* This commit includes functioning TPM quote code that is sent to the ACA. In addition, it has code to also send the PCRs list results. Additional changes to correct code for sending the PCR list over to the ACA. * Changed the requirement for the field in protobuf from required to optional.
This commit is contained in:
parent
75b9c2ddf7
commit
c7454c945e
@ -58,6 +58,11 @@ class CommandTpm2 {
|
||||
static const char* const kDefaultAkNameFilename;
|
||||
static const char* const kDefaultAkPubFilename;
|
||||
static const char* const kDefaultEkPubFilename;
|
||||
static const char* const kTpm2ToolsGetQuoteCommand;
|
||||
static const char* const kTpm2DefaultQuoteFilename;
|
||||
static const char* const kTpm2DefaultSigFilename;
|
||||
static const char* const kTpm2DefaultSigAlgorithm;
|
||||
static const char* const kTpm2ToolsPcrListCommand;
|
||||
|
||||
const hirs::tpm2_tools_utils::Tpm2ToolsVersion version;
|
||||
|
||||
@ -129,8 +134,10 @@ class CommandTpm2 {
|
||||
|
||||
void storeAKCertificate(const std::string& akCertificateByteString);
|
||||
|
||||
void getQuote(const std::string& akLocation,
|
||||
TPML_PCR_SELECTION* pcrSelection);
|
||||
std::string getQuote(const std::string& pcr_selection,
|
||||
const std::string& nonce);
|
||||
|
||||
std::string getPcrsList();
|
||||
};
|
||||
|
||||
} // namespace tpm2
|
||||
|
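Review bot: The new declarations `std::string getQuote(const std::string& pcr_selection, const std::string& nonce);` and `std::string getPcrsList();` carry no documentation, unlike the rest of this header, so a caller cannot tell what encoding `nonce` is expected in or what the returned string contains. Suggest a Doxygen block above `getQuote` such as `/** Requests a TPM quote over the given PCRs. @param pcr_selection comma-separated PCR indices handed to tpm2_quote -l. @param nonce qualifying data supplied by the ACA; it is hex-encoded before reaching tpm2_quote. @return output of tpm2_quote as returned by runTpm2CommandWithRetry */`, and a one-liner `/** Returns the output of tpm2_pcrlist for the default bank. */` above `getPcrsList`. The parameter name `pcr_selection` also breaks the camelCase convention every other parameter in this class follows (`akLocation`, `akCertificateByteString`); `pcrSelection` would match. The enclosing class `CommandTpm2` begins before this hunk.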
@ -14,6 +14,8 @@
|
||||
#include <thread>
|
||||
#include <utility>
|
||||
#include <vector>
|
||||
#include <iostream>
|
||||
#include <iomanip>
|
||||
|
||||
using hirs::exception::HirsRuntimeException;
|
||||
using hirs::file_utils::fileToString;
|
||||
@ -34,6 +36,7 @@ using std::cout;
|
||||
using std::endl;
|
||||
using std::string;
|
||||
using std::stringstream;
|
||||
using std::ifstream;
|
||||
using std::this_thread::sleep_for;
|
||||
using std::to_string;
|
||||
using std::vector;
|
||||
@ -58,6 +61,8 @@ const char* const CommandTpm2::kTpm2ToolsActivateCredential
|
||||
= "tpm2_activatecredential";
|
||||
const char* const CommandTpm2::kTpm2ToolsEvictControlCommand
|
||||
= "tpm2_evictcontrol";
|
||||
const char* const CommandTpm2::kTpm2ToolsGetQuoteCommand = "tpm2_quote";
|
||||
const char* const CommandTpm2::kTpm2ToolsPcrListCommand = "tpm2_pcrlist";
|
||||
|
||||
/**
|
||||
* The value for the TPM_RC_RETRY was obtained from Table 16 (pgs. 37-41) of
|
||||
@ -116,6 +121,9 @@ const char* const CommandTpm2::kDefaultIdentityClaimResponseFilename
|
||||
= "identityClaimResponse";
|
||||
const char* const CommandTpm2::kDefaultActivatedIdentityFilename
|
||||
= "activatedIdentity.secret";
|
||||
const char* const CommandTpm2::kTpm2DefaultQuoteFilename = "/tmp/quote.bin";
|
||||
const char* const CommandTpm2::kTpm2DefaultSigFilename = "/tmp/sig.bin";
|
||||
const char* const CommandTpm2::kTpm2DefaultSigAlgorithm = "sha256";
|
||||
|
||||
/**
|
||||
* Constructor to create an interface to TPM 2.0 devices.
|
||||
@ -517,8 +525,53 @@ string CommandTpm2::createNvWriteCommandArgs(const string& nvIndex,
|
||||
* @param akLocation location of an activated AK pair
|
||||
* @param pcrSelection selection of pcrs to sign
|
||||
*/
|
||||
void CommandTpm2::getQuote(const string& akLocation,
|
||||
TPML_PCR_SELECTION* pcrSelection) {
|
||||
string CommandTpm2::getQuote(const string& pcr_selection,
|
||||
const string& nonce) {
|
||||
string quote;
|
||||
stringstream argsStream;
|
||||
int result = 0;
|
||||
for (size_t count = 0; count < nonce.length(); ++count) {
|
||||
result *=2;
|
||||
result += nonce[count] == '1'? 1 : 0;
|
||||
}
|
||||
|
||||
stringstream ss;
|
||||
ss << std::hex << std::setw(8) << std::setfill('0') << result;
|
||||
string hexNonce(ss.str());
|
||||
|
||||
argsStream << " -k " << kDefaultAkHandle
|
||||
<< " -g " << kTpm2DefaultSigAlgorithm
|
||||
<< " -l " << pcr_selection
|
||||
<< " -q " << hexNonce // this needs to be a hex string
|
||||
<< endl;
|
||||
|
||||
LOGGER.info("Running tpm2_quote with arguments: " + argsStream.str());
|
||||
quote = runTpm2CommandWithRetry(kTpm2ToolsGetQuoteCommand,
|
||||
argsStream.str(),
|
||||
__LINE__);
|
||||
LOGGER.info("TPM Quote successful");
|
||||
|
||||
return quote;
|
||||
}
|
||||
|
||||
/**
|
||||
* Method to get the full list of pcrs from the TPM.
|
||||
*
|
||||
*/
|
||||
string CommandTpm2::getPcrsList() {
|
||||
string pcrslist;
|
||||
stringstream argsStream;
|
||||
|
||||
argsStream << " -g " << kTpm2DefaultSigAlgorithm
|
||||
<< endl;
|
||||
|
||||
LOGGER.info("Running tpm2_pcrlist with arguments: " + argsStream.str());
|
||||
pcrslist = runTpm2CommandWithRetry(kTpm2ToolsPcrListCommand,
|
||||
argsStream.str(),
|
||||
__LINE__);
|
||||
LOGGER.info("TPM PCRS List successful");
|
||||
|
||||
return pcrslist;
|
||||
}
|
||||
|
||||
/**
|
||||
|
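Review bot: The nonce conversion in the new `getQuote` does not carry the ACA's nonce into the quote: the loop doubles an `int` and adds 1 only where `nonce[count] == '1'`, so any byte other than 0x31 counts as zero, the result is truncated to 32 bits, and for a nonce longer than 31 characters `result *= 2` is signed overflow (undefined behavior); the call site in the provisioner hunk of this commit passes the same `decryptedNonce` that is stored via `set_nonce`, so the qualifying data in the quote and the nonce the ACA will check presumably differ. Since the existing comment on the `-q` line already says the value "needs to be a hex string", hex-encoding every byte of `nonce` (below) keeps the full nonce and removes the overflow. The doc comment that remains above the new definition (`@param akLocation`, `@param pcrSelection`) describes the removed signature and should be replaced with `@param pcr_selection` / `@param nonce` / `@return`. `pcr_selection` is spliced into the command line unvalidated; today the only caller passes a literal, but a check that it contains only digits and commas would keep it that way. `getPcrsList` reuses `kTpm2DefaultSigAlgorithm` for `-g`, where the value selects the PCR bank hash rather than a signature algorithm, so a constant named for the bank (e.g. `kTpm2DefaultPcrBankAlgorithm`) would read more honestly.
```cpp
string CommandTpm2::getQuote(const string& pcr_selection,
                             const string& nonce) {
    string quote;
    stringstream argsStream;

    // tpm2_quote -q takes the qualifying data as a hex string; encode every
    // byte of the ACA-supplied nonce so the quote is bound to the whole nonce
    // (no reduction to '1'/'0' digits, no 32-bit truncation, no overflow).
    stringstream ss;
    ss << std::hex << std::setfill('0');
    for (unsigned char byte : nonce) {
        ss << std::setw(2) << static_cast<int>(byte);
    }
    string hexNonce(ss.str());

    // … unchanged: argument assembly, tpm2_quote invocation, return quote …
```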
@ -44,6 +44,14 @@ message OsInfo {
|
||||
required string distributionRelease = 5;
|
||||
}
|
||||
|
||||
message TpmInfo {
|
||||
required string tpmMake = 1;
|
||||
required string tpmVersionMajor = 2;
|
||||
required string tpmVersionMinor = 3;
|
||||
required string tpmRevMajor = 4;
|
||||
required string tpmRevMinor = 5;
|
||||
}
|
||||
|
||||
message DeviceInfo {
|
||||
required FirmwareInfo fw = 1;
|
||||
required HardwareInfo hw = 2;
|
||||
@ -59,7 +67,10 @@ message IdentityClaim {
|
||||
repeated bytes platform_credential = 5;
|
||||
optional string client_version = 6;
|
||||
optional string paccorOutput = 7;
|
||||
}
|
||||
|
||||
message TpmQuote {
|
||||
required string success = 1;
|
||||
}
|
||||
|
||||
message IdentityClaimResponse {
|
||||
@ -68,6 +79,8 @@ message IdentityClaimResponse {
|
||||
|
||||
message CertificateRequest {
|
||||
required bytes nonce = 1;
|
||||
optional bytes quote = 2;
|
||||
optional bytes pcrslist = 3;
|
||||
}
|
||||
|
||||
message CertificateResponse {
|
||||
|
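Review bot: `TpmQuote.success` is declared `required string` although the name reads as a flag, and no hunk in this commit references `TpmQuote`, so neither its purpose nor its allowed values can be determined from the change. If it is a boolean outcome, `bool success = 1;` (kept `optional`, given the commit's stated move away from `required`) would say so; otherwise a comment naming the expected values is needed. `CertificateRequest.quote` and `CertificateRequest.pcrslist` are `bytes` but are filled with the strings returned by `runTpm2CommandWithRetry`; a comment such as `// output of tpm2_quote as produced by CommandTpm2::getQuote` on each field would pin the encoding the ACA parses. Making `quote` optional moves the presence check to the ACA; presumably the server rejects a certificate request without a quote when one is required, which is worth confirming.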
@ -101,6 +101,11 @@ int provision() {
|
||||
<< "certificate request" << endl;
|
||||
hirs::pb::CertificateRequest certificateRequest;
|
||||
certificateRequest.set_nonce(decryptedNonce);
|
||||
certificateRequest.set_quote(tpm2.getQuote(
|
||||
"0,1,2,3,4,5,6,7,8,9,10,11,12,13,"
|
||||
"14,15,16,17,18,19,20,21,22,23",
|
||||
decryptedNonce));
|
||||
certificateRequest.set_pcrslist(tpm2.getPcrsList());
|
||||
const string& akCertificateByteString
|
||||
= provisioner.sendAttestationCertificateRequest(certificateRequest);
|
||||
|
||||
|
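Review bot: The PCR selection `"0,1,2,3,4,5,6,7,8,9,10,11,12,13," "14,15,16,17,18,19,20,21,22,23"` is an inline literal split across two string pieces at the call site, which hides the decision of which PCRs are quoted; a named constant beside `kTpm2DefaultSigAlgorithm` in `CommandTpm2`, e.g. `static const char* const kTpm2DefaultPcrSelection;` with the same value, would make it discoverable and reusable. The results of `tpm2.getQuote(...)` and `tpm2.getPcrsList()` are stored with `set_quote`/`set_pcrslist` without any check, so if `runTpm2CommandWithRetry` reports failure by returning an empty string rather than throwing, an empty quote would be sent to the ACA; an `if (quote.empty())` guard before `set_quote` would make that visible. The enclosing `provision()` begins before this hunk.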