Added ACA tests using uploaded artifacts

iadgovuser29 2024-07-12 14:36:49 -04:00
parent 621f0b3e4f
commit c15ee45459
5 changed files with 47 additions and 13 deletions


@ -33,6 +33,9 @@ HIRS_CI_TEST_DEFAULT_DMI_ZIP=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/laptop_dmi.zip
HIRS_CI_TEST_DEFAULT_HW_JSON_FILE=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_hw.json HIRS_CI_TEST_DEFAULT_HW_JSON_FILE=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_hw.json
HIRS_CI_TEST_DEFAULT_EVENT_LOG=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_binary_bios_measurements HIRS_CI_TEST_DEFAULT_EVENT_LOG=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_binary_bios_measurements
HIRS_CI_TEST_DEFAULT_SETPCRS_SH=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_setpcrs.sh HIRS_CI_TEST_DEFAULT_SETPCRS_SH=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_setpcrs.sh
HIRS_CI_TEST_DEFAULT_PLATFORMCERTS_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/empty/platformcerts
HIRS_CI_TEST_DEFAULT_RIMS_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/empty/rims
HIRS_CI_TEST_DEFAULT_SWIDTAGS_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/empty/swidtags
HIRS_CI_TPM_EK_CERT_FILE=/hirs/.ci/setup/certs/ek_cert.der HIRS_CI_TPM_EK_CERT_FILE=/hirs/.ci/setup/certs/ek_cert.der
HIRS_CI_TPM_EK_CERT_NV_ATTR="0x2000A" HIRS_CI_TPM_EK_CERT_NV_ATTR="0x2000A"


@ -12,7 +12,6 @@
profile=laptop profile=laptop
test=default test=default
ciTestDir=$HIRS_CI_TEST_ROOT
ciTestHwJsonFile=$HIRS_CI_TEST_HW_JSON_FILE ciTestHwJsonFile=$HIRS_CI_TEST_HW_JSON_FILE
# By default save the artifacts in EFI and do not upload to the ACA # By default save the artifacts in EFI and do not upload to the ACA
@ -75,7 +74,7 @@ fi
# Ensure platform folder under efi is set up and cleared # Ensure platform folder under efi is set up and cleared
$HIRS_CI_REPO_ROOT/.ci/system-tests/container/efi_setup.sh -p $HIRS_CI_REPO_ROOT/.ci/system-tests/container/efi_setup.sh -p
echo "Test is using platform cert(s) from $profile : $test" echo "Platform certs selected from profile: $profile : $test"
# Step 1: Copy hw json file, if it exists. # Step 1: Copy hw json file, if it exists.
if [ -f "$hwJsonFile" ]; then if [ -f "$hwJsonFile" ]; then
echo "hw file used was $hwJsonFile" echo "hw file used was $hwJsonFile"
@ -87,11 +86,11 @@ dnf install -y unzip &> /dev/null
# Step 2: Unpack the dmi files. # Step 2: Unpack the dmi files.
echo "dmi file used was $dmiZip" echo "dmi file used was $dmiZip"
unzip -o "$dmiZip" -d "$ciTestDir" unzip -o "$dmiZip" -d $HIRS_CI_TEST_ROOT
# Step 3: Copy the platform cert to tcg folder and or upload it to the ACA # Step 3: Copy the platform cert to tcg folder and or upload it to the ACA
if [[ ! -d $pcDir ]]; then if [[ ! -d $pcDir ]]; then
pcDir=$profileDir/default/platformcerts; pcDir=$profileDir/default/platformcerts
fi fi
pushd $pcDir > /dev/null pushd $pcDir > /dev/null
@ -99,9 +98,11 @@ pushd $pcDir > /dev/null
if [[ ! -f ".gitignore" ]]; then if [[ ! -f ".gitignore" ]]; then
for cert in * ; do for cert in * ; do
if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
echo "Saving $cert to $HIRS_CI_EFI_PATH_PLATFORM"
cp $cert $HIRS_CI_EFI_PATH_PLATFORM cp $cert $HIRS_CI_EFI_PATH_PLATFORM
fi fi
if [ "$UPLOAD_ARTIFACTS" = YES ]; then if [ "$UPLOAD_ARTIFACTS" = YES ]; then
echo "Uploading $cert to $SERVER_PCERT_POST"
curl -k -F "file=@$cert" $SERVER_PCERT_POST curl -k -F "file=@$cert" $SERVER_PCERT_POST
fi fi
done done
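Review bot: The upload that the new `echo "Uploading $cert to $SERVER_PCERT_POST"` line announces is never checked. `curl -k -F ...` exits 0 on an HTTP error response and `-k` skips TLS certificate verification, so a rejected upload, or one answered by an unexpected endpoint, is logged as if it had succeeded. Something like `curl --fail --silent --show-error -F "file=@$cert" "$SERVER_PCERT_POST" || exit 1` would surface the failure, with `--cacert <CI_ACA_CA_FILE_PLACEHOLDER>` instead of `-k` if the CI ACA certificate is available in the container. The same applies to the swidtag and RIM upload loops in the next file section. Separately, the rewritten `unzip -o "$dmiZip" -d $HIRS_CI_TEST_ROOT` drops the quoting the old `"$ciTestDir"` had; `-d "$HIRS_CI_TEST_ROOT"` restores it.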


@ -9,11 +9,7 @@
profile=laptop profile=laptop
test=default test=default
ciTestDir=$HIRS_CI_TEST_ROOT
ciTestEventLog=$HIRS_CI_TEST_EVENT_LOG_FILE ciTestEventLog=$HIRS_CI_TEST_EVENT_LOG_FILE
tcgDir=$HIRS_CI_EFI_PATH_TCG
tcgSwidDir=$HIRS_CI_EFI_PATH_SWIDTAG
tcgRimDir=$HIRS_CI_EFI_PATH_RIM
# By default save the artifacts in EFI and do not upload to the ACA # By default save the artifacts in EFI and do not upload to the ACA
UPLOAD_ARTIFACTS=NO UPLOAD_ARTIFACTS=NO
@ -83,9 +79,11 @@ pushd $swidDir > /dev/null
if [[ ! -f ".gitignore" ]]; then if [[ ! -f ".gitignore" ]]; then
for swidtag in * ; do for swidtag in * ; do
if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
cp $swidtag $tcgSwidDir echo "Saving $swidtag to $HIRS_CI_EFI_PATH_SWIDTAG"
cp $swidtag $HIRS_CI_EFI_PATH_SWIDTAG
fi fi
if [ "$UPLOAD_ARTIFACTS" = YES ]; then if [ "$UPLOAD_ARTIFACTS" = YES ]; then
echo "Uploading $swidtag to $SERVER_RIM_POST"
curl -k -F "file=@$swidtag" $SERVER_RIM_POST curl -k -F "file=@$swidtag" $SERVER_RIM_POST
fi fi
done done
@ -99,9 +97,11 @@ pushd $rimDir > /dev/null
if [[ ! -f ".gitignore" ]]; then if [[ ! -f ".gitignore" ]]; then
for rim in * ; do for rim in * ; do
if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then if [ "$PUT_ARTIFACTS_IN_ESP" = YES ]; then
cp $rim $tcgRimDir echo "Saving $rim to $HIRS_CI_EFI_PATH_RIM"
cp $rim $HIRS_CI_EFI_PATH_RIM
fi fi
if [ "$UPLOAD_ARTIFACTS" = YES ]; then if [ "$UPLOAD_ARTIFACTS" = YES ]; then
echo "Uploading $rim to $SERVER_RIM_POST"
curl -k -F "file=@$rim" $SERVER_RIM_POST curl -k -F "file=@$rim" $SERVER_RIM_POST
fi fi
done done


@ -115,16 +115,22 @@ resetTpmForNewTest() {
# Places platform cert(s) held in the test folder(s) in the provisioners tcg folder # Places platform cert(s) held in the test folder(s) in the provisioners tcg folder
setPlatformCerts() { setPlatformCerts() {
docker exec -i $tpm2_container /bin/bash -c "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/pc_setup.sh $@" OPTIONS="$@"
echo "Asking container $tpm2_container to run pc_setup.sh $OPTIONS"
docker exec -i $tpm2_container /bin/bash -c "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/pc_setup.sh $OPTIONS"
} }
# Places RIM files held in the test folder in the provisioners tcg folder # Places RIM files held in the test folder in the provisioners tcg folder
setRims() { setRims() {
docker exec -i $tpm2_container /bin/bash -c "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/rim_setup.sh $@" OPTIONS="$@"
echo "Asking container $tpm2_container to run rim_setup.sh $OPTIONS"
docker exec -i $tpm2_container /bin/bash -c "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/rim_setup.sh $OPTIONS"
} }
setAppsettings() { setAppsettings() {
docker exec -i $tpm2_container /bin/bash -c "source $HIRS_CI_REPO_ROOT/.ci/setup/container/tpm2_common.sh; setCiHirsAppsettingsFile $@" OPTIONS="$@"
echo "Asking container $tpm2_container to set the appsettings file with options: $OPTIONS"
docker exec -i $tpm2_container /bin/bash -c "source $HIRS_CI_REPO_ROOT/.ci/setup/container/tpm2_common.sh; setCiHirsAppsettingsFile $OPTIONS"
} }
# Writes to the Action ouput, ACA log, and Provisioner Log # Writes to the Action ouput, ACA log, and Provisioner Log
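Review bot: `OPTIONS="$@"` in setPlatformCerts, setRims and setAppsettings joins the arguments into one string that is pasted into the `bash -c` command line, so argument boundaries are lost and any shell metacharacter in an argument would be interpreted by the shell inside the container. The callers visible in this commit pass only fixed literals, so today this is a robustness point, but OPTIONS is also an undeclared global that all three functions overwrite. Passing the arguments positionally avoids both problems: `docker exec -i "$tpm2_container" /bin/bash -c '"$0" "$@"' "$HIRS_CI_REPO_ROOT/.ci/system-tests/container/pc_setup.sh" "$@"`, with `$*` used only in the echo. setAppsettings can do the same with `'source "$0"; setCiHirsAppsettingsFile "$@"'` as the command string and the tpm2_common.sh path as `$0`.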


@ -25,6 +25,10 @@ esac
if [ "$test" = "1" ] || [ "$test" = "all" ]; then if [ "$test" = "1" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 1: Test ACA default policy ###" writeToLogs "### ACA POLICY TEST 1: Test ACA default policy ###"
writeToLogs "Now using default appsettings" writeToLogs "Now using default appsettings"
clearAcaDb
resetTpmForNewTest
setAppsettings
setPolicyNone
setPlatformCerts -p "laptop" -t "empty" setPlatformCerts -p "laptop" -t "empty"
provisionTpm2 "pass" provisionTpm2 "pass"
fi fi
@ -78,6 +82,26 @@ if [ "$test" = "8" ] || [ "$test" = "all" ]; then
setRims -p "laptop" -t "default" setRims -p "laptop" -t "default"
provisionTpm2 "pass" provisionTpm2 "pass"
fi fi
if [ "$test" = "9" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 9: Test valid PC and RIM with PC only uploaded ###"
clearAcaDb
resetTpmForNewTest
setPolicyEkPcFw
uploadTrustedCerts
setPlatformCerts -p "laptop" -t "default" -u -n
setRims -p "laptop" -t "default"
provisionTpm2 "pass"
fi
if [ "$test" = "10" ] || [ "$test" = "all" ]; then
writeToLogs "### ACA POLICY TEST 10: Test valid PC and RIM with RIM only uploaded ###"
clearAcaDb
resetTpmForNewTest
setPolicyEkPcFw
uploadTrustedCerts
setPlatformCerts -p "laptop" -t "default"
setRims -p "laptop" -t "default" -u -n
provisionTpm2 "pass"
fi
# Process Test Results, any single failure will send back a failed result. # Process Test Results, any single failure will send back a failed result.
if [[ $failedTests != 0 ]]; then if [[ $failedTests != 0 ]]; then
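Review bot: Tests 9 and 10 rely on the `-u -n` flags, but nothing here says what they select. Judging by the setup scripts in this commit they presumably set UPLOAD_ARTIFACTS=YES and PUT_ARTIFACTS_IN_ESP=NO, which should be confirmed. A comment above each call, for example `# -u: upload to the ACA; -n: do not copy into the ESP (confirm)`, would make it clear that the "pass" result is meant to prove the ACA validated the uploaded artifact rather than a copy in the ESP. Unlike test 1 after this change, neither new test calls `setAppsettings`, so any appsettings change made by an earlier test would carry over; if that is intentional, a short comment saying so would help.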