diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
index e2ac1782..ededb82a 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@@ -473,24 +473,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
 // we have a full set of PCR values
 int algorithmLength = baseline[0].length();
 String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength);
+ pcrPolicy.validatePcrs(storedPcrs);
- if (storedPcrs[0] == null || storedPcrs[0].isEmpty()) {
- // validation fail
- fwStatus = new AppraisalStatus(FAIL,
- "Firmware validation failed: "
- + "Client provided PCR "
- + "values are not the same algorithm "
- + "as associated RIM.");
- } else {
- StringBuilder sb = pcrPolicy.validatePcrs(storedPcrs);
- if (sb.length() > 0) {
- validationObject = baseReferenceManifest;
- level = Level.ERROR;
- fwStatus = new AppraisalStatus(FAIL, sb.toString());
- } else {
- level = Level.INFO;
- }
- }
 // part 2 of firmware validation check: bios measurements
 // vs baseline tcg event log
 // find the measurement
@@ -619,7 +603,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
 fwStatus = new AppraisalStatus(PASS,
 SupplyChainCredentialValidator.FIRMWARE_VALID);
 fwStatus.setMessage("Firmware validation of TPM Quote successful.");
-
 } else {
 fwStatus.setMessage("Firmware validation of TPM Quote failed."
 + "\nPCR hash and Quote hash do not match.");
diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
index 15bbf55e..0af19c27 100644
--- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
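Review bot: The return value of `pcrPolicy.validatePcrs(storedPcrs)` on the added line is discarded, so a PCR mismatch no longer sets `fwStatus` to FAIL, `level` to ERROR or `validationObject` at this point, and the algorithm-length mismatch the removed branch reported is likewise no longer surfaced here; unless a later part of this method re-evaluates the PCRs, firmware appraisal continues as if the comparison passed, which defeats the attestation check. The second file moves the `storedPcrs[0]` check into `validatePcrs`, but that method only communicates failures through the returned builder, so the caller still has to read it. Keep the builder and act on it as the removed lines did (the `level = Level.INFO` assignment for the success path is also lost otherwise). The enclosing method starts and ends outside this hunk, so the rest of its control flow is not visible.
```java
String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength);
StringBuilder sb = pcrPolicy.validatePcrs(storedPcrs);
if (sb.length() > 0) {
    validationObject = baseReferenceManifest;
    level = Level.ERROR;
    fwStatus = new AppraisalStatus(FAIL, sb.toString());
} else {
    level = Level.INFO;
}
// … unchanged: part 2 of firmware validation check …
```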
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
@@ -72,25 +72,29 @@ public final class PCRPolicy extends Policy {
 public StringBuilder validatePcrs(final String[] storedPcrs) {
 StringBuilder sb = new StringBuilder();
 String failureMsg = "PCR %d does not match%n";
+ if (storedPcrs[0] == null || storedPcrs[0].isEmpty()) {
+ sb.append("failureMsg");
+ } else {
+ for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
+ if (enableIgnoreIma && i == IMA_PCR) {
+ LOGGER.info("PCR Policy IMA Ignore enabled.");
+ i += NUM_TO_SKIP;
+ }
- for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
- if (enableIgnoreIma && i == IMA_PCR) {
- LOGGER.info("PCR Policy IMA Ignore enabled.");
- i += NUM_TO_SKIP;
- }
+ if (enableIgnoretBoot && i == TBOOT_PCR) {
+ LOGGER.info("PCR Policy TBoot Ignore enabled.");
+ i += NUM_OF_TBOOT_PCR;
+ }
- if (enableIgnoretBoot && i == TBOOT_PCR) {
- LOGGER.info("PCR Policy TBoot Ignore enabled.");
- i += NUM_OF_TBOOT_PCR;
- }
+ if (enableIgnoreGpt && i == GPT_PCR) {
+ LOGGER.info("PCR Policy GPT Ignore enabled.");
+ i += NUM_TO_SKIP;
+ }
- if (enableIgnoreGpt && i == GPT_PCR) {
- LOGGER.info("PCR Policy GPT Ignore enabled.");
- i += NUM_TO_SKIP;
- }
-
- if (!baselinePcrs[i].equals(storedPcrs[i])) {
- sb.append(String.format(failureMsg, i));
+ if (!baselinePcrs[i].equals(storedPcrs[i])) {
+ LOGGER.error(String.format("%s =/= %s", baselinePcrs[i], storedPcrs[i]));
+ sb.append(String.format(failureMsg, i));
+ }
 }
 }