Merge branch 'master' into issue-381
commit
d183504a3f
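--- a/<path-not-shown>/SupplyChainValidationServiceImpl.java
+++ b/<path-not-shown>/SupplyChainValidationServiceImpl.java
@@ -541,11 +541,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
 eventValueMap.put(rdv.getDigestValue(), rdv);
 }
 
-for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) {
-if (!eventValueMap.containsKey(tpe.getEventDigestStr())) {
-tpmPcrEvents.add(tpe);
-}
-}
+tpmPcrEvents.addAll(pcrPolicy.validateTpmEvents(
+tcgMeasurementLog, eventValueMap));
 }
 } catch (CertificateException cEx) {
 LOGGER.error(cEx);
@@ -577,6 +574,10 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
 fwStatus = new AppraisalStatus(FAIL, "The RIM baseline could not be found.");
 }
 }
+
+EventLogMeasurements eventLog = (EventLogMeasurements) measurement;
+eventLog.setOverallValidationResult(fwStatus.getAppStatus());
+this.referenceManifestManager.update(eventLog);
 } else {
 fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: "
 + "%s for %s can not be found", failedString, manufacturer));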
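Review bot: The cast `EventLogMeasurements eventLog = (EventLogMeasurements) measurement;` added in the `@ -577,6 +574,10 @@` hunk is unguarded, and the only handler visible in this section catches `CertificateException`, so a `measurement` of another type would propagate a ClassCastException instead of producing a FAIL status. Guard it with `if (measurement instanceof EventLogMeasurements) { EventLogMeasurements eventLog = (EventLogMeasurements) measurement; eventLog.setOverallValidationResult(fwStatus.getAppStatus()); this.referenceManifestManager.update(eventLog); }` so the persisted result is only written for the type it applies to. In the first hunk the events that `pcrPolicy.validateTpmEvents` ignores never reach `tpmPcrEvents`, so the status that `update(eventLog)` stores does not record that ignore options were in effect; a comment such as `// events excluded by the PCR policy ignore options are not reported as failures` keeps that visible to whoever reads the stored result. The enclosing method and the declaration of `measurement` are outside the hunks.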
@ -20,6 +20,7 @@ public class PolicyPageModel {
|
|||||||
private boolean enableIgnoreIma;
|
private boolean enableIgnoreIma;
|
||||||
private boolean enableIgnoreTboot;
|
private boolean enableIgnoreTboot;
|
||||||
private boolean enableIgnoreGpt;
|
private boolean enableIgnoreGpt;
|
||||||
|
private boolean enableIgnoreOsEvt;
|
||||||
|
|
||||||
// Variables to get policy settings from page
|
// Variables to get policy settings from page
|
||||||
private String pcValidate;
|
private String pcValidate;
|
||||||
@ -36,6 +37,7 @@ public class PolicyPageModel {
|
|||||||
private String ignoreIma;
|
private String ignoreIma;
|
||||||
private String ignoretBoot;
|
private String ignoretBoot;
|
||||||
private String ignoreGpt;
|
private String ignoreGpt;
|
||||||
|
private String ignoreOsEvt;
|
||||||
private String expirationValue;
|
private String expirationValue;
|
||||||
private String devIdExpirationValue;
|
private String devIdExpirationValue;
|
||||||
private String thresholdValue;
|
private String thresholdValue;
|
||||||
@ -60,6 +62,7 @@ public class PolicyPageModel {
|
|||||||
this.enableIgnoreIma = policy.isIgnoreImaEnabled();
|
this.enableIgnoreIma = policy.isIgnoreImaEnabled();
|
||||||
this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
|
this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
|
||||||
this.enableIgnoreGpt = policy.isIgnoreGptEnabled();
|
this.enableIgnoreGpt = policy.isIgnoreGptEnabled();
|
||||||
|
this.enableIgnoreOsEvt = policy.isIgnoreOsEvtEnabled();
|
||||||
this.expirationValue = policy.getValidityDays();
|
this.expirationValue = policy.getValidityDays();
|
||||||
this.thresholdValue = policy.getReissueThreshold();
|
this.thresholdValue = policy.getReissueThreshold();
|
||||||
this.devIdExpirationValue = policy.getDevIdValidityDays();
|
this.devIdExpirationValue = policy.getDevIdValidityDays();
|
||||||
@ -160,6 +163,14 @@ public class PolicyPageModel {
|
|||||||
return enableIgnoreGpt;
|
return enableIgnoreGpt;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets the Enable Ignore Os Events state.
|
||||||
|
* @return the validation state.
|
||||||
|
*/
|
||||||
|
public boolean getEnableIgnoreOsEvt() {
|
||||||
|
return enableIgnoreOsEvt;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the EC Validation value.
|
* Gets the EC Validation value.
|
||||||
*
|
*
|
||||||
@ -268,6 +279,15 @@ public class PolicyPageModel {
|
|||||||
return ignoreGpt;
|
return ignoreGpt;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets the Ignore Os Evt validation value.
|
||||||
|
*
|
||||||
|
* @return the model string representation of this field (checked or unchecked)
|
||||||
|
*/
|
||||||
|
public String getIgnoreOsEvt() {
|
||||||
|
return ignoreOsEvt;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the EC Validation state.
|
* Sets the EC Validation state.
|
||||||
*
|
*
|
||||||
@ -359,6 +379,15 @@ public class PolicyPageModel {
|
|||||||
this.enableIgnoreGpt = enableIgnoreGpt;
|
this.enableIgnoreGpt = enableIgnoreGpt;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the Enable Ignore Os Events state.
|
||||||
|
*
|
||||||
|
* @param enableIgnoreOsEvt true if performing validation, false otherwise
|
||||||
|
*/
|
||||||
|
public void setEnableIgnoreOsEvt(final boolean enableIgnoreOsEvt) {
|
||||||
|
this.enableIgnoreOsEvt = enableIgnoreOsEvt;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the Platform Certificate Validation state.
|
* Sets the Platform Certificate Validation state.
|
||||||
*
|
*
|
||||||
@ -497,6 +526,15 @@ public class PolicyPageModel {
|
|||||||
this.ignoreGpt = ignoreGpt;
|
this.ignoreGpt = ignoreGpt;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the Ignore Os Events state.
|
||||||
|
*
|
||||||
|
* @param ignoreOsEvt "checked" if enabling validation, false otherwise
|
||||||
|
*/
|
||||||
|
public void setIgnoreOsEvt(final String ignoreOsEvt) {
|
||||||
|
this.ignoreOsEvt = ignoreOsEvt;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Getter for the expiration value.
|
* Getter for the expiration value.
|
||||||
* @return the value
|
* @return the value
|
||||||
@ -577,6 +615,7 @@ public class PolicyPageModel {
|
|||||||
+ ", enableIgnoreIma=" + enableIgnoreIma
|
+ ", enableIgnoreIma=" + enableIgnoreIma
|
||||||
+ ", enableIgnoreTboot=" + enableIgnoreTboot
|
+ ", enableIgnoreTboot=" + enableIgnoreTboot
|
||||||
+ ", enableIgnoreGpt=" + enableIgnoreGpt
|
+ ", enableIgnoreGpt=" + enableIgnoreGpt
|
||||||
|
+ ", enableIgnoreOsEvt=" + enableIgnoreOsEvt
|
||||||
+ ", expirationValue=" + expirationValue
|
+ ", expirationValue=" + expirationValue
|
||||||
+ ", thresholdValue=" + thresholdValue
|
+ ", thresholdValue=" + thresholdValue
|
||||||
+ ", devIdExpirationValue=" + devIdExpirationValue
|
+ ", devIdExpirationValue=" + devIdExpirationValue
|
||||||
|
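Review bot: The Javadoc on the new `setIgnoreOsEvt` in the `@ -497,6 +526,15 @@` hunk, `@param ignoreOsEvt "checked" if enabling validation, false otherwise`, documents a boolean for a String parameter and describes the option as enabling validation when it removes OS events from validation; `@param ignoreOsEvt "checked" if OS events are to be ignored, "unchecked" otherwise` matches the getter and the radio values the page posts. The same inversion is in `setEnableIgnoreOsEvt` (`@ -359,6 +379,15 @@`), whose `@param` says "true if performing validation" and should read `true if OS events are to be ignored during firmware validation, false otherwise`. The class header is outside the hunks.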
@ -90,7 +90,6 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
ModelAndView mav = getBaseModelAndView();
|
ModelAndView mav = getBaseModelAndView();
|
||||||
|
|
||||||
SupplyChainPolicy policy = getDefaultPolicy();
|
SupplyChainPolicy policy = getDefaultPolicy();
|
||||||
|
|
||||||
PolicyPageModel pageModel = new PolicyPageModel(policy);
|
PolicyPageModel pageModel = new PolicyPageModel(policy);
|
||||||
mav.addObject(INITIAL_DATA, pageModel);
|
mav.addObject(INITIAL_DATA, pageModel);
|
||||||
|
|
||||||
@ -662,6 +661,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
policy.setFirmwareValidationEnabled(false);
|
policy.setFirmwareValidationEnabled(false);
|
||||||
policy.getPcrPolicy().setEnableIgnoreIma(false);
|
policy.getPcrPolicy().setEnableIgnoreIma(false);
|
||||||
policy.getPcrPolicy().setEnableIgnoretBoot(false);
|
policy.getPcrPolicy().setEnableIgnoretBoot(false);
|
||||||
|
policy.setIgnoreOsEvtEnabled(false);
|
||||||
successMessage = "Firmware validation disabled";
|
successMessage = "Firmware validation disabled";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -805,7 +805,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
//If Ignore TBoot is enabled without firmware, disallow change
|
//If Ignore TBoot is enabled without firmware, disallow change
|
||||||
if (ignoreGptOptionEnabled && !policy.isFirmwareValidationEnabled()) {
|
if (ignoreGptOptionEnabled && !policy.isFirmwareValidationEnabled()) {
|
||||||
handleUserError(model, messages,
|
handleUserError(model, messages,
|
||||||
"Ignore TBoot can not be "
|
"Ignore GPT Events can not be "
|
||||||
+ "enabled without Firmware Validation policy enabled.");
|
+ "enabled without Firmware Validation policy enabled.");
|
||||||
return redirectToSelf(new NoPageParams(), model, attr);
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
}
|
}
|
||||||
@ -830,6 +830,60 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
|||||||
return redirectToSelf(new NoPageParams(), model, attr);
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Updates the ignore Os Events policy setting and
|
||||||
|
* redirects back to the original page.
|
||||||
|
*
|
||||||
|
* @param ppModel The data posted by the form mapped into an object.
|
||||||
|
* @param attr RedirectAttributes used to forward data back to the original
|
||||||
|
* page.
|
||||||
|
* @return View containing the url and parameters
|
||||||
|
* @throws URISyntaxException if malformed URI
|
||||||
|
*/
|
||||||
|
@RequestMapping(value = "update-os-evt-ignore", method = RequestMethod.POST)
|
||||||
|
public RedirectView updateIgnoreOsEvents(
|
||||||
|
@ModelAttribute final PolicyPageModel ppModel,
|
||||||
|
final RedirectAttributes attr)
|
||||||
|
throws URISyntaxException {
|
||||||
|
// set the data received to be populated back into the form
|
||||||
|
Map<String, Object> model = new HashMap<>();
|
||||||
|
PageMessages messages = new PageMessages();
|
||||||
|
String successMessage;
|
||||||
|
boolean ignoreOsEvtOptionEnabled = ppModel.getIgnoreOsEvt()
|
||||||
|
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
|
||||||
|
|
||||||
|
try {
|
||||||
|
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
||||||
|
|
||||||
|
//If Ignore TBoot is enabled without firmware, disallow change
|
||||||
|
if (ignoreOsEvtOptionEnabled && !policy.isFirmwareValidationEnabled()) {
|
||||||
|
handleUserError(model, messages,
|
||||||
|
"Ignore Os Events can not be "
|
||||||
|
+ "enabled without Firmware Validation policy enabled.");
|
||||||
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
|
}
|
||||||
|
|
||||||
|
// set the policy option and create success message
|
||||||
|
if (ignoreOsEvtOptionEnabled) {
|
||||||
|
policy.getPcrPolicy().setEnableIgnoreOsEvt(true);
|
||||||
|
policy.getPcrPolicy().setEnableIgnoreGpt(true);
|
||||||
|
successMessage = "Ignore OS Events enabled";
|
||||||
|
} else {
|
||||||
|
policy.getPcrPolicy().setEnableIgnoreOsEvt(false);
|
||||||
|
successMessage = "Ignore OS Events disabled";
|
||||||
|
}
|
||||||
|
|
||||||
|
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
||||||
|
} catch (PolicyManagerException e) {
|
||||||
|
handlePolicyManagerUpdateError(model, messages, e,
|
||||||
|
"Error changing ACA OS Events ignore policy",
|
||||||
|
"Error updating policy. \n" + e.getMessage());
|
||||||
|
}
|
||||||
|
|
||||||
|
// return the redirect
|
||||||
|
return redirectToSelf(new NoPageParams(), model, attr);
|
||||||
|
}
|
||||||
|
|
||||||
private void handlePolicyManagerUpdateError(final Map<String, Object> model,
|
private void handlePolicyManagerUpdateError(final Map<String, Object> model,
|
||||||
final PageMessages messages,
|
final PageMessages messages,
|
||||||
final PolicyManagerException e,
|
final PolicyManagerException e,
|
||||||
|
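Review bot: In `updateIgnoreOsEvents` (`@ -830,6 +830,60 @@`), `ppModel.getIgnoreOsEvt().equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE)` dereferences the form field before anything else, so a POST without the `ignoreOsEvt` radio raises a NullPointerException outside the `PolicyManagerException` handler; `ENABLED_CHECKED_PARAMETER_VALUE.equalsIgnoreCase(ppModel.getIgnoreOsEvt())` is null-safe and treats a missing field as disabled. Enabling the option also calls `policy.getPcrPolicy().setEnableIgnoreGpt(true)` while the success message reports only "Ignore OS Events enabled", and disabling it leaves GPT ignored; either state the GPT side effect in the message and the method Javadoc or drop the implicit change, so that an operator relaxing one check is not silently relaxing another. The comment `//If Ignore TBoot is enabled without firmware, disallow change` is copied from the TBoot handler and should name OS Events.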
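--- a/<path-not-shown>/ReferenceManifestDetailsPageController.java
+++ b/<path-not-shown>/ReferenceManifestDetailsPageController.java
@@ -230,13 +230,11 @@ public class ReferenceManifestDetailsPageController
 data.put("entityThumbprint", baseRim.getEntityThumbprint());
 // Link
 data.put("linkHref", baseRim.getLinkHref());
+data.put("linkHrefLink", "");
 for (BaseReferenceManifest bRim : BaseReferenceManifest
 .select(referenceManifestManager).getRIMs()) {
 if (baseRim.getLinkHref().contains(bRim.getTagId())) {
-data.put("linkHrefLink", bRim.getId().toString());
-break;
-} else {
-data.put("linkHrefLink", "");
+data.put("linkHrefLink", bRim.getId());
 }
 }
 data.put("linkRel", baseRim.getLinkRel());
@@ -254,16 +252,16 @@ public class ReferenceManifestDetailsPageController
 data.put("pcUriGlobal", baseRim.getPcURIGlobal());
 data.put("pcUriLocal", baseRim.getPcURILocal());
 data.put("rimLinkHash", baseRim.getRimLinkHash());
-boolean hashLinked = false;
 if (baseRim.getRimLinkHash() != null) {
 ReferenceManifest rim = BaseReferenceManifest.select(referenceManifestManager)
-.byBase64Hash(baseRim.getRimLinkHash()).getRIM();
-hashLinked = (rim != null);
-if (hashLinked) {
+.byHexDecHash(baseRim.getRimLinkHash()).getRIM();
+if (rim != null) {
 data.put("rimLinkId", rim.getId());
+data.put("linkHashValid", true);
+} else {
+data.put("linkHashValid", false);
 }
 }
-data.put("linkHashValid", hashLinked);
 data.put("rimType", baseRim.getRimType());
 
 List<SwidResource> resources = baseRim.parseResource();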
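Review bot: In the `@ -254,16 +252,16 @@` hunk `linkHashValid` is written only inside the `rimLinkHash != null` branch, whereas the removed `data.put("linkHashValid", hashLinked);` set it on every path, so a base RIM with no link hash now leaves the key out of `data` and a consumer unboxing it as `Boolean` sees null; add `data.put("linkHashValid", false);` ahead of the `if` so both paths write it. In the `@ -230,13 +230,11 @@` hunk `baseRim.getLinkHref().contains(bRim.getTagId())` is a substring test and, with `break` gone, the last matching RIM wins, so a tag id that happens to be a substring of another RIM's can redirect the link; compare the link target with the tag id exactly and `break` on the first match. `getLinkHref()` is also dereferenced before `contains` while `getRimLinkHash()` is null-checked a few lines later; whether `linkHref` can be null is not visible here, so a guard is worth confirming. The enclosing method starts before the first hunk.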
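--- a/<path-not-shown>/<policy-jsp>
+++ b/<path-not-shown>/<policy-jsp>
@@ -107,7 +107,19 @@
 <label><input id="gptTop" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? 'checked' : ''} value="checked"/> Ignore GPT enabled</label>
 </div>
 <div class="radio">
 <label><input id="gptBot" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? '' : 'checked'} value="unchecked"/> Ignore GPT disabled</label>
+</div>
+</my:editor>
+</li>
+</form:form>
+<form:form method="POST" modelAttribute="initialData" action="policy/update-os-evt-ignore">
+<li>Ignore OS Events: ${initialData.enableIgnoreOsEvt ? 'Enabled' : 'Disabled'}
+<my:editor id="ignoreOsEvtPolicyEditor" label="Edit Settings">
+<div class="radio">
+<label><input id="osTop" type="radio" name="ignoreOsEvt" ${initialData.enableIgnoreOsEvt ? 'checked' : ''} value="checked"/> Ignore Os Events enabled</label>
+</div>
+<div class="radio">
+<label><input id="osBot" type="radio" name="ignoreOsEvt" ${initialData.enableIgnoreOsEvt ? '' : 'checked'} value="unchecked"/> Ignore Os Events disabled</label>
 </div>
 </my:editor>
 </li>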
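Review bot: The new radio labels read `Ignore Os Events enabled` / `Ignore Os Events disabled` while the summary line `Ignore OS Events:` a few lines above and the controller's success message `Ignore OS Events enabled` use the other spelling; pick one (`Ignore OS Events enabled`, `Ignore OS Events disabled`) so the status text and the editor agree. The added lines close the GPT editor's `<form:form>` and open the new one, so the markup is only balanced if the lines before 107, outside the hunk, are the GPT form's `<li>` and editor opening.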
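--- a/<path-not-shown>/<rim-details-jsp>
+++ b/<path-not-shown>/<rim-details-jsp>
@@ -371,7 +371,7 @@
 <div>
 <span>
 <c:choose>
-<c:when test="${initialData.linkRel=='requires'}">
+<c:when test="${not empty initialData.linkHrefLink}">
 <a href="${portal}/rim-details?id=${initialData.linkHrefLink}" rel="${initialData.linkRel}">${initialData.linkHref}</a>
 </c:when>
 <c:otherwise>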
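Review bot: The `c:when` now renders the anchor whenever a linked RIM was resolved rather than only for `rel == 'requires'`, so `${initialData.linkHref}` and `${initialData.linkRel}` — which the controller fills from the base RIM's link fields, presumably parsed from the uploaded RIM file — reach the page unescaped on more inputs than before; write them as `<c:out value="${initialData.linkHref}"/>` and `rel="${fn:escapeXml(initialData.linkRel)}"` (the JSTL functions taglib must be declared if it is not already) so markup in a crafted RIM cannot break out of the attribute or the link text. The `c:otherwise` branch that handles the unresolved case is outside the hunk.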
@ -130,6 +130,16 @@ public class BaseReferenceManifest extends ReferenceManifest {
|
|||||||
setFieldValue(BASE_64_HASH_FIELD, base64Hash);
|
setFieldValue(BASE_64_HASH_FIELD, base64Hash);
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Specify the RIM hash associated with the base RIM.
|
||||||
|
* @param hexDecHash the hash of the file associated with the rim
|
||||||
|
* @return this instance
|
||||||
|
*/
|
||||||
|
public Selector byHexDecHash(final String hexDecHash) {
|
||||||
|
setFieldValue(HEX_DEC_HASH_FIELD, hexDecHash);
|
||||||
|
return this;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
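Review bot: The Javadoc for the new `byHexDecHash` says only "Specify the RIM hash associated with the base RIM", which does not tell a caller how it differs from the `byBase64Hash` selector whose body ends just above it; state the encoding, e.g. `Specify the hex-encoded hash of the file associated with the base RIM; use byBase64Hash for the base64 form.` The selector stores the string as given via `setFieldValue(HEX_DEC_HASH_FIELD, hexDecHash)`, so a value in the wrong encoding simply matches nothing, which is worth a sentence as well. The enclosing `Selector` class header is outside the hunk.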
@ -3,6 +3,8 @@ package hirs.data.persist;
|
|||||||
import hirs.data.persist.tpm.PcrComposite;
|
import hirs.data.persist.tpm.PcrComposite;
|
||||||
import hirs.data.persist.tpm.PcrInfoShort;
|
import hirs.data.persist.tpm.PcrInfoShort;
|
||||||
import hirs.data.persist.tpm.PcrSelection;
|
import hirs.data.persist.tpm.PcrSelection;
|
||||||
|
import hirs.tpm.eventlog.TCGEventLog;
|
||||||
|
import hirs.tpm.eventlog.TpmPcrEvent;
|
||||||
import org.apache.commons.codec.DecoderException;
|
import org.apache.commons.codec.DecoderException;
|
||||||
import org.apache.commons.codec.binary.Hex;
|
import org.apache.commons.codec.binary.Hex;
|
||||||
import org.apache.logging.log4j.Logger;
|
import org.apache.logging.log4j.Logger;
|
||||||
@ -12,6 +14,9 @@ import javax.persistence.Entity;
|
|||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
|
import java.util.LinkedList;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
import static org.apache.logging.log4j.LogManager.getLogger;
|
import static org.apache.logging.log4j.LogManager.getLogger;
|
||||||
|
|
||||||
@ -24,14 +29,24 @@ public final class PCRPolicy extends Policy {
|
|||||||
private static final Logger LOGGER = getLogger(PCRPolicy.class);
|
private static final Logger LOGGER = getLogger(PCRPolicy.class);
|
||||||
|
|
||||||
private static final int NUM_TO_SKIP = 1;
|
private static final int NUM_TO_SKIP = 1;
|
||||||
|
private static final int NUM_OF_TBOOT_PCR = 3;
|
||||||
|
// PCR 5-16
|
||||||
|
private static final int PXE_PCR_START = 5;
|
||||||
|
private static final int PXE_PCR_END = 16;
|
||||||
// PCR 10
|
// PCR 10
|
||||||
private static final int IMA_PCR = 10;
|
private static final int IMA_PCR = 10;
|
||||||
// PCR 17-19
|
// PCR 17-19
|
||||||
private static final int TBOOT_PCR = 17;
|
private static final int TBOOT_PCR_START = 17;
|
||||||
private static final int NUM_OF_TBOOT_PCR = 3;
|
private static final int TBOOT_PCR_END = 19;
|
||||||
// PCR 5
|
// PCR 5
|
||||||
private static final int GPT_PCR = 5;
|
private static final int GPT_PCR = 5;
|
||||||
|
|
||||||
|
// Event Log Event Types
|
||||||
|
private static final String EVT_EFI_BOOT = "EV_EFI_BOOT_SERVICES_APPLICATION";
|
||||||
|
private static final String EVT_EFI_VAR = "EV_EFI_VARIABLE_BOOT";
|
||||||
|
private static final String EVT_EFI_GPT = "EV_EFI_GPT_EVENT";
|
||||||
|
private static final String EVT_EFI_CFG = "EV_EFI_VARIABLE_DRIVER_CONFIG";
|
||||||
|
|
||||||
@Column(nullable = false)
|
@Column(nullable = false)
|
||||||
private boolean enableIgnoreIma = false;
|
private boolean enableIgnoreIma = false;
|
||||||
@Column(nullable = false)
|
@Column(nullable = false)
|
||||||
@ -40,6 +55,8 @@ public final class PCRPolicy extends Policy {
|
|||||||
private boolean linuxOs = false;
|
private boolean linuxOs = false;
|
||||||
@Column(nullable = false)
|
@Column(nullable = false)
|
||||||
private boolean enableIgnoreGpt = true;
|
private boolean enableIgnoreGpt = true;
|
||||||
|
@Column(nullable = false)
|
||||||
|
private boolean enableIgnoreOsEvt = false;
|
||||||
|
|
||||||
private String[] baselinePcrs;
|
private String[] baselinePcrs;
|
||||||
|
|
||||||
@ -81,7 +98,7 @@ public final class PCRPolicy extends Policy {
|
|||||||
i += NUM_TO_SKIP;
|
i += NUM_TO_SKIP;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (enableIgnoretBoot && i == TBOOT_PCR) {
|
if (enableIgnoretBoot && i == TBOOT_PCR_START) {
|
||||||
LOGGER.info("PCR Policy TBoot Ignore enabled.");
|
LOGGER.info("PCR Policy TBoot Ignore enabled.");
|
||||||
i += NUM_OF_TBOOT_PCR;
|
i += NUM_OF_TBOOT_PCR;
|
||||||
}
|
}
|
||||||
@ -101,6 +118,45 @@ public final class PCRPolicy extends Policy {
|
|||||||
return sb;
|
return sb;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks that the expected FM events occurring. There are policy options that
|
||||||
|
* will ignore certin PCRs, Event Types and Event Variables present.
|
||||||
|
* @param tcgMeasurementLog Measurement log from the client
|
||||||
|
* @param eventValueMap The events stored as baseline to compare
|
||||||
|
* @return the events that didn't pass
|
||||||
|
*/
|
||||||
|
public List<TpmPcrEvent> validateTpmEvents(final TCGEventLog tcgMeasurementLog,
|
||||||
|
final Map<String, ReferenceDigestValue> eventValueMap) {
|
||||||
|
List<TpmPcrEvent> tpmPcrEvents = new LinkedList<>();
|
||||||
|
for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) {
|
||||||
|
if (enableIgnoreIma && tpe.getPcrIndex() == IMA_PCR) {
|
||||||
|
LOGGER.info(String.format("IMA Ignored -> %s", tpe));
|
||||||
|
} else if (enableIgnoretBoot && (tpe.getPcrIndex() >= TBOOT_PCR_START
|
||||||
|
&& tpe.getPcrIndex() <= TBOOT_PCR_END)) {
|
||||||
|
LOGGER.info(String.format("TBOOT Ignored -> %s", tpe));
|
||||||
|
} else if (enableIgnoreOsEvt && (tpe.getPcrIndex() >= PXE_PCR_START
|
||||||
|
&& tpe.getPcrIndex() <= PXE_PCR_END)) {
|
||||||
|
LOGGER.info(String.format("OS Evt Ignored -> %s", tpe));
|
||||||
|
} else {
|
||||||
|
if (enableIgnoreGpt && tpe.getEventTypeStr().contains(EVT_EFI_GPT)) {
|
||||||
|
LOGGER.info(String.format("GPT Ignored -> %s", tpe));
|
||||||
|
} else if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_BOOT)
|
||||||
|
|| tpe.getEventTypeStr().contains(EVT_EFI_VAR))) {
|
||||||
|
LOGGER.info(String.format("OS Evt Ignored -> %s", tpe));
|
||||||
|
} else if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_CFG)
|
||||||
|
&& tpe.getEventContentStr().contains("SecureBoot"))) {
|
||||||
|
LOGGER.info(String.format("OS Evt Config Ignored -> %s", tpe));
|
||||||
|
} else {
|
||||||
|
if (!eventValueMap.containsKey(tpe.getEventDigestStr())) {
|
||||||
|
tpmPcrEvents.add(tpe);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return tpmPcrEvents;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Compares hashs to validate the quote from the client.
|
* Compares hashs to validate the quote from the client.
|
||||||
*
|
*
|
||||||
@ -122,6 +178,7 @@ public final class PCRPolicy extends Policy {
|
|||||||
} catch (DecoderException deEx) {
|
} catch (DecoderException deEx) {
|
||||||
LOGGER.error(deEx);
|
LOGGER.error(deEx);
|
||||||
}
|
}
|
||||||
|
|
||||||
PcrSelection pcrSelection = new PcrSelection(PcrSelection.ALL_PCRS_ON);
|
PcrSelection pcrSelection = new PcrSelection(PcrSelection.ALL_PCRS_ON);
|
||||||
PcrComposite pcrComposite = new PcrComposite(
|
PcrComposite pcrComposite = new PcrComposite(
|
||||||
pcrSelection,
|
pcrSelection,
|
||||||
@ -211,6 +268,22 @@ public final class PCRPolicy extends Policy {
|
|||||||
this.enableIgnoreGpt = enableIgnoreGpt;
|
this.enableIgnoreGpt = enableIgnoreGpt;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Getter for the Os Events ignore flag.
|
||||||
|
* @return true if Os Events is to be ignored.
|
||||||
|
*/
|
||||||
|
public boolean isEnableIgnoreOsEvt() {
|
||||||
|
return enableIgnoreOsEvt;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Setter for the Os Evt ignore flag.
|
||||||
|
* @param enableIgnoreOsEvt true if Os Evt is to be ignored.
|
||||||
|
*/
|
||||||
|
public void setEnableIgnoreOsEvt(final boolean enableIgnoreOsEvt) {
|
||||||
|
this.enableIgnoreOsEvt = enableIgnoreOsEvt;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Getter for a flag to indicate the type of OS.
|
* Getter for a flag to indicate the type of OS.
|
||||||
* @return true if the system is linux.
|
* @return true if the system is linux.
|
||||||
|
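Review bot: In `validateTpmEvents` (`@ -101,6 +118,45 @@`) the `enableIgnoreOsEvt` branch discards every event whose PCR index is in `PXE_PCR_START..PXE_PCR_END` (5–16), which covers PCR 7 where Secure Boot policy is normally measured, and the inner branch additionally discards `EV_EFI_VARIABLE_DRIVER_CONFIG` events whose content contains `SecureBoot`; the Javadoc's "will ignore certin PCRs, Event Types and Event Variables" should spell this out, e.g. `Enabling the OS-event option excludes PCRs 5-16 and the EFI boot, boot-variable and SecureBoot driver-config events from the comparison.` The event-type rules use `contains` on `getEventTypeStr()`, so a constant such as `EV_EFI_VARIABLE_BOOT` also matches any longer type name that embeds it; `equals` pins each rule to the named type. The `// PCR 5-16` comment on the new constants should also say why that range is treated as OS/PXE events, since `GPT_PCR` (5) falls inside it and the inner GPT rule is then reached for PCR 5 events only while `enableIgnoreOsEvt` is false, which is presumably why the controller forces GPT ignore on together with it. The `@Column` default `enableIgnoreOsEvt = false` keeps the stricter behaviour unless an operator opts in.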
@ -226,6 +226,15 @@ public class SupplyChainPolicy extends Policy {
|
|||||||
return this.pcrPolicy.isEnableIgnoreGpt();
|
return this.pcrPolicy.isEnableIgnoreGpt();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns whether or not to validate the ignore Os Events on the device.
|
||||||
|
*
|
||||||
|
* @return whether or not to validate the ignore Os Events
|
||||||
|
*/
|
||||||
|
public boolean isIgnoreOsEvtEnabled() {
|
||||||
|
return this.pcrPolicy.isEnableIgnoreOsEvt();
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets whether or not validate the ignore GPT on the device.
|
* Sets whether or not validate the ignore GPT on the device.
|
||||||
* @param enableIgnoreGpt whether or not to validate the ignore GPT
|
* @param enableIgnoreGpt whether or not to validate the ignore GPT
|
||||||
@ -234,6 +243,14 @@ public class SupplyChainPolicy extends Policy {
|
|||||||
this.pcrPolicy.setEnableIgnoreGpt(enableIgnoreGpt);
|
this.pcrPolicy.setEnableIgnoreGpt(enableIgnoreGpt);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets whether or not validate the ignore Os Events on the device.
|
||||||
|
* @param enableIgnoreOsEvt whether or not to validate the ignore Os Events
|
||||||
|
*/
|
||||||
|
public void setIgnoreOsEvtEnabled(final boolean enableIgnoreOsEvt) {
|
||||||
|
this.pcrPolicy.setEnableIgnoreOsEvt(enableIgnoreOsEvt);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns whether or not to allow expired credentials and certificates to be considered
|
* Returns whether or not to allow expired credentials and certificates to be considered
|
||||||
* valid if their supply chain is otherwise verified.
|
* valid if their supply chain is otherwise verified.
|
||||||
|
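Review bot: The Javadoc on the new `isIgnoreOsEvtEnabled` and `setIgnoreOsEvtEnabled`, "Returns whether or not to validate the ignore Os Events on the device", reads as if the flag turns validation on, whereas the delegate `pcrPolicy.isEnableIgnoreOsEvt()` reports whether OS event measurements are excluded from firmware validation; `Returns whether OS event measurements are ignored during firmware validation.` and `@param enableIgnoreOsEvt true to exclude OS event measurements from firmware validation` say what the option does. The wording is copied from the GPT accessors, whose bodies sit partly outside the hunks.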