Merge branch 'master' into issue-395

.ci/docker/docker-compose-system-test.yml

@@ -1,4 +1,5 @@
 version: "3.1"
+
 services:
    aca:
       image: hirs/hirs-ci:aca
@@ -23,6 +24,7 @@ services:
          - aca
       volumes:
          - ../../:/HIRS
+         - ../system-tests/profiles/laptop/dmi:/sys/class/dmi:ro
       entrypoint: /bin/bash -c
       command: [tail -f /dev/null;]
       devices:

.ci/system-tests/aca_policy_tests.sh

@@ -10,25 +10,33 @@ failedTests=0;
 # Start ACA Policy Tests
 # provision_tpm takes 1 parameter (the expected result): "pass" or "fail"
 
-echo "ACA POLICY TEST 1: Test ACA default policy "
+write_to_logs "ACA POLICY TEST 1: Test ACA default policy "
+setPlatformCerts "laptop" "empty"
 provision_tpm2 "pass"
 
-echo "ACA POLICY TEST 2: Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store"
+write_to_logs "ACA POLICY TEST 2: Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store"
 setPolicyEkOnly
 provision_tpm2 "fail"
 
-echo "ACA POLICY TEST 3: Test EK Only Validation Policy" 
+write_to_logs "ACA POLICY TEST 3: Test EK Only Validation Policy" 
 uploadTrustedCerts
 provision_tpm2 "pass"
 
-echo "ACA POLICY TEST 4: Test PC Validation Policy with no PC" 
+write_to_logs "ACA POLICY TEST 4: Test PC Validation Policy with no PC" 
 setPolicyEkPc_noAttCheck
 provision_tpm2 "fail"
 
-echo "ACA POLICY TEST 5: Test FW and PC Validation Policy with no PC" 
+write_to_logs "ACA POLICY TEST 5: Test FW and PC Validation Policy with no PC" 
 setPolicyEkPcFw
 provision_tpm2 "fail"
 
+write_to_logs "### ACA POLICY TEST 6: Test PC Validation Policy with valid PC ###"
+clearAcaDb
+setPolicyEkPc
+uploadTrustedCerts
+setPlatformCerts "laptop" "default"
+provision_tpm2 "pass"
+
 #  Process Test Results, any single failure will send back a failed result.
 if [[ $failedTests != 0 ]]; then
     export TEST_STATUS=1;

.ci/system-tests/container/pc_setup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+#########################################################################################
+#   Setup for platform certificate tests
+#
+#########################################################################################
+
+profile=$1
+test=$2
+compscript="$profile"_"$test"_allcomponents.sh
+hwlist="$profile"_"$test"_hw.json
+mkdir -p /boot/tcg/cert/platform/;  # Create the platform cert folder if its not there
+rm -f /boot/tcg/cert/platform/*;   # clear out any previous data
+
+echo "Test is using platform cert(s) from $profile : $test"
+
+# Step 1: Copy allcomponents script to the paccor/scripts folder
+cp -f /HIRS/.ci/system-tests/profiles/$profile/$test/$compscript /opt/paccor/scripts/allcomponents.sh;
+
+# Step 2: Copy allcomponents json file to the paccor/scripts folder
+cp  -f /HIRS/.ci/system-tests/profiles/$profile/$test/$hwlist /opt/paccor/scripts/$hwlist ;
+
+# Step 3: Copy the platform cert to tcg folder on boot drive
+pushd /HIRS/.ci/system-tests/profiles/$profile/$test/platformcerts/ > /dev/null
+#skip copy of platform cert if .gitigore exists (empty profile)
+if [[ ! -f ".gitignore" ]]; then
+    for cert in * ; do
+          cp -f $cert /boot/tcg/cert/platform/$cert;
+    done
+fi
+
+popd > /dev/null
+
+# Step 4: Make some data available for debugging
+bash /opt/paccor/scripts/allcomponents.sh > /var/log/hirs/provisioner/allcomponents.output.log

.ci/system-tests/profiles/laptop/default/laptop_default_allcomponents.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+###############################################################
+# Simulate paccor output for a laptop device
+#
+###############################################################
+pushd /opt/paccor/scripts > /dev/null
+cat "laptop_default_hw.json"
+popd > /dev/null

.ci/system-tests/profiles/laptop/default/laptop_default_hw.json

@@ -0,0 +1,55 @@
+{
+    
+    "PLATFORM": {
+        "PLATFORMMANUFACTURERSTR": "Dell Inc.","PLATFORMMODEL": "Latitude 5580","PLATFORMVERSION": "Not Specified","PLATFORMSERIAL": "56LMWD2"
+    },
+    "COMPONENTS": [
+        {
+             "COMPONENTCLASS": {
+        "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+        "COMPONENTCLASSVALUE": "00020001"
+    },"MANUFACTURER": "Dell Inc.","MODEL": "10","SERIAL": "56LMWD2"
+        },
+        {
+             "COMPONENTCLASS": {
+        "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+        "COMPONENTCLASSVALUE": "00030003"
+    },"MANUFACTURER": "Dell Inc.","MODEL": "08T986","FIELDREPLACEABLE": "true","SERIAL": "/56LMWD2/TW320707A30298/","REVISION": "A00"
+        },
+        {
+             "COMPONENTCLASS": {
+        "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+        "COMPONENTCLASSVALUE": "00130003"
+    },"MANUFACTURER": "Dell Inc.","MODEL": "Not Specified","REVISION": "1.5.3"
+        },
+       {
+            "COMPONENTCLASS": {
+       "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+       "COMPONENTCLASSVALUE": "00010002"
+   },"MANUFACTURER": "Intel(R) Corporation","MODEL": "198","FIELDREPLACEABLE": "true","SERIAL": "To Be Filled By O.E.M.","REVISION": "Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz"
+       },
+       {
+            "COMPONENTCLASS": {
+       "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+       "COMPONENTCLASSVALUE": "00060001"
+   },"MANUFACTURER": "80AD000080AD","MODEL": "HMA81GS6AFR8N-UH","FIELDREPLACEABLE": "true","SERIAL": "29AC2764","REVISION": "01172200"
+       },
+       {
+            "COMPONENTCLASS": {
+       "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+       "COMPONENTCLASSVALUE": "00060001"
+   },"MANUFACTURER": "80AD000080AD","MODEL": "HMA81GS6AFR8N-UH","FIELDREPLACEABLE": "true","SERIAL": "29AC274B","REVISION": "01172200"
+       }
+    ],
+    "PROPERTIES": [
+        {
+            "NAME": "uname -r",
+            "VALUE": "4.14.252-195.483.amzn2.x86_64"
+        },
+        {
+            "NAME": "OS Release",
+            "VALUE": "CentOS Linux 7 (Core)"
+        }
+    ]
+}
+

.ci/system-tests/profiles/laptop/default/laptop_setpcrs.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# This file will set the tpm emulators PCR values to match the dell8850 event log.
+
+tpm2_pcrextend 0:sha256=38dc62a7c4ba6f19930538c1704b5a97f20f19e802951aab7e78ced610a3df5f -Q
+tpm2_pcrextend 0:sha256=d4720b4009438213b803568017f903093f6bea8ab47d283db32b6eabedbbf155 -Q
+tpm2_pcrextend 0:sha256=2649fffc46f2044e2d683712fb59ce10ccfcbeb91d541cbe117d9c2d459da273 -Q
+tpm2_pcrextend 0:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+
+
+tpm2_pcrextend 1:sha256=cbb15df37b131921890da0973ed097d567123b08e3fa6449e33a6acd15385be0 -Q
+tpm2_pcrextend 1:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+tpm2_pcrextend 1:sha256=4e93b6abf5532ff7a4da93769c41874f62cef02a9abc60b6baa62227762e5964 -Q
+tpm2_pcrextend 1:sha256=9ad0d8e4e4b6b80386f43e747d0e8f4a55a860bae1fbbf54c588fd474b30a1da -Q
+tpm2_pcrextend 1:sha256=fd662842e607c5800389f2d3073cb26100ce4b5f93d9e62e6b139813141a4173 -Q
+
+tpm2_pcrextend 2:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+
+tpm2_pcrextend 3:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+
+tpm2_pcrextend 4:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+tpm2_pcrextend 4:sha256=dda0121dcf167db1e2622d10f454701837ac6af304a03ec06b3027904988c56b -Q
+tpm2_pcrextend 4:sha256=afb8038e914c99969dd828b58289ff2f820fb785025f21a92cc48651ebc13005 -Q
+tpm2_pcrextend 4:sha256=f80bdf3a58ec348742486e439f3c75a962043931f7cacd1e9bb8e6bf0cb2df9a -Q
+
+
+tpm2_pcrextend 5:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+tpm2_pcrextend 5:sha256=ef4c76c6a2226cb891be17a65f5a3035889979b5a1b1a246224ee7120dda3efa -Q
+
+tpm2_pcrextend 6:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+
+tpm2_pcrextend 7:sha256=ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e -Q
+tpm2_pcrextend 7:sha256=2abfe9865a654102acb12f0fefe52dc4d01bce40901410eb3dadaf212700a2b7 -Q
+tpm2_pcrextend 7:sha256=63a525134bfbc242058c0e6b42794f8b1d142d13029a9aa38a3272c5ca2390c5 -Q
+tpm2_pcrextend 7:sha256=ad1850a4885628d86273bad743779c9e665db060236270b5d24dd98f3a22fe86 -Q
+tpm2_pcrextend 7:sha256=f0bf49c6a2d3e170077f1f66875d6cb9b2aa382060cac5c0b645660bb95bc058 -Q
+tpm2_pcrextend 7:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+tpm2_pcrextend 7:sha256=4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9 -Q
+tpm2_pcrextend 7:sha256=87ee47938723178072c0b0ed3ff7575e82ca37f0634a1a67d15d4d5ce53e8dab -Q
+tpm2_pcrextend 7:sha256=194c8cf6648963b6574271d6c86d250a381ea0346749a355576fa95f5b6e1dae -Q
+
+tpm2_pcrextend 14:sha256=9fa163e06ff76a9f0d0262151328aa38f903495bc81ebcbd5bc40fcdbebb4a63 -Q
+tpm2_pcrextend 14:sha256=8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0 -Q
+
+

.ci/system-tests/profiles/laptop/default/swidtags/dell.5580.1.swidtag

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" corpus="false" name="Dell5580" patch="false" supplemental="false" tagId="hirs.swid.SwidTags.dell5580" tagVersion="1" version="0.1" versionScheme="multipartnumeric" xml:lang="en">
+  <Entity name="HIRS" regid="www.example.com" role="softwareCreator tagCreator"/>
+  <Link href="https://Example.com/support/ProductA/firmware/installfiles" rel="installationmedia"/>
+  <Meta xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" n8060:colloquialVersion="0.1" n8060:edition="0.1" n8060:product="Dell 5580" n8060:revision="0.1" rim:BindingSpec="PC Client RIM" rim:BindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Dell Inc." rim:platformModel="Latitude 5580" rim:rimLinkHash="88f21d8e44d4271149297404df91caf207130bfa116582408abd04ede6db7f51"/>
+  <Payload>
+    <Directory name="/boot/tcg/rim/support">
+      <File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="bc120b2d8752bc6eb228b5b433825d766183985cf02d7ab678210901a9730932" name="dell.5580.1.rimel" size="20113"/>
+    </Directory>
+  </Payload>
+  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+    <SignedInfo>
+      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <Reference URI="">
+        <Transforms>
+          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+        </Transforms>
+        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <DigestValue>JVPYXmpDVzZn+mHPqcPR0NaL0oSJ/24WP5Wsq+/22B8=</DigestValue>
+      </Reference>
+    </SignedInfo>
+    <SignatureValue>A1x+c+zbVwvdrmG9/r0LwOLXA0KjxxIgElrfStSX8Uv33vzaG9/S8YIsKlE/6O4dIBlkaKUvqamf
+53YOXtfkD2gzYPhNqIMlPbKXdLMhIrBRRkDzoYHbMRcIcJdGOFEeM/UNS2cxvK5vojPu8ODVde44
+TdyzS/TlTJXvkm7sx/50Xs3O0ZdrHA4mihYRrRCUaR5QCDmTGyzMIYY1aujF0NOYVm3+YssFsMkH
+4K5fEv/IomR5kmK68VEmC71krknIfhSw6K7y0rooWUuPMoiLOpjYT+SvykjBzJPsxPzKMULb1Vgy
+qe7XS9lxgt89U5wiIyNhsu6q4YqVebbO5aLpsQ==</SignatureValue>
+    <KeyInfo>
+      <KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
+      <KeyValue>
+        <RSAKeyValue>
+          <Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
+xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
+dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
+otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
+jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==</Modulus>
+          <Exponent>AQAB</Exponent>
+        </RSAKeyValue>
+      </KeyValue>
+    </KeyInfo>
+  </Signature>
+</SoftwareIdentity>

.ci/system-tests/profiles/laptop/empty/laptop_empty_allcomponents.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+###############################################################
+# Simulate paccor output for a laptop device
+#
+###############################################################
+pushd /opt/paccor/scripts > /dev/null
+cat "laptop_empty_hw.json"
+popd > /dev/null

.ci/system-tests/profiles/laptop/empty/laptop_empty_hw.json

@@ -0,0 +1,55 @@
+{
+    
+    "PLATFORM": {
+        "PLATFORMMANUFACTURERSTR": "Dell Inc.","PLATFORMMODEL": "Latitude 5580","PLATFORMVERSION": "Not Specified","PLATFORMSERIAL": "56LMWD2"
+    },
+    "COMPONENTS": [
+        {
+             "COMPONENTCLASS": {
+        "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+        "COMPONENTCLASSVALUE": "00020001"
+    },"MANUFACTURER": "Dell Inc.","MODEL": "10","SERIAL": "56LMWD2"
+        },
+        {
+             "COMPONENTCLASS": {
+        "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+        "COMPONENTCLASSVALUE": "00030003"
+    },"MANUFACTURER": "Dell Inc.","MODEL": "08T986","FIELDREPLACEABLE": "true","SERIAL": "/56LMWD2/TW320707A30298/","REVISION": "A00"
+        },
+        {
+             "COMPONENTCLASS": {
+        "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+        "COMPONENTCLASSVALUE": "00130003"
+    },"MANUFACTURER": "Dell Inc.","MODEL": "Not Specified","REVISION": "1.5.3"
+        },
+       {
+            "COMPONENTCLASS": {
+       "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+       "COMPONENTCLASSVALUE": "00010002"
+   },"MANUFACTURER": "Intel(R) Corporation","MODEL": "198","FIELDREPLACEABLE": "true","SERIAL": "To Be Filled By O.E.M.","REVISION": "Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz"
+       },
+       {
+            "COMPONENTCLASS": {
+       "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+       "COMPONENTCLASSVALUE": "00060001"
+   },"MANUFACTURER": "80AD000080AD","MODEL": "HMA81GS6AFR8N-UH","FIELDREPLACEABLE": "true","SERIAL": "29AC2764","REVISION": "01172200"
+       },
+       {
+            "COMPONENTCLASS": {
+       "COMPONENTCLASSREGISTRY": "2.23.133.18.3.1",
+       "COMPONENTCLASSVALUE": "00060001"
+   },"MANUFACTURER": "80AD000080AD","MODEL": "HMA81GS6AFR8N-UH","FIELDREPLACEABLE": "true","SERIAL": "29AC274B","REVISION": "01172200"
+       }
+    ],
+    "PROPERTIES": [
+        {
+            "NAME": "uname -r",
+            "VALUE": "4.14.252-195.483.amzn2.x86_64"
+        },
+        {
+            "NAME": "OS Release",
+            "VALUE": "CentOS Linux 7 (Core)"
+        }
+    ]
+}
+

.ci/system-tests/profiles/laptop/empty/laptop_empty_setpcrs.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# This file will set the tpm emulators PCR values to match the dell8850 event log.
+
+tpm2_pcrextend 0:sha256=38dc62a7c4ba6f19930538c1704b5a97f20f19e802951aab7e78ced610a3df5f -Q
+tpm2_pcrextend 0:sha256=d4720b4009438213b803568017f903093f6bea8ab47d283db32b6eabedbbf155 -Q
+tpm2_pcrextend 0:sha256=2649fffc46f2044e2d683712fb59ce10ccfcbeb91d541cbe117d9c2d459da273 -Q
+tpm2_pcrextend 0:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+
+
+tpm2_pcrextend 1:sha256=cbb15df37b131921890da0973ed097d567123b08e3fa6449e33a6acd15385be0 -Q
+tpm2_pcrextend 1:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+tpm2_pcrextend 1:sha256=4e93b6abf5532ff7a4da93769c41874f62cef02a9abc60b6baa62227762e5964 -Q
+tpm2_pcrextend 1:sha256=9ad0d8e4e4b6b80386f43e747d0e8f4a55a860bae1fbbf54c588fd474b30a1da -Q
+tpm2_pcrextend 1:sha256=fd662842e607c5800389f2d3073cb26100ce4b5f93d9e62e6b139813141a4173 -Q
+
+tpm2_pcrextend 2:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+
+tpm2_pcrextend 3:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+
+tpm2_pcrextend 4:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+tpm2_pcrextend 4:sha256=dda0121dcf167db1e2622d10f454701837ac6af304a03ec06b3027904988c56b -Q
+tpm2_pcrextend 4:sha256=afb8038e914c99969dd828b58289ff2f820fb785025f21a92cc48651ebc13005 -Q
+tpm2_pcrextend 4:sha256=f80bdf3a58ec348742486e439f3c75a962043931f7cacd1e9bb8e6bf0cb2df9a -Q
+
+
+tpm2_pcrextend 5:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+tpm2_pcrextend 5:sha256=ef4c76c6a2226cb891be17a65f5a3035889979b5a1b1a246224ee7120dda3efa -Q
+
+tpm2_pcrextend 6:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+
+tpm2_pcrextend 7:sha256=ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e -Q
+tpm2_pcrextend 7:sha256=2abfe9865a654102acb12f0fefe52dc4d01bce40901410eb3dadaf212700a2b7 -Q
+tpm2_pcrextend 7:sha256=63a525134bfbc242058c0e6b42794f8b1d142d13029a9aa38a3272c5ca2390c5 -Q
+tpm2_pcrextend 7:sha256=ad1850a4885628d86273bad743779c9e665db060236270b5d24dd98f3a22fe86 -Q
+tpm2_pcrextend 7:sha256=f0bf49c6a2d3e170077f1f66875d6cb9b2aa382060cac5c0b645660bb95bc058 -Q
+tpm2_pcrextend 7:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q
+tpm2_pcrextend 7:sha256=4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9 -Q
+tpm2_pcrextend 7:sha256=87ee47938723178072c0b0ed3ff7575e82ca37f0634a1a67d15d4d5ce53e8dab -Q
+tpm2_pcrextend 7:sha256=194c8cf6648963b6574271d6c86d250a381ea0346749a355576fa95f5b6e1dae -Q
+
+tpm2_pcrextend 14:sha256=9fa163e06ff76a9f0d0262151328aa38f903495bc81ebcbd5bc40fcdbebb4a63 -Q
+tpm2_pcrextend 14:sha256=8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0 -Q
+
+

.ci/system-tests/profiles/laptop/empty/platformcerts/.gitignore

@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore

.ci/system-tests/profiles/laptop/empty/rims/.gitignore

@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore

.ci/system-tests/profiles/laptop/empty/swidtags/.gitignore

@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore

.ci/system-tests/profiles/laptop/empty/trustcerts/.gitignore

@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore

.ci/system-tests/run-system-tests.sh

@@ -7,6 +7,7 @@ aca_container=hirs-aca1
 tpm2_container=hirs-provisioner1-tpm2
 testResult="passed";
 issuerCert=../setup/certs/ca.crt
+hirs_aca_log=/var/log/tomcat/HIRS_AttestationCA.log
 
 # Source files for Docker Variables and helper scripts
 . ./.ci/docker/.env
@@ -15,19 +16,19 @@ set -a
 
 echo "********  Setting up for HIRS System Tests for TPM 2.0 ******** "
 
+# expand dmi files for mounting to the provisioner containers
+unzip -q .ci/system-tests/profiles/laptop/laptop_dmi.zip -d .ci/system-tests/profiles/laptop/
 # Start System Testing Docker Environment
-cd .ci/docker
+pushd .ci/docker
 
 docker-compose -f docker-compose-system-test.yml up -d
 
-cd ../system-tests
+popd
+pushd .ci/system-tests
 source sys_test_common.sh
 
-aca_container_id="$(docker ps -aqf "name=$aca_container")"
+echo "ACA Container info: $(checkContainerStatus $aca_container)";
-tpm2_container_id="$(docker ps -aqf "name=$tpm2_container")"
+echo "TPM2 Provisioner Container info: $(checkContainerStatus $tpm2_container)";
-
-echo "ACA Container ID is $aca_container_id and has a status of $(CheckContainerStatus $aca_container_id)";
-echo "TPM2 Provisioner Container ID is $tpm2_container_id and has a status of  $(CheckContainerStatus $tpm2_container_id)";
 
 # Install HIRS provioner and setup tpm2 emulator
 docker exec $tpm2_container /HIRS/.ci/setup/setup-tpm2provisioner.sh
@@ -58,13 +59,13 @@ echo ""
 echo "End of System Tests for TPM 2.0, cleaning up..."
 echo ""
 # Clean up services and network
-docker-compose down
+popd
-
+pushd .ci/docker
+docker-compose -f docker-compose-system-test.yml down -v
+popd
 # Clean up dangling containers
 echo "Cleaning up dangling containers..."
 echo ""
-docker ps -a
-echo ""
 docker container prune --force
 echo ""
 echo "New value of test status is ${TEST_STATUS}"

.ci/system-tests/sys_test_common.sh

@@ -4,10 +4,12 @@
 #
 #########################################################################################
 
-CheckContainerStatus() {
+# Check container status and abort if container is not running
-  container_id=$1
+checkContainerStatus() {
+  container_name=$1
+  container_id="$(docker ps -aqf "name=$container_name")"
   container_status="$(docker inspect $container_id --format='{{.State.Status}}')"
-  echo "Container Status: $container_status"
+  echo "Container id is $container_id and the status is $container_status"
 
   if [ "$container_status" != "running" ]; then
      container_exit_code="$(docker inspect $container_id --format='{{.State.ExitCode}}')"
@@ -17,32 +19,54 @@ CheckContainerStatus() {
 fi
 }
 
+# clear all policy settings
 setPolicyNone() {
-docker exec $aca_container mysql -u root -D hirs_db -e"Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0, enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0;" 
+docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0,
+           enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;" 
 }
 
+# Policy Settings for tests ...
 setPolicyEkOnly() {
-docker exec $aca_container mysql -u root -D hirs_db -e"Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0, enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0;" 
+docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0,
+           enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
 }
 
 setPolicyEkPc_noAttCheck() {
-docker exec $aca_container mysql -u root -D hirs_db -e"Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1, enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0;" 
+docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1,
+           enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
 }
 
 setPolicyEkPc() {
-docker exec $aca_container mysql -u root -D hirs_db -e"Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1, enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0;" 
+docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
+           enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
 }
 
 setPolicyEkPcFw() {
-docker exec $aca_container mysql -u root -D hirs_db -e"Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1, enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0;" 
+docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
+           enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
 }
 
+# Clear all ACA DB items including policy
+clearAcaDb() {
+docker exec $aca_container mysql -u root -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
+ AppraisalResult;truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate
+ ComponentInfo;truncate Device;truncate DeviceInfoReport;truncate IMADeviceState;truncate IMAMeasurementRecord;truncate
+ ImaBlacklistRecord;truncate ImaIgnoreSetRecord;truncate IntegrityReport;truncate IntegrityReports_Reports_Join;truncate
+ RepoPackage_IMABaselineRecord;truncate Report;truncate ReportMapper;truncate ReportRequestState;truncate ReportSummary;truncate
+ State;truncate SupplyChainValidation;truncate SupplyChainValidationSummary;truncate ReferenceManifest;truncate
+ ReferenceDigestRecord; truncate ReferenceDigestValue; truncate
+ SupplyChainValidationSummary_SupplyChainValidation;truncate TPM2ProvisionerState;truncate TPMBaselineRecords;truncate
+ TPMDeviceState;truncate TPMReport;truncate TPMReport_pcrValueList; set foreign_key_checks=1;" 
+}
+
+# Upload Certs to the ACA DB
 uploadTrustedCerts() {
   curl -k -s -F "file=@$issuerCert" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
 }
 
 # provision_tpm2 takes one parameter which is the expected result of the provion: "pass" or "fail"
 # updates totalTests and failedTests counts
+# provision_tpm2 <expected_results>
 provision_tpm2() {
    expected_result=$1
    ((totalTests++))
@@ -67,13 +91,32 @@ provision_tpm2() {
   fi
 }
 
-clearAcaDb() {
+# Places platform cert(s) held in the test folder(s) in the provisioners tcg folder
-docker exec $aca_container mysql -u root -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
+# setPlatCert <profile> <test>
- AppraisalResult;truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate
+setPlatformCerts() {
- ComponentInfo;truncate Device;truncate DeviceInfoReport;truncate IMADeviceState;truncate IMAMeasurementRecord;truncate
+  docker exec $tpm2_container sh /HIRS/.ci/system-tests/container/pc_setup.sh $1 $2 
- ImaBlacklistRecord;truncate ImaIgnoreSetRecord;truncate IntegrityReport;truncate IntegrityReports_Reports_Join;truncate
+  #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
- RepoPackage_IMABaselineRecord;truncate Report;truncate ReportMapper;truncate ReportRequestState;truncate ReportSummary;truncate
+}
- State;truncate SupplyChainValidation;truncate SupplyChainValidationSummary;truncate ReferenceManifest;truncate
+
- SupplyChainValidationSummary_SupplyChainValidation;truncate TPM2ProvisionerState;truncate TPMBaselineRecords;truncate
+# Places platform cert held in the test folder in the provisioners tcg folder
- TPMDeviceState;truncate TPMReport;truncate TPMReport_pcrValueList; set foreign_key_checks=1;" 
+# setRimBundle <profile> <test>
+setRimBundles() {
+  profile=$1
+  test=$2
+  docker exec $tpm2_container rm /boot/tcg/manifest/rim/*;
+  docker exec $tpm2_container rm /boot/tcg/manifest/swidtag/*;
+  docker exec $tpm2_container cp /HIRS/.ci/system-tests/$profile/$test/rims/* /boot/tcg/manifest/rim; 
+  docker exec $tpm2_container cp /HIRS/.ci/system-tests/$profile/$test/swidtags/* /boot/tcg/manifest/swidtag;
+  docker exec $tpm2_container ls /boot/tcg/manifest/rim/
+  docker exec $tpm2_container ls /boot/tcg/manifest/swidtag/
+}
+
+# Writes to the Action ouput, ACA log, and Provisioner Log
+# Used for marking the start of system tests and noting the result
+# write_to_logs <log statement>
+write_to_logs() {
+  line=$1
+  echo $line;
+  docker exec $aca_container sh -c "echo '$line' >> /var/log/tomcat/HIRS_AttestationCA.log"
+  docker exec $tpm2_container sh -c "echo '$line' >> /var/log/hirs/provisioner/HIRS_provisionerTPM2.log"
 }

HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java

@@ -439,10 +439,11 @@ public abstract class AbstractAttestationCertificateAuthority
             }
         }
 
+        ByteString blobStr = ByteString.copyFrom(new byte[]{});
         if (validationResult == AppraisalStatus.Status.PASS) {
             RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray());
             byte[] nonce = generateRandomBytes(NONCE_LENGTH);
-            ByteString blobStr = tpm20MakeCredential(ekPub, akPub, nonce);
+            blobStr = tpm20MakeCredential(ekPub, akPub, nonce);
             SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
             String pcrQuoteMask = PCR_QUOTE_MASK;
 
@@ -465,7 +466,12 @@ public abstract class AbstractAttestationCertificateAuthority
         } else {
             LOG.error("Supply chain validation did not succeed. Result is: "
                     + validationResult);
-            return new byte[]{};
+            // empty response
+            ProvisionerTpm2.IdentityClaimResponse response
+                    = ProvisionerTpm2.IdentityClaimResponse.newBuilder()
+                    .setCredentialBlob(blobStr)
+                    .build();
+            return response.toByteArray();
         }
     }
 

HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp

@@ -175,7 +175,7 @@
             <br />
 
             <%-- Generate LDevID Certificate--%>
-            <div class="aca-input-box">
+            <div class="aca-input-box" style="display: none">
                 <form:form method="POST" modelAttribute="initialData" action="policy/update-issue-devid">
                     <li>Generate LDevID Certificate: ${initialData.issueDevIdCertificate ? 'Enabled' : 'Disabled'}
                         <my:editor id="issuedDevIdCertificatePolicyEditor" label="Edit Settings">

HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp

@@ -143,13 +143,20 @@ int provision() {
     RestfulClientProvisioner provisioner;
     string response = provisioner.sendIdentityClaim(identityClaim);
     hirs::pb::IdentityClaimResponse icr;
+
     if (!icr.ParseFromString(response) || !icr.has_credential_blob()) {
+        logger.error("The ACA did not send make credential blob.");
         cout << "----> Provisioning failed." << endl;
         cout << "The ACA did not send make credential information." << endl;
         return 0;
     }
 
     string nonceBlob = icr.credential_blob();
+    if (nonceBlob == "") {
+        cout << "----> Provisioning failed." << endl;
+        cout << "The ACA sent empty credential information." << endl;
+        return 0;
+    }
 
     // activateIdentity requires we read makeCredential output from a file
     cout << "----> Received response. Attempting to decrypt nonce" << endl;

VERSION

@@ -1 +1 @@
-2.1.0
+2.1.1

build.gradle

@@ -120,11 +120,11 @@ subprojects {
       joda_time:     'joda-time:joda-time:2.9.4',
       jstl:        [ 'org.apache.taglibs:taglibs-standard-impl:1.2.5',
                      'org.apache.taglibs:taglibs-standard-spec:1.2.5'],
-      log4j2:      [ 'org.apache.logging.log4j:log4j-api:2.16.0',
+      log4j2:      [ 'org.apache.logging.log4j:log4j-api:2.17.1',
-                     'org.apache.logging.log4j:log4j-core:2.16.0',
+                     'org.apache.logging.log4j:log4j-core:2.17.1',
-                     'org.apache.logging.log4j:log4j-slf4j-impl:2.16.0'],
+                     'org.apache.logging.log4j:log4j-slf4j-impl:2.17.1'],
-      log4j2_web:  'org.apache.logging.log4j:log4j-web:2.16.0',
+      log4j2_web:  'org.apache.logging.log4j:log4j-web:2.17.1',
-      log_bridge:    'org.apache.logging.log4j:log4j-jcl:2.16.0',
+      log_bridge:    'org.apache.logging.log4j:log4j-jcl:2.17.1',
       mockito:       'org.mockito:mockito-all:1.10.19',
       mariadb:       'org.mariadb.jdbc:mariadb-java-client:2.2.1',
       minimal_json:  'com.eclipsesource.minimal-json:minimal-json:0.9.5',

tools/tcg_eventlog_tool/build.gradle

@@ -13,7 +13,6 @@ dependencies {
     compile project(':HIRS_Utils')
     compile libs.jcommander
     compile libs.commons_io
-    compile libs.log4j2
     compileOnly libs.checkstyle
     compileOnly libs.findbugs
     testCompile libs.testng