Merge branch 'master' into issue-381

This commit is contained in:
chubtub 2021-11-10 10:08:42 -05:00
commit d183504a3f
9 changed files with 225 additions and 21 deletions

View File

@ -541,11 +541,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
eventValueMap.put(rdv.getDigestValue(), rdv); eventValueMap.put(rdv.getDigestValue(), rdv);
} }
for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) { tpmPcrEvents.addAll(pcrPolicy.validateTpmEvents(
if (!eventValueMap.containsKey(tpe.getEventDigestStr())) { tcgMeasurementLog, eventValueMap));
tpmPcrEvents.add(tpe);
}
}
} }
} catch (CertificateException cEx) { } catch (CertificateException cEx) {
LOGGER.error(cEx); LOGGER.error(cEx);
@ -577,6 +574,10 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
fwStatus = new AppraisalStatus(FAIL, "The RIM baseline could not be found."); fwStatus = new AppraisalStatus(FAIL, "The RIM baseline could not be found.");
} }
} }
EventLogMeasurements eventLog = (EventLogMeasurements) measurement;
eventLog.setOverallValidationResult(fwStatus.getAppStatus());
this.referenceManifestManager.update(eventLog);
} else { } else {
fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: " fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: "
+ "%s for %s can not be found", failedString, manufacturer)); + "%s for %s can not be found", failedString, manufacturer));

View File

@ -20,6 +20,7 @@ public class PolicyPageModel {
private boolean enableIgnoreIma; private boolean enableIgnoreIma;
private boolean enableIgnoreTboot; private boolean enableIgnoreTboot;
private boolean enableIgnoreGpt; private boolean enableIgnoreGpt;
private boolean enableIgnoreOsEvt;
// Variables to get policy settings from page // Variables to get policy settings from page
private String pcValidate; private String pcValidate;
@ -36,6 +37,7 @@ public class PolicyPageModel {
private String ignoreIma; private String ignoreIma;
private String ignoretBoot; private String ignoretBoot;
private String ignoreGpt; private String ignoreGpt;
private String ignoreOsEvt;
private String expirationValue; private String expirationValue;
private String devIdExpirationValue; private String devIdExpirationValue;
private String thresholdValue; private String thresholdValue;
@ -60,6 +62,7 @@ public class PolicyPageModel {
this.enableIgnoreIma = policy.isIgnoreImaEnabled(); this.enableIgnoreIma = policy.isIgnoreImaEnabled();
this.enableIgnoreTboot = policy.isIgnoreTbootEnabled(); this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
this.enableIgnoreGpt = policy.isIgnoreGptEnabled(); this.enableIgnoreGpt = policy.isIgnoreGptEnabled();
this.enableIgnoreOsEvt = policy.isIgnoreOsEvtEnabled();
this.expirationValue = policy.getValidityDays(); this.expirationValue = policy.getValidityDays();
this.thresholdValue = policy.getReissueThreshold(); this.thresholdValue = policy.getReissueThreshold();
this.devIdExpirationValue = policy.getDevIdValidityDays(); this.devIdExpirationValue = policy.getDevIdValidityDays();
@ -160,6 +163,14 @@ public class PolicyPageModel {
return enableIgnoreGpt; return enableIgnoreGpt;
} }
/**
* Gets the Enable Ignore Os Events state.
* @return the validation state.
*/
public boolean getEnableIgnoreOsEvt() {
return enableIgnoreOsEvt;
}
/** /**
* Gets the EC Validation value. * Gets the EC Validation value.
* *
@ -268,6 +279,15 @@ public class PolicyPageModel {
return ignoreGpt; return ignoreGpt;
} }
/**
* Gets the Ignore Os Evt validation value.
*
* @return the model string representation of this field (checked or unchecked)
*/
public String getIgnoreOsEvt() {
return ignoreOsEvt;
}
/** /**
* Sets the EC Validation state. * Sets the EC Validation state.
* *
@ -359,6 +379,15 @@ public class PolicyPageModel {
this.enableIgnoreGpt = enableIgnoreGpt; this.enableIgnoreGpt = enableIgnoreGpt;
} }
/**
* Sets the Enable Ignore Os Events state.
*
* @param enableIgnoreOsEvt true if performing validation, false otherwise
*/
public void setEnableIgnoreOsEvt(final boolean enableIgnoreOsEvt) {
this.enableIgnoreOsEvt = enableIgnoreOsEvt;
}
/** /**
* Sets the Platform Certificate Validation state. * Sets the Platform Certificate Validation state.
* *
@ -497,6 +526,15 @@ public class PolicyPageModel {
this.ignoreGpt = ignoreGpt; this.ignoreGpt = ignoreGpt;
} }
/**
* Sets the Ignore Os Events state.
*
* @param ignoreOsEvt "checked" if enabling validation, false otherwise
*/
public void setIgnoreOsEvt(final String ignoreOsEvt) {
this.ignoreOsEvt = ignoreOsEvt;
}
/** /**
* Getter for the expiration value. * Getter for the expiration value.
* @return the value * @return the value
@ -577,6 +615,7 @@ public class PolicyPageModel {
+ ", enableIgnoreIma=" + enableIgnoreIma + ", enableIgnoreIma=" + enableIgnoreIma
+ ", enableIgnoreTboot=" + enableIgnoreTboot + ", enableIgnoreTboot=" + enableIgnoreTboot
+ ", enableIgnoreGpt=" + enableIgnoreGpt + ", enableIgnoreGpt=" + enableIgnoreGpt
+ ", enableIgnoreOsEvt=" + enableIgnoreOsEvt
+ ", expirationValue=" + expirationValue + ", expirationValue=" + expirationValue
+ ", thresholdValue=" + thresholdValue + ", thresholdValue=" + thresholdValue
+ ", devIdExpirationValue=" + devIdExpirationValue + ", devIdExpirationValue=" + devIdExpirationValue

View File

@ -90,7 +90,6 @@ public class PolicyPageController extends PageController<NoPageParams> {
ModelAndView mav = getBaseModelAndView(); ModelAndView mav = getBaseModelAndView();
SupplyChainPolicy policy = getDefaultPolicy(); SupplyChainPolicy policy = getDefaultPolicy();
PolicyPageModel pageModel = new PolicyPageModel(policy); PolicyPageModel pageModel = new PolicyPageModel(policy);
mav.addObject(INITIAL_DATA, pageModel); mav.addObject(INITIAL_DATA, pageModel);
@ -662,6 +661,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
policy.setFirmwareValidationEnabled(false); policy.setFirmwareValidationEnabled(false);
policy.getPcrPolicy().setEnableIgnoreIma(false); policy.getPcrPolicy().setEnableIgnoreIma(false);
policy.getPcrPolicy().setEnableIgnoretBoot(false); policy.getPcrPolicy().setEnableIgnoretBoot(false);
policy.setIgnoreOsEvtEnabled(false);
successMessage = "Firmware validation disabled"; successMessage = "Firmware validation disabled";
} }
@ -805,7 +805,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
//If Ignore TBoot is enabled without firmware, disallow change //If Ignore TBoot is enabled without firmware, disallow change
if (ignoreGptOptionEnabled && !policy.isFirmwareValidationEnabled()) { if (ignoreGptOptionEnabled && !policy.isFirmwareValidationEnabled()) {
handleUserError(model, messages, handleUserError(model, messages,
"Ignore TBoot can not be " "Ignore GPT Events can not be "
+ "enabled without Firmware Validation policy enabled."); + "enabled without Firmware Validation policy enabled.");
return redirectToSelf(new NoPageParams(), model, attr); return redirectToSelf(new NoPageParams(), model, attr);
} }
@ -830,6 +830,60 @@ public class PolicyPageController extends PageController<NoPageParams> {
return redirectToSelf(new NoPageParams(), model, attr); return redirectToSelf(new NoPageParams(), model, attr);
} }
/**
* Updates the ignore Os Events policy setting and
* redirects back to the original page.
*
* @param ppModel The data posted by the form mapped into an object.
* @param attr RedirectAttributes used to forward data back to the original
* page.
* @return View containing the url and parameters
* @throws URISyntaxException if malformed URI
*/
@RequestMapping(value = "update-os-evt-ignore", method = RequestMethod.POST)
public RedirectView updateIgnoreOsEvents(
@ModelAttribute final PolicyPageModel ppModel,
final RedirectAttributes attr)
throws URISyntaxException {
// set the data received to be populated back into the form
Map<String, Object> model = new HashMap<>();
PageMessages messages = new PageMessages();
String successMessage;
boolean ignoreOsEvtOptionEnabled = ppModel.getIgnoreOsEvt()
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
//If Ignore TBoot is enabled without firmware, disallow change
if (ignoreOsEvtOptionEnabled && !policy.isFirmwareValidationEnabled()) {
handleUserError(model, messages,
"Ignore Os Events can not be "
+ "enabled without Firmware Validation policy enabled.");
return redirectToSelf(new NoPageParams(), model, attr);
}
// set the policy option and create success message
if (ignoreOsEvtOptionEnabled) {
policy.getPcrPolicy().setEnableIgnoreOsEvt(true);
policy.getPcrPolicy().setEnableIgnoreGpt(true);
successMessage = "Ignore OS Events enabled";
} else {
policy.getPcrPolicy().setEnableIgnoreOsEvt(false);
successMessage = "Ignore OS Events disabled";
}
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
} catch (PolicyManagerException e) {
handlePolicyManagerUpdateError(model, messages, e,
"Error changing ACA OS Events ignore policy",
"Error updating policy. \n" + e.getMessage());
}
// return the redirect
return redirectToSelf(new NoPageParams(), model, attr);
}
private void handlePolicyManagerUpdateError(final Map<String, Object> model, private void handlePolicyManagerUpdateError(final Map<String, Object> model,
final PageMessages messages, final PageMessages messages,
final PolicyManagerException e, final PolicyManagerException e,

View File

@ -230,13 +230,11 @@ public class ReferenceManifestDetailsPageController
data.put("entityThumbprint", baseRim.getEntityThumbprint()); data.put("entityThumbprint", baseRim.getEntityThumbprint());
// Link // Link
data.put("linkHref", baseRim.getLinkHref()); data.put("linkHref", baseRim.getLinkHref());
data.put("linkHrefLink", "");
for (BaseReferenceManifest bRim : BaseReferenceManifest for (BaseReferenceManifest bRim : BaseReferenceManifest
.select(referenceManifestManager).getRIMs()) { .select(referenceManifestManager).getRIMs()) {
if (baseRim.getLinkHref().contains(bRim.getTagId())) { if (baseRim.getLinkHref().contains(bRim.getTagId())) {
data.put("linkHrefLink", bRim.getId().toString()); data.put("linkHrefLink", bRim.getId());
break;
} else {
data.put("linkHrefLink", "");
} }
} }
data.put("linkRel", baseRim.getLinkRel()); data.put("linkRel", baseRim.getLinkRel());
@ -254,16 +252,16 @@ public class ReferenceManifestDetailsPageController
data.put("pcUriGlobal", baseRim.getPcURIGlobal()); data.put("pcUriGlobal", baseRim.getPcURIGlobal());
data.put("pcUriLocal", baseRim.getPcURILocal()); data.put("pcUriLocal", baseRim.getPcURILocal());
data.put("rimLinkHash", baseRim.getRimLinkHash()); data.put("rimLinkHash", baseRim.getRimLinkHash());
boolean hashLinked = false;
if (baseRim.getRimLinkHash() != null) { if (baseRim.getRimLinkHash() != null) {
ReferenceManifest rim = BaseReferenceManifest.select(referenceManifestManager) ReferenceManifest rim = BaseReferenceManifest.select(referenceManifestManager)
.byBase64Hash(baseRim.getRimLinkHash()).getRIM(); .byHexDecHash(baseRim.getRimLinkHash()).getRIM();
hashLinked = (rim != null); if (rim != null) {
if (hashLinked) {
data.put("rimLinkId", rim.getId()); data.put("rimLinkId", rim.getId());
data.put("linkHashValid", true);
} else {
data.put("linkHashValid", false);
} }
} }
data.put("linkHashValid", hashLinked);
data.put("rimType", baseRim.getRimType()); data.put("rimType", baseRim.getRimType());
List<SwidResource> resources = baseRim.parseResource(); List<SwidResource> resources = baseRim.parseResource();

View File

@ -107,7 +107,19 @@
<label><input id="gptTop" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? 'checked' : ''} value="checked"/> Ignore GPT enabled</label> <label><input id="gptTop" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? 'checked' : ''} value="checked"/> Ignore GPT enabled</label>
</div> </div>
<div class="radio"> <div class="radio">
<label><input id="gptBot" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? '' : 'checked'} value="unchecked"/> Ignore GPT disabled</label> <label><input id="gptBot" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? '' : 'checked'} value="unchecked"/> Ignore GPT disabled</label>
</div>
</my:editor>
</li>
</form:form>
<form:form method="POST" modelAttribute="initialData" action="policy/update-os-evt-ignore">
<li>Ignore OS Events: ${initialData.enableIgnoreOsEvt ? 'Enabled' : 'Disabled'}
<my:editor id="ignoreOsEvtPolicyEditor" label="Edit Settings">
<div class="radio">
<label><input id="osTop" type="radio" name="ignoreOsEvt" ${initialData.enableIgnoreOsEvt ? 'checked' : ''} value="checked"/> Ignore Os Events enabled</label>
</div>
<div class="radio">
<label><input id="osBot" type="radio" name="ignoreOsEvt" ${initialData.enableIgnoreOsEvt ? '' : 'checked'} value="unchecked"/> Ignore Os Events disabled</label>
</div> </div>
</my:editor> </my:editor>
</li> </li>

View File

@ -371,7 +371,7 @@
<div> <div>
<span> <span>
<c:choose> <c:choose>
<c:when test="${initialData.linkRel=='requires'}"> <c:when test="${not empty initialData.linkHrefLink}">
<a href="${portal}/rim-details?id=${initialData.linkHrefLink}" rel="${initialData.linkRel}">${initialData.linkHref}</a> <a href="${portal}/rim-details?id=${initialData.linkHrefLink}" rel="${initialData.linkRel}">${initialData.linkHref}</a>
</c:when> </c:when>
<c:otherwise> <c:otherwise>

View File

@ -130,6 +130,16 @@ public class BaseReferenceManifest extends ReferenceManifest {
setFieldValue(BASE_64_HASH_FIELD, base64Hash); setFieldValue(BASE_64_HASH_FIELD, base64Hash);
return this; return this;
} }
/**
* Specify the RIM hash associated with the base RIM.
* @param hexDecHash the hash of the file associated with the rim
* @return this instance
*/
public Selector byHexDecHash(final String hexDecHash) {
setFieldValue(HEX_DEC_HASH_FIELD, hexDecHash);
return this;
}
} }
/** /**

View File

@ -3,6 +3,8 @@ package hirs.data.persist;
import hirs.data.persist.tpm.PcrComposite; import hirs.data.persist.tpm.PcrComposite;
import hirs.data.persist.tpm.PcrInfoShort; import hirs.data.persist.tpm.PcrInfoShort;
import hirs.data.persist.tpm.PcrSelection; import hirs.data.persist.tpm.PcrSelection;
import hirs.tpm.eventlog.TCGEventLog;
import hirs.tpm.eventlog.TpmPcrEvent;
import org.apache.commons.codec.DecoderException; import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex; import org.apache.commons.codec.binary.Hex;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
@ -12,6 +14,9 @@ import javax.persistence.Entity;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Arrays; import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import static org.apache.logging.log4j.LogManager.getLogger; import static org.apache.logging.log4j.LogManager.getLogger;
@ -24,14 +29,24 @@ public final class PCRPolicy extends Policy {
private static final Logger LOGGER = getLogger(PCRPolicy.class); private static final Logger LOGGER = getLogger(PCRPolicy.class);
private static final int NUM_TO_SKIP = 1; private static final int NUM_TO_SKIP = 1;
private static final int NUM_OF_TBOOT_PCR = 3;
// PCR 5-16
private static final int PXE_PCR_START = 5;
private static final int PXE_PCR_END = 16;
// PCR 10 // PCR 10
private static final int IMA_PCR = 10; private static final int IMA_PCR = 10;
// PCR 17-19 // PCR 17-19
private static final int TBOOT_PCR = 17; private static final int TBOOT_PCR_START = 17;
private static final int NUM_OF_TBOOT_PCR = 3; private static final int TBOOT_PCR_END = 19;
// PCR 5 // PCR 5
private static final int GPT_PCR = 5; private static final int GPT_PCR = 5;
// Event Log Event Types
private static final String EVT_EFI_BOOT = "EV_EFI_BOOT_SERVICES_APPLICATION";
private static final String EVT_EFI_VAR = "EV_EFI_VARIABLE_BOOT";
private static final String EVT_EFI_GPT = "EV_EFI_GPT_EVENT";
private static final String EVT_EFI_CFG = "EV_EFI_VARIABLE_DRIVER_CONFIG";
@Column(nullable = false) @Column(nullable = false)
private boolean enableIgnoreIma = false; private boolean enableIgnoreIma = false;
@Column(nullable = false) @Column(nullable = false)
@ -40,6 +55,8 @@ public final class PCRPolicy extends Policy {
private boolean linuxOs = false; private boolean linuxOs = false;
@Column(nullable = false) @Column(nullable = false)
private boolean enableIgnoreGpt = true; private boolean enableIgnoreGpt = true;
@Column(nullable = false)
private boolean enableIgnoreOsEvt = false;
private String[] baselinePcrs; private String[] baselinePcrs;
@ -81,7 +98,7 @@ public final class PCRPolicy extends Policy {
i += NUM_TO_SKIP; i += NUM_TO_SKIP;
} }
if (enableIgnoretBoot && i == TBOOT_PCR) { if (enableIgnoretBoot && i == TBOOT_PCR_START) {
LOGGER.info("PCR Policy TBoot Ignore enabled."); LOGGER.info("PCR Policy TBoot Ignore enabled.");
i += NUM_OF_TBOOT_PCR; i += NUM_OF_TBOOT_PCR;
} }
@ -101,6 +118,45 @@ public final class PCRPolicy extends Policy {
return sb; return sb;
} }
/**
* Checks that the expected FM events occurring. There are policy options that
* will ignore certin PCRs, Event Types and Event Variables present.
* @param tcgMeasurementLog Measurement log from the client
* @param eventValueMap The events stored as baseline to compare
* @return the events that didn't pass
*/
public List<TpmPcrEvent> validateTpmEvents(final TCGEventLog tcgMeasurementLog,
final Map<String, ReferenceDigestValue> eventValueMap) {
List<TpmPcrEvent> tpmPcrEvents = new LinkedList<>();
for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) {
if (enableIgnoreIma && tpe.getPcrIndex() == IMA_PCR) {
LOGGER.info(String.format("IMA Ignored -> %s", tpe));
} else if (enableIgnoretBoot && (tpe.getPcrIndex() >= TBOOT_PCR_START
&& tpe.getPcrIndex() <= TBOOT_PCR_END)) {
LOGGER.info(String.format("TBOOT Ignored -> %s", tpe));
} else if (enableIgnoreOsEvt && (tpe.getPcrIndex() >= PXE_PCR_START
&& tpe.getPcrIndex() <= PXE_PCR_END)) {
LOGGER.info(String.format("OS Evt Ignored -> %s", tpe));
} else {
if (enableIgnoreGpt && tpe.getEventTypeStr().contains(EVT_EFI_GPT)) {
LOGGER.info(String.format("GPT Ignored -> %s", tpe));
} else if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_BOOT)
|| tpe.getEventTypeStr().contains(EVT_EFI_VAR))) {
LOGGER.info(String.format("OS Evt Ignored -> %s", tpe));
} else if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_CFG)
&& tpe.getEventContentStr().contains("SecureBoot"))) {
LOGGER.info(String.format("OS Evt Config Ignored -> %s", tpe));
} else {
if (!eventValueMap.containsKey(tpe.getEventDigestStr())) {
tpmPcrEvents.add(tpe);
}
}
}
}
return tpmPcrEvents;
}
/** /**
* Compares hashs to validate the quote from the client. * Compares hashs to validate the quote from the client.
* *
@ -122,6 +178,7 @@ public final class PCRPolicy extends Policy {
} catch (DecoderException deEx) { } catch (DecoderException deEx) {
LOGGER.error(deEx); LOGGER.error(deEx);
} }
PcrSelection pcrSelection = new PcrSelection(PcrSelection.ALL_PCRS_ON); PcrSelection pcrSelection = new PcrSelection(PcrSelection.ALL_PCRS_ON);
PcrComposite pcrComposite = new PcrComposite( PcrComposite pcrComposite = new PcrComposite(
pcrSelection, pcrSelection,
@ -211,6 +268,22 @@ public final class PCRPolicy extends Policy {
this.enableIgnoreGpt = enableIgnoreGpt; this.enableIgnoreGpt = enableIgnoreGpt;
} }
/**
* Getter for the Os Events ignore flag.
* @return true if Os Events is to be ignored.
*/
public boolean isEnableIgnoreOsEvt() {
return enableIgnoreOsEvt;
}
/**
* Setter for the Os Evt ignore flag.
* @param enableIgnoreOsEvt true if Os Evt is to be ignored.
*/
public void setEnableIgnoreOsEvt(final boolean enableIgnoreOsEvt) {
this.enableIgnoreOsEvt = enableIgnoreOsEvt;
}
/** /**
* Getter for a flag to indicate the type of OS. * Getter for a flag to indicate the type of OS.
* @return true if the system is linux. * @return true if the system is linux.

View File

@ -226,6 +226,15 @@ public class SupplyChainPolicy extends Policy {
return this.pcrPolicy.isEnableIgnoreGpt(); return this.pcrPolicy.isEnableIgnoreGpt();
} }
/**
* Returns whether or not to validate the ignore Os Events on the device.
*
* @return whether or not to validate the ignore Os Events
*/
public boolean isIgnoreOsEvtEnabled() {
return this.pcrPolicy.isEnableIgnoreOsEvt();
}
/** /**
* Sets whether or not validate the ignore GPT on the device. * Sets whether or not validate the ignore GPT on the device.
* @param enableIgnoreGpt whether or not to validate the ignore GPT * @param enableIgnoreGpt whether or not to validate the ignore GPT
@ -234,6 +243,14 @@ public class SupplyChainPolicy extends Policy {
this.pcrPolicy.setEnableIgnoreGpt(enableIgnoreGpt); this.pcrPolicy.setEnableIgnoreGpt(enableIgnoreGpt);
} }
/**
* Sets whether or not validate the ignore Os Events on the device.
* @param enableIgnoreOsEvt whether or not to validate the ignore Os Events
*/
public void setIgnoreOsEvtEnabled(final boolean enableIgnoreOsEvt) {
this.pcrPolicy.setEnableIgnoreOsEvt(enableIgnoreOsEvt);
}
/** /**
* Returns whether or not to allow expired credentials and certificates to be considered * Returns whether or not to allow expired credentials and certificates to be considered
* valid if their supply chain is otherwise verified. * valid if their supply chain is otherwise verified.