mirror of
https://github.com/nsacyber/HIRS.git
synced 2025-01-02 03:06:47 +00:00
* This commit includes functioning TPM quote code that is sent to the ACA. In addition, it has code to also send the pcrs list results. Additional changes to correct code for sending the pcr list over to the ACA. Additional changes to correct code for sending the pcr list over to the ACA. Additional changes to correct code for sending the pcr list over to the ACA. Additional changes to correct code for sending the pcr list over to the ACA. Additional changes to correct code for sending the pcr list over to the ACA. Additional changes to correct code for sending the pcr list over to the ACA. Additional changes to correct code for sending the pcr list over to the ACA. Additional changes to correct code for sending the pcr list over to the ACA. Additional changes to correct code for sending the pcr list over to the ACA.
* Changed the requirement for the field in the protobuf from required to optional.
parent
75b9c2ddf7
commit
c7454c945e
@ -58,6 +58,11 @@ class CommandTpm2 {
|
|||||||
static const char* const kDefaultAkNameFilename;
|
static const char* const kDefaultAkNameFilename;
|
||||||
static const char* const kDefaultAkPubFilename;
|
static const char* const kDefaultAkPubFilename;
|
||||||
static const char* const kDefaultEkPubFilename;
|
static const char* const kDefaultEkPubFilename;
|
||||||
|
static const char* const kTpm2ToolsGetQuoteCommand;
|
||||||
|
static const char* const kTpm2DefaultQuoteFilename;
|
||||||
|
static const char* const kTpm2DefaultSigFilename;
|
||||||
|
static const char* const kTpm2DefaultSigAlgorithm;
|
||||||
|
static const char* const kTpm2ToolsPcrListCommand;
|
||||||
|
|
||||||
const hirs::tpm2_tools_utils::Tpm2ToolsVersion version;
|
const hirs::tpm2_tools_utils::Tpm2ToolsVersion version;
|
||||||
|
|
||||||
@ -129,8 +134,10 @@ class CommandTpm2 {
|
|||||||
|
|
||||||
void storeAKCertificate(const std::string& akCertificateByteString);
|
void storeAKCertificate(const std::string& akCertificateByteString);
|
||||||
|
|
||||||
void getQuote(const std::string& akLocation,
|
std::string getQuote(const std::string& pcr_selection,
|
||||||
TPML_PCR_SELECTION* pcrSelection);
|
const std::string& nonce);
|
||||||
|
|
||||||
|
std::string getPcrsList();
|
||||||
};
|
};
|
||||||
|
|
||||||
} // namespace tpm2
|
} // namespace tpm2
|
||||||
|
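Review bot: The new `getQuote(const std::string& pcr_selection, const std::string& nonce)` and `getPcrsList()` declarations have no comment saying what format each string takes or what is returned, and the comment at the definition still documents the removed `akLocation` and `pcrSelection` parameters. A caller cannot tell from the header whether `nonce` is raw bytes, hex, or a string of binary digits, and the implementation in this commit only handles the last of those. Add declaration comments such as `/// @param nonce challenge received from the ACA; state the expected encoding here` and `/// @return the string returned by runTpm2CommandWithRetry for tpm2_quote`, and update the `@param` lines at the definition to match. The class body starts outside this hunk.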
@ -14,6 +14,8 @@
|
|||||||
#include <thread>
|
#include <thread>
|
||||||
#include <utility>
|
#include <utility>
|
||||||
#include <vector>
|
#include <vector>
|
||||||
|
#include <iostream>
|
||||||
|
#include <iomanip>
|
||||||
|
|
||||||
using hirs::exception::HirsRuntimeException;
|
using hirs::exception::HirsRuntimeException;
|
||||||
using hirs::file_utils::fileToString;
|
using hirs::file_utils::fileToString;
|
||||||
@ -34,6 +36,7 @@ using std::cout;
|
|||||||
using std::endl;
|
using std::endl;
|
||||||
using std::string;
|
using std::string;
|
||||||
using std::stringstream;
|
using std::stringstream;
|
||||||
|
using std::ifstream;
|
||||||
using std::this_thread::sleep_for;
|
using std::this_thread::sleep_for;
|
||||||
using std::to_string;
|
using std::to_string;
|
||||||
using std::vector;
|
using std::vector;
|
||||||
@ -58,6 +61,8 @@ const char* const CommandTpm2::kTpm2ToolsActivateCredential
|
|||||||
= "tpm2_activatecredential";
|
= "tpm2_activatecredential";
|
||||||
const char* const CommandTpm2::kTpm2ToolsEvictControlCommand
|
const char* const CommandTpm2::kTpm2ToolsEvictControlCommand
|
||||||
= "tpm2_evictcontrol";
|
= "tpm2_evictcontrol";
|
||||||
|
const char* const CommandTpm2::kTpm2ToolsGetQuoteCommand = "tpm2_quote";
|
||||||
|
const char* const CommandTpm2::kTpm2ToolsPcrListCommand = "tpm2_pcrlist";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The value for the TPM_RC_RETRY was obtained from Table 16 (pgs. 37-41) of
|
* The value for the TPM_RC_RETRY was obtained from Table 16 (pgs. 37-41) of
|
||||||
@ -116,6 +121,9 @@ const char* const CommandTpm2::kDefaultIdentityClaimResponseFilename
|
|||||||
= "identityClaimResponse";
|
= "identityClaimResponse";
|
||||||
const char* const CommandTpm2::kDefaultActivatedIdentityFilename
|
const char* const CommandTpm2::kDefaultActivatedIdentityFilename
|
||||||
= "activatedIdentity.secret";
|
= "activatedIdentity.secret";
|
||||||
|
const char* const CommandTpm2::kTpm2DefaultQuoteFilename = "/tmp/quote.bin";
|
||||||
|
const char* const CommandTpm2::kTpm2DefaultSigFilename = "/tmp/sig.bin";
|
||||||
|
const char* const CommandTpm2::kTpm2DefaultSigAlgorithm = "sha256";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Constructor to create an interface to TPM 2.0 devices.
|
* Constructor to create an interface to TPM 2.0 devices.
|
||||||
@ -517,8 +525,53 @@ string CommandTpm2::createNvWriteCommandArgs(const string& nvIndex,
|
|||||||
* @param akLocation location of an activated AK pair
|
* @param akLocation location of an activated AK pair
|
||||||
* @param pcrSelection selection of pcrs to sign
|
* @param pcrSelection selection of pcrs to sign
|
||||||
*/
|
*/
|
||||||
void CommandTpm2::getQuote(const string& akLocation,
|
string CommandTpm2::getQuote(const string& pcr_selection,
|
||||||
TPML_PCR_SELECTION* pcrSelection) {
|
const string& nonce) {
|
||||||
|
string quote;
|
||||||
|
stringstream argsStream;
|
||||||
|
int result = 0;
|
||||||
|
for (size_t count = 0; count < nonce.length(); ++count) {
|
||||||
|
result *=2;
|
||||||
|
result += nonce[count] == '1'? 1 : 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
stringstream ss;
|
||||||
|
ss << std::hex << std::setw(8) << std::setfill('0') << result;
|
||||||
|
string hexNonce(ss.str());
|
||||||
|
|
||||||
|
argsStream << " -k " << kDefaultAkHandle
|
||||||
|
<< " -g " << kTpm2DefaultSigAlgorithm
|
||||||
|
<< " -l " << pcr_selection
|
||||||
|
<< " -q " << hexNonce // this needs to be a hex string
|
||||||
|
<< endl;
|
||||||
|
|
||||||
|
LOGGER.info("Running tpm2_quote with arguments: " + argsStream.str());
|
||||||
|
quote = runTpm2CommandWithRetry(kTpm2ToolsGetQuoteCommand,
|
||||||
|
argsStream.str(),
|
||||||
|
__LINE__);
|
||||||
|
LOGGER.info("TPM Quote successful");
|
||||||
|
|
||||||
|
return quote;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Method to get the full list of pcrs from the TPM.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
string CommandTpm2::getPcrsList() {
|
||||||
|
string pcrslist;
|
||||||
|
stringstream argsStream;
|
||||||
|
|
||||||
|
argsStream << " -g " << kTpm2DefaultSigAlgorithm
|
||||||
|
<< endl;
|
||||||
|
|
||||||
|
LOGGER.info("Running tpm2_pcrlist with arguments: " + argsStream.str());
|
||||||
|
pcrslist = runTpm2CommandWithRetry(kTpm2ToolsPcrListCommand,
|
||||||
|
argsStream.str(),
|
||||||
|
__LINE__);
|
||||||
|
LOGGER.info("TPM PCRS List successful");
|
||||||
|
|
||||||
|
return pcrslist;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
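Review bot: The nonce conversion at the start of the new `getQuote` does not carry the ACA's challenge into the quote: it treats `nonce` as a string of '0'/'1' characters and folds it into one `int`, so every byte other than '1' contributes zero and more than 31 characters overflows a signed integer. `provision()` passes `decryptedNonce`, which is also stored in a protobuf `bytes` field, so if that value is raw bytes the `-q` qualifying data is at most 32 bits and may be nearly constant, which weakens the replay protection the quote is supposed to provide. Hex-encode every byte of `nonce` as sketched below (checking the result against the qualifying-data length the tool accepts), and drop the trailing `<< endl` so no newline ends up in the command arguments. The `/tmp/quote.bin` and `/tmp/sig.bin` defaults added in the earlier hunk of this file are fixed names in a world-writable directory; no visible code uses them yet, but anything that later reads or writes them should use a private directory instead.

```cpp
string CommandTpm2::getQuote(const string& pcr_selection,
                             const string& nonce) {
    // Encode the whole nonce, two hex digits per byte, for tpm2_quote -q.
    stringstream hexNonce;
    hexNonce << std::hex << std::setfill('0');
    for (const unsigned char nonceByte : nonce) {
        hexNonce << std::setw(2) << static_cast<unsigned int>(nonceByte);
    }
    // … unchanged: -k / -g / -l arguments, with hexNonce.str() passed to -q …
    // … unchanged: runTpm2CommandWithRetry call, logging and return …
```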
@ -44,6 +44,14 @@ message OsInfo {
|
|||||||
required string distributionRelease = 5;
|
required string distributionRelease = 5;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
message TpmInfo {
|
||||||
|
required string tpmMake = 1;
|
||||||
|
required string tpmVersionMajor = 2;
|
||||||
|
required string tpmVersionMinor = 3;
|
||||||
|
required string tpmRevMajor = 4;
|
||||||
|
required string tpmRevMinor = 5;
|
||||||
|
}
|
||||||
|
|
||||||
message DeviceInfo {
|
message DeviceInfo {
|
||||||
required FirmwareInfo fw = 1;
|
required FirmwareInfo fw = 1;
|
||||||
required HardwareInfo hw = 2;
|
required HardwareInfo hw = 2;
|
||||||
@ -59,7 +67,10 @@ message IdentityClaim {
|
|||||||
repeated bytes platform_credential = 5;
|
repeated bytes platform_credential = 5;
|
||||||
optional string client_version = 6;
|
optional string client_version = 6;
|
||||||
optional string paccorOutput = 7;
|
optional string paccorOutput = 7;
|
||||||
|
}
|
||||||
|
|
||||||
|
message TpmQuote {
|
||||||
|
required string success = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
message IdentityClaimResponse {
|
message IdentityClaimResponse {
|
||||||
@ -68,6 +79,8 @@ message IdentityClaimResponse {
|
|||||||
|
|
||||||
message CertificateRequest {
|
message CertificateRequest {
|
||||||
required bytes nonce = 1;
|
required bytes nonce = 1;
|
||||||
|
optional bytes quote = 2;
|
||||||
|
optional bytes pcrslist = 3;
|
||||||
}
|
}
|
||||||
|
|
||||||
message CertificateResponse {
|
message CertificateResponse {
|
||||||
|
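Review bot: `quote` and `pcrslist` are added to `CertificateRequest` as `optional`, so a request that omits both still parses, and nothing in this file says that the attestation evidence is mandatory. If the ACA (not shown on this page) issues the certificate without checking that the quote is present and verifying its signature and nonce, leaving the fields out would bypass the attestation step entirely. Add a comment on the fields, for example `// TPM quote over the selected PCRs; the ACA must reject a request where this is absent or fails verification`, and treat `pcrslist` as unauthenticated until it has been compared with the digest inside the quote. The new `TpmQuote` message still declares `required string success = 1;`, which does not match the commit description's move from required to optional.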
@ -101,6 +101,11 @@ int provision() {
|
|||||||
<< "certificate request" << endl;
|
<< "certificate request" << endl;
|
||||||
hirs::pb::CertificateRequest certificateRequest;
|
hirs::pb::CertificateRequest certificateRequest;
|
||||||
certificateRequest.set_nonce(decryptedNonce);
|
certificateRequest.set_nonce(decryptedNonce);
|
||||||
|
certificateRequest.set_quote(tpm2.getQuote(
|
||||||
|
"0,1,2,3,4,5,6,7,8,9,10,11,12,13,"
|
||||||
|
"14,15,16,17,18,19,20,21,22,23",
|
||||||
|
decryptedNonce));
|
||||||
|
certificateRequest.set_pcrslist(tpm2.getPcrsList());
|
||||||
const string& akCertificateByteString
|
const string& akCertificateByteString
|
||||||
= provisioner.sendAttestationCertificateRequest(certificateRequest);
|
= provisioner.sendAttestationCertificateRequest(certificateRequest);
|
||||||
|
|
||||||
|
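Review bot: The PCR selection passed to `getQuote` is an inline string literal split across two lines, and the list sent through `set_pcrslist` comes from a second TPM command that runs after the quote has been taken. PCR values can change between the two commands, so the list is not guaranteed to be what the quote signed; the receiving side should recompute the digest from the list and compare it with the quote before relying on the values. Move the selection into a named constant and call `tpm2.getQuote(kQuotePcrSelection, decryptedNonce)` (the constant name is a suggestion), and add a comment at the two calls such as `// pcrslist is only trusted once it matches the digest in the quote`. `provision()` starts and ends outside this hunk.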