From aae68457300e92d8c6b72bb84c7ccea9f852d1e3 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 29 Oct 2021 14:55:23 -0400 Subject: [PATCH 1/6] Initial Commit. This adds the visual object to the policy page. --- .../portal/model/PolicyPageModel.java | 39 +++++++++++++ .../controllers/PolicyPageController.java | 57 ++++++++++++++++++- .../src/main/webapp/WEB-INF/jsp/policy.jsp | 14 ++++- .../java/hirs/data/persist/PCRPolicy.java | 18 ++++++ .../hirs/data/persist/SupplyChainPolicy.java | 17 ++++++ 5 files changed, 142 insertions(+), 3 deletions(-) diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java index 310872ba..78b529ec 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java @@ -20,6 +20,7 @@ public class PolicyPageModel { private boolean enableIgnoreIma; private boolean enableIgnoreTboot; private boolean enableIgnoreGpt; + private boolean enableIgnoreOsEvt; // Variables to get policy settings from page private String pcValidate; @@ -36,6 +37,7 @@ public class PolicyPageModel { private String ignoreIma; private String ignoretBoot; private String ignoreGpt; + private String ignoreOsEvt; private String expirationValue; private String devIdExpirationValue; private String thresholdValue; @@ -60,6 +62,7 @@ public class PolicyPageModel { this.enableIgnoreIma = policy.isIgnoreImaEnabled(); this.enableIgnoreTboot = policy.isIgnoreTbootEnabled(); this.enableIgnoreGpt = policy.isIgnoreGptEnabled(); + this.enableIgnoreOsEvt = policy.isIgnoreOsEvtEnabled(); this.expirationValue = policy.getValidityDays(); this.thresholdValue = policy.getReissueThreshold(); this.devIdExpirationValue = policy.getDevIdValidityDays(); 
@@ -160,6 +163,14 @@ public class PolicyPageModel { return enableIgnoreGpt; } + /** + * Gets the Enable Ignore Os Events state. + * @return the validation state. + */ + public boolean getEnableIgnoreOsEvt() { + return enableIgnoreOsEvt; + } + /** * Gets the EC Validation value. * @@ -268,6 +279,15 @@ public class PolicyPageModel { return ignoreGpt; } + /** + * Gets the Ignore Os Evt validation value. + * + * @return the model string representation of this field (checked or unchecked) + */ + public String getIgnoreOsEvt() { + return ignoreOsEvt; + } + /** * Sets the EC Validation state. * @@ -359,6 +379,15 @@ public class PolicyPageModel { this.enableIgnoreGpt = enableIgnoreGpt; } + /** + * Sets the Enable Ignore Os Events state. + * + * @param enableIgnoreOsEvt true if performing validation, false otherwise + */ + public void setEnableIgnoreOsEvt(final boolean enableIgnoreOsEvt) { + this.enableIgnoreOsEvt = enableIgnoreOsEvt; + } + /** * Sets the Platform Certificate Validation state. * @@ -497,6 +526,15 @@ public class PolicyPageModel { this.ignoreGpt = ignoreGpt; } + /** + * Sets the Ignore Os Events state. + * + * @param ignoreOsEvt "checked" if enabling validation, false otherwise + */ + public void setIgnoreOsEvt(final String ignoreOsEvt) { + this.ignoreOsEvt = ignoreOsEvt; + } + /** * Getter for the expiration value. * @return the value @@ -577,6 +615,7 @@ public class PolicyPageModel { + ", enableIgnoreIma=" + enableIgnoreIma + ", enableIgnoreTboot=" + enableIgnoreTboot + ", enableIgnoreGpt=" + enableIgnoreGpt + + ", enableIgnoreOsEvt=" + enableIgnoreOsEvt + ", expirationValue=" + expirationValue + ", thresholdValue=" + thresholdValue + ", devIdExpirationValue=" + devIdExpirationValue diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java index 7e55be67..9cd5d7ca 100644 
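Review bot: The Javadoc on the new setIgnoreOsEvt reads `@param ignoreOsEvt "checked" if enabling validation, false otherwise`, but the parameter is a String bound from a checkbox, not a boolean, and the value means "ignore OS events", not "enable validation"; write `@param ignoreOsEvt "checked" when the Ignore OS Events box is ticked, any other value means unchecked`. The getter getEnableIgnoreOsEvt has the same inversion with `@return the validation state` — the flag reports whether OS events are skipped during firmware validation. The wording is copied from the existing GPT members, so correcting only these two leaves the neighbours inconsistent; a follow-up fixing all four would be cleaner.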
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java @@ -90,7 +90,6 @@ public class PolicyPageController extends PageController { ModelAndView mav = getBaseModelAndView(); SupplyChainPolicy policy = getDefaultPolicy(); - PolicyPageModel pageModel = new PolicyPageModel(policy); mav.addObject(INITIAL_DATA, pageModel); @@ -662,6 +661,7 @@ public class PolicyPageController extends PageController { policy.setFirmwareValidationEnabled(false); policy.getPcrPolicy().setEnableIgnoreIma(false); policy.getPcrPolicy().setEnableIgnoretBoot(false); + policy.setIgnoreOsEvtEnabled(false); successMessage = "Firmware validation disabled"; } @@ -805,7 +805,7 @@ public class PolicyPageController extends PageController { //If Ignore TBoot is enabled without firmware, disallow change if (ignoreGptOptionEnabled && !policy.isFirmwareValidationEnabled()) { handleUserError(model, messages, - "Ignore TBoot can not be " + "Ignore GPT Events can not be " + "enabled without Firmware Validation policy enabled."); return redirectToSelf(new NoPageParams(), model, attr); } 
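Review bot: The firmware-disable path in the @@ -662 hunk now clears the IMA, TBoot and OS-event ignore flags but still leaves `enableIgnoreGpt` set, even though the @@ -805 hunk in the same file treats Ignore GPT as an option that cannot be enabled without Firmware Validation. Add `policy.getPcrPolicy().setEnableIgnoreGpt(false);` beside the new `policy.setIgnoreOsEvtEnabled(false);` so the stored policy cannot keep a firmware sub-option switched on after firmware validation is turned off. The new line also uses the SupplyChainPolicy wrapper while the adjacent lines call `getPcrPolicy()` setters directly; pick one form. The enclosing handler starts and ends outside the hunk.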
@@ -830,6 +830,59 @@ public class PolicyPageController extends PageController { return redirectToSelf(new NoPageParams(), model, attr); } + /** + * Updates the ignore Os Events policy setting and + * redirects back to the original page. + * + * @param ppModel The data posted by the form mapped into an object. + * @param attr RedirectAttributes used to forward data back to the original + * page. + * @return View containing the url and parameters + * @throws URISyntaxException if malformed URI + */ + @RequestMapping(value = "update-os-evt-ignore", method = RequestMethod.POST) + public RedirectView updateIgnoreOsEvents( + @ModelAttribute final PolicyPageModel ppModel, + final RedirectAttributes attr) + throws URISyntaxException { + // set the data received to be populated back into the form + Map model = new HashMap<>(); + PageMessages messages = new PageMessages(); + String successMessage; + boolean ignoreOsEvtOptionEnabled = ppModel.getIgnoreOsEvt() + .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE); + + try { + SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model); + + //If Ignore TBoot is enabled without firmware, disallow change + if (ignoreOsEvtOptionEnabled && !policy.isFirmwareValidationEnabled()) { + handleUserError(model, messages, + "Ignore Os Events can not be " + + "enabled without Firmware Validation policy enabled."); + return redirectToSelf(new NoPageParams(), model, attr); + } + + // set the policy option and create success message + if (ignoreOsEvtOptionEnabled) { + policy.getPcrPolicy().setEnableIgnoreOsEvt(true); + successMessage = "Ignore GPT enabled"; + } else { + policy.getPcrPolicy().setEnableIgnoreOsEvt(false); + successMessage = "Ignore GPT disabled"; + } + + savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy); + } catch (PolicyManagerException e) { + handlePolicyManagerUpdateError(model, messages, e, + "Error changing ACA Os Events ignore policy", + "Error updating policy. 
\n" + e.getMessage()); + } + + // return the redirect + return redirectToSelf(new NoPageParams(), model, attr); + } + private void handlePolicyManagerUpdateError(final Map model, final PageMessages messages, final PolicyManagerException e, diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp index da03cdab..81d5f384 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp +++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp @@ -107,7 +107,19 @@
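Review bot: `ppModel.getIgnoreOsEvt().equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE)` in updateIgnoreOsEvents dereferences the bound form field before the try block, so a POST that omits `ignoreOsEvt` (an unchecked checkbox is normally not submitted, and a hand-crafted request need not include it) throws a NullPointerException instead of reaching the error handling. Flip the comparison to `ENABLED_CHECKED_PARAMETER_VALUE.equalsIgnoreCase(ppModel.getIgnoreOsEvt())` so a missing value is treated as unchecked. The inline comment `//If Ignore TBoot is enabled without firmware, disallow change` was copied from the TBoot handler and should name OS Events.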
- + +
+ + + + +
  • Ignore OS Events: ${initialData.enableIgnoreOsEvt ? 'Enabled' : 'Disabled'} + +
    + +
    +
    +
  • diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java index 0af19c27..28392843 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java @@ -40,6 +40,8 @@ public final class PCRPolicy extends Policy { private boolean linuxOs = false; @Column(nullable = false) private boolean enableIgnoreGpt = true; + @Column(nullable = false) + private boolean enableIgnoreOsEvt = false; private String[] baselinePcrs; @@ -211,6 +213,22 @@ public final class PCRPolicy extends Policy { this.enableIgnoreGpt = enableIgnoreGpt; } + /** + * Getter for the Os Events ignore flag. + * @return true if Os Events is to be ignored. + */ + public boolean isEnableIgnoreOsEvt() { + return enableIgnoreOsEvt; + } + + /** + * Setter for the Os Evt ignore flag. + * @param enableIgnoreOsEvt true if Os Evt is to be ignored. + */ + public void setEnableIgnoreOsEvt(final boolean enableIgnoreOsEvt) { + this.enableIgnoreOsEvt = enableIgnoreOsEvt; + } + /** * Getter for a flag to indicate the type of OS. * @return true if the system is linux. diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java index a8b78bc2..4ba35856 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java @@ -226,6 +226,15 @@ public class SupplyChainPolicy extends Policy { return this.pcrPolicy.isEnableIgnoreGpt(); } + /** + * Returns whether or not to validate the ignore Os Events on the device. + * + * @return whether or not to validate the ignore Os Events + */ + public boolean isIgnoreOsEvtEnabled() { + return this.pcrPolicy.isEnableIgnoreOsEvt(); + } + /** * Sets whether or not validate the ignore GPT on the device. * @param enableIgnoreGpt whether or not to validate the ignore GPT 
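Review bot: The new `@Column(nullable = false) private boolean enableIgnoreOsEvt = false;` on PCRPolicy adds a NOT NULL column to an already-persisted entity, and the patch carries no schema migration or column default for rows that already exist. Unless the deployment relies on automatic schema updates (not visible here), existing PCRPolicy rows will either violate the constraint or fail to load; add a migration that creates the column with `DEFAULT false`, or document the schema-update setting that handles it. A one-line Javadoc on the field noting that the portal only allows it to be enabled while firmware validation is on would also help, since the entity itself does not enforce that coupling.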
@@ -234,6 +243,14 @@ public class SupplyChainPolicy extends Policy { this.pcrPolicy.setEnableIgnoreGpt(enableIgnoreGpt); } + /** + * Sets whether or not validate the ignore Os Events on the device. + * @param enableIgnoreOsEvt whether or not to validate the ignore Os Events + */ + public void setIgnoreOsEvtEnabled(final boolean enableIgnoreOsEvt) { + this.pcrPolicy.setEnableIgnoreOsEvt(enableIgnoreOsEvt); + } + /** * Returns whether or not to allow expired credentials and certificates to be considered * valid if their supply chain is otherwise verified. From fe617ea948ca8a24cbc683028727fd13da80c09f Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 29 Oct 2021 20:24:46 -0400 Subject: [PATCH 2/6] Updated the policy code to ignore based on the TPM Log Event. Added in the code for OS Events. --- .../SupplyChainValidationServiceImpl.java | 19 +++--- .../java/hirs/data/persist/PCRPolicy.java | 64 +++++++++++++++++-- 2 files changed, 69 insertions(+), 14 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 88900294..41e2db7e 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
@@ -543,11 +543,13 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe eventValueMap.put(rdv.getDigestValue(), rdv); } - for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) { - if (!eventValueMap.containsKey(tpe.getEventDigestStr())) { - tpmPcrEvents.add(tpe); - } - } +// for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) { +// if (!eventValueMap.containsKey(tpe.getEventDigestStr())) { +// tpmPcrEvents.add(tpe); +// } +// } + tpmPcrEvents.addAll(pcrPolicy.validateTpmEvents( + tcgMeasurementLog, eventValueMap)); } } catch (CertificateException cEx) { LOGGER.error(cEx); @@ -579,14 +581,15 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe fwStatus = new AppraisalStatus(FAIL, "The RIM baseline could not be found."); } } + + EventLogMeasurements eventLog = (EventLogMeasurements) measurement; + eventLog.setOverallValidationResult(fwStatus.getAppStatus()); + this.referenceManifestManager.update(eventLog); } else { fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: " + "%s for %s can not be found", failedString, manufacturer)); } - EventLogMeasurements eventLog = (EventLogMeasurements) measurement; - eventLog.setOverallValidationResult(fwStatus.getAppStatus()); - this.referenceManifestManager.update(eventLog); return buildValidationRecord(SupplyChainValidation.ValidationType.FIRMWARE, fwStatus.getAppStatus(), fwStatus.getMessage(), validationObject, level); } diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java index 28392843..1dfdc3a4 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java 
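Review bot: Moving `eventLog.setOverallValidationResult(...)` and the `referenceManifestManager.update(eventLog)` call inside the branch in the @@ -579 hunk means the `Firmware Validation failed: ... can not be found` path no longer writes any result to the stored EventLogMeasurements. If that record was previously marked PASS it will keep showing PASS while this validation returns FAIL; if leaving it untouched is deliberate, say so with a comment such as `// no RIM for this manufacturer: leave the stored event log result untouched`, otherwise move the update back below the if/else. The cast `(EventLogMeasurements) measurement` is unchecked on both sides and the guard that establishes the type is outside the hunk, so I cannot confirm it is safe.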
@@ -3,6 +3,8 @@ package hirs.data.persist; import hirs.data.persist.tpm.PcrComposite; import hirs.data.persist.tpm.PcrInfoShort; import hirs.data.persist.tpm.PcrSelection; +import hirs.tpm.eventlog.TCGEventLog; +import hirs.tpm.eventlog.TpmPcrEvent; import org.apache.commons.codec.DecoderException; import org.apache.commons.codec.binary.Hex; import org.apache.logging.log4j.Logger; @@ -12,6 +14,9 @@ import javax.persistence.Entity; import java.nio.charset.StandardCharsets; import java.security.NoSuchAlgorithmException; import java.util.Arrays; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; import static org.apache.logging.log4j.LogManager.getLogger; @@ -24,14 +29,22 @@ public final class PCRPolicy extends Policy { private static final Logger LOGGER = getLogger(PCRPolicy.class); private static final int NUM_TO_SKIP = 1; + // PCR 5-16 + private static final int PXE_PCR_START = 5; + private static final int PXE_PCR_END = 16; // PCR 10 private static final int IMA_PCR = 10; // PCR 17-19 - private static final int TBOOT_PCR = 17; - private static final int NUM_OF_TBOOT_PCR = 3; + private static final int TBOOT_PCR_START = 17; + private static final int TBOOT_PCR_END = 19; // PCR 5 private static final int GPT_PCR = 5; + // Event Log Event Types + private static final String EVT_EFI_BOOT = "EV_EFI_BOOT_SERVICES_APPLICATION"; + private static final String EVT_EFI_VAR = "EV_EFI_VARIABLE_BOOT"; + private static final String EVT_EFI_GPT = "EV_EFI_GPT_EVENT"; + @Column(nullable = false) private boolean enableIgnoreIma = false; @Column(nullable = false) 
@@ -83,10 +96,10 @@ public final class PCRPolicy extends Policy { i += NUM_TO_SKIP; } - if (enableIgnoretBoot && i == TBOOT_PCR) { - LOGGER.info("PCR Policy TBoot Ignore enabled."); - i += NUM_OF_TBOOT_PCR; - } +// if (enableIgnoretBoot && i == TBOOT_PCR_START) { +// LOGGER.info("PCR Policy TBoot Ignore enabled."); +// i += NUM_OF_TBOOT_PCR; +// } if (enableIgnoreGpt && i == GPT_PCR) { LOGGER.info("PCR Policy GPT Ignore enabled."); 
@@ -103,6 +116,45 @@ public final class PCRPolicy extends Policy { return sb; } + /** + * Checks that the expected FM events occurring. There are policy options that + * will ignore certin PCRs, Event Types and Event Variables present. + * @param tcgMeasurementLog Measurement log from the client + * @param eventValueMap The events stored as baseline to compare + * @return the events that didn't pass + */ + public List validateTpmEvents(final TCGEventLog tcgMeasurementLog, + final Map eventValueMap) { + List tpmPcrEvents = new LinkedList<>(); + for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) { + + if (enableIgnoreIma && tpe.getPcrIndex() == IMA_PCR) { + LOGGER.info(String.format("IMA Ignored -> %s", tpe)); + } else if (enableIgnoreGpt && tpe.getPcrIndex() == GPT_PCR) { + LOGGER.info(String.format("GPT Ignored -> %s", tpe)); + } else if (enableIgnoretBoot && (tpe.getPcrIndex() >= TBOOT_PCR_START + && tpe.getPcrIndex() <= TBOOT_PCR_END)) { + LOGGER.info(String.format("TBOOT Ignored -> %s", tpe)); + } else if (enableIgnoreOsEvt && (tpe.getPcrIndex() >= PXE_PCR_START + && tpe.getPcrIndex() <= PXE_PCR_END)) { + LOGGER.info(String.format("OS Evt Ignored -> %s", tpe)); + } else { + if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_BOOT) + || tpe.getEventTypeStr().contains(EVT_EFI_GPT) + || tpe.getEventTypeStr().contains(EVT_EFI_VAR))) { + // need to also look at #3 + LOGGER.info(String.format("OS Evt Ignored -> %s", tpe)); + } else { + if (!eventValueMap.containsKey(tpe.getEventDigestStr())) { + tpmPcrEvents.add(tpe); + } + } + } + } + + return tpmPcrEvents; + } + /** * Compares hashs to validate the quote from the client. * From e82de123418cf21551efaaf929f6b996f8db0a71 Mon Sep 17 00:00:00 2001 
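Review bot: In validateTpmEvents the `enableIgnoreOsEvt` range branch (`tpe.getPcrIndex() >= PXE_PCR_START && ... <= PXE_PCR_END`, i.e. PCRs 5–16) runs before the event-type checks, so with the option on every event in those PCRs is dropped regardless of type, and the `EV_EFI_BOOT_SERVICES_APPLICATION`/`EV_EFI_GPT_EVENT`/`EV_EFI_VARIABLE_BOOT` branch only ever sees events in PCRs 0–4 and 17 and above. The TCG PC Client spec places the Secure Boot policy measurements in PCR 7, so an "ignore OS events" policy silently stops checking those as well; if the intent is type-based ignoring, drop the range branch (or narrow it to the PCRs the OS actually extends) and let the type checks decide. Each ignored event is also logged at INFO via `String.format("... -> %s", tpe)`; if TpmPcrEvent.toString() renders client-supplied event content, that is unescaped attacker-controlled text in the ACA log (log forging via embedded newlines), so prefer logging PCR index, type and digest only. Naming the 5–16 constants `PXE_PCR_START/END` while the comment and log messages call them OS events is also confusing.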
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 1 Nov 2021 09:35:36 -0400 Subject: [PATCH 3/6] Updated the ignore OS events check with the last rule for #404 --- HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java index 1dfdc3a4..85eb9aab 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java @@ -44,6 +44,7 @@ public final class PCRPolicy extends Policy { private static final String EVT_EFI_BOOT = "EV_EFI_BOOT_SERVICES_APPLICATION"; private static final String EVT_EFI_VAR = "EV_EFI_VARIABLE_BOOT"; private static final String EVT_EFI_GPT = "EV_EFI_GPT_EVENT"; + private static final String EVT_EFI_CFG = "EV_EFI_VARIABLE_DRIVER_CONFIG"; @Column(nullable = false) private boolean enableIgnoreIma = false; @@ -142,8 +143,10 @@ public final class PCRPolicy extends Policy { if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_BOOT) || tpe.getEventTypeStr().contains(EVT_EFI_GPT) || tpe.getEventTypeStr().contains(EVT_EFI_VAR))) { - // need to also look at #3 LOGGER.info(String.format("OS Evt Ignored -> %s", tpe)); + } else if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_CFG) + && tpe.getEventContentStr().contains("SecureBoot"))) { + LOGGER.info(String.format("OS Evt Config Ignored -> %s", tpe)); } else { if (!eventValueMap.containsKey(tpe.getEventDigestStr())) { tpmPcrEvents.add(tpe); From f0ea84d199975bd19f81852a793fd1e4f896ce64 Mon Sep 17 00:00:00 2001 
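Review bot: The new `EV_EFI_VARIABLE_DRIVER_CONFIG` + `contains("SecureBoot")` branch sits in the `else` of the PCR 5–16 range check, so it is only reached for events outside PCRs 5–16 while `enableIgnoreOsEvt` is true; the TCG PC Client spec measures the SecureBoot/PK/KEK/db DRIVER_CONFIG variables into PCR 7, which that range already swallows, so this branch looks unreachable in practice. If it is meant to be the rule that excuses only the SecureBoot variable, it has to run before (or instead of) the range branch. `getEventContentStr().contains("SecureBoot")` is also a substring match on client-supplied log content; match the parsed variable name exactly so other DRIVER_CONFIG events cannot be excused by embedding that string.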
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 5 Nov 2021 16:11:28 -0400 Subject: [PATCH 4/6] I added code to do different masks on the pcr selection, but that was not needed. So I just uncommented the one section of ignore not being used. --- .../src/main/java/hirs/data/persist/PCRPolicy.java | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java index 85eb9aab..2a7a473c 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java @@ -29,6 +29,7 @@ public final class PCRPolicy extends Policy { private static final Logger LOGGER = getLogger(PCRPolicy.class); private static final int NUM_TO_SKIP = 1; + private static final int NUM_OF_TBOOT_PCR = 3; // PCR 5-16 private static final int PXE_PCR_START = 5; private static final int PXE_PCR_END = 16; @@ -97,10 +98,10 @@ public final class PCRPolicy extends Policy { i += NUM_TO_SKIP; } -// if (enableIgnoretBoot && i == TBOOT_PCR_START) { -// LOGGER.info("PCR Policy TBoot Ignore enabled."); -// i += NUM_OF_TBOOT_PCR; -// } + if (enableIgnoretBoot && i == TBOOT_PCR_START) { + LOGGER.info("PCR Policy TBoot Ignore enabled."); + i += NUM_OF_TBOOT_PCR; + } if (enableIgnoreGpt && i == GPT_PCR) { LOGGER.info("PCR Policy GPT Ignore enabled."); @@ -179,6 +180,7 @@ public final class PCRPolicy extends Policy { } catch (DecoderException deEx) { LOGGER.error(deEx); } + PcrSelection pcrSelection = new PcrSelection(PcrSelection.ALL_PCRS_ON); PcrComposite pcrComposite = new PcrComposite( pcrSelection, From 2d9fb19d38a1ab0905406c1902e2a25968049ebf Mon Sep 17 00:00:00 2001 
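Review bot: `NUM_OF_TBOOT_PCR = 3`, re-introduced in the @@ -29 hunk, restates the PCR 17–19 range that `TBOOT_PCR_START` and `TBOOT_PCR_END` already encode; define it as `TBOOT_PCR_END - TBOOT_PCR_START + 1` so the restored `i += NUM_OF_TBOOT_PCR` skip cannot drift from the range validateTpmEvents uses. The loop header that drives `i` is outside the hunk, so I cannot tell whether the skip lands on PCR 20 or 21; a comment such as `// skip PCRs 17-19 (tboot)` on the restored block would make that checkable. The restored lines are byte-identical to the ones commented out in the previous patch, so the intermediate commenting-out could be dropped from the series.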
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Wed, 10 Nov 2021 07:27:33 -0500 Subject: [PATCH 5/6] Updated the new polices after doing a bit of testing to make sure that they do ignore when there is a failure on that specific bit. --- .../service/SupplyChainValidationServiceImpl.java | 5 ----- .../portal/page/controllers/PolicyPageController.java | 7 ++++--- HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java | 8 +++----- 3 files changed, 7 insertions(+), 13 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 41e2db7e..98bf7d33 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -543,11 +543,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe eventValueMap.put(rdv.getDigestValue(), rdv); } -// for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) { -// if (!eventValueMap.containsKey(tpe.getEventDigestStr())) { -// tpmPcrEvents.add(tpe); -// } -// } tpmPcrEvents.addAll(pcrPolicy.validateTpmEvents( tcgMeasurementLog, eventValueMap)); } diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java index 9cd5d7ca..f6f3e43c 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java 
@@ -866,16 +866,17 @@ public class PolicyPageController extends PageController { // set the policy option and create success message if (ignoreOsEvtOptionEnabled) { policy.getPcrPolicy().setEnableIgnoreOsEvt(true); - successMessage = "Ignore GPT enabled"; + policy.getPcrPolicy().setEnableIgnoreGpt(true); + successMessage = "Ignore OS Events enabled"; } else { policy.getPcrPolicy().setEnableIgnoreOsEvt(false); - successMessage = "Ignore GPT disabled"; + successMessage = "Ignore OS Events disabled"; } savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy); } catch (PolicyManagerException e) { handlePolicyManagerUpdateError(model, messages, e, - "Error changing ACA Os Events ignore policy", + "Error changing ACA OS Events ignore policy", "Error updating policy. \n" + e.getMessage()); } diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java index 2a7a473c..0a2dd19c 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java @@ -129,11 +129,8 @@ public final class PCRPolicy extends Policy { final Map eventValueMap) { List tpmPcrEvents = new LinkedList<>(); for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) { - if (enableIgnoreIma && tpe.getPcrIndex() == IMA_PCR) { LOGGER.info(String.format("IMA Ignored -> %s", tpe)); - } else if (enableIgnoreGpt && tpe.getPcrIndex() == GPT_PCR) { - LOGGER.info(String.format("GPT Ignored -> %s", tpe)); } else if (enableIgnoretBoot && (tpe.getPcrIndex() >= TBOOT_PCR_START && tpe.getPcrIndex() <= TBOOT_PCR_END)) { LOGGER.info(String.format("TBOOT Ignored -> %s", tpe)); 
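Review bot: Enabling Ignore OS Events now also calls `policy.getPcrPolicy().setEnableIgnoreGpt(true)`, but the disable branch only resets `enableIgnoreOsEvt`, so toggling OS-event ignore off leaves GPT events ignored with no message saying so, and the policy page's GPT row will show Enabled for a change the operator never made. Either restore the previous GPT value on disable, or keep the two flags independent and have validateTpmEvents treat the OS-event option as implying GPT (`(enableIgnoreGpt || enableIgnoreOsEvt)` on the EV_EFI_GPT_EVENT check). At minimum the success string should read `Ignore OS Events enabled (Ignore GPT enabled as well)` so the coupling is visible in the UI.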
@@ -141,8 +138,9 @@ public final class PCRPolicy extends Policy { && tpe.getPcrIndex() <= PXE_PCR_END)) { LOGGER.info(String.format("OS Evt Ignored -> %s", tpe)); } else { - if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_BOOT) - || tpe.getEventTypeStr().contains(EVT_EFI_GPT) + if (enableIgnoreGpt && tpe.getEventTypeStr().contains(EVT_EFI_GPT)) { + LOGGER.info(String.format("GPT Ignored -> %s", tpe)); + } else if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_BOOT) || tpe.getEventTypeStr().contains(EVT_EFI_VAR))) { LOGGER.info(String.format("OS Evt Ignored -> %s", tpe)); } else if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_CFG) From 04b050de156ef08aa7167e4436a4e07e34f6d64d Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Wed, 10 Nov 2021 09:50:17 -0500 Subject: [PATCH 6/6] The rimlinkhash meta information wasn't linking up with the associated swidtag. This is because the wrong hash look up was being used. Previously when the hexDecHash and base64Hash were implemented, the main focus was on the rimel and not the swidtag. --- .../ReferenceManifestDetailsPageController.java | 16 +++++++--------- .../src/main/webapp/WEB-INF/jsp/rim-details.jsp | 2 +- .../hirs/data/persist/BaseReferenceManifest.java | 10 ++++++++++ 3 files changed, 18 insertions(+), 10 deletions(-) diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index 7fe9308f..2768c94a 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java 
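Review bot: The event-type checks in validateTpmEvents use `getEventTypeStr().contains(...)` rather than equality, so `EV_EFI_VARIABLE_BOOT` also matches any longer type name with that prefix (the TCG spec defines `EV_EFI_VARIABLE_BOOT2`; whether the parser emits it I cannot tell from here), and the new `EVT_EFI_GPT` check behaves the same way. Use `equals` against the exact type names, e.g. `EVT_EFI_GPT.equals(tpe.getEventTypeStr())`, so the ignore list is a closed set. The digest comparison against `eventValueMap` and the PCR-range branch above are outside this hunk.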
@@ -231,13 +231,11 @@ public class ReferenceManifestDetailsPageController data.put("entityThumbprint", baseRim.getEntityThumbprint()); // Link data.put("linkHref", baseRim.getLinkHref()); + data.put("linkHrefLink", ""); for (BaseReferenceManifest bRim : BaseReferenceManifest .select(referenceManifestManager).getRIMs()) { if (baseRim.getLinkHref().contains(bRim.getTagId())) { - data.put("linkHrefLink", bRim.getId().toString()); - break; - } else { - data.put("linkHrefLink", ""); + data.put("linkHrefLink", bRim.getId()); } } data.put("linkRel", baseRim.getLinkRel()); @@ -255,16 +253,16 @@ public class ReferenceManifestDetailsPageController data.put("pcUriGlobal", baseRim.getPcURIGlobal()); data.put("pcUriLocal", baseRim.getPcURILocal()); data.put("rimLinkHash", baseRim.getRimLinkHash()); - boolean hashLinked = false; if (baseRim.getRimLinkHash() != null) { ReferenceManifest rim = BaseReferenceManifest.select(referenceManifestManager) - .byBase64Hash(baseRim.getRimLinkHash()).getRIM(); - hashLinked = (rim != null); - if (hashLinked) { + .byHexDecHash(baseRim.getRimLinkHash()).getRIM(); + if (rim != null) { data.put("rimLinkId", rim.getId()); + data.put("linkHashValid", true); + } else { + data.put("linkHashValid", false); } } - data.put("linkHashValid", hashLinked); data.put("rimType", baseRim.getRimType()); List resources = baseRim.parseResource(); diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp index 7c285d07..d63a48b8 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp +++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp @@ -371,7 +371,7 @@
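Review bot: Dropping the `break` in the linkHref loop changes which RIM wins when more than one tagId is a substring of `baseRim.getLinkHref()`: previously the first match, now the last, and the loop always walks every RIM. `contains(bRim.getTagId())` is a substring test, so a short or empty tagId matches any href; compare the href's tag component to the tagId exactly, or at least guard with `!bRim.getTagId().isEmpty()`, and restore the `break` (or say in a comment why last-match is wanted). In the @@ -255 hunk `linkHashValid` is no longer put in the model when `getRimLinkHash()` is null, so the JSP sees an absent attribute rather than `false`; EL treats that as false in a boolean test, but an explicit `data.put("linkHashValid", false)` default before the `if` keeps the contract obvious.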
    - + ${initialData.linkHref} diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java index 0a260bdd..1ca317b3 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java @@ -130,6 +130,16 @@ public class BaseReferenceManifest extends ReferenceManifest { setFieldValue(BASE_64_HASH_FIELD, base64Hash); return this; } + + /** + * Specify the RIM hash associated with the base RIM. + * @param hexDecHash the hash of the file associated with the rim + * @return this instance + */ + public Selector byHexDecHash(final String hexDecHash) { + setFieldValue(HEX_DEC_HASH_FIELD, hexDecHash); + return this; + } } /**
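Review bot: `byHexDecHash` presumably resolves to an exact string match on `HEX_DEC_HASH_FIELD`, and the value passed in from ReferenceManifestDetailsPageController is whatever the swidtag's rimLinkHash attribute contains; hex digests from different RIM producers differ in letter case, so a lookup can miss while the digests are equal. Normalize with `toLowerCase(Locale.ROOT)` both where the hash is stored and in this selector, or document that the field is case-sensitive. The Javadoc `Specify the RIM hash associated with the base RIM` is the same sentence as the base64 variant above it; state the encoding, e.g. `@param hexDecHash hex-encoded digest of the linked RIM file`, so callers know which form to pass.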