From 121b02108f824163c7e2c5ac412e11787abdf031 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 20 Nov 2020 08:34:22 -0500 Subject: [PATCH 01/15] Update VERSION Updating release version number. --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 524cb552..e9307ca5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.1 +2.0.2 From 85be3c2fc86e028a901b674d60396d69524cb83b Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Fri, 20 Nov 2020 08:56:34 -0500 Subject: [PATCH 02/15] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index e9307ca5..227cea21 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.0.2 +2.0.0 From 91fbc7cfd2974d1d28c1c668d57f5dfe3adc097f Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 20 Nov 2020 09:42:37 -0500 Subject: [PATCH 03/15] Initial commit, that adds an additional check to the file being uploaded to the rim page to ensure that it is a valid file. --- .../controllers/ReferenceManifestPageController.java | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java index eed18ab4..24c853f5 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java 
@@ -60,6 +60,7 @@ public class ReferenceManifestPageController private static final String BIOS_RELEASE_DATE_FORMAT = "yyyy-MM-dd"; private static final String LOG_FILE_PATTERN = "([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"; + private static final String SWID_FILE_PATTERN = "([^\\s]+(\\.(?i)(swidtag))$)"; private final BiosDateValidator biosValidator; private final ReferenceManifestManager referenceManifestManager; @@ -188,18 +189,21 @@ public class ReferenceManifestPageController Map model = new HashMap<>(); PageMessages messages = new PageMessages(); String fileName; - Pattern pattern; + Pattern logPattern = Pattern.compile(LOG_FILE_PATTERN); + Pattern swidPattern = Pattern.compile(SWID_FILE_PATTERN); Matcher matcher; boolean supportRIM = false; + boolean swidtag = false; BaseReferenceManifest base; SupportReferenceManifest support; // loop through the files for (MultipartFile file : files) { fileName = file.getOriginalFilename(); - pattern = Pattern.compile(LOG_FILE_PATTERN); - matcher = pattern.matcher(fileName); + matcher = logPattern.matcher(fileName); supportRIM = matcher.matches(); + matcher = swidPattern.matcher(fileName); + swidtag = matcher.matches(); //Parse reference manifests ReferenceManifest rim = parseRIM(file, supportRIM, messages); @@ -223,7 +227,7 @@ public class ReferenceManifestPageController } } } - } else { + } else if (swidtag) { base = (BaseReferenceManifest) rim; for (SwidResource swid : base.parseResource()) { From fddc65e6cff441a856b4b01cd58ae7c75b29188d Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 20 Nov 2020 09:50:57 -0500 Subject: [PATCH 04/15] Simplified the code to do the same thing --- .../ReferenceManifestPageController.java | 91 +++++++++---------- 1 file changed, 43 insertions(+), 48 deletions(-) 
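Review bot: The new `} else if (swidtag) {` in the third hunk still casts `rim` to `BaseReferenceManifest` and calls `base.parseResource()` without checking that `parseRIM` returned a non-null object, and the classification that drives the cast is only a regex over `file.getOriginalFilename()`, a client-supplied string that can itself be null and would then throw from `logPattern.matcher(fileName)`. Matching the extension does not make the upload a valid RIM; testing the parsed object instead, `if (rim instanceof BaseReferenceManifest)`, would guard the cast, the null result and the extension mismatch at once. A file matching neither pattern now skips both association branches but, as far as these hunks show, still reaches the store call further down the method. The enclosing upload method starts and ends outside the hunks.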
diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java index 24c853f5..9f7c5c7c 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java @@ -60,7 +60,6 @@ public class ReferenceManifestPageController private static final String BIOS_RELEASE_DATE_FORMAT = "yyyy-MM-dd"; private static final String LOG_FILE_PATTERN = "([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"; - private static final String SWID_FILE_PATTERN = "([^\\s]+(\\.(?i)(swidtag))$)"; private final BiosDateValidator biosValidator; private final ReferenceManifestManager referenceManifestManager; @@ -190,10 +189,8 @@ public class ReferenceManifestPageController PageMessages messages = new PageMessages(); String fileName; Pattern logPattern = Pattern.compile(LOG_FILE_PATTERN); - Pattern swidPattern = Pattern.compile(SWID_FILE_PATTERN); Matcher matcher; boolean supportRIM = false; - boolean swidtag = false; BaseReferenceManifest base; SupportReferenceManifest support; 
@@ -202,63 +199,61 @@ public class ReferenceManifestPageController fileName = file.getOriginalFilename(); matcher = logPattern.matcher(fileName); supportRIM = matcher.matches(); - matcher = swidPattern.matcher(fileName); - swidtag = matcher.matches(); //Parse reference manifests ReferenceManifest rim = parseRIM(file, supportRIM, messages); - if (supportRIM) { - // look for associated base/support - Set rims = BaseReferenceManifest - .select(referenceManifestManager).getRIMs(); - support = (SupportReferenceManifest) rim; - // update information for associated support rim - for (BaseReferenceManifest dbRim : rims) { - for (SwidResource swid : dbRim.parseResource()) { - if (swid.getName().equals(rim.getFileName())) { - support.setSwidTagVersion(dbRim.getSwidTagVersion()); - support.setPlatformManufacturer(dbRim.getPlatformManufacturer()); - support.setPlatformModel(dbRim.getPlatformModel()); - support.setTagId(dbRim.getTagId()); - support.setAssociatedRim(dbRim.getId()); - support.setUpdated(true); - break; + //Store only if it was parsed + if (rim != null) { + if (supportRIM) { + // look for associated base/support + Set rims = BaseReferenceManifest + .select(referenceManifestManager).getRIMs(); + support = (SupportReferenceManifest) rim; + // update information for associated support rim + for (BaseReferenceManifest dbRim : rims) { + for (SwidResource swid : dbRim.parseResource()) { + if (swid.getName().equals(rim.getFileName())) { + support.setSwidTagVersion(dbRim.getSwidTagVersion()); + support.setPlatformManufacturer(dbRim.getPlatformManufacturer()); + support.setPlatformModel(dbRim.getPlatformModel()); + support.setTagId(dbRim.getTagId()); + support.setAssociatedRim(dbRim.getId()); + support.setUpdated(true); + break; + } } } - } - } else if (swidtag) { - base = (BaseReferenceManifest) rim; + } else { + base = (BaseReferenceManifest) rim; - for (SwidResource swid : base.parseResource()) { - support = SupportReferenceManifest.select(referenceManifestManager) - 
.byFileName(swid.getName()).getRIM(); - if (support != null) { - base.setAssociatedRim(support.getId()); - if (support.isUpdated()) { - // this is separate because I want to break if we found it - // instead of finding it, it is uptodate but still search - break; - } else { - support.setSwidTagVersion(base.getSwidTagVersion()); - support.setPlatformManufacturer(base.getPlatformManufacturer()); - support.setPlatformModel(base.getPlatformModel()); - support.setTagId(base.getTagId()); - support.setUpdated(true); - try { - referenceManifestManager.update(support); - } catch (DBManagerException dbmEx) { - LOGGER.error(String.format("Couldn't update Support RIM " - + "%s with associated UUID %s", rim.getTagId(), - support.getId()), dbmEx); + for (SwidResource swid : base.parseResource()) { + support = SupportReferenceManifest.select(referenceManifestManager) + .byFileName(swid.getName()).getRIM(); + if (support != null) { + base.setAssociatedRim(support.getId()); + if (support.isUpdated()) { + // this is separate because I want to break if we found it + // instead of finding it, it is uptodate but still search + break; + } else { + support.setSwidTagVersion(base.getSwidTagVersion()); + support.setPlatformManufacturer(base.getPlatformManufacturer()); + support.setPlatformModel(base.getPlatformModel()); + support.setTagId(base.getTagId()); + support.setUpdated(true); + try { + referenceManifestManager.update(support); + } catch (DBManagerException dbmEx) { + LOGGER.error(String.format("Couldn't update Support RIM " + + "%s with associated UUID %s", rim.getTagId(), + support.getId()), dbmEx); + } } } } } - } - //Store only if it was parsed - if (rim != null) { storeManifest(file.getOriginalFilename(), messages, rim, From 46792648975174801a6d856b2d5bb5acaa651c5f Mon Sep 17 00:00:00 2001 
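Review bot: The `else` branch in this hunk now receives every parsed RIM whose name does not match `LOG_FILE_PATTERN`, because the `swidtag` guard added in the previous commit is removed here, so this is not strictly "the same thing": an upload with an unrecognized extension that `parseRIM` accepts is cast to `BaseReferenceManifest` unconditionally. The new `if (rim != null)` wrapper protects the two casts from null but not from a mismatched type; `if (rim instanceof SupportReferenceManifest)` followed by `else if (rim instanceof BaseReferenceManifest)` would make both branches self-describing and stop the association logic depending on the client's file name. The method continues past the end of the hunk.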
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Fri, 20 Nov 2020 12:42:07 -0500 Subject: [PATCH 05/15] Fix path for jar file --- tools/tcg_rim_tool/tcg_rim_tool.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/tcg_rim_tool/tcg_rim_tool.spec b/tools/tcg_rim_tool/tcg_rim_tool.spec index ed6f5a0d..502d3caf 100644 --- a/tools/tcg_rim_tool/tcg_rim_tool.spec +++ b/tools/tcg_rim_tool/tcg_rim_tool.spec @@ -23,7 +23,7 @@ rm -f /opt/hirs/rimtool/%{name}*.jar %install mkdir -p %{buildroot}/opt/hirs/rimtool/ %{buildroot}/usr/local/bin -cp build/libs/tools/%{name}-%{version}.jar %{buildroot}/opt/hirs/rimtool/ +cp build/libs/%{name}-%{version}.jar %{buildroot}/opt/hirs/rimtool/ cp ./rim_fields.json %{buildroot}/opt/hirs/rimtool/ cp ./keystore.jks %{buildroot}/opt/hirs/rimtool/ cp -r ./scripts/ %{buildroot}/opt/hirs/rimtool/ From 781dc92d9542e16ea0d9e5b30808795038ca22c0 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 24 Nov 2020 10:13:00 -0500 Subject: [PATCH 06/15] Added a bug fix for support rim and base rim display. If the Support RIM was uploaded, separately, first, then the Base; the base RIM details page would display a linked Support RIM but no expected PCR values. --- .../controllers/ReferenceManifestDetailsPageController.java | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index ded07cee..65298a58 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java 
@@ -102,6 +102,7 @@ public class ReferenceManifestDetailsPageController LOGGER.error(uuidError, iaEx); } catch (Exception ioEx) { LOGGER.error(ioEx); + LOGGER.trace(ioEx); } if (data.isEmpty()) { String notFoundMessage = "Unable to find RIM with ID: " + params.getId(); @@ -236,6 +237,10 @@ public class ReferenceManifestDetailsPageController baseRim.setAssociatedRim(support.getId()); logProcessor = new TCGEventLog(support.getRimBytes()); } + } else { + support = SupportReferenceManifest.select(referenceManifestManager) + .byEntityId(baseRim.getAssociatedRim()).getRIM(); + logProcessor = new TCGEventLog(support.getRimBytes()); } // going to have to pull the filename and grab that from the DB // to get the id to make the link From 40e744690b3d4bf72b2fb2eedc303afaa6655c27 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Wed, 25 Nov 2020 08:23:02 -0500 Subject: [PATCH 07/15] The 3 files the provisioner uploads to the ACA are system flat files. If the first or second one dosn't exist or cause an exception to be thrown, the rest aren't executed. This change separates the try catch statements so that each one is executed independently of the previous ones' error. --- HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index f280c924..f30d6588 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp 
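Review bot: In the second hunk the new `else` branch calls `support.getRimBytes()` straight after `.byEntityId(baseRim.getAssociatedRim()).getRIM()` with no null check, while the same `getRIM()` result is null-checked elsewhere in this series (`if (support != null)` in ReferenceManifestPageController); an associated id that no longer resolves would turn the details page into a NullPointerException. Guard it: `if (support != null) { logProcessor = new TCGEventLog(support.getRimBytes()); }`. The first hunk logs `ioEx` at both ERROR and TRACE inside a `catch (Exception ...)`, which duplicates output without adding context; a message naming the requested RIM id would be more useful than the second call. The enclosing method continues outside both hunks.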
@@ -74,7 +74,15 @@ int provision() { const std::string& swid_file = props.get("tcg.swidtag.file", ""); try { dv.set_logfile(hirs::file_utils::fileToString(rim_file)); + } catch (HirsRuntimeException& hirsRuntimeException) { + logger.error(hirsRuntimeException.what()); + } + try { dv.set_swidfile(hirs::file_utils::fileToString(swid_file)); + } catch (HirsRuntimeException& hirsRuntimeException) { + logger.error(hirsRuntimeException.what()); + } + try { dv.set_livelog(hirs::file_utils::fileToString( "/sys/kernel/security/tpm0/binary_bios_measurements")); } catch (HirsRuntimeException& hirsRuntimeException) { From 749a3a2317fd043ff5e311ae4f212ade8b813d57 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Wed, 25 Nov 2020 10:06:56 -0500 Subject: [PATCH 08/15] When the provisioner sends the rim swidtag and the rimel and they already exists in the db but are archived, they don't unarchive them so they never show up on the RIM page. This change fixes that. --- .../AbstractAttestationCertificateAuthority.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index e3051ee0..1469a938 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -773,6 +773,8 @@ public abstract class AbstractAttestationCertificateAuthority this.referenceManifestManager.save(dbBaseRim); } else { LOG.info("Client provided Base RIM already loaded in database."); + dbBaseRim.restore(); + dbBaseRim.resetCreateTime(); } tagId = dbBaseRim.getTagId(); 
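Review bot: The three `try`/`catch (HirsRuntimeException&)` blocks in this hunk are now identical apart from the setter and the path, and none of them says which of the three files failed; unless `what()` already carries the path, the operator sees indistinguishable error lines when more than one file is missing. A small local helper taking the path and the setter would remove the duplication and let each log line name its source, for example by prefixing `"rim file: "`, `"swidtag file: "` or `"live log: "` to `hirsRuntimeException.what()`. `provision()` begins and ends outside the hunk.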
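Review bot: `dbBaseRim.restore()` and `dbBaseRim.resetCreateTime()` in this hunk change the entity in memory, but unlike the support branch in the next hunk, which ends with `this.referenceManifestManager.update(support)`, no `update(dbBaseRim)` is visible after them, so the un-archive of the base RIM may never be persisted unless an update happens further down outside the hunk; worth confirming, or adding `this.referenceManifestManager.update(dbBaseRim);` next to them. Note also that both hunks reverse an archive purely because a provisioning client re-sent the same bytes, so an operator's decision to archive a RIM can be undone by any device that still carries it; if archiving is meant as an administrative disable, that deserves a comment or an explicit policy check here. The enclosing method runs past both hunks.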
@@ -798,7 +800,7 @@ public abstract class AbstractAttestationCertificateAuthority support.setTagId(tagId); this.referenceManifestManager.save(support); } else { - LOG.error("Client provided Support RIM already loaded in database."); + LOG.info("Client provided Support RIM already loaded in database."); if (dbBaseRim != null) { support.setPlatformManufacturer(dbBaseRim.getPlatformManufacturer()); support.setPlatformModel(dbBaseRim.getPlatformModel()); @@ -807,6 +809,8 @@ public abstract class AbstractAttestationCertificateAuthority support.setTagId(dbBaseRim.getTagId()); } + support.restore(); + support.resetCreateTime(); this.referenceManifestManager.update(support); } } catch (IOException ioEx) { From 61359e19205a46332e85cce4b2e822b50a186697 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 27 Nov 2020 13:09:04 -0500 Subject: [PATCH 09/15] Updated the provisioner to look into the tcg properties file for the location of the certificates that are to be uploaded instead of using the tpm (if the file is not in the tpm). --- HIRS_ProvisionerTPM2/include/Utils.h | 3 +++ .../package/rpm-post-install.sh | 11 +++++--- HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 17 +++++++++++-- HIRS_ProvisionerTPM2/src/Utils.cpp | 25 +++++++++++++++++++ 4 files changed, 51 insertions(+), 5 deletions(-) diff --git a/HIRS_ProvisionerTPM2/include/Utils.h b/HIRS_ProvisionerTPM2/include/Utils.h index ca85ff45..acad7f60 100644 --- a/HIRS_ProvisionerTPM2/include/Utils.h +++ b/HIRS_ProvisionerTPM2/include/Utils.h @@ -5,6 +5,7 @@ #define HIRS_PROVISIONERTPM2_INCLUDE_UTILS_H_ #include +#include namespace hirs { @@ -32,6 +33,8 @@ namespace file_utils { std::string getFileAsOneLineOrEmptyString(const std::string& filename); + std::vector searchDirectory(const std::string& directory); + void writeBinaryFile(const std::string& bytes, const std::string& filename); 
diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index bb8f9182..9622dc3d 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh @@ -41,9 +41,10 @@ fi ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties" -MAINFEST_DIRECTORY="/boot/tcg/manifest" -LOG_FILE_LOCATION="$MAINFEST_DIRECTORY/rim/" -TAG_FILE_LOCATION="$MAINFEST_DIRECTORY/swidtag/" +TCG_DIRECTORY="/boot/tcg" +LOG_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/" +TAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/" +CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/" if [ ! -f "$TCG_BOOT_FILE" ]; then touch "$TCG_BOOT_FILE" @@ -59,4 +60,8 @@ if [ -d "$TAG_FILE_LOCATION" ]; then echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE" fi +if [ -d "$CREDENTIALS_LOCATION" ]; then + echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_BOOT_FILE" +fi + chmod -w "$TCG_BOOT_FILE" diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index f280c924..705bf01d 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp @@ -44,6 +44,7 @@ int provision() { Logger logger = Logger::getDefaultLogger(); CommandTpm2 tpm2; + Properties props("/etc/hirs/tcg_boot.properties"); tpm2.setAuthData(); // get endorsement credential and endorsement key 
@@ -62,14 +63,26 @@ int provision() { cout << "----> Collecting platform credential from TPM" << endl; string platformCredential = tpm2.getPlatformCredentialDefault(); std::vector platformCredentials; - platformCredentials.push_back(platformCredential); + + // if platformCredential is empty, not in TPM + // pull from properties file + if (platformCredential.empty()) { + const std::string& cert_dir = props.get("tcg.cert.dir", ""); + try { + platformCredentials = + hirs::file_utils::searchDirectory(cert_dir); + } catch (HirsRuntimeException& hirsRuntimeException) { + logger.error(hirsRuntimeException.what()); + } + } else { + platformCredentials.push_back(platformCredential); + } // collect device info cout << "----> Collecting device information" << endl; hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo(); dv.set_pcrslist(tpm2.getPcrList()); // collect TCG Boot files - Properties props("/etc/hirs/tcg_boot.properties"); const std::string& rim_file = props.get("tcg.rim.file", ""); const std::string& swid_file = props.get("tcg.swidtag.file", ""); try { diff --git a/HIRS_ProvisionerTPM2/src/Utils.cpp b/HIRS_ProvisionerTPM2/src/Utils.cpp index 957e6a5f..75aeccf8 100644 --- a/HIRS_ProvisionerTPM2/src/Utils.cpp +++ b/HIRS_ProvisionerTPM2/src/Utils.cpp @@ -6,6 +6,7 @@ #include +#include #include #include #include 
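Review bot: When `platformCredential` is empty and `tcg.cert.dir` is unset or names a missing directory, `searchDirectory(cert_dir)` returns an empty vector without throwing (its `opendir` failure path in Utils.cpp simply falls through to the return), so the `catch` here never fires and provisioning continues with no platform credential and no log line explaining why. Add a check after the fallback, e.g. `if (platformCredentials.empty()) { logger.error("No platform credential found in TPM or tcg.cert.dir"); }`. Because `props.get("tcg.cert.dir", "")` defaults to an empty string, the unset-key case is exactly this silent path. `provision()` continues outside the hunk.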
@@ -118,6 +119,30 @@ namespace file_utils { return string_utils::trimNewLines(fileToString(filename, "")); } + vector searchDirectory(const string& directory) { + DIR *dr; + std::vector platform_credentials; + dr = opendir(directory.c_str()); + + if (dr) { + struct dirent *en; + while ((en = readdir(dr)) != NULL) { + stringstream ss; + ss << directory.c_str(); + ss << en->d_name; + try { + platform_credentials.push_back(fileToString(ss.str())); + } catch (HirsRuntimeException& hirsRuntimeException) { + std::cout << hirsRuntimeException.what(); + } + } + // close directory + closedir(dr); + } + + return platform_credentials; + } + /** * Takes a byte string and writes the contents to a file of the given name. * @param bytes string bytes to write From bfeff6c867b2cc29df681eb153306694aed82454 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 30 Nov 2020 08:38:46 -0500 Subject: [PATCH 10/15] initial commit --- HIRS_ProvisionerTPM2/include/Utils.h | 2 +- HIRS_ProvisionerTPM2/package/rpm-post-install.sh | 12 +++++------- HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto | 4 ++-- HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 14 +++++++++----- HIRS_ProvisionerTPM2/src/Utils.cpp | 8 ++++---- 5 files changed, 21 insertions(+), 19 deletions(-) diff --git a/HIRS_ProvisionerTPM2/include/Utils.h b/HIRS_ProvisionerTPM2/include/Utils.h index acad7f60..39099750 100644 --- a/HIRS_ProvisionerTPM2/include/Utils.h +++ b/HIRS_ProvisionerTPM2/include/Utils.h @@ -33,7 +33,7 @@ namespace file_utils { std::string getFileAsOneLineOrEmptyString(const std::string& filename); - std::vector searchDirectory(const std::string& directory); + std::vector search_directory(const std::string& directory); void writeBinaryFile(const std::string& bytes, const std::string& filename); diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index 9622dc3d..ce08f17d 100644 
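Review bot: `searchDirectory` builds each path as `directory` immediately followed by `en->d_name`, so a `tcg.cert.dir` value without a trailing slash yields a path like `<dir>platform_cert.pem` joined with no separator; the installer happens to write a trailing slash, but the property is operator-editable. `readdir` also returns `.`, `..` and any subdirectory or unrelated file, all of which are handed to `fileToString` and, on success, shipped to the ACA as platform credentials, and the per-file failure is written with `std::cout` and no newline instead of going through the logger. The rewrite below normalizes the separator and skips the two directory entries; whether other non-regular entries need filtering depends on what `fileToString` does with a directory, which is outside the hunk.
```cpp
    vector<string> searchDirectory(const string& directory) {
        std::vector<string> platform_credentials;
        std::string base = directory;
        if (!base.empty() && base.back() != '/') {
            base += '/';  // property value may omit the separator
        }
        DIR *dr = opendir(base.c_str());
        if (dr) {
            struct dirent *en;
            while ((en = readdir(dr)) != NULL) {
                std::string name = en->d_name;
                if (name == "." || name == "..") {
                    continue;  // directory entries, not credential files
                }
                try {
                    platform_credentials.push_back(fileToString(base + name));
                } catch (HirsRuntimeException& hirsRuntimeException) {
                    // … unchanged: per-file failure handling (should use the logger) …
                }
            }
            closedir(dr);
        }
        return platform_credentials;
    }
```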
--- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh @@ -42,22 +42,20 @@ ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties" TCG_DIRECTORY="/boot/tcg" -LOG_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/" -TAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/" +RIM_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/" +SWIDTAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/" CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/" if [ ! -f "$TCG_BOOT_FILE" ]; then touch "$TCG_BOOT_FILE" fi -if [ -d "$LOG_FILE_LOCATION" ]; then - RIM_FILE=$(find "$LOG_FILE_LOCATION" -name '*.rimel' -or -name '*.bin' -or -name '*.rimpcr' -or -name '*.log') - echo "tcg.rim.file=$RIM_FILE" > "$TCG_BOOT_FILE" +if [ -d "$RIM_FILE_LOCATION" ]; then + echo "tcg.rim.dir=$RIM_FILE_LOCATION" > "$TCG_BOOT_FILE" fi if [ -d "$TAG_FILE_LOCATION" ]; then - SWID_FILE=$(find "$TAG_FILE_LOCATION" -name '*.swidtag') - echo "tcg.swidtag.file=$SWID_FILE" >> "$TCG_BOOT_FILE" + echo "tcg.swidtag.dir=$SWIDTAG_FILE_LOCATION" >> "$TCG_BOOT_FILE" fi if [ -d "$CREDENTIALS_LOCATION" ]; then diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto index af38dbac..e8cd5766 100644 --- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto +++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto @@ -58,8 +58,8 @@ message DeviceInfo { required NetworkInfo nw = 3; required OsInfo os = 4; optional bytes pcrslist = 5; - optional bytes logfile = 6; - optional bytes swidfile = 7; + repeated bytes logfile = 6; + repeated bytes swidfile = 7; optional bytes livelog = 8; } diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index 957759e7..cd86e0a1 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp 
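Review bot: The context line `if [ -d "$TAG_FILE_LOCATION" ]; then` still references the variable this hunk renames to `SWIDTAG_FILE_LOCATION`, so `$TAG_FILE_LOCATION` is now unset, the test is always false, and `tcg.swidtag.dir` is never written to `tcg_boot.properties`; the provisioner's `props.get("tcg.swidtag.dir", "")` in the next file then resolves to an empty path. Change the line to `if [ -d "$SWIDTAG_FILE_LOCATION" ]; then`. ShellCheck flags this stale-name pattern, and running the script with `set -u` would have aborted on it.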
@@ -70,7 +70,7 @@ int provision() { const std::string& cert_dir = props.get("tcg.cert.dir", ""); try { platformCredentials = - hirs::file_utils::searchDirectory(cert_dir); + hirs::file_utils::search_directory(cert_dir); } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } @@ -83,15 +83,19 @@ int provision() { hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo(); dv.set_pcrslist(tpm2.getPcrList()); // collect TCG Boot files - const std::string& rim_file = props.get("tcg.rim.file", ""); - const std::string& swid_file = props.get("tcg.swidtag.file", ""); + std::vector rim_files; + std::vector swidtag_files; + const std::string& rim_dir = props.get("tcg.rim.dir", ""); + const std::string& swid_dir = props.get("tcg.swidtag.dir", ""); try { - dv.set_logfile(hirs::file_utils::fileToString(rim_file)); + rim_files = hirs::file_utils::search_directory(rim_dir); + dv.set_logfile(rim_files); } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } try { - dv.set_swidfile(hirs::file_utils::fileToString(swid_file)); + swidtag_files = hirs::file_utils::search_directory(swid_dir); + dv.set_swidfile(swidtag_files); } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } diff --git a/HIRS_ProvisionerTPM2/src/Utils.cpp b/HIRS_ProvisionerTPM2/src/Utils.cpp index 75aeccf8..d8f10b56 100644 --- a/HIRS_ProvisionerTPM2/src/Utils.cpp +++ b/HIRS_ProvisionerTPM2/src/Utils.cpp @@ -119,9 +119,9 @@ namespace file_utils { return string_utils::trimNewLines(fileToString(filename, "")); } - vector searchDirectory(const string& directory) { + vector search_directory(const string& directory) { DIR *dr; - std::vector platform_credentials; + std::vector files; dr = opendir(directory.c_str()); if (dr) { 
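Review bot: `dv.set_logfile(rim_files)` and `dv.set_swidfile(swidtag_files)` pass a `std::vector` to fields this series just changed to `repeated bytes` in ProvisionerTpm2.proto; protoc's C++ generator emits `add_logfile(...)`, `mutable_logfile()` and an indexed `set_logfile(int, ...)` for a repeated field, not a setter taking a whole vector, so unless a hand-written overload exists this will not compile. Replace each call with a loop over the vector, `for (const auto& f : rim_files) { dv.add_logfile(f); }` and likewise `dv.add_swidfile(f)` for the swidtag files. `provision()` continues outside the hunk.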
@@ -131,7 +131,7 @@ namespace file_utils { ss << directory.c_str(); ss << en->d_name; try { - platform_credentials.push_back(fileToString(ss.str())); + files.push_back(fileToString(ss.str())); } catch (HirsRuntimeException& hirsRuntimeException) { std::cout << hirsRuntimeException.what(); } @@ -140,7 +140,7 @@ namespace file_utils { closedir(dr); } - return platform_credentials; + return files; } /** From 29b7d466cd8a4bd53af2bdfd30c50ef68509c26f Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 30 Nov 2020 09:23:10 -0500 Subject: [PATCH 11/15] Updated wording in validation for failed trust store --- .../java/hirs/validation/SupplyChainCredentialValidator.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java index b449e2de..6aa80ff2 100644 --- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java +++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java @@ -168,12 +168,12 @@ public final class SupplyChainCredentialValidator implements CredentialValidator } try { if (trustStore == null || trustStore.size() == 0) { - message = baseErrorMessage + "a trust store\n"; + message = baseErrorMessage + "an Issuer Cert in the Trust Store\n"; LOGGER.error(message); return new AppraisalStatus(FAIL, message); } } catch (KeyStoreException e) { - message = baseErrorMessage + "an intitialized trust store"; + message = baseErrorMessage + "an initialized trust store"; LOGGER.error(message); return new AppraisalStatus(FAIL, message); } From 857f1eb0ffb64c63fed26c5b59c79232f3e95d41 Mon Sep 17 00:00:00 2001 
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 30 Nov 2020 10:11:25 -0500 Subject: [PATCH 12/15] There was a pull for an object that would be null without any RIMs uploaded. --- .../AbstractAttestationCertificateAuthority.java | 8 ++++++-- .../service/SupplyChainValidationServiceImpl.java | 4 ++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index e3051ee0..a3a7627f 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -410,8 +410,12 @@ public abstract class AbstractAttestationCertificateAuthority // parse the EK Public key from the IdentityClaim once for use in supply chain validation // and later tpm20MakeCredential function RSAPublicKey ekPub = parsePublicKey(claim.getEkPublicArea().toByteArray()); - - AppraisalStatus.Status validationResult = doSupplyChainValidation(claim, ekPub); + AppraisalStatus.Status validationResult = AppraisalStatus.Status.FAIL; + try { + validationResult = doSupplyChainValidation(claim, ekPub); + } catch (Exception ex) { + LOG.error(ex); + } if (validationResult == AppraisalStatus.Status.PASS) { RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray()); diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 02ca8693..9cc6d494 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
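Review bot: `catch (Exception ex) { LOG.error(ex); }` around `doSupplyChainValidation` fails closed, which is the right default for an identity claim, but the blanket catch will also hide genuine programming errors behind a bare stack trace with no indication of which client or claim triggered it; the commit message ties the failure to a null RIM, which the companion SupplyChainValidationServiceImpl hunk addresses directly. At minimum give the log a message, `LOG.error("Supply chain validation threw; failing the identity claim", ex);`, and consider narrowing the catch once the null case is handled at its source. The enclosing method begins and ends outside the hunk.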
@@ -369,8 +369,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe .byManufacturer(manufacturer).getRIM(); supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager) .byManufacturer(manufacturer).getRIM(); - List resources = - ((BaseReferenceManifest) baseReferenceManifest).parseResource(); measurement = EventLogMeasurements.select(referenceManifestManager) .byManufacturer(manufacturer).includeArchived().getRIM(); @@ -390,6 +388,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } if (passed) { + List resources = + ((BaseReferenceManifest) baseReferenceManifest).parseResource(); fwStatus = new AppraisalStatus(PASS, SupplyChainCredentialValidator.FIRMWARE_VALID); From 6eefb393a37fc95a8450aa8951f7274485f7496e Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 30 Nov 2020 14:16:57 -0500 Subject: [PATCH 13/15] Updated the code to pull all the files from a swid tag file directory and a rim log file directory, instead of a single file. --- ...stractAttestationCertificateAuthority.java | 126 +++++++++--------- .../package/rpm-post-install.sh | 2 +- HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 12 +- 3 files changed, 76 insertions(+), 64 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 1469a938..02165d56 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java 
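Review bot: Moving `((BaseReferenceManifest) baseReferenceManifest).parseResource()` under `if (passed)` only avoids the null dereference if `passed` can never be true while `baseReferenceManifest` is null, and that computation lies outside the hunk; as written the cast and call still carry no guard of their own. An explicit `if (passed && baseReferenceManifest != null)` or a comment stating the invariant would make the intent visible to the next reader. The enclosing method runs beyond both hunks.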
@@ -743,78 +743,82 @@ public abstract class AbstractAttestationCertificateAuthority Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"); Matcher matcher; - if (dv.hasSwidfile()) { - try { - dbBaseRim = BaseReferenceManifest.select(referenceManifestManager) - .includeArchived() - .byHashCode(Arrays.hashCode(dv.getSwidfile().toByteArray())) - .getRIM(); + if (dv.getSwidfileCount() > 0) { + for (ByteString swidFile : dv.getSwidfileList()) { + try { + dbBaseRim = BaseReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(Arrays.hashCode(swidFile.toByteArray())) + .getRIM(); - if (dbBaseRim == null) { - dbBaseRim = new BaseReferenceManifest( - String.format("%s.swidtag", - clientName), - dv.getSwidfile().toByteArray()); + if (dbBaseRim == null) { + dbBaseRim = new BaseReferenceManifest( + String.format("%s.swidtag", + clientName), + swidFile.toByteArray()); - BaseReferenceManifest base = (BaseReferenceManifest) dbBaseRim; - for (SwidResource swid : base.parseResource()) { - matcher = pattern.matcher(swid.getName()); - if (matcher.matches()) { - //found the file name - int dotIndex = swid.getName().lastIndexOf("."); - clientName = swid.getName().substring(0, dotIndex); - dbBaseRim = new BaseReferenceManifest( - String.format("%s.swidtag", - clientName), - dv.getSwidfile().toByteArray()); - break; + BaseReferenceManifest base = (BaseReferenceManifest) dbBaseRim; + for (SwidResource swid : base.parseResource()) { + matcher = pattern.matcher(swid.getName()); + if (matcher.matches()) { + //found the file name + int dotIndex = swid.getName().lastIndexOf("."); + clientName = swid.getName().substring(0, dotIndex); + dbBaseRim = new BaseReferenceManifest( + String.format("%s.swidtag", + clientName), + swidFile.toByteArray()); + break; + } } + this.referenceManifestManager.save(dbBaseRim); + } else { + LOG.info("Client provided Base RIM already loaded in database."); + dbBaseRim.restore(); + dbBaseRim.resetCreateTime(); } 
- this.referenceManifestManager.save(dbBaseRim); - } else { - LOG.info("Client provided Base RIM already loaded in database."); - dbBaseRim.restore(); - dbBaseRim.resetCreateTime(); - } - tagId = dbBaseRim.getTagId(); - } catch (IOException ioEx) { - LOG.error(ioEx); + tagId = dbBaseRim.getTagId(); + } catch (IOException ioEx) { + LOG.error(ioEx); + } } } - if (dv.hasLogfile()) { - try { - support = SupportReferenceManifest.select(referenceManifestManager) - .includeArchived() - .byHashCode(Arrays.hashCode(dv.getLogfile().toByteArray())) - .getRIM(); + if (dv.getLogfileCount() > 0) { + for (ByteString logFile : dv.getLogfileList()) { + try { + support = SupportReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(Arrays.hashCode(logFile.toByteArray())) + .getRIM(); - if (support == null) { - support = new SupportReferenceManifest( - String.format("%s.rimel", - clientName), - dv.getLogfile().toByteArray()); - support.setPlatformManufacturer(dv.getHw().getManufacturer()); - support.setPlatformModel(dv.getHw().getProductName()); - support.setTagId(tagId); - this.referenceManifestManager.save(support); - } else { - LOG.info("Client provided Support RIM already loaded in database."); - if (dbBaseRim != null) { - support.setPlatformManufacturer(dbBaseRim.getPlatformManufacturer()); - support.setPlatformModel(dbBaseRim.getPlatformModel()); - support.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); - support.setAssociatedRim(dbBaseRim.getId()); - support.setTagId(dbBaseRim.getTagId()); + if (support == null) { + support = new SupportReferenceManifest( + String.format("%s.rimel", + clientName), + logFile.toByteArray()); + support.setPlatformManufacturer(dv.getHw().getManufacturer()); + support.setPlatformModel(dv.getHw().getProductName()); + support.setTagId(tagId); + this.referenceManifestManager.save(support); + } else { + LOG.info("Client provided Support RIM already loaded in database."); + if (dbBaseRim != null) { + 
support.setPlatformManufacturer(dbBaseRim.getPlatformManufacturer()); + support.setPlatformModel(dbBaseRim.getPlatformModel()); + support.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); + support.setAssociatedRim(dbBaseRim.getId()); + support.setTagId(dbBaseRim.getTagId()); + } + + support.restore(); + support.resetCreateTime(); + this.referenceManifestManager.update(support); } - - support.restore(); - support.resetCreateTime(); - this.referenceManifestManager.update(support); + } catch (IOException ioEx) { + LOG.error(ioEx); } - } catch (IOException ioEx) { - LOG.error(ioEx); } } diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index ce08f17d..f1eac4c1 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh @@ -54,7 +54,7 @@ if [ -d "$RIM_FILE_LOCATION" ]; then echo "tcg.rim.dir=$RIM_FILE_LOCATION" > "$TCG_BOOT_FILE" fi -if [ -d "$TAG_FILE_LOCATION" ]; then +if [ -d "$SWIDTAG_FILE_LOCATION" ]; then echo "tcg.swidtag.dir=$SWIDTAG_FILE_LOCATION" >> "$TCG_BOOT_FILE" fi diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index cd86e0a1..e53d1331 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp 
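Review bot: Looping over `dv.getSwidfileList()` and `dv.getLogfileList()` keeps the single-file state: `dbBaseRim`, `tagId` and `clientName` are overwritten on every swidtag iteration, so after the first loop only the last base RIM survives and every support RIM in the second loop is saved with that one `tagId` and named `<lastClientName>.rimel`, losing the pairing between a swidtag and its own event log when a device ships more than one of each. A per-iteration `IOException` is only logged and the loop continues, which then silently associates later log files with whatever `tagId` a previous iteration left behind. Consider recording `(tagId, clientName)` per parsed swidtag and matching each log file to its base RIM through the `SwidResource` name the `rimpcr|rimel|bin|log` pattern already extracts, rather than one shared `tagId`. Separately, both lookups key on `Arrays.hashCode(...)` of client-supplied bytes, a 32-bit non-cryptographic hash, so a collision with a stored RIM makes the device's file count as "already loaded" and restores that entry; unless `byHashCode` compares full contents afterwards (not visible here), a content digest should back the dedup. The enclosing method starts and ends outside the hunk.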
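Review bot: `$SWIDTAG_FILE_LOCATION` is not defined anywhere in this hunk's visible context, and the declaration of the same script shown in a later patch of this series reads `TAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/"`; if that remains the only definition, `[ -d "" ]` is always false, `tcg.swidtag.dir` is never written, and the provisioner sends no swidtag files. Either rename the declaration to `SWIDTAG_FILE_LOCATION=...` or use `$TAG_FILE_LOCATION` in both the test and the echo. The script continues outside the hunk.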
@@ -89,13 +89,21 @@ int provision() { const std::string& swid_dir = props.get("tcg.swidtag.dir", ""); try { rim_files = hirs::file_utils::search_directory(rim_dir); - dv.set_logfile(rim_files); + for (const auto& rims : rim_files) { + if (rims != "") { + dv.add_logfile(rims); + } + } } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } try { swidtag_files = hirs::file_utils::search_directory(swid_dir); - dv.set_swidfile(swidtag_files); + for (const auto& swidtag : swidtag_files) { + if (swidtag != "") { + dv.add_swidfile(swidtag); + } + } } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } From 70662bddec2ff3402433a95399caf3b6a3f6dd27 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 1 Dec 2020 11:13:41 -0500 Subject: [PATCH 14/15] Updated how the bios measurement file is uploaded. Changed the code to pull the string from the properties file instead of a hard link in the code. --- .../AbstractAttestationCertificateAuthority.java | 8 ++++++++ HIRS_ProvisionerTPM2/package/rpm-post-install.sh | 5 +++++ HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 5 +++-- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 59fbb719..b0ba7123 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -785,6 +785,8 @@ public abstract class AbstractAttestationCertificateAuthority } catch (IOException ioEx) { LOG.error(ioEx); } + } else { + LOG.warn("Device did not send swid tag file..."); } if (dv.hasLogfile()) { 
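Review bot: `rim_dir` and `swid_dir` default to `""` when the property is absent, and the new loops still hand that empty string to `search_directory`, so an unconfigured directory presumably ends in the `HirsRuntimeException` branch and an error log on every provisioning run instead of a quiet skip; guarding with `if (!rim_dir.empty())` (and likewise `swid_dir`) before searching keeps the error path for real failures. The per-entry `if (rims != "")` filter implies `search_directory` can yield empty entries, which would be cleaner to drop inside the helper than at every call site. `rims` names a single entry; `rim_file` reads better. The `provision()` body continues outside the hunk.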
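Review bot: The context lines of this hunk still read `dv.hasSwidfile()` / `dv.hasLogfile()`, which PATCH 13 of this same series replaced with `dv.getSwidfileCount() > 0` / `dv.getLogfileCount() > 0` loops, and the index `59fbb719..b0ba7123` does not chain from PATCH 13's `1469a938..02165d56`; the two patches appear to come from divergent bases and are unlikely to apply in order as posted. Rebase so the warnings land on the loop-based code. The added `LOG.warn` calls are useful operator signals, but a missing swidtag or support RIM is an attestation-evidence gap; if the policy requires RIM validation, the absence should feed the appraisal result rather than only the log. The enclosing method continues outside the hunk.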
@@ -820,9 +822,12 @@ public abstract class AbstractAttestationCertificateAuthority } catch (IOException ioEx) { LOG.error(ioEx); } + } else { + LOG.warn("Device did not send support RIM file..."); } if (dv.hasLivelog()) { + LOG.info("Device sent bios measurement log..."); fileName = String.format("%s.measurement", clientName); try { @@ -831,6 +836,7 @@ public abstract class AbstractAttestationCertificateAuthority .byManufacturer(dv.getHw().getManufacturer()) .includeArchived().getRIM(); if (support != null) { + LOG.info("Previous bios measurement log found and being replaced..."); this.referenceManifestManager.delete(support); } support = new EventLogMeasurements(fileName, @@ -842,6 +848,8 @@ public abstract class AbstractAttestationCertificateAuthority } catch (IOException ioEx) { LOG.error(ioEx); } + } else { + LOG.warn("Device did not send bios measurement log..."); } // Get TPM info, currently unimplemented diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index 9622dc3d..9562a412 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh @@ -45,6 +45,7 @@ TCG_DIRECTORY="/boot/tcg" LOG_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/" TAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/" CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/" +BINARY_BIOS_MEASUREMENTS="/sys/kernel/security/tpm0/binary_bios_measurements" if [ ! -f "$TCG_BOOT_FILE" ]; then touch "$TCG_BOOT_FILE" @@ -64,4 +65,8 @@ if [ -d "$CREDENTIALS_LOCATION" ]; then echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_BOOT_FILE" fi +if [ -f "$BINARY_BIOS_MEASUREMENTS" ]; then + echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_BOOT_FILE" +fi + chmod -w "$TCG_BOOT_FILE" diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index 957759e7..5a6428b9 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp 
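Review bot: In the `dv.hasLivelog()` branch the previously stored `EventLogMeasurements` for the manufacturer is deleted and replaced with the log the device just sent, and nothing in this hunk shows that log being validated first; a device presenting a bogus or empty measurement log can therefore evict the stored record for every device of that manufacturer, and the new `LOG.info` lines document the replacement rather than guard it. If the replacement must stay, at least log what is evicted and by whom, e.g. `LOG.info(String.format("Replacing stored bios measurement log for %s (client %s)", dv.getHw().getManufacturer(), clientName));`, and consider keying the lookup by device rather than manufacturer alone. As with the RIM files, a missing log should be reflected in the appraisal when policy requires measurements, not only warned about. The enclosing method continues outside the hunk.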
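Review bot: The `-f "$BINARY_BIOS_MEASUREMENTS"` test runs at RPM post-install time, but `/sys/kernel/security/tpm0/binary_bios_measurements` only exists when securityfs is mounted and a TPM driver is active on the installing host; installing inside a build chroot, container or image pipeline leaves `tcg.event.file` unwritten, and the provisioner then reads its empty-string default. Write the key unconditionally, dropping the `if` and keeping `echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_BOOT_FILE"` (the provisioner already catches the read failure), or have the provisioner fall back to this path itself. Note also that only the rim-dir line truncates with `>` while every other key uses `>>`, so re-installs can leave duplicate or stale keys in `$TCG_BOOT_FILE`. The script's head is outside the hunk.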
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp @@ -85,6 +85,8 @@ int provision() { // collect TCG Boot files const std::string& rim_file = props.get("tcg.rim.file", ""); const std::string& swid_file = props.get("tcg.swidtag.file", ""); + const std::string& live_log_file = props.get("tcg.event.file", ""); + try { dv.set_logfile(hirs::file_utils::fileToString(rim_file)); } catch (HirsRuntimeException& hirsRuntimeException) { @@ -96,8 +98,7 @@ int provision() { logger.error(hirsRuntimeException.what()); } try { - dv.set_livelog(hirs::file_utils::fileToString( - "/sys/kernel/security/tpm0/binary_bios_measurements")); + dv.set_livelog(hirs::file_utils::fileToString(live_log_file)); } catch (HirsRuntimeException& hirsRuntimeException) { logger.error(hirsRuntimeException.what()); } From a07fbbd847c4054b6cfc74cd6d50416a2bdab48b Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Wed, 2 Dec 2020 11:46:42 -0500 Subject: [PATCH 15/15] In a previous pull request, the reference manifest manager was not called to update the unarchived base rim. So it appears to never have been uploaded. --- .../attestationca/AbstractAttestationCertificateAuthority.java | 1 + 1 file changed, 1 insertion(+) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index ab70e628..25ea3f5b 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -780,6 +780,7 @@ public abstract class AbstractAttestationCertificateAuthority LOG.info("Client provided Base RIM already loaded in database."); dbBaseRim.restore(); dbBaseRim.resetCreateTime(); + this.referenceManifestManager.update(dbBaseRim); } tagId = dbBaseRim.getTagId();
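Review bot: `props.get("tcg.event.file", "")` swaps a previously hard-coded path for an empty default, so on any host where the post-install script did not write the key (it only does so when the sysfs file exists at install time) `fileToString("")` is attempted, the exception is logged, and the measurement log is silently never sent, a behaviour change from the removed lines. Keep the old path as the default, `const std::string& live_log_file = props.get("tcg.event.file", "/sys/kernel/security/tpm0/binary_bios_measurements");`, so configuration can still override it without the upgrade losing the live log. The `provision()` body continues outside the hunk.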