Removed the validation of the PCRs line by line for the expected PCR values.

This commit is contained in:
Cyrus 2021-06-24 11:46:01 -04:00
parent 94930e981a
commit be3cd2bd32
2 changed files with 21 additions and 34 deletions


@ -473,24 +473,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
// we have a full set of PCR values // we have a full set of PCR values
int algorithmLength = baseline[0].length(); int algorithmLength = baseline[0].length();
String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength); String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength);
pcrPolicy.validatePcrs(storedPcrs);
if (storedPcrs[0] == null || storedPcrs[0].isEmpty()) {
// validation fail
fwStatus = new AppraisalStatus(FAIL,
"Firmware validation failed: "
+ "Client provided PCR "
+ "values are not the same algorithm "
+ "as associated RIM.");
} else {
StringBuilder sb = pcrPolicy.validatePcrs(storedPcrs);
if (sb.length() > 0) {
validationObject = baseReferenceManifest;
level = Level.ERROR;
fwStatus = new AppraisalStatus(FAIL, sb.toString());
} else {
level = Level.INFO;
}
}
// part 2 of firmware validation check: bios measurements // part 2 of firmware validation check: bios measurements
// vs baseline tcg event log // vs baseline tcg event log
// find the measurement // find the measurement
@ -619,7 +603,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
fwStatus = new AppraisalStatus(PASS, fwStatus = new AppraisalStatus(PASS,
SupplyChainCredentialValidator.FIRMWARE_VALID); SupplyChainCredentialValidator.FIRMWARE_VALID);
fwStatus.setMessage("Firmware validation of TPM Quote successful."); fwStatus.setMessage("Firmware validation of TPM Quote successful.");
} else { } else {
fwStatus.setMessage("Firmware validation of TPM Quote failed." fwStatus.setMessage("Firmware validation of TPM Quote failed."
+ "\nPCR hash and Quote hash do not match."); + "\nPCR hash and Quote hash do not match.");
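Review bot: In the first hunk of SupplyChainValidationServiceImpl the new line `pcrPolicy.validatePcrs(storedPcrs);` discards the StringBuilder that validatePcrs returns, and the removed branch was the only place in the hunk that turned a non-empty result into `fwStatus = new AppraisalStatus(FAIL, ...)` with `level = Level.ERROR` and `validationObject = baseReferenceManifest`. Unless code outside this hunk re-examines the PCR comparison, a mismatching PCR set no longer fails firmware validation and `level` keeps whatever value it held before; the enclosing method starts and ends outside the hunk, so that cannot be confirmed here. If the call is only meant to log, the intent should be stated in a comment, e.g. `// PCR comparison result is logged by PCRPolicy; appraisal outcome is decided below`; otherwise keep the result and fail on it: `StringBuilder sb = pcrPolicy.validatePcrs(storedPcrs); if (sb.length() > 0) { fwStatus = new AppraisalStatus(FAIL, sb.toString()); }`. Note also that the PCRPolicy side of this commit appends the literal text `"failureMsg"` for the empty-algorithm case, so even a consumed result would carry the wrong message there.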


@ -72,25 +72,29 @@ public final class PCRPolicy extends Policy {
public StringBuilder validatePcrs(final String[] storedPcrs) { public StringBuilder validatePcrs(final String[] storedPcrs) {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
String failureMsg = "PCR %d does not match%n"; String failureMsg = "PCR %d does not match%n";
if (storedPcrs[0] == null || storedPcrs[0].isEmpty()) {
sb.append("failureMsg");
} else {
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
if (enableIgnoreIma && i == IMA_PCR) {
LOGGER.info("PCR Policy IMA Ignore enabled.");
i += NUM_TO_SKIP;
}
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) { if (enableIgnoretBoot && i == TBOOT_PCR) {
if (enableIgnoreIma && i == IMA_PCR) { LOGGER.info("PCR Policy TBoot Ignore enabled.");
LOGGER.info("PCR Policy IMA Ignore enabled."); i += NUM_OF_TBOOT_PCR;
i += NUM_TO_SKIP; }
}
if (enableIgnoretBoot && i == TBOOT_PCR) { if (enableIgnoreGpt && i == GPT_PCR) {
LOGGER.info("PCR Policy TBoot Ignore enabled."); LOGGER.info("PCR Policy GPT Ignore enabled.");
i += NUM_OF_TBOOT_PCR; i += NUM_TO_SKIP;
} }
if (enableIgnoreGpt && i == GPT_PCR) { if (!baselinePcrs[i].equals(storedPcrs[i])) {
LOGGER.info("PCR Policy GPT Ignore enabled."); LOGGER.error(String.format("%s =/= %s", baselinePcrs[i], storedPcrs[i]));
i += NUM_TO_SKIP; sb.append(String.format(failureMsg, i));
} }
if (!baselinePcrs[i].equals(storedPcrs[i])) {
sb.append(String.format(failureMsg, i));
} }
} }