[#190] Provision update for quote and pcrs (#196)

* This commit includes functioning TPM quote code that is sent to the ACA.  In addition it has code to also sent the pcrs list results.

Additional changes to correct code for sending the pcr list over to the ACA.Additional changes to correct code for sending the pcr list over to the ACA.Additional changes to correct code for sending the pcr list over to the ACA.Additional changes to correct code for sending the pcr list over to the ACA.Additional changes to correct code for sending the pcr list over to the ACA.Additional changes to correct code for sending the pcr list over to the ACA.Additional changes to correct code for sending the pcr list over to the ACA.Additional changes to correct code for sending the pcr list over to the ACA.Additional changes to correct code for sending the pcr list over to the ACA.

* Changed the requirement for the field into protobuf to optional from required.
This commit is contained in:
Cyrus 2019-10-29 09:33:35 -04:00 committed by GitHub
parent 75b9c2ddf7
commit c7454c945e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 82 additions and 4 deletions

View File

@ -58,6 +58,11 @@ class CommandTpm2 {
static const char* const kDefaultAkNameFilename; static const char* const kDefaultAkNameFilename;
static const char* const kDefaultAkPubFilename; static const char* const kDefaultAkPubFilename;
static const char* const kDefaultEkPubFilename; static const char* const kDefaultEkPubFilename;
static const char* const kTpm2ToolsGetQuoteCommand;
static const char* const kTpm2DefaultQuoteFilename;
static const char* const kTpm2DefaultSigFilename;
static const char* const kTpm2DefaultSigAlgorithm;
static const char* const kTpm2ToolsPcrListCommand;
const hirs::tpm2_tools_utils::Tpm2ToolsVersion version; const hirs::tpm2_tools_utils::Tpm2ToolsVersion version;
@ -129,8 +134,10 @@ class CommandTpm2 {
void storeAKCertificate(const std::string& akCertificateByteString); void storeAKCertificate(const std::string& akCertificateByteString);
void getQuote(const std::string& akLocation, std::string getQuote(const std::string& pcr_selection,
TPML_PCR_SELECTION* pcrSelection); const std::string& nonce);
std::string getPcrsList();
}; };
} // namespace tpm2 } // namespace tpm2

View File

@ -14,6 +14,8 @@
#include <thread> #include <thread>
#include <utility> #include <utility>
#include <vector> #include <vector>
#include <iostream>
#include <iomanip>
using hirs::exception::HirsRuntimeException; using hirs::exception::HirsRuntimeException;
using hirs::file_utils::fileToString; using hirs::file_utils::fileToString;
@ -34,6 +36,7 @@ using std::cout;
using std::endl; using std::endl;
using std::string; using std::string;
using std::stringstream; using std::stringstream;
using std::ifstream;
using std::this_thread::sleep_for; using std::this_thread::sleep_for;
using std::to_string; using std::to_string;
using std::vector; using std::vector;
@ -58,6 +61,8 @@ const char* const CommandTpm2::kTpm2ToolsActivateCredential
= "tpm2_activatecredential"; = "tpm2_activatecredential";
const char* const CommandTpm2::kTpm2ToolsEvictControlCommand const char* const CommandTpm2::kTpm2ToolsEvictControlCommand
= "tpm2_evictcontrol"; = "tpm2_evictcontrol";
const char* const CommandTpm2::kTpm2ToolsGetQuoteCommand = "tpm2_quote";
const char* const CommandTpm2::kTpm2ToolsPcrListCommand = "tpm2_pcrlist";
/** /**
* The value for the TPM_RC_RETRY was obtained from Table 16 (pgs. 37-41) of * The value for the TPM_RC_RETRY was obtained from Table 16 (pgs. 37-41) of
@ -116,6 +121,9 @@ const char* const CommandTpm2::kDefaultIdentityClaimResponseFilename
= "identityClaimResponse"; = "identityClaimResponse";
const char* const CommandTpm2::kDefaultActivatedIdentityFilename const char* const CommandTpm2::kDefaultActivatedIdentityFilename
= "activatedIdentity.secret"; = "activatedIdentity.secret";
const char* const CommandTpm2::kTpm2DefaultQuoteFilename = "/tmp/quote.bin";
const char* const CommandTpm2::kTpm2DefaultSigFilename = "/tmp/sig.bin";
const char* const CommandTpm2::kTpm2DefaultSigAlgorithm = "sha256";
/** /**
* Constructor to create an interface to TPM 2.0 devices. * Constructor to create an interface to TPM 2.0 devices.
@ -517,8 +525,53 @@ string CommandTpm2::createNvWriteCommandArgs(const string& nvIndex,
* @param akLocation location of an activated AK pair * @param akLocation location of an activated AK pair
* @param pcrSelection selection of pcrs to sign * @param pcrSelection selection of pcrs to sign
*/ */
void CommandTpm2::getQuote(const string& akLocation, string CommandTpm2::getQuote(const string& pcr_selection,
TPML_PCR_SELECTION* pcrSelection) { const string& nonce) {
string quote;
stringstream argsStream;
int result = 0;
for (size_t count = 0; count < nonce.length(); ++count) {
result *=2;
result += nonce[count] == '1'? 1 : 0;
}
stringstream ss;
ss << std::hex << std::setw(8) << std::setfill('0') << result;
string hexNonce(ss.str());
argsStream << " -k " << kDefaultAkHandle
<< " -g " << kTpm2DefaultSigAlgorithm
<< " -l " << pcr_selection
<< " -q " << hexNonce // this needs to be a hex string
<< endl;
LOGGER.info("Running tpm2_quote with arguments: " + argsStream.str());
quote = runTpm2CommandWithRetry(kTpm2ToolsGetQuoteCommand,
argsStream.str(),
__LINE__);
LOGGER.info("TPM Quote successful");
return quote;
}
/**
* Method to get the full list of pcrs from the TPM.
*
*/
string CommandTpm2::getPcrsList() {
string pcrslist;
stringstream argsStream;
argsStream << " -g " << kTpm2DefaultSigAlgorithm
<< endl;
LOGGER.info("Running tpm2_pcrlist with arguments: " + argsStream.str());
pcrslist = runTpm2CommandWithRetry(kTpm2ToolsPcrListCommand,
argsStream.str(),
__LINE__);
LOGGER.info("TPM PCRS List successful");
return pcrslist;
} }
/** /**

View File

@ -44,6 +44,14 @@ message OsInfo {
required string distributionRelease = 5; required string distributionRelease = 5;
} }
message TpmInfo {
required string tpmMake = 1;
required string tpmVersionMajor = 2;
required string tpmVersionMinor = 3;
required string tpmRevMajor = 4;
required string tpmRevMinor = 5;
}
message DeviceInfo { message DeviceInfo {
required FirmwareInfo fw = 1; required FirmwareInfo fw = 1;
required HardwareInfo hw = 2; required HardwareInfo hw = 2;
@ -59,7 +67,10 @@ message IdentityClaim {
repeated bytes platform_credential = 5; repeated bytes platform_credential = 5;
optional string client_version = 6; optional string client_version = 6;
optional string paccorOutput = 7; optional string paccorOutput = 7;
}
message TpmQuote {
required string success = 1;
} }
message IdentityClaimResponse { message IdentityClaimResponse {
@ -68,6 +79,8 @@ message IdentityClaimResponse {
message CertificateRequest { message CertificateRequest {
required bytes nonce = 1; required bytes nonce = 1;
optional bytes quote = 2;
optional bytes pcrslist = 3;
} }
message CertificateResponse { message CertificateResponse {

View File

@ -101,6 +101,11 @@ int provision() {
<< "certificate request" << endl; << "certificate request" << endl;
hirs::pb::CertificateRequest certificateRequest; hirs::pb::CertificateRequest certificateRequest;
certificateRequest.set_nonce(decryptedNonce); certificateRequest.set_nonce(decryptedNonce);
certificateRequest.set_quote(tpm2.getQuote(
"0,1,2,3,4,5,6,7,8,9,10,11,12,13,"
"14,15,16,17,18,19,20,21,22,23",
decryptedNonce));
certificateRequest.set_pcrslist(tpm2.getPcrsList());
const string& akCertificateByteString const string& akCertificateByteString
= provisioner.sendAttestationCertificateRequest(certificateRequest); = provisioner.sendAttestationCertificateRequest(certificateRequest);