swidTag = createSwidTag(configProperties.getJsonObject(SwidTagConstants.SOFTWARE_IDENTITY));
swidTag = createSwidTag(
configProperties.getJsonObject(SwidTagConstants.SOFTWARE_IDENTITY));
//Entity
JAXBElement<Entity> entity = objectFactory.createSoftwareIdentityEntity(
createEntity(configProperties.getJsonObject(SwidTagConstants.ENTITY)));
@ -199,7 +200,8 @@ public class SwidTagGateway {
System.out.println(e.getMessage());
}
Document signedSoftwareIdentity = signXMLDocument(objectFactory.createSoftwareIdentity(swidTag));
Document signedSoftwareIdentity = signXMLDocument(
objectFactory.createSoftwareIdentity(swidTag));
writeSwidTagFile(signedSoftwareIdentity, filename);
}
@ -247,14 +249,16 @@ public class SwidTagGateway {
if (!tagId.isEmpty()) {
swidTag.setTagId(tagId);
}
swidTag.setTagVersion(new BigInteger(jsonObject.getString(SwidTagConstants.TAGVERSION, "0")));
swidTag.setTagVersion(new BigInteger(
jsonObject.getString(SwidTagConstants.TAGVERSION, "0")));
swidTag.setVersion(jsonObject.getString(SwidTagConstants.VERSION, "0.0"));
swidTag.setCorpus(jsonObject.getBoolean(SwidTagConstants.CORPUS, false));
swidTag.setPatch(jsonObject.getBoolean(SwidTagConstants.PATCH, false));
swidTag.setSupplemental(jsonObject.getBoolean(SwidTagConstants.SUPPLEMENTAL, false));
if (!swidTag.isCorpus() && !swidTag.isPatch()
&& !swidTag.isSupplemental() && swidTag.getVersion() != "0.0") {
swidTag.setVersionScheme(jsonObject.getString(SwidTagConstants.VERSION_SCHEME, "multipartnumeric"));
swidTag.setVersionScheme(
jsonObject.getString(SwidTagConstants.VERSION_SCHEME, "multipartnumeric"));
}
return swidTag;
@ -329,24 +333,42 @@ public class SwidTagGateway {
private SoftwareMeta createSoftwareMeta(JsonObject jsonObject) {
SoftwareMeta softwareMeta = objectFactory.createSoftwareMeta();
Map<QName, String> attributes = softwareMeta.getOtherAttributes();
addNonNullAttribute(attributes, SwidTagConstants._COLLOQUIAL_VERSION, jsonObject.getString(SwidTagConstants.COLLOQUIAL_VERSION, ""));
addNonNullAttribute(attributes, SwidTagConstants._EDITION, jsonObject.getString(SwidTagConstants.EDITION, ""));
addNonNullAttribute(attributes, SwidTagConstants._PRODUCT, jsonObject.getString(SwidTagConstants.PRODUCT, ""));
addNonNullAttribute(attributes, SwidTagConstants._REVISION, jsonObject.getString(SwidTagConstants.REVISION, ""));
addNonNullAttribute(attributes, SwidTagConstants._PAYLOAD_TYPE, jsonObject.getString(SwidTagConstants.PAYLOAD_TYPE, ""));
addNonNullAttribute(attributes, SwidTagConstants._PLATFORM_MANUFACTURER_STR, jsonObject.getString(SwidTagConstants.PLATFORM_MANUFACTURER_STR, ""));
addNonNullAttribute(attributes, SwidTagConstants._PLATFORM_MANUFACTURER_ID, jsonObject.getString(SwidTagConstants.PLATFORM_MANUFACTURER_ID, ""));
addNonNullAttribute(attributes, SwidTagConstants._PLATFORM_MODEL, jsonObject.getString(SwidTagConstants.PLATFORM_MODEL, ""));
addNonNullAttribute(attributes, SwidTagConstants._PLATFORM_VERSION, jsonObject.getString(SwidTagConstants.PLATFORM_VERSION, ""));
addNonNullAttribute(attributes, SwidTagConstants._FIRMWARE_MANUFACTURER_STR, jsonObject.getString(SwidTagConstants.FIRMWARE_MANUFACTURER_STR, ""));
addNonNullAttribute(attributes, SwidTagConstants._FIRMWARE_MANUFACTURER_ID, jsonObject.getString(SwidTagConstants.FIRMWARE_MANUFACTURER_ID, ""));
addNonNullAttribute(attributes, SwidTagConstants._FIRMWARE_MODEL, jsonObject.getString(SwidTagConstants.FIRMWARE_MODEL, ""));
addNonNullAttribute(attributes, SwidTagConstants._FIRMWARE_VERSION, jsonObject.getString(SwidTagConstants.FIRMWARE_VERSION, ""));
addNonNullAttribute(attributes, SwidTagConstants._BINDING_SPEC, jsonObject.getString(SwidTagConstants.BINDING_SPEC, ""));
addNonNullAttribute(attributes, SwidTagConstants._BINDING_SPEC_VERSION, jsonObject.getString(SwidTagConstants.BINDING_SPEC_VERSION, ""));
addNonNullAttribute(attributes, SwidTagConstants._PC_URI_LOCAL, jsonObject.getString(SwidTagConstants.PC_URI_LOCAL, ""));
addNonNullAttribute(attributes, SwidTagConstants._PC_URI_GLOBAL, jsonObject.getString(SwidTagConstants.PC_URI_GLOBAL, ""));
addNonNullAttribute(attributes, SwidTagConstants._RIM_LINK_HASH, jsonObject.getString(SwidTagConstants.RIM_LINK_HASH, ""));
addNonNullAttribute(attributes, SwidTagConstants._COLLOQUIAL_VERSION,
jsonObject.getString(SwidTagConstants.COLLOQUIAL_VERSION, ""));
addNonNullAttribute(attributes, SwidTagConstants._EDITION,
jsonObject.getString(SwidTagConstants.EDITION, ""));
addNonNullAttribute(attributes, SwidTagConstants._PRODUCT,
jsonObject.getString(SwidTagConstants.PRODUCT, ""));
addNonNullAttribute(attributes, SwidTagConstants._REVISION,
jsonObject.getString(SwidTagConstants.REVISION, ""));
addNonNullAttribute(attributes, SwidTagConstants._PAYLOAD_TYPE,
jsonObject.getString(SwidTagConstants.PAYLOAD_TYPE, ""));
addNonNullAttribute(attributes, SwidTagConstants._PLATFORM_MANUFACTURER_STR,
jsonObject.getString(SwidTagConstants.PLATFORM_MANUFACTURER_STR, ""));
addNonNullAttribute(attributes, SwidTagConstants._PLATFORM_MANUFACTURER_ID,
jsonObject.getString(SwidTagConstants.PLATFORM_MANUFACTURER_ID, ""));
addNonNullAttribute(attributes, SwidTagConstants._PLATFORM_MODEL,
jsonObject.getString(SwidTagConstants.PLATFORM_MODEL, ""));
addNonNullAttribute(attributes, SwidTagConstants._PLATFORM_VERSION,
jsonObject.getString(SwidTagConstants.PLATFORM_VERSION, ""));
addNonNullAttribute(attributes, SwidTagConstants._FIRMWARE_MANUFACTURER_STR,
jsonObject.getString(SwidTagConstants.FIRMWARE_MANUFACTURER_STR, ""));
addNonNullAttribute(attributes, SwidTagConstants._FIRMWARE_MANUFACTURER_ID,
jsonObject.getString(SwidTagConstants.FIRMWARE_MANUFACTURER_ID, ""));
addNonNullAttribute(attributes, SwidTagConstants._FIRMWARE_MODEL,
jsonObject.getString(SwidTagConstants.FIRMWARE_MODEL, ""));
addNonNullAttribute(attributes, SwidTagConstants._FIRMWARE_VERSION,
jsonObject.getString(SwidTagConstants.FIRMWARE_VERSION, ""));
addNonNullAttribute(attributes, SwidTagConstants._BINDING_SPEC,
jsonObject.getString(SwidTagConstants.BINDING_SPEC, ""));
addNonNullAttribute(attributes, SwidTagConstants._BINDING_SPEC_VERSION,
jsonObject.getString(SwidTagConstants.BINDING_SPEC_VERSION, ""));
addNonNullAttribute(attributes, SwidTagConstants._PC_URI_LOCAL,
jsonObject.getString(SwidTagConstants.PC_URI_LOCAL, ""));
addNonNullAttribute(attributes, SwidTagConstants._PC_URI_GLOBAL,
jsonObject.getString(SwidTagConstants.PC_URI_GLOBAL, ""));
addNonNullAttribute(attributes, SwidTagConstants._RIM_LINK_HASH,
jsonObject.getString(SwidTagConstants.RIM_LINK_HASH, ""));
return softwareMeta;
}
@ -360,12 +382,12 @@ public class SwidTagGateway {
private ResourceCollection createPayload(JsonObject jsonObject) {
ResourceCollection payload = objectFactory.createResourceCollection();
Map<QName, String> attributes = payload.getOtherAttributes();
addNonNullAttribute(attributes, SwidTagConstants._N8060_ENVVARPREFIX, jsonObject.getString(SwidTagConstants._N8060_ENVVARPREFIX.getLocalPart(), ""));
addNonNullAttribute(attributes, SwidTagConstants._N8060_ENVVARSUFFIX, jsonObject.getString(SwidTagConstants._N8060_ENVVARSUFFIX.getLocalPart(), ""));
addNonNullAttribute(attributes, SwidTagConstants._N8060_PATHSEPARATOR, jsonObject.getString(SwidTagConstants._N8060_PATHSEPARATOR.getLocalPart(), ""));
addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_FORMAT, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_FORMAT, ""));
addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_TYPE, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_TYPE, ""));
addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, ""));
addNonNullAttribute(attributes, SwidTagConstants._N8060_ENVVARPREFIX,
jsonObject.getString(SwidTagConstants._N8060_ENVVARPREFIX.getLocalPart(), ""));
addNonNullAttribute(attributes, SwidTagConstants._N8060_ENVVARSUFFIX,
jsonObject.getString(SwidTagConstants._N8060_ENVVARSUFFIX.getLocalPart(), ""));
addNonNullAttribute(attributes, SwidTagConstants._N8060_PATHSEPARATOR,
jsonObject.getString(SwidTagConstants._N8060_PATHSEPARATOR.getLocalPart(), ""));
return payload;
}
@ -379,6 +401,21 @@ public class SwidTagGateway {
private Directory createDirectory(JsonObject jsonObject) {
Directory directory = objectFactory.createDirectory();
directory.setName(jsonObject.getString(SwidTagConstants.NAME, ""));
Map<QName, String> attributes = directory.getOtherAttributes();
String supportRimFormat = jsonObject.getString(SwidTagConstants.SUPPORT_RIM_FORMAT,
SwidTagConstants.SUPPORT_RIM_FORMAT_MISSING);
if (!supportRimFormat.equals(SwidTagConstants.SUPPORT_RIM_FORMAT_MISSING)) {
if (supportRimFormat.isEmpty()) {
attributes.put(SwidTagConstants._SUPPORT_RIM_FORMAT,
SwidTagConstants.TCG_EVENTLOG_ASSERTION);
} else {
attributes.put(SwidTagConstants._SUPPORT_RIM_FORMAT, supportRimFormat);
}
}
addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_TYPE,
jsonObject.getString(SwidTagConstants.SUPPORT_RIM_TYPE, ""));
addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL,
jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, ""));
return directory;
}
@ -394,9 +431,23 @@ public class SwidTagGateway {
private hirs.swid.xjc.File createFile(JsonObject jsonObject) {
hirs.swid.xjc.File file = objectFactory.createFile();
file.setName(jsonObject.getString(SwidTagConstants.NAME, ""));
Map<QName, String> attributes = file.getOtherAttributes();
String supportRimFormat = jsonObject.getString(SwidTagConstants.SUPPORT_RIM_FORMAT,
SwidTagConstants.SUPPORT_RIM_FORMAT_MISSING);
if (!supportRimFormat.equals(SwidTagConstants.SUPPORT_RIM_FORMAT_MISSING)) {
if (supportRimFormat.isEmpty()) {
attributes.put(SwidTagConstants._SUPPORT_RIM_FORMAT,
SwidTagConstants.TCG_EVENTLOG_ASSERTION);
} else {
attributes.put(SwidTagConstants._SUPPORT_RIM_FORMAT, supportRimFormat);
}
}
addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_TYPE,
jsonObject.getString(SwidTagConstants.SUPPORT_RIM_TYPE, ""));
addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL,
jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, ""));
File rimEventLogFile = new File(rimEventLog);
file.setSize(new BigInteger(Long.toString(rimEventLogFile.length())));
Map<QName, String> attributes = file.getOtherAttributes();
addNonNullAttribute(attributes, SwidTagConstants._SHA256_HASH, HashSwid.get256Hash(rimEventLog));
return file;
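Review bot: createDirectory (L2073-2083) and createFile (L2094-2104) now carry the same eleven-line block that resolves supportRIMFormat, and the two copies will drift the first time one is changed; a private helper taking the attribute map and the JsonObject removes the duplication, and the paired _SUPPORT_RIM_TYPE / _SUPPORT_RIM_URI_GLOBAL lines could move into it too. The block also detects an absent key by passing the sentinel `SUPPORT_RIM_FORMAT_MISSING` (`"supportRIMFormat missing"`) as the default and comparing against it, which conflates a real attribute value equal to that string with absence; `jsonObject.containsKey(...)` tests presence directly and lets the sentinel constant go. The helper below keeps the empty-string-to-TCG_EventLog_Assertion default; the one behavioral difference is a key present with a non-string value, which the sentinel version silently skips and the helper treats as empty — worth deciding explicitly rather than by accident.
```java
/**
 * Copies supportRIMFormat from jsonObject into attributes: an absent key adds nothing,
 * an empty value defaults to TCG_EventLog_Assertion, anything else is copied as-is.
 */
private void addSupportRimFormat(Map<QName, String> attributes, JsonObject jsonObject) {
    if (!jsonObject.containsKey(SwidTagConstants.SUPPORT_RIM_FORMAT)) {
        return;
    }
    String supportRimFormat = jsonObject.getString(SwidTagConstants.SUPPORT_RIM_FORMAT, "");
    attributes.put(SwidTagConstants._SUPPORT_RIM_FORMAT,
            supportRimFormat.isEmpty() ? SwidTagConstants.TCG_EVENTLOG_ASSERTION : supportRimFormat);
}
// … in createDirectory and createFile, the copied block becomes:
addSupportRimFormat(attributes, jsonObject);
```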

@ -3,7 +3,7 @@
<Entity name="Example Inc" regid="http://Example.com" role="softwareCreator tagCreator"/>
<Link href="https://Example.com/support/ProductA/firmware/installfiles" rel="installationmedia"/>
<Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="Firmware_2019" n8060:edition="12" n8060:product="ProductA" n8060:revision="r2" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:PayloadType="direct" rim:firmwareManufacturerId="00213022" rim:firmwareManufacturerStr="BIOSVendorA" rim:firmwareModel="A0" rim:firmwareVersion="12" rim:pcURIGlobal="https://Example.com/support/ProductA/" rim:pcURILocal="/boot/tcg/manifest/switag/" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Example.com" rim:platformModel="ProductA" rim:platformVersion="01"/>
<Payload xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" rim:supportRIMFormat="TCG_EventLog_Assertion" rim:supportRIMURIGlobal="https://Example.com/support/ProductA/firmware/rims/">
<Payload>
<Directory name="rim">
<File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="4479ca722623f8c47b703996ced3cbd981b06b1ae8a897db70137e0b7c546848" name="Example.com.BIOS.01.rimel" size="7549"/>
</Directory>
@ -17,14 +17,14 @@
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>97uWB7zSsO5WaGbrcQrlKd1Bju0aDTjK1/ktUYBje8A=</DigestValue>
<DigestValue>K3XoBeYvgJBAKl8z273sL7z38qLLVBKLfUPt/gPUzBI=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>N1YtTeo2Ryuj+CtlXIpICEay+ni7vt8+4J7tAsYpa3efnLwtea69PIqEylPWm9LdA8Eo8XDdpgxV&#13;
7h3hi2LTOU+Wxq3bLiLamo99T1EtIwl+ZPcOv8bsfEkmShHdMC0dlfcj6r7x4tc0XkNAhhJgfRNz&#13;
FsmPWKJb6FYcsHFbHO/Uw1hSokbAGcWWTshEOqvKHMa8UVkrFMUPnrnMtdyJqZlhDBrZHNi4rWth&#13;
8TjlUnQVSCF9s9I04FxJ1cUAdeVMHtXKM8Pvjv68PaJMJK73dW5Yd3SbcgoKLesf/HPWeeZL0rr4&#13;
TNjlqJ/wq61Ons45MFG9bIscVbnd+XxFHx8Skw==</SignatureValue>
<SignatureValue>cIl1gPsUyEj2gDv3HTWNFDVxtcBjz4Revxxf2LJejtOXQW8mGepZH8CnvgO7zCAbZYlYUZXjYZ9M&#13;
jONVv8dcsAjVHRnP6YHywFfmSm8LUCwxsfuZQqn5jClqzu5VaqLzBhuJYvCpiEdIDJwDINQuORUB&#13;
nzul1CWc3Sm1Ms2wjlIq5ctWWJcddhdyIOjl8/oD4EC5E2rOSfNcRMZxldXtie9iinFGVbr0YNE+&#13;
+lQ7hAU+SyV8RMx9tGnnsO8otwV4ddF+OfemcbzWGYBenLs3A8ZqWZyTvWphCgGqDUbOLssYciCC&#13;
mnYm5QOeh4QcE9H2kqTgZvcyCgPL/hDC7xhyjQ==</SignatureValue>
<KeyInfo>
<KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
</KeyInfo>
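Review bot: The regenerated example removes `rim:supportRIMFormat` from `<Payload>` (L2121-2122) but the unchanged `<Directory name="rim">` and `<File …>` context lines do not gain it, so the signed example now carries no supportRIMFormat anywhere, while rim_fields.json in this same commit places it under Payload.Directory and SwidTagGateway writes it on Directory and File. If the example is meant to show the new placement it should be regenerated from the updated rim_fields.json, which also re-signs it; this is inferred from the context lines rather than from a visible removal. The second example file below has the identical change and the same gap.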

@ -3,7 +3,7 @@
<Entity name="Example Inc" regid="http://Example.com" role="softwareCreator tagCreator"/>
<Link href="https://Example.com/support/ProductA/firmware/installfiles" rel="installationmedia"/>
<Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="Firmware_2019" n8060:edition="12" n8060:product="ProductA" n8060:revision="r2" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:PayloadType="direct" rim:firmwareManufacturerId="00213022" rim:firmwareManufacturerStr="BIOSVendorA" rim:firmwareModel="A0" rim:firmwareVersion="12" rim:pcURIGlobal="https://Example.com/support/ProductA/" rim:pcURILocal="/boot/tcg/manifest/switag/" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Example.com" rim:platformModel="ProductA" rim:platformVersion="01"/>
<Payload xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" rim:supportRIMFormat="TCG_EventLog_Assertion" rim:supportRIMURIGlobal="https://Example.com/support/ProductA/firmware/rims/">
<Payload>
<Directory name="rim">
<File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="4479ca722623f8c47b703996ced3cbd981b06b1ae8a897db70137e0b7c546848" name="Example.com.BIOS.01.rimel" size="7549"/>
</Directory>
@ -17,14 +17,14 @@
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>97uWB7zSsO5WaGbrcQrlKd1Bju0aDTjK1/ktUYBje8A=</DigestValue>
<DigestValue>K3XoBeYvgJBAKl8z273sL7z38qLLVBKLfUPt/gPUzBI=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>N1YtTeo2Ryuj+CtlXIpICEay+ni7vt8+4J7tAsYpa3efnLwtea69PIqEylPWm9LdA8Eo8XDdpgxV&#13;
7h3hi2LTOU+Wxq3bLiLamo99T1EtIwl+ZPcOv8bsfEkmShHdMC0dlfcj6r7x4tc0XkNAhhJgfRNz&#13;
FsmPWKJb6FYcsHFbHO/Uw1hSokbAGcWWTshEOqvKHMa8UVkrFMUPnrnMtdyJqZlhDBrZHNi4rWth&#13;
8TjlUnQVSCF9s9I04FxJ1cUAdeVMHtXKM8Pvjv68PaJMJK73dW5Yd3SbcgoKLesf/HPWeeZL0rr4&#13;
TNjlqJ/wq61Ons45MFG9bIscVbnd+XxFHx8Skw==</SignatureValue>
<SignatureValue>cIl1gPsUyEj2gDv3HTWNFDVxtcBjz4Revxxf2LJejtOXQW8mGepZH8CnvgO7zCAbZYlYUZXjYZ9M&#13;
jONVv8dcsAjVHRnP6YHywFfmSm8LUCwxsfuZQqn5jClqzu5VaqLzBhuJYvCpiEdIDJwDINQuORUB&#13;
nzul1CWc3Sm1Ms2wjlIq5ctWWJcddhdyIOjl8/oD4EC5E2rOSfNcRMZxldXtie9iinFGVbr0YNE+&#13;
+lQ7hAU+SyV8RMx9tGnnsO8otwV4ddF+OfemcbzWGYBenLs3A8ZqWZyTvWphCgGqDUbOLssYciCC&#13;
mnYm5QOeh4QcE9H2kqTgZvcyCgPL/hDC7xhyjQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName>CN=example.RIM.signer,OU=PCClient,O=Example,ST=VA,C=US</X509SubjectName>

@ -1,17 +1,19 @@
Name: tcg_rim_tool
Version: 2.1.0
Release: 1%{?dist}
Version: %{?VERSION}
Release: %{?RELEASE}
Summary: A java command-line tool to create PC client root RIM
License: ASL 2.0
URL: https://github.com/nsacyber/HIRS
Source0: %{name}.tar.gz
Source0: %{name}-%{version}.%{release}.tar.gz
BuildRequires: java-headless >= 1:1.8.0
%description
This tool will generate a base RIM file for PC clients in accordance with the schema located at http://standards.iso.org/iso/19770/-2/2015/schema.xsd. The generated RIM can either be empty if no arguments are given, or contain a payload if an input file is provided. The tool can also verify a given RIMfile against the schema. Use -h or --help to see a list of commands and uses.
%global __os_install_post %{nil}
%prep
%setup -q -c -n %{name}
@ -19,7 +21,7 @@ This tool will generate a base RIM file for PC clients in accordance with the sc
rm -f /opt/hirs/rimtool/%{name}*.jar
%build
./gradlew build
./gradlew -Pversion=%{version} build
%install
mkdir -p %{buildroot}/opt/hirs/rimtool/ %{buildroot}/usr/local/bin