From e9c0c8c3a158605b2e61b05f0dbc884f8254de40 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 1 Jul 2024 12:14:39 -0400 Subject: [PATCH 01/39] update pciids to acapciids throughout code --- .../persist/util/{PciIds.java => AcaPciIds.java} | 2 +- .../validation/CertificateAttributeScvValidator.java | 10 +++++----- .../portal/page/utils/CertificateStringMapBuilder.java | 10 +++++----- HIRS_Utils/src/main/java/hirs/utils/PciIds.java | 4 ++++ 4 files changed, 15 insertions(+), 11 deletions(-) rename HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/{PciIds.java => AcaPciIds.java} (99%) create mode 100644 HIRS_Utils/src/main/java/hirs/utils/PciIds.java diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/PciIds.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java similarity index 99% rename from HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/PciIds.java rename to HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java index db2eb678..b946df4b 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/PciIds.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java @@ -24,7 +24,7 @@ import java.util.List; * Provide Java access to PCI IDs. */ @Log4j2 -public final class PciIds { +public final class AcaPciIds { /** * This pci ids file can be in different places on different distributions. */ diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java index 83444afc..6f18313e 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java 
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java @@ -13,7 +13,7 @@ import hirs.attestationca.persist.entity.userdefined.info.ComponentInfo; import hirs.attestationca.persist.entity.userdefined.info.HardwareInfo; import hirs.attestationca.persist.entity.userdefined.report.DeviceInfoReport; import hirs.attestationca.persist.enums.AppraisalStatus; -import hirs.attestationca.persist.util.PciIds; +import hirs.attestationca.persist.util.AcaPciIds; import hirs.utils.enums.DeviceInfoEnums; import lombok.extern.log4j.Log4j2; import org.apache.commons.codec.digest.DigestUtils; @@ -445,8 +445,8 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid // is to be displayed as the failure fullDeltaChainComponents.clear(); for (ComponentIdentifier ci : subCompIdList) { - if (ci.isVersion2() && PciIds.DB.isReady()) { - ci = PciIds.translate((ComponentIdentifierV2) ci); + if (ci.isVersion2() && AcaPciIds.DB.isReady()) { + ci = AcaPciIds.translate((ComponentIdentifierV2) ci); } log.error("Unmatched component: " + ci); fullDeltaChainComponents.add(ci); @@ -606,9 +606,9 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid int unmatchedComponentCounter = 1; for (ComponentIdentifier unmatchedComponent : pcUnmatchedComponents) { - if (unmatchedComponent.isVersion2() && PciIds.DB.isReady()) { + if (unmatchedComponent.isVersion2() && AcaPciIds.DB.isReady()) { unmatchedComponent = - PciIds.translate((ComponentIdentifierV2) unmatchedComponent); + AcaPciIds.translate((ComponentIdentifierV2) unmatchedComponent); } log.error("Unmatched component " + unmatchedComponentCounter++ + ": " + unmatchedComponent); diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java index e06216f6..c112ef2c 100644 
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java @@ -12,7 +12,7 @@ import hirs.attestationca.persist.entity.userdefined.certificate.IssuedAttestati import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential; import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentIdentifier; import hirs.attestationca.persist.entity.userdefined.certificate.attributes.PlatformConfiguration; -import hirs.attestationca.persist.util.PciIds; +import hirs.attestationca.persist.util.AcaPciIds; import hirs.utils.BouncyCastleUtils; import lombok.AccessLevel; import lombok.NoArgsConstructor; @@ -371,8 +371,8 @@ public final class CertificateStringMapBuilder { .findByCertificateSerialNumberAndBoardSerialNumber( certificate.getSerialNumber().toString(), certificate.getPlatformSerial()); - if (PciIds.DB.isReady()) { - compResults = PciIds.translateResults(compResults); + if (AcaPciIds.DB.isReady()) { + compResults = AcaPciIds.translateResults(compResults); } data.put("componentResults", compResults); @@ -381,8 +381,8 @@ public final class CertificateStringMapBuilder { if (platformConfiguration != null) { //Component Identifier - attempt to translate hardware IDs List comps = platformConfiguration.getComponentIdentifier(); - if (PciIds.DB.isReady()) { - comps = PciIds.translate(comps); + if (AcaPciIds.DB.isReady()) { + comps = AcaPciIds.translate(comps); } data.put("componentsIdentifier", comps); //Component Identifier URI diff --git a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java new file mode 100644 index 00000000..63ed3499 --- /dev/null +++ b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java @@ -0,0 +1,4 @@ +package hirs.utils; + +public class PciIds { +} 
From 31715b5ac4a1ae9a4db48849331f4dd4e9fecf56 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 1 Jul 2024 12:34:22 -0400 Subject: [PATCH 02/39] add pciids to utils and update classes that use it --- .../attestationca/persist/util/AcaPciIds.java | 60 +--------------- .../CertificateAttributeScvValidator.java | 5 +- .../utils/CertificateStringMapBuilder.java | 5 +- HIRS_Utils/build.gradle | 1 + .../src/main/java/hirs/utils/PciIds.java | 71 ++++++++++++++++++- 5 files changed, 79 insertions(+), 63 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java index b946df4b..29dbe00d 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java @@ -2,7 +2,6 @@ package hirs.attestationca.persist.util; import com.github.marandus.pciid.model.Device; import com.github.marandus.pciid.model.Vendor; -import com.github.marandus.pciid.service.PciIdsDatabase; import com.google.common.base.Strings; import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult; import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentIdentifier; 
@@ -12,71 +11,16 @@ import lombok.extern.log4j.Log4j2; import org.bouncycastle.asn1.ASN1UTF8String; import org.bouncycastle.asn1.DERUTF8String; -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; import java.util.ArrayList; -import java.util.Collections; import java.util.List; +import static hirs.utils.PciIds.DB; + /** * Provide Java access to PCI IDs. */ @Log4j2 public final class AcaPciIds { - /** - * This pci ids file can be in different places on different distributions. - */ - public static final List PCI_IDS_PATH = - Collections.unmodifiableList(new ArrayList<>() { - private static final long serialVersionUID = 1L; - { - add("/usr/share/hwdata/pci.ids"); - add("/usr/share/misc/pci.ids"); - add("/tmp/pci.ids"); - } - }); - - /** - * The PCI IDs Database object. - * - * This only needs to be loaded one time. - * - * The pci ids library protects the data inside the object by making it immutable. - */ - public static final PciIdsDatabase DB = new PciIdsDatabase(); - - static { - if (!DB.isReady()) { - String dbFile = null; - for (final String path : PCI_IDS_PATH) { - if ((new File(path)).exists()) { - log.info("PCI IDs file was found {}", path); - dbFile = path; - break; - } - } - if (dbFile != null) { - InputStream is = null; - try { - is = new FileInputStream(new File(dbFile)); - DB.loadStream(is); - } catch (IOException e) { - // DB will not be ready, hardware IDs will not be translated - dbFile = null; - } finally { - if (is != null) { - try { - is.close(); - } catch (IOException e) { - dbFile = null; - } - } - } - } - } - } /** * The Component Class TCG Registry OID. diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java index 6f18313e..a427835c 100644 
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java @@ -14,6 +14,7 @@ import hirs.attestationca.persist.entity.userdefined.info.HardwareInfo; import hirs.attestationca.persist.entity.userdefined.report.DeviceInfoReport; import hirs.attestationca.persist.enums.AppraisalStatus; import hirs.attestationca.persist.util.AcaPciIds; +import hirs.utils.PciIds; import hirs.utils.enums.DeviceInfoEnums; import lombok.extern.log4j.Log4j2; import org.apache.commons.codec.digest.DigestUtils; @@ -445,7 +446,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid // is to be displayed as the failure fullDeltaChainComponents.clear(); for (ComponentIdentifier ci : subCompIdList) { - if (ci.isVersion2() && AcaPciIds.DB.isReady()) { + if (ci.isVersion2() && PciIds.DB.isReady()) { ci = AcaPciIds.translate((ComponentIdentifierV2) ci); } log.error("Unmatched component: " + ci); @@ -606,7 +607,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid int unmatchedComponentCounter = 1; for (ComponentIdentifier unmatchedComponent : pcUnmatchedComponents) { - if (unmatchedComponent.isVersion2() && AcaPciIds.DB.isReady()) { + if (unmatchedComponent.isVersion2() && PciIds.DB.isReady()) { unmatchedComponent = AcaPciIds.translate((ComponentIdentifierV2) unmatchedComponent); } diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java index c112ef2c..d415f3f1 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java 
@@ -14,6 +14,7 @@ import hirs.attestationca.persist.entity.userdefined.certificate.attributes.Comp import hirs.attestationca.persist.entity.userdefined.certificate.attributes.PlatformConfiguration; import hirs.attestationca.persist.util.AcaPciIds; import hirs.utils.BouncyCastleUtils; +import hirs.utils.PciIds; import lombok.AccessLevel; import lombok.NoArgsConstructor; import lombok.extern.log4j.Log4j2; @@ -371,7 +372,7 @@ public final class CertificateStringMapBuilder { .findByCertificateSerialNumberAndBoardSerialNumber( certificate.getSerialNumber().toString(), certificate.getPlatformSerial()); - if (AcaPciIds.DB.isReady()) { + if (PciIds.DB.isReady()) { compResults = AcaPciIds.translateResults(compResults); } data.put("componentResults", compResults); @@ -381,7 +382,7 @@ public final class CertificateStringMapBuilder { if (platformConfiguration != null) { //Component Identifier - attempt to translate hardware IDs List comps = platformConfiguration.getComponentIdentifier(); - if (AcaPciIds.DB.isReady()) { + if (PciIds.DB.isReady()) { comps = AcaPciIds.translate(comps); } data.put("componentsIdentifier", comps); diff --git a/HIRS_Utils/build.gradle b/HIRS_Utils/build.gradle index 100af334..cac43798 100644 --- a/HIRS_Utils/build.gradle +++ b/HIRS_Utils/build.gradle @@ -38,6 +38,7 @@ dependencies { implementation libs.commons.lang3 implementation libs.commons.io implementation libs.minimal.json + implementation libs.pci implementation 'org.apache.logging.log4j:log4j-core:2.19.0' implementation 'org.apache.logging.log4j:log4j-api:2.19.0' diff --git a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java index 63ed3499..b6bfcb87 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java +++ b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java 
@@ -1,4 +1,73 @@
 package hirs.utils;
-public class PciIds {
+import com.github.marandus.pciid.service.PciIdsDatabase;
+import lombok.extern.log4j.Log4j2;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Provide Java access to PCI IDs.
+ */
+@Log4j2
+public final class PciIds {
+
+ /**
+ * This pci ids file can be in different places on different distributions.
+ */
+ public static final List PCI_IDS_PATH =
+ Collections.unmodifiableList(new ArrayList<>() {
+ private static final long serialVersionUID = 1L;
+ {
+ add("/usr/share/hwdata/pci.ids");
+ add("/usr/share/misc/pci.ids");
+ add("/tmp/pci.ids");
+ }
+ });
+
+ /**
+ * The PCI IDs Database object.
+ *
+ * This only needs to be loaded one time.
+ *
+ * The pci ids library protects the data inside the object by making it immutable.
+ */
+ public static final PciIdsDatabase DB = new PciIdsDatabase();
+
+ static {
+ if (!DB.isReady()) {
+ String dbFile = null;
+ for (final String path : PCI_IDS_PATH) {
+ if ((new File(path)).exists()) {
+ log.info("PCI IDs file was found {}", path);
+ dbFile = path;
+ break;
+ }
+ }
+ if (dbFile != null) {
+ InputStream is = null;
+ try {
+ is = new FileInputStream(new File(dbFile));
+ DB.loadStream(is);
+ } catch (IOException e) {
+ // DB will not be ready, hardware IDs will not be translated
+ dbFile = null;
+ } finally {
+ if (is != null) {
+ try {
+ is.close();
+ } catch (IOException e) {
+ dbFile = null;
+ }
+ }
+ }
+ }
+ }
+ }
+
 }
From 2b7b19a5f90b07d0e054041da2e68f72a46c2ac5 Mon Sep 17 00:00:00 2001
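Review bot: The search list on the new side still ends with `/tmp/pci.ids`, so on a host where neither distribution path exists, any local user who can write to the shared temp directory decides which vendor and device names the ACA substitutes for attested component identifiers in its logs and portal pages. A translation table that feeds attestation output should only be read from a package-owned location; drop the `/tmp` entry, or gate it behind an explicit, documented test-only property. Both `catch (IOException e)` arms also swallow the failure without a log line, so an unreadable or malformed file degrades silently to untranslated IDs — `log.warn("Failed to load PCI IDs from {}", dbFile, e);` before `dbFile = null` would surface it. Whether `PciIdsDatabase.loadStream` can throw anything other than IOException is not visible here; confirm against the library before relying on this catch alone.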
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 1 Jul 2024 12:54:05 -0400 Subject: [PATCH 03/39] moved the 4 vendor/device translate functions to the utils pciids --- .../attestationca/persist/util/AcaPciIds.java | 86 +----------------- .../src/main/java/hirs/utils/PciIds.java | 87 +++++++++++++++++++ 2 files changed, 89 insertions(+), 84 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java index 29dbe00d..54d68ae2 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java @@ -14,7 +14,8 @@ import org.bouncycastle.asn1.DERUTF8String; import java.util.ArrayList; import java.util.List; -import static hirs.utils.PciIds.DB; +import static hirs.utils.PciIds.translateDevice; +import static hirs.utils.PciIds.translateVendor; /** * Provide Java access to PCI IDs. 
@@ -129,87 +130,4 @@ public final class AcaPciIds { } return newComponent; } - - /** - * Look up the vendor name from the PCI IDs list, if the input string contains an ID. - * If any part of this fails, return the original manufacturer value. - * @param refManufacturer DERUTF8String, likely from a ComponentIdentifier - * @return DERUTF8String with the discovered vendor name, or the original manufacturer value. - */ - public static ASN1UTF8String translateVendor(final ASN1UTF8String refManufacturer) { - ASN1UTF8String manufacturer = refManufacturer; - if (manufacturer != null && manufacturer.getString().trim().matches("^[0-9A-Fa-f]{4}$")) { - Vendor ven = DB.findVendor(manufacturer.getString().toLowerCase()); - if (ven != null && !Strings.isNullOrEmpty(ven.getName())) { - manufacturer = new DERUTF8String(ven.getName()); - } - } - return manufacturer; - } - - /** - * Look up the vendor name from the PCI IDs list, if the input string contains an ID. - * If any part of this fails, return the original manufacturer value. - * @param refManufacturer String, likely from a ComponentResult - * @return String with the discovered vendor name, or the original manufacturer value. - */ - public static String translateVendor(final String refManufacturer) { - String manufacturer = refManufacturer; - if (manufacturer != null && manufacturer.trim().matches("^[0-9A-Fa-f]{4}$")) { - Vendor ven = DB.findVendor(manufacturer.toLowerCase()); - if (ven != null && !Strings.isNullOrEmpty(ven.getName())) { - manufacturer = ven.getName(); - } - } - return manufacturer; - } - - /** - * Look up the device name from the PCI IDs list, if the input strings contain IDs. - * The Device lookup requires the Vendor ID AND the Device ID to be valid values. - * If any part of this fails, return the original model value. 
- * @param refManufacturer ASN1UTF8String, likely from a ComponentIdentifier - * @param refModel ASN1UTF8String, likely from a ComponentIdentifier - * @return ASN1UTF8String with the discovered device name, or the original model value. - */ - public static ASN1UTF8String translateDevice(final ASN1UTF8String refManufacturer, - final ASN1UTF8String refModel) { - ASN1UTF8String manufacturer = refManufacturer; - ASN1UTF8String model = refModel; - if (manufacturer != null - && model != null - && manufacturer.getString().trim().matches("^[0-9A-Fa-f]{4}$") - && model.getString().trim().matches("^[0-9A-Fa-f]{4}$")) { - Device dev = DB.findDevice(manufacturer.getString().toLowerCase(), - model.getString().toLowerCase()); - if (dev != null && !Strings.isNullOrEmpty(dev.getName())) { - model = new DERUTF8String(dev.getName()); - } - } - return model; - } - - /** - * Look up the device name from the PCI IDs list, if the input strings contain IDs. - * The Device lookup requires the Vendor ID AND the Device ID to be valid values. - * If any part of this fails, return the original model value. - * @param refManufacturer String, likely from a ComponentResult - * @param refModel String, likely from a ComponentResult - * @return String with the discovered device name, or the original model value. - */ - public static String translateDevice(final String refManufacturer, - final String refModel) { - String model = refModel; - if (refManufacturer != null - && model != null - && refManufacturer.trim().matches("^[0-9A-Fa-f]{4}$") - && model.trim().matches("^[0-9A-Fa-f]{4}$")) { - Device dev = DB.findDevice(refManufacturer.toLowerCase(), - model.toLowerCase()); - if (dev != null && !Strings.isNullOrEmpty(dev.getName())) { - model = dev.getName(); - } - } - return model; - } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java index b6bfcb87..84240ba2 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java 
+++ b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java @@ -1,7 +1,12 @@ package hirs.utils; +import com.github.marandus.pciid.model.Device; +import com.github.marandus.pciid.model.Vendor; import com.github.marandus.pciid.service.PciIdsDatabase; +import com.google.common.base.Strings; import lombok.extern.log4j.Log4j2; +import org.bouncycastle.asn1.ASN1UTF8String; +import org.bouncycastle.asn1.DERUTF8String; import java.io.File; import java.io.FileInputStream; 
@@ -70,4 +75,86 @@ public final class PciIds {
 }
 }
+ /**
+ * Look up the vendor name from the PCI IDs list, if the input string contains an ID.
+ * If any part of this fails, return the original manufacturer value.
+ * @param refManufacturer DERUTF8String, likely from a ComponentIdentifier
+ * @return DERUTF8String with the discovered vendor name, or the original manufacturer value.
+ */
+ public static ASN1UTF8String translateVendor(final ASN1UTF8String refManufacturer) {
+ ASN1UTF8String manufacturer = refManufacturer;
+ if (manufacturer != null && manufacturer.getString().trim().matches("^[0-9A-Fa-f]{4}$")) {
+ Vendor ven = DB.findVendor(manufacturer.getString().toLowerCase());
+ if (ven != null && !Strings.isNullOrEmpty(ven.getName())) {
+ manufacturer = new DERUTF8String(ven.getName());
+ }
+ }
+ return manufacturer;
+ }
+
+ /**
+ * Look up the vendor name from the PCI IDs list, if the input string contains an ID.
+ * If any part of this fails, return the original manufacturer value.
+ * @param refManufacturer String, likely from a ComponentResult
+ * @return String with the discovered vendor name, or the original manufacturer value.
+ */
+ public static String translateVendor(final String refManufacturer) {
+ String manufacturer = refManufacturer;
+ if (manufacturer != null && manufacturer.trim().matches("^[0-9A-Fa-f]{4}$")) {
+ Vendor ven = DB.findVendor(manufacturer.toLowerCase());
+ if (ven != null && !Strings.isNullOrEmpty(ven.getName())) {
+ manufacturer = ven.getName();
+ }
+ }
+ return manufacturer;
+ }
+
+ /**
+ * Look up the device name from the PCI IDs list, if the input strings contain IDs.
+ * The Device lookup requires the Vendor ID AND the Device ID to be valid values.
+ * If any part of this fails, return the original model value.
+ * @param refManufacturer ASN1UTF8String, likely from a ComponentIdentifier
+ * @param refModel ASN1UTF8String, likely from a ComponentIdentifier
+ * @return ASN1UTF8String with the discovered device name, or the original model value.
+ */
+ public static ASN1UTF8String translateDevice(final ASN1UTF8String refManufacturer,
+ final ASN1UTF8String refModel) {
+ ASN1UTF8String manufacturer = refManufacturer;
+ ASN1UTF8String model = refModel;
+ if (manufacturer != null
+ && model != null
+ && manufacturer.getString().trim().matches("^[0-9A-Fa-f]{4}$")
+ && model.getString().trim().matches("^[0-9A-Fa-f]{4}$")) {
+ Device dev = DB.findDevice(manufacturer.getString().toLowerCase(),
+ model.getString().toLowerCase());
+ if (dev != null && !Strings.isNullOrEmpty(dev.getName())) {
+ model = new DERUTF8String(dev.getName());
+ }
+ }
+ return model;
+ }
+
+ /**
+ * Look up the device name from the PCI IDs list, if the input strings contain IDs.
+ * The Device lookup requires the Vendor ID AND the Device ID to be valid values.
+ * If any part of this fails, return the original model value.
+ * @param refManufacturer String, likely from a ComponentResult
+ * @param refModel String, likely from a ComponentResult
+ * @return String with the discovered device name, or the original model value.
+ */
+ public static String translateDevice(final String refManufacturer,
+ final String refModel) {
+ String model = refModel;
+ if (refManufacturer != null
+ && model != null
+ && refManufacturer.trim().matches("^[0-9A-Fa-f]{4}$")
+ && model.trim().matches("^[0-9A-Fa-f]{4}$")) {
+ Device dev = DB.findDevice(refManufacturer.toLowerCase(),
+ model.toLowerCase());
+ if (dev != null && !Strings.isNullOrEmpty(dev.getName())) {
+ model = dev.getName();
+ }
+ }
+ return model;
+ }
 }
From 137c801b3a43b402e19afa8179b3b01c082857df Mon Sep 17 00:00:00 2001
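Review bot: In all four translate methods the hex-ID check runs on the trimmed value (`manufacturer.getString().trim().matches("^[0-9A-Fa-f]{4}$")`) but the lookup key is the untrimmed `manufacturer.getString().toLowerCase()`, so an identifier with surrounding whitespace passes the check and is then queried with the whitespace intact; derive both from one normalized value, e.g. `String key = manufacturer.getString().trim().toLowerCase();` used for the check and the lookup. `String.matches` also recompiles the pattern on every call, and these methods run once per component; a `private static final Pattern HEX_ID_4 = Pattern.compile("[0-9A-Fa-f]{4}");` in PciIds with `HEX_ID_4.matcher(key).matches()` removes that cost (needs a `java.util.regex.Pattern` import). Unlike the call sites in CertificateAttributeScvValidator and CertificateStringMapBuilder, nothing here checks `DB.isReady()` before `DB.findVendor`/`DB.findDevice`; what those return on an unloaded database is not visible in this diff, so either guard here or confirm they return null rather than throw. These methods were moved verbatim, so the points predate the commit but now live in the shared utility every module will call.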
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 1 Jul 2024 13:00:18 -0400 Subject: [PATCH 04/39] added pciids translations to SPDM Device Context file --- .../events/DeviceSecurityEventDataPciContext.java | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index ed8f4c89..01b182b8 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java @@ -3,6 +3,9 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import lombok.Getter; +import static hirs.utils.PciIds.translateDevice; +import static hirs.utils.PciIds.translateVendor; + /** * Class to process the DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT event per PFP. *

@@ -108,11 +111,11 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe
 dSEDpciContextInfo += super.toString();
 dSEDpciContextInfo += "\n Device Type = PCI";
- dSEDpciContextInfo += "\n VendorID = 0x" + vendorId;
- dSEDpciContextInfo += "\n DeviceID = 0x" + deviceId;
+ dSEDpciContextInfo += "\n Vendor = " + translateVendor(vendorId);
+ dSEDpciContextInfo += "\n Device = " + translateDevice(vendorId, deviceId);
 dSEDpciContextInfo += "\n RevisionID = 0x" + revisionId;
 dSEDpciContextInfo += "\n ClassCode = 0x" + classCode;
- dSEDpciContextInfo += "\n SubsystemVendorID = 0x" + subsystemVendorId;
+ dSEDpciContextInfo += "\n SubsystemVendor = " + translateVendor(subsystemVendorId);
 dSEDpciContextInfo += "\n SubsystemID = 0x" + subsystemId;
 return dSEDpciContextInfo;
From 5da47f3aa61fd1ef42391b64e6a8423a640fc848 Mon Sep 17 00:00:00 2001
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com>
Date: Mon, 1 Jul 2024 13:04:45 -0400
Subject: [PATCH 05/39] cleaning up imports
---
 .../main/java/hirs/attestationca/persist/util/AcaPciIds.java | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java
index 54d68ae2..1234ebca 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java
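Review bot: Once a translation succeeds the attested hex identifier disappears from the output — `"\n Vendor = " + translateVendor(vendorId)` prints only the pci.ids name — yet for an event-log/attestation record the raw ID is the evidence and the name is a non-authoritative, non-unique convenience. Keep the identifier and append the name, e.g. `"\n VendorID = 0x" + vendorId` followed by the translated name on the same line when `translateVendor(vendorId)` returns something other than its input, and likewise for Device and SubsystemVendor, so a reader can still match the entry against a platform certificate or vendor advisory. Unlike the other call sites in this series, these calls are not guarded by `PciIds.DB.isReady()`; what `findVendor` does on an unloaded database is not visible here, and `toString` on a log entry should not fail because pci.ids is absent, so confirm it returns null or add the guard. The enclosing toString starts outside the hunk.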
@@ -1,14 +1,10 @@ package hirs.attestationca.persist.util; -import com.github.marandus.pciid.model.Device; -import com.github.marandus.pciid.model.Vendor; -import com.google.common.base.Strings; import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult; import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentIdentifier; import hirs.attestationca.persist.entity.userdefined.certificate.attributes.V2.ComponentIdentifierV2; import lombok.extern.log4j.Log4j2; -import org.bouncycastle.asn1.ASN1UTF8String; import org.bouncycastle.asn1.DERUTF8String; import java.util.ArrayList; From 22e33acb3624ab0b86e9d5280c6fecbcdb263644 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 1 Jul 2024 13:05:26 -0400 Subject: [PATCH 06/39] cleaning up comments --- .../eventlog/events/DeviceSecurityEventDataPciContext.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index 01b182b8..4d23e5c1 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java @@ -102,9 +102,9 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe } /** - * Returns a human readable description of the data within this structure. + * Returns a human-readable description of the data within this structure. * - * @return a description of this structure.. + * @return a description of this structure. */ public String toString() { String dSEDpciContextInfo = ""; From 2fd6ee0557d98d0075213174b1b270147c6e4cdc Mon Sep 17 00:00:00 2001 
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Wed, 3 Jul 2024 13:03:54 -0400 Subject: [PATCH 07/39] cleaned up a few checkstyle warnings --- .../src/main/java/hirs/tcg_eventlog/Main.java | 36 +++++++++++-------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java index e0c909a7..3f992872 100644 --- a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java +++ b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java @@ -27,7 +27,12 @@ final class Main { private static Commander commander = null; private static FileOutputStream outputStream = null; private static byte[] eventLog = null; - private static boolean bContentFlag, bEventFlag, bHexEvent, bHexFlag, bPcrFlag = false; + private static boolean bContentFlag = false; + private static boolean bEventFlag = false; + private static boolean bHexEvent = false; + private static boolean bHexFlag = false; + private static boolean bPcrFlag = false; + /** * Main Constructor. 
@@ -131,17 +136,16 @@ final class Main { + evLog.getEventList().size() + " events:\n\n"); } if (evLog.getVendorTableFileStatus() == FILESTATUS_NOT_ACCESSIBLE) { - writeOut("*** WARNING: The file vendor-table.json file was not accessible so data " + - "in some Secure Boot PCR 7 events cannot be processed.\n\n"); - } - else if (evLog.getVendorTableFileStatus() == FILESTATUS_FROM_CODE) { - writeOut("*** NOTE: " + - "The file vendor-table.json file was not accessible from the filesystem,\n" + - " so the vendor-table.json from code was " + - "used. If updates were made in the\n" + - " filesystem file, they will not be reflected. " + - "This affects parsing in some\n" + - " Secure Boot PCR 7 events.\n\n"); + writeOut("*** WARNING: The file vendor-table.json file was not accessible so data " + + "in some Secure Boot PCR 7 events cannot be processed.\n\n"); + } else if (evLog.getVendorTableFileStatus() == FILESTATUS_FROM_CODE) { + writeOut("*** NOTE: " + + "The file vendor-table.json file was not accessible from the filesystem,\n" + + " so the vendor-table.json from code was " + + "used. If updates were made in the\n" + + " filesystem file, they will not be reflected. " + + "This affects parsing in some\n" + + " Secure Boot PCR 7 events.\n\n"); } } int eventCount = 0; @@ -189,7 +193,8 @@ final class Main { * @return a byte array holding the entire log */ public static byte[] openLog(final String fileName) { - String os = System.getProperty("os.name").toLowerCase(), fName = fileName; + String os = System.getProperty("os.name").toLowerCase(); + String fName = fileName; byte[] rawLog = null; boolean bDefault = false; bHexFlag = commander.getHexFlag(); 
@@ -248,7 +253,8 @@ final class Main { * @return A sting containing human readable results. */ public static String compareLogs(final String logFileName1, final String logFileName2) { - TCGEventLog eventLog1 = null, eventLog2 = null; + TCGEventLog eventLog1 = null; + TCGEventLog eventLog2 = null; byte[] evLog = openLog(logFileName1); byte[] evLog2 = openLog(logFileName2); StringBuilder sb = new StringBuilder(); @@ -337,7 +343,7 @@ final class Main { * * @param eventLog The Reference Event log. * @param event single event to match. - * @return + * @return indicator whether match was found. */ private static boolean digestMatch(final Collection eventLog, final TpmPcrEvent event) { From de4f6214fb6285aa58e19afb8f55e5e14b58fc8f Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Wed, 3 Jul 2024 14:26:00 -0400 Subject: [PATCH 08/39] working to get class code --- .../src/main/java/hirs/utils/PciIds.java | 21 +++++++++++++++++++ .../DeviceSecurityEventDataPciContext.java | 7 ++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java index 84240ba2..e457e8d3 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java +++ b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java @@ -1,6 +1,7 @@ package hirs.utils; import com.github.marandus.pciid.model.Device; +import com.github.marandus.pciid.model.DeviceClass; import com.github.marandus.pciid.model.Vendor; import com.github.marandus.pciid.service.PciIdsDatabase; import com.google.common.base.Strings; 
@@ -157,4 +158,24 @@ public final class PciIds { } return model; } + + /** + * Look up the device class name from the PCI IDs list, if the input string contains an ID. + * If any part of this fails, return the original manufacturer value. + * @param refDeviceClass String + * @return String with the discovered vendor name, or the original manufacturer value. + */ + public static String translateDeviceClass(final String refDeviceClass) { + String deviceClass = refDeviceClass; + if (deviceClass != null && deviceClass.trim().matches("^[0-9A-Fa-f]{6}$")) { + DeviceClass devC = DB.findDeviceClass(deviceClass.toLowerCase()); + DeviceClass devD = DB.findDeviceClass("010802"); + System.out.println("XXXX: " + devC); + System.out.println("YYYY: " + devD); + if (devC != null && !Strings.isNullOrEmpty(devC.getName())) { + deviceClass = devC.getName(); + } + } + return deviceClass; + } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index 4d23e5c1..2b9cee36 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java @@ -4,6 +4,7 @@ import hirs.utils.HexUtils; import lombok.Getter; import static hirs.utils.PciIds.translateDevice; +import static hirs.utils.PciIds.translateDeviceClass; import static hirs.utils.PciIds.translateVendor; /** 
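Review bot: The two `System.out.println("XXXX: " + devC)` / `"YYYY: " + devD` lines and the hard-coded `DB.findDeviceClass("010802")` probe are debug scaffolding that ships in library code and writes to the stdout of every consumer of HIRS_Utils; drop both println lines and the `devD` lookup before this lands. The Javadoc is also copied from the vendor lookup — it promises "the discovered vendor name, or the original manufacturer value" — and should read `@return String with the device class name, or the original class code value.` with `@param refClassCode six hex characters: class, subclass, programming interface`. If the PCI IDs library keys classes by the two-hex-digit class byte rather than the full six-character code, `DB.findDeviceClass(deviceClass.toLowerCase())` with a six-character string will never match; the hard-coded probe suggests this was being investigated, so worth confirming against the library API.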
@@ -113,10 +114,10 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe dSEDpciContextInfo += "\n Device Type = PCI"; dSEDpciContextInfo += "\n Vendor = " + translateVendor(vendorId); dSEDpciContextInfo += "\n Device = " + translateDevice(vendorId, deviceId); - dSEDpciContextInfo += "\n RevisionID = 0x" + revisionId; - dSEDpciContextInfo += "\n ClassCode = 0x" + classCode; + dSEDpciContextInfo += "\n RevisionID = " + revisionId; + dSEDpciContextInfo += "\n Device Class = " + translateDeviceClass(classCode); dSEDpciContextInfo += "\n SubsystemVendor = " + translateVendor(subsystemVendorId); - dSEDpciContextInfo += "\n SubsystemID = 0x" + subsystemId; + dSEDpciContextInfo += "\n Subsystem = " + translateDevice(subsystemVendorId, subsystemId); return dSEDpciContextInfo; } From 770b36d4f3bf451295eb2c77558e43de48b72bb9 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Fri, 5 Jul 2024 09:26:16 -0400 Subject: [PATCH 09/39] update output message in main --- .../src/main/java/hirs/tcg_eventlog/Main.java | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java index 3f992872..39a24549 100644 --- a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java +++ b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java 
@@ -136,16 +136,13 @@ final class Main { + evLog.getEventList().size() + " events:\n\n"); } if (evLog.getVendorTableFileStatus() == FILESTATUS_NOT_ACCESSIBLE) { - writeOut("*** WARNING: The file vendor-table.json file was not accessible so data " - + "in some Secure Boot PCR 7 events cannot be processed.\n\n"); + writeOut("*** WARNING: The file vendor-table.json was not accessible from the " + + "filesystem or the code, so some event data shown in the output of this " + + "tool may be outdated or omitted.\n\n"); } else if (evLog.getVendorTableFileStatus() == FILESTATUS_FROM_CODE) { writeOut("*** NOTE: " + "The file vendor-table.json file was not accessible from the filesystem,\n" - + " so the vendor-table.json from code was " - + "used. If updates were made in the\n" - + " filesystem file, they will not be reflected. " - + "This affects parsing in some\n" - + " Secure Boot PCR 7 events.\n\n"); + + " so the vendor-table.json from code was used.\n\n"); } } int eventCount = 0; From d2032973b579992c07dad2dd36ce8f99260d3a94 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Fri, 5 Jul 2024 13:11:25 -0400 Subject: [PATCH 10/39] working on class code --- .../src/main/java/hirs/utils/PciIds.java | 44 ++++++++++++++----- .../DeviceSecurityEventDataPciContext.java | 10 ++++- 2 files changed, 42 insertions(+), 12 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java index e457e8d3..1449b155 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java +++ b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java 
@@ -2,6 +2,8 @@ package hirs.utils; import com.github.marandus.pciid.model.Device; import com.github.marandus.pciid.model.DeviceClass; +import com.github.marandus.pciid.model.DeviceSubclass; +import com.github.marandus.pciid.model.ProgramInterface; import com.github.marandus.pciid.model.Vendor; import com.github.marandus.pciid.service.PciIdsDatabase; import com.google.common.base.Strings; 
@@ -162,20 +164,40 @@ public final class PciIds { /** * Look up the device class name from the PCI IDs list, if the input string contains an ID. * If any part of this fails, return the original manufacturer value. - * @param refDeviceClass String - * @return String with the discovered vendor name, or the original manufacturer value. + * @param refClassCode String, formatted as 2 characters (1 byte) for each of the 3 categories + * Example "010802": + * Class: "01" + * Subclass: "08" + * Programming Interface: "02" + * @return List 3-element list with the class code + * 1st element: human-readable description of Class + * 2nd element: human-readable description of Subclass + * 3rd element: human-readable description of Programming Interface */ - public static String translateDeviceClass(final String refDeviceClass) { - String deviceClass = refDeviceClass; - if (deviceClass != null && deviceClass.trim().matches("^[0-9A-Fa-f]{6}$")) { - DeviceClass devC = DB.findDeviceClass(deviceClass.toLowerCase()); - DeviceClass devD = DB.findDeviceClass("010802"); - System.out.println("XXXX: " + devC); - System.out.println("YYYY: " + devD); + public static List translateDeviceClass(final String refClassCode) { + List translatedClassCode = new ArrayList<>(); + + String classCode = refClassCode; + if (classCode != null && classCode.trim().matches("^[0-9A-Fa-f]{6}$")) { + String deviceClass = classCode.substring(0,2).toLowerCase(); + String deviceSubclass = classCode.substring(2,2).toLowerCase(); + String programInterface = classCode.substring(4,2).toLowerCase(); + translatedClassCode.add(deviceClass); + translatedClassCode.add(deviceSubclass); + translatedClassCode.add(programInterface); + DeviceClass devC = DB.findDeviceClass(deviceClass); + DeviceSubclass devSc = DB.findDeviceSubclass(deviceClass, deviceSubclass); + ProgramInterface progI = DB.findProgramInterface(deviceClass, deviceSubclass, programInterface); if (devC != null && !Strings.isNullOrEmpty(devC.getName())) { - 
deviceClass = devC.getName(); + translatedClassCode.set(0, devC.getName()); + } + if (devSc != null && !Strings.isNullOrEmpty(devSc.getName())) { + translatedClassCode.set(1, devSc.getName()); + } + if (progI != null && !Strings.isNullOrEmpty(progI.getName())) { + translatedClassCode.set(2, progI.getName()); } } - return deviceClass; + return translatedClassCode; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index 2b9cee36..8684b60f 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java @@ -3,6 +3,9 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import lombok.Getter; +import java.util.ArrayList; +import java.util.List; + import static hirs.utils.PciIds.translateDevice; import static hirs.utils.PciIds.translateDeviceClass; import static hirs.utils.PciIds.translateVendor; @@ -115,7 +118,12 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe dSEDpciContextInfo += "\n Vendor = " + translateVendor(vendorId); dSEDpciContextInfo += "\n Device = " + translateDevice(vendorId, deviceId); dSEDpciContextInfo += "\n RevisionID = " + revisionId; - dSEDpciContextInfo += "\n Device Class = " + translateDeviceClass(classCode); + + List classCodeList = translateDeviceClass(classCode); + dSEDpciContextInfo += "\n Device Class:"; + dSEDpciContextInfo += "\n Class = " + classCodeList.get(0); + dSEDpciContextInfo += "\n Subclass = " + classCodeList.get(1); + dSEDpciContextInfo += "\n Programming Interface = " + classCodeList.get(2); dSEDpciContextInfo += "\n SubsystemVendor = " + translateVendor(subsystemVendorId); dSEDpciContextInfo += "\n Subsystem = " + translateDevice(subsystemVendorId, subsystemId); 
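Review bot: `translateDeviceClass` returns an empty list whenever `refClassCode` is null or does not match the six-hex-digit pattern, yet the Javadoc documents a 3-element list and the caller added in this commit indexes elements 0–2 unconditionally, so a short or malformed class code from the event log ends in an `IndexOutOfBoundsException` instead of a readable line. The regex is also tested against `classCode.trim()` while the substrings are taken from the untrimmed string, so a value with surrounding whitespace passes the check and is sliced at the wrong offsets, and the raw `List` should be `List<String>`. Pre-populating three entries with the trimmed original value, slicing the trimmed string, and switching the three `add` calls inside the `if` to `set(0, …)`, `set(1, …)`, `set(2, …)` fixes all three; the DB lookups stay as they are.
```java
public static List<String> translateDeviceClass(final String refClassCode) {
    // Always hand back three entries so callers can index 0..2 even when no lookup happens.
    String classCode = refClassCode == null ? "" : refClassCode.trim();
    List<String> translatedClassCode = new ArrayList<>();
    translatedClassCode.add(classCode);
    translatedClassCode.add(classCode);
    translatedClassCode.add(classCode);
    if (classCode.matches("^[0-9A-Fa-f]{6}$")) {
        // … unchanged: class/subclass/interface extraction and DB lookups, with add(...) changed to set(i, ...) …
    }
    return translatedClassCode;
}
```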
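Review bot: `classCodeList.get(0)`, `get(1)` and `get(2)` assume `translateDeviceClass` always returns three entries, but it returns an empty list for a null or non-six-hex-digit `classCode`, so a truncated PCI context record makes `toString` throw `IndexOutOfBoundsException` instead of rendering the event. Guard on the size and fall back to the raw value — wrap the three `Class`/`Subclass`/`Programming Interface` lines in `if (classCodeList.size() == 3) { … } else { dSEDpciContextInfo += "\n Device Class = " + classCode; }` — and declare the local as `List<String>` rather than the raw `List`. The enclosing `toString` starts outside the hunk.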
From 2b198816b681c41ac5bdd7a9517f9525e641bc74 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 8 Jul 2024 10:16:32 -0400 Subject: [PATCH 11/39] fixes/minor changes --- HIRS_Utils/src/main/java/hirs/utils/PciIds.java | 4 ++-- .../utils/tpm/eventlog/events/DeviceSecurityEventHeader.java | 2 +- .../java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java index 1449b155..6bac767b 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java +++ b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java @@ -180,8 +180,8 @@ public final class PciIds { String classCode = refClassCode; if (classCode != null && classCode.trim().matches("^[0-9A-Fa-f]{6}$")) { String deviceClass = classCode.substring(0,2).toLowerCase(); - String deviceSubclass = classCode.substring(2,2).toLowerCase(); - String programInterface = classCode.substring(4,2).toLowerCase(); + String deviceSubclass = classCode.substring(2,4).toLowerCase(); + String programInterface = classCode.substring(4,6).toLowerCase(); translatedClassCode.add(deviceClass); translatedClassCode.add(deviceSubclass); translatedClassCode.add(programInterface); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java index 210f4f86..5e60f607 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java 
@@ -208,7 +208,7 @@ public abstract class DeviceSecurityEventHeader { dsedHeaderCommonInfo += "\n SPDM Device Type = " + deviceTypeToString(deviceType); if (devicePathValid) { - dsedHeaderCommonInfo += "\n SPDM Device Path =\n"; + dsedHeaderCommonInfo += "\n SPDM Device Path:\n"; dsedHeaderCommonInfo += devicePath; } else { diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java index adcec477..bd647deb 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java @@ -116,7 +116,7 @@ public class UefiDevicePath { */ private String processDev(final byte[] path, final int offset) throws UnsupportedEncodingException { - String devInfo = " "; + String devInfo = " "; int devPath = path[offset]; byte unknownSubType = path[offset + UefiConstants.OFFSET_1]; switch (path[0 + offset]) { From 9d837f9b4d56ef35d1ff2e129f7f41061c5c28f3 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 8 Jul 2024 14:46:59 -0400 Subject: [PATCH 12/39] updated comments for DeviceSecurityEvent files, started processing of new data structure --- .../eventlog/events/DeviceSecurityEvent.java | 19 ++------ .../events/EvEfiSpdmDeviceSecurityEvent.java | 3 -- .../utils/tpm/eventlog/events/EvNoAction.java | 2 + .../events/NvIndexInstanceEventLogData.java | 47 +++++++++++++++++++ 4 files changed, 53 insertions(+), 18 deletions(-) create mode 100644 HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java index 49cf9555..161f7a7a 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java 
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java @@ -7,7 +7,6 @@ import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TY import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TYPE_PCI; import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TYPE_USB; - /** * Abstract base class to process the DEVICE_SECURITY_EVENT_DATA or ..DATA2 event. * Parses event data per PFP v1.06 Rev52 Tables 20 and 26. @@ -17,10 +16,10 @@ import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TY * The first 2 fields of the respective headers are the same in both ..DATA and ..DATA2. * Field 1: * The first 16 bytes of the event data header MUST be a String based identifier (Signature), - * NUL-terminated, per PFP. The only currently defined Signature is "SPDM Device Sec", which - * implies the data is a DEVICE_SECURITY_EVENT_DATA or ..DATA2. + * per PFP. The only currently defined Signatures are "SPDM Device Sec" and "SPDM Device Sec2", + * which implies the data is a DEVICE_SECURITY_EVENT_DATA or ..DATA2, respectively. * Field 2: - * The Version field indicates whether the Device Security Event is ..DATA or ..DATA2. + * The Version field also indicates whether the Device Security Event is ..DATA or ..DATA2. * * DEVICE SECURITY EVENT structures defined by PFP v1.06 Rev 52: *

@@ -39,19 +38,9 @@ import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TY * UINT8 Signature[16]; * UINT16 Version; * ... ... + * (The rest of the components are different for HEADER vs HEADER2) * } *

- * Notes: - * 1. Has an EventType of EV_EFI_SPDM_FIRMWARE_BLOB (0x800000E1) - * 2. Event content defined as DEVICE_SECURITY_EVENT_DATA Struct. - * 3. First 16 bytes of the structure header is an ASCII "SPDM Device Sec" - *

- * Only a few of the Device Security Event Data events have been implemented as there are many, - * but only those that were reported using the test devices at hand. - * Without test patterns, the processing may lead to an un-handled exception. - * For now, the only test pattern uses ..DeviceContext with PCI only, without USB -> assume only 1 - * even though the spec says both are in the data structure. If it is only 1, though, there's no - * method to tell them apart. */ public abstract class DeviceSecurityEvent { diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java index 8da93b23..f686e560 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java @@ -2,10 +2,7 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import hirs.utils.tpm.eventlog.uefi.UefiConstants; -import lombok.Getter; -import java.io.IOException; -import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java index 2b058187..3da56ae0 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java @@ -48,6 +48,8 @@ public class EvNoAction { if (signature.contains("Spec ID Event03")) { // implies CryptAgileFormat specIDEvent = new EvEfiSpecIdEvent(eventData); bSpecIDEvent = true; + } else if (signature.contains("NvIndexInstance")) { + System.out.println("XXXX Nv Index Instance"); } } 
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java new file mode 100644 index 00000000..295fb119 --- /dev/null +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java @@ -0,0 +1,47 @@ +package hirs.utils.tpm.eventlog.events; + + +/** + * Class to process the NV_INDEX_INSTANCE_EVENT_LOG_DATA per PFP. + * The first 16 bytes of the event data header are a String based identifier (Signature), + * NUL-terminated, per PFP. The only currently defined Signature is "SPDM Device Sec", + * which implies the data is a DEVICE_SECURITY_EVENT_DATA or ..DATA2. + * + * HEADERS defined by PFP v1.06 Rev 52. + * Certain fields are common to both ..HEADER and ..HEADER2, and are noted below the structures. + *

+ * typedef struct tdDEVICE_SECURITY_EVENT_DATA_HEADER { + * UINT8 Signature[16]; + * UINT16 Version; + * UINT16 Length; + * UINT32 SpdmHashAlg; + * UINT32 DeviceType; + * SPDM_MEASUREMENT_BLOCK SpdmMeasurementBlock; + * UINT64 DevicePathLength; + * UNIT8 DevicePath[DevicePathLength] + * } DEVICE_SECURITY_EVENT_DATA_HEADER; + *

+ * typedef struct tdDEVICE_SECURITY_EVENT_DATA_HEADER2 { - NOT IMPLEMENTED YET + * UINT8 Signature[16]; + * UINT16 Version; + * UINT8 AuthState; + * UINT8 Reserved; + * UINT32 Length; + * UINT32 DeviceType; + * UINT32 SubHeaderType; + * UINT32 SubHeaderLength; + * UINT32 SubHeaderUID; + * UINT64 DevicePathLength; + * UNIT8 DevicePath[DevicePathLength] + * } DEVICE_SECURITY_EVENT_DATA_HEADER2; + *

+ * Fields common to both ..HEADER and ..HEADER2: + * Signature + * Version + * DeviceType + * DevicePathLength + * DevicePath + *

+ */ +public class NvIndexInstanceEventLogData { +} From 6b1731df0877b97b9e6125975ecdbd68e817443f Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 8 Jul 2024 18:24:03 -0400 Subject: [PATCH 13/39] implementing NvIndexInstance and supporting code --- .../hirs/utils/tpm/eventlog/TpmPcrEvent.java | 4 +- .../eventlog/events/DeviceSecurityEvent.java | 12 +- .../events/DeviceSecurityEventData.java | 33 +++-- .../events/DeviceSecurityEventData2.java | 75 ++++++---- .../events/DeviceSecurityEventDataHeader.java | 17 ++- .../events/EvEfiSpdmDeviceSecurityEvent.java | 37 +++-- .../utils/tpm/eventlog/events/EvNoAction.java | 41 ++++-- .../events/NvIndexInstanceEventLogData.java | 132 +++++++++++++----- 8 files changed, 241 insertions(+), 110 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java index 5a5758e9..6226de2b 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java @@ -555,9 +555,7 @@ public class TpmPcrEvent { case EvConstants.EV_EFI_HCRTM_EVENT: break; case EvConstants.EV_EFI_SPDM_FIRMWARE_BLOB: - EvEfiSpdmDeviceSecurityEvent tempp = new EvEfiSpdmDeviceSecurityEvent(content); - description += "Event Content:\n" + tempp.toString(); -// description += "Event Content:\n" + new EvEfiSpdmDeviceSecurityEvent(content).toString(); + description += "Event Content:\n" + new EvEfiSpdmDeviceSecurityEvent(content).toString(); break; case EvConstants.EV_EFI_SPDM_FIRMWARE_CONFIG: description += "Event Content:\n" + new EvEfiSpdmDeviceSecurityEvent(content).toString(); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java index 161f7a7a..509525b9 100644 
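Review bot: The class Javadoc on `NvIndexInstanceEventLogData` is copied from the DEVICE_SECURITY_EVENT_DATA classes — it states the only defined signature is "SPDM Device Sec" and lists the DEVICE_SECURITY_EVENT_DATA_HEADER and HEADER2 structs — none of which describes NV_INDEX_INSTANCE_EVENT_LOG_DATA, so it actively misleads the next reader of this file. Replace the summary with something like `Class to process the NV_INDEX_INSTANCE_EVENT_LOG_DATA structure per PFP v1.06 Rev 52; the 16-byte event data signature is "NvIndexInstance".` and replace the struct listing with the NV index instance layout from the PFP section this class will parse, or a `TODO` stating the layout is pending until parsing is implemented. The fields-in-common note about HEADER/HEADER2 should go too, since this class has no relation to those headers.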
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java @@ -1,5 +1,6 @@ package hirs.utils.tpm.eventlog.events; +import hirs.utils.tpm.eventlog.spdm.SpdmMeasurementBlock; import lombok.Getter; import lombok.Setter; @@ -84,9 +85,14 @@ public abstract class DeviceSecurityEvent { deviceContextInfo = "\n No Device Context (indicated by device type value of 0"; } else if (deviceType == DEVICE_TYPE_PCI) { - dsedDevContext - = new DeviceSecurityEventDataPciContext(dsedDeviceContextBytes); - deviceContextInfo = dsedDevContext.toString(); + try { + dsedDevContext + = new DeviceSecurityEventDataPciContext(dsedDeviceContextBytes); + deviceContextInfo = dsedDevContext.toString(); + } + catch(NullPointerException e) { + deviceContextInfo = " Could not interpret Device Context info"; + } } else if (deviceType == DEVICE_TYPE_USB) { // dsedDevContext diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java index 9a852704..298a0279 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java 
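Review bot: Catching only `NullPointerException` around `new DeviceSecurityEventDataPciContext(dsedDeviceContextBytes)` does not protect the parser from what malformed event data actually produces: context bytes shorter than the PCI context layout would presumably surface from byte-offset parsing as `ArrayIndexOutOfBoundsException` (the constructor is not in this hunk), which still propagates and aborts processing of the whole log. Since the event log is untrusted input on the attestation path, validate `dsedDeviceContextBytes.length` against the expected PCI context size before constructing, or catch the exceptions the constructor can really throw rather than NPE. The caught `e` is also discarded; log it at debug so a truncated record is diagnosable. The enclosing method starts outside the hunk.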
@@ -23,22 +23,37 @@ public class DeviceSecurityEventData extends DeviceSecurityEvent { @Getter private DeviceSecurityEventDataHeader dsedHeader = null; + /** + * Human-readable description of the data within the + * DEVICE_SECURITY_EVENT_DATA_HEADER. + */ + @Getter + String headerInfo = ""; + /** * DeviceSecurityEventData Constructor. * * @param dsedBytes byte array holding the DeviceSecurityEventData. */ public DeviceSecurityEventData(final byte[] dsedBytes) { - dsedHeader = new DeviceSecurityEventDataHeader(dsedBytes); - setDeviceType(dsedHeader.getDeviceType()); - int dsedHeaderLength = dsedHeader.getDsedHeaderLength(); - int dsedDevContextLength = dsedBytes.length - dsedHeaderLength; - byte[] dsedDevContextBytes = new byte[dsedDevContextLength]; - System.arraycopy(dsedBytes, dsedHeaderLength, dsedDevContextBytes, 0, - dsedDevContextLength); + try { + dsedHeader = new DeviceSecurityEventDataHeader(dsedBytes); + headerInfo = dsedHeader.toString(); - instantiateDeviceContext(dsedDevContextBytes); + setDeviceType(dsedHeader.getDeviceType()); + int dsedHeaderLength = dsedHeader.getDsedHeaderLength(); + + int dsedDevContextLength = dsedBytes.length - dsedHeaderLength; + byte[] dsedDevContextBytes = new byte[dsedDevContextLength]; + System.arraycopy(dsedBytes, dsedHeaderLength, dsedDevContextBytes, 0, + dsedDevContextLength); + + instantiateDeviceContext(dsedDevContextBytes); + } + catch(NullPointerException e) { + headerInfo = " Could not interpret Header info"; + } } /** @@ -48,7 +63,7 @@ public class DeviceSecurityEventData extends DeviceSecurityEvent { */ public String toString() { String dsedInfo = ""; - dsedInfo += dsedHeader.toString(); + dsedInfo += headerInfo; dsedInfo += getDeviceContextInfo(); return dsedInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java index 68327e30..597b1ffd 100644 
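Review bot: `dsedHeaderLength` comes from the event data itself and `dsedBytes.length - dsedHeaderLength` is used directly as an array size, so a header that claims more bytes than are present yields a negative length and `NegativeArraySizeException`, which the `catch (NullPointerException e)` does not cover — a truncated or crafted record still aborts log parsing. Check `if (dsedHeaderLength < 0 || dsedHeaderLength > dsedBytes.length) { headerInfo += " Header length exceeds event data"; return; }` before the allocation. The `try` also spans `instantiateDeviceContext`, so a failure inside the device context overwrites the already-built `headerInfo` with "Could not interpret Header info", misreporting where parsing failed; narrow the block to the header construction and keep the caught exception in a log line rather than dropping `e`.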
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java @@ -34,7 +34,14 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { private DeviceSecurityEventDataSubHeader dsedSubHeader = null; /** - * Human readable description of the data within the + * Human-readable description of the data within the + * DEVICE_SECURITY_EVENT_DATA_HEADER2. + */ + @Getter + String headerInfo = ""; + + /** + * Human-readable description of the data within the * DEVICE_SECURITY_EVENT_DATA_SUB_HEADER. SUB_HEADER can be either * DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_MEASUREMENT_BLOCK or * DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN 
@@ -49,36 +56,48 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { */ public DeviceSecurityEventData2(final byte[] dsedBytes) { - dsedHeader2 = new DeviceSecurityEventDataHeader2(dsedBytes); - setDeviceType(dsedHeader2.getDeviceType()); - int dsedHeaderLength = dsedHeader2.getDsedHeaderLength(); - int subHeaderType = dsedHeader2.getSubHeaderType(); - int subHeaderLength = dsedHeader2.getSubHeaderLength(); + try { + dsedHeader2 = new DeviceSecurityEventDataHeader2(dsedBytes); + headerInfo = dsedHeader2.toString(); - subHeaderInfo = "\nSub header type: " + subHeaderType; + setDeviceType(dsedHeader2.getDeviceType()); + int dsedHeaderLength = dsedHeader2.getDsedHeaderLength(); + int subHeaderType = dsedHeader2.getSubHeaderType(); + int subHeaderLength = dsedHeader2.getSubHeaderLength(); - byte[] dsedSubHeaderBytes = new byte[subHeaderLength]; - System.arraycopy(dsedBytes, dsedHeaderLength, dsedSubHeaderBytes, 0, subHeaderLength); + subHeaderInfo = "\nSub header type: " + subHeaderType; - if (subHeaderType == SUBHEADERTYPE_MEAS_BLOCK) { - dsedSubHeader = new DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock(dsedSubHeaderBytes); - subHeaderInfo += dsedSubHeader.toString(); + byte[] dsedSubHeaderBytes = new byte[subHeaderLength]; + System.arraycopy(dsedBytes, dsedHeaderLength, dsedSubHeaderBytes, 0, subHeaderLength); + + if (subHeaderType == SUBHEADERTYPE_MEAS_BLOCK) { + try { + dsedSubHeader = new DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock(dsedSubHeaderBytes); + subHeaderInfo += dsedSubHeader.toString(); + } + catch(NullPointerException e) { + subHeaderInfo = " Could not interpret Sub header info"; + } + } + else if (subHeaderType == SUBHEADERTYPE_CERT_CHAIN) { + // dsedSubHeader = new DeviceSecurityEventDataSubHeaderCertChain(); + subHeaderInfo += " Cert chain to be implemented "; + } + else { + subHeaderInfo += " Sub header type unknown"; + } + + int dsedDevContextStartByte = dsedHeaderLength + subHeaderLength; + int 
dsedDevContextLength = dsedBytes.length - dsedDevContextStartByte; + byte[] dsedDevContextBytes = new byte[dsedDevContextLength]; + System.arraycopy(dsedBytes, dsedDevContextStartByte, dsedDevContextBytes, 0, + dsedDevContextLength); + + instantiateDeviceContext(dsedDevContextBytes); } - else if (subHeaderType == SUBHEADERTYPE_CERT_CHAIN) { - // dsedSubHeader = new DeviceSecurityEventDataSubHeaderCertChain(); - subHeaderInfo += " Cert chain to be implemented "; + catch(NullPointerException e) { + headerInfo = " Could not interpret Header info"; } - else { - subHeaderInfo += "Sub header type unknown"; - } - - int dsedDevContextStartByte = dsedHeaderLength + subHeaderLength; - int dsedDevContextLength = dsedBytes.length - dsedDevContextStartByte; - byte[] dsedDevContextBytes = new byte[dsedDevContextLength]; - System.arraycopy(dsedBytes, dsedDevContextStartByte, dsedDevContextBytes, 0, - dsedDevContextLength); - - instantiateDeviceContext(dsedDevContextBytes); } /** @@ -88,8 +107,8 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { */ public String toString() { String dsedInfo = ""; - dsedInfo += dsedHeader2.toString(); - dsedInfo += dsedSubHeader.toString(); + dsedInfo += headerInfo; + dsedInfo += subHeaderInfo; dsedInfo += getDeviceContextInfo(); return dsedInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java index bc4218e9..dc572e3b 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java 
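Review bot: `subHeaderLength` and `dsedHeaderLength` are both read from the event data and used unchecked for `new byte[subHeaderLength]` and the `System.arraycopy` into it: a value larger than the remaining bytes throws `ArrayIndexOutOfBoundsException`, a negative value throws `NegativeArraySizeException`, and a very large value attempts a huge allocation — none of which the `catch (NullPointerException e)` handles, so a crafted DEVICE_SECURITY_EVENT_DATA2 record can still abort parsing of the whole log. Validate before allocating: `if (subHeaderLength < 0 || (long) dsedHeaderLength + subHeaderLength > dsedBytes.length) { subHeaderInfo += " Sub header length exceeds event data"; return; }` (the `long` cast keeps the int sum from wrapping negative and slipping past the check). The same check is needed for `dsedDevContextLength` derived just below it. The outer catch also sets `headerInfo` to "Could not interpret Header info" even when the failure occurred in the sub-header or device-context parsing, which misreports the failing stage.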
@@ -5,6 +5,7 @@ import hirs.utils.tpm.eventlog.spdm.SpdmHa; import hirs.utils.tpm.eventlog.spdm.SpdmMeasurementBlock; import hirs.utils.tpm.eventlog.uefi.UefiConstants; import lombok.Getter; +import org.apache.commons.lang3.ObjectUtils; import java.io.ByteArrayInputStream; import java.io.IOException; @@ -48,6 +49,12 @@ public class DeviceSecurityEventDataHeader extends DeviceSecurityEventHeader { */ private SpdmMeasurementBlock spdmMeasurementBlock = null; + /** + * Human-readable description of the data within the + * SpdmMeasurementBlock. + */ + private String spdmMeasurementBlockInfo = ""; + /** * DeviceSecurityEventDataHeader Constructor. * @@ -83,7 +90,13 @@ public class DeviceSecurityEventDataHeader extends DeviceSecurityEventHeader { ByteArrayInputStream spdmMeasurementBlockData = new ByteArrayInputStream(spdmMeasBlockBytes); - spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockData); + try { + spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockData); + spdmMeasurementBlockInfo = spdmMeasurementBlock.toString(); + } + catch(NullPointerException e) { + spdmMeasurementBlockInfo = "Could not interpret SPDM Measurement Block info"; + } int devPathLenStartByte = 28 + sizeOfSpdmMeasBlock; extractDevicePathAndFinalSize(dsedBytes, devPathLenStartByte); @@ -101,7 +114,7 @@ public class DeviceSecurityEventDataHeader extends DeviceSecurityEventHeader { String spdmHashAlgoStr = SpdmHa.tcgAlgIdToString(spdmHashAlgo); dsedHeaderInfo += "\n SPDM Hash Algorithm = " + spdmHashAlgoStr; dsedHeaderInfo += "\n SPDM Measurement Block:"; - dsedHeaderInfo += spdmMeasurementBlock.toString(); + dsedHeaderInfo += spdmMeasurementBlockInfo; return dsedHeaderInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java index f686e560..28b42cdc 100644 
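Review bot: `import org.apache.commons.lang3.ObjectUtils;` is added but nothing in this commit's hunks of DeviceSecurityEventDataHeader references it; if the rest of the file does not use it either, remove the import (an unused import would also fail checkstyle if the build enforces it).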
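Review bot: The `catch (NullPointerException e)` around `new SpdmMeasurementBlock(spdmMeasurementBlockData)` discards `e` and assumes NPE is the failure mode, but a measurement block truncated by a malformed event record would more plausibly fail from reading past the end of the `ByteArrayInputStream` (the constructor is not in this hunk, so confirm which exception it raises) and still propagate. Catch the exception type the constructor actually throws and record it, e.g. `log.debug("SPDM measurement block unparsable", e);` if the class has a logger, so a crafted record is diagnosable rather than silently summarised. The enclosing constructor starts outside the hunk.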
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java @@ -38,10 +38,10 @@ public class EvEfiSpdmDeviceSecurityEvent { /** * Signature (text) data. */ - private String signature = ""; + private String dsedSignature = ""; /** - * Human readable description of the data within this DEVICE_SECURITY_EVENT_DATA/..DATA2 event. + * Human-readable description of the data within this DEVICE_SECURITY_EVENT_DATA/..DATA2 event. */ String spdmInfo = ""; 
@@ -49,49 +49,48 @@ public class EvEfiSpdmDeviceSecurityEvent { * EvEfiSpdmFirmwareBlob constructor. * * @param eventData byte array holding the event to process. - * @throws java.io.UnsupportedEncodingException if input fails to parse. */ public EvEfiSpdmDeviceSecurityEvent(final byte[] eventData) { - byte[] signatureBytes = new byte[UefiConstants.SIZE_16]; - System.arraycopy(eventData, 0, signatureBytes, 0, UefiConstants.SIZE_16); - signature = new String(signatureBytes, StandardCharsets.UTF_8); - signature = signature.replaceAll("[^\\P{C}\t\r\n]", ""); // remove null characters + byte[] dsedSignatureBytes = new byte[UefiConstants.SIZE_16]; + System.arraycopy(eventData, 0, dsedSignatureBytes, 0, UefiConstants.SIZE_16); + dsedSignature = new String(dsedSignatureBytes, StandardCharsets.UTF_8); + dsedSignature = dsedSignature.replaceAll("[^\\P{C}\t\r\n]", ""); // remove null characters - byte[] versionBytes = new byte[UefiConstants.SIZE_2]; - System.arraycopy(eventData, UefiConstants.OFFSET_16, versionBytes, 0, + byte[] dsedVersionBytes = new byte[UefiConstants.SIZE_2]; + System.arraycopy(eventData, UefiConstants.OFFSET_16, dsedVersionBytes, 0, UefiConstants.SIZE_2); - String version = HexUtils.byteArrayToHexString(versionBytes); - if (version == "") { - version = "version not readable"; + String dsedVersion = HexUtils.byteArrayToHexString(dsedVersionBytes); + if (dsedVersion == "") { + dsedVersion = "version not readable"; } - if (signature.contains("SPDM Device Sec2")) { + if (dsedSignature.contains("SPDM Device Sec2")) { spdmInfo = " Signature = SPDM Device Sec2"; - if (version.equals("0200")) { + if (dsedVersion.equals("0200")) { dsed = new DeviceSecurityEventData2(eventData); spdmInfo += dsed.toString(); } else { - spdmInfo += " Incompatible version for DeviceSecurityEventData2: " + version; + spdmInfo += " Incompatible version for DeviceSecurityEventData2: " + dsedVersion; } } - else if (signature.contains("SPDM Device Sec")) { // implies Device Security event 
+ else if (dsedSignature.contains("SPDM Device Sec")) { // implies Device Security event spdmInfo = " Signature = SPDM Device Sec"; - if (version.equals("0100")) { + if (dsedVersion.equals("0100")) { dsed = new DeviceSecurityEventData(eventData); spdmInfo += dsed.toString(); } else { - spdmInfo += " Incompatible version for DeviceSecurityEventData: " + version; + spdmInfo += " Incompatible version for DeviceSecurityEventData: " + dsedVersion; } } else { - spdmInfo = " Signature = Undetermined value: " + signature; + spdmInfo = " Signature = Undetermined value: " + dsedSignature; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java index 3da56ae0..7e01edbc 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java @@ -7,12 +7,15 @@ import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** - * Class to process the EV_NO_ACTION event using a structure of TCG_EfiSpecIDEvent. + * Class to process the EV_NO_ACTION event. * The first 16 bytes of the event data MUST be a String based identifier (Signature). - * The only currently defined Signature is "Spec ID Event03" - * which implies the data is a TCG_EfiSpecIDEvent. - * TCG_EfiSpecIDEvent is the first event in a TPM Event Log and is used to determine - * if the format of the Log (SHA1 vs Crypto Agile). + * The only currently defined Signatures are + * 1) "Spec ID Event03" + * - implies the data is a TCG_EfiSpecIDEvent + * - TCG_EfiSpecIDEvent is the first event in a TPM Event Log and is used to determine + * if the format of the Log (SHA1 vs Crypto Agile). + * 2) "NvIndexInstance" + * - implies the data is a NV_INDEX_INSTANCE_EVENT_LOG_DATA *
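Review bot: `if (dsedVersion == "")` compares references, not contents, so the "version not readable" fallback can never fire for a string freshly returned by `HexUtils.byteArrayToHexString`; the rename kept the pre-existing `==` and it should read `if (dsedVersion.isEmpty())`. The two `System.arraycopy` calls also assume `eventData` holds at least `OFFSET_16 + SIZE_2` bytes (18 if the constants match their names), and a truncated entry in the untrusted TPM event log throws `ArrayIndexOutOfBoundsException` out of the constructor instead of producing a description; guard before the copies with `if (eventData.length < UefiConstants.OFFSET_16 + UefiConstants.SIZE_2) { spdmInfo = " Event data too short for a DEVICE_SECURITY_EVENT_DATA header"; return; }`. The `contains("SPDM Device Sec")` branch only works because the `Sec2` check runs first; a one-line comment, `// order matters: "SPDM Device Sec2" also contains "SPDM Device Sec"`, would protect that ordering from a future reshuffle.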

* Notes: * 1. First 16 bytes of the structure is an ASCII with a fixed Length of 16 @@ -28,11 +31,20 @@ public class EvNoAction { * True of the event is a SpecIDEvent. */ private boolean bSpecIDEvent = false; + /** + * True of the event is a NvIndexInstance. + */ + private boolean bNvIndexInstance = false; /** * EvEfiSpecIdEvent Object. */ @Getter private EvEfiSpecIdEvent specIDEvent = null; + /** + * NvIndexInstanceEvent Object. + */ + @Getter + private NvIndexInstanceEventLogData nvIndexInstanceEvent = null; /** * EvNoAction constructor. @@ -49,7 +61,8 @@ public class EvNoAction { specIDEvent = new EvEfiSpecIdEvent(eventData); bSpecIDEvent = true; } else if (signature.contains("NvIndexInstance")) { - System.out.println("XXXX Nv Index Instance"); + nvIndexInstanceEvent = new NvIndexInstanceEventLogData(eventData); + bNvIndexInstance = true; } } 
@@ -68,21 +81,23 @@ public class EvNoAction { * @return Human readable description of this event. */ public String toString() { - String specInfo = ""; + String noActionInfo = ""; if (bSpecIDEvent) { - specInfo += " Signature = Spec ID Event03 : "; + noActionInfo += " Signature = Spec ID Event03 : "; if (specIDEvent.isCryptoAgile()) { - specInfo += "Log format is Crypto Agile\n"; + noActionInfo += "Log format is Crypto Agile\n"; } else { - specInfo += "Log format is SHA 1 (NOT Crypto Agile)\n"; + noActionInfo += "Log format is SHA 1 (NOT Crypto Agile)\n"; } - specInfo += " Platform Profile Specification version = " + noActionInfo += " Platform Profile Specification version = " + specIDEvent.getVersionMajor() + "." + specIDEvent.getVersionMinor() + " using errata version " + specIDEvent.getErrata(); + } else if (bNvIndexInstance) { + noActionInfo = nvIndexInstanceEvent.toString(); } else { - specInfo = "EV_NO_ACTION event named " + signature + noActionInfo = "EV_NO_ACTION event named " + signature + " encountered but support for processing it has not been added to this application.\n"; } - return specInfo; + return noActionInfo; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java index 295fb119..4bd4c59b 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java 
@@ -1,47 +1,113 @@ package hirs.utils.tpm.eventlog.events; +import hirs.utils.HexUtils; +import hirs.utils.tpm.eventlog.uefi.UefiConstants; + +import java.nio.charset.StandardCharsets; + /** * Class to process the NV_INDEX_INSTANCE_EVENT_LOG_DATA per PFP. - * The first 16 bytes of the event data header are a String based identifier (Signature), - * NUL-terminated, per PFP. The only currently defined Signature is "SPDM Device Sec", - * which implies the data is a DEVICE_SECURITY_EVENT_DATA or ..DATA2. + * Per PFP, the first 16 bytes of the structure are a String based identifier (Signature), + * which are a NULL-terminated ASCII string "NvIndexInstance". * * HEADERS defined by PFP v1.06 Rev 52. * Certain fields are common to both ..HEADER and ..HEADER2, and are noted below the structures. *

- * typedef struct tdDEVICE_SECURITY_EVENT_DATA_HEADER { - * UINT8 Signature[16]; + * typedef struct tdNV_INDEX_INSTANCE_EVENT_LOG_DATA { + * BYTE Signature[16]; * UINT16 Version; - * UINT16 Length; - * UINT32 SpdmHashAlg; - * UINT32 DeviceType; - * SPDM_MEASUREMENT_BLOCK SpdmMeasurementBlock; - * UINT64 DevicePathLength; - * UNIT8 DevicePath[DevicePathLength] - * } DEVICE_SECURITY_EVENT_DATA_HEADER; - *

- * typedef struct tdDEVICE_SECURITY_EVENT_DATA_HEADER2 { - NOT IMPLEMENTED YET - * UINT8 Signature[16]; - * UINT16 Version; - * UINT8 AuthState; - * UINT8 Reserved; - * UINT32 Length; - * UINT32 DeviceType; - * UINT32 SubHeaderType; - * UINT32 SubHeaderLength; - * UINT32 SubHeaderUID; - * UINT64 DevicePathLength; - * UNIT8 DevicePath[DevicePathLength] - * } DEVICE_SECURITY_EVENT_DATA_HEADER2; - *

- * Fields common to both ..HEADER and ..HEADER2: - * Signature - * Version - * DeviceType - * DevicePathLength - * DevicePath + * UINT8[6] Reserved; + * DEVICE_SECURITY_EVENT_DATA2 Data; + * } NV_INDEX_INSTANCE_EVENT_LOG_DATA; *

*/ public class NvIndexInstanceEventLogData { + + /** + * DeviceSecurityEventData2 Object. + */ +// private DeviceSecurityEventData2 dsed = null; + private DeviceSecurityEvent dsed = null; + + /** + * Signature (text) data. + */ + private String signature = ""; + + /** + * Version. + */ + private String version = ""; + + /** + * Human-readable description of the data within this DEVICE_SECURITY_EVENT_DATA/..DATA2 event. + */ + String nvIndexInstanceInfo = ""; + + /** + * NvIndexInstanceEventLogData constructor. + * + * @param eventData byte array holding the event to process. + */ + public NvIndexInstanceEventLogData(final byte[] eventData) { + + byte[] signatureBytes = new byte[16]; + System.arraycopy(eventData, 0, signatureBytes, 0, 16); + signature = new String(signatureBytes, StandardCharsets.UTF_8); + signature = signature.replaceAll("[^\\P{C}\t\r\n]", ""); // remove null characters + + byte[] versionBytes = new byte[2]; + System.arraycopy(eventData, 16, versionBytes, 0, 2); + String version = HexUtils.byteArrayToHexString(versionBytes); + if (version == "") { + version = "version not readable"; + } + + // 6 bytes of Reserved data + + byte[] dsedSignatureBytes = new byte[16]; + System.arraycopy(eventData, 24, dsedSignatureBytes, 0, 16); + String dsedSignature = new String(dsedSignatureBytes, StandardCharsets.UTF_8); + dsedSignature = dsedSignature.replaceAll("[^\\P{C}\t\r\n]", ""); // remove null characters + + byte[] dsedVersionBytes = new byte[2]; + System.arraycopy(eventData, 40, dsedVersionBytes, 0, 2); + String dsedVersion = HexUtils.byteArrayToHexString(dsedVersionBytes); + if (dsedVersion == "") { + dsedVersion = "version not readable"; + } + + if (dsedSignature.contains("SPDM Device Sec2")) { + + int dsedEventDataSize = eventData.length - 24; + byte[] dsedEventData = new byte[dsedEventDataSize]; + System.arraycopy(eventData, 24, dsedEventData, 0, dsedEventDataSize); + + nvIndexInstanceInfo = " Signature = SPDM Device Sec2"; + + if 
(dsedVersion.equals("0200")) { + // TODO this is throwing a nullPointerException + dsed = new DeviceSecurityEventData2(dsedEventData); + nvIndexInstanceInfo += dsed.toString(); + } + else { + nvIndexInstanceInfo += " Incompatible version for DeviceSecurityEventData2: " + + dsedVersion; + } + } + else { + nvIndexInstanceInfo = " Signature error: should be \'SPDM Device Sec2\' but is " + + signature; + } + } + + /** + * Returns a description of this event. + * + * @return Human-readable description of this event. + */ + public String toString() { + return nvIndexInstanceInfo; + } } From e41460573308bf411b6c591f25667c1503119180 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Tue, 9 Jul 2024 13:54:41 -0400 Subject: [PATCH 14/39] fixed check of class code list --- .../events/DeviceSecurityEventDataPciContext.java | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index 8684b60f..4f16a1e5 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java 
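Review bot: The signature-mismatch message at the end of the constructor prints the wrong variable: the branch tests `dsedSignature` but reports `+ signature`, so a bad nested header is described as `but is NvIndexInstance`; it should be `+ dsedSignature`. `String version = HexUtils.byteArrayToHexString(versionBytes);` declares a local that shadows the `version` field, leaving the field permanently empty, and both `version == ""` and `dsedVersion == ""` are reference comparisons that never match a freshly built string, so assign to the field and use `isEmpty()`. Every offset up to 42 is read with `System.arraycopy` and `dsedEventDataSize = eventData.length - 24` goes negative on a short event, so a truncated log entry ends in `ArrayIndexOutOfBoundsException` or `NegativeArraySizeException` rather than a description; a length guard at the top of the constructor is shown below. The commented-out `// private DeviceSecurityEventData2 dsed = null;` and the `// TODO this is throwing a nullPointerException` should be resolved or removed before merge, and the class Javadoc keeps a stale sentence about fields common to `..HEADER` and `..HEADER2` that no longer applies to this structure.
```java
public NvIndexInstanceEventLogData(final byte[] eventData) {
    // 16-byte signature + 2-byte version + 6 reserved bytes, then the nested
    // DEVICE_SECURITY_EVENT_DATA2 signature (16) and version (2): 42 bytes minimum.
    if (eventData == null || eventData.length < 42) {
        nvIndexInstanceInfo = " NV_INDEX_INSTANCE_EVENT_LOG_DATA is truncated ("
                + (eventData == null ? 0 : eventData.length) + " bytes)";
        return;
    }
    // … unchanged: signature / version / nested DSED signature extraction …
    if (dsedVersion.isEmpty()) {
        dsedVersion = "version not readable";
    }
    // … unchanged: DeviceSecurityEventData2 dispatch …
}
```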
@@ -120,10 +120,14 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe dSEDpciContextInfo += "\n RevisionID = " + revisionId; List classCodeList = translateDeviceClass(classCode); - dSEDpciContextInfo += "\n Device Class:"; - dSEDpciContextInfo += "\n Class = " + classCodeList.get(0); - dSEDpciContextInfo += "\n Subclass = " + classCodeList.get(1); - dSEDpciContextInfo += "\n Programming Interface = " + classCodeList.get(2); + dSEDpciContextInfo += "\n Device Class: "; + if(classCodeList.size() == 3) { + dSEDpciContextInfo += "\n Class = " + classCodeList.get(0); + dSEDpciContextInfo += "\n Subclass = " + classCodeList.get(1); + dSEDpciContextInfo += "\n Programming Interface = " + classCodeList.get(2); + } else { + dSEDpciContextInfo += " ** Class code could not be determined **"; + } dSEDpciContextInfo += "\n SubsystemVendor = " + translateVendor(subsystemVendorId); dSEDpciContextInfo += "\n Subsystem = " + translateDevice(subsystemVendorId, subsystemId); From 341b8b47796c0a90e65a623c72d1e416aea70e4e Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Thu, 11 Jul 2024 17:26:43 -0400 Subject: [PATCH 15/39] updating Device Path output --- .../tpm/eventlog/uefi/UefiBootOrder.java | 6 +-- .../tpm/eventlog/uefi/UefiBootVariable.java | 4 +- .../tpm/eventlog/uefi/UefiDevicePath.java | 39 +++++++++++++------ 3 files changed, 32 insertions(+), 17 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootOrder.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootOrder.java index 2a048a1c..c1defc00 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootOrder.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootOrder.java 
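Review bot: The `3` in `if(classCodeList.size() == 3)` encodes an undocumented contract of `translateDeviceClass` (class, subclass, programming interface), and `classCodeList` is declared as a raw `List` on the context line above, so each `get(i)` yields an `Object`; name the expectation, e.g. `private static final int CLASS_CODE_FIELDS = 3; // class, subclass, programming interface`, and type the list as `List<String>` if `translateDeviceClass` returns strings (its signature is not visible here). The fallback text is appended onto the same line as `"\n Device Class: "` while the success path starts each field on a new line; a short comment would make the asymmetric layout read as intentional. The enclosing method starts and ends outside this hunk.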
@@ -25,15 +25,15 @@ public class UefiBootOrder { } /** - * Provides a human readable Boot Order list on single line. + * Provides a human-readable Boot Order list on single line. * - * @return A human readable Boot Order + * @return A human-readable Boot Order */ public String toString() { StringBuilder orderList = new StringBuilder(); orderList.append("BootOrder = "); for (int i = 0; i < bootOrder.length; i++) { - orderList.append(String.format("Boot %04d", (int) bootOrder[i])); + orderList.append(String.format("Boot%04d ", (int) bootOrder[i])); } //orderList.append("\n"); return orderList.toString(); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootVariable.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootVariable.java index 15fb8d78..3b0c14f7 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootVariable.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootVariable.java @@ -23,7 +23,7 @@ import java.util.Arrays; */ public class UefiBootVariable { /** - * Human readable description of the variable. + * Human-readable description of the variable. */ private String description = ""; /** @@ -81,7 +81,7 @@ public class UefiBootVariable { * @return string that represents a UEFI boot variable. */ public String toString() { - StringBuilder bootInfo = new StringBuilder("Description = "); + StringBuilder bootInfo = new StringBuilder(" EFI Load Option = "); // remove all non ascii chars String bootVar = description.replaceAll("[^a-zA-Z_0-0\\s]", ""); bootInfo.append(bootVar + "\n" + efiDevPath.toString()); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java index bd647deb..4f5b3f5f 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java 
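Review bot: The context line directly under the changed header in `UefiBootVariable.toString()`, `description.replaceAll("[^a-zA-Z_0-0\\s]", "")`, uses the range `0-0`, so every digit except `0` is stripped from the load-option description along with all punctuation, and the comment above it ("remove all non ascii chars") no longer describes what it does; presumably `0-9` was intended, which would keep descriptions such as "UEFI OS 2" intact, though this is pre-existing and the author's intent is not visible here. Suggested line: `String bootVar = description.replaceAll("[^a-zA-Z_0-9\\s]", ""); // keep letters, digits, underscore and whitespace`. The method's end lies outside the hunk.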
@@ -7,8 +7,20 @@ import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** - * Class to process EFI_DEVICE_PATH_PROTOCOL which is referred to as the UEFI_DEVICE_PATH + * Class to process a Device Path. A Device Path is a variable-length binary + * structure that is made up of variable-length generic Device Path nodes. + * The first Device Path node starts at byte offset zero of the Device Path. + * The next Device Path node starts at the end of the previous Device Path node. + * There is no limit to the number, type, or sequence of nodes in a Device Path. *

+ * Generic Device Path Node Structure: + * Name Byte Offset Byte Length Description + * Type 0 1 Device path type (such as 0x01 - Hardware Device Path) + * Sub-Type 1 1 Sub-Type + * Length 2 2 Length of this structure in bytes. Length is 4+n bytes + * Data 4 n Specific Device Path data + *

+ * EFI_DEVICE_PATH_PROTOCOL: * #define EFI_DEVICE_PATH_PROTOCOL_GUID \09576e91-6d3f-11d2-8e39-00a0c969723b * typedef struct _EFI_DEVICE_PATH_PROTOCOL { * UINT8 Type; @@ -23,7 +35,7 @@ import java.nio.charset.StandardCharsets; * Type 0x04 Media Device Path * Type 0x05 BIOS Boot Specification Device Path * Type 0x7F End of Hardware Device Path - * Each Type has a sub-type that may or may no be defined in the section + * Each Type has a Subtype that may or may not be defined in the section *

* Only a few of the SubTypes have been implemented as there are many, * but only those that were reported using the test devices at hand. @@ -36,11 +48,11 @@ public class UefiDevicePath { @Getter private String type = ""; /** - * UEFI Device path sub-type. + * UEFI Device path subtype. */ private String subType = ""; /** - * UEFI Device path human readable description. + * UEFI Device path human-readable description. */ private String devPathInfo = ""; /** @@ -111,7 +123,7 @@ public class UefiDevicePath { * * @param path * @param offset - * @return human readable string representing the UEFI device path + * @return human-readable string representing the UEFI device path * @throws java.io.UnsupportedEncodingException */ private String processDev(final byte[] path, final int offset) @@ -181,12 +193,11 @@ public class UefiDevicePath { private String acpiSubType(final byte[] path, final int offset) { subType = ""; switch (path[offset + UefiConstants.OFFSET_1]) { - case 0x01: - subType = "(Short): "; + case 0x01: // standard version subType += acpiShortSubType(path, offset); break; case 0x02: - subType = "Expanded ACPI Device Path"; + subType = "(expanded version): "; break; default: subType = "Invalid ACPI Device Path sub type"; @@ -205,9 +216,13 @@ public class UefiDevicePath { subType = ""; byte[] hid = new byte[UefiConstants.SIZE_4]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, hid, 0, UefiConstants.SIZE_4); - subType += "_HID = " + HexUtils.byteArrayToHexString(hid); + subType += "\n _HID = " + HexUtils.byteArrayToHexString(hid); System.arraycopy(path, 2 * UefiConstants.SIZE_4 + offset, hid, 0, UefiConstants.SIZE_4); - subType += "_UID = " + HexUtils.byteArrayToHexString(hid); + String uid = HexUtils.byteArrayToHexString(hid); + if(uid.contains("00000000")) { + uid = "No _UID exists for this device"; + } + subType += "\n _UID = " + uid; return subType; } 
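Review bot: Rewriting a `_UID` of `00000000` as "No _UID exists for this device" is likely wrong: `_UID` 0 is a legitimate and common value (the first PCI root bridge, PNP0A03, normally carries `_UID` 0, which is what the textual `PciRoot(0x0)` denotes), so the output would claim the identifier is absent when it is simply zero; this is hedged, since the UEFI wording the author relied on is not visible here. Print the raw value, `subType += "\n _UID = " + uid;`, optionally annotated `// 0 may be a real _UID or indicate that none was assigned`; note also that `uid` is exactly 8 hex characters, so `contains("00000000")` is just an `equals` and reads as if it could match a substring. The method reuses the `hid` buffer for the `_UID` read and resets the shared `subType` field that the caller in the previous hunk then appends to, which only works because of Java's left-to-right evaluation of `subType += acpiShortSubType(...)`; a dedicated `uidBytes` array and a local result string would make this less fragile.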
@@ -219,9 +234,9 @@ public class UefiDevicePath { * @return pci device info. */ private String pciSubType(final byte[] path, final int offset) { - subType = "PCI: PCI Function Number = "; + subType = "\n PCI Function Number = "; subType += String.format("0x%x", path[offset + UefiConstants.SIZE_4]); - subType += " PCI Device Number = "; + subType += "\n PCI Device Number = "; subType += String.format("0x%x", path[offset + UefiConstants.SIZE_5]); return subType; } From 9e61b6e4d98803740c6611fd0c2994d60398284e Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Fri, 12 Jul 2024 16:55:44 -0400 Subject: [PATCH 16/39] updating output --- .../utils/tpm/eventlog/uefi/UefiDevicePath.java | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java index 4f5b3f5f..a7d02311 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java @@ -234,7 +234,8 @@ public class UefiDevicePath { * @return pci device info. */ private String pciSubType(final byte[] path, final int offset) { - subType = "\n PCI Function Number = "; + subType = "\n Hardware Device Path Type = PCI"; + subType += "\n PCI Function Number = "; subType += String.format("0x%x", path[offset + UefiConstants.SIZE_4]); subType += "\n PCI Device Number = "; subType += String.format("0x%x", path[offset + UefiConstants.SIZE_5]); @@ -242,7 +243,7 @@ public class UefiDevicePath { } /** - * processes the SATA sub type. + * processes the SATA subtype. * * @param path * @param offset @@ -261,7 +262,7 @@ public class UefiDevicePath { } /** - * Processes the hard drive sub type. + * Processes the hard drive subtype. * * @param path * @param offset 
@@ -306,7 +307,7 @@ public class UefiDevicePath { } /** - * Process the File path sub type. + * Process the File path subtype. * * @param path * @param offset @@ -326,7 +327,7 @@ public class UefiDevicePath { } /** - * Process a vendor sub-type on a Media Type. + * Process a vendor subtype on a Media Type. * Length of this structure in bytes. Length is 20 + n bytes * Vendor-assigned GUID that defines the data that follows. * Vendor-defined variable size data. @@ -352,7 +353,7 @@ public class UefiDevicePath { + offset, vendorData, 0, subTypeLength - UefiConstants.SIZE_16); subType += " : Vendor Data = " + HexUtils.byteArrayToHexString(vendorData); } else { - subType += " : No Vendor Data pesent"; + subType += " : No Vendor Data present"; } return subType; } From cbfe800659ff4e6a60fd668792e8061a4347c30e Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 15 Jul 2024 17:54:13 -0400 Subject: [PATCH 17/39] working on NoAction signatures --- .../utils/tpm/eventlog/events/EvNoAction.java | 79 +++++++++++++++---- 1 file changed, 63 insertions(+), 16 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java index 7e01edbc..2f557abf 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java @@ -1,5 +1,6 @@ package hirs.utils.tpm.eventlog.events; +import hirs.utils.HexUtils; import hirs.utils.tpm.eventlog.uefi.UefiConstants; import lombok.Getter; 
@@ -31,20 +32,22 @@ public class EvNoAction { * True of the event is a SpecIDEvent. */ private boolean bSpecIDEvent = false; +// /** +// * EvEfiSpecIdEvent Object. +// */ +// @Getter +// private EvEfiSpecIdEvent specIDEvent = null; +// /** +// * NvIndexInstanceEvent Object. +// */ +// @Getter +// private NvIndexInstanceEventLogData nvIndexInstanceEvent = null; + /** - * True of the event is a NvIndexInstance. - */ - private boolean bNvIndexInstance = false; - /** - * EvEfiSpecIdEvent Object. + * Human-readable description of the data within this DEVICE_SECURITY_EVENT_DATA/..DATA2 event. */ @Getter - private EvEfiSpecIdEvent specIDEvent = null; - /** - * NvIndexInstanceEvent Object. - */ - @Getter - private NvIndexInstanceEventLogData nvIndexInstanceEvent = null; + String noActionInfo = ""; /** * EvNoAction constructor. @@ -58,11 +61,16 @@ public class EvNoAction { signature = new String(signatureBytes, StandardCharsets.UTF_8); signature = signature.replaceAll("[^\\P{C}\t\r\n]", ""); // remove null characters if (signature.contains("Spec ID Event03")) { // implies CryptAgileFormat - specIDEvent = new EvEfiSpecIdEvent(eventData); + EvEfiSpecIdEvent specIDEvent = new EvEfiSpecIdEvent(eventData); + noActionInfo += specIDEventToString(specIDEvent).toString(); bSpecIDEvent = true; - } else if (signature.contains("NvIndexInstance")) { - nvIndexInstanceEvent = new NvIndexInstanceEventLogData(eventData); - bNvIndexInstance = true; + } else if (signature.contains("StartupLocality")) { + noActionInfo += " Signature = StartupLocality: "; + noActionInfo += "\n " + getLocality(eventData); + } + else if (signature.contains("NvIndexInstance")) { + NvIndexInstanceEventLogData nvIndexInstanceEvent = new NvIndexInstanceEventLogData(eventData); + noActionInfo += nvIndexInstanceEvent.toString(); } } 
@@ -75,10 +83,47 @@ public class EvNoAction { return bSpecIDEvent; } + public String specIDEventToString(EvEfiSpecIdEvent specIDEvent) { + + String specIdInfo = ""; + specIdInfo += " Signature = Spec ID Event03 : "; + if (specIDEvent.isCryptoAgile()) { + specIdInfo += "Log format is Crypto Agile\n"; + } else { + specIdInfo += "Log format is SHA 1 (NOT Crypto Agile)\n"; + } + specIdInfo += " Platform Profile Specification version = " + + specIDEvent.getVersionMajor() + "." + specIDEvent.getVersionMinor() + + " using errata version " + specIDEvent.getErrata(); + + return specIdInfo; + } + + private String getLocality(final byte[] eventData) { + byte[] localityBytes = new byte[1]; + System.arraycopy(eventData, 2, localityBytes, 0, 1); + int locality = HexUtils.leReverseInt(localityBytes); + + switch (locality) { + case 0: + noActionInfo += "Locality 0 without an H-CRTM sequence"; + break; + case 3: + noActionInfo += "Locality 3 without an H-CRTM sequence"; + break; + case 4: + noActionInfo += "Locality 4 with an H-CRTM sequence initialized"; + break; + default: + noActionInfo += "Startup Locality unknown"; + } + return noActionInfo; + } + /** * Returns a description of this event. * - * @return Human readable description of this event. + * @return Human-readable description of this event. */ public String toString() { String noActionInfo = ""; @@ -92,6 +137,8 @@ public class EvNoAction { noActionInfo += " Platform Profile Specification version = " + specIDEvent.getVersionMajor() + "." + specIDEvent.getVersionMinor() + " using errata version " + specIDEvent.getErrata(); + } else if (b) { + noActionInfo = nvIndexInstanceEvent.toString(); } else if (bNvIndexInstance) { noActionInfo = nvIndexInstanceEvent.toString(); } else { From e463c0cf76dc17d70da2ec617b2c2611a6623a9f Mon Sep 17 00:00:00 2001 
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Thu, 18 Jul 2024 10:01:58 -0400 Subject: [PATCH 18/39] fixing NoAction event --- .../hirs/utils/tpm/eventlog/TpmPcrEvent.java | 45 ++++++++++--------- .../utils/tpm/eventlog/events/EvNoAction.java | 45 +++++++++---------- 2 files changed, 46 insertions(+), 44 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java index 6226de2b..6a704724 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java @@ -6,7 +6,6 @@ import hirs.utils.tpm.eventlog.events.EvConstants; import hirs.utils.tpm.eventlog.events.EvEfiGptPartition; import hirs.utils.tpm.eventlog.events.EvEfiHandoffTable; import hirs.utils.tpm.eventlog.events.EvEfiSpdmDeviceSecurityEvent; -import hirs.utils.tpm.eventlog.events.EvEfiSpecIdEvent; import hirs.utils.tpm.eventlog.events.EvEventTag; import hirs.utils.tpm.eventlog.events.EvIPL; import hirs.utils.tpm.eventlog.events.EvNoAction; @@ -113,7 +112,6 @@ public class TpmPcrEvent { * Event hash for Crypto Agile events. */ private byte[] eventDataSha256hash; - private EvPostCode evPostCode; @Setter @Getter private int eventNumber; @Setter @Getter @@ -232,7 +230,7 @@ public class TpmPcrEvent { */ protected void setEventContent(final byte[] eventData) { eventContent = new byte[eventData.length]; - evPostCode = new EvPostCode(eventContent); + //EvPostCode evPostCode = new EvPostCode(eventContent); System.arraycopy(eventData, 0, eventContent, 0, eventData.length); } 
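Review bot: The commented-out `//EvPostCode evPostCode = new EvPostCode(eventContent);` left in `setEventContent` should be deleted, not parked: the statement it replaces built an `EvPostCode` from `eventContent` before `System.arraycopy` had filled it (an all-zero array), so removing it together with the `evPostCode` field in the earlier hunk is the right outcome and nothing needs to be preserved. With that gone the body reduces to `eventContent = eventData.clone();`, which is equivalent to the allocate-and-copy pair; both forms throw `NullPointerException` on a null `eventData`, unchanged from before.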
@@ -263,22 +261,25 @@ public class TpmPcrEvent { case EvConstants.EV_UNUSED: break; case EvConstants.EV_NO_ACTION: - EvNoAction noAction = null; - try { - noAction = new EvNoAction(eventContent); - sb.append(noAction.toString()); - if (noAction.isSpecIDEvent()) { - // this should be in the constructor - EvEfiSpecIdEvent specID = noAction.getSpecIDEvent(); - specVersion = String.format("%s.%s", - specID.getVersionMajor(), - specID.getVersionMinor()); - specErrataVersion = specID.getErrata(); - } - } catch (UnsupportedEncodingException ueEx) { - log.error(ueEx); - sb.append(ueEx.toString()); +// EvNoAction noAction = null; +// try { +// noAction = new EvNoAction(eventContent); + EvNoAction noAction = new EvNoAction(eventContent); + sb.append(noAction.toString()); + if (noAction.isSpecIDEvent()) { +// // this should be in the constructor +// EvEfiSpecIdEvent specID = noAction.getSpecIDEvent(); +// specVersion = String.format("%s.%s", +// specID.getVersionMajor(), +// specID.getVersionMinor()); +// specErrataVersion = specID.getErrata(); + specVersion = noAction.getSpecVersion(); + specErrataVersion = noAction.getSpecErrataVersion(); } +// } catch (UnsupportedEncodingException ueEx) { +// log.error(ueEx); +// sb.append(ueEx.toString()); +// } break; case EvConstants.EV_SEPARATOR: if (EvPostCode.isAscii(eventContent) 
@@ -458,9 +459,11 @@ public class TpmPcrEvent { EvNoAction noAction = new EvNoAction(content); description += "Event Content:\n" + noAction.toString(); if (noAction.isSpecIDEvent()) { - EvEfiSpecIdEvent specID = noAction.getSpecIDEvent(); - specVersion = specID.getVersionMajor() + "." + specID.getVersionMinor(); - specErrataVersion = specID.getErrata(); +// EvEfiSpecIdEvent specID = noAction.getSpecIDEvent(); +// specVersion = specID.getVersionMajor() + "." + specID.getVersionMinor(); +// specErrataVersion = specID.getErrata(); + specVersion = noAction.getSpecVersion(); + specErrataVersion = noAction.getSpecErrataVersion(); } break; case EvConstants.EV_SEPARATOR: diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java index 2f557abf..2e223bf7 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java @@ -32,6 +32,16 @@ public class EvNoAction { * True of the event is a SpecIDEvent. */ private boolean bSpecIDEvent = false; + /** + * TCG Event Log spec version. + */ + @Getter + private String specVersion = "Unknown"; + /** + * TCG Event Log errata version. + */ + @Getter + private String specErrataVersion = "Unknown"; // /** // * EvEfiSpecIdEvent Object. // */ @@ -55,7 +65,8 @@ public class EvNoAction { * @param eventData byte array holding the event to process. * @throws java.io.UnsupportedEncodingException if input fails to parse. */ - public EvNoAction(final byte[] eventData) throws UnsupportedEncodingException { +// public EvNoAction(final byte[] eventData) throws UnsupportedEncodingException { + public EvNoAction(final byte[] eventData) { byte[] signatureBytes = new byte[UefiConstants.SIZE_15]; System.arraycopy(eventData, 0, signatureBytes, 0, UefiConstants.SIZE_15); signature = new String(signatureBytes, StandardCharsets.UTF_8); 
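Review bot: The `EvNoAction` constructor no longer declares `throws UnsupportedEncodingException`, but the Javadoc line `* @throws java.io.UnsupportedEncodingException if input fails to parse.` on the context line above is kept and now documents an exception that cannot be thrown, and the old signature is left as a commented-out line `// public EvNoAction(final byte[] eventData) throws UnsupportedEncodingException {`; remove both. The `System.arraycopy(eventData, 0, signatureBytes, 0, UefiConstants.SIZE_15)` on the following context lines has no length check, so an EV_NO_ACTION entry shorter than 15 bytes throws `ArrayIndexOutOfBoundsException` from a constructor that the `TpmPcrEvent` hunk above now calls without any try block; a guard such as `if (eventData.length < UefiConstants.SIZE_15) { noActionInfo = "EV_NO_ACTION event data too short to hold a signature\n"; return; }` keeps the parser from aborting on a truncated log. The constructor's end lies outside this hunk.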
@@ -64,13 +75,20 @@ public class EvNoAction { EvEfiSpecIdEvent specIDEvent = new EvEfiSpecIdEvent(eventData); noActionInfo += specIDEventToString(specIDEvent).toString(); bSpecIDEvent = true; + specVersion = String.format("%s.%s", + specIDEvent.getVersionMajor(), + specIDEvent.getVersionMinor()); + specErrataVersion = specIDEvent.getErrata(); } else if (signature.contains("StartupLocality")) { noActionInfo += " Signature = StartupLocality: "; noActionInfo += "\n " + getLocality(eventData); - } - else if (signature.contains("NvIndexInstance")) { + } else if (signature.contains("NvIndexInstance")) { NvIndexInstanceEventLogData nvIndexInstanceEvent = new NvIndexInstanceEventLogData(eventData); noActionInfo += nvIndexInstanceEvent.toString(); + } else { + noActionInfo = "EV_NO_ACTION event named " + signature + + " encountered but support for processing it has not been" + + " added to this application.\n"; } } @@ -95,7 +113,7 @@ public class EvNoAction { specIdInfo += " Platform Profile Specification version = " + specIDEvent.getVersionMajor() + "." + specIDEvent.getVersionMinor() + " using errata version " + specIDEvent.getErrata(); - + return specIdInfo; } 
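Review bot: `noActionInfo += specIDEventToString(specIDEvent).toString();` on the context line at the top of this hunk calls `toString()` on a `String`; drop the call. `specIDEventToString` was introduced as `public` without Javadoc in the previous commit and is only used from this constructor, so make it `private` with a one-line doc, `/** Formats the Spec ID Event03 fields for the event description. */`, and the `@Getter String noActionInfo` field it feeds should be `private` like the other fields in the class. The new `else` branch assigns with `=` while the other branches append with `+=`; harmless while the field starts empty, but a comment would stop a later reader from treating it as a bug.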
@@ -126,25 +144,6 @@ public class EvNoAction { * @return Human-readable description of this event. */ public String toString() { - String noActionInfo = ""; - if (bSpecIDEvent) { - noActionInfo += " Signature = Spec ID Event03 : "; - if (specIDEvent.isCryptoAgile()) { - noActionInfo += "Log format is Crypto Agile\n"; - } else { - noActionInfo += "Log format is SHA 1 (NOT Crypto Agile)\n"; - } - noActionInfo += " Platform Profile Specification version = " - + specIDEvent.getVersionMajor() + "." + specIDEvent.getVersionMinor() - + " using errata version " + specIDEvent.getErrata(); - } else if (b) { - noActionInfo = nvIndexInstanceEvent.toString(); - } else if (bNvIndexInstance) { - noActionInfo = nvIndexInstanceEvent.toString(); - } else { - noActionInfo = "EV_NO_ACTION event named " + signature - + " encountered but support for processing it has not been added to this application.\n"; - } return noActionInfo; } } From 9054822347b7d543ea38aabebb0fd575d731d9d8 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Thu, 18 Jul 2024 10:16:52 -0400 Subject: [PATCH 19/39] fixing NoAction event --- .../utils/tpm/eventlog/events/EvNoAction.java | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java index 2e223bf7..815f5c75 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java 
@@ -80,8 +80,8 @@ public class EvNoAction { specIDEvent.getVersionMinor()); specErrataVersion = specIDEvent.getErrata(); } else if (signature.contains("StartupLocality")) { - noActionInfo += " Signature = StartupLocality: "; - noActionInfo += "\n " + getLocality(eventData); + noActionInfo += " Signature = StartupLocality"; + noActionInfo += "\n StartupLocality = " + getLocality(eventData); } else if (signature.contains("NvIndexInstance")) { NvIndexInstanceEventLogData nvIndexInstanceEvent = new NvIndexInstanceEventLogData(eventData); noActionInfo += nvIndexInstanceEvent.toString(); @@ -118,24 +118,25 @@ public class EvNoAction { } private String getLocality(final byte[] eventData) { + String localityInfo = ""; byte[] localityBytes = new byte[1]; - System.arraycopy(eventData, 2, localityBytes, 0, 1); + System.arraycopy(eventData, 16, localityBytes, 0, 1); int locality = HexUtils.leReverseInt(localityBytes); switch (locality) { case 0: - noActionInfo += "Locality 0 without an H-CRTM sequence"; + localityInfo += "Locality 0 without an H-CRTM sequence"; break; case 3: - noActionInfo += "Locality 3 without an H-CRTM sequence"; + localityInfo += "Locality 3 without an H-CRTM sequence"; break; case 4: - noActionInfo += "Locality 4 with an H-CRTM sequence initialized"; + localityInfo += "Locality 4 with an H-CRTM sequence initialized"; break; default: - noActionInfo += "Startup Locality unknown"; + localityInfo += "Unknown"; } - return noActionInfo; + return localityInfo; } /** From 181ca4993ef0ba4efc0f66bd4adba175fc7a4b81 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Thu, 18 Jul 2024 11:14:09 -0400 Subject: [PATCH 20/39] cleaned up NoAction event --- .../hirs/utils/tpm/eventlog/TpmPcrEvent.java | 16 ---------------- .../tpm/eventlog/events/EvSCrtmVersion.java | 2 +- 2 files changed, 1 insertion(+), 17 deletions(-) 
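Review bot: In getLocality the rewritten `System.arraycopy(eventData, 16, localityBytes, 0, 1)` reads a fixed offset with no check on `eventData.length`, so a truncated or malformed StartupLocality event throws ArrayIndexOutOfBoundsException out of the event-log parser instead of producing the new "Unknown" string that the `default` case was written for. A guard before the copy, `if (eventData.length <= 16) { return "Unknown"; }`, keeps a bad log entry from aborting the whole parse. The change of offset from 2 to 16 is not explained; a comment such as `// locality byte presumably follows the 16-byte signature field — confirm against the PFP StartupLocality layout` would record the reasoning for the next maintainer.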
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java index 6a704724..dd3c7590 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java @@ -261,25 +261,12 @@ public class TpmPcrEvent { case EvConstants.EV_UNUSED: break; case EvConstants.EV_NO_ACTION: -// EvNoAction noAction = null; -// try { -// noAction = new EvNoAction(eventContent); EvNoAction noAction = new EvNoAction(eventContent); sb.append(noAction.toString()); if (noAction.isSpecIDEvent()) { -// // this should be in the constructor -// EvEfiSpecIdEvent specID = noAction.getSpecIDEvent(); -// specVersion = String.format("%s.%s", -// specID.getVersionMajor(), -// specID.getVersionMinor()); -// specErrataVersion = specID.getErrata(); specVersion = noAction.getSpecVersion(); specErrataVersion = noAction.getSpecErrataVersion(); } -// } catch (UnsupportedEncodingException ueEx) { -// log.error(ueEx); -// sb.append(ueEx.toString()); -// } break; case EvConstants.EV_SEPARATOR: if (EvPostCode.isAscii(eventContent) @@ -459,9 +446,6 @@ public class TpmPcrEvent { EvNoAction noAction = new EvNoAction(content); description += "Event Content:\n" + noAction.toString(); if (noAction.isSpecIDEvent()) { -// EvEfiSpecIdEvent specID = noAction.getSpecIDEvent(); -// specVersion = specID.getVersionMajor() + "." + specID.getVersionMinor(); -// specErrataVersion = specID.getErrata(); specVersion = noAction.getSpecVersion(); specErrataVersion = noAction.getSpecErrataVersion(); } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvSCrtmVersion.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvSCrtmVersion.java index 948fd0f9..79b5cf54 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvSCrtmVersion.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvSCrtmVersion.java 
@@ -46,7 +46,7 @@ public class EvSCrtmVersion { } else if (EvPostCode.isAscii(data)) { description = new String(data, StandardCharsets.UTF_8); } else { - description = "Unknown Version format"; + description = " Unknown Version format"; } } return (description); From f1a22c7cc4d0a00dc0fb4f3ccffd62c72244f6bc Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Thu, 18 Jul 2024 11:15:54 -0400 Subject: [PATCH 21/39] cleaned up NoAction event --- .../hirs/utils/tpm/eventlog/events/EvNoAction.java | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java index 815f5c75..6334922e 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java @@ -4,7 +4,6 @@ import hirs.utils.HexUtils; import hirs.utils.tpm.eventlog.uefi.UefiConstants; import lombok.Getter; -import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** @@ -42,16 +41,6 @@ public class EvNoAction { */ @Getter private String specErrataVersion = "Unknown"; -// /** -// * EvEfiSpecIdEvent Object. -// */ -// @Getter -// private EvEfiSpecIdEvent specIDEvent = null; -// /** -// * NvIndexInstanceEvent Object. -// */ -// @Getter -// private NvIndexInstanceEventLogData nvIndexInstanceEvent = null; /** * Human-readable description of the data within this DEVICE_SECURITY_EVENT_DATA/..DATA2 event. 
@@ -65,7 +54,6 @@ public class EvNoAction { * @param eventData byte array holding the event to process. * @throws java.io.UnsupportedEncodingException if input fails to parse. */ -// public EvNoAction(final byte[] eventData) throws UnsupportedEncodingException { public EvNoAction(final byte[] eventData) { byte[] signatureBytes = new byte[UefiConstants.SIZE_15]; System.arraycopy(eventData, 0, signatureBytes, 0, UefiConstants.SIZE_15); From 602fd88e538696e23a50ff02a9db73664b4c6eb7 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Thu, 18 Jul 2024 17:37:10 -0400 Subject: [PATCH 22/39] working SPDM NvIndex and CertChain --- .../eventlog/events/DeviceSecurityEvent.java | 11 +-- .../events/DeviceSecurityEventData2.java | 31 +++--- .../DeviceSecurityEventDataDeviceContext.java | 13 +++ .../events/DeviceSecurityEventDataHeader.java | 3 - .../DeviceSecurityEventDataHeader2.java | 11 --- .../DeviceSecurityEventDataSubHeader.java | 28 ++++++ ...ceSecurityEventDataSubHeaderCertChain.java | 80 +++++++++++++++ ...ventDataSubHeaderSpdmMeasurementBlock.java | 3 +- .../events/DeviceSecurityEventHeader.java | 20 +--- .../tpm/eventlog/events/EvEfiSpecIdEvent.java | 1 - .../eventlog/spdm/SpdmCertificateChain.java | 98 +++++++++++++++++++ .../hirs/utils/tpm/eventlog/spdm/SpdmHa.java | 2 +- .../eventlog/spdm/SpdmMeasurementBlock.java | 2 +- 13 files changed, 245 insertions(+), 58 deletions(-) create mode 100644 HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java create mode 100644 HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java index 509525b9..c25e063c 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java 
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java @@ -1,13 +1,8 @@ package hirs.utils.tpm.eventlog.events; -import hirs.utils.tpm.eventlog.spdm.SpdmMeasurementBlock; import lombok.Getter; import lombok.Setter; -import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TYPE_NONE; -import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TYPE_PCI; -import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventHeader.DEVICE_TYPE_USB; - /** * Abstract base class to process the DEVICE_SECURITY_EVENT_DATA or ..DATA2 event. * Parses event data per PFP v1.06 Rev52 Tables 20 and 26. @@ -81,10 +76,10 @@ public abstract class DeviceSecurityEvent { */ public void instantiateDeviceContext(final byte[] dsedDeviceContextBytes) { - if (deviceType == DEVICE_TYPE_NONE) { + if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_NONE) { deviceContextInfo = "\n No Device Context (indicated by device type value of 0"; } - else if (deviceType == DEVICE_TYPE_PCI) { + else if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_PCI) { try { dsedDevContext = new DeviceSecurityEventDataPciContext(dsedDeviceContextBytes); @@ -94,7 +89,7 @@ public abstract class DeviceSecurityEvent { deviceContextInfo = " Could not interpret Device Context info"; } } - else if (deviceType == DEVICE_TYPE_USB) { + else if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_USB) { // dsedDevContext // = new DeviceSecurityEventDataUsbContext(dsedDeviceContextBytes); // deviceContextInfo = dsedDevContext.toString(); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java index 597b1ffd..c1c7320e 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java 
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java @@ -2,12 +2,6 @@ package hirs.utils.tpm.eventlog.events; import lombok.Getter; -import java.io.IOException; -import java.io.UnsupportedEncodingException; - -import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventDataHeader2.SUBHEADERTYPE_CERT_CHAIN; -import static hirs.utils.tpm.eventlog.events.DeviceSecurityEventDataHeader2.SUBHEADERTYPE_MEAS_BLOCK; - /** * Class to process DEVICE_SECURITY_EVENT_DATA2. * Parses event data per PFP v1.06 Rev52 Table 26. 
@@ -65,26 +59,35 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { int subHeaderType = dsedHeader2.getSubHeaderType(); int subHeaderLength = dsedHeader2.getSubHeaderLength(); - subHeaderInfo = "\nSub header type: " + subHeaderType; + subHeaderInfo = "\n Sub header type: " + + DeviceSecurityEventDataSubHeader.subheaderTypeToString(subHeaderType); byte[] dsedSubHeaderBytes = new byte[subHeaderLength]; System.arraycopy(dsedBytes, dsedHeaderLength, dsedSubHeaderBytes, 0, subHeaderLength); - if (subHeaderType == SUBHEADERTYPE_MEAS_BLOCK) { + if (subHeaderType == DeviceSecurityEventDataSubHeader.SUBHEADERTYPE_MEAS_BLOCK) { try { - dsedSubHeader = new DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock(dsedSubHeaderBytes); + dsedSubHeader = + new DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock(dsedSubHeaderBytes); subHeaderInfo += dsedSubHeader.toString(); } catch(NullPointerException e) { - subHeaderInfo = " Could not interpret Sub header info"; + subHeaderInfo = "\n Could not interpret Sub header info for SPDM measurment block"; } } - else if (subHeaderType == SUBHEADERTYPE_CERT_CHAIN) { - // dsedSubHeader = new DeviceSecurityEventDataSubHeaderCertChain(); - subHeaderInfo += " Cert chain to be implemented "; + else if (subHeaderType == DeviceSecurityEventDataSubHeader.SUBHEADERTYPE_CERT_CHAIN) { + subHeaderInfo += "\n Cert chain to be implemented "; + try { + dsedSubHeader = + new DeviceSecurityEventDataSubHeaderCertChain(dsedSubHeaderBytes); + subHeaderInfo += dsedSubHeader.toString(); + } + catch(NullPointerException e) { + subHeaderInfo = "\n Could not interpret Sub header info for SPDM measurement block"; + } } else { - subHeaderInfo += " Sub header type unknown"; + subHeaderInfo += "\n Sub header type unknown"; } int dsedDevContextStartByte = dsedHeaderLength + subHeaderLength; 
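Review bot: The SUBHEADERTYPE_CERT_CHAIN branch still appends `"\n Cert chain to be implemented "` even though it now constructs `DeviceSecurityEventDataSubHeaderCertChain`, and its catch message reads "Could not interpret Sub header info for SPDM measurement block", a copy of the measurement-block branch (which itself misspells "measurment"). Drop the "to be implemented" line and change the cert-chain catch to `subHeaderInfo = "\n Could not interpret Sub header info for SPDM cert chain";`. Separately, both branches catch only NullPointerException; the sub header constructors do raw `System.arraycopy` and `new byte[...]` on lengths derived from the event bytes, so a short `dsedSubHeaderBytes` would surface as ArrayIndexOutOfBoundsException or NegativeArraySizeException and bypass these handlers entirely — worth confirming what failure the catch is meant to cover. The enclosing method starts outside the hunk.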
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java index 0404884e..c773ce05 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java @@ -28,6 +28,19 @@ public abstract class DeviceSecurityEventDataDeviceContext { @Getter private int length = 0; + /** + * Device Security Event Data Device Type = no device type. + */ + public static final int DEVICE_TYPE_NONE = 0; + /** + * Device Security Event Data Device Type = DEVICE_TYPE_PCI. + */ + public static final int DEVICE_TYPE_PCI = 1; + /** + * Device Security Event Data Device Type = DEVICE_TYPE_USB. + */ + public static final int DEVICE_TYPE_USB = 2; + /** * DeviceSecurityEventDataDeviceContext Constructor. * diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java index dc572e3b..1a8838e2 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java @@ -5,11 +5,8 @@ import hirs.utils.tpm.eventlog.spdm.SpdmHa; import hirs.utils.tpm.eventlog.spdm.SpdmMeasurementBlock; import hirs.utils.tpm.eventlog.uefi.UefiConstants; import lombok.Getter; -import org.apache.commons.lang3.ObjectUtils; import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.UnsupportedEncodingException; /** * Class to process the DEVICE_SECURITY_EVENT_DATA_HEADER. 
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java index d09d7daa..3b0f6761 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java @@ -3,8 +3,6 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import lombok.Getter; -import java.io.UnsupportedEncodingException; - /** * Class to process the DEVICE_SECURITY_EVENT_DATA_HEADER2. * DEVICE_SECURITY_EVENT_DATA_HEADER2 contains the measurement(s) and hash algorithm identifier @@ -81,15 +79,6 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { * Auth state - device is not an SPDM-capable device */ public static final int AUTH_NO_SPDM = 0xFF; - /** - * Sub header type - SPDM measurement block - */ - public static final int SUBHEADERTYPE_MEAS_BLOCK = 0; - /** - * Sub header type - SPDM cert chain - */ - public static final int SUBHEADERTYPE_CERT_CHAIN = 1; - public DeviceSecurityEventDataHeader2(final byte[] dsedBytes) { diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java index 8c7b0764..2807a3b4 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java 
@@ -14,7 +14,35 @@ package hirs.utils.tpm.eventlog.events; */ public abstract class DeviceSecurityEventDataSubHeader { + /** + * Sub header type - SPDM measurement block + */ + public static final int SUBHEADERTYPE_MEAS_BLOCK = 0; + /** + * Sub header type - SPDM cert chain + */ + public static final int SUBHEADERTYPE_CERT_CHAIN = 1; + + public DeviceSecurityEventDataSubHeader() { } + + /** + * Returns the device type via a lookup. + * Lookup based upon section 10.2.7.2, Table 19, in the PFP 1.06 v52 spec. + * + * @param subheaderTypeInt int to convert to string + * @return name of the device type + */ + public static String subheaderTypeToString(final int subheaderTypeInt) { + switch (subheaderTypeInt) { + case SUBHEADERTYPE_MEAS_BLOCK: + return "SPDM Measurement Block"; + case SUBHEADERTYPE_CERT_CHAIN: + return "SPDM Cert Chain"; + default: + return "Unknown or invalid Subheader Type"; + } + } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java new file mode 100644 index 00000000..2c77e2bf --- /dev/null +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java @@ -0,0 +1,80 @@ +package hirs.utils.tpm.eventlog.events; + +import hirs.utils.HexUtils; +import hirs.utils.tpm.eventlog.spdm.SpdmMeasurementBlock; +import lombok.Getter; + +import java.io.ByteArrayInputStream; +import java.util.ArrayList; + +/** + * Class to process the DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN event per PFP. + * + *
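Review bot: The Javadoc on the new `subheaderTypeToString` was copied from the device-type lookup: it says "Returns the device type via a lookup" and "@return name of the device type" although the method maps sub header type values. Suggest `* Returns the sub header type name via a lookup.` and `* @return name of the sub header type`, and the `@param` text "int to convert to string" could name the value: `@param subheaderTypeInt sub header type value from DEVICE_SECURITY_EVENT_DATA_HEADER2`. The public no-arg constructor added on a single line has no Javadoc, unlike the rest of the class.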

+ * typedef union tdDEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN { + * UINT16 SpdmVersion; + * UINT8 SpdmSlotId; + * UINT8 Reserved; + * UINT32 SpdmBaseHashAlgo; + * SPDM_CERT_CHAIN SpdmCertChain; + * } DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN; + *

+ */ +public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEventDataSubHeader{ + + /** + * SPDM version. + */ + @Getter + private int spdmVersion = 0; + /** + * SPDM slot ID. + */ + @Getter + private int spdmLotId = 0; + /** + * SPDM base hash algorithm. + */ + @Getter + private int spdmBaseHashAlgo = -1; + + /** + * DeviceSecurityEventDataSubHeaderCertChain Constructor. + * + * @param dsedSubHBytes byte array holding the DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock. + */ + public DeviceSecurityEventDataSubHeaderCertChain(final byte[] dsedSubHBytes) { + + spdmMeasurementBlockList = new ArrayList<>(); + + byte[] spdmVersionBytes = new byte[2]; + System.arraycopy(dsedSubHBytes, 0, spdmVersionBytes, 0, 2); + spdmVersion = HexUtils.leReverseInt(spdmVersionBytes); + + byte[] spdmLotIdBytes = new byte[1]; + System.arraycopy(dsedSubHBytes, 2, spdmLotIdBytes, 0, 1); + spdmLotId = HexUtils.leReverseInt(spdmLotIdBytes); + + // byte[] reserved[Bytes]: 1 byte + + byte[] spdmBaseHashAlgoBytes = new byte[4]; + System.arraycopy(dsedSubHBytes, 4, spdmBaseHashAlgoBytes, 0, 4); + spdmBaseHashAlgo = HexUtils.leReverseInt(spdmBaseHashAlgoBytes); + + // get the size of the SPDM Cert Chain + int spdmCertChainSize = dsedSubHBytes.length - 8; + + // extract the bytes that comprise the SPDM Cert Chain + byte[] spdmCertChainBytes = new byte[spdmCertChainSize]; + System.arraycopy(dsedSubHBytes, 8, spdmCertChainBytes, 0, + spdmCertChainSize); + + ByteArrayInputStream spdmMeasurementBlockListData = + new ByteArrayInputStream(spdmMeasurementBlockListBytes); + while (spdmMeasurementBlockListData.available() > 0) { + SpdmMeasurementBlock spdmMeasurementBlock; + spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockListData); + spdmMeasurementBlockList.add(spdmMeasurementBlock); + } + } +} 
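Review bot: The constructor of the new DeviceSecurityEventDataSubHeaderCertChain references `spdmMeasurementBlockList` and `spdmMeasurementBlockListBytes`, neither of which is declared in this class, so the file as committed does not compile, and the `spdmCertChainBytes` it carefully extracts is never used. The size `int spdmCertChainSize = dsedSubHBytes.length - 8;` goes negative for a sub header shorter than eight bytes and then throws NegativeArraySizeException from `new byte[spdmCertChainSize]`, which the caller's NullPointerException catch does not cover; a length check before the arraycopies would make truncated events a reported parse failure rather than an unchecked exception. Naming is also off: the field `spdmLotId` holds the SpdmSlotId from the struct comment, and the constructor `@param` says the bytes hold a "DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock".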
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java index 21559967..9df680ac 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java @@ -6,7 +6,6 @@ import hirs.utils.tpm.eventlog.spdm.SpdmMeasurementBlock; import lombok.Getter; import java.io.ByteArrayInputStream; -import java.io.IOException; import java.util.ArrayList; import java.util.List; @@ -47,7 +46,7 @@ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends Device private List spdmMeasurementBlockList; /** - * DeviceSecurityEventDataHeader Constructor. + * DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock Constructor. * * @param dsedSubHBytes byte array holding the DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock. */ diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java index 5e60f607..894bd68a 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java 
@@ -89,20 +89,6 @@ public abstract class DeviceSecurityEventHeader { */ private boolean devicePathValid = false; - /** - * Device Security Event Data Device Type = no device type. - */ - public static final int DEVICE_TYPE_NONE = 0; - /** - * Device Security Event Data Device Type = DEVICE_TYPE_PCI. - */ - public static final int DEVICE_TYPE_PCI = 1; - /** - * Device Security Event Data Device Type = DEVICE_TYPE_USB. - */ - public static final int DEVICE_TYPE_USB = 2; - - /** * DeviceSecurityEventDataHeaderBase Default Constructor. */ @@ -187,11 +173,11 @@ public abstract class DeviceSecurityEventHeader { */ public String deviceTypeToString(final int deviceTypeInt) { switch (deviceTypeInt) { - case DEVICE_TYPE_NONE: + case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_NONE: return "No device type"; - case DEVICE_TYPE_PCI: + case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_PCI: return "PCI"; - case DEVICE_TYPE_USB: + case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_USB: return "USB"; default: return "Unknown or invalid Device Type"; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpecIdEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpecIdEvent.java index c082d16e..9dec023f 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpecIdEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpecIdEvent.java @@ -98,7 +98,6 @@ public class EvEfiSpecIdEvent { algList = new ArrayList<>(); byte[] signatureBytes = new byte[UefiConstants.SIZE_16]; System.arraycopy(efiSpecId, 0, signatureBytes, 0, UefiConstants.SIZE_16); - signature = HexUtils.byteArrayToHexString(signatureBytes); signature = new String(signatureBytes, StandardCharsets.UTF_8) .substring(0, UefiConstants.SIZE_15); 
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java new file mode 100644 index 00000000..5a876a0a --- /dev/null +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java @@ -0,0 +1,98 @@ +package hirs.utils.tpm.eventlog.spdm; + +import hirs.utils.HexUtils; +import lombok.Getter; + +import java.io.ByteArrayInputStream; +import java.io.IOException; + +/** + * Class to process the SpdmCertificateChain. + *

+ * Certificate chain format, defined by SPDM v1.03, Sect 10.6.1, Table 33: + * Certificate chain format { + * Length 1 byte; + * Reserved 2 bytes; + * RootHash bytes; + * Certificates - (4 + ) bytes; + * } + *

+ * Length: total length of cert chain including all fields in this block + * H: the output size of the hash algorithm selected by the most recent ALGORITHMS response + * this field shall be in hash byte order + * hash algorithm is included in the DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN + * structure as the member "SpdmBaseHashAlg" + * RootHash: the digest of the Root Certificate. + * Certificates: Complete cert chain consisting of 1 or more ASN.1 DER-encoded X.509 v3 certs + * this field shall be in Encoded ASN.1 byte order + */ +public class SpdmCertificateChain { + + /** + * Length of the certificate chain to include all fields in this structure. + */ + @Getter + private int length = 0; + /** + * Root hash. + */ + private byte[] rootHash = null; + /** + * Certificates. + */ +// private SpdmMeasurement spdmMeasurement; + /** + * Error reading SPDM Cert Chain. + */ + private boolean spdmCertificateChainReadError = false; + + /** + * SpdmMeasurementBlock Constructor. + * + * @param spdmMeasBlocks byte array holding the SPDM Measurement Block bytes. 
+ */ + public SpdmCertificateChain(final ByteArrayInputStream spdmMeasBlocks) { + + try { + byte[] indexBytes = new byte[1]; + spdmMeasBlocks.read(indexBytes); + index = HexUtils.leReverseInt(indexBytes); + + byte[] measurementSpecBytes = new byte[1]; + spdmMeasBlocks.read(measurementSpecBytes); + measurementSpec = HexUtils.leReverseInt(measurementSpecBytes); + + // in future, can crosscheck this measurement size with the MeasurementSpec hash alg size + byte[] measurementSizeBytes = new byte[2]; + spdmMeasBlocks.read(measurementSizeBytes); + int measurementSize = HexUtils.leReverseInt(measurementSizeBytes); + + byte[] measurementBytes = new byte[measurementSize]; + spdmMeasBlocks.read(measurementBytes); + spdmMeasurement = new SpdmMeasurement(measurementBytes); + } catch (IOException ioEx) { + spdmMeasurementBlockReadError = true; + } + } + + /** + * Returns a human-readable description of the data within this structure. + * + * @return a description of this structure. + */ + public String toString() { + +// String spdmMeasBlockInfo = ""; +// +// if(spdmMeasurementBlockReadError) { +// spdmMeasBlockInfo += "\n Error reading SPDM Measurement Block"; +// } +// else { +// spdmMeasBlockInfo += "\n Index = " + index; +// spdmMeasBlockInfo += "\n MeasurementSpec = " + measurementSpec; +// spdmMeasBlockInfo += spdmMeasurement.toString(); +// } +// +// return spdmMeasBlockInfo; +// } +} diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java index cf49aae4..c619ba92 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java @@ -41,7 +41,7 @@ public class SpdmHa { /** * Returns the hash name via a lookup. - * Lookup based upon section 10.4 for the SPDM v1.03 document. + * Lookup based upon SPDM Spec v1.03 section 10.4. * * @param algId int to convert to string * @return name of the algorithm 
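Review bot: The new SpdmCertificateChain does not compile as committed: its constructor is the SpdmMeasurementBlock body with `index`, `measurementSpec`, `spdmMeasurement` and `spdmMeasurementBlockReadError` left in, none of which this class declares, and `toString` has its entire body commented out including its closing `// }`, so the method has no return statement and the file's final `}` closes `toString` rather than the class. If the intent is to land the skeleton first, the class Javadoc fields (`length`, `rootHash`, `spdmCertificateChainReadError`) are enough; give the constructor and `toString` minimal bodies, e.g. `return "";`, so the module builds. The constructor Javadoc also still says "SpdmMeasurementBlock Constructor" with a `@param spdmMeasBlocks` description that does not match a certificate chain.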
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java index a9159bd5..12724125 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java @@ -83,7 +83,7 @@ public class SpdmMeasurementBlock { /** * Returns a human-readable description of the data within this structure. * - * @return a description of this structure.. + * @return a description of this structure. */ public String toString() { From 0266b5293ed82ef6bf7eceb7cb1fbd8fce7a8d7d Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Fri, 19 Jul 2024 18:18:06 -0400 Subject: [PATCH 23/39] parsing SPDM cert chain --- ...ceSecurityEventDataSubHeaderCertChain.java | 16 ++- .../eventlog/spdm/SpdmCertificateChain.java | 105 ++++++++++++------ 2 files changed, 80 insertions(+), 41 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java index 2c77e2bf..45c9e722 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java @@ -45,8 +45,6 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve */ public DeviceSecurityEventDataSubHeaderCertChain(final byte[] dsedSubHBytes) { - spdmMeasurementBlockList = new ArrayList<>(); - byte[] spdmVersionBytes = new byte[2]; System.arraycopy(dsedSubHBytes, 0, spdmVersionBytes, 0, 2); spdmVersion = HexUtils.leReverseInt(spdmVersionBytes); 
@@ -69,12 +67,12 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve System.arraycopy(dsedSubHBytes, 8, spdmCertChainBytes, 0, spdmCertChainSize); - ByteArrayInputStream spdmMeasurementBlockListData = - new ByteArrayInputStream(spdmMeasurementBlockListBytes); - while (spdmMeasurementBlockListData.available() > 0) { - SpdmMeasurementBlock spdmMeasurementBlock; - spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockListData); - spdmMeasurementBlockList.add(spdmMeasurementBlock); - } +// ByteArrayInputStream spdmMeasurementBlockListData = +// new ByteArrayInputStream(spdmMeasurementBlockListBytes); +// while (spdmMeasurementBlockListData.available() > 0) { +// SpdmMeasurementBlock spdmMeasurementBlock; +// spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockListData); +// spdmMeasurementBlockList.add(spdmMeasurementBlock); +// } } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java index 5a876a0a..ad6fb351 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java @@ -1,17 +1,25 @@ package hirs.utils.tpm.eventlog.spdm; import hirs.utils.HexUtils; +import hirs.utils.tpm.eventlog.uefi.UefiConstants; +import hirs.utils.tpm.eventlog.uefi.UefiSignatureData; +import hirs.utils.tpm.eventlog.uefi.UefiX509Cert; import lombok.Getter; import java.io.ByteArrayInputStream; import java.io.IOException; +import java.math.BigInteger; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; /** * Class to process the SpdmCertificateChain. *
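Review bot: The measurement-block loop is commented out rather than deleted, leaving a block of dead `//` code in the cert-chain constructor; it also referenced names this class never declared, so nothing is lost by removing it. With the loop gone, `spdmCertChainSize` and `spdmCertChainBytes` (computed just above the hunk) are now unused; either pass `spdmCertChainBytes` to the `SpdmCertificateChain(byte[], int)` constructor this commit introduces, together with the root-hash length implied by `spdmBaseHashAlgo`, or drop the extraction until it is wired up.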

* Certificate chain format, defined by SPDM v1.03, Sect 10.6.1, Table 33: * Certificate chain format { - * Length 1 byte; + * Length 2 bytes; * Reserved 2 bytes; * RootHash bytes; * Certificates - (4 + ) bytes; 
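Review bot: Two of the imports added in this hunk look unused: `hirs.utils.tpm.eventlog.uefi.UefiSignatureData` is not referenced in any visible line, and `java.security.cert.X509Certificate` appears only in the commented-out `// cert = new X509Certificate(certBlob);` in the following hunk; the rest of the file is outside my view, so confirm before removing. The Javadoc block now correctly states `Length 2 bytes;`, but the `RootHash bytes;` and `Certificates - (4 + ) bytes;` lines lost their size placeholders (presumably `H` and `L`) when the `<pre>` markup was flattened, so the struct comment no longer matches the "H:" explanation below it.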
@@ -31,47 +39,80 @@ public class SpdmCertificateChain { /** * Length of the certificate chain to include all fields in this structure. */ - @Getter private int length = 0; /** * Root hash. */ private byte[] rootHash = null; - /** - * Certificates. - */ -// private SpdmMeasurement spdmMeasurement; - /** - * Error reading SPDM Cert Chain. - */ - private boolean spdmCertificateChainReadError = false; /** - * SpdmMeasurementBlock Constructor. + * Number of certs in the SPDM cert chain. + */ + @Getter + private int numberOfCerts = 0; + /** + * Array List of certs found in the chain. + */ +// private ArrayList certList = new ArrayList(); + private ArrayList certList = new ArrayList(); + + /** + * SpdmCertificateChain Constructor. * - * @param spdmMeasBlocks byte array holding the SPDM Measurement Block bytes. + * @param spdmCertChainBytes byte array holding the SPDM Cert Chain bytes. */ - public SpdmCertificateChain(final ByteArrayInputStream spdmMeasBlocks) { + public SpdmCertificateChain(final byte[] spdmCertChainBytes, final int rootHashLength) throws CertificateException, NoSuchAlgorithmException, IOException { - try { - byte[] indexBytes = new byte[1]; - spdmMeasBlocks.read(indexBytes); - index = HexUtils.leReverseInt(indexBytes); + byte[] lengthBytes = new byte[2]; + System.arraycopy(spdmCertChainBytes, 0, lengthBytes, 0, 2); + length = HexUtils.leReverseInt(lengthBytes); - byte[] measurementSpecBytes = new byte[1]; - spdmMeasBlocks.read(measurementSpecBytes); - measurementSpec = HexUtils.leReverseInt(measurementSpecBytes); + // Reserved: 2 bytes - // in future, can crosscheck this measurement size with the MeasurementSpec hash alg size - byte[] measurementSizeBytes = new byte[2]; - spdmMeasBlocks.read(measurementSizeBytes); - int measurementSize = HexUtils.leReverseInt(measurementSizeBytes); + rootHash = new byte[rootHashLength]; + System.arraycopy(spdmCertChainBytes, 4, rootHash, 0, rootHashLength); - byte[] measurementBytes = new byte[measurementSize]; - 
spdmMeasBlocks.read(measurementBytes); - spdmMeasurement = new SpdmMeasurement(measurementBytes); - } catch (IOException ioEx) { - spdmMeasurementBlockReadError = true; + int certChainStartPos = 4 + rootHashLength; + int certChainLength = spdmCertChainBytes.length - certChainStartPos; + byte[] certChainBytes = new byte[certChainLength]; + System.arraycopy(spdmCertChainBytes, certChainStartPos, certChainBytes, 0, certChainLength); + + processCertChain(certChainBytes); + } + + //TODO possily get rid of exceptions + /** + * Method for processing the data in an EFI SignatureList (ex. can be one or more X509 certs) + * + * @param certChainData Byte array holding the cert chain data + * @throws java.security.cert.CertificateException If there's a problem parsing the X509 certificate. + * @throws java.security.NoSuchAlgorithmException if there's a problem hashing the certificate. + * @throws java.io.IOException If there's a problem parsing the signature data. + */ + private void processCertChain(final byte[] certChainData) + throws CertificateException, NoSuchAlgorithmException, IOException { + + UefiX509Cert cert = null; + + ByteArrayInputStream certChainDataIS = new ByteArrayInputStream(certChainData); + while (certChainDataIS.available() > 0) { + + byte[] certType = new byte[UefiConstants.SIZE_2]; + certChainDataIS.read(certType); + byte[] certLength = new byte[UefiConstants.SIZE_2]; + certChainDataIS.read(certLength); + int cLength = new BigInteger(certLength).intValue() + UefiConstants.SIZE_4; + byte[] certData = new byte[cLength]; + certChainDataIS.read(certData); + // put the cert back together + byte[] certBlob = new byte[cLength + UefiConstants.SIZE_4]; + System.arraycopy(certType, 0, certBlob, 0, 2); + System.arraycopy(certLength, 0, certBlob, 2, 2); + System.arraycopy(certData, 0, certBlob, UefiConstants.OFFSET_4, cLength); + cert = new UefiX509Cert(certBlob); +// cert = new X509Certificate(certBlob); + certList.add(cert); + numberOfCerts++; } } 
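Review bot: The `length` field read at offset 0 of `spdmCertChainBytes` is parsed but never checked, so the `System.arraycopy` of `rootHash` at offset 4 and of the certificate bytes from `certChainStartPos` throws ArrayIndexOutOfBoundsException on a chain shorter than `4 + rootHashLength`, and a `length` that disagrees with the buffer goes unnoticed — the TPM event log is attacker-influenced input and the parser should fail gracefully, and the later commits in this series keep the same copy logic. Validate up front: `if (spdmCertChainBytes.length < 4 + rootHashLength || length > spdmCertChainBytes.length) { /* record error, return */ }` and consider parsing only `length` bytes rather than everything that remains in the buffer. The Javadoc on `processCertChain` still says it processes "an EFI SignatureList", and the constructor Javadoc omits the new `rootHashLength` parameter and the three declared exceptions.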
@@ -82,7 +123,7 @@ public class SpdmCertificateChain { */ public String toString() { -// String spdmMeasBlockInfo = ""; + String spdmMeasBlockInfo = ""; // // if(spdmMeasurementBlockReadError) { // spdmMeasBlockInfo += "\n Error reading SPDM Measurement Block"; @@ -93,6 +134,6 @@ public class SpdmCertificateChain { // spdmMeasBlockInfo += spdmMeasurement.toString(); // } // -// return spdmMeasBlockInfo; -// } + return spdmMeasBlockInfo; + } } From f2f5c520535a161da618891e38669088d8aca927 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Thu, 1 Aug 2024 17:31:14 -0400 Subject: [PATCH 24/39] spdm cert chain parsing --- .../events/DeviceSecurityEventData2.java | 4 +-- .../DeviceSecurityEventDataHeader2.java | 2 ++ ...ceSecurityEventDataSubHeaderCertChain.java | 25 +++++++++++++++++++ 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java index c1c7320e..b2f63ba4 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java @@ -72,11 +72,11 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { subHeaderInfo += dsedSubHeader.toString(); } catch(NullPointerException e) { - subHeaderInfo = "\n Could not interpret Sub header info for SPDM measurment block"; + subHeaderInfo = "\n Could not interpret Sub header info for SPDM measurment block"; } } else if (subHeaderType == DeviceSecurityEventDataSubHeader.SUBHEADERTYPE_CERT_CHAIN) { - subHeaderInfo += "\n Cert chain to be implemented "; + subHeaderInfo += "\n Cert chain to be implemented "; try { dsedSubHeader = new DeviceSecurityEventDataSubHeaderCertChain(dsedSubHeaderBytes); 
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java index 3b0f6761..56934fef 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java @@ -39,6 +39,8 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { private int length = 0; /** * Event sub headerType + * SUBHEADERTYPE_MEAS_BLOCK = 0 + * SUBHEADERTYPE_CERT_CHAIN = 1 */ @Getter private int subHeaderType = 0; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java index 45c9e722..eac5bc8a 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java @@ -1,6 +1,7 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; +import hirs.utils.tpm.eventlog.spdm.SpdmHa; import hirs.utils.tpm.eventlog.spdm.SpdmMeasurementBlock; import lombok.Getter; 
@@ -75,4 +76,28 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve // spdmMeasurementBlockList.add(spdmMeasurementBlock); // } } + + + /** + * Returns a human-readable description of the data within this structure. + * + * @return a description of this structure. + */ + public String toString() { + String dsedSubHeaderInfo = ""; +// dsedSubHeaderInfo += "\n SPDM Version: " + spdmVersion; +// String spdmHashAlgoStr = SpdmHa.tcgAlgIdToString(spdmMeasurementHashAlgo); +// dsedSubHeaderInfo += "\n SPDM Hash Algorithm = " + spdmHashAlgoStr; +// +// // SPDM Measurement Block List output +// dsedSubHeaderInfo += "\n Number of SPDM Measurement Blocks = " + spdmMeasurementBlockList.size(); +// int spdmMeasBlockCnt = 1; +// for (SpdmMeasurementBlock spdmMeasBlock : spdmMeasurementBlockList) { +// dsedSubHeaderInfo += "\n SPDM Measurement Block # " + spdmMeasBlockCnt++ + " of " + +// spdmMeasurementBlockList.size(); +// dsedSubHeaderInfo += spdmMeasBlock.toString(); +// } + + return dsedSubHeaderInfo; + } } From e91517c77cd8be8851c25dbf7acea8d5dd1023bd Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Fri, 2 Aug 2024 18:35:08 -0400 Subject: [PATCH 25/39] parsing SPDM cert chain --- .../events/DeviceSecurityEventData2.java | 4 +- ...ceSecurityEventDataSubHeaderCertChain.java | 56 ++++---- ...ventDataSubHeaderSpdmMeasurementBlock.java | 12 +- .../eventlog/spdm/SpdmCertificateChain.java | 135 ++++++++++++------ .../hirs/utils/tpm/eventlog/spdm/SpdmHa.java | 38 +++++ .../tpm/eventlog/uefi/UefiSignatureData.java | 12 +- .../tpm/eventlog/uefi/UefiSignatureList.java | 42 +++++- 7 files changed, 214 insertions(+), 85 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java index b2f63ba4..7a2c2479 100644 
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java @@ -76,14 +76,14 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { } } else if (subHeaderType == DeviceSecurityEventDataSubHeader.SUBHEADERTYPE_CERT_CHAIN) { - subHeaderInfo += "\n Cert chain to be implemented "; +// subHeaderInfo += "\n Cert chain to be implemented "; try { dsedSubHeader = new DeviceSecurityEventDataSubHeaderCertChain(dsedSubHeaderBytes); subHeaderInfo += dsedSubHeader.toString(); } catch(NullPointerException e) { - subHeaderInfo = "\n Could not interpret Sub header info for SPDM measurement block"; + subHeaderInfo = "\n Could not interpret Sub header info for SPDM cert chain"; } } else { diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java index eac5bc8a..dc7c22c3 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java @@ -1,8 +1,8 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; +import hirs.utils.tpm.eventlog.spdm.SpdmCertificateChain; import hirs.utils.tpm.eventlog.spdm.SpdmHa; -import hirs.utils.tpm.eventlog.spdm.SpdmMeasurementBlock; import lombok.Getter; import java.io.ByteArrayInputStream; @@ -20,24 +20,33 @@ import java.util.ArrayList; * SPDM_CERT_CHAIN SpdmCertChain; * } DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN; *
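Review bot: Catching `NullPointerException` around the sub-header constructor and its `toString()` uses a crash as the parse-failure signal, and it misses the other unchecked exceptions a malformed sub header can raise from the `System.arraycopy` calls in `DeviceSecurityEventDataSubHeaderCertChain` (ArrayIndexOutOfBoundsException, NegativeArraySizeException), which would then escape the event-log parser. Since these classes already accumulate error strings, prefer having the sub-header classes record a read error and never throw; if a catch stays as a last resort, make it `catch (RuntimeException e)` and append with `+=` so the "Sub header type" line assigned just above the try is not discarded: `subHeaderInfo += " Could not interpret Sub header info for SPDM cert chain\n";`. The enclosing method starts before this hunk.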

+ * SpdmVersion: SpdmBaseHashAlgo + * SpdmSlotId: SlotId associated with this SPDM Certificate Chain + * SpdmBaseHashAlgo: SPDM Base Hash Algorithm for the root certificate in the SPDM Certificate chain + * SpdmCertChain: SPDM Certificate Chain */ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEventDataSubHeader{ /** * SPDM version. */ - @Getter private int spdmVersion = 0; /** * SPDM slot ID. */ - @Getter - private int spdmLotId = 0; + private int spdmSlotId = 0; /** * SPDM base hash algorithm. */ - @Getter private int spdmBaseHashAlgo = -1; + /** + * SPDM cert chain. + */ + private SpdmCertificateChain spdmCertChain = null; + /** + * Human-readable description of any error associated with SPDM base hash alg. + */ + String spdmBaseHashAlgoError = ""; /** * DeviceSecurityEventDataSubHeaderCertChain Constructor. @@ -52,7 +61,7 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve byte[] spdmLotIdBytes = new byte[1]; System.arraycopy(dsedSubHBytes, 2, spdmLotIdBytes, 0, 1); - spdmLotId = HexUtils.leReverseInt(spdmLotIdBytes); + spdmSlotId = HexUtils.leReverseInt(spdmLotIdBytes); // byte[] reserved[Bytes]: 1 byte 
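Review bot: The new class Javadoc line `SpdmVersion: SpdmBaseHashAlgo` is a copy-paste slip; it should read `SpdmVersion: SPDM version` (the `SpdmBaseHashAlgo:` line below already describes the hash algorithm). `String spdmBaseHashAlgoError = "";` is declared without an access modifier, so it is package-private while every sibling field is `private`; make it `private String spdmBaseHashAlgoError = "";`. Removing the `@Getter` annotations from `spdmVersion`, `spdmSlotId` and `spdmBaseHashAlgo` is an API change for any caller that used those getters — worth a line in the commit message if intentional.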
@@ -68,13 +77,15 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve System.arraycopy(dsedSubHBytes, 8, spdmCertChainBytes, 0, spdmCertChainSize); -// ByteArrayInputStream spdmMeasurementBlockListData = -// new ByteArrayInputStream(spdmMeasurementBlockListBytes); -// while (spdmMeasurementBlockListData.available() > 0) { -// SpdmMeasurementBlock spdmMeasurementBlock; -// spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockListData); -// spdmMeasurementBlockList.add(spdmMeasurementBlock); -// } + int spdmBaseHashAlgoSize = SpdmHa.tcgAlgIdToByteSize(spdmBaseHashAlgo); + + if(spdmBaseHashAlgoSize > 0) { + spdmCertChain = new SpdmCertificateChain(spdmCertChainBytes, spdmBaseHashAlgoSize); + } + else { + spdmBaseHashAlgoError += "SPDM base hash algorithm size is not >0"; + } + } 
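Review bot: When `tcgAlgIdToByteSize` returns -1 the else branch records `spdmBaseHashAlgoError` but leaves `spdmCertChain` null, and the message does not say which algorithm id was rejected, which is the one fact needed to diagnose an unsupported or corrupted `SpdmBaseHashAlgo` value in the log. Include it: `spdmBaseHashAlgoError += "SPDM base hash algorithm id " + spdmBaseHashAlgo + " has no known digest size";`. Since `SpdmCertificateChain` repeats the same `rootHashLength <= 0` check and carries its own error string, one option is to always construct the chain object and let it own the error, so there is never a null for the display code to guard.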
@@ -85,18 +96,13 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve */ public String toString() { String dsedSubHeaderInfo = ""; -// dsedSubHeaderInfo += "\n SPDM Version: " + spdmVersion; -// String spdmHashAlgoStr = SpdmHa.tcgAlgIdToString(spdmMeasurementHashAlgo); -// dsedSubHeaderInfo += "\n SPDM Hash Algorithm = " + spdmHashAlgoStr; -// -// // SPDM Measurement Block List output -// dsedSubHeaderInfo += "\n Number of SPDM Measurement Blocks = " + spdmMeasurementBlockList.size(); -// int spdmMeasBlockCnt = 1; -// for (SpdmMeasurementBlock spdmMeasBlock : spdmMeasurementBlockList) { -// dsedSubHeaderInfo += "\n SPDM Measurement Block # " + spdmMeasBlockCnt++ + " of " + -// spdmMeasurementBlockList.size(); -// dsedSubHeaderInfo += spdmMeasBlock.toString(); -// } + dsedSubHeaderInfo += "\n SPDM Version = " + spdmVersion; + dsedSubHeaderInfo += "\n SPDM Slot ID = " + spdmSlotId; + String spdmBaseHashAlgoStr = SpdmHa.tcgAlgIdToString(spdmBaseHashAlgo); + dsedSubHeaderInfo += "\n SPDM Base Hash Algorithm = " + spdmBaseHashAlgoStr; + + // SPDM Certificate Chain output + dsedSubHeaderInfo += spdmCertChain.toString(); return dsedSubHeaderInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java index 9df680ac..19c5d42a 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java @@ -21,6 +21,14 @@ import java.util.List; * SPDM_MEASUREMENT_BLOCK SpdmMeasurementBlock[SpdmMeasurementBlockCount]; * } DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_MEASUREMENT_BLOCK; *
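Review bot: `dsedSubHeaderInfo += spdmCertChain.toString();` dereferences `spdmCertChain` unconditionally, but the constructor leaves it null when the base hash algorithm size is not positive, so `toString()` throws NullPointerException on exactly the malformed input the error field was added for — masked only by the `catch (NullPointerException e)` in `DeviceSecurityEventData2` — and `spdmBaseHashAlgoError` is never printed. Guard it: `if (spdmCertChain != null) { dsedSubHeaderInfo += spdmCertChain.toString(); } else { dsedSubHeaderInfo += "\n *** ERROR: " + spdmBaseHashAlgoError + " ***"; }`. The method is also missing `@Override`.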

+ * + * SpdmMeasurementBlock is an array of SPDM_MEASUREMENT_BLOCKs + * The size of each block is the same and can be found by either: + * 1) 4 + SpdmMeasurementBlock MeasurementSize + * OR + * 2) 4 + hash length of the hash algorithm found in + * DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_MEASUREMENT_BLOCK SpdmMeasurementHashAlgo + * where 4 is the size of the SpdmMeasurementBlock header */ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends DeviceSecurityEventDataSubHeader { @@ -68,7 +76,7 @@ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends Device System.arraycopy(dsedSubHBytes, 4, spdmMeasurementHashAlgoBytes, 0, 4); spdmMeasurementHashAlgo = HexUtils.leReverseInt(spdmMeasurementHashAlgoBytes); - // get the size of the SPDM Measurement Block List + // get the total size of the SPDM Measurement Block List int spdmMeasurementBlockListSize = dsedSubHBytes.length - 8; // extract the bytes that comprise the SPDM Measurement Block List @@ -92,7 +100,7 @@ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends Device */ public String toString() { String dsedSubHeaderInfo = ""; - dsedSubHeaderInfo += "\n SPDM Version: " + spdmVersion; + dsedSubHeaderInfo += "\n SPDM Version = " + spdmVersion; String spdmHashAlgoStr = SpdmHa.tcgAlgIdToString(spdmMeasurementHashAlgo); dsedSubHeaderInfo += "\n SPDM Hash Algorithm = " + spdmHashAlgoStr; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java index ad6fb351..7aaf1cb2 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java 
@@ -1,8 +1,10 @@ package hirs.utils.tpm.eventlog.spdm; import hirs.utils.HexUtils; +import hirs.utils.tpm.eventlog.events.DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock; import hirs.utils.tpm.eventlog.uefi.UefiConstants; import hirs.utils.tpm.eventlog.uefi.UefiSignatureData; +import hirs.utils.tpm.eventlog.uefi.UefiSignatureList; import hirs.utils.tpm.eventlog.uefi.UefiX509Cert; import lombok.Getter; @@ -31,6 +33,8 @@ import java.util.ArrayList; * hash algorithm is included in the DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN * structure as the member "SpdmBaseHashAlg" * RootHash: the digest of the Root Certificate. + * size is determined by hash algorithm selected by the most recent SPDM ALGORITHMS response; + * the hash algorithm is the DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN SpdmBaseHashAlgo * Certificates: Complete cert chain consisting of 1 or more ASN.1 DER-encoded X.509 v3 certs * this field shall be in Encoded ASN.1 byte order */ 
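Review bot: The added import of `hirs.utils.tpm.eventlog.events.DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock` does not appear to be used anywhere in the visible hunks of `SpdmCertificateChain`, and it introduces a reference from the `spdm` package back to the `events` package that already depends on it; the same appears true of `UefiSignatureList` and of the earlier `UefiSignatureData` and `X509Certificate` imports. Drop the unused imports so the dependency direction stays `events -> spdm -> uefi`.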
@@ -44,75 +48,99 @@ public class SpdmCertificateChain { * Root hash. */ private byte[] rootHash = null; - /** * Number of certs in the SPDM cert chain. */ - @Getter private int numberOfCerts = 0; /** * Array List of certs found in the chain. */ // private ArrayList certList = new ArrayList(); private ArrayList certList = new ArrayList(); + /** + * Human-readable description of any error associated with SPDM base hash alg. + */ + String spdmBaseHashAlgoError = ""; + /** + * Human-readable description of any error associated with parsing the X509 certs. + */ + String certProcessingError = ""; /** * SpdmCertificateChain Constructor. * * @param spdmCertChainBytes byte array holding the SPDM Cert Chain bytes. */ - public SpdmCertificateChain(final byte[] spdmCertChainBytes, final int rootHashLength) throws CertificateException, NoSuchAlgorithmException, IOException { + public SpdmCertificateChain(final byte[] spdmCertChainBytes, final int rootHashLength) { - byte[] lengthBytes = new byte[2]; - System.arraycopy(spdmCertChainBytes, 0, lengthBytes, 0, 2); - length = HexUtils.leReverseInt(lengthBytes); + if(rootHashLength <= 0) { + spdmBaseHashAlgoError = "SPDM base hash algorithm size is not >0"; + } + else { + byte[] lengthBytes = new byte[2]; + System.arraycopy(spdmCertChainBytes, 0, lengthBytes, 0, 2); + length = HexUtils.leReverseInt(lengthBytes); - // Reserved: 2 bytes + // Reserved: 2 bytes - rootHash = new byte[rootHashLength]; - System.arraycopy(spdmCertChainBytes, 4, rootHash, 0, rootHashLength); + rootHash = new byte[rootHashLength]; + System.arraycopy(spdmCertChainBytes, 4, rootHash, 0, rootHashLength); - int certChainStartPos = 4 + rootHashLength; - int certChainLength = spdmCertChainBytes.length - certChainStartPos; - byte[] certChainBytes = new byte[certChainLength]; - System.arraycopy(spdmCertChainBytes, certChainStartPos, certChainBytes, 0, certChainLength); + int certChainStartPos = 4 + rootHashLength; + int certChainLength = spdmCertChainBytes.length - 
certChainStartPos; + byte[] certChainBytes = new byte[certChainLength]; + System.arraycopy(spdmCertChainBytes, certChainStartPos, certChainBytes, 0, certChainLength); - processCertChain(certChainBytes); + processCertChain(certChainBytes); + } } - //TODO possily get rid of exceptions /** * Method for processing the data in an EFI SignatureList (ex. can be one or more X509 certs) * * @param certChainData Byte array holding the cert chain data - * @throws java.security.cert.CertificateException If there's a problem parsing the X509 certificate. - * @throws java.security.NoSuchAlgorithmException if there's a problem hashing the certificate. - * @throws java.io.IOException If there's a problem parsing the signature data. */ - private void processCertChain(final byte[] certChainData) - throws CertificateException, NoSuchAlgorithmException, IOException { + private void processCertChain(final byte[] certChainData) { UefiX509Cert cert = null; ByteArrayInputStream certChainDataIS = new ByteArrayInputStream(certChainData); while (certChainDataIS.available() > 0) { - byte[] certType = new byte[UefiConstants.SIZE_2]; - certChainDataIS.read(certType); - byte[] certLength = new byte[UefiConstants.SIZE_2]; - certChainDataIS.read(certLength); - int cLength = new BigInteger(certLength).intValue() + UefiConstants.SIZE_4; - byte[] certData = new byte[cLength]; - certChainDataIS.read(certData); - // put the cert back together - byte[] certBlob = new byte[cLength + UefiConstants.SIZE_4]; - System.arraycopy(certType, 0, certBlob, 0, 2); - System.arraycopy(certLength, 0, certBlob, 2, 2); - System.arraycopy(certData, 0, certBlob, UefiConstants.OFFSET_4, cLength); - cert = new UefiX509Cert(certBlob); + // java.io.IOException If there's a problem parsing the cert chain data. + // java.security.cert.CertificateException if there's a problem parsing the X509 certificate. + // java.security.NoSuchAlgorithmException if there's a problem hashing the certificate. 
+ try { + byte[] certType = new byte[UefiConstants.SIZE_2]; + certChainDataIS.read(certType); + byte[] certLength = new byte[UefiConstants.SIZE_2]; + certChainDataIS.read(certLength); + int cLength = new BigInteger(certLength).intValue() + UefiConstants.SIZE_4; + byte[] certData = new byte[cLength]; + certChainDataIS.read(certData); + // put the cert back together + byte[] certBlob = new byte[cLength + UefiConstants.SIZE_4]; + System.arraycopy(certType, 0, certBlob, 0, 2); + System.arraycopy(certLength, 0, certBlob, 2, 2); + System.arraycopy(certData, 0, certBlob, UefiConstants.OFFSET_4, cLength); + + cert = new UefiX509Cert(certBlob); // cert = new X509Certificate(certBlob); - certList.add(cert); - numberOfCerts++; + certList.add(cert); + numberOfCerts++; + } catch (IOException e) { + certProcessingError += "Error with Cert # " + (numberOfCerts+1) + + ": IOException (error reading cert data)"; + break; + } catch (CertificateException e) { + certProcessingError += "Error with Cert # " + (numberOfCerts+1) + + ": CertificateException"; + break; + } catch (NoSuchAlgorithmException e) { + certProcessingError += "Error with Cert # " + numberOfCerts+1 + + ": CNoSuchAlgorithmException"; + break; + } } } 
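Review bot: In `processCertChain` the two-byte certificate length is decoded with `new BigInteger(certLength).intValue()`, a signed two's-complement read, so any certificate of 0x8000 bytes or more yields a negative `cLength` and `new byte[cLength]` throws NegativeArraySizeException — not one of the three caught types — and nothing compares `cLength` with `certChainDataIS.available()`, so a truncated or forged length silently produces a zero-padded blob because the `read()` return values are ignored. Assuming the 2-byte field is the DER long-form content length (the `0x30 0x82` header held in `certType`), `cLength = length + 4` also reads four bytes past the end of each certificate into the next one, and `certBlob` is then sized with a further `+ 4` that stays zero; please confirm against a chain with two or more certificates. Read the length unsigned, bound it by what remains, and copy exactly `4 + length` bytes per certificate as below; the loop should also stop on a `RuntimeException` rather than let it escape the event-log parser. Separately, `"Error with Cert # " + numberOfCerts+1` in the NoSuchAlgorithmException branch appends `1` as a string (printing `# 01`) and `CNoSuchAlgorithmException` has a stray `C`; parenthesise `(numberOfCerts + 1)` as the other two branches do.
```java
            try {
                if (certChainDataIS.available() < UefiConstants.SIZE_4) {
                    certProcessingError += "Error with Cert # " + (numberOfCerts + 1)
                            + ": fewer than 4 bytes remain for the DER header";
                    break;
                }
                byte[] certType = new byte[UefiConstants.SIZE_2];
                certChainDataIS.read(certType);
                byte[] certLength = new byte[UefiConstants.SIZE_2];
                certChainDataIS.read(certLength);
                // unsigned big-endian; new BigInteger(byte[]) goes negative at 0x8000
                int cLength = ((certLength[0] & 0xFF) << 8) | (certLength[1] & 0xFF);
                if (cLength > certChainDataIS.available()) {
                    certProcessingError += "Error with Cert # " + (numberOfCerts + 1)
                            + ": declared length " + cLength + " exceeds remaining "
                            + certChainDataIS.available() + " bytes";
                    break;
                }
                // header (tag + length) followed by exactly cLength content bytes
                byte[] certBlob = new byte[UefiConstants.SIZE_4 + cLength];
                System.arraycopy(certType, 0, certBlob, 0, 2);
                System.arraycopy(certLength, 0, certBlob, 2, 2);
                certChainDataIS.read(certBlob, UefiConstants.OFFSET_4, cLength);

                cert = new UefiX509Cert(certBlob);
                // … unchanged: certList.add(cert); numberOfCerts++; catch blocks …
```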
@@ -123,17 +151,30 @@ public class SpdmCertificateChain { */ public String toString() { - String spdmMeasBlockInfo = ""; -// -// if(spdmMeasurementBlockReadError) { -// spdmMeasBlockInfo += "\n Error reading SPDM Measurement Block"; -// } -// else { -// spdmMeasBlockInfo += "\n Index = " + index; -// spdmMeasBlockInfo += "\n MeasurementSpec = " + measurementSpec; -// spdmMeasBlockInfo += spdmMeasurement.toString(); -// } -// - return spdmMeasBlockInfo; + String spdmCertChainInfo = ""; + + if(spdmBaseHashAlgoError != "") { + spdmCertChainInfo += "\n *** ERROR with SPDM base hash algorithm size ***"; + spdmCertChainInfo += "\n " + spdmBaseHashAlgoError; + spdmCertChainInfo += "\n Stopping processing of this cert chain"; + } + else { + spdmCertChainInfo += "\n Root hash = " + rootHash.toString(); + spdmCertChainInfo += "\n Number of certs in chain = " + numberOfCerts + "\n"; + + int certCnt = 1; + for (UefiX509Cert cert : certList) { + spdmCertChainInfo += " Cert # " + certCnt++ + " of " + + numberOfCerts + ": ------------------\n"; + spdmCertChainInfo += cert.toString(); + } + + if (certProcessingError != "") { + spdmCertChainInfo += " *** ERROR processing cert ***"; + spdmCertChainInfo += "\n " + certProcessingError; + spdmCertChainInfo += "\n Stopping processing of this cert chain"; + } + } + return spdmCertChainInfo; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java index c619ba92..0a937031 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java 
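Review bot: `spdmBaseHashAlgoError != ""` and `certProcessingError != ""` compare String references, not contents; they only work because the fields are initialised from the literal `""` and every non-empty value is a freshly built object, which is fragile and what `isEmpty()` is for — use `if (!spdmBaseHashAlgoError.isEmpty())` and `if (!certProcessingError.isEmpty())`. The method also lacks `@Override`, and building the output with repeated `+=` inside the cert loop is a StringBuilder case, as `UefiSignatureList.toString()` already does with `sigInfo.append(...)`.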
@@ -75,4 +75,42 @@ public class SpdmHa {
 }
 return alg;
 }
+
+
+ /**
+ * Returns the hash name via a lookup.
+ * Lookup based upon SPDM Spec v1.03 section 10.4.
+ *
+ * @param algId int to convert to string
+ * @return name of the algorithm
+ */
+ public static int tcgAlgIdToByteSize(final int algId) {
+ int byteSize;
+ switch (algId) {
+ //case TPM_ALG_RAW: // add this when have more test data
+ // byteSize = ;
+ // break;
+ case TPM_ALG_SHA_256:
+ byteSize = 32;
+ break;
+ case TPM_ALG_SHA_384:
+ byteSize = 48;
+ break;
+ case TPM_ALG_SHA_512:
+ byteSize = 64;
+ break;
+ case TPM_ALG_SHA3_256:
+ byteSize = 32;
+ break;
+ case TPM_ALG_SHA3_384:
+ byteSize = 48;
+ break;
+ case TPM_ALG_SHA3_512:
+ byteSize = 64;
+ break;
+ default:
+ byteSize = -1;
+ }
+ return byteSize;
+ }
 }
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java
index d4d6b324..d38a3e98 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java
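Review bot: The Javadoc on `tcgAlgIdToByteSize` is copied from `tcgAlgIdToString` — it says "Returns the hash name via a lookup", `@param algId int to convert to string` and `@return name of the algorithm`, none of which describe a method that returns a digest length. Replace it with `Returns the digest size in bytes for a TCG algorithm ID (SPDM v1.03 section 10.4).`, `@param algId TCG algorithm ID` and `@return digest size in bytes, or -1 if the algorithm ID is not recognised`, since the caller in `DeviceSecurityEventDataSubHeaderCertChain` keys off a non-positive result. The three commented-out `TPM_ALG_RAW` lines are a TODO in disguise; a single `// TODO: TPM_ALG_RAW digest size is not fixed; add once test data is available` reads better than dead case code.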
@@ -10,9 +10,15 @@ import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; /** - * Class for processing the contents of a Secure Boot PK, KEK, DB or DBX contents. - * used for EFIVariables associated with Secure Boot - * as defined by Section 32.4.1 Signature Database from the UEFI 2.8 specification + * Class for processing either + * 1) the contents of a Secure Boot PK, KEK, DB or DBX contents, + * used for EFIVariables associated with Secure Boot, + * as defined by Section 32.4.1 Signature Database from the UEFI 2.8 specification + * 2) the contents of an SPDM devdb, + * used for SPDM Device Policy or Device Authority, whose data is an EFIVariable + * EFIVariable data for SPDM Device Policy: UefiSignatureList + * EFIVariable data for SPDM Device: UefiSignatureData only + * as defined by PFP v1.06 Rev52, Section 10.4 *

* typedef struct _EFI_SIGNATURE_DATA { * EFI_GUID SignatureOwner; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java index b2a682d1..ec780cdb 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java @@ -12,12 +12,18 @@ import java.util.ArrayList; import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILESTATUS_NOT_ACCESSIBLE; /** - * Class for processing the contents of a Secure Boot DB or DBX contents. - * used for EFIVariables associated with Secure Boot - * as defined by Section 32.4.1 Signature Database from the UEFI 2.8 specification. + * Class for processing either + * 1) the contents of a Secure Boot PK, KEK, DB or DBX contents, + * used for EFIVariables associated with Secure Boot, + * as defined by Section 32.4.1 Signature Database from the UEFI 2.8 specification + * 2) the contents of an SPDM devdb, + * used for SPDM Device Policy, whose data is an EFIVariable + * as defined by PFP v1.06 Rev52, Section 10.4 *

- * An EFI Signature List is actual a list of Certificates used to verify a Signature. - * This is mainly found in PCR[7] UEFI variables for the Secure Boot PK, KEK, Db and DBx variables. + * An EFI Signature List is actually a list of Certificates used to verify a Signature. + * This is mainly found in PCR[7] UEFI variables for either the + * Secure Boot PK, KEK, Db and DBx variables + * or the SPDM devdb variable (under EV_EFI_SPDM_DEVICE_POLICY). *

* typedef struct _EFI_SIGNATURE_LIST { * EFI_GUID SignatureType; @@ -27,6 +33,27 @@ import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILESTATUS_NOT_ACCESSIB * // UINT8 SignatureHeader[SignatureHeaderSize]; * // EFI_SIGNATURE_DATA Signatures[...][SignatureSize]; * } EFI_SIGNATURE_LIST; + * + * Signatures[][] is an array of signatures. + * - Each signature is SignatureSize bytes in length. + * - The format of the signature is defined by SignatureType (SHA256, X509) + * + * / |-------------------------| ------- SignatureType + * / | Signature List Header | SignatureListSize + * |---------------------| / |-------------------------|\ SignatureHeaderSize + * | Signature List #0 | / | Signature Header | \ _____ SignatureSize + * | | / |-------------------------| + * |---------------------| / | Signature #0 | + * | Signature List #1 | / |-------------------------| + * |---------------------|/ | Signature #1 | --> each Signature is + * | Signature List #2 | |-------------------------| 1 UefiSignatureData + * | | | Signature #2 | (1 cert or hash) + * | | |-------------------------| + * |---------------------| | ... | + * \ | | + * \ |-------------------------| + * \ | Signature #n | + * \ |-------------------------| */ public class UefiSignatureList { /** @@ -125,7 +152,7 @@ public class UefiSignatureList { vendorTableFileStatus = signatureType.getVendorTableFileStatus(); // if signatureType is invalid, don't even process any of the data - // however, if signatureTYpe is valid, but some of the data later on is invalid, that will + // however, if signatureType is valid, but some of the data later on is invalid, that will // be caught when UefiSignatureData is processed if (!isValidSigListGUID(signatureType)) { //processSignatureData(lists); 
@@ -230,7 +257,10 @@ public class UefiSignatureList { sigInfo.append(" UEFI Signature List Type = " + signatureType.toString() + "\n"); sigInfo.append(" Number of Certs or Hashes in UEFI Signature List = " + numberOfCerts + "\n"); + int certOrHashCnt = 1; for (int i = 0; i < sigList.size(); i++) { + sigInfo.append(" Cert or Hash # " + certOrHashCnt++ + " of " + + numberOfCerts + ": ------------------\n"); UefiSignatureData certData = sigList.get(i); sigInfo.append(certData.toString()); } From b7ffc6da51383d53c197b166af5ff9e5cc582177 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Fri, 2 Aug 2024 18:42:03 -0400 Subject: [PATCH 26/39] parsing SPDM cert chain --- .../utils/tpm/eventlog/spdm/SpdmCertificateChain.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java index 7aaf1cb2..91efedf3 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java @@ -155,11 +155,11 @@ public class SpdmCertificateChain { if(spdmBaseHashAlgoError != "") { spdmCertChainInfo += "\n *** ERROR with SPDM base hash algorithm size ***"; - spdmCertChainInfo += "\n " + spdmBaseHashAlgoError; - spdmCertChainInfo += "\n Stopping processing of this cert chain"; + spdmCertChainInfo += "\n " + spdmBaseHashAlgoError; + spdmCertChainInfo += "\n Stopping processing of this cert chain"; } else { - spdmCertChainInfo += "\n Root hash = " + rootHash.toString(); + spdmCertChainInfo += "\n Root hash = " + HexUtils.byteArrayToHexString(rootHash); spdmCertChainInfo += "\n Number of certs in chain = " + numberOfCerts + "\n"; int certCnt = 1; 
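Review bot: `certOrHashCnt` duplicates the loop index one step ahead, so the header can simply use `(i + 1)`: `sigInfo.append(" Cert or Hash # " + (i + 1) + " of " + numberOfCerts + ": ------------------\n");`. The loop bounds on `sigList.size()` while the header prints `numberOfCerts`; if those can diverge after a parse error the count shown will not match the entries listed — confirm against how `numberOfCerts` is maintained in the constructor, which is outside this hunk.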
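Review bot: `rootHash` is now printed as hex, but it is never compared with anything, although the class Javadoc states it is the digest of the root certificate under `SpdmBaseHashAlgo` and the parser holds both the digest size and the first certificate in `certList`; a cross-check that the hash of the first DER blob equals `rootHash` would catch a mismatched or tampered chain at parse time instead of merely displaying it. That needs the algorithm ID (not just its byte size) and a `MessageDigest` name mapped from the TCG ID, so it is probably better placed in the constructor or the caller than in `toString()`; if added, compare with `MessageDigest.isEqual` and record a mismatch in `certProcessingError`. This hunk covers only the display branch; the constructor is outside it.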
@@ -171,8 +171,8 @@ public class SpdmCertificateChain { if (certProcessingError != "") { spdmCertChainInfo += " *** ERROR processing cert ***"; - spdmCertChainInfo += "\n " + certProcessingError; - spdmCertChainInfo += "\n Stopping processing of this cert chain"; + spdmCertChainInfo += "\n " + certProcessingError; + spdmCertChainInfo += "\n Stopping processing of this cert chain"; } } return spdmCertChainInfo; From 19716d581904eea53e7ac8958622447813221c23 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 5 Aug 2024 14:07:07 -0400 Subject: [PATCH 27/39] SPDM cert chain processing; cleaned up output spacing for several events --- .../events/DeviceSecurityEventData2.java | 13 ++- .../DeviceSecurityEventDataDeviceContext.java | 2 +- .../events/DeviceSecurityEventDataHeader.java | 4 +- .../DeviceSecurityEventDataHeader2.java | 4 +- .../DeviceSecurityEventDataPciContext.java | 20 ++-- ...ceSecurityEventDataSubHeaderCertChain.java | 6 +- ...ventDataSubHeaderSpdmMeasurementBlock.java | 10 +- .../events/DeviceSecurityEventHeader.java | 8 +- .../eventlog/events/EvEfiBootServicesApp.java | 14 +-- .../eventlog/events/EvEfiHandoffTable.java | 11 +- .../events/EvEfiSpdmDeviceSecurityEvent.java | 10 +- .../events/NvIndexInstanceEventLogData.java | 7 +- .../eventlog/spdm/SpdmCertificateChain.java | 30 +++--- .../tpm/eventlog/spdm/SpdmMeasurement.java | 3 +- .../eventlog/spdm/SpdmMeasurementBlock.java | 6 +- .../tpm/eventlog/uefi/UefiBootOrder.java | 2 +- .../tpm/eventlog/uefi/UefiDevicePath.java | 102 ++++++++++-------- .../utils/tpm/eventlog/uefi/UefiVariable.java | 12 +-- 18 files changed, 139 insertions(+), 125 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java index 7a2c2479..b4a2b915 100644 
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java @@ -59,8 +59,8 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { int subHeaderType = dsedHeader2.getSubHeaderType(); int subHeaderLength = dsedHeader2.getSubHeaderLength(); - subHeaderInfo = "\n Sub header type: " - + DeviceSecurityEventDataSubHeader.subheaderTypeToString(subHeaderType); + subHeaderInfo = " Sub header type: " + + DeviceSecurityEventDataSubHeader.subheaderTypeToString(subHeaderType) + "\n"; byte[] dsedSubHeaderBytes = new byte[subHeaderLength]; System.arraycopy(dsedBytes, dsedHeaderLength, dsedSubHeaderBytes, 0, subHeaderLength); @@ -72,22 +72,21 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { subHeaderInfo += dsedSubHeader.toString(); } catch(NullPointerException e) { - subHeaderInfo = "\n Could not interpret Sub header info for SPDM measurment block"; + subHeaderInfo = " Could not interpret Sub header info for SPDM measurment block\n"; } } else if (subHeaderType == DeviceSecurityEventDataSubHeader.SUBHEADERTYPE_CERT_CHAIN) { -// subHeaderInfo += "\n Cert chain to be implemented "; try { dsedSubHeader = new DeviceSecurityEventDataSubHeaderCertChain(dsedSubHeaderBytes); subHeaderInfo += dsedSubHeader.toString(); } catch(NullPointerException e) { - subHeaderInfo = "\n Could not interpret Sub header info for SPDM cert chain"; + subHeaderInfo = " Could not interpret Sub header info for SPDM cert chain\n"; } } else { - subHeaderInfo += "\n Sub header type unknown"; + subHeaderInfo += " Sub header type unknown\n"; } int dsedDevContextStartByte = dsedHeaderLength + subHeaderLength; 
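Review bot: Both `catch (NullPointerException e)` blocks in this hunk assign `subHeaderInfo = ...` rather than append, so the " Sub header type: ..." line built just above the try (previous hunk) is discarded whenever sub-header parsing fails; `subHeaderInfo += " Could not interpret Sub header info for SPDM measurement block\n";` keeps that line and also fixes the "measurment" typo this hunk carries into the output. Catching only NullPointerException is a narrow net for a parser fed from event-log bytes: a `subHeaderLength` larger than the data remaining would presumably fail inside the `System.arraycopy` of the previous hunk with an index exception that this handler does not see — I cannot see the sub-header constructors, so please confirm which exceptions they actually raise. The enclosing method starts before this hunk.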
@@ -99,7 +98,7 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { instantiateDeviceContext(dsedDevContextBytes); } catch(NullPointerException e) { - headerInfo = " Could not interpret Header info"; + headerInfo = " Could not interpret Header info\n"; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java index c773ce05..0a9f2088 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java @@ -65,7 +65,7 @@ public abstract class DeviceSecurityEventDataDeviceContext { public String toString() { String dSEDdeviceContextCommonInfo = ""; - dSEDdeviceContextCommonInfo += "\n DeviceSecurityEventData Device Context:"; + dSEDdeviceContextCommonInfo += " DeviceSecurityEventData Device Context:\n"; return dSEDdeviceContextCommonInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java index 1a8838e2..f0e56c74 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java @@ -109,8 +109,8 @@ public class DeviceSecurityEventDataHeader extends DeviceSecurityEventHeader { dsedHeaderInfo += super.toString(); String spdmHashAlgoStr = SpdmHa.tcgAlgIdToString(spdmHashAlgo); - dsedHeaderInfo += "\n SPDM Hash Algorithm = " + spdmHashAlgoStr; - dsedHeaderInfo += "\n SPDM Measurement Block:"; + dsedHeaderInfo += " SPDM Hash Algorithm = " + spdmHashAlgoStr + "\n"; + dsedHeaderInfo += " SPDM Measurement Block:\n"; dsedHeaderInfo += spdmMeasurementBlockInfo; return dsedHeaderInfo; 
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java index 56934fef..4bdb8cef 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java @@ -124,8 +124,8 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { String dsedHeader2Info = ""; dsedHeader2Info += super.toString(); - dsedHeader2Info += "\n AuthState: " + getAuthStateString(); - dsedHeader2Info += "\n Sub header UID: " + subHeaderUid; + dsedHeader2Info += " AuthState: " + getAuthStateString() + "\n"; + dsedHeader2Info += " Sub header UID: " + subHeaderUid + "\n"; return dsedHeader2Info; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index 4f16a1e5..280470ba 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java 
@@ -114,22 +114,22 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe String dSEDpciContextInfo = ""; dSEDpciContextInfo += super.toString(); - dSEDpciContextInfo += "\n Device Type = PCI"; - dSEDpciContextInfo += "\n Vendor = " + translateVendor(vendorId); - dSEDpciContextInfo += "\n Device = " + translateDevice(vendorId, deviceId); - dSEDpciContextInfo += "\n RevisionID = " + revisionId; + dSEDpciContextInfo += " Device Type = PCI\n"; + dSEDpciContextInfo += " Vendor = " + translateVendor(vendorId) + "\n"; + dSEDpciContextInfo += " Device = " + translateDevice(vendorId, deviceId) + "\n"; + dSEDpciContextInfo += " RevisionID = " + revisionId + "\n"; List classCodeList = translateDeviceClass(classCode); - dSEDpciContextInfo += "\n Device Class: "; + dSEDpciContextInfo += " Device Class: \n"; if(classCodeList.size() == 3) { - dSEDpciContextInfo += "\n Class = " + classCodeList.get(0); - dSEDpciContextInfo += "\n Subclass = " + classCodeList.get(1); - dSEDpciContextInfo += "\n Programming Interface = " + classCodeList.get(2); + dSEDpciContextInfo += " Class = " + classCodeList.get(0) + "\n"; + dSEDpciContextInfo += " Subclass = " + classCodeList.get(1) + "\n"; + dSEDpciContextInfo += " Programming Interface = " + classCodeList.get(2) + "\n"; } else { dSEDpciContextInfo += " ** Class code could not be determined **"; } - dSEDpciContextInfo += "\n SubsystemVendor = " + translateVendor(subsystemVendorId); - dSEDpciContextInfo += "\n Subsystem = " + translateDevice(subsystemVendorId, subsystemId); + dSEDpciContextInfo += " SubsystemVendor = " + translateVendor(subsystemVendorId) + "\n"; + dSEDpciContextInfo += " Subsystem = " + translateDevice(subsystemVendorId, subsystemId) + "\n"; return dSEDpciContextInfo; } 
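Review bot: The `else` branch `dSEDpciContextInfo += " ** Class code could not be determined **";` is the one line in this toString() that did not receive the trailing `"\n"` the rest of the hunk introduces, so the SubsystemVendor line will be glued onto it in the output; `dSEDpciContextInfo += " ** Class code could not be determined **\n";` restores the format. The raw `List classCodeList = translateDeviceClass(classCode);` in the context line could carry its element type (`List<String>` if that is what translateDeviceClass returns — its signature is not visible here), which would also let the `classCodeList.get(...)` calls avoid an implicit `Object` to String conversion. The enclosing toString() begins before this hunk.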
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java index dc7c22c3..1818e0a5 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java @@ -96,10 +96,10 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve */ public String toString() { String dsedSubHeaderInfo = ""; - dsedSubHeaderInfo += "\n SPDM Version = " + spdmVersion; - dsedSubHeaderInfo += "\n SPDM Slot ID = " + spdmSlotId; + dsedSubHeaderInfo += " SPDM Version = " + spdmVersion + "\n"; + dsedSubHeaderInfo += " SPDM Slot ID = " + spdmSlotId + "\n"; String spdmBaseHashAlgoStr = SpdmHa.tcgAlgIdToString(spdmBaseHashAlgo); - dsedSubHeaderInfo += "\n SPDM Base Hash Algorithm = " + spdmBaseHashAlgoStr; + dsedSubHeaderInfo += " SPDM Base Hash Algorithm = " + spdmBaseHashAlgoStr + "\n"; // SPDM Certificate Chain output dsedSubHeaderInfo += spdmCertChain.toString(); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java index 19c5d42a..81742744 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java 
@@ -100,16 +100,16 @@ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends Device */ public String toString() { String dsedSubHeaderInfo = ""; - dsedSubHeaderInfo += "\n SPDM Version = " + spdmVersion; + dsedSubHeaderInfo += " SPDM Version = " + spdmVersion + "\n"; String spdmHashAlgoStr = SpdmHa.tcgAlgIdToString(spdmMeasurementHashAlgo); - dsedSubHeaderInfo += "\n SPDM Hash Algorithm = " + spdmHashAlgoStr; + dsedSubHeaderInfo += " SPDM Hash Algorithm = " + spdmHashAlgoStr + "\n"; // SPDM Measurement Block List output - dsedSubHeaderInfo += "\n Number of SPDM Measurement Blocks = " + spdmMeasurementBlockList.size(); + dsedSubHeaderInfo += " Number of SPDM Measurement Blocks = " + spdmMeasurementBlockList.size() + "\n"; int spdmMeasBlockCnt = 1; for (SpdmMeasurementBlock spdmMeasBlock : spdmMeasurementBlockList) { - dsedSubHeaderInfo += "\n SPDM Measurement Block # " + spdmMeasBlockCnt++ + " of " + - spdmMeasurementBlockList.size(); + dsedSubHeaderInfo += " SPDM Measurement Block # " + spdmMeasBlockCnt++ + " of " + + spdmMeasurementBlockList.size() + "\n"; dsedSubHeaderInfo += spdmMeasBlock.toString(); } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java index 894bd68a..71b95cab 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java @@ -147,7 +147,7 @@ public abstract class DeviceSecurityEventHeader { // get the device path if (devicePathLength != 0) { - startByte = startByte + UefiConstants.SIZE_8; + startByte = startByte + 8; byte[] devPathBytes = new byte[devicePathLength]; System.arraycopy(dsedBytes, startByte, devPathBytes, 0, devicePathLength); 
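Review bot: `startByte = startByte + 8;` in DeviceSecurityEventHeader swaps a named constant for a bare literal, and the reader now has to reconstruct from the surrounding parsing code (outside this hunk) which fields the 8 bytes skip. A comment would keep the intent without the constant, e.g. `startByte = startByte + 8; // skip the fields preceding the device path (TODO confirm: which header fields)`. The same constant-to-literal substitution is made in SpdmCertificateChain (@@ -111) for the 2- and 4-byte sizes and deserves the same treatment.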
@@ -192,13 +192,13 @@ public abstract class DeviceSecurityEventHeader { public String toString() { String dsedHeaderCommonInfo = ""; - dsedHeaderCommonInfo += "\n SPDM Device Type = " + deviceTypeToString(deviceType); + dsedHeaderCommonInfo += " SPDM Device Type = " + deviceTypeToString(deviceType) + "\n"; if (devicePathValid) { - dsedHeaderCommonInfo += "\n SPDM Device Path:\n"; + dsedHeaderCommonInfo += " SPDM Device Path:\n"; dsedHeaderCommonInfo += devicePath; } else { - dsedHeaderCommonInfo += "\n SPDM Device Path = Unknown or invalid"; + dsedHeaderCommonInfo += " SPDM Device Path = Unknown or invalid\n"; } return dsedHeaderCommonInfo; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiBootServicesApp.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiBootServicesApp.java index 36c13e33..31e168d9 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiBootServicesApp.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiBootServicesApp.java 
@@ -117,15 +117,15 @@ public class EvEfiBootServicesApp { * @return a human readable string. */ public String toString() { - String info = "Image info: "; - info += " Image physical address: " + HexUtils.byteArrayToHexString(physicalAddress); - info += " Image length = " + imageLength; - info += " Image link time address: " + HexUtils.byteArrayToHexString(physicalAddress); - info += " Device path length = " + devicePathLength; + String info = " Image info:\n"; + info += " Image physical address = " + HexUtils.byteArrayToHexString(physicalAddress) + "\n"; + info += " Image length = " + imageLength + "\n"; + info += " Image link time address = " + HexUtils.byteArrayToHexString(physicalAddress) + "\n"; + info += " Device path length = " + devicePathLength + "\n"; if (devicePathValid) { - info += "\n" + devicePath.toString(); + info += devicePath.toString() + "\n"; } else { - info += "\n No uefi device paths were specified"; + info += " No uefi device paths were specified\n"; } return info; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiHandoffTable.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiHandoffTable.java index 758e91e8..9b931f24 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiHandoffTable.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiHandoffTable.java 
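Review bot: The "Image link time address" line in EvEfiBootServicesApp.toString() prints `HexUtils.byteArrayToHexString(physicalAddress)`, the same field as the line above it, so the two lines can never differ; the hunk reformats the line but carries the duplication forward. If the class stores the link-time address in its own field (the declarations are outside this hunk), that field belongs here, e.g. `info += " Image link time address = " + HexUtils.byteArrayToHexString(linkTimeAddress) + "\n";` with the real field name substituted for the placeholder `linkTimeAddress`. If no such field exists, the label is misleading and the line should be dropped or relabelled.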
@@ -128,14 +128,15 @@ public class EvEfiHandoffTable { */ public String toString() { StringBuilder tableInfo = new StringBuilder(); - tableInfo.append("Number of UEFI_CONFIGURATION_TABLEs = " + numberOfTables + "\n"); + tableInfo.append(" Number of UEFI_CONFIGURATION_TABLEs = " + numberOfTables + "\n"); for (int i = 0; i < numberOfTables; i++) { UefiGuid currentGuid = vendorGuids.get(i); - tableInfo.append(" Table " + i + ": " + currentGuid.toString()); - tableInfo.append(" UEFI industry standard table type = " + tableInfo.append(" Table " + i + ":\n"); + tableInfo.append(" GUID = " + currentGuid.toString() + "\n"); + tableInfo.append(" UEFI industry standard table type = " + currentGuid.getVendorTableReference() + "\n"); - tableInfo.append(" VendorTable " + i + " address: " - + HexUtils.byteArrayToHexString(vendorTables.get(i))); + tableInfo.append(" VendorTable " + i + " address: " + + HexUtils.byteArrayToHexString(vendorTables.get(i)) + "\n"); } return tableInfo.toString(); } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java index 28b42cdc..56b0d5f1 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java 
@@ -67,30 +67,30 @@ public class EvEfiSpdmDeviceSecurityEvent { if (dsedSignature.contains("SPDM Device Sec2")) { - spdmInfo = " Signature = SPDM Device Sec2"; + spdmInfo = " Signature = SPDM Device Sec2\n"; if (dsedVersion.equals("0200")) { dsed = new DeviceSecurityEventData2(eventData); spdmInfo += dsed.toString(); } else { - spdmInfo += " Incompatible version for DeviceSecurityEventData2: " + dsedVersion; + spdmInfo += " Incompatible version for DeviceSecurityEventData2: " + dsedVersion + "\n"; } } else if (dsedSignature.contains("SPDM Device Sec")) { // implies Device Security event - spdmInfo = " Signature = SPDM Device Sec"; + spdmInfo = " Signature = SPDM Device Sec\n"; if (dsedVersion.equals("0100")) { dsed = new DeviceSecurityEventData(eventData); spdmInfo += dsed.toString(); } else { - spdmInfo += " Incompatible version for DeviceSecurityEventData: " + dsedVersion; + spdmInfo += " Incompatible version for DeviceSecurityEventData: " + dsedVersion + "\n"; } } else { - spdmInfo = " Signature = Undetermined value: " + dsedSignature; + spdmInfo = " Signature = Undetermined value: " + dsedSignature + "\n"; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java index 4bd4c59b..68321113 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java 
@@ -84,21 +84,20 @@ public class NvIndexInstanceEventLogData { byte[] dsedEventData = new byte[dsedEventDataSize]; System.arraycopy(eventData, 24, dsedEventData, 0, dsedEventDataSize); - nvIndexInstanceInfo = " Signature = SPDM Device Sec2"; + nvIndexInstanceInfo = " Signature = SPDM Device Sec2\n"; if (dsedVersion.equals("0200")) { - // TODO this is throwing a nullPointerException dsed = new DeviceSecurityEventData2(dsedEventData); nvIndexInstanceInfo += dsed.toString(); } else { nvIndexInstanceInfo += " Incompatible version for DeviceSecurityEventData2: " - + dsedVersion; + + dsedVersion + "\n"; } } else { nvIndexInstanceInfo = " Signature error: should be \'SPDM Device Sec2\' but is " - + signature; + + signature + "\n"; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java index 91efedf3..d286e4b3 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java 
@@ -111,21 +111,21 @@ public class SpdmCertificateChain { // java.security.cert.CertificateException if there's a problem parsing the X509 certificate. // java.security.NoSuchAlgorithmException if there's a problem hashing the certificate. try { - byte[] certType = new byte[UefiConstants.SIZE_2]; + byte[] certType = new byte[2]; certChainDataIS.read(certType); - byte[] certLength = new byte[UefiConstants.SIZE_2]; + byte[] certLength = new byte[2]; certChainDataIS.read(certLength); - int cLength = new BigInteger(certLength).intValue() + UefiConstants.SIZE_4; +// int cLength = new BigInteger(certLength).intValue() + UefiConstants.SIZE_4; + int cLength = new BigInteger(certLength).intValue(); byte[] certData = new byte[cLength]; certChainDataIS.read(certData); // put the cert back together - byte[] certBlob = new byte[cLength + UefiConstants.SIZE_4]; + byte[] certBlob = new byte[cLength + 4]; System.arraycopy(certType, 0, certBlob, 0, 2); System.arraycopy(certLength, 0, certBlob, 2, 2); - System.arraycopy(certData, 0, certBlob, UefiConstants.OFFSET_4, cLength); - + System.arraycopy(certData, 0, certBlob, 4, cLength); cert = new UefiX509Cert(certBlob); -// cert = new X509Certificate(certBlob); + //cert = new X509Certificate(certBlob); certList.add(cert); numberOfCerts++; } catch (IOException e) { 
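Review bot: `int cLength = new BigInteger(certLength).intValue();` interprets the two length bytes as a signed value, so a length with the top bit set (0x8000 or more) becomes negative and `new byte[cLength]` throws NegativeArraySizeException, which the `catch (IOException e)` below does not handle; `int cLength = new BigInteger(1, certLength).intValue();` reads it as unsigned. The three `certChainDataIS.read(...)` calls ignore their return value, so a truncated chain yields partially-filled arrays that are then handed to UefiX509Cert as if complete — `readNBytes`, or checking the returned count against the array length, would surface that as an error, and because cLength comes straight from event-log data, bounding it by the bytes remaining in the stream before allocating is worth doing as well. The commented-out `// int cLength = ... + UefiConstants.SIZE_4;` and `//cert = new X509Certificate(certBlob);` lines are dead code and can go. Whether the fixed 2-byte type / 2-byte length split holds for every certificate in a chain I cannot confirm from here; if it relies on a particular encoding header shape, a comment stating that assumption would help the next reader. The enclosing method starts before this hunk.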
@@ -154,13 +154,13 @@ public class SpdmCertificateChain { String spdmCertChainInfo = ""; if(spdmBaseHashAlgoError != "") { - spdmCertChainInfo += "\n *** ERROR with SPDM base hash algorithm size ***"; - spdmCertChainInfo += "\n " + spdmBaseHashAlgoError; - spdmCertChainInfo += "\n Stopping processing of this cert chain"; + spdmCertChainInfo += " *** ERROR with SPDM base hash algorithm size ***\n"; + spdmCertChainInfo += " " + spdmBaseHashAlgoError + "\n"; + spdmCertChainInfo += " Stopping processing of this cert chain\n"; } else { - spdmCertChainInfo += "\n Root hash = " + HexUtils.byteArrayToHexString(rootHash); - spdmCertChainInfo += "\n Number of certs in chain = " + numberOfCerts + "\n"; + spdmCertChainInfo += " Root hash = " + HexUtils.byteArrayToHexString(rootHash) + "\n"; + spdmCertChainInfo += " Number of certs in chain = " + numberOfCerts + "\n"; int certCnt = 1; for (UefiX509Cert cert : certList) { @@ -170,9 +170,9 @@ public class SpdmCertificateChain { } if (certProcessingError != "") { - spdmCertChainInfo += " *** ERROR processing cert ***"; - spdmCertChainInfo += "\n " + certProcessingError; - spdmCertChainInfo += "\n Stopping processing of this cert chain"; + spdmCertChainInfo += " *** ERROR processing cert ***\n"; + spdmCertChainInfo += " " + certProcessingError + "\n"; + spdmCertChainInfo += " Stopping processing of this cert chain\n"; } } return spdmCertChainInfo; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java index 504983cd..417a6c28 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java 
@@ -119,10 +119,11 @@ public class SpdmMeasurement { public String toString() { String spdmMeasInfo = ""; - spdmMeasInfo += "\n SPDM Measurement Value Type = " + + spdmMeasInfo += " SPDM Measurement Value Type = " + dmtfSpecMeasurementValueTypeToString(dmtfSpecMeasurementValueType); spdmMeasInfo += "\n SPDM Measurement Value = " + HexUtils.byteArrayToHexString(dmtfSpecMeasurementValue); + spdmMeasInfo += "\n"; return spdmMeasInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java index 12724125..ac486ab2 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java @@ -90,11 +90,11 @@ public class SpdmMeasurementBlock { String spdmMeasBlockInfo = ""; if(spdmMeasurementBlockReadError) { - spdmMeasBlockInfo += "\n Error reading SPDM Measurement Block"; + spdmMeasBlockInfo += " Error reading SPDM Measurement Block\n"; } else { - spdmMeasBlockInfo += "\n Index = " + index; - spdmMeasBlockInfo += "\n MeasurementSpec = " + measurementSpec; + spdmMeasBlockInfo += " Index = " + index + "\n"; + spdmMeasBlockInfo += " MeasurementSpec = " + measurementSpec + "\n"; spdmMeasBlockInfo += spdmMeasurement.toString(); } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootOrder.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootOrder.java index c1defc00..d9e12ff4 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootOrder.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiBootOrder.java 
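Review bot: SpdmMeasurement.toString() now mixes conventions: the first line drops its leading "\n" while the second keeps `"\n SPDM Measurement Value = "`, and the terminator is added by a separate `spdmMeasInfo += "\n";` — the output is correct, but it does not follow the line-trailing "\n" style the rest of this commit adopts. `spdmMeasInfo += " SPDM Measurement Value Type = " + dmtfSpecMeasurementValueTypeToString(dmtfSpecMeasurementValueType) + "\n";` followed by `spdmMeasInfo += " SPDM Measurement Value = " + HexUtils.byteArrayToHexString(dmtfSpecMeasurementValue) + "\n";` would match the other toString() methods touched here.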
@@ -31,7 +31,7 @@ public class UefiBootOrder { */ public String toString() { StringBuilder orderList = new StringBuilder(); - orderList.append("BootOrder = "); + orderList.append(" BootOrder = "); for (int i = 0; i < bootOrder.length; i++) { orderList.append(String.format("Boot%04d ", (int) bootOrder[i])); } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java index a7d02311..2b96dd46 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java @@ -75,9 +75,9 @@ public class UefiDevicePath { } /** - * Returns the UEFI device sub-type. + * Returns the UEFI device subtype. * - * @return uefi sub-type + * @return uefi subtype */ public String getSubType() { return subType.trim(); @@ -102,9 +102,6 @@ public class UefiDevicePath { || (devPath.intValue() == UefiConstants.END_FLAG)) { break; } - if (devCount++ > 0) { - pInfo.append("\n"); - } pInfo.append(processDev(path, pathOffset)); devLength = path[pathOffset + UefiConstants.OFFSET_3] * UefiConstants.SIZE_256 + path[pathOffset + UefiConstants.OFFSET_2]; 
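Review bot: Removing the `if (devCount++ > 0)` separator in UefiDevicePath leaves `devCount` with no remaining use in this hunk; if it is not read elsewhere in the class (its declaration is outside the hunk) it is now dead state and should be deleted along with it. The loop also now depends on every sub-type helper ending its own text with "\n", a contract the later hunks in this file establish one method at a time; a comment such as `// each processDev() result is expected to end with a newline` at the `pInfo.append(processDev(path, pathOffset));` line would make that visible. The enclosing loop starts before this hunk.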
@@ -135,50 +132,50 @@ public class UefiDevicePath { case UefiConstants.DEV_HW: type = "Hardware Device Path"; if (devPath == UefiConstants.DEVPATH_HARWARE) { - devInfo += type + ": " + pciSubType(path, offset); + devInfo += type + ":\n" + pciSubType(path, offset); } break; case UefiConstants.DEV_ACPI: type = "ACPI Device Path"; - devInfo += type + ": " + acpiSubType(path, offset); + devInfo += type + ":\n" + acpiSubType(path, offset); break; case UefiConstants.DEV_MSG: type = "Messaging Device Path"; if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEV_SUB_SATA) { - devInfo += type + ": " + sataSubType(path, offset); + devInfo += type + ":\n" + sataSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEV_SUB_NVM) { - devInfo += type + ": " + nvmSubType(path, offset); + devInfo += type + ":\n" + nvmSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEV_SUB_USB) { - devInfo += type + ": " + usbSubType(path, offset); + devInfo += type + ":\n" + usbSubType(path, offset); } else { - devInfo += "UEFI Messaging Device Path Type " + Integer.valueOf(unknownSubType); + devInfo += "UEFI Messaging Device Path Type " + Integer.valueOf(unknownSubType) + "\n"; } break; case UefiConstants.DEV_MEDIA: type = "Media Device Path"; if (path[offset + UefiConstants.OFFSET_1] == 0x01) { - devInfo += type + ": " + hardDriveSubType(path, offset); + devInfo += type + ":\n" + hardDriveSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_VENDOR) { - devInfo += type + ": " + vendorSubType(path, offset); + devInfo += type + ":\n" + vendorSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_FILE) { - devInfo += type + ": " + filePathSubType(path, offset); + devInfo += type + ":\n" + filePathSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_PWIG_FILE) { - devInfo += type + ": " + 
piwgFirmVolFile(path, offset); + devInfo += type + ":\n" + piwgFirmVolFile(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_PWIG_VOL) { - devInfo += type + ": " + piwgFirmVolPath(path, offset); + devInfo += type + ":\n" + piwgFirmVolPath(path, offset); } else { - devInfo += "UEFI Media Device Path Type " + Integer.valueOf(unknownSubType); + devInfo += "UEFI Media Device Path Type " + Integer.valueOf(unknownSubType) + "\n"; } break; case UefiConstants.DEV_BIOS: type = "BIOS Device Path"; - devInfo += type + ": " + biosDevicePath(path, offset); + devInfo += type + ":\n" + biosDevicePath(path, offset); break; case UefiConstants.TERMINATOR: - devInfo += "End of Hardware Device Path"; + devInfo += "End of Hardware Device Path\n"; break; default: - devInfo += "UEFI Device Path Type " + Integer.valueOf(unknownSubType); + devInfo += "UEFI Device Path Type " + Integer.valueOf(unknownSubType) + "\n"; } return devInfo; } @@ -191,16 +188,17 @@ public class UefiDevicePath { * @return acpi device info */ private String acpiSubType(final byte[] path, final int offset) { - subType = ""; + subType = " Sub Type = ACPI\n"; switch (path[offset + UefiConstants.OFFSET_1]) { case 0x01: // standard version subType += acpiShortSubType(path, offset); break; case 0x02: - subType = "(expanded version): "; + subType = "(expanded version):\n"; + // tbd break; default: - subType = "Invalid ACPI Device Path sub type"; + subType = "Invalid ACPI Device Path sub type\n"; } return subType; } 
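Review bot: In acpiSubType the `case 0x02` branch now does `subType = "(expanded version):\n";` with plain assignment, which throws away the " Sub Type = ACPI\n" header the hunk adds on the first line, while `case 0x01` appends to it; `subType += "(expanded version):\n";` makes the two branches agree (the `default` branch has the same asymmetry, which may be intended for an invalid path). More generally these helpers pass their result through the shared field `subType` and also reassign it: `subType += acpiShortSubType(path, offset)` only preserves the header because Java evaluates the left operand of `+=` before calling the helper, which itself starts with `subType = ""` (next hunk), so building each sub-type string in a local and returning it would remove that dependence on evaluation order. The `// tbd` placeholder should say what is pending, e.g. `// TODO: decode the expanded ACPI device path fields`.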
@@ -216,13 +214,13 @@ public class UefiDevicePath { subType = ""; byte[] hid = new byte[UefiConstants.SIZE_4]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, hid, 0, UefiConstants.SIZE_4); - subType += "\n _HID = " + HexUtils.byteArrayToHexString(hid); + subType += " _HID = " + HexUtils.byteArrayToHexString(hid) + "\n"; System.arraycopy(path, 2 * UefiConstants.SIZE_4 + offset, hid, 0, UefiConstants.SIZE_4); String uid = HexUtils.byteArrayToHexString(hid); if(uid.contains("00000000")) { uid = "No _UID exists for this device"; } - subType += "\n _UID = " + uid; + subType += " _UID = " + uid + "\n"; return subType; } @@ -234,11 +232,12 @@ public class UefiDevicePath { * @return pci device info. */ private String pciSubType(final byte[] path, final int offset) { - subType = "\n Hardware Device Path Type = PCI"; - subType += "\n PCI Function Number = "; + subType = " Sub Type = PCI\n"; + subType += " PCI Function Number = "; subType += String.format("0x%x", path[offset + UefiConstants.SIZE_4]); subType += "\n PCI Device Number = "; subType += String.format("0x%x", path[offset + UefiConstants.SIZE_5]); + subType += "\n"; return subType; } @@ -250,7 +249,8 @@ public class UefiDevicePath { * @return SATA drive info. */ private String sataSubType(final byte[] path, final int offset) { - subType = "SATA: HBA Port Number = "; + subType = " Sub Type = SATA\n"; + subType += " SATA: HBA Port Number = "; byte[] data = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, data, 0, UefiConstants.SIZE_2); subType += HexUtils.byteArrayToHexString(data); @@ -258,6 +258,7 @@ public class UefiDevicePath { subType += " Port Multiplier = " + HexUtils.byteArrayToHexString(data); System.arraycopy(path, UefiConstants.OFFSET_8 + offset, data, 0, UefiConstants.SIZE_2); subType += " Logical Unit Number = " + HexUtils.byteArrayToHexString(data); + subType += "\n"; return subType; } 
@@ -269,7 +270,8 @@ public class UefiDevicePath { * @return hard drive info. */ private String hardDriveSubType(final byte[] path, final int offset) { - subType = "Partition Number = "; + subType = " Sub Type = Hard Drive\n"; + subType += " Partition Number = "; byte[] partnumber = new byte[UefiConstants.SIZE_4]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, partnumber, 0, UefiConstants.SIZE_4); @@ -277,14 +279,14 @@ public class UefiDevicePath { byte[] data = new byte[UefiConstants.SIZE_8]; System.arraycopy(path, UefiConstants.OFFSET_8 + offset, data, 0, UefiConstants.SIZE_8); - subType += " Partition Start = " + HexUtils.byteArrayToHexString(data); + subType += "\n Partition Start = " + HexUtils.byteArrayToHexString(data); System.arraycopy(path, UefiConstants.OFFSET_16 + offset, data, 0, UefiConstants.SIZE_8); - subType += " Partition Size = " + HexUtils.byteArrayToHexString(data); + subType += "\n Partition Size = " + HexUtils.byteArrayToHexString(data); byte[] signature = new byte[UefiConstants.SIZE_16]; System.arraycopy(path, UefiConstants.OFFSET_24 + offset, signature, 0, UefiConstants.SIZE_16); - subType += "\n Partition Signature = "; + subType += "\n Partition Signature = "; if (path[UefiConstants.OFFSET_41 + offset] == UefiConstants.DRIVE_SIG_NONE) { subType += "None"; } else if (path[UefiConstants.OFFSET_41 + offset] == UefiConstants.DRIVE_SIG_32BIT) { 
@@ -295,14 +297,15 @@ public class UefiDevicePath { } else { subType += "invalid partition signature type"; } - subType += " Partition Format = "; + subType += "\n Partition Format = "; if (path[UefiConstants.OFFSET_40 + offset] == UefiConstants.DRIVE_TYPE_PC_AT) { - subType += " PC-AT compatible legacy MBR"; + subType += "PC-AT compatible legacy MBR"; } else if (path[UefiConstants.OFFSET_40 + offset] == UefiConstants.DRIVE_TYPE_GPT) { - subType += " GUID Partition Table"; + subType += "GUID Partition Table"; } else { - subType += " Invalid partition table type"; + subType += "Invalid partition table type"; } + subType += "\n"; return subType; } @@ -314,7 +317,8 @@ public class UefiDevicePath { * @return file path info. */ private String filePathSubType(final byte[] path, final int offset) { - subType = "File Path = "; + subType = " Sub Type = File Path\n"; + subType += " File Path = "; byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, 2 + offset, lengthBytes, 0, UefiConstants.SIZE_2); int subTypeLength = HexUtils.leReverseInt(lengthBytes); @@ -323,6 +327,7 @@ public class UefiDevicePath { 0, subTypeLength); byte[] fileName = convertChar16tobyteArray(filePath); subType += new String(fileName, StandardCharsets.UTF_8); + subType += "\n"; return subType; } @@ -337,7 +342,8 @@ public class UefiDevicePath { * @return vendor device info. */ private String vendorSubType(final byte[] path, final int offset) { - subType = "Vendor Subtype GUID = "; + subType = " Sub Type = Vendor\n"; + subType += " Vendor Subtype GUID = "; byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2 + offset, lengthBytes, 0, UefiConstants.SIZE_2); @@ -355,6 +361,7 @@ public class UefiDevicePath { } else { subType += " : No Vendor Data present"; } + subType += "\n"; return subType; } 
@@ -367,8 +374,8 @@ public class UefiDevicePath { * @return USB device info. */ private String usbSubType(final byte[] path, final int offset) { - subType = " USB "; - subType += " port = " + Integer.valueOf(path[offset + UefiConstants.OFFSET_4]); + subType = " Sub Type = USB\n"; + subType += " port = " + Integer.valueOf(path[offset + UefiConstants.OFFSET_4]); subType += " interface = " + Integer.valueOf(path[offset + UefiConstants.OFFSET_5]); byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2 + offset, lengthBytes, @@ -377,6 +384,7 @@ public class UefiDevicePath { byte[] usbData = new byte[subTypeLength]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, usbData, 0, subTypeLength); + subType += "\n"; // Todo add further USB processing ... return subType; } @@ -393,7 +401,8 @@ public class UefiDevicePath { * @return NVM device info. */ private String nvmSubType(final byte[] path, final int offset) { - subType = "NVM Express Namespace = "; + subType = " Sub Type = NVM\n"; + subType += " NVM Express Namespace = "; byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2 + offset, lengthBytes, 0, UefiConstants.SIZE_2); @@ -402,6 +411,7 @@ public class UefiDevicePath { System.arraycopy(path, UefiConstants.OFFSET_4 + offset, nvmData, 0, subTypeLength); subType += HexUtils.byteArrayToHexString(nvmData); + subType += "\n"; return subType; } @@ -416,7 +426,8 @@ public class UefiDevicePath { * @return String that represents the UEFI defined BIOS Device Type. */ private String biosDevicePath(final byte[] path, final int offset) { - subType = "Legacy BIOS : Type = "; + subType = " Sub Type = Bios Device Path\n"; + subType += " Legacy BIOS : Type = "; Byte pathType = Byte.valueOf(path[offset + 1]); switch (pathType.intValue()) { case UefiConstants.DEVPATH_BIOS_RESERVED: 
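Review bot: The re-labelled port line in `usbSubType` still prints `Integer.valueOf(path[offset + UefiConstants.OFFSET_4])`, which sign-extends the byte, so a port or interface number above 127 is reported as a negative value. Mask before boxing: `subType += " port = " + (path[offset + UefiConstants.OFFSET_4] & 0xFF);` and likewise `(path[offset + UefiConstants.OFFSET_5] & 0xFF)` for the interface. The `usbData` copy in the following hunk is still discarded under the Todo, so the added `"\n"` is the only output change there; worth a `// usbData is parsed but not yet rendered` so the dead copy is not mistaken for output.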
@@ -448,6 +459,7 @@ public class UefiDevicePath { subType += "Unknown"; break; } + subType += "\n"; return subType; } @@ -462,12 +474,13 @@ public class UefiDevicePath { * @return String that represents the PIWG Firmware Volume Path */ private String piwgFirmVolFile(final byte[] path, final int offset) { - subType = "PIWG Firmware File "; + subType = " Sub Type = PIWG Firmware Volume File\n"; byte[] guidData = new byte[UefiConstants.SIZE_16]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, guidData, 0, UefiConstants.SIZE_16); UefiGuid guid = new UefiGuid(guidData); subType += guid.toString(); + subType += "\n"; return subType; } @@ -482,12 +495,13 @@ public class UefiDevicePath { * @return String that represents the PIWG Firmware Volume Path */ private String piwgFirmVolPath(final byte[] path, final int offset) { - subType = "PIWG Firmware Volume "; + subType = " Sub Type = PIWG Firmware Volume Path\n"; byte[] guidData = new byte[UefiConstants.SIZE_16]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, guidData, 0, UefiConstants.SIZE_16); UefiGuid guid = new UefiGuid(guidData); subType += guid.toString(); + subType += "\n"; return subType; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java index 2e56828a..d2864e95 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java 
@@ -196,10 +196,10 @@ public class UefiVariable { public String toString() { StringBuilder efiVariable = new StringBuilder(); - efiVariable.append("UEFI Variable Name: " + efiVarName + "\n"); - efiVariable.append("UEFI Variable GUID: " + uefiVarGuid.toString() + "\n"); + efiVariable.append(" UEFI Variable Name: " + efiVarName + "\n"); + efiVariable.append(" UEFI Variable GUID: " + uefiVarGuid.toString() + "\n"); if (efiVarName != "") { - efiVariable.append("UEFI Variable Contents => " + "\n"); + efiVariable.append(" UEFI Variable Contents => " + "\n"); } String tmpName = ""; if (efiVarName.contains("Boot00")) { @@ -233,10 +233,10 @@ public class UefiVariable { break; default: if (!tmpName.isEmpty()) { - efiVariable.append(String.format("Data not provided for " + efiVariable.append(String.format(" Data not provided for " + "UEFI variable named %s ", tmpName)); } else { - efiVariable.append("Data not provided "); + efiVariable.append(" Data not provided "); } } @@ -247,7 +247,7 @@ public class UefiVariable { int certSuperListCnt = 1; for (UefiSignatureList uefiSigList : certSuperList) { efiVariable.append("UEFI Signature List # " + certSuperListCnt++ + " of " + - certSuperList.size() + ":\n"); + certSuperList.size() + ": ------------------\n"); efiVariable.append(uefiSigList.toString()); } if(invalidSignatureListEncountered) { From 92042f869837a245dbb78fc8a7cf26ed6f605618 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Mon, 5 Aug 2024 18:23:50 -0400 Subject: [PATCH 28/39] fixed Device Policy & Authority output with current (limited) test data --- .../events/NvIndexInstanceEventLogData.java | 17 ++-- .../eventlog/spdm/SpdmCertificateChain.java | 10 +-- .../tpm/eventlog/uefi/UefiSignatureData.java | 4 +- .../tpm/eventlog/uefi/UefiSignatureList.java | 18 ++-- .../utils/tpm/eventlog/uefi/UefiVariable.java | 84 ++++++++++++++++--- 5 files changed, 96 insertions(+), 37 deletions(-) 
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java index 68321113..2022b9aa 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java @@ -1,8 +1,6 @@ package hirs.utils.tpm.eventlog.events; - import hirs.utils.HexUtils; -import hirs.utils.tpm.eventlog.uefi.UefiConstants; import java.nio.charset.StandardCharsets; @@ -35,11 +33,6 @@ public class NvIndexInstanceEventLogData { */ private String signature = ""; - /** - * Version. - */ - private String version = ""; - /** * Human-readable description of the data within this DEVICE_SECURITY_EVENT_DATA/..DATA2 event. */ @@ -59,10 +52,12 @@ public class NvIndexInstanceEventLogData { byte[] versionBytes = new byte[2]; System.arraycopy(eventData, 16, versionBytes, 0, 2); - String version = HexUtils.byteArrayToHexString(versionBytes); - if (version == "") { - version = "version not readable"; + String nvIndexVersion = HexUtils.byteArrayToHexString(versionBytes); + if (nvIndexVersion == "") { + nvIndexVersion = "version not readable"; } + nvIndexInstanceInfo = " Nv Index Instance Signature = " + signature + "\n"; + nvIndexInstanceInfo += " Nv Index Instance Version = " + nvIndexVersion + "\n"; // 6 bytes of Reserved data @@ -84,7 +79,7 @@ public class NvIndexInstanceEventLogData { byte[] dsedEventData = new byte[dsedEventDataSize]; System.arraycopy(eventData, 24, dsedEventData, 0, dsedEventDataSize); - nvIndexInstanceInfo = " Signature = SPDM Device Sec2\n"; + nvIndexInstanceInfo += " Signature = SPDM Device Sec2\n"; if (dsedVersion.equals("0200")) { dsed = new DeviceSecurityEventData2(dsedEventData); 
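Review bot: The new `if (nvIndexVersion == "")` in `NvIndexInstanceEventLogData` compares references, so it never triggers on a freshly built `String` from `HexUtils.byteArrayToHexString`; use `if (nvIndexVersion.isEmpty())`. This same commit replaces the identical pattern in `SpdmCertificateChain` with `isEmpty()`, so the new line is inconsistent with the fix made a few hunks later. The constructor continues past the hunk, so I cannot tell whether the fallback text is ever observable downstream.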
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java index d286e4b3..6bcdb312 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java @@ -1,19 +1,13 @@ package hirs.utils.tpm.eventlog.spdm; import hirs.utils.HexUtils; -import hirs.utils.tpm.eventlog.events.DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock; -import hirs.utils.tpm.eventlog.uefi.UefiConstants; -import hirs.utils.tpm.eventlog.uefi.UefiSignatureData; -import hirs.utils.tpm.eventlog.uefi.UefiSignatureList; import hirs.utils.tpm.eventlog.uefi.UefiX509Cert; -import lombok.Getter; import java.io.ByteArrayInputStream; import java.io.IOException; import java.math.BigInteger; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; import java.util.ArrayList; /** @@ -153,7 +147,7 @@ public class SpdmCertificateChain { String spdmCertChainInfo = ""; - if(spdmBaseHashAlgoError != "") { + if(!spdmBaseHashAlgoError.isEmpty()) { spdmCertChainInfo += " *** ERROR with SPDM base hash algorithm size ***\n"; spdmCertChainInfo += " " + spdmBaseHashAlgoError + "\n"; spdmCertChainInfo += " Stopping processing of this cert chain\n"; @@ -169,7 +163,7 @@ public class SpdmCertificateChain { spdmCertChainInfo += cert.toString(); } - if (certProcessingError != "") { + if (!certProcessingError.isEmpty()) { spdmCertChainInfo += " *** ERROR processing cert ***\n"; spdmCertChainInfo += " " + certProcessingError + "\n"; spdmCertChainInfo += " Stopping processing of this cert chain\n"; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java index d38a3e98..4cc561a8 100644 
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java @@ -73,8 +73,8 @@ public class UefiSignatureData { * * @param inputStream The Signature data. * @param sigType UEFI defined signature type. - * @throws java.io.IOException if there's an problem reading the input stream. - * @throws java.security.cert.CertificateException If there a problem parsing the X509 certificate. + * @throws java.io.IOException if there's a problem reading the input stream. + * @throws java.security.cert.CertificateException If there's a problem parsing the X509 certificate. * @throws java.security.NoSuchAlgorithmException if there's a problem hashing the certificate. */ UefiSignatureData(final ByteArrayInputStream inputStream, final UefiGuid sigType) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java index ec780cdb..a74741f3 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java 
@@ -34,9 +34,16 @@ import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILESTATUS_NOT_ACCESSIB * // EFI_SIGNATURE_DATA Signatures[...][SignatureSize]; * } EFI_SIGNATURE_LIST; * + * SignatureListHeader (contents common to any Signature Type) + * - SignatureType + * - SignatureListSize + * - SignatureHeaderSize + * - SignatureSize + * SignatureHeader (contents depend on the SignatureType) + * - The format of this header is specified by the SignatureType (SHA256, X509). * Signatures[][] is an array of signatures. * - Each signature is SignatureSize bytes in length. - * - The format of the signature is defined by SignatureType (SHA256, X509) + * - The format of the signature is defined by SignatureType (SHA256, X509). * * / |-------------------------| ------- SignatureType * / | Signature List Header | SignatureListSize @@ -54,6 +61,7 @@ import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILESTATUS_NOT_ACCESSIB * \ |-------------------------| * \ | Signature #n | * \ |-------------------------| + * */ public class UefiSignatureList { /** @@ -85,7 +93,7 @@ public class UefiSignatureList { /** * Current status of Signature List data. */ - private String dataStatus = "Signature List data validity is undetermined yet"; + private String dataInvalidStatus = "Signature List data validity is undetermined yet"; /** * Array List of Signature found in the list. */ @@ -191,7 +199,7 @@ public class UefiSignatureList { UefiSignatureData tmpSigData = new UefiSignatureData(efiSigDataIS, signatureType); if (!tmpSigData.isValid()) { dataValid = false; - dataStatus = tmpSigData.getStatus(); + dataInvalidStatus = tmpSigData.getStatus(); break; } sigList.add(tmpSigData); @@ -213,7 +221,7 @@ public class UefiSignatureList { UefiSignatureData tmpigData = new UefiSignatureData(sigDataIS, signatureType); if (!tmpigData.isValid()) { dataValid = false; - dataStatus = tmpigData.getStatus(); + dataInvalidStatus = tmpigData.getStatus(); break; } sigList.add(tmpigData); 
@@ -265,7 +273,7 @@ public class UefiSignatureList { sigInfo.append(certData.toString()); } if (!dataValid) { - sigInfo.append(" *** Invalid UEFI Signature data encountered: " + dataStatus + "\n"); + sigInfo.append(" *** Invalid UEFI Signature data encountered: " + dataInvalidStatus + "\n"); } } return sigInfo.toString(); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java index d2864e95..47c11dd4 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java @@ -75,6 +75,11 @@ public class UefiVariable { @Getter private String vendorTableFileStatus = FILESTATUS_FROM_FILESYSTEM; + /** + * Human-readable description of the data within the SPDM devdc (to be updated with more test data). + */ + String spdmDevdcInfo = ""; + /** * EFIVariable constructor. * The UEFI_VARIABLE_DATA contains a "VariableName" field which is used to determine @@ -128,10 +133,16 @@ public class UefiVariable { case "dbx": processSigList(uefiVariableData); break; - case "devdb": // Update when test patterns exist - break; // PFP v1.06 Rev 52, Sec 3.3.4.8 + case "devdb": + processSigList(uefiVariableData); + break; // Update when test patterns exist + // PFP v1.06 Rev 52, Sec 3.3.4.8 // EV_EFI_SPDM_DEVICE_POLICY: EFI_SIGNATURE_LIST // EV_EFI_SPDM_DEVICE_AUTHORITY: EFI_SIGNATURE_DATA + // for now, differentiate them by using devdc for ..DEVICE_AUTHORITY + case "devdc": + processSigDataX509(uefiVariableData); + break; case "Boot00": bootv = new UefiBootVariable(uefiVariableData); break; 
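Review bot: The new `case "devdc"` selects the EFI_SIGNATURE_DATA parse by a variable name that the adjacent comment admits is a stand-in rather than a name the PFP defines; the comment says the real discriminator is the event type (EV_EFI_SPDM_DEVICE_POLICY vs EV_EFI_SPDM_DEVICE_AUTHORITY). Presumably a log that records a DEVICE_AUTHORITY event under the real variable name would instead go through `processSigList` via `case "devdb"` and be reported as an invalid signature list. If the event type is available to the caller, passing it in (or a flag) would avoid keying on an invented name; at minimum replace the trailing `// Update when test patterns exist` with a comment stating that `"devdc"` is a temporary local convention and what it maps to. The enclosing constructor starts outside the hunk.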
@@ -188,6 +199,52 @@ public class UefiVariable { } } + /** + * Method for processing the data in an EFI SignatureList (ex. can be one or more X509 certs) + * + * @param efiSigData Byte array holding the SignatureList data + * @throws java.security.cert.CertificateException If there's a problem parsing the X509 certificate. + * @throws java.security.NoSuchAlgorithmException if there's a problem hashing the certificate. + * @throws java.io.IOException If there's a problem parsing the signature data. + */ + private void processSigDataX509(final byte[] efiSigData) + throws CertificateException, NoSuchAlgorithmException, IOException { + + ByteArrayInputStream efiSigDataIS = new ByteArrayInputStream(efiSigData); + ArrayList sigList = new ArrayList(); + spdmDevdcInfo += ""; + + // for now, use signature type for X509 + // in future with more test data, update this + byte[] guid = HexUtils.hexStringToByteArray("A159C0A5E494A74A87B5AB155C2BF072"); + UefiGuid signatureType = new UefiGuid(guid); + + int numberOfCerts = 0; + boolean dataValid = true; + String dataInvalidStatus = "Signature data validity is undetermined yet"; + while (efiSigDataIS.available() > 0) { + UefiSignatureData tmpSigData = new UefiSignatureData(efiSigDataIS, signatureType); + if (!tmpSigData.isValid()) { + dataValid = false; + dataInvalidStatus = tmpSigData.getStatus(); + break; + } + sigList.add(tmpSigData); + numberOfCerts++; + } + spdmDevdcInfo += " Number of X509 Certs in UEFI Signature Data = " + numberOfCerts + "\n"; + int certCnt = 0; + for (int i = 0; i < sigList.size(); i++) { + certCnt++; + spdmDevdcInfo += " Cert # " + certCnt + " of " + numberOfCerts + ": ------------------\n"; + UefiSignatureData certData = sigList.get(i); + spdmDevdcInfo += certData.toString(); + } + if (!dataValid) { + spdmDevdcInfo += " *** Invalid UEFI Signature data encountered: " + dataInvalidStatus + "\n"; + } + } + /** * Print out all the interesting characteristics available on this UEFI Variable. * 
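Review bot: `processSigDataX509` hard-codes the signature type as the bare literal `"A159C0A5E494A74A87B5AB155C2BF072"`, which appears to be EFI_CERT_X509_GUID in its on-disk byte order, but nothing names it; hoist it to a documented constant such as `private static final String EFI_CERT_X509_GUID_LE = "A159C0A5E494A74A87B5AB155C2BF072"; // EFI_CERT_X509_GUID, byte order as stored` and note in the javadoc that any non-X509 signature data will be reported as invalid rather than recognised. `ArrayList sigList = new ArrayList();` is a raw type; write `List<UefiSignatureData> sigList = new ArrayList<>();` so `sigList.get(i)` needs no unchecked assignment. `spdmDevdcInfo += "";` is a no-op and can go. The javadoc says the method processes "an EFI SignatureList", but the body walks a sequence of EFI_SIGNATURE_DATA entries with no list header; the summary should say so.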
@@ -216,11 +273,11 @@ public class UefiVariable { case "KEK": case "db": case "dbx": - break; case "devdb": // SPDM_DEVICE_POLICY and SPDM_DEVICE_AUTHORITY + case "devdc": // for now use devdb and devdc // (update when test patterns exist) - efiVariable.append(" EV_EFI_SPDM_DEVICE_POLICY and EV_EFI_SPDM_DEVICE_AUTHORITY: " + - "To be processed once more test patterns exist"); + //efiVariable.append(" EV_EFI_SPDM_DEVICE_POLICY and EV_EFI_SPDM_DEVICE_AUTHORITY: " + + // "To be processed once more test patterns exist"); break; case "Boot00": efiVariable.append(bootv.toString()); @@ -243,12 +300,12 @@ public class UefiVariable { // Signature List output (if there are any Signature Lists) if (certSuperList.size() > 0){ efiVariable.append("Number of UEFI Signature Lists = " + certSuperList.size() + "\n"); - } - int certSuperListCnt = 1; - for (UefiSignatureList uefiSigList : certSuperList) { - efiVariable.append("UEFI Signature List # " + certSuperListCnt++ + " of " + - certSuperList.size() + ": ------------------\n"); - efiVariable.append(uefiSigList.toString()); + int certSuperListCnt = 1; + for (UefiSignatureList uefiSigList : certSuperList) { + efiVariable.append("UEFI Signature List # " + certSuperListCnt++ + " of " + + certSuperList.size() + ": ------------------\n"); + efiVariable.append(uefiSigList.toString()); + } } if(invalidSignatureListEncountered) { efiVariable.append(invalidSignatureListStatus); @@ -256,6 +313,11 @@ public class UefiVariable { "Stopped processing of this event data\n"); } + // Signature Data output (if there is a Signature Data) + if(!spdmDevdcInfo.isEmpty()) { + efiVariable.append(spdmDevdcInfo); + } + return efiVariable.toString(); } From 042a830a6e2c3afe59e8f3a913d8bf1ec72ffd33 Mon Sep 17 00:00:00 2001 
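Review bot: The two `//efiVariable.append(...)` lines in `toString` are commented-out code rather than a comment; delete them, since the history is in git and the `devdb`/`devdc` output now comes from `spdmDevdcInfo` in the last hunk. The same hunk removes the `break;` after `case "dbx":`, so `dbx` now falls through to the `devdb`/`devdc` labels; that is harmless here because the target only breaks, but mark it `// fall through` so the next edit to that arm does not silently pick up `dbx`.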
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Tue, 6 Aug 2024 20:07:31 -0400 Subject: [PATCH 29/39] fixing spotbug --- .../hirs/utils/tpm/eventlog/TpmPcrEvent.java | 16 ++++++--- .../eventlog/events/DeviceSecurityEvent.java | 34 ++++++++----------- .../events/DeviceSecurityEventData.java | 11 +++--- .../events/DeviceSecurityEventData2.java | 33 ++++++------------ .../DeviceSecurityEventDataDeviceContext.java | 4 +-- .../events/DeviceSecurityEventDataHeader.java | 15 +++----- .../DeviceSecurityEventDataHeader2.java | 8 ++--- .../DeviceSecurityEventDataSubHeader.java | 4 +-- ...ceSecurityEventDataSubHeaderCertChain.java | 1 - .../events/DeviceSecurityEventHeader.java | 31 ++++------------- .../events/EvEfiSpdmDeviceSecurityEvent.java | 1 + .../utils/tpm/eventlog/events/EvNoAction.java | 3 +- .../events/NvIndexInstanceEventLogData.java | 1 + .../eventlog/spdm/SpdmCertificateChain.java | 5 ++- .../tpm/eventlog/uefi/UefiDevicePath.java | 7 ++-- .../utils/tpm/eventlog/uefi/UefiVariable.java | 14 ++++---- 16 files changed, 75 insertions(+), 113 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java index dd3c7590..05702d71 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java 
@@ -261,11 +261,17 @@ public class TpmPcrEvent { case EvConstants.EV_UNUSED: break; case EvConstants.EV_NO_ACTION: - EvNoAction noAction = new EvNoAction(eventContent); - sb.append(noAction.toString()); - if (noAction.isSpecIDEvent()) { - specVersion = noAction.getSpecVersion(); - specErrataVersion = noAction.getSpecErrataVersion(); + EvNoAction noAction = null; + try { + noAction = new EvNoAction(eventContent); + sb.append(noAction.toString()); + if (noAction.isSpecIDEvent()) { + specVersion = noAction.getSpecVersion(); + specErrataVersion = noAction.getSpecErrataVersion(); + } + } catch (UnsupportedEncodingException ueEx) { + log.error(ueEx); + sb.append(ueEx.toString()); } break; case EvConstants.EV_SEPARATOR: diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java index c25e063c..ab88c364 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java 
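Review bot: The new `try`/`catch` around `new EvNoAction(eventContent)` handles only `UnsupportedEncodingException`, while the `EvNoAction` constructor lines changed later in this patch decode with `StandardCharsets.UTF_8`, which cannot throw it; if the rest of that constructor is the same, this catch is dead and the malformed-input failure that can actually occur there (a short `eventContent` in a fixed-size `arraycopy`) is `ArrayIndexOutOfBoundsException`, which propagates unchanged. `sb.append(ueEx.toString())` also writes the exception class name into the report text; prefer a fixed message such as `sb.append(" EV_NO_ACTION event could not be decoded\n")` and keep the detail in the log. `log.error(ueEx)` drops any context about which event failed; `log.error("EV_NO_ACTION event decode failed", ueEx)` keeps the stack trace. The surrounding switch continues outside the hunk.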
@@ -76,27 +76,23 @@ public abstract class DeviceSecurityEvent { */ public void instantiateDeviceContext(final byte[] dsedDeviceContextBytes) { - if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_NONE) { - deviceContextInfo = "\n No Device Context (indicated by device type value of 0"; - } - else if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_PCI) { - try { - dsedDevContext - = new DeviceSecurityEventDataPciContext(dsedDeviceContextBytes); - deviceContextInfo = dsedDevContext.toString(); - } - catch(NullPointerException e) { - deviceContextInfo = " Could not interpret Device Context info"; - } - } - else if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_USB) { - // dsedDevContext - // = new DeviceSecurityEventDataUsbContext(dsedDeviceContextBytes); - // deviceContextInfo = dsedDevContext.toString(); - deviceContextInfo = " Device Type: USB - To be implemented"; + if(dsedDeviceContextBytes.length == 0) { + deviceContextInfo = "\n DeviceSecurityEventDataDeviceContext object is empty"; } else { - deviceContextInfo = " Unknown device type; cannot process device context"; + if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_NONE) { + deviceContextInfo = "\n No Device Context (indicated by device type value of 0)"; + } + else if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_PCI) { + dsedDevContext = new DeviceSecurityEventDataPciContext(dsedDeviceContextBytes); + deviceContextInfo = dsedDevContext.toString(); + } + else if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_USB) { + deviceContextInfo = " Device Type: USB - To be implemented"; + } + else { + deviceContextInfo = " Unknown device type; cannot process device context"; + } } } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java index 298a0279..00dde07f 100644 
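Review bot: In `instantiateDeviceContext` the new `dsedDeviceContextBytes.length == 0` test now runs before the `DEVICE_TYPE_NONE` test, so an event whose device type is none and therefore carries no context bytes is reported as "DeviceSecurityEventDataDeviceContext object is empty" instead of the more accurate "No Device Context" message that was reachable before. Check the device type first: `if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_NONE) { ... } else if (dsedDeviceContextBytes.length == 0) { ... }`. Dropping the `catch(NullPointerException e)` is right, but note that a non-empty yet truncated PCI context now propagates whatever `DeviceSecurityEventDataPciContext` throws (its constructor is outside this view), so the caller must be prepared for that.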
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java @@ -37,7 +37,10 @@ public class DeviceSecurityEventData extends DeviceSecurityEvent { */ public DeviceSecurityEventData(final byte[] dsedBytes) { - try { + if(dsedBytes.length == 0) { + headerInfo = " DeviceSecurityEventData object is empty"; + } + else { dsedHeader = new DeviceSecurityEventDataHeader(dsedBytes); headerInfo = dsedHeader.toString(); @@ -51,9 +54,6 @@ public class DeviceSecurityEventData extends DeviceSecurityEvent { instantiateDeviceContext(dsedDevContextBytes); } - catch(NullPointerException e) { - headerInfo = " Could not interpret Header info"; - } } /** @@ -62,8 +62,7 @@ public class DeviceSecurityEventData extends DeviceSecurityEvent { * @return a description of this structure. */ public String toString() { - String dsedInfo = ""; - dsedInfo += headerInfo; + String dsedInfo = headerInfo; dsedInfo += getDeviceContextInfo(); return dsedInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java index b4a2b915..b4701ba0 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java @@ -2,6 +2,8 @@ package hirs.utils.tpm.eventlog.events; import lombok.Getter; +import java.io.UnsupportedEncodingException; + /** * Class to process DEVICE_SECURITY_EVENT_DATA2. * Parses event data per PFP v1.06 Rev52 Table 26. 
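Review bot: The new `dsedBytes.length == 0` guard in the `DeviceSecurityEventData` constructor only covers the empty case; `DeviceSecurityEventDataHeader` reads fixed offsets (this patch shows a 2-byte copy at `OFFSET_16` and a `28 + sizeOfSpdmMeasBlock` start), so a non-empty but truncated buffer now throws `ArrayIndexOutOfBoundsException` out of the constructor where the removed `catch(NullPointerException e)` would not have helped either. Since the event log is input the verifier does not control, check against the header's fixed size before constructing and set `headerInfo` to an error message on short input, the same way the empty case is handled. The middle of the constructor is outside the hunk.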
@@ -50,7 +52,10 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { */ public DeviceSecurityEventData2(final byte[] dsedBytes) { - try { + if(dsedBytes.length == 0) { + headerInfo = " DeviceSecurityEventData2 object is empty"; + } + else { dsedHeader2 = new DeviceSecurityEventDataHeader2(dsedBytes); headerInfo = dsedHeader2.toString(); @@ -66,24 +71,12 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { System.arraycopy(dsedBytes, dsedHeaderLength, dsedSubHeaderBytes, 0, subHeaderLength); if (subHeaderType == DeviceSecurityEventDataSubHeader.SUBHEADERTYPE_MEAS_BLOCK) { - try { - dsedSubHeader = - new DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock(dsedSubHeaderBytes); - subHeaderInfo += dsedSubHeader.toString(); - } - catch(NullPointerException e) { - subHeaderInfo = " Could not interpret Sub header info for SPDM measurment block\n"; - } + dsedSubHeader = new DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock(dsedSubHeaderBytes); + subHeaderInfo += dsedSubHeader.toString(); } else if (subHeaderType == DeviceSecurityEventDataSubHeader.SUBHEADERTYPE_CERT_CHAIN) { - try { - dsedSubHeader = - new DeviceSecurityEventDataSubHeaderCertChain(dsedSubHeaderBytes); - subHeaderInfo += dsedSubHeader.toString(); - } - catch(NullPointerException e) { - subHeaderInfo = " Could not interpret Sub header info for SPDM cert chain\n"; - } + dsedSubHeader = new DeviceSecurityEventDataSubHeaderCertChain(dsedSubHeaderBytes); + subHeaderInfo += dsedSubHeader.toString(); } else { subHeaderInfo += " Sub header type unknown\n"; @@ -97,9 +90,6 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { instantiateDeviceContext(dsedDevContextBytes); } - catch(NullPointerException e) { - headerInfo = " Could not interpret Header info\n"; - } } /** 
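Review bot: `System.arraycopy(dsedBytes, dsedHeaderLength, dsedSubHeaderBytes, 0, subHeaderLength)` in the `DeviceSecurityEventData2` constructor uses a sub-header length that, by its name, comes from the parsed header and therefore from the log; with the `NullPointerException` catches removed, a length larger than the remaining bytes now surfaces as `ArrayIndexOutOfBoundsException`, and an absurd one as an allocation failure. Guard it before the copy: `if (dsedHeaderLength + subHeaderLength > dsedBytes.length) { subHeaderInfo += " Sub header length exceeds event data\n"; return; }`. Removing the NPE catches themselves is an improvement, since they could only ever mask a parser bug rather than bad input; where `subHeaderLength` is read is outside this hunk.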
@@ -108,8 +98,7 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { * @return a description of this structure. */ public String toString() { - String dsedInfo = ""; - dsedInfo += headerInfo; + String dsedInfo = headerInfo; dsedInfo += subHeaderInfo; dsedInfo += getDeviceContextInfo(); return dsedInfo; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java index 0a9f2088..ffb29a8f 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java @@ -58,9 +58,9 @@ public abstract class DeviceSecurityEventDataDeviceContext { } /** - * Returns a human readable description of the data common to device context structures. + * Returns a human-readable description of the data common to device context structures. * - * @return a description of this structure.. + * @return a description of this structure. */ public String toString() { String dSEDdeviceContextCommonInfo = ""; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java index f0e56c74..d105eb41 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java @@ -7,6 +7,7 @@ import hirs.utils.tpm.eventlog.uefi.UefiConstants; import lombok.Getter; import java.io.ByteArrayInputStream; +import java.io.UnsupportedEncodingException; /** * Class to process the DEVICE_SECURITY_EVENT_DATA_HEADER. 
@@ -87,13 +88,9 @@ public class DeviceSecurityEventDataHeader extends DeviceSecurityEventHeader { ByteArrayInputStream spdmMeasurementBlockData = new ByteArrayInputStream(spdmMeasBlockBytes); - try { - spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockData); - spdmMeasurementBlockInfo = spdmMeasurementBlock.toString(); - } - catch(NullPointerException e) { - spdmMeasurementBlockInfo = "Could not interpret SPDM Measurement Block info"; - } + + spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockData); + spdmMeasurementBlockInfo = spdmMeasurementBlock.toString(); int devPathLenStartByte = 28 + sizeOfSpdmMeasBlock; extractDevicePathAndFinalSize(dsedBytes, devPathLenStartByte); @@ -105,9 +102,7 @@ public class DeviceSecurityEventDataHeader extends DeviceSecurityEventHeader { * @return a description of this structure. */ public String toString() { - String dsedHeaderInfo = ""; - - dsedHeaderInfo += super.toString(); + String dsedHeaderInfo = super.toString(); String spdmHashAlgoStr = SpdmHa.tcgAlgIdToString(spdmHashAlgo); dsedHeaderInfo += " SPDM Hash Algorithm = " + spdmHashAlgoStr + "\n"; dsedHeaderInfo += " SPDM Measurement Block:\n"; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java index 4bdb8cef..e5c52554 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java @@ -3,6 +3,8 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import lombok.Getter; +import java.io.UnsupportedEncodingException; + /** * Class to process the DEVICE_SECURITY_EVENT_DATA_HEADER2. * DEVICE_SECURITY_EVENT_DATA_HEADER2 contains the measurement(s) and hash algorithm identifier 
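Review bot: `int devPathLenStartByte = 28 + sizeOfSpdmMeasBlock;` in `DeviceSecurityEventDataHeader` carries an unexplained `28` and a block size that presumably comes from the log; a short comment naming the fixed header fields the 28 covers, and a check that `devPathLenStartByte + 8 <= dsedBytes.length` before `extractDevicePathAndFinalSize` is called, would keep a malformed measurement-block size from turning into an `ArrayIndexOutOfBoundsException` now that the try/catch is gone. The `import java.io.UnsupportedEncodingException;` added at the top of this file and of `DeviceSecurityEventDataHeader2` is not used by any line visible in either hunk; if it is unused elsewhere, drop it, since SpotBugs/Checkstyle will flag it next.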
@@ -43,7 +45,7 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { * SUBHEADERTYPE_CERT_CHAIN = 1 */ @Getter - private int subHeaderType = 0; + private int subHeaderType = -1; /** * Event sub header length. */ @@ -121,9 +123,7 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { * @return a description of this structure. */ public String toString() { - String dsedHeader2Info = ""; - - dsedHeader2Info += super.toString(); + String dsedHeader2Info = super.toString(); dsedHeader2Info += " AuthState: " + getAuthStateString() + "\n"; dsedHeader2Info += " Sub header UID: " + subHeaderUid + "\n"; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java index 2807a3b4..1bbdb413 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java @@ -23,11 +23,9 @@ public abstract class DeviceSecurityEventDataSubHeader { */ public static final int SUBHEADERTYPE_CERT_CHAIN = 1; - public DeviceSecurityEventDataSubHeader() { } - /** * Returns the device type via a lookup. * Lookup based upon section 10.2.7.2, Table 19, in the PFP 1.06 v52 spec. @@ -42,7 +40,7 @@ public abstract class DeviceSecurityEventDataSubHeader { case SUBHEADERTYPE_CERT_CHAIN: return "SPDM Cert Chain"; default: - return "Unknown or invalid Subheader Type"; + return "Unknown or invalid Subheader Type of value " + subheaderTypeInt; } } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java index 1818e0a5..26262afa 100644 
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java @@ -88,7 +88,6 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve } - /** * Returns a human-readable description of the data within this structure. * diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java index 71b95cab..398f9529 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java @@ -84,20 +84,9 @@ public abstract class DeviceSecurityEventHeader { */ @Getter private UefiDevicePath devicePath = null; - /** - * Is the Device Path Valid. - */ - private boolean devicePathValid = false; /** - * DeviceSecurityEventDataHeaderBase Default Constructor. - */ - public DeviceSecurityEventHeader() { - - } - - /** - * DeviceSecurityEventDataHeaderBase Constructor. + * DeviceSecurityEventDataHeader Constructor. * * @param dSEDbytes byte array holding the DeviceSecurityEventData. */ @@ -112,7 +101,6 @@ public abstract class DeviceSecurityEventHeader { System.arraycopy(dSEDbytes, UefiConstants.OFFSET_16, versionBytes, 0, UefiConstants.SIZE_2); version = HexUtils.byteArrayToHexString(versionBytes); - } /** 
@@ -140,24 +128,17 @@ public abstract class DeviceSecurityEventHeader { public void extractDevicePathAndFinalSize(final byte[] dsedBytes, int startByte) { // get the device path length - byte[] devicePathLengthBytes = new byte[UefiConstants.SIZE_8]; - System.arraycopy(dsedBytes, startByte, devicePathLengthBytes, 0, - UefiConstants.SIZE_8); + byte[] devicePathLengthBytes = new byte[8]; + System.arraycopy(dsedBytes, startByte, devicePathLengthBytes, 0, 8); int devicePathLength = HexUtils.leReverseInt(devicePathLengthBytes); // get the device path - if (devicePathLength != 0) { + if (devicePathLength > 0) { startByte = startByte + 8; byte[] devPathBytes = new byte[devicePathLength]; System.arraycopy(dsedBytes, startByte, devPathBytes, 0, devicePathLength); - try { - devicePath = new UefiDevicePath(devPathBytes); - devicePathValid = true; - } - catch (UnsupportedEncodingException e) { - devicePathValid = false; - } + devicePath = new UefiDevicePath(devPathBytes); } // header total size @@ -193,7 +174,7 @@ public abstract class DeviceSecurityEventHeader { String dsedHeaderCommonInfo = ""; dsedHeaderCommonInfo += " SPDM Device Type = " + deviceTypeToString(deviceType) + "\n"; - if (devicePathValid) { + if (devicePath != null) { dsedHeaderCommonInfo += " SPDM Device Path:\n"; dsedHeaderCommonInfo += devicePath; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java index 56b0d5f1..397fb316 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java @@ -3,6 +3,7 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import hirs.utils.tpm.eventlog.uefi.UefiConstants; +import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** 
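Review bot: `devicePathLength` comes straight from the event-log bytes and is used as the size of `devPathBytes` and as the `System.arraycopy` length without being checked against `dsedBytes.length`, so a truncated or malformed log now surfaces as an `ArrayIndexOutOfBoundsException` from `extractDevicePathAndFinalSize`; the `> 0` change only rules out the negative case. Guard it before the copy, e.g. `if (devicePathLength > dsedBytes.length - startByte) { throw new IllegalArgumentException("device path length " + devicePathLength + " exceeds remaining event data"); }` placed right after `startByte = startByte + 8;`. Replacing `UefiConstants.SIZE_8` with the literal `8` (twice) reintroduces a magic number the rest of the file avoids; keep the constant. With the try/catch gone, any runtime exception from `new UefiDevicePath(devPathBytes)` on bad data will propagate to the caller, which may be intended but should be stated in the method's Javadoc. The method's tail (the `// header total size` computation) lies outside the hunk.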
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java index 6334922e..866a4b92 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java @@ -4,6 +4,7 @@ import hirs.utils.HexUtils; import hirs.utils.tpm.eventlog.uefi.UefiConstants; import lombok.Getter; +import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** @@ -54,7 +55,7 @@ public class EvNoAction { * @param eventData byte array holding the event to process. * @throws java.io.UnsupportedEncodingException if input fails to parse. */ - public EvNoAction(final byte[] eventData) { + public EvNoAction(final byte[] eventData) throws UnsupportedEncodingException { byte[] signatureBytes = new byte[UefiConstants.SIZE_15]; System.arraycopy(eventData, 0, signatureBytes, 0, UefiConstants.SIZE_15); signature = new String(signatureBytes, StandardCharsets.UTF_8); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java index 2022b9aa..7d228d54 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java @@ -2,6 +2,7 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; +import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java index 6bcdb312..36766351 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java 
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java @@ -37,7 +37,7 @@ public class SpdmCertificateChain { /** * Length of the certificate chain to include all fields in this structure. */ - private int length = 0; + //private int length = 0; /** * Root hash. */ @@ -49,7 +49,6 @@ public class SpdmCertificateChain { /** * Array List of certs found in the chain. */ -// private ArrayList certList = new ArrayList(); private ArrayList certList = new ArrayList(); /** * Human-readable description of any error associated with SPDM base hash alg. @@ -73,7 +72,7 @@ public class SpdmCertificateChain { else { byte[] lengthBytes = new byte[2]; System.arraycopy(spdmCertChainBytes, 0, lengthBytes, 0, 2); - length = HexUtils.leReverseInt(lengthBytes); + //length = HexUtils.leReverseInt(lengthBytes); // Reserved: 2 bytes diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java index 2b96dd46..e8e19442 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java @@ -67,7 +67,7 @@ public class UefiDevicePath { * @param path byte array holding device path data * @throws java.io.UnsupportedEncodingException if path byte array contains unexpected values */ - public UefiDevicePath(final byte[] path) throws UnsupportedEncodingException { + public UefiDevicePath(final byte[] path) { devPathInfo = processDevPath(path); byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2, lengthBytes, 0, UefiConstants.OFFSET_2); 
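Review bot: The `length` field and its parsing in the constructor are commented out rather than removed (`//private int length = 0;` and `//length = HexUtils.leReverseInt(lengthBytes);`), leaving dead code in two places that version control already preserves; delete the lines, or keep the field if it is still wanted. Per the field's own Javadoc the value is the length of the whole certificate chain structure, which makes it the natural bound for the reads that follow in this constructor; if it is dropped, nothing visible here checks the parsed data against the declared length (the remainder of the constructor is outside the hunk). A one-line comment stating why the value is ignored, e.g. `// Length (2 bytes) is skipped; it is not validated against the chain contents`, would help the next reader. The surviving `certList` declaration beside the removed duplicate still uses a raw `ArrayList`; a parameterized `List<...>` with the stored element type would be clearer, though that line is unchanged context.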
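Review bot: The `UefiDevicePath` constructor no longer declares `throws UnsupportedEncodingException`, but the Javadoc directly above it still says `@throws java.io.UnsupportedEncodingException if path byte array contains unexpected values`, which is now false; drop that tag. The same stale `@throws java.io.UnsupportedEncodingException` tag remains on `processDevPath` and `processDev` in the next two hunks of this file. Since callers such as `DeviceSecurityEventHeader.extractDevicePathAndFinalSize` dropped their try/catch on the strength of this change, the constructor Javadoc should instead say what happens on malformed input (presumably a runtime exception from the offset arithmetic in `processDev`, which is outside the hunk).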
@@ -93,7 +93,7 @@ public class UefiDevicePath { * @return Human readable string containing the device path description. * @throws java.io.UnsupportedEncodingException */ - private String processDevPath(final byte[] path) throws UnsupportedEncodingException { + private String processDevPath(final byte[] path) { StringBuilder pInfo = new StringBuilder(); int devLength = 0, pathOffset = 0, devCount = 0; while (true) { @@ -123,8 +123,7 @@ public class UefiDevicePath { * @return human-readable string representing the UEFI device path * @throws java.io.UnsupportedEncodingException */ - private String processDev(final byte[] path, final int offset) - throws UnsupportedEncodingException { + private String processDev(final byte[] path, final int offset) { String devInfo = " "; int devPath = path[offset]; byte unknownSubType = path[offset + UefiConstants.OFFSET_1]; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java index 47c11dd4..4b8d7a12 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java @@ -200,9 +200,9 @@ public class UefiVariable { } /** - * Method for processing the data in an EFI SignatureList (ex. can be one or more X509 certs) + * Method for processing the data in an EFI Signature Data, where the data is known to be an X509 cert * - * @param efiSigData Byte array holding the SignatureList data + * @param efiSigData Byte array holding the SignatureData data * @throws java.security.cert.CertificateException If there's a problem parsing the X509 certificate. * @throws java.security.NoSuchAlgorithmException if there's a problem hashing the certificate. * @throws java.io.IOException If there's a problem parsing the signature data. 
@@ -214,8 +214,8 @@ public class UefiVariable { ArrayList sigList = new ArrayList(); spdmDevdcInfo += ""; - // for now, use signature type for X509 - // in future with more test data, update this + // for now, hard-code the signature type for X509 + // in future with more test data, update this (potentially need to look at previous SPDM event) byte[] guid = HexUtils.hexStringToByteArray("A159C0A5E494A74A87B5AB155C2BF072"); UefiGuid signatureType = new UefiGuid(guid); @@ -274,10 +274,8 @@ public class UefiVariable { case "db": case "dbx": case "devdb": // SPDM_DEVICE_POLICY and SPDM_DEVICE_AUTHORITY - case "devdc": // for now use devdb and devdc - // (update when test patterns exist) - //efiVariable.append(" EV_EFI_SPDM_DEVICE_POLICY and EV_EFI_SPDM_DEVICE_AUTHORITY: " + - // "To be processed once more test patterns exist"); + case "devdc": // for now use devdb and devdc respectively + // (update when more test patterns exist) break; case "Boot00": efiVariable.append(bootv.toString()); From 6124e632016f61db24c172766516e96b8d107d81 Mon Sep 17 00:00:00 2001 
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Wed, 7 Aug 2024 11:15:22 -0400 Subject: [PATCH 30/39] cleaning up --- .../hirs/utils/tpm/eventlog/TpmPcrEvent.java | 10 +-- .../events/DeviceSecurityEventData.java | 3 - .../events/DeviceSecurityEventData2.java | 2 - .../DeviceSecurityEventDataDeviceContext.java | 1 - .../events/DeviceSecurityEventDataHeader.java | 10 ++- .../DeviceSecurityEventDataHeader2.java | 12 ++- .../DeviceSecurityEventDataPciContext.java | 2 - .../DeviceSecurityEventDataSubHeader.java | 5 +- ...ceSecurityEventDataSubHeaderCertChain.java | 5 -- ...ventDataSubHeaderSpdmMeasurementBlock.java | 23 ++++- .../events/DeviceSecurityEventHeader.java | 1 - .../events/EvEfiSpdmDeviceSecurityEvent.java | 1 - .../utils/tpm/eventlog/events/EvNoAction.java | 5 ++ .../tpm/eventlog/events/EvSCrtmVersion.java | 2 +- .../events/NvIndexInstanceEventLogData.java | 1 - .../eventlog/spdm/SpdmCertificateChain.java | 3 +- .../hirs/utils/tpm/eventlog/spdm/SpdmHa.java | 5 +- .../tpm/eventlog/spdm/SpdmMeasurement.java | 3 +- .../eventlog/spdm/SpdmMeasurementBlock.java | 53 ++++-------- .../tpm/eventlog/uefi/UefiSecureBoot.java | 8 +- .../tpm/eventlog/uefi/UefiSignatureList.java | 85 +++++++------------ .../utils/tpm/eventlog/uefi/UefiVariable.java | 6 +- 22 files changed, 108 insertions(+), 138 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java index 05702d71..ec18d1cf 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java 
@@ -318,12 +318,8 @@ public class TpmPcrEvent { case EvConstants.EV_EFI_EVENT_BASE: break; case EvConstants.EV_EFI_VARIABLE_DRIVER_CONFIG: - UefiVariable efiVar = null; try { - efiVar = new UefiVariable(eventContent); - String efiVarDescription = efiVar.toString().replace("\n", "\n "); - sb.append(efiVarDescription.substring(0, - efiVarDescription.length() - INDENT_3)); + sb.append(new UefiVariable(eventContent).toString()); } catch (CertificateException cEx) { log.error(cEx); sb.append(cEx.toString()); @@ -508,9 +504,7 @@ public class TpmPcrEvent { break; case EvConstants.EV_EFI_VARIABLE_DRIVER_CONFIG: UefiVariable efiVar = new UefiVariable(content); - String efiVarDescription = efiVar.toString().replace("\n", "\n "); - description += "Event Content:\n " + efiVarDescription.substring(0, - efiVarDescription.length() - INDENT_3); + description += "Event Content:\n" + efiVar.toString(); vendorTableFileStatus = efiVar.getVendorTableFileStatus(); break; case EvConstants.EV_EFI_VARIABLE_BOOT: diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java index 00dde07f..ce7dc4c0 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java @@ -2,9 +2,6 @@ package hirs.utils.tpm.eventlog.events; import lombok.Getter; -import java.io.IOException; -import java.io.UnsupportedEncodingException; - /** * Class to process DEVICE_SECURITY_EVENT_DATA. * Parses event data per PFP v1.06 Rev52 Table 20. diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java index b4701ba0..6a363813 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java 
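Review bot: Both hunks drop the `.replace("\n", "\n ")` re-indentation and the trailing `substring(0, ... - INDENT_3)` trim of the `UefiVariable` description, so the nested output is no longer indented under the event and whatever trailing characters the old code stripped are now emitted; if `UefiVariable.toString()` was changed elsewhere to produce its own indentation this is fine, but that is not visible here and deserves a sentence in the commit message. If no other use of `INDENT_3` remains in `TpmPcrEvent`, the constant is now unused and should be removed. In the first hunk `sb.append(new UefiVariable(eventContent).toString())` can be `sb.append(new UefiVariable(eventContent))`, since `StringBuilder.append(Object)` calls `toString()` itself.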
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java @@ -2,8 +2,6 @@ package hirs.utils.tpm.eventlog.events; import lombok.Getter; -import java.io.UnsupportedEncodingException; - /** * Class to process DEVICE_SECURITY_EVENT_DATA2. * Parses event data per PFP v1.06 Rev52 Table 26. diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java index ffb29a8f..5a480251 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataDeviceContext.java @@ -69,6 +69,5 @@ public abstract class DeviceSecurityEventDataDeviceContext { return dSEDdeviceContextCommonInfo; } - } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java index d105eb41..9d02ea47 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader.java @@ -7,7 +7,7 @@ import hirs.utils.tpm.eventlog.uefi.UefiConstants; import lombok.Getter; import java.io.ByteArrayInputStream; -import java.io.UnsupportedEncodingException; +import java.io.IOException; /** * Class to process the DEVICE_SECURITY_EVENT_DATA_HEADER. 
@@ -89,8 +89,12 @@ public class DeviceSecurityEventDataHeader extends DeviceSecurityEventHeader { ByteArrayInputStream spdmMeasurementBlockData = new ByteArrayInputStream(spdmMeasBlockBytes); - spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockData); - spdmMeasurementBlockInfo = spdmMeasurementBlock.toString(); + try { + spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockData); + spdmMeasurementBlockInfo = spdmMeasurementBlock.toString(); + } catch (IOException e) { + spdmMeasurementBlockInfo = " Error reading SPDM Measurement Block"; + } int devPathLenStartByte = 28 + sizeOfSpdmMeasBlock; extractDevicePathAndFinalSize(dsedBytes, devPathLenStartByte); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java index e5c52554..ddaef9cf 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java @@ -3,8 +3,6 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import lombok.Getter; -import java.io.UnsupportedEncodingException; - /** * Class to process the DEVICE_SECURITY_EVENT_DATA_HEADER2. * DEVICE_SECURITY_EVENT_DATA_HEADER2 contains the measurement(s) and hash algorithm identifier @@ -84,6 +82,11 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { */ public static final int AUTH_NO_SPDM = 0xFF; + /** + * DeviceSecurityEventDataHeader2 Constructor. + * + * @param dsedBytes byte array holding the DeviceSecurityEventData2. + */ public DeviceSecurityEventDataHeader2(final byte[] dsedBytes) { super(dsedBytes); 
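Review bot: The new `catch (IOException e)` discards the exception entirely — it is neither logged nor included in `spdmMeasurementBlockInfo` — and leaves `spdmMeasurementBlock` unset while the constructor goes on to compute `devPathLenStartByte` from `sizeOfSpdmMeasBlock` as if the block had parsed, so a caller reading the getter gets a null with no indication why. At minimum carry the message: `spdmMeasurementBlockInfo = " Error reading SPDM Measurement Block: " + e.getMessage();`. Note also that `SpdmMeasurementBlock` reads from a `ByteArrayInputStream`, whose reads return a short count or -1 rather than throwing when the data runs out, so this catch (and the matching one in `DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock` later in this commit) only fires once that constructor checks its read counts and throws; until then a truncated block parses silently as zeros. The rest of this constructor is outside the hunk.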
@@ -130,6 +133,11 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { return dsedHeader2Info; } + /** + * Returns a human-readable description of auth state based on numeric representation lookup. + * + * @return a description of the auth state. + */ public String getAuthStateString() { switch (authState) { diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index 280470ba..ff90af3d 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java @@ -3,7 +3,6 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import lombok.Getter; -import java.util.ArrayList; import java.util.List; import static hirs.utils.PciIds.translateDevice; @@ -102,7 +101,6 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe byte[] pciSubsystemIdBytes = new byte[2]; System.arraycopy(dSEDpciContextBytes, 14, pciSubsystemIdBytes, 0, 2); subsystemId = HexUtils.byteArrayToHexString(HexUtils.leReverseByte(pciSubsystemIdBytes)); - } /** diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java index 1bbdb413..81ac2543 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java @@ -1,6 +1,5 @@ package hirs.utils.tpm.eventlog.events; - /** * Class to process the DEVICE_SECURITY_EVENT_DATA_SUB_HEADER event per PFP. * 
@@ -23,6 +22,10 @@ public abstract class DeviceSecurityEventDataSubHeader { */ public static final int SUBHEADERTYPE_CERT_CHAIN = 1; + /** + * DeviceSecurityEventDataSubHeader Default Constructor. + * + */ public DeviceSecurityEventDataSubHeader() { } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java index 26262afa..b1cc4011 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java @@ -3,10 +3,6 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import hirs.utils.tpm.eventlog.spdm.SpdmCertificateChain; import hirs.utils.tpm.eventlog.spdm.SpdmHa; -import lombok.Getter; - -import java.io.ByteArrayInputStream; -import java.util.ArrayList; /** * Class to process the DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN event per PFP. @@ -85,7 +81,6 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve else { spdmBaseHashAlgoError += "SPDM base hash algorithm size is not >0"; } - } /** diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java index 81742744..86ecce59 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java 
@@ -6,6 +6,7 @@ import hirs.utils.tpm.eventlog.spdm.SpdmMeasurementBlock; import lombok.Getter; import java.io.ByteArrayInputStream; +import java.io.IOException; import java.util.ArrayList; import java.util.List; @@ -52,6 +53,10 @@ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends Device * List of SPDM Measurement Blocks. */ private List spdmMeasurementBlockList; + /** + * Error reading SPDM Measurement Block. + */ + private boolean spdmMeasurementBlockReadError = false; /** * DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock Constructor. @@ -87,9 +92,14 @@ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends Device ByteArrayInputStream spdmMeasurementBlockListData = new ByteArrayInputStream(spdmMeasurementBlockListBytes); while (spdmMeasurementBlockListData.available() > 0) { - SpdmMeasurementBlock spdmMeasurementBlock; - spdmMeasurementBlock = new SpdmMeasurementBlock(spdmMeasurementBlockListData); - spdmMeasurementBlockList.add(spdmMeasurementBlock); + try { + SpdmMeasurementBlock spdmMeasurementBlock = + new SpdmMeasurementBlock(spdmMeasurementBlockListData); + spdmMeasurementBlockList.add(spdmMeasurementBlock); + } catch (IOException e) { + spdmMeasurementBlockReadError = true; + break; + } } } 
@@ -105,13 +115,18 @@ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends Device dsedSubHeaderInfo += " SPDM Hash Algorithm = " + spdmHashAlgoStr + "\n"; // SPDM Measurement Block List output - dsedSubHeaderInfo += " Number of SPDM Measurement Blocks = " + spdmMeasurementBlockList.size() + "\n"; + dsedSubHeaderInfo += " Number of SPDM Measurement Blocks = " + + spdmMeasurementBlockList.size() + "\n"; int spdmMeasBlockCnt = 1; for (SpdmMeasurementBlock spdmMeasBlock : spdmMeasurementBlockList) { dsedSubHeaderInfo += " SPDM Measurement Block # " + spdmMeasBlockCnt++ + " of " + spdmMeasurementBlockList.size() + "\n"; dsedSubHeaderInfo += spdmMeasBlock.toString(); } + if(spdmMeasurementBlockReadError) { + dsedSubHeaderInfo += " Error reading SPDM Measurement Block #" + + spdmMeasBlockCnt + ", halting processing\n"; + } return dsedSubHeaderInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java index 398f9529..5d2696b6 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java @@ -5,7 +5,6 @@ import hirs.utils.tpm.eventlog.uefi.UefiConstants; import hirs.utils.tpm.eventlog.uefi.UefiDevicePath; import lombok.Getter; -import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java index 397fb316..56b0d5f1 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java 
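Review bot: `if(spdmMeasurementBlockReadError) {` lacks the space after the keyword that the rest of this method uses (`for (...)` a few lines up); write `if (spdmMeasurementBlockReadError) {`. The appended message relies on `spdmMeasBlockCnt` having been post-incremented once per parsed block so that after the loop it names the block that failed; a comment such as `// spdmMeasBlockCnt is now the 1-based index of the block that failed to parse` would make that dependency explicit.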
@@ -3,7 +3,6 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import hirs.utils.tpm.eventlog.uefi.UefiConstants; -import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java index 866a4b92..812b46cd 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java @@ -106,6 +106,11 @@ public class EvNoAction { return specIdInfo; } + /** + * Returns a human-readable description of locality based on numeric representation lookup. + * + * @return a description of the locality. + */ private String getLocality(final byte[] eventData) { String localityInfo = ""; byte[] localityBytes = new byte[1]; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvSCrtmVersion.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvSCrtmVersion.java index 79b5cf54..d9a4ba54 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvSCrtmVersion.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvSCrtmVersion.java @@ -39,7 +39,7 @@ public class EvSCrtmVersion { if (UefiGuid.isValidUUID(data)) { guid = new UefiGuid(data); String guidInfo = guid.toStringNoLookup(); - description = " SCRM Version = " + guidInfo; + description = " SCRM Version = " + guidInfo; } } else if (data.length < UefiConstants.SIZE_4) { description = HexUtils.byteArrayToHexString(data); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java index 7d228d54..2022b9aa 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java 
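Review bot: The new Javadoc on `getLocality` has no `@param` for `eventData`, although the method takes it and the constructor Javadoc in this file documents its own `eventData` parameter; add `* @param eventData byte array holding the event data.` between the description and `@return`. The summary says the result is "based on numeric representation lookup", but the method first copies the locality byte out of `eventData` into `localityBytes`, so "Extracts the locality byte from the event data and returns its human-readable description." would describe it more precisely. The method body continues outside the hunk.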
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java @@ -2,7 +2,6 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; -import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java index 36766351..b057e3a9 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java @@ -63,6 +63,7 @@ public class SpdmCertificateChain { * SpdmCertificateChain Constructor. * * @param spdmCertChainBytes byte array holding the SPDM Cert Chain bytes. + * @param rootHashLength length of RootHash. */ public SpdmCertificateChain(final byte[] spdmCertChainBytes, final int rootHashLength) { @@ -108,7 +109,7 @@ public class SpdmCertificateChain { certChainDataIS.read(certType); byte[] certLength = new byte[2]; certChainDataIS.read(certLength); -// int cLength = new BigInteger(certLength).intValue() + UefiConstants.SIZE_4; + //int cLength = new BigInteger(certLength).intValue() + UefiConstants.SIZE_4; int cLength = new BigInteger(certLength).intValue(); byte[] certData = new byte[cLength]; certChainDataIS.read(certData); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java index 0a937031..202e6c03 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java 
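Review bot: The `SpdmCertificateChain` hunk at `@@ -108` only restyles a commented-out line (`//int cLength = new BigInteger(certLength).intValue() + UefiConstants.SIZE_4;`); dead code should be deleted rather than re-indented, since the history keeps it. The live line beneath it, `int cLength = new BigInteger(certLength).intValue();`, interprets the two length bytes as a signed two's-complement value, so any length with the top bit set becomes negative and `new byte[cLength]` throws `NegativeArraySizeException`; `new BigInteger(1, certLength).intValue()` gives the unsigned reading, and the result should still be compared with `certChainDataIS.available()` before the array is allocated, because the return values of the `read` calls here are ignored. The enclosing method starts and ends outside the hunk.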
@@ -76,13 +76,12 @@ public class SpdmHa { return alg; } - /** - * Returns the hash name via a lookup. + * Returns the hash value size based on the hash algorithm. * Lookup based upon SPDM Spec v1.03 section 10.4. * * @param algId int to convert to string - * @return name of the algorithm + * @return size of the algorithm output */ public static int tcgAlgIdToByteSize(final int algId) { int byteSize; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java index 417a6c28..b64f18dc 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java @@ -1,7 +1,6 @@ package hirs.utils.tpm.eventlog.spdm; import hirs.utils.HexUtils; -import lombok.AccessLevel; import lombok.Getter; /** @@ -36,7 +35,7 @@ public class SpdmMeasurement { /** * Measurement value (digest). */ - private byte[] dmtfSpecMeasurementValue = null; + private byte[] dmtfSpecMeasurementValue; /** * SpdmMeasurement Constructor. diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java index ac486ab2..98bb2bab 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurementBlock.java @@ -1,16 +1,10 @@ package hirs.utils.tpm.eventlog.spdm; import hirs.utils.HexUtils; -import hirs.utils.tpm.eventlog.uefi.UefiConstants; import lombok.Getter; -import java.io.BufferedInputStream; import java.io.ByteArrayInputStream; -import java.io.FileInputStream; import java.io.IOException; -import java.io.UnsupportedEncodingException; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; /** * Class to process the SpdmMeasurementBlock. 
@@ -46,38 +40,30 @@ public class SpdmMeasurementBlock { * SPDM Measurement. */ private SpdmMeasurement spdmMeasurement; - /** - * Error reading SPDM Measurement Block. - */ - private boolean spdmMeasurementBlockReadError = false; /** * SpdmMeasurementBlock Constructor. * * @param spdmMeasBlocks byte array holding the SPDM Measurement Block bytes. */ - public SpdmMeasurementBlock(final ByteArrayInputStream spdmMeasBlocks) { + public SpdmMeasurementBlock(final ByteArrayInputStream spdmMeasBlocks) throws IOException { - try { - byte[] indexBytes = new byte[1]; - spdmMeasBlocks.read(indexBytes); - index = HexUtils.leReverseInt(indexBytes); + byte[] indexBytes = new byte[1]; + spdmMeasBlocks.read(indexBytes); + index = HexUtils.leReverseInt(indexBytes); - byte[] measurementSpecBytes = new byte[1]; - spdmMeasBlocks.read(measurementSpecBytes); - measurementSpec = HexUtils.leReverseInt(measurementSpecBytes); + byte[] measurementSpecBytes = new byte[1]; + spdmMeasBlocks.read(measurementSpecBytes); + measurementSpec = HexUtils.leReverseInt(measurementSpecBytes); - // in future, can crosscheck this measurement size with the MeasurementSpec hash alg size - byte[] measurementSizeBytes = new byte[2]; - spdmMeasBlocks.read(measurementSizeBytes); - int measurementSize = HexUtils.leReverseInt(measurementSizeBytes); + // in future, can crosscheck this measurement size with the MeasurementSpec hash alg size + byte[] measurementSizeBytes = new byte[2]; + spdmMeasBlocks.read(measurementSizeBytes); + int measurementSize = HexUtils.leReverseInt(measurementSizeBytes); - byte[] measurementBytes = new byte[measurementSize]; - spdmMeasBlocks.read(measurementBytes); - spdmMeasurement = new SpdmMeasurement(measurementBytes); - } catch (IOException ioEx) { - spdmMeasurementBlockReadError = true; - } + byte[] measurementBytes = new byte[measurementSize]; + spdmMeasBlocks.read(measurementBytes); + spdmMeasurement = new SpdmMeasurement(measurementBytes); } /** 
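Review bot: The constructor now declares `throws IOException`, but none of its four `spdmMeasBlocks.read(...)` calls checks the returned count, and `ByteArrayInputStream` returns -1 or a short count instead of throwing, so a truncated block still yields zero-filled `index`, `measurementSpec`, `measurementSize` and measurement bytes and the declared exception is never raised; the new try/catch blocks in `DeviceSecurityEventDataHeader` and `DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock` depend on it being raised. Read each field through a helper that throws when fewer bytes than requested are available, as sketched below, and add `@throws IOException if the stream ends before the block is fully read.` to the constructor's Javadoc. Whether `measurementSize` should also be bounded by the hash size implied by `measurementSpec` is left open by the existing "in future" comment.
```java
    public SpdmMeasurementBlock(final ByteArrayInputStream spdmMeasBlocks) throws IOException {

        index = HexUtils.leReverseInt(readExactly(spdmMeasBlocks, 1));
        measurementSpec = HexUtils.leReverseInt(readExactly(spdmMeasBlocks, 1));

        // in future, can crosscheck this measurement size with the MeasurementSpec hash alg size
        int measurementSize = HexUtils.leReverseInt(readExactly(spdmMeasBlocks, 2));

        spdmMeasurement = new SpdmMeasurement(readExactly(spdmMeasBlocks, measurementSize));
    }

    /**
     * Reads exactly {@code count} bytes, failing instead of returning a zero-padded array.
     *
     * @param in    stream positioned at the field to read.
     * @param count number of bytes the field occupies.
     * @return the bytes read.
     * @throws IOException if fewer than {@code count} bytes remain.
     */
    private static byte[] readExactly(final ByteArrayInputStream in, final int count) throws IOException {
        byte[] buf = new byte[count];
        if (in.read(buf, 0, count) != count) {
            throw new IOException("SPDM Measurement Block truncated: expected " + count + " bytes");
        }
        return buf;
    }
```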
@@ -89,14 +75,9 @@ public class SpdmMeasurementBlock { String spdmMeasBlockInfo = ""; - if(spdmMeasurementBlockReadError) { - spdmMeasBlockInfo += " Error reading SPDM Measurement Block\n"; - } - else { - spdmMeasBlockInfo += " Index = " + index + "\n"; - spdmMeasBlockInfo += " MeasurementSpec = " + measurementSpec + "\n"; - spdmMeasBlockInfo += spdmMeasurement.toString(); - } + spdmMeasBlockInfo += " Index = " + index + "\n"; + spdmMeasBlockInfo += " MeasurementSpec = " + measurementSpec + "\n"; + spdmMeasBlockInfo += spdmMeasurement.toString(); return spdmMeasBlockInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSecureBoot.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSecureBoot.java index 42c8af56..44df7ead 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSecureBoot.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSecureBoot.java @@ -38,18 +38,18 @@ public class UefiSecureBoot { } /** - * Provides a human readable value for the Secure Boot variable. + * Provides a human-readable value for the Secure Boot variable. * * @return Human readable description. */ public String toString() { if (!berror) { if (secureBootVariable == 1) { - info += " Secure Boot is enabled "; + info += " Secure Boot is enabled "; } else if (secureBootVariable == 0) { - info += " Secure Boot is NOT enabled "; + info += " Secure Boot is NOT enabled "; } else { - info += " Unkown State: Secure Variable is undefined "; + info += " Unknown State: Secure Variable is undefined "; } } return info; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java index a74741f3..15937f34 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java 
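Review bot: `UefiSecureBoot.toString()` appends to the `info` field (`info += ...` on the three touched lines), so every call grows the field and a second call returns the state text twice; since the hunk rewrites exactly those lines, this is the moment to make the method side-effect free by building a local string on top of `info`, as sketched below. The `Unknown State` typo fix is good. The `SpdmMeasurementBlock.toString` hunk on this line is consistent with that constructor now throwing instead of recording a read error.
```java
    public String toString() {
        String description = info;
        if (!berror) {
            if (secureBootVariable == 1) {
                description += " Secure Boot is enabled ";
            } else if (secureBootVariable == 0) {
                description += " Secure Boot is NOT enabled ";
            } else {
                description += " Unknown State: Secure Variable is undefined ";
            }
        }
        return description;
    }
```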
@@ -112,37 +112,37 @@ public class UefiSignatureList { @Getter private String vendorTableFileStatus = FILESTATUS_NOT_ACCESSIBLE; - /** - * UefiSignatureList constructor. - * - * @param list byte array holding the signature list. - * @throws java.security.cert.CertificateException If there a problem parsing the X509 certificate. - * @throws java.security.NoSuchAlgorithmException if there's a problem hashing the certificate. - * @throws java.io.IOException If there's a problem parsing the signature data. - */ - UefiSignatureList(final byte[] list) - throws CertificateException, NoSuchAlgorithmException, IOException { - - byte[] guid = new byte[UefiConstants.SIZE_16]; - System.arraycopy(list, 0, guid, 0, UefiConstants.SIZE_16); - signatureType = new UefiGuid(guid); - vendorTableFileStatus = signatureType.getVendorTableFileStatus(); - - byte[] lSize = new byte[UefiConstants.SIZE_4]; - System.arraycopy(list, UefiConstants.OFFSET_16, lSize, 0, UefiConstants.SIZE_4); - listSize = HexUtils.leReverseInt(lSize); - - byte[] hSize = new byte[UefiConstants.SIZE_4]; - System.arraycopy(list, UefiConstants.OFFSET_20, hSize, 0, UefiConstants.SIZE_4); - - byte[] sSize = new byte[UefiConstants.SIZE_4]; - System.arraycopy(list, UefiConstants.OFFSET_24, sSize, 0, UefiConstants.SIZE_4); - signatureSize = HexUtils.leReverseInt(sSize); - - sigData = new byte[signatureSize]; - System.arraycopy(list, UefiConstants.OFFSET_28, sigData, 0, signatureSize); - processSignatureList(sigData); - } +// /** +// * UefiSignatureList constructor. +// * +// * @param list byte array holding the signature list. +// * @throws java.security.cert.CertificateException If there a problem parsing the X509 certificate. +// * @throws java.security.NoSuchAlgorithmException if there's a problem hashing the certificate. +// * @throws java.io.IOException If there's a problem parsing the signature data. 
+// */ +// UefiSignatureList(final byte[] list) +// throws CertificateException, NoSuchAlgorithmException, IOException { +// +// byte[] guid = new byte[UefiConstants.SIZE_16]; +// System.arraycopy(list, 0, guid, 0, UefiConstants.SIZE_16); +// signatureType = new UefiGuid(guid); +// vendorTableFileStatus = signatureType.getVendorTableFileStatus(); +// +// byte[] lSize = new byte[UefiConstants.SIZE_4]; +// System.arraycopy(list, UefiConstants.OFFSET_16, lSize, 0, UefiConstants.SIZE_4); +// listSize = HexUtils.leReverseInt(lSize); +// +// byte[] hSize = new byte[UefiConstants.SIZE_4]; +// System.arraycopy(list, UefiConstants.OFFSET_20, hSize, 0, UefiConstants.SIZE_4); +// +// byte[] sSize = new byte[UefiConstants.SIZE_4]; +// System.arraycopy(list, UefiConstants.OFFSET_24, sSize, 0, UefiConstants.SIZE_4); +// signatureSize = HexUtils.leReverseInt(sSize); +// +// sigData = new byte[signatureSize]; +// System.arraycopy(list, UefiConstants.OFFSET_28, sigData, 0, signatureSize); +// processSignatureList(sigData); +// } /** * EFI Signature list constructor. @@ -163,7 +163,6 @@ public class UefiSignatureList { // however, if signatureType is valid, but some of the data later on is invalid, that will // be caught when UefiSignatureData is processed if (!isValidSigListGUID(signatureType)) { - //processSignatureData(lists); signatureTypeValid = false; } else { // valid SigData Processing signatureTypeValid = true; 
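Review bot: The old byte[] constructor of UefiSignatureList is kept on the new side as a roughly 25-line commented-out block instead of being deleted, while the second hunk at this anchor removes a commented-out `processSignatureData(lists);` call, so the file is now inconsistent about how dead code is handled. The original text is recoverable from history, and the parked block still names `processSignatureList`, `CertificateException` and `NoSuchAlgorithmException`, which a reader has to check are still used by live code before trusting the imports. Delete the block outright, or if it is deliberately parked, replace it with a single line such as `// The byte[] constructor was removed in favour of the constructor below; see git history.` The constructor that follows is only partly visible in this hunk.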
@@ -207,28 +206,6 @@ public class UefiSignatureList { } } - /** - * Method for processing a set of EFI SignatureList(s). - * - * @param sigDataIS Byte array holding one or more SignatureLists. - * @throws java.security.cert.CertificateException If there's a problem parsing the X509 certificate. - * @throws java.security.NoSuchAlgorithmException if there's a problem hashing the certificate. - * @throws java.io.IOException If there's a problem parsing the signature data. - */ - private void processSignatureData(final ByteArrayInputStream sigDataIS) - throws CertificateException, NoSuchAlgorithmException, IOException { - while (sigDataIS.available() > 0) { - UefiSignatureData tmpigData = new UefiSignatureData(sigDataIS, signatureType); - if (!tmpigData.isValid()) { - dataValid = false; - dataInvalidStatus = tmpigData.getStatus(); - break; - } - sigList.add(tmpigData); - numberOfCerts++; - } - } - /** * Checks to see if GUID is listed on page 1729 of UEFI spec version 2.8. * diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java index 4b8d7a12..a78f2f59 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java @@ -248,7 +248,7 @@ public class UefiVariable { /** * Print out all the interesting characteristics available on this UEFI Variable. * - * @return human readable description of the UEFi variable. + * @return human-readable description of the UEFi variable. */ public String toString() { StringBuilder efiVariable = new StringBuilder(); 
@@ -320,11 +320,11 @@ public class UefiVariable { } /** - * Retrieves human readable description from a Certificate. + * Retrieves human-readable description from a Certificate. * * @param data byte[] holding the certificate. * @param offset offset to start of the certificate within the byte array. - * @return human readable description of a certificate. + * @return human-readable description of a certificate. */ public String printCert(final byte[] data, final int offset) { String certInfo = ""; From 9884e668eb8a5706a6e52e8802bf192ad8c1dad3 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Wed, 7 Aug 2024 11:41:05 -0400 Subject: [PATCH 31/39] temporarily reverting 3 files back to what they are in main to get past a merge conflict, will deal with the conflict after this --- .../DeviceSecurityEventDataPciContext.java | 22 +-- .../events/DeviceSecurityEventHeader.java | 60 +++++-- .../tpm/eventlog/uefi/UefiDevicePath.java | 149 +++++++----------- 3 files changed, 119 insertions(+), 112 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index ff90af3d..4f16a1e5 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java @@ -3,6 +3,7 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import lombok.Getter; +import java.util.ArrayList; import java.util.List; import static hirs.utils.PciIds.translateDevice; 
@@ -101,6 +102,7 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe byte[] pciSubsystemIdBytes = new byte[2]; System.arraycopy(dSEDpciContextBytes, 14, pciSubsystemIdBytes, 0, 2); subsystemId = HexUtils.byteArrayToHexString(HexUtils.leReverseByte(pciSubsystemIdBytes)); + } /** 
@@ -112,22 +114,22 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe String dSEDpciContextInfo = ""; dSEDpciContextInfo += super.toString(); - dSEDpciContextInfo += " Device Type = PCI\n"; - dSEDpciContextInfo += " Vendor = " + translateVendor(vendorId) + "\n"; - dSEDpciContextInfo += " Device = " + translateDevice(vendorId, deviceId) + "\n"; - dSEDpciContextInfo += " RevisionID = " + revisionId + "\n"; + dSEDpciContextInfo += "\n Device Type = PCI"; + dSEDpciContextInfo += "\n Vendor = " + translateVendor(vendorId); + dSEDpciContextInfo += "\n Device = " + translateDevice(vendorId, deviceId); + dSEDpciContextInfo += "\n RevisionID = " + revisionId; List classCodeList = translateDeviceClass(classCode); - dSEDpciContextInfo += " Device Class: \n"; + dSEDpciContextInfo += "\n Device Class: "; if(classCodeList.size() == 3) { - dSEDpciContextInfo += " Class = " + classCodeList.get(0) + "\n"; - dSEDpciContextInfo += " Subclass = " + classCodeList.get(1) + "\n"; - dSEDpciContextInfo += " Programming Interface = " + classCodeList.get(2) + "\n"; + dSEDpciContextInfo += "\n Class = " + classCodeList.get(0); + dSEDpciContextInfo += "\n Subclass = " + classCodeList.get(1); + dSEDpciContextInfo += "\n Programming Interface = " + classCodeList.get(2); } else { dSEDpciContextInfo += " ** Class code could not be determined **"; } - dSEDpciContextInfo += " SubsystemVendor = " + translateVendor(subsystemVendorId) + "\n"; - dSEDpciContextInfo += " Subsystem = " + translateDevice(subsystemVendorId, subsystemId) + "\n"; + dSEDpciContextInfo += "\n SubsystemVendor = " + translateVendor(subsystemVendorId); + dSEDpciContextInfo += "\n Subsystem = " + translateDevice(subsystemVendorId, subsystemId); return dSEDpciContextInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java index 5d2696b6..5e60f607 100644 
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java @@ -5,6 +5,7 @@ import hirs.utils.tpm.eventlog.uefi.UefiConstants; import hirs.utils.tpm.eventlog.uefi.UefiDevicePath; import lombok.Getter; +import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** @@ -83,9 +84,34 @@ public abstract class DeviceSecurityEventHeader { */ @Getter private UefiDevicePath devicePath = null; + /** + * Is the Device Path Valid. + */ + private boolean devicePathValid = false; /** - * DeviceSecurityEventDataHeader Constructor. + * Device Security Event Data Device Type = no device type. + */ + public static final int DEVICE_TYPE_NONE = 0; + /** + * Device Security Event Data Device Type = DEVICE_TYPE_PCI. + */ + public static final int DEVICE_TYPE_PCI = 1; + /** + * Device Security Event Data Device Type = DEVICE_TYPE_USB. + */ + public static final int DEVICE_TYPE_USB = 2; + + + /** + * DeviceSecurityEventDataHeaderBase Default Constructor. + */ + public DeviceSecurityEventHeader() { + + } + + /** + * DeviceSecurityEventDataHeaderBase Constructor. * * @param dSEDbytes byte array holding the DeviceSecurityEventData. */ @@ -100,6 +126,7 @@ public abstract class DeviceSecurityEventHeader { System.arraycopy(dSEDbytes, UefiConstants.OFFSET_16, versionBytes, 0, UefiConstants.SIZE_2); version = HexUtils.byteArrayToHexString(versionBytes); + } /** 
@@ -127,17 +154,24 @@ public abstract class DeviceSecurityEventHeader { public void extractDevicePathAndFinalSize(final byte[] dsedBytes, int startByte) { // get the device path length - byte[] devicePathLengthBytes = new byte[8]; - System.arraycopy(dsedBytes, startByte, devicePathLengthBytes, 0, 8); + byte[] devicePathLengthBytes = new byte[UefiConstants.SIZE_8]; + System.arraycopy(dsedBytes, startByte, devicePathLengthBytes, 0, + UefiConstants.SIZE_8); int devicePathLength = HexUtils.leReverseInt(devicePathLengthBytes); // get the device path - if (devicePathLength > 0) { - startByte = startByte + 8; + if (devicePathLength != 0) { + startByte = startByte + UefiConstants.SIZE_8; byte[] devPathBytes = new byte[devicePathLength]; System.arraycopy(dsedBytes, startByte, devPathBytes, 0, devicePathLength); - devicePath = new UefiDevicePath(devPathBytes); + try { + devicePath = new UefiDevicePath(devPathBytes); + devicePathValid = true; + } + catch (UnsupportedEncodingException e) { + devicePathValid = false; + } } // header total size @@ -153,11 +187,11 @@ public abstract class DeviceSecurityEventHeader { */ public String deviceTypeToString(final int deviceTypeInt) { switch (deviceTypeInt) { - case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_NONE: + case DEVICE_TYPE_NONE: return "No device type"; - case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_PCI: + case DEVICE_TYPE_PCI: return "PCI"; - case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_USB: + case DEVICE_TYPE_USB: return "USB"; default: return "Unknown or invalid Device Type"; 
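Review bot: In `extractDevicePathAndFinalSize`, the new guard `if (devicePathLength != 0)` admits a negative length, which the replaced `> 0` did not: `devicePathLength` is an int derived from eight bytes of event-log data, and a negative value reaches `new byte[devicePathLength]` as a NegativeArraySizeException that the new `catch (UnsupportedEncodingException e)` does not cover. A length larger than the remaining input fails in the same way inside `System.arraycopy`, before the try block is entered. I would keep the positive check and bound it against the buffer, `if (devicePathLength > 0 && devicePathLength <= dsedBytes.length - startByte - UefiConstants.SIZE_8) {`, and leave `devicePathValid` false otherwise. The commit message says these files are being temporarily reset to main, so the branch version may already handle this; the method's tail lies outside the hunk.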
@@ -172,13 +206,13 @@ public abstract class DeviceSecurityEventHeader { public String toString() { String dsedHeaderCommonInfo = ""; - dsedHeaderCommonInfo += " SPDM Device Type = " + deviceTypeToString(deviceType) + "\n"; - if (devicePath != null) { - dsedHeaderCommonInfo += " SPDM Device Path:\n"; + dsedHeaderCommonInfo += "\n SPDM Device Type = " + deviceTypeToString(deviceType); + if (devicePathValid) { + dsedHeaderCommonInfo += "\n SPDM Device Path:\n"; dsedHeaderCommonInfo += devicePath; } else { - dsedHeaderCommonInfo += " SPDM Device Path = Unknown or invalid\n"; + dsedHeaderCommonInfo += "\n SPDM Device Path = Unknown or invalid"; } return dsedHeaderCommonInfo; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java index e8e19442..bd647deb 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java @@ -7,20 +7,8 @@ import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** - * Class to process a Device Path. A Device Path is a variable-length binary - * structure that is made up of variable-length generic Device Path nodes. - * The first Device Path node starts at byte offset zero of the Device Path. - * The next Device Path node starts at the end of the previous Device Path node. - * There is no limit to the number, type, or sequence of nodes in a Device Path. + * Class to process EFI_DEVICE_PATH_PROTOCOL which is referred to as the UEFI_DEVICE_PATH *

- * Generic Device Path Node Structure: - * Name Byte Offset Byte Length Description - * Type 0 1 Device path type (such as 0x01 - Hardware Device Path) - * Sub-Type 1 1 Sub-Type - * Length 2 2 Length of this structure in bytes. Length is 4+n bytes - * Data 4 n Specific Device Path data - *

- * EFI_DEVICE_PATH_PROTOCOL: * #define EFI_DEVICE_PATH_PROTOCOL_GUID \09576e91-6d3f-11d2-8e39-00a0c969723b * typedef struct _EFI_DEVICE_PATH_PROTOCOL { * UINT8 Type; @@ -35,7 +23,7 @@ import java.nio.charset.StandardCharsets; * Type 0x04 Media Device Path * Type 0x05 BIOS Boot Specification Device Path * Type 0x7F End of Hardware Device Path - * Each Type has a Subtype that may or may not be defined in the section + * Each Type has a sub-type that may or may no be defined in the section *

* Only a few of the SubTypes have been implemented as there are many, * but only those that were reported using the test devices at hand. @@ -48,11 +36,11 @@ public class UefiDevicePath { @Getter private String type = ""; /** - * UEFI Device path subtype. + * UEFI Device path sub-type. */ private String subType = ""; /** - * UEFI Device path human-readable description. + * UEFI Device path human readable description. */ private String devPathInfo = ""; /** @@ -67,7 +55,7 @@ public class UefiDevicePath { * @param path byte array holding device path data * @throws java.io.UnsupportedEncodingException if path byte array contains unexpected values */ - public UefiDevicePath(final byte[] path) { + public UefiDevicePath(final byte[] path) throws UnsupportedEncodingException { devPathInfo = processDevPath(path); byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2, lengthBytes, 0, UefiConstants.OFFSET_2); @@ -75,9 +63,9 @@ public class UefiDevicePath { } /** - * Returns the UEFI device subtype. + * Returns the UEFI device sub-type. * - * @return uefi subtype + * @return uefi sub-type */ public String getSubType() { return subType.trim(); @@ -93,7 +81,7 @@ public class UefiDevicePath { * @return Human readable string containing the device path description. * @throws java.io.UnsupportedEncodingException */ - private String processDevPath(final byte[] path) { + private String processDevPath(final byte[] path) throws UnsupportedEncodingException { StringBuilder pInfo = new StringBuilder(); int devLength = 0, pathOffset = 0, devCount = 0; while (true) { @@ -102,6 +90,9 @@ public class UefiDevicePath { || (devPath.intValue() == UefiConstants.END_FLAG)) { break; } + if (devCount++ > 0) { + pInfo.append("\n"); + } pInfo.append(processDev(path, pathOffset)); devLength = path[pathOffset + UefiConstants.OFFSET_3] * UefiConstants.SIZE_256 + path[pathOffset + UefiConstants.OFFSET_2]; 
@@ -120,10 +111,11 @@ public class UefiDevicePath { * * @param path * @param offset - * @return human-readable string representing the UEFI device path + * @return human readable string representing the UEFI device path * @throws java.io.UnsupportedEncodingException */ - private String processDev(final byte[] path, final int offset) { + private String processDev(final byte[] path, final int offset) + throws UnsupportedEncodingException { String devInfo = " "; int devPath = path[offset]; byte unknownSubType = path[offset + UefiConstants.OFFSET_1]; 
@@ -131,50 +123,50 @@ public class UefiDevicePath { case UefiConstants.DEV_HW: type = "Hardware Device Path"; if (devPath == UefiConstants.DEVPATH_HARWARE) { - devInfo += type + ":\n" + pciSubType(path, offset); + devInfo += type + ": " + pciSubType(path, offset); } break; case UefiConstants.DEV_ACPI: type = "ACPI Device Path"; - devInfo += type + ":\n" + acpiSubType(path, offset); + devInfo += type + ": " + acpiSubType(path, offset); break; case UefiConstants.DEV_MSG: type = "Messaging Device Path"; if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEV_SUB_SATA) { - devInfo += type + ":\n" + sataSubType(path, offset); + devInfo += type + ": " + sataSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEV_SUB_NVM) { - devInfo += type + ":\n" + nvmSubType(path, offset); + devInfo += type + ": " + nvmSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEV_SUB_USB) { - devInfo += type + ":\n" + usbSubType(path, offset); + devInfo += type + ": " + usbSubType(path, offset); } else { - devInfo += "UEFI Messaging Device Path Type " + Integer.valueOf(unknownSubType) + "\n"; + devInfo += "UEFI Messaging Device Path Type " + Integer.valueOf(unknownSubType); } break; case UefiConstants.DEV_MEDIA: type = "Media Device Path"; if (path[offset + UefiConstants.OFFSET_1] == 0x01) { - devInfo += type + ":\n" + hardDriveSubType(path, offset); + devInfo += type + ": " + hardDriveSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_VENDOR) { - devInfo += type + ":\n" + vendorSubType(path, offset); + devInfo += type + ": " + vendorSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_FILE) { - devInfo += type + ":\n" + filePathSubType(path, offset); + devInfo += type + ": " + filePathSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_PWIG_FILE) { - devInfo += type + ":\n" + 
piwgFirmVolFile(path, offset); + devInfo += type + ": " + piwgFirmVolFile(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_PWIG_VOL) { - devInfo += type + ":\n" + piwgFirmVolPath(path, offset); + devInfo += type + ": " + piwgFirmVolPath(path, offset); } else { - devInfo += "UEFI Media Device Path Type " + Integer.valueOf(unknownSubType) + "\n"; + devInfo += "UEFI Media Device Path Type " + Integer.valueOf(unknownSubType); } break; case UefiConstants.DEV_BIOS: type = "BIOS Device Path"; - devInfo += type + ":\n" + biosDevicePath(path, offset); + devInfo += type + ": " + biosDevicePath(path, offset); break; case UefiConstants.TERMINATOR: - devInfo += "End of Hardware Device Path\n"; + devInfo += "End of Hardware Device Path"; break; default: - devInfo += "UEFI Device Path Type " + Integer.valueOf(unknownSubType) + "\n"; + devInfo += "UEFI Device Path Type " + Integer.valueOf(unknownSubType); } return devInfo; } @@ -187,17 +179,17 @@ public class UefiDevicePath { * @return acpi device info */ private String acpiSubType(final byte[] path, final int offset) { - subType = " Sub Type = ACPI\n"; + subType = ""; switch (path[offset + UefiConstants.OFFSET_1]) { - case 0x01: // standard version + case 0x01: + subType = "(Short): "; subType += acpiShortSubType(path, offset); break; case 0x02: - subType = "(expanded version):\n"; - // tbd + subType = "Expanded ACPI Device Path"; break; default: - subType = "Invalid ACPI Device Path sub type\n"; + subType = "Invalid ACPI Device Path sub type"; } return subType; } 
@@ -213,13 +205,9 @@ public class UefiDevicePath { subType = ""; byte[] hid = new byte[UefiConstants.SIZE_4]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, hid, 0, UefiConstants.SIZE_4); - subType += " _HID = " + HexUtils.byteArrayToHexString(hid) + "\n"; + subType += "_HID = " + HexUtils.byteArrayToHexString(hid); System.arraycopy(path, 2 * UefiConstants.SIZE_4 + offset, hid, 0, UefiConstants.SIZE_4); - String uid = HexUtils.byteArrayToHexString(hid); - if(uid.contains("00000000")) { - uid = "No _UID exists for this device"; - } - subType += " _UID = " + uid + "\n"; + subType += "_UID = " + HexUtils.byteArrayToHexString(hid); return subType; } @@ -231,25 +219,22 @@ public class UefiDevicePath { * @return pci device info. */ private String pciSubType(final byte[] path, final int offset) { - subType = " Sub Type = PCI\n"; - subType += " PCI Function Number = "; + subType = "PCI: PCI Function Number = "; subType += String.format("0x%x", path[offset + UefiConstants.SIZE_4]); - subType += "\n PCI Device Number = "; + subType += " PCI Device Number = "; subType += String.format("0x%x", path[offset + UefiConstants.SIZE_5]); - subType += "\n"; return subType; } /** - * processes the SATA subtype. + * processes the SATA sub type. * * @param path * @param offset * @return SATA drive info. */ private String sataSubType(final byte[] path, final int offset) { - subType = " Sub Type = SATA\n"; - subType += " SATA: HBA Port Number = "; + subType = "SATA: HBA Port Number = "; byte[] data = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, data, 0, UefiConstants.SIZE_2); subType += HexUtils.byteArrayToHexString(data); 
@@ -257,20 +242,18 @@ public class UefiDevicePath { subType += " Port Multiplier = " + HexUtils.byteArrayToHexString(data); System.arraycopy(path, UefiConstants.OFFSET_8 + offset, data, 0, UefiConstants.SIZE_2); subType += " Logical Unit Number = " + HexUtils.byteArrayToHexString(data); - subType += "\n"; return subType; } /** - * Processes the hard drive subtype. + * Processes the hard drive sub type. * * @param path * @param offset * @return hard drive info. */ private String hardDriveSubType(final byte[] path, final int offset) { - subType = " Sub Type = Hard Drive\n"; - subType += " Partition Number = "; + subType = "Partition Number = "; byte[] partnumber = new byte[UefiConstants.SIZE_4]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, partnumber, 0, UefiConstants.SIZE_4); @@ -278,14 +261,14 @@ public class UefiDevicePath { byte[] data = new byte[UefiConstants.SIZE_8]; System.arraycopy(path, UefiConstants.OFFSET_8 + offset, data, 0, UefiConstants.SIZE_8); - subType += "\n Partition Start = " + HexUtils.byteArrayToHexString(data); + subType += " Partition Start = " + HexUtils.byteArrayToHexString(data); System.arraycopy(path, UefiConstants.OFFSET_16 + offset, data, 0, UefiConstants.SIZE_8); - subType += "\n Partition Size = " + HexUtils.byteArrayToHexString(data); + subType += " Partition Size = " + HexUtils.byteArrayToHexString(data); byte[] signature = new byte[UefiConstants.SIZE_16]; System.arraycopy(path, UefiConstants.OFFSET_24 + offset, signature, 0, UefiConstants.SIZE_16); - subType += "\n Partition Signature = "; + subType += "\n Partition Signature = "; if (path[UefiConstants.OFFSET_41 + offset] == UefiConstants.DRIVE_SIG_NONE) { subType += "None"; } else if (path[UefiConstants.OFFSET_41 + offset] == UefiConstants.DRIVE_SIG_32BIT) { 
@@ -296,28 +279,26 @@ public class UefiDevicePath { } else { subType += "invalid partition signature type"; } - subType += "\n Partition Format = "; + subType += " Partition Format = "; if (path[UefiConstants.OFFSET_40 + offset] == UefiConstants.DRIVE_TYPE_PC_AT) { - subType += "PC-AT compatible legacy MBR"; + subType += " PC-AT compatible legacy MBR"; } else if (path[UefiConstants.OFFSET_40 + offset] == UefiConstants.DRIVE_TYPE_GPT) { - subType += "GUID Partition Table"; + subType += " GUID Partition Table"; } else { - subType += "Invalid partition table type"; + subType += " Invalid partition table type"; } - subType += "\n"; return subType; } /** - * Process the File path subtype. + * Process the File path sub type. * * @param path * @param offset * @return file path info. */ private String filePathSubType(final byte[] path, final int offset) { - subType = " Sub Type = File Path\n"; - subType += " File Path = "; + subType = "File Path = "; byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, 2 + offset, lengthBytes, 0, UefiConstants.SIZE_2); int subTypeLength = HexUtils.leReverseInt(lengthBytes); @@ -326,12 +307,11 @@ public class UefiDevicePath { 0, subTypeLength); byte[] fileName = convertChar16tobyteArray(filePath); subType += new String(fileName, StandardCharsets.UTF_8); - subType += "\n"; return subType; } /** - * Process a vendor subtype on a Media Type. + * Process a vendor sub-type on a Media Type. * Length of this structure in bytes. Length is 20 + n bytes * Vendor-assigned GUID that defines the data that follows. * Vendor-defined variable size data. 
@@ -341,8 +321,7 @@ public class UefiDevicePath { * @return vendor device info. */ private String vendorSubType(final byte[] path, final int offset) { - subType = " Sub Type = Vendor\n"; - subType += " Vendor Subtype GUID = "; + subType = "Vendor Subtype GUID = "; byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2 + offset, lengthBytes, 0, UefiConstants.SIZE_2); @@ -358,9 +337,8 @@ public class UefiDevicePath { + offset, vendorData, 0, subTypeLength - UefiConstants.SIZE_16); subType += " : Vendor Data = " + HexUtils.byteArrayToHexString(vendorData); } else { - subType += " : No Vendor Data present"; + subType += " : No Vendor Data pesent"; } - subType += "\n"; return subType; } @@ -373,8 +351,8 @@ public class UefiDevicePath { * @return USB device info. */ private String usbSubType(final byte[] path, final int offset) { - subType = " Sub Type = USB\n"; - subType += " port = " + Integer.valueOf(path[offset + UefiConstants.OFFSET_4]); + subType = " USB "; + subType += " port = " + Integer.valueOf(path[offset + UefiConstants.OFFSET_4]); subType += " interface = " + Integer.valueOf(path[offset + UefiConstants.OFFSET_5]); byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2 + offset, lengthBytes, @@ -383,7 +361,6 @@ public class UefiDevicePath { byte[] usbData = new byte[subTypeLength]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, usbData, 0, subTypeLength); - subType += "\n"; // Todo add further USB processing ... return subType; } @@ -400,8 +377,7 @@ public class UefiDevicePath { * @return NVM device info. */ private String nvmSubType(final byte[] path, final int offset) { - subType = " Sub Type = NVM\n"; - subType += " NVM Express Namespace = "; + subType = "NVM Express Namespace = "; byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2 + offset, lengthBytes, 0, UefiConstants.SIZE_2); 
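Review bot: In the -358/+337 hunk of vendorSubType the fallback text changes from `" : No Vendor Data present"` to `" : No Vendor Data pesent"`, putting a misspelling into the printed device path. Anything that compares or greps this output will diverge between the two versions, so keep the spelled-out form, `subType += " : No Vendor Data present";`. The commit describes itself as a temporary reset to main, so if the misspelling is the main-branch text the correction belongs in the follow-up that restores the branch version. vendorSubType's signature sits in the preceding hunk and its body is split across both.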
@@ -410,7 +386,6 @@ public class UefiDevicePath { System.arraycopy(path, UefiConstants.OFFSET_4 + offset, nvmData, 0, subTypeLength); subType += HexUtils.byteArrayToHexString(nvmData); - subType += "\n"; return subType; } @@ -425,8 +400,7 @@ public class UefiDevicePath { * @return String that represents the UEFI defined BIOS Device Type. */ private String biosDevicePath(final byte[] path, final int offset) { - subType = " Sub Type = Bios Device Path\n"; - subType += " Legacy BIOS : Type = "; + subType = "Legacy BIOS : Type = "; Byte pathType = Byte.valueOf(path[offset + 1]); switch (pathType.intValue()) { case UefiConstants.DEVPATH_BIOS_RESERVED: @@ -458,7 +432,6 @@ public class UefiDevicePath { subType += "Unknown"; break; } - subType += "\n"; return subType; } @@ -473,13 +446,12 @@ public class UefiDevicePath { * @return String that represents the PIWG Firmware Volume Path */ private String piwgFirmVolFile(final byte[] path, final int offset) { - subType = " Sub Type = PIWG Firmware Volume File\n"; + subType = "PIWG Firmware File "; byte[] guidData = new byte[UefiConstants.SIZE_16]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, guidData, 0, UefiConstants.SIZE_16); UefiGuid guid = new UefiGuid(guidData); subType += guid.toString(); - subType += "\n"; return subType; } @@ -494,13 +466,12 @@ public class UefiDevicePath { * @return String that represents the PIWG Firmware Volume Path */ private String piwgFirmVolPath(final byte[] path, final int offset) { - subType = " Sub Type = PIWG Firmware Volume Path\n"; + subType = "PIWG Firmware Volume "; byte[] guidData = new byte[UefiConstants.SIZE_16]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, guidData, 0, UefiConstants.SIZE_16); UefiGuid guid = new UefiGuid(guidData); subType += guid.toString(); - subType += "\n"; return subType; } From d858246ce085a7a64300527a3d30d2eec327d349 Mon Sep 17 00:00:00 2001 
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Wed, 7 Aug 2024 11:53:29 -0400 Subject: [PATCH 32/39] added the 3 files back in that had caused merge conflict --- .../DeviceSecurityEventDataPciContext.java | 22 ++- .../events/DeviceSecurityEventHeader.java | 60 ++----- .../tpm/eventlog/uefi/UefiDevicePath.java | 151 +++++++++++------- 3 files changed, 112 insertions(+), 121 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index 4f16a1e5..ff90af3d 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java @@ -3,7 +3,6 @@ package hirs.utils.tpm.eventlog.events; import hirs.utils.HexUtils; import lombok.Getter; -import java.util.ArrayList; import java.util.List; import static hirs.utils.PciIds.translateDevice; @@ -102,7 +101,6 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe byte[] pciSubsystemIdBytes = new byte[2]; System.arraycopy(dSEDpciContextBytes, 14, pciSubsystemIdBytes, 0, 2); subsystemId = HexUtils.byteArrayToHexString(HexUtils.leReverseByte(pciSubsystemIdBytes)); - } /** 
@@ -114,22 +112,22 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe String dSEDpciContextInfo = ""; dSEDpciContextInfo += super.toString(); - dSEDpciContextInfo += "\n Device Type = PCI"; - dSEDpciContextInfo += "\n Vendor = " + translateVendor(vendorId); - dSEDpciContextInfo += "\n Device = " + translateDevice(vendorId, deviceId); - dSEDpciContextInfo += "\n RevisionID = " + revisionId; + dSEDpciContextInfo += " Device Type = PCI\n"; + dSEDpciContextInfo += " Vendor = " + translateVendor(vendorId) + "\n"; + dSEDpciContextInfo += " Device = " + translateDevice(vendorId, deviceId) + "\n"; + dSEDpciContextInfo += " RevisionID = " + revisionId + "\n"; List classCodeList = translateDeviceClass(classCode); - dSEDpciContextInfo += "\n Device Class: "; + dSEDpciContextInfo += " Device Class: \n"; if(classCodeList.size() == 3) { - dSEDpciContextInfo += "\n Class = " + classCodeList.get(0); - dSEDpciContextInfo += "\n Subclass = " + classCodeList.get(1); - dSEDpciContextInfo += "\n Programming Interface = " + classCodeList.get(2); + dSEDpciContextInfo += " Class = " + classCodeList.get(0) + "\n"; + dSEDpciContextInfo += " Subclass = " + classCodeList.get(1) + "\n"; + dSEDpciContextInfo += " Programming Interface = " + classCodeList.get(2) + "\n"; } else { dSEDpciContextInfo += " ** Class code could not be determined **"; } - dSEDpciContextInfo += "\n SubsystemVendor = " + translateVendor(subsystemVendorId); - dSEDpciContextInfo += "\n Subsystem = " + translateDevice(subsystemVendorId, subsystemId); + dSEDpciContextInfo += " SubsystemVendor = " + translateVendor(subsystemVendorId) + "\n"; + dSEDpciContextInfo += " Subsystem = " + translateDevice(subsystemVendorId, subsystemId) + "\n"; return dSEDpciContextInfo; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java index 5e60f607..5d2696b6 100644 
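Review bot: `List classCodeList = translateDeviceClass(classCode);` is a raw type, and the three `classCodeList.get(i)` reads only compile because string concatenation accepts Object. Declaring it as `List<String> classCodeList = translateDeviceClass(classCode);` (assuming translateDeviceClass returns a List<String>) documents the contract and lets the compiler check the element type. The `classCodeList.size() == 3` test would read better against a named constant such as a `CLASS_CODE_PARTS` field. The start of toString is outside the hunk.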
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java @@ -5,7 +5,6 @@ import hirs.utils.tpm.eventlog.uefi.UefiConstants; import hirs.utils.tpm.eventlog.uefi.UefiDevicePath; import lombok.Getter; -import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** @@ -84,34 +83,9 @@ public abstract class DeviceSecurityEventHeader { */ @Getter private UefiDevicePath devicePath = null; - /** - * Is the Device Path Valid. - */ - private boolean devicePathValid = false; /** - * Device Security Event Data Device Type = no device type. - */ - public static final int DEVICE_TYPE_NONE = 0; - /** - * Device Security Event Data Device Type = DEVICE_TYPE_PCI. - */ - public static final int DEVICE_TYPE_PCI = 1; - /** - * Device Security Event Data Device Type = DEVICE_TYPE_USB. - */ - public static final int DEVICE_TYPE_USB = 2; - - - /** - * DeviceSecurityEventDataHeaderBase Default Constructor. - */ - public DeviceSecurityEventHeader() { - - } - - /** - * DeviceSecurityEventDataHeaderBase Constructor. + * DeviceSecurityEventDataHeader Constructor. * * @param dSEDbytes byte array holding the DeviceSecurityEventData. */ @@ -126,7 +100,6 @@ public abstract class DeviceSecurityEventHeader { System.arraycopy(dSEDbytes, UefiConstants.OFFSET_16, versionBytes, 0, UefiConstants.SIZE_2); version = HexUtils.byteArrayToHexString(versionBytes); - } /** 
@@ -154,24 +127,17 @@ public abstract class DeviceSecurityEventHeader { public void extractDevicePathAndFinalSize(final byte[] dsedBytes, int startByte) { // get the device path length - byte[] devicePathLengthBytes = new byte[UefiConstants.SIZE_8]; - System.arraycopy(dsedBytes, startByte, devicePathLengthBytes, 0, - UefiConstants.SIZE_8); + byte[] devicePathLengthBytes = new byte[8]; + System.arraycopy(dsedBytes, startByte, devicePathLengthBytes, 0, 8); int devicePathLength = HexUtils.leReverseInt(devicePathLengthBytes); // get the device path - if (devicePathLength != 0) { - startByte = startByte + UefiConstants.SIZE_8; + if (devicePathLength > 0) { + startByte = startByte + 8; byte[] devPathBytes = new byte[devicePathLength]; System.arraycopy(dsedBytes, startByte, devPathBytes, 0, devicePathLength); - try { - devicePath = new UefiDevicePath(devPathBytes); - devicePathValid = true; - } - catch (UnsupportedEncodingException e) { - devicePathValid = false; - } + devicePath = new UefiDevicePath(devPathBytes); } // header total size @@ -187,11 +153,11 @@ public abstract class DeviceSecurityEventHeader { */ public String deviceTypeToString(final int deviceTypeInt) { switch (deviceTypeInt) { - case DEVICE_TYPE_NONE: + case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_NONE: return "No device type"; - case DEVICE_TYPE_PCI: + case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_PCI: return "PCI"; - case DEVICE_TYPE_USB: + case DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_USB: return "USB"; default: return "Unknown or invalid Device Type"; 
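Review bot: The added `if (devicePathLength > 0)` guard still lets a length larger than the remaining buffer reach `new byte[devicePathLength]` and `System.arraycopy`, so a truncated or corrupt event-log entry now surfaces as an uncaught ArrayIndexOutOfBoundsException from the parser instead of the "Unknown or invalid" path that toString's else-branch is written for. Bounding the copy keeps such input on the error path: `if (devicePathLength > 0 && startByte + 8 + devicePathLength <= dsedBytes.length) {`. The same hunk also replaces `UefiConstants.SIZE_8` with the literal `8` twice while the surrounding code keeps the named constants; retaining `UefiConstants.SIZE_8` reads consistently. extractDevicePathAndFinalSize continues past the hunk (the "header total size" computation), so that part was not reviewed.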
@@ -206,13 +172,13 @@ public abstract class DeviceSecurityEventHeader { public String toString() { String dsedHeaderCommonInfo = ""; - dsedHeaderCommonInfo += "\n SPDM Device Type = " + deviceTypeToString(deviceType); - if (devicePathValid) { - dsedHeaderCommonInfo += "\n SPDM Device Path:\n"; + dsedHeaderCommonInfo += " SPDM Device Type = " + deviceTypeToString(deviceType) + "\n"; + if (devicePath != null) { + dsedHeaderCommonInfo += " SPDM Device Path:\n"; dsedHeaderCommonInfo += devicePath; } else { - dsedHeaderCommonInfo += "\n SPDM Device Path = Unknown or invalid"; + dsedHeaderCommonInfo += " SPDM Device Path = Unknown or invalid\n"; } return dsedHeaderCommonInfo; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java index bd647deb..879e27f8 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java @@ -3,12 +3,23 @@ package hirs.utils.tpm.eventlog.uefi; import hirs.utils.HexUtils; import lombok.Getter; -import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; /** - * Class to process EFI_DEVICE_PATH_PROTOCOL which is referred to as the UEFI_DEVICE_PATH + * Class to process a Device Path. A Device Path is a variable-length binary + * structure that is made up of variable-length generic Device Path nodes. + * The first Device Path node starts at byte offset zero of the Device Path. + * The next Device Path node starts at the end of the previous Device Path node. + * There is no limit to the number, type, or sequence of nodes in a Device Path. *

+ * Generic Device Path Node Structure: + * Name Byte Offset Byte Length Description + * Type 0 1 Device path type (such as 0x01 - Hardware Device Path) + * Sub-Type 1 1 Sub-Type + * Length 2 2 Length of this structure in bytes. Length is 4+n bytes + * Data 4 n Specific Device Path data + *

+ * EFI_DEVICE_PATH_PROTOCOL: * #define EFI_DEVICE_PATH_PROTOCOL_GUID \09576e91-6d3f-11d2-8e39-00a0c969723b * typedef struct _EFI_DEVICE_PATH_PROTOCOL { * UINT8 Type; @@ -23,7 +34,7 @@ import java.nio.charset.StandardCharsets; * Type 0x04 Media Device Path * Type 0x05 BIOS Boot Specification Device Path * Type 0x7F End of Hardware Device Path - * Each Type has a sub-type that may or may no be defined in the section + * Each Type has a Subtype that may or may not be defined in the section *

* Only a few of the SubTypes have been implemented as there are many, * but only those that were reported using the test devices at hand. @@ -36,11 +47,11 @@ public class UefiDevicePath { @Getter private String type = ""; /** - * UEFI Device path sub-type. + * UEFI Device path subtype. */ private String subType = ""; /** - * UEFI Device path human readable description. + * UEFI Device path human-readable description. */ private String devPathInfo = ""; /** @@ -53,9 +64,8 @@ public class UefiDevicePath { * UEFI Device path constructor. * * @param path byte array holding device path data - * @throws java.io.UnsupportedEncodingException if path byte array contains unexpected values */ - public UefiDevicePath(final byte[] path) throws UnsupportedEncodingException { + public UefiDevicePath(final byte[] path) { devPathInfo = processDevPath(path); byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2, lengthBytes, 0, UefiConstants.OFFSET_2); @@ -63,9 +73,9 @@ public class UefiDevicePath { } /** - * Returns the UEFI device sub-type. + * Returns the UEFI device subtype. * - * @return uefi sub-type + * @return uefi subtype */ public String getSubType() { return subType.trim(); @@ -81,7 +91,7 @@ public class UefiDevicePath { * @return Human readable string containing the device path description. * @throws java.io.UnsupportedEncodingException */ - private String processDevPath(final byte[] path) throws UnsupportedEncodingException { + private String processDevPath(final byte[] path) { StringBuilder pInfo = new StringBuilder(); int devLength = 0, pathOffset = 0, devCount = 0; while (true) { @@ -90,9 +100,6 @@ public class UefiDevicePath { || (devPath.intValue() == UefiConstants.END_FLAG)) { break; } - if (devCount++ > 0) { - pInfo.append("\n"); - } pInfo.append(processDev(path, pathOffset)); devLength = path[pathOffset + UefiConstants.OFFSET_3] * UefiConstants.SIZE_256 + path[pathOffset + UefiConstants.OFFSET_2]; 
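Review bot: processDevPath no longer declares `throws UnsupportedEncodingException`, but the Javadoc directly above the signature still carries `@throws java.io.UnsupportedEncodingException`; the tag should be dropped so the documentation matches the method. The same stale tag survives on processDev in the following hunk, and that method's `@param path` / `@param offset` entries have no description — `@param path device path bytes` and `@param offset byte offset of the node within path` would complete them. Both method bodies extend past their hunks.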
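Review bot: The node length is computed from signed bytes, `devLength = path[pathOffset + UefiConstants.OFFSET_3] * UefiConstants.SIZE_256 + path[pathOffset + UefiConstants.OFFSET_2];`, so any length byte of 0x80 or above yields a negative or too-small devLength and the `while (true)` loop revisits or skips nodes before it reaches the END check; for a parser consuming event-log bytes that is an availability problem. Masking each byte fixes it: `devLength = (path[pathOffset + UefiConstants.OFFSET_3] & 0xFF) * UefiConstants.SIZE_256 + (path[pathOffset + UefiConstants.OFFSET_2] & 0xFF);`. Removing the `devCount++` separator also leaves `devCount` in `int devLength = 0, pathOffset = 0, devCount = 0;` unused in the visible code, so that declaration can shrink to the two live locals. The loop body continues past the hunk.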
@@ -111,11 +118,10 @@ public class UefiDevicePath { * * @param path * @param offset - * @return human readable string representing the UEFI device path + * @return human-readable string representing the UEFI device path * @throws java.io.UnsupportedEncodingException */ - private String processDev(final byte[] path, final int offset) - throws UnsupportedEncodingException { + private String processDev(final byte[] path, final int offset) { String devInfo = " "; int devPath = path[offset]; byte unknownSubType = path[offset + UefiConstants.OFFSET_1]; 
@@ -123,50 +129,50 @@ public class UefiDevicePath { case UefiConstants.DEV_HW: type = "Hardware Device Path"; if (devPath == UefiConstants.DEVPATH_HARWARE) { - devInfo += type + ": " + pciSubType(path, offset); + devInfo += type + ":\n" + pciSubType(path, offset); } break; case UefiConstants.DEV_ACPI: type = "ACPI Device Path"; - devInfo += type + ": " + acpiSubType(path, offset); + devInfo += type + ":\n" + acpiSubType(path, offset); break; case UefiConstants.DEV_MSG: type = "Messaging Device Path"; if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEV_SUB_SATA) { - devInfo += type + ": " + sataSubType(path, offset); + devInfo += type + ":\n" + sataSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEV_SUB_NVM) { - devInfo += type + ": " + nvmSubType(path, offset); + devInfo += type + ":\n" + nvmSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEV_SUB_USB) { - devInfo += type + ": " + usbSubType(path, offset); + devInfo += type + ":\n" + usbSubType(path, offset); } else { - devInfo += "UEFI Messaging Device Path Type " + Integer.valueOf(unknownSubType); + devInfo += "UEFI Messaging Device Path Type " + Integer.valueOf(unknownSubType) + "\n"; } break; case UefiConstants.DEV_MEDIA: type = "Media Device Path"; if (path[offset + UefiConstants.OFFSET_1] == 0x01) { - devInfo += type + ": " + hardDriveSubType(path, offset); + devInfo += type + ":\n" + hardDriveSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_VENDOR) { - devInfo += type + ": " + vendorSubType(path, offset); + devInfo += type + ":\n" + vendorSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_FILE) { - devInfo += type + ": " + filePathSubType(path, offset); + devInfo += type + ":\n" + filePathSubType(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_PWIG_FILE) { - devInfo += type + ": " + 
piwgFirmVolFile(path, offset); + devInfo += type + ":\n" + piwgFirmVolFile(path, offset); } else if (path[offset + UefiConstants.OFFSET_1] == UefiConstants.DEVPATH_PWIG_VOL) { - devInfo += type + ": " + piwgFirmVolPath(path, offset); + devInfo += type + ":\n" + piwgFirmVolPath(path, offset); } else { - devInfo += "UEFI Media Device Path Type " + Integer.valueOf(unknownSubType); + devInfo += "UEFI Media Device Path Type " + Integer.valueOf(unknownSubType) + "\n"; } break; case UefiConstants.DEV_BIOS: type = "BIOS Device Path"; - devInfo += type + ": " + biosDevicePath(path, offset); + devInfo += type + ":\n" + biosDevicePath(path, offset); break; case UefiConstants.TERMINATOR: - devInfo += "End of Hardware Device Path"; + devInfo += "End of Hardware Device Path\n"; break; default: - devInfo += "UEFI Device Path Type " + Integer.valueOf(unknownSubType); + devInfo += "UEFI Device Path Type " + Integer.valueOf(unknownSubType) + "\n"; } return devInfo; } @@ -179,17 +185,17 @@ public class UefiDevicePath { * @return acpi device info */ private String acpiSubType(final byte[] path, final int offset) { - subType = ""; + subType = " Sub Type = ACPI\n"; switch (path[offset + UefiConstants.OFFSET_1]) { - case 0x01: - subType = "(Short): "; + case 0x01: // standard version subType += acpiShortSubType(path, offset); break; case 0x02: - subType = "Expanded ACPI Device Path"; + subType = "(expanded version):\n"; + // tbd break; default: - subType = "Invalid ACPI Device Path sub type"; + subType = "Invalid ACPI Device Path sub type\n"; } return subType; } 
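Review bot: The three fall-back lines added in processDev print a signed byte via `Integer.valueOf(unknownSubType)`, so any subtype of 0x80 or above is reported as a negative number rather than the unsigned value the device-path format defines. Using `(unknownSubType & 0xFF)` in each of the three `"... Device Path Type " + ...` concatenations gives the intended value. The Media branch still compares against the literal `0x01` while every neighbouring branch uses a named `UefiConstants` value, which is worth aligning while the lines are being touched. The switch opens before this hunk.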
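Review bot: acpiSubType sets `subType = " Sub Type = ACPI\n"` at the top, but the `0x02` and `default` cases then assign with `=` and discard that prefix, whereas `0x01` appends with `+=`; expanded and invalid ACPI nodes therefore lack the "Sub Type" line every other subtype prints. Writing `subType += "(expanded version):\n";` and `subType += "Invalid ACPI Device Path sub type\n";` makes the three branches consistent. Note also that `subType += acpiShortSubType(path, offset);` only keeps the prefix because Java evaluates the left operand of `+=` before the call, and acpiShortSubType resets the shared field to `""` (next hunk); having the helper return a local string instead of writing the field would remove that dependence on evaluation order.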
@@ -205,9 +211,13 @@ public class UefiDevicePath { subType = ""; byte[] hid = new byte[UefiConstants.SIZE_4]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, hid, 0, UefiConstants.SIZE_4); - subType += "_HID = " + HexUtils.byteArrayToHexString(hid); + subType += " _HID = " + HexUtils.byteArrayToHexString(hid) + "\n"; System.arraycopy(path, 2 * UefiConstants.SIZE_4 + offset, hid, 0, UefiConstants.SIZE_4); - subType += "_UID = " + HexUtils.byteArrayToHexString(hid); + String uid = HexUtils.byteArrayToHexString(hid); + if(uid.contains("00000000")) { + uid = "No _UID exists for this device"; + } + subType += " _UID = " + uid + "\n"; return subType; } @@ -219,22 +229,25 @@ public class UefiDevicePath { * @return pci device info. */ private String pciSubType(final byte[] path, final int offset) { - subType = "PCI: PCI Function Number = "; + subType = " Sub Type = PCI\n"; + subType += " PCI Function Number = "; subType += String.format("0x%x", path[offset + UefiConstants.SIZE_4]); - subType += " PCI Device Number = "; + subType += "\n PCI Device Number = "; subType += String.format("0x%x", path[offset + UefiConstants.SIZE_5]); + subType += "\n"; return subType; } /** - * processes the SATA sub type. + * processes the SATA subtype. * * @param path * @param offset * @return SATA drive info. */ private String sataSubType(final byte[] path, final int offset) { - subType = "SATA: HBA Port Number = "; + subType = " Sub Type = SATA\n"; + subType += " SATA: HBA Port Number = "; byte[] data = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, data, 0, UefiConstants.SIZE_2); subType += HexUtils.byteArrayToHexString(data); 
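Review bot: `if(uid.contains("00000000"))` is looser than the intent: `hid` is a 4-byte array, so its hex form should be exactly eight characters and `if (uid.equals("00000000"))` states the "no _UID" check precisely. The `if(` spacing also departs from the `if (` style used elsewhere in the file. acpiShortSubType's signature lies outside the hunk.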
@@ -242,18 +255,20 @@ public class UefiDevicePath { subType += " Port Multiplier = " + HexUtils.byteArrayToHexString(data); System.arraycopy(path, UefiConstants.OFFSET_8 + offset, data, 0, UefiConstants.SIZE_2); subType += " Logical Unit Number = " + HexUtils.byteArrayToHexString(data); + subType += "\n"; return subType; } /** - * Processes the hard drive sub type. + * Processes the hard drive subtype. * * @param path * @param offset * @return hard drive info. */ private String hardDriveSubType(final byte[] path, final int offset) { - subType = "Partition Number = "; + subType = " Sub Type = Hard Drive\n"; + subType += " Partition Number = "; byte[] partnumber = new byte[UefiConstants.SIZE_4]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, partnumber, 0, UefiConstants.SIZE_4); @@ -261,14 +276,14 @@ public class UefiDevicePath { byte[] data = new byte[UefiConstants.SIZE_8]; System.arraycopy(path, UefiConstants.OFFSET_8 + offset, data, 0, UefiConstants.SIZE_8); - subType += " Partition Start = " + HexUtils.byteArrayToHexString(data); + subType += "\n Partition Start = " + HexUtils.byteArrayToHexString(data); System.arraycopy(path, UefiConstants.OFFSET_16 + offset, data, 0, UefiConstants.SIZE_8); - subType += " Partition Size = " + HexUtils.byteArrayToHexString(data); + subType += "\n Partition Size = " + HexUtils.byteArrayToHexString(data); byte[] signature = new byte[UefiConstants.SIZE_16]; System.arraycopy(path, UefiConstants.OFFSET_24 + offset, signature, 0, UefiConstants.SIZE_16); - subType += "\n Partition Signature = "; + subType += "\n Partition Signature = "; if (path[UefiConstants.OFFSET_41 + offset] == UefiConstants.DRIVE_SIG_NONE) { subType += "None"; } else if (path[UefiConstants.OFFSET_41 + offset] == UefiConstants.DRIVE_SIG_32BIT) { 
@@ -279,26 +294,28 @@ public class UefiDevicePath { } else { subType += "invalid partition signature type"; } - subType += " Partition Format = "; + subType += "\n Partition Format = "; if (path[UefiConstants.OFFSET_40 + offset] == UefiConstants.DRIVE_TYPE_PC_AT) { - subType += " PC-AT compatible legacy MBR"; + subType += "PC-AT compatible legacy MBR"; } else if (path[UefiConstants.OFFSET_40 + offset] == UefiConstants.DRIVE_TYPE_GPT) { - subType += " GUID Partition Table"; + subType += "GUID Partition Table"; } else { - subType += " Invalid partition table type"; + subType += "Invalid partition table type"; } + subType += "\n"; return subType; } /** - * Process the File path sub type. + * Process the File path subtype. * * @param path * @param offset * @return file path info. */ private String filePathSubType(final byte[] path, final int offset) { - subType = "File Path = "; + subType = " Sub Type = File Path\n"; + subType += " File Path = "; byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, 2 + offset, lengthBytes, 0, UefiConstants.SIZE_2); int subTypeLength = HexUtils.leReverseInt(lengthBytes); @@ -307,11 +324,12 @@ public class UefiDevicePath { 0, subTypeLength); byte[] fileName = convertChar16tobyteArray(filePath); subType += new String(fileName, StandardCharsets.UTF_8); + subType += "\n"; return subType; } /** - * Process a vendor sub-type on a Media Type. + * Process a vendor subtype on a Media Type. * Length of this structure in bytes. Length is 20 + n bytes * Vendor-assigned GUID that defines the data that follows. * Vendor-defined variable size data. 
@@ -321,7 +339,8 @@ public class UefiDevicePath { * @return vendor device info. */ private String vendorSubType(final byte[] path, final int offset) { - subType = "Vendor Subtype GUID = "; + subType = " Sub Type = Vendor\n"; + subType += " Vendor Subtype GUID = "; byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2 + offset, lengthBytes, 0, UefiConstants.SIZE_2); @@ -337,8 +356,9 @@ public class UefiDevicePath { + offset, vendorData, 0, subTypeLength - UefiConstants.SIZE_16); subType += " : Vendor Data = " + HexUtils.byteArrayToHexString(vendorData); } else { - subType += " : No Vendor Data pesent"; + subType += " : No Vendor Data present"; } + subType += "\n"; return subType; } @@ -351,8 +371,8 @@ public class UefiDevicePath { * @return USB device info. */ private String usbSubType(final byte[] path, final int offset) { - subType = " USB "; - subType += " port = " + Integer.valueOf(path[offset + UefiConstants.OFFSET_4]); + subType = " Sub Type = USB\n"; + subType += " port = " + Integer.valueOf(path[offset + UefiConstants.OFFSET_4]); subType += " interface = " + Integer.valueOf(path[offset + UefiConstants.OFFSET_5]); byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2 + offset, lengthBytes, @@ -361,6 +381,7 @@ public class UefiDevicePath { byte[] usbData = new byte[subTypeLength]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, usbData, 0, subTypeLength); + subType += "\n"; // Todo add further USB processing ... return subType; } @@ -377,7 +398,8 @@ public class UefiDevicePath { * @return NVM device info. */ private String nvmSubType(final byte[] path, final int offset) { - subType = "NVM Express Namespace = "; + subType = " Sub Type = NVM\n"; + subType += " NVM Express Namespace = "; byte[] lengthBytes = new byte[UefiConstants.SIZE_2]; System.arraycopy(path, UefiConstants.OFFSET_2 + offset, lengthBytes, 0, UefiConstants.SIZE_2); 
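Review bot: In usbSubType, `usbData` is filled by `System.arraycopy(path, UefiConstants.OFFSET_4 + offset, usbData, 0, subTypeLength)` and then never read, so the copy only adds a failure point; if `subTypeLength` is the node's Length field (which the class Javadoc defines as 4+n, header included), copying that many bytes starting at `offset + 4` reaches four bytes past the node and can run off the end of the buffer. Until the "Todo" USB processing exists the copy can be dropped, or the count reduced to account for the 4-byte node header. nvmSubType in the following hunk has the same `nvmData` pattern and deserves the same check. The length parsing that feeds `subTypeLength` sits in the preceding hunk, so its exact meaning is inferred here.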
@@ -386,6 +408,7 @@ public class UefiDevicePath { System.arraycopy(path, UefiConstants.OFFSET_4 + offset, nvmData, 0, subTypeLength); subType += HexUtils.byteArrayToHexString(nvmData); + subType += "\n"; return subType; } @@ -400,7 +423,8 @@ public class UefiDevicePath { * @return String that represents the UEFI defined BIOS Device Type. */ private String biosDevicePath(final byte[] path, final int offset) { - subType = "Legacy BIOS : Type = "; + subType = " Sub Type = Bios Device Path\n"; + subType += " Legacy BIOS : Type = "; Byte pathType = Byte.valueOf(path[offset + 1]); switch (pathType.intValue()) { case UefiConstants.DEVPATH_BIOS_RESERVED: @@ -432,6 +456,7 @@ public class UefiDevicePath { subType += "Unknown"; break; } + subType += "\n"; return subType; } @@ -446,12 +471,13 @@ public class UefiDevicePath { * @return String that represents the PIWG Firmware Volume Path */ private String piwgFirmVolFile(final byte[] path, final int offset) { - subType = "PIWG Firmware File "; + subType = " Sub Type = PIWG Firmware Volume File\n"; byte[] guidData = new byte[UefiConstants.SIZE_16]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, guidData, 0, UefiConstants.SIZE_16); UefiGuid guid = new UefiGuid(guidData); subType += guid.toString(); + subType += "\n"; return subType; } @@ -466,12 +492,13 @@ public class UefiDevicePath { * @return String that represents the PIWG Firmware Volume Path */ private String piwgFirmVolPath(final byte[] path, final int offset) { - subType = "PIWG Firmware Volume "; + subType = " Sub Type = PIWG Firmware Volume Path\n"; byte[] guidData = new byte[UefiConstants.SIZE_16]; System.arraycopy(path, UefiConstants.OFFSET_4 + offset, guidData, 0, UefiConstants.SIZE_16); UefiGuid guid = new UefiGuid(guidData); subType += guid.toString(); + subType += "\n"; return subType; } From a5b9cd7ad933db4dbce608eb95fb59976ae9d516 Mon Sep 17 00:00:00 2001 
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Fri, 9 Aug 2024 11:47:11 -0400 Subject: [PATCH 33/39] checking null object --- ...ceSecurityEventDataSubHeaderCertChain.java | 25 ++++++++++++++----- 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java index b1cc4011..57680253 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java @@ -42,7 +42,7 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve /** * Human-readable description of any error associated with SPDM base hash alg. */ - String spdmBaseHashAlgoError = ""; + String spdmCertChainError = ""; /** * DeviceSecurityEventDataSubHeaderCertChain Constructor. @@ -75,11 +75,16 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve int spdmBaseHashAlgoSize = SpdmHa.tcgAlgIdToByteSize(spdmBaseHashAlgo); - if(spdmBaseHashAlgoSize > 0) { - spdmCertChain = new SpdmCertificateChain(spdmCertChainBytes, spdmBaseHashAlgoSize); + if(spdmCertChainSize <= 0) { + spdmCertChainError += "SPDM cert chain length is not >0, " + + "stopping cert chain processing"; } - else { - spdmBaseHashAlgoError += "SPDM base hash algorithm size is not >0"; + else if(spdmBaseHashAlgoSize <= 0) { + spdmCertChainError += "SPDM base hash algorithm size is not >0 " + + "stopping cert chain processing"; + } + if(spdmCertChainError.isEmpty()) { + spdmCertChain = new SpdmCertificateChain(spdmCertChainBytes, spdmBaseHashAlgoSize); } } 
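Review bot: The `spdmCertChain == null` branch added to toString in the next hunk looks unreachable from this constructor as written: whenever `spdmCertChainError` is empty the field is assigned by `new SpdmCertificateChain(spdmCertChainBytes, spdmBaseHashAlgoSize)`, and a failure inside that parser propagates out of this constructor rather than leaving the field null. If the goal is to report a malformed chain in the output, the construction should be guarded — catch whatever the chain parser throws and append the message to `spdmCertChainError` — otherwise the null branch can go. Minor style: `if(` and `else if(` drop the space that `if (` carries elsewhere. `spdmCertChainSize` and `spdmCertChainBytes` are computed outside the hunk.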
@@ -96,7 +101,15 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve dsedSubHeaderInfo += " SPDM Base Hash Algorithm = " + spdmBaseHashAlgoStr + "\n"; // SPDM Certificate Chain output - dsedSubHeaderInfo += spdmCertChain.toString(); + if(!spdmCertChainError.isEmpty()) { + dsedSubHeaderInfo += " SPDM cert chain error: " + spdmCertChainError; + } + else if(spdmCertChain == null) { + dsedSubHeaderInfo += " SPDM cert chain error: Could not parse cert chain\n"; + } + else { + dsedSubHeaderInfo += spdmCertChain.toString(); + } return dsedSubHeaderInfo; } From 6721b9502be08ce4ba1bbda0ba2bd02b825d4412 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Fri, 9 Aug 2024 12:47:08 -0400 Subject: [PATCH 34/39] added newline --- .../events/DeviceSecurityEventDataSubHeaderCertChain.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java index 57680253..3bb60b50 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java @@ -102,7 +102,7 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve // SPDM Certificate Chain output if(!spdmCertChainError.isEmpty()) { - dsedSubHeaderInfo += " SPDM cert chain error: " + spdmCertChainError; + dsedSubHeaderInfo += " SPDM cert chain error: " + spdmCertChainError + "\n"; } else if(spdmCertChain == null) { dsedSubHeaderInfo += " SPDM cert chain error: Could not parse cert chain\n"; From 1324edcfcb7239e643f493501e461f912939032e Mon Sep 17 00:00:00 2001 
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Fri, 9 Aug 2024 13:20:26 -0400 Subject: [PATCH 35/39] consolidated a few case statements in TpmPcrEvent --- .../hirs/utils/tpm/eventlog/TpmPcrEvent.java | 30 +++---------------- .../events/EvEfiSpdmDeviceSecurityEvent.java | 28 ++++++++--------- .../events/NvIndexInstanceEventLogData.java | 16 +++++----- 3 files changed, 26 insertions(+), 48 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java index ec18d1cf..29705a62 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TpmPcrEvent.java @@ -318,19 +318,6 @@ public class TpmPcrEvent { case EvConstants.EV_EFI_EVENT_BASE: break; case EvConstants.EV_EFI_VARIABLE_DRIVER_CONFIG: - try { - sb.append(new UefiVariable(eventContent).toString()); - } catch (CertificateException cEx) { - log.error(cEx); - sb.append(cEx.toString()); - } catch (NoSuchAlgorithmException noSaEx) { - log.error(noSaEx); - sb.append(noSaEx.toString()); - } catch (IOException ioEx) { - log.error(ioEx); - sb.append(ioEx.toString()); - } - break; case EvConstants.EV_EFI_VARIABLE_BOOT: case EvConstants.EV_EFI_VARIABLE_AUTHORITY: case EvConstants.EV_EFI_SPDM_DEVICE_POLICY: 
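Review bot: Folding EV_EFI_VARIABLE_DRIVER_CONFIG into the shared case list removes the only visible catch of CertificateException, NoSuchAlgorithmException and IOException around `new UefiVariable(eventContent)`, which logged each failure and appended it to the output. The shared branch that now handles the case lies outside this hunk, so it is worth confirming that it still logs and reports those three failures rather than letting one malformed variable event abort the whole toString. The enclosing switch starts before and ends after the hunk.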
@@ -503,26 +490,19 @@ public class TpmPcrEvent { case EvConstants.EV_EFI_EVENT_BASE: break; case EvConstants.EV_EFI_VARIABLE_DRIVER_CONFIG: - UefiVariable efiVar = new UefiVariable(content); - description += "Event Content:\n" + efiVar.toString(); - vendorTableFileStatus = efiVar.getVendorTableFileStatus(); - break; case EvConstants.EV_EFI_VARIABLE_BOOT: case EvConstants.EV_EFI_VARIABLE_AUTHORITY: case EvConstants.EV_EFI_SPDM_DEVICE_POLICY: case EvConstants.EV_EFI_SPDM_DEVICE_AUTHORITY: - UefiVariable efiVar2 = new UefiVariable(content); - description += "Event Content:\n" + efiVar2.toString(); - vendorTableFileStatus = efiVar2.getVendorTableFileStatus(); + UefiVariable efiVar = new UefiVariable(content); + description += "Event Content:\n" + efiVar.toString(); + vendorTableFileStatus = efiVar.getVendorTableFileStatus(); break; case EvConstants.EV_EFI_BOOT_SERVICES_APPLICATION: + case EvConstants.EV_EFI_BOOT_SERVICES_DRIVER: EvEfiBootServicesApp bootServices = new EvEfiBootServicesApp(content); description += "Event Content:\n" + bootServices.toString(); break; - case EvConstants.EV_EFI_BOOT_SERVICES_DRIVER: // same as EV_EFI_BOOT_SERVICES_APP - EvEfiBootServicesApp bootDriver = new EvEfiBootServicesApp(content); - description += "Event Content:\n" + bootDriver.toString(); - break; case EvConstants.EV_EFI_RUNTIME_SERVICES_DRIVER: break; case EvConstants.EV_EFI_GPT_EVENT: @@ -542,8 +522,6 @@ public class TpmPcrEvent { case EvConstants.EV_EFI_HCRTM_EVENT: break; case EvConstants.EV_EFI_SPDM_FIRMWARE_BLOB: - description += "Event Content:\n" + new EvEfiSpdmDeviceSecurityEvent(content).toString(); - break; case EvConstants.EV_EFI_SPDM_FIRMWARE_CONFIG: description += "Event Content:\n" + new EvEfiSpdmDeviceSecurityEvent(content).toString(); break; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java index 56b0d5f1..ce0e0e9a 100644 
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java @@ -69,25 +69,25 @@ public class EvEfiSpdmDeviceSecurityEvent { spdmInfo = " Signature = SPDM Device Sec2\n"; - if (dsedVersion.equals("0200")) { - dsed = new DeviceSecurityEventData2(eventData); - spdmInfo += dsed.toString(); - } - else { - spdmInfo += " Incompatible version for DeviceSecurityEventData2: " + dsedVersion + "\n"; - } +// if (dsedVersion.equals("0200")) { +// dsed = new DeviceSecurityEventData2(eventData); +// spdmInfo += dsed.toString(); +// } +// else { +// spdmInfo += " Incompatible version for DeviceSecurityEventData2: " + dsedVersion + "\n"; +// } } else if (dsedSignature.contains("SPDM Device Sec")) { // implies Device Security event spdmInfo = " Signature = SPDM Device Sec\n"; - if (dsedVersion.equals("0100")) { - dsed = new DeviceSecurityEventData(eventData); - spdmInfo += dsed.toString(); - } - else { - spdmInfo += " Incompatible version for DeviceSecurityEventData: " + dsedVersion + "\n"; - } +// if (dsedVersion.equals("0100")) { +// dsed = new DeviceSecurityEventData(eventData); +// spdmInfo += dsed.toString(); +// } +// else { +// spdmInfo += " Incompatible version for DeviceSecurityEventData: " + dsedVersion + "\n"; +// } } else { spdmInfo = " Signature = Undetermined value: " + dsedSignature + "\n"; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java index 2022b9aa..d371fb49 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java 
@@ -81,14 +81,14 @@ public class NvIndexInstanceEventLogData { nvIndexInstanceInfo += " Signature = SPDM Device Sec2\n"; - if (dsedVersion.equals("0200")) { - dsed = new DeviceSecurityEventData2(dsedEventData); - nvIndexInstanceInfo += dsed.toString(); - } - else { - nvIndexInstanceInfo += " Incompatible version for DeviceSecurityEventData2: " - + dsedVersion + "\n"; - } +// if (dsedVersion.equals("0200")) { +// dsed = new DeviceSecurityEventData2(dsedEventData); +// nvIndexInstanceInfo += dsed.toString(); +// } +// else { +// nvIndexInstanceInfo += " Incompatible version for DeviceSecurityEventData2: " +// + dsedVersion + "\n"; +// } } else { nvIndexInstanceInfo = " Signature error: should be \'SPDM Device Sec2\' but is " From 6f0553fe3fe0db68eb30533f009b18f1609703c1 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Fri, 9 Aug 2024 13:50:15 -0400 Subject: [PATCH 36/39] debugging SLF4J warning --- .../DeviceSecurityEventDataPciContext.java | 28 +++++++++---------- .../events/EvEfiSpdmDeviceSecurityEvent.java | 28 +++++++++---------- .../events/NvIndexInstanceEventLogData.java | 16 +++++------ .../src/main/java/hirs/tcg_eventlog/Main.java | 8 +++--- 4 files changed, 40 insertions(+), 40 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index ff90af3d..52dda706 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java 
@@ -113,21 +113,21 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe dSEDpciContextInfo += super.toString(); dSEDpciContextInfo += " Device Type = PCI\n"; - dSEDpciContextInfo += " Vendor = " + translateVendor(vendorId) + "\n"; - dSEDpciContextInfo += " Device = " + translateDevice(vendorId, deviceId) + "\n"; - dSEDpciContextInfo += " RevisionID = " + revisionId + "\n"; +// dSEDpciContextInfo += " Vendor = " + translateVendor(vendorId) + "\n"; +// dSEDpciContextInfo += " Device = " + translateDevice(vendorId, deviceId) + "\n"; +// dSEDpciContextInfo += " RevisionID = " + revisionId + "\n"; - List classCodeList = translateDeviceClass(classCode); - dSEDpciContextInfo += " Device Class: \n"; - if(classCodeList.size() == 3) { - dSEDpciContextInfo += " Class = " + classCodeList.get(0) + "\n"; - dSEDpciContextInfo += " Subclass = " + classCodeList.get(1) + "\n"; - dSEDpciContextInfo += " Programming Interface = " + classCodeList.get(2) + "\n"; - } else { - dSEDpciContextInfo += " ** Class code could not be determined **"; - } - dSEDpciContextInfo += " SubsystemVendor = " + translateVendor(subsystemVendorId) + "\n"; - dSEDpciContextInfo += " Subsystem = " + translateDevice(subsystemVendorId, subsystemId) + "\n"; +// List classCodeList = translateDeviceClass(classCode); +// dSEDpciContextInfo += " Device Class: \n"; +// if(classCodeList.size() == 3) { +// dSEDpciContextInfo += " Class = " + classCodeList.get(0) + "\n"; +// dSEDpciContextInfo += " Subclass = " + classCodeList.get(1) + "\n"; +// dSEDpciContextInfo += " Programming Interface = " + classCodeList.get(2) + "\n"; +// } else { +// dSEDpciContextInfo += " ** Class code could not be determined **"; +// } +// dSEDpciContextInfo += " SubsystemVendor = " + translateVendor(subsystemVendorId) + "\n"; +// dSEDpciContextInfo += " Subsystem = " + translateDevice(subsystemVendorId, subsystemId) + "\n"; return dSEDpciContextInfo; } 
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java index ce0e0e9a..56b0d5f1 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java @@ -69,25 +69,25 @@ public class EvEfiSpdmDeviceSecurityEvent { spdmInfo = " Signature = SPDM Device Sec2\n"; -// if (dsedVersion.equals("0200")) { -// dsed = new DeviceSecurityEventData2(eventData); -// spdmInfo += dsed.toString(); -// } -// else { -// spdmInfo += " Incompatible version for DeviceSecurityEventData2: " + dsedVersion + "\n"; -// } + if (dsedVersion.equals("0200")) { + dsed = new DeviceSecurityEventData2(eventData); + spdmInfo += dsed.toString(); + } + else { + spdmInfo += " Incompatible version for DeviceSecurityEventData2: " + dsedVersion + "\n"; + } } else if (dsedSignature.contains("SPDM Device Sec")) { // implies Device Security event spdmInfo = " Signature = SPDM Device Sec\n"; -// if (dsedVersion.equals("0100")) { -// dsed = new DeviceSecurityEventData(eventData); -// spdmInfo += dsed.toString(); -// } -// else { -// spdmInfo += " Incompatible version for DeviceSecurityEventData: " + dsedVersion + "\n"; -// } + if (dsedVersion.equals("0100")) { + dsed = new DeviceSecurityEventData(eventData); + spdmInfo += dsed.toString(); + } + else { + spdmInfo += " Incompatible version for DeviceSecurityEventData: " + dsedVersion + "\n"; + } } else { spdmInfo = " Signature = Undetermined value: " + dsedSignature + "\n"; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java index d371fb49..2022b9aa 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java 
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java @@ -81,14 +81,14 @@ public class NvIndexInstanceEventLogData { nvIndexInstanceInfo += " Signature = SPDM Device Sec2\n"; -// if (dsedVersion.equals("0200")) { -// dsed = new DeviceSecurityEventData2(dsedEventData); -// nvIndexInstanceInfo += dsed.toString(); -// } -// else { -// nvIndexInstanceInfo += " Incompatible version for DeviceSecurityEventData2: " -// + dsedVersion + "\n"; -// } + if (dsedVersion.equals("0200")) { + dsed = new DeviceSecurityEventData2(dsedEventData); + nvIndexInstanceInfo += dsed.toString(); + } + else { + nvIndexInstanceInfo += " Incompatible version for DeviceSecurityEventData2: " + + dsedVersion + "\n"; + } } else { nvIndexInstanceInfo = " Signature error: should be \'SPDM Device Sec2\' but is " diff --git a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java index 39a24549..c87bb5c6 100644 --- a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java +++ b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java @@ -1,5 +1,9 @@ package hirs.tcg_eventlog; +import hirs.utils.HexUtils; +import hirs.utils.tpm.eventlog.TCGEventLog; +import hirs.utils.tpm.eventlog.TpmPcrEvent; + import java.io.FileOutputStream; import java.io.IOException; import java.nio.charset.Charset; @@ -12,10 +16,6 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; -import hirs.utils.tpm.eventlog.TCGEventLog; -import hirs.utils.tpm.eventlog.TpmPcrEvent; -import hirs.utils.HexUtils; - import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILESTATUS_FROM_CODE; import static hirs.utils.tpm.eventlog.uefi.UefiConstants.FILESTATUS_NOT_ACCESSIBLE; From 30a049a613870b2800457dcd769943727866255f Mon Sep 17 00:00:00 2001 
From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Wed, 14 Aug 2024 18:51:39 -0400 Subject: [PATCH 37/39] fix SLF4J warnings --- HIRS_Utils/build.gradle | 5 ++-- .../DeviceSecurityEventDataPciContext.java | 28 +++++++++---------- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/HIRS_Utils/build.gradle b/HIRS_Utils/build.gradle index cac43798..c9135b87 100644 --- a/HIRS_Utils/build.gradle +++ b/HIRS_Utils/build.gradle @@ -43,17 +43,16 @@ dependencies { implementation 'org.apache.logging.log4j:log4j-core:2.19.0' implementation 'org.apache.logging.log4j:log4j-api:2.19.0' implementation 'org.glassfish.jaxb:jaxb-runtime:4.0.1' + implementation 'org.slf4j:slf4j-simple:1.7.30' testImplementation 'org.junit.jupiter:junit-jupiter:5.9.3' testImplementation 'org.junit.platform:junit-platform-launcher:1.9.3' testImplementation 'org.hamcrest:hamcrest:2.2' - testImplementation project(path: ':HIRS_AttestationCA') - testImplementation 'org.mockito:mockito-core:4.2.0' + testImplementation project(path: ':HIRS_AttestationCA') compileOnly libs.lombok annotationProcessor libs.lombok - } checkstyle { diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index 52dda706..ff90af3d 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java 
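Review bot: `implementation 'org.slf4j:slf4j-simple:1.7.30'` binds an SLF4J provider inside HIRS_Utils, which is a library consumed by the ACA, the portal and the event log tool; every consumer then inherits slf4j-simple on its runtime classpath, and wherever another provider is already present SLF4J will pick one of them and warn about multiple bindings. The module already depends on log4j-core, so if the goal is only to silence the "no providers" warning, a log4j-backed SLF4J binding, or confining the provider to `runtimeOnly`/`testRuntimeOnly` in the application modules, keeps a library from dictating its consumers' logging; which modules already carry a provider is not visible here. Dropping `testImplementation 'org.mockito:mockito-core:4.2.0'` is unrelated to the subject; if no HIRS_Utils test uses Mockito that is fine, but it deserves a line in the commit message.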
@@ -113,21 +113,21 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe dSEDpciContextInfo += super.toString(); dSEDpciContextInfo += " Device Type = PCI\n"; -// dSEDpciContextInfo += " Vendor = " + translateVendor(vendorId) + "\n"; -// dSEDpciContextInfo += " Device = " + translateDevice(vendorId, deviceId) + "\n"; -// dSEDpciContextInfo += " RevisionID = " + revisionId + "\n"; + dSEDpciContextInfo += " Vendor = " + translateVendor(vendorId) + "\n"; + dSEDpciContextInfo += " Device = " + translateDevice(vendorId, deviceId) + "\n"; + dSEDpciContextInfo += " RevisionID = " + revisionId + "\n"; -// List classCodeList = translateDeviceClass(classCode); -// dSEDpciContextInfo += " Device Class: \n"; -// if(classCodeList.size() == 3) { -// dSEDpciContextInfo += " Class = " + classCodeList.get(0) + "\n"; -// dSEDpciContextInfo += " Subclass = " + classCodeList.get(1) + "\n"; -// dSEDpciContextInfo += " Programming Interface = " + classCodeList.get(2) + "\n"; -// } else { -// dSEDpciContextInfo += " ** Class code could not be determined **"; -// } -// dSEDpciContextInfo += " SubsystemVendor = " + translateVendor(subsystemVendorId) + "\n"; -// dSEDpciContextInfo += " Subsystem = " + translateDevice(subsystemVendorId, subsystemId) + "\n"; + List classCodeList = translateDeviceClass(classCode); + dSEDpciContextInfo += " Device Class: \n"; + if(classCodeList.size() == 3) { + dSEDpciContextInfo += " Class = " + classCodeList.get(0) + "\n"; + dSEDpciContextInfo += " Subclass = " + classCodeList.get(1) + "\n"; + dSEDpciContextInfo += " Programming Interface = " + classCodeList.get(2) + "\n"; + } else { + dSEDpciContextInfo += " ** Class code could not be determined **"; + } + dSEDpciContextInfo += " SubsystemVendor = " + translateVendor(subsystemVendorId) + "\n"; + dSEDpciContextInfo += " Subsystem = " + translateDevice(subsystemVendorId, subsystemId) + "\n"; return dSEDpciContextInfo; } 
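Review bot: `dSEDpciContextInfo += " ** Class code could not be determined **";` is the only line in the restored block without a trailing newline, so when `translateDeviceClass` returns anything but three entries the next line, `SubsystemVendor = …`, is appended onto the same output line; `" ** Class code could not be determined **\n"` fixes it. `List classCodeList` is a raw type; if `translateDeviceClass` is declared to return `List<String>` (the PciIds hunk in PATCH 38 adds `String` values to the list it builds), `List<String> classCodeList` removes the unchecked access and matches the string concatenation below. The body of `toString` starts outside the hunk.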
From 583869f4085fe3e00ebd6c15fba6b89aa50cb83a Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Thu, 15 Aug 2024 17:48:05 -0400 Subject: [PATCH 38/39] fixing checkstyle warnings --- .../src/main/java/hirs/utils/PciIds.java | 6 ++-- .../hirs/utils/tpm/eventlog/TCGEventLog.java | 6 ++-- .../eventlog/events/DeviceSecurityEvent.java | 16 ++++------ .../events/DeviceSecurityEventData.java | 7 ++--- .../events/DeviceSecurityEventData2.java | 15 ++++------ .../DeviceSecurityEventDataHeader2.java | 14 ++++----- .../DeviceSecurityEventDataPciContext.java | 2 +- .../DeviceSecurityEventDataSubHeader.java | 4 +-- ...ceSecurityEventDataSubHeaderCertChain.java | 27 ++++++++--------- ...ventDataSubHeaderSpdmMeasurementBlock.java | 14 ++++----- .../events/DeviceSecurityEventHeader.java | 21 ++++++------- .../events/EvEfiSpdmDeviceSecurityEvent.java | 14 ++++----- .../utils/tpm/eventlog/events/EvNoAction.java | 11 +++++-- .../events/NvIndexInstanceEventLogData.java | 8 ++--- .../eventlog/spdm/SpdmCertificateChain.java | 30 +++++++++---------- .../hirs/utils/tpm/eventlog/spdm/SpdmHa.java | 2 +- .../tpm/eventlog/spdm/SpdmMeasurement.java | 10 +++---- .../tpm/eventlog/uefi/UefiDevicePath.java | 6 ++-- .../utils/tpm/eventlog/uefi/UefiGuid.java | 15 +++++----- .../tpm/eventlog/uefi/UefiSignatureList.java | 13 ++++---- .../utils/tpm/eventlog/uefi/UefiVariable.java | 28 ++++++++--------- 21 files changed, 129 insertions(+), 140 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java index 6bac767b..ceeabbd0 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/PciIds.java +++ b/HIRS_Utils/src/main/java/hirs/utils/PciIds.java 
@@ -179,9 +179,9 @@ public final class PciIds { String classCode = refClassCode; if (classCode != null && classCode.trim().matches("^[0-9A-Fa-f]{6}$")) { - String deviceClass = classCode.substring(0,2).toLowerCase(); - String deviceSubclass = classCode.substring(2,4).toLowerCase(); - String programInterface = classCode.substring(4,6).toLowerCase(); + String deviceClass = classCode.substring(0, 2).toLowerCase(); + String deviceSubclass = classCode.substring(2, 4).toLowerCase(); + String programInterface = classCode.substring(4, 6).toLowerCase(); translatedClassCode.add(deviceClass); translatedClassCode.add(deviceSubclass); translatedClassCode.add(programInterface); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java index 7c0142f4..3591b2b5 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java @@ -169,9 +169,9 @@ public final class TCGEventLog { // the if statement is executed // [new event file status = eventList.get(eventNumber-1).getVendorTableFileStatus()] // (ie. if the new file status is not-accessible or from-code, then want to update) - if((vendorTableFileStatus != FILESTATUS_NOT_ACCESSIBLE) && - (eventList.get(eventNumber-1).getVendorTableFileStatus() != FILESTATUS_FROM_FILESYSTEM)) { - vendorTableFileStatus = eventList.get(eventNumber-1).getVendorTableFileStatus(); + if ((vendorTableFileStatus != FILESTATUS_NOT_ACCESSIBLE) + && (eventList.get(eventNumber - 1).getVendorTableFileStatus() != FILESTATUS_FROM_FILESYSTEM)) { + vendorTableFileStatus = eventList.get(eventNumber - 1).getVendorTableFileStatus(); } } calculatePcrValues(); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java index ab88c364..400d9236 100644 
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEvent.java @@ -58,7 +58,7 @@ public abstract class DeviceSecurityEvent { * DEVICE_SECURITY_EVENT_DATA_DEVICE_CONTEXT. DEVICE can be either PCI or USB. */ @Getter - String deviceContextInfo = ""; + private String deviceContextInfo = ""; /** * DeviceSecurityEventData Default Constructor. @@ -76,21 +76,17 @@ public abstract class DeviceSecurityEvent { */ public void instantiateDeviceContext(final byte[] dsedDeviceContextBytes) { - if(dsedDeviceContextBytes.length == 0) { + if (dsedDeviceContextBytes.length == 0) { deviceContextInfo = "\n DeviceSecurityEventDataDeviceContext object is empty"; - } - else { + } else { if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_NONE) { deviceContextInfo = "\n No Device Context (indicated by device type value of 0)"; - } - else if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_PCI) { + } else if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_PCI) { dsedDevContext = new DeviceSecurityEventDataPciContext(dsedDeviceContextBytes); deviceContextInfo = dsedDevContext.toString(); - } - else if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_USB) { + } else if (deviceType == DeviceSecurityEventDataDeviceContext.DEVICE_TYPE_USB) { deviceContextInfo = " Device Type: USB - To be implemented"; - } - else { + } else { deviceContextInfo = " Unknown device type; cannot process device context"; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java index ce7dc4c0..9a3e2429 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData.java 
@@ -25,7 +25,7 @@ public class DeviceSecurityEventData extends DeviceSecurityEvent { * DEVICE_SECURITY_EVENT_DATA_HEADER. */ @Getter - String headerInfo = ""; + private String headerInfo = ""; /** * DeviceSecurityEventData Constructor. @@ -34,10 +34,9 @@ public class DeviceSecurityEventData extends DeviceSecurityEvent { */ public DeviceSecurityEventData(final byte[] dsedBytes) { - if(dsedBytes.length == 0) { + if (dsedBytes.length == 0) { headerInfo = " DeviceSecurityEventData object is empty"; - } - else { + } else { dsedHeader = new DeviceSecurityEventDataHeader(dsedBytes); headerInfo = dsedHeader.toString(); diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java index 6a363813..6416ad93 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventData2.java @@ -32,7 +32,7 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { * DEVICE_SECURITY_EVENT_DATA_HEADER2. */ @Getter - String headerInfo = ""; + private String headerInfo = ""; /** * Human-readable description of the data within the @@ -41,7 +41,7 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { * DEVICE_SECURITY_EVENT_DATA_SUB_HEADER_SPDM_CERT_CHAIN */ @Getter - String subHeaderInfo = ""; + private String subHeaderInfo = ""; /** * DeviceSecurityEventData2 Constructor. @@ -50,10 +50,9 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { */ public DeviceSecurityEventData2(final byte[] dsedBytes) { - if(dsedBytes.length == 0) { + if (dsedBytes.length == 0) { headerInfo = " DeviceSecurityEventData2 object is empty"; - } - else { + } else { dsedHeader2 = new DeviceSecurityEventDataHeader2(dsedBytes); headerInfo = dsedHeader2.toString(); 
@@ -71,12 +70,10 @@ public class DeviceSecurityEventData2 extends DeviceSecurityEvent { if (subHeaderType == DeviceSecurityEventDataSubHeader.SUBHEADERTYPE_MEAS_BLOCK) { dsedSubHeader = new DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock(dsedSubHeaderBytes); subHeaderInfo += dsedSubHeader.toString(); - } - else if (subHeaderType == DeviceSecurityEventDataSubHeader.SUBHEADERTYPE_CERT_CHAIN) { + } else if (subHeaderType == DeviceSecurityEventDataSubHeader.SUBHEADERTYPE_CERT_CHAIN) { dsedSubHeader = new DeviceSecurityEventDataSubHeaderCertChain(dsedSubHeaderBytes); subHeaderInfo += dsedSubHeader.toString(); - } - else { + } else { subHeaderInfo += " Sub header type unknown\n"; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java index ddaef9cf..6c402afd 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataHeader2.java @@ -28,7 +28,7 @@ import lombok.Getter; public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { /** - * Event auth state + * Event auth state. */ @Getter private int authState = 0; @@ -38,7 +38,7 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { @Getter private int length = 0; /** - * Event sub headerType + * Event sub headerType. * SUBHEADERTYPE_MEAS_BLOCK = 0 * SUBHEADERTYPE_CERT_CHAIN = 1 */ 
@@ -56,12 +56,12 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { private String subHeaderUid = ""; /** - * Auth state - success + * Auth state - success. */ public static final int AUTH_SUCCESS = 0; /** * Auth state - digital signature of the data is valid, but the public key certificate chain is not - * validated with the entry in in the UEFI device signature variable + * validated with the entry in the UEFI device signature variable. */ public static final int AUTH_NO_AUTHORITY = 1; /** @@ -70,15 +70,15 @@ public class DeviceSecurityEventDataHeader2 extends DeviceSecurityEventHeader { */ public static final int AUTH_NO_BINDING = 2; /** - * Auth state - data has no digital signature + * Auth state - data has no digital signature. */ public static final int AUTH_FAIL_NO_SIG = 3; /** - * Auth state - data is invalid + * Auth state - data is invalid. */ public static final int AUTH_FAIL_INVALID = 4; /** - * Auth state - device is not an SPDM-capable device + * Auth state - device is not an SPDM-capable device. */ public static final int AUTH_NO_SPDM = 0xFF; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java index ff90af3d..fda1397c 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataPciContext.java 
@@ -119,7 +119,7 @@ public class DeviceSecurityEventDataPciContext extends DeviceSecurityEventDataDe List classCodeList = translateDeviceClass(classCode); dSEDpciContextInfo += " Device Class: \n"; - if(classCodeList.size() == 3) { + if (classCodeList.size() == 3) { dSEDpciContextInfo += " Class = " + classCodeList.get(0) + "\n"; dSEDpciContextInfo += " Subclass = " + classCodeList.get(1) + "\n"; dSEDpciContextInfo += " Programming Interface = " + classCodeList.get(2) + "\n"; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java index 81ac2543..5bc149e7 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeader.java @@ -14,11 +14,11 @@ package hirs.utils.tpm.eventlog.events; public abstract class DeviceSecurityEventDataSubHeader { /** - * Sub header type - SPDM measurement block + * Sub header type - SPDM measurement block. */ public static final int SUBHEADERTYPE_MEAS_BLOCK = 0; /** - * Sub header type - SPDM cert chain + * Sub header type - SPDM cert chain. */ public static final int SUBHEADERTYPE_CERT_CHAIN = 1; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java index 3bb60b50..727883ec 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderCertChain.java 
@@ -21,7 +21,7 @@ import hirs.utils.tpm.eventlog.spdm.SpdmHa; * SpdmBaseHashAlgo: SPDM Base Hash Algorithm for the root certificate in the SPDM Certificate chain * SpdmCertChain: SPDM Certificate Chain */ -public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEventDataSubHeader{ +public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEventDataSubHeader { /** * SPDM version. @@ -42,7 +42,7 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve /** * Human-readable description of any error associated with SPDM base hash alg. */ - String spdmCertChainError = ""; + private String spdmCertChainError = ""; /** * DeviceSecurityEventDataSubHeaderCertChain Constructor. @@ -75,15 +75,14 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve int spdmBaseHashAlgoSize = SpdmHa.tcgAlgIdToByteSize(spdmBaseHashAlgo); - if(spdmCertChainSize <= 0) { - spdmCertChainError += "SPDM cert chain length is not >0, " + - "stopping cert chain processing"; + if (spdmCertChainSize <= 0) { + spdmCertChainError += "SPDM cert chain length is not >0, " + + "stopping cert chain processing"; + } else if (spdmBaseHashAlgoSize <= 0) { + spdmCertChainError += "SPDM base hash algorithm size is not >0 " + + "stopping cert chain processing"; } - else if(spdmBaseHashAlgoSize <= 0) { - spdmCertChainError += "SPDM base hash algorithm size is not >0 " + - "stopping cert chain processing"; - } - if(spdmCertChainError.isEmpty()) { + if (spdmCertChainError.isEmpty()) { spdmCertChain = new SpdmCertificateChain(spdmCertChainBytes, spdmBaseHashAlgoSize); } } 
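Review bot: The two re-indented error strings are inconsistent: the first reads `"SPDM cert chain length is not >0, " + "stopping cert chain processing"` and the second `"SPDM base hash algorithm size is not >0 " + "stopping cert chain processing"`, so the second message has no separator before "stopping". Since both are later printed on a `SPDM cert chain error:` line, `"SPDM base hash algorithm size is not >0, "` makes them read alike. The constructor's body starts outside the hunk.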
@@ -101,13 +100,11 @@ public class DeviceSecurityEventDataSubHeaderCertChain extends DeviceSecurityEve dsedSubHeaderInfo += " SPDM Base Hash Algorithm = " + spdmBaseHashAlgoStr + "\n"; // SPDM Certificate Chain output - if(!spdmCertChainError.isEmpty()) { + if (!spdmCertChainError.isEmpty()) { dsedSubHeaderInfo += " SPDM cert chain error: " + spdmCertChainError + "\n"; - } - else if(spdmCertChain == null) { + } else if (spdmCertChain == null) { dsedSubHeaderInfo += " SPDM cert chain error: Could not parse cert chain\n"; - } - else { + } else { dsedSubHeaderInfo += spdmCertChain.toString(); } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java index 86ecce59..c13c2251 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock.java 
@@ -115,17 +115,17 @@ public class DeviceSecurityEventDataSubHeaderSpdmMeasurementBlock extends Device dsedSubHeaderInfo += " SPDM Hash Algorithm = " + spdmHashAlgoStr + "\n"; // SPDM Measurement Block List output - dsedSubHeaderInfo += " Number of SPDM Measurement Blocks = " + - spdmMeasurementBlockList.size() + "\n"; + dsedSubHeaderInfo += " Number of SPDM Measurement Blocks = " + + spdmMeasurementBlockList.size() + "\n"; int spdmMeasBlockCnt = 1; for (SpdmMeasurementBlock spdmMeasBlock : spdmMeasurementBlockList) { - dsedSubHeaderInfo += " SPDM Measurement Block # " + spdmMeasBlockCnt++ + " of " + - spdmMeasurementBlockList.size() + "\n"; + dsedSubHeaderInfo += " SPDM Measurement Block # " + spdmMeasBlockCnt++ + " of " + + spdmMeasurementBlockList.size() + "\n"; dsedSubHeaderInfo += spdmMeasBlock.toString(); } - if(spdmMeasurementBlockReadError) { - dsedSubHeaderInfo += " Error reading SPDM Measurement Block #" + - spdmMeasBlockCnt + ", halting processing\n"; + if (spdmMeasurementBlockReadError) { + dsedSubHeaderInfo += " Error reading SPDM Measurement Block #" + + spdmMeasBlockCnt + ", halting processing\n"; } return dsedSubHeaderInfo; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java index 5d2696b6..13612538 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/DeviceSecurityEventHeader.java @@ -63,8 +63,8 @@ public abstract class DeviceSecurityEventHeader { @Getter private String signature = ""; /** - * Version determines data structure used (..DATA or ..DATA2), - * which determines whether ..HEADER or ..HEADER2 is used + * Version determines data structure used (..DATA or ..DATA2). + * This determines whether ..HEADER or ..HEADER2 is used. */ @Getter private String version = ""; 
@@ -108,7 +108,7 @@ public abstract class DeviceSecurityEventHeader { * @param dsedBytes byte array holding the DeviceSecurityEventData/Data2. * @param startByte starting byte of device type (depends on header fields before it). */ - public void extractDeviceType(final byte[] dsedBytes, int startByte) { + public void extractDeviceType(final byte[] dsedBytes, final int startByte) { // get the device type ID byte[] deviceTypeBytes = new byte[UefiConstants.SIZE_4]; @@ -124,24 +124,26 @@ public abstract class DeviceSecurityEventHeader { * @param dsedBytes byte array holding the DeviceSecurityEventData/Data2. * @param startByte starting byte of device path (depends on header fields before it). */ - public void extractDevicePathAndFinalSize(final byte[] dsedBytes, int startByte) { + public void extractDevicePathAndFinalSize(final byte[] dsedBytes, final int startByte) { + + int startByteUpdated = startByte; // get the device path length byte[] devicePathLengthBytes = new byte[8]; - System.arraycopy(dsedBytes, startByte, devicePathLengthBytes, 0, 8); + System.arraycopy(dsedBytes, startByteUpdated, devicePathLengthBytes, 0, 8); int devicePathLength = HexUtils.leReverseInt(devicePathLengthBytes); // get the device path if (devicePathLength > 0) { - startByte = startByte + 8; + startByteUpdated = startByteUpdated + 8; byte[] devPathBytes = new byte[devicePathLength]; - System.arraycopy(dsedBytes, startByte, devPathBytes, + System.arraycopy(dsedBytes, startByteUpdated, devPathBytes, 0, devicePathLength); devicePath = new UefiDevicePath(devPathBytes); } // header total size - dsedHeaderLength = startByte + devicePathLength; + dsedHeaderLength = startByteUpdated + devicePathLength; } /** @@ -176,8 +178,7 @@ public abstract class DeviceSecurityEventHeader { if (devicePath != null) { dsedHeaderCommonInfo += " SPDM Device Path:\n"; dsedHeaderCommonInfo += devicePath; - } - else { + } else { dsedHeaderCommonInfo += " SPDM Device Path = Unknown or invalid\n"; } 
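Review bot: In `extractDevicePathAndFinalSize`, `devicePathLength` is read straight from the event log bytes and drives both `new byte[devicePathLength]` and the `System.arraycopy` out of `dsedBytes`, with no check that `startByteUpdated + 8 + devicePathLength` fits in `dsedBytes.length`; a truncated, corrupt or hostile log therefore ends in an ArrayIndexOutOfBoundsException or an allocation of attacker-chosen size instead of a parse error. Guard the copy, e.g. `if (devicePathLength > 0 && devicePathLength <= dsedBytes.length - startByteUpdated - 8) {`, which leaves `devicePath` null on an invalid length so `toString` reports it through the existing `SPDM Device Path = Unknown or invalid` branch. Two things look worth confirming against the spec: when `devicePathLength` is 0 the eight length bytes are not added to `dsedHeaderLength`, and the 8-byte field is handed to `HexUtils.leReverseInt`, which presumably derives an int from only part of it. `extractDeviceType` above copies a fixed 4 bytes with the same absence of a bounds check, though the exposure there is smaller.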
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java index 56b0d5f1..8f879311 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvEfiSpdmDeviceSecurityEvent.java @@ -43,7 +43,7 @@ public class EvEfiSpdmDeviceSecurityEvent { /** * Human-readable description of the data within this DEVICE_SECURITY_EVENT_DATA/..DATA2 event. */ - String spdmInfo = ""; + private String spdmInfo = ""; /** * EvEfiSpdmFirmwareBlob constructor. @@ -72,24 +72,20 @@ public class EvEfiSpdmDeviceSecurityEvent { if (dsedVersion.equals("0200")) { dsed = new DeviceSecurityEventData2(eventData); spdmInfo += dsed.toString(); - } - else { + } else { spdmInfo += " Incompatible version for DeviceSecurityEventData2: " + dsedVersion + "\n"; } - } - else if (dsedSignature.contains("SPDM Device Sec")) { // implies Device Security event + } else if (dsedSignature.contains("SPDM Device Sec")) { // implies Device Security event spdmInfo = " Signature = SPDM Device Sec\n"; if (dsedVersion.equals("0100")) { dsed = new DeviceSecurityEventData(eventData); spdmInfo += dsed.toString(); - } - else { + } else { spdmInfo += " Incompatible version for DeviceSecurityEventData: " + dsedVersion + "\n"; } - } - else { + } else { spdmInfo = " Signature = Undetermined value: " + dsedSignature + "\n"; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java index 812b46cd..9635b1c7 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/EvNoAction.java 
@@ -47,7 +47,7 @@ public class EvNoAction { * Human-readable description of the data within this DEVICE_SECURITY_EVENT_DATA/..DATA2 event. */ @Getter - String noActionInfo = ""; + private String noActionInfo = ""; /** * EvNoAction constructor. @@ -90,7 +90,13 @@ public class EvNoAction { return bSpecIDEvent; } - public String specIDEventToString(EvEfiSpecIdEvent specIDEvent) { + /** + * Returns a human-readable description of a SpecId event. + * + * @param specIDEvent byte array holding the event. + * @return a description of the event. + */ + public String specIDEventToString(final EvEfiSpecIdEvent specIDEvent) { String specIdInfo = ""; specIdInfo += " Signature = Spec ID Event03 : "; @@ -109,6 +115,7 @@ public class EvNoAction { /** * Returns a human-readable description of locality based on numeric representation lookup. * + * @param eventData byte array holding the event from which to grab locality * @return a description of the locality. */ private String getLocality(final byte[] eventData) { diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java index 2022b9aa..1e6e9134 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/events/NvIndexInstanceEventLogData.java @@ -36,7 +36,7 @@ public class NvIndexInstanceEventLogData { /** * Human-readable description of the data within this DEVICE_SECURITY_EVENT_DATA/..DATA2 event. */ - String nvIndexInstanceInfo = ""; + private String nvIndexInstanceInfo = ""; /** * NvIndexInstanceEventLogData constructor. 
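Review bot: The new Javadoc on `specIDEventToString` says `@param specIDEvent byte array holding the event.`, but the parameter is an `EvEfiSpecIdEvent`, so the description is wrong from the moment it is written; `@param specIDEvent the parsed Spec ID event to describe.` matches the signature. The `@param eventData byte array holding the event from which to grab locality` line added to `getLocality` does agree with its `byte[]` type. The body of `specIDEventToString` continues outside the hunk.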
@@ -84,13 +84,11 @@ public class NvIndexInstanceEventLogData { if (dsedVersion.equals("0200")) { dsed = new DeviceSecurityEventData2(dsedEventData); nvIndexInstanceInfo += dsed.toString(); - } - else { + } else { nvIndexInstanceInfo += " Incompatible version for DeviceSecurityEventData2: " + dsedVersion + "\n"; } - } - else { + } else { nvIndexInstanceInfo = " Signature error: should be \'SPDM Device Sec2\' but is " + signature + "\n"; } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java index b057e3a9..8d0062c6 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmCertificateChain.java @@ -34,9 +34,9 @@ import java.util.ArrayList; */ public class SpdmCertificateChain { - /** - * Length of the certificate chain to include all fields in this structure. - */ + ///** + // * Length of the certificate chain to include all fields in this structure. + // */ //private int length = 0; /** * Root hash. @@ -53,11 +53,11 @@ public class SpdmCertificateChain { /** * Human-readable description of any error associated with SPDM base hash alg. */ - String spdmBaseHashAlgoError = ""; + private String spdmBaseHashAlgoError = ""; /** * Human-readable description of any error associated with parsing the X509 certs. */ - String certProcessingError = ""; + private String certProcessingError = ""; /** * SpdmCertificateChain Constructor. @@ -67,10 +67,9 @@ public class SpdmCertificateChain { */ public SpdmCertificateChain(final byte[] spdmCertChainBytes, final int rootHashLength) { - if(rootHashLength <= 0) { + if (rootHashLength <= 0) { spdmBaseHashAlgoError = "SPDM base hash algorithm size is not >0"; - } - else { + } else { byte[] lengthBytes = new byte[2]; System.arraycopy(spdmCertChainBytes, 0, lengthBytes, 0, 2); //length = HexUtils.leReverseInt(lengthBytes); 
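Review bot: In the `SpdmCertificateChain` constructor hunk, `System.arraycopy(spdmCertChainBytes, 0, lengthBytes, 0, 2)` reads two bytes from the caller-supplied chain without checking `spdmCertChainBytes.length`, so an empty or truncated chain from the event log escapes as an `ArrayIndexOutOfBoundsException` instead of being recorded the way the `rootHashLength <= 0` case is; guard it: `if (spdmCertChainBytes == null || spdmCertChainBytes.length < 2) { certProcessingError = "SPDM cert chain shorter than its 2-byte length field"; return; }`. The chain's own length field is still decoded into `lengthBytes` and then discarded (`//length = ...` stays commented out, and this commit comments out its Javadoc rather than deleting the dead field in the `@@ -34` hunk), so nothing later can verify that the root hash and certificates actually fit inside the declared length. Either delete the dead `length` code or keep the value and use it to bound the subsequent reads. The constructor body continues past this hunk.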
@@ -123,15 +122,15 @@ public class SpdmCertificateChain { certList.add(cert); numberOfCerts++; } catch (IOException e) { - certProcessingError += "Error with Cert # " + (numberOfCerts+1) + certProcessingError += "Error with Cert # " + (numberOfCerts + 1) + ": IOException (error reading cert data)"; break; } catch (CertificateException e) { - certProcessingError += "Error with Cert # " + (numberOfCerts+1) + certProcessingError += "Error with Cert # " + (numberOfCerts + 1) + ": CertificateException"; break; } catch (NoSuchAlgorithmException e) { - certProcessingError += "Error with Cert # " + numberOfCerts+1 + certProcessingError += "Error with Cert # " + (numberOfCerts + 1) + ": CNoSuchAlgorithmException"; break; } @@ -147,19 +146,18 @@ public class SpdmCertificateChain { String spdmCertChainInfo = ""; - if(!spdmBaseHashAlgoError.isEmpty()) { + if (!spdmBaseHashAlgoError.isEmpty()) { spdmCertChainInfo += " *** ERROR with SPDM base hash algorithm size ***\n"; spdmCertChainInfo += " " + spdmBaseHashAlgoError + "\n"; spdmCertChainInfo += " Stopping processing of this cert chain\n"; - } - else { + } else { spdmCertChainInfo += " Root hash = " + HexUtils.byteArrayToHexString(rootHash) + "\n"; spdmCertChainInfo += " Number of certs in chain = " + numberOfCerts + "\n"; int certCnt = 1; for (UefiX509Cert cert : certList) { - spdmCertChainInfo += " Cert # " + certCnt++ + " of " + - numberOfCerts + ": ------------------\n"; + spdmCertChainInfo += " Cert # " + certCnt++ + " of " + + numberOfCerts + ": ------------------\n"; spdmCertChainInfo += cert.toString(); } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java index 202e6c03..63d3a788 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmHa.java 
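Review bot: The three catch blocks in the first hunk discard the exception entirely — `e` is neither logged nor folded into `certProcessingError` — so a chain that fails to parse reports only "CertificateException" with no reason, and the `NoSuchAlgorithmException` text carries a typo, `CNoSuchAlgorithmException`. A single multi-catch that keeps the cause covers all three: `} catch (IOException | CertificateException | NoSuchAlgorithmException e) { certProcessingError += "Error with Cert # " + (numberOfCerts + 1) + ": " + e.getClass().getSimpleName() + " (" + e.getMessage() + ")"; break; }`. Because `numberOfCerts` is only incremented on success, the `toString` hunk below prints the number parsed so far as "Number of certs in chain", which reads as complete when parsing stopped early; label it as parsed or print the failure next to it. The loop these catches belong to starts before the hunk.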
@@ -11,7 +11,7 @@ import lombok.NoArgsConstructor; public class SpdmHa { /** - * Spdm Hash Alg = Raw bit stream + * Spdm Hash Alg = Raw bit stream. */ public static final int TPM_ALG_RAW = 1; /** diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java index b64f18dc..4a90cacb 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/spdm/SpdmMeasurement.java @@ -61,7 +61,7 @@ public class SpdmMeasurement { } /** - * Lookup for SPDM measurement value type + * Lookup for SPDM measurement value type. * * @param measValType the numerical representation of the measurement value type. * @@ -118,10 +118,10 @@ public class SpdmMeasurement { public String toString() { String spdmMeasInfo = ""; - spdmMeasInfo += " SPDM Measurement Value Type = " + - dmtfSpecMeasurementValueTypeToString(dmtfSpecMeasurementValueType); - spdmMeasInfo += "\n SPDM Measurement Value = " + - HexUtils.byteArrayToHexString(dmtfSpecMeasurementValue); + spdmMeasInfo += " SPDM Measurement Value Type = " + + dmtfSpecMeasurementValueTypeToString(dmtfSpecMeasurementValueType); + spdmMeasInfo += "\n SPDM Measurement Value = " + + HexUtils.byteArrayToHexString(dmtfSpecMeasurementValue); spdmMeasInfo += "\n"; return spdmMeasInfo; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java index 879e27f8..099b0050 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiDevicePath.java 
@@ -93,7 +93,9 @@ public class UefiDevicePath { */ private String processDevPath(final byte[] path) { StringBuilder pInfo = new StringBuilder(); - int devLength = 0, pathOffset = 0, devCount = 0; + int devLength = 0; + int pathOffset = 0; + int devCount = 0; while (true) { Byte devPath = Byte.valueOf(path[pathOffset]); if ((devPath.intValue() == UefiConstants.TERMINATOR) @@ -214,7 +216,7 @@ public class UefiDevicePath { subType += " _HID = " + HexUtils.byteArrayToHexString(hid) + "\n"; System.arraycopy(path, 2 * UefiConstants.SIZE_4 + offset, hid, 0, UefiConstants.SIZE_4); String uid = HexUtils.byteArrayToHexString(hid); - if(uid.contains("00000000")) { + if (uid.contains("00000000")) { uid = "No _UID exists for this device"; } subType += " _UID = " + uid + "\n"; diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiGuid.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiGuid.java index f15f49c1..fd103f62 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiGuid.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiGuid.java @@ -28,20 +28,20 @@ public class UefiGuid { */ private static final int UUID_EPOCH_DIVISOR = 10000; /** - * Filesystem path of vendor-table.json + * Filesystem path of vendor-table.json. */ private static final Path JSON_PATH = FileSystems.getDefault().getPath("/etc", "hirs", "aca", "default-properties", "vendor-table.json"); /** - * Name of vendor-table file in code + * Name of vendor-table file in code. */ private static final String JSON_FILENAME = "vendor-table.json"; /** - * Reference to the vendor-table json object + * Reference to the vendor-table json object. */ private JsonObject uefiVendorRef; /** - * Track status of vendor-table.json + * Track status of vendor-table.json. */ @Getter private String vendorTableFileStatus = FILESTATUS_NOT_ACCESSIBLE; 
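Review bot: `while (true)` followed by `Byte.valueOf(path[pathOffset])` in the `processDevPath` hunk walks the device path with no bound on `pathOffset`, so a path that lacks the `TERMINATOR` node — event-log data the ACA does not produce — throws `ArrayIndexOutOfBoundsException` out of the parser instead of yielding a partial description. Make the bound the loop condition, `while (pathOffset < path.length) {`, treat falling off the end as a malformed path (append a note to `pInfo`), and apply the same check before the length and sub-type reads further down the loop body, which lies outside this hunk. The `Byte` boxing is unnecessary: `int devPath = path[pathOffset];` keeps the same sign-extended value for the `TERMINATOR` comparison. The rest of the method is outside the hunk.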
@@ -77,13 +77,12 @@ public class UefiGuid { uefiVendorRef = JsonUtils.getSpecificJsonObject(vendorPathString, "VendorTable"); - if(!isVendorTableReferenceHandleEmpty()) { + if (!isVendorTableReferenceHandleEmpty()) { vendorTableFileStatus = FILESTATUS_FROM_FILESYSTEM; - } - else { + } else { // could not access vendor-table.json from filesystem, so attempt to access from code uefiVendorRef = JsonUtils.getSpecificJsonObject(JSON_FILENAME, "VendorTable"); - if(!isVendorTableReferenceHandleEmpty()) { + if (!isVendorTableReferenceHandleEmpty()) { vendorTableFileStatus = FILESTATUS_FROM_CODE; } } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java index 15937f34..9ccd0c56 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java @@ -107,7 +107,7 @@ public class UefiSignatureList { */ private UefiGuid signatureType = null; /** - * Track status of vendor-table.json + * Track status of vendor-table.json. */ @Getter private String vendorTableFileStatus = FILESTATUS_NOT_ACCESSIBLE; 
@@ -235,17 +235,16 @@ public class UefiSignatureList { StringBuilder sigInfo = new StringBuilder(); if (!signatureTypeValid) { - sigInfo.append(" *** Unknown UEFI Signature Type encountered:\n" + - " " + signatureType.toString() + "\n"); - } - else { + sigInfo.append(" *** Unknown UEFI Signature Type encountered:\n" + + " " + signatureType.toString() + "\n"); + } else { sigInfo.append(" UEFI Signature List Type = " + signatureType.toString() + "\n"); sigInfo.append(" Number of Certs or Hashes in UEFI Signature List = " + numberOfCerts + "\n"); int certOrHashCnt = 1; for (int i = 0; i < sigList.size(); i++) { - sigInfo.append(" Cert or Hash # " + certOrHashCnt++ + " of " + - numberOfCerts + ": ------------------\n"); + sigInfo.append(" Cert or Hash # " + certOrHashCnt++ + " of " + + numberOfCerts + ": ------------------\n"); UefiSignatureData certData = sigList.get(i); sigInfo.append(certData.toString()); } diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java index a78f2f59..04752a3a 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java @@ -42,11 +42,11 @@ public class UefiVariable { @Getter private String efiVarName = ""; /** - * Encountered invalid UEFI Signature List + * Encountered invalid UEFI Signature List. */ private boolean invalidSignatureListEncountered = false; /** - * Invalid UEFI Signature List + * Invalid UEFI Signature List. */ private String invalidSignatureListStatus = ""; /** @@ -78,7 +78,7 @@ public class UefiVariable { /** * Human-readable description of the data within the SPDM devdc (to be updated with more test data). */ - String spdmDevdcInfo = ""; + private String spdmDevdcInfo = ""; /** * EFIVariable constructor. 
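Review bot: The `!signatureTypeValid` branch in the `toString` hunk still calls `signatureType.toString()`, and `signatureType` is initialised to `null` in the field declaration shown just above; if the invalid-type path can be reached before a GUID was parsed, this is a `NullPointerException` thrown from `toString`, which is the worst place for one — use `String.valueOf(signatureType)` or branch on null. Both branches also concatenate with `+` inside `sigInfo.append(...)`, which builds a temporary string and defeats the `StringBuilder`; chain the appends instead, e.g. `sigInfo.append(" Cert or Hash # ").append(certOrHashCnt++).append(" of ").append(numberOfCerts).append(": ------------------\n");`. The method continues beyond the hunk.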
@@ -184,13 +184,13 @@ public class UefiVariable { // the if statement is executed // [new event file status = list.getVendorTableFileStatus()] // (ie. if the new file status is not-accessible or from-code, then want to update) - if((vendorTableFileStatus != FILESTATUS_NOT_ACCESSIBLE) && - (list.getVendorTableFileStatus() != FILESTATUS_FROM_FILESYSTEM)) { + if ((vendorTableFileStatus != FILESTATUS_NOT_ACCESSIBLE) + && (list.getVendorTableFileStatus() != FILESTATUS_FROM_FILESYSTEM)) { vendorTableFileStatus = list.getVendorTableFileStatus(); } // efiVariableSigListContents += list.toString(); - if(!list.isSignatureTypeValid()) { + if (!list.isSignatureTypeValid()) { invalidSignatureListEncountered = true; invalidSignatureListStatus = list.toString(); break; @@ -200,7 +200,7 @@ public class UefiVariable { } /** - * Method for processing the data in an EFI Signature Data, where the data is known to be an X509 cert + * Method for processing the data in an EFI Signature Data, where the data is known to be an X509 cert. * * @param efiSigData Byte array holding the SignatureData data * @throws java.security.cert.CertificateException If there's a problem parsing the X509 certificate. 
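Review bot: `vendorTableFileStatus != FILESTATUS_NOT_ACCESSIBLE` and `list.getVendorTableFileStatus() != FILESTATUS_FROM_FILESYSTEM` in the first hunk compare `String`s by reference (the field is declared `private String vendorTableFileStatus` above); this only works while every status value is one of these compile-time constants, and the first `getVendorTableFileStatus()` that returns a computed or deserialised string silently stops the update. Use `equals` with the constant on the left: `if (!FILESTATUS_NOT_ACCESSIBLE.equals(vendorTableFileStatus) && !FILESTATUS_FROM_FILESYSTEM.equals(list.getVendorTableFileStatus())) {`. Making the status an enum would fix this at the type level for this class, `UefiSignatureList`, `UefiGuid` and `TCGEventLog` alike. The method this hunk belongs to starts before it.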
@@ -296,23 +296,23 @@ public class UefiVariable { } // Signature List output (if there are any Signature Lists) - if (certSuperList.size() > 0){ + if (certSuperList.size() > 0) { efiVariable.append("Number of UEFI Signature Lists = " + certSuperList.size() + "\n"); int certSuperListCnt = 1; for (UefiSignatureList uefiSigList : certSuperList) { - efiVariable.append("UEFI Signature List # " + certSuperListCnt++ + " of " + - certSuperList.size() + ": ------------------\n"); + efiVariable.append("UEFI Signature List # " + certSuperListCnt++ + " of " + + certSuperList.size() + ": ------------------\n"); efiVariable.append(uefiSigList.toString()); } } - if(invalidSignatureListEncountered) { + if (invalidSignatureListEncountered) { efiVariable.append(invalidSignatureListStatus); - efiVariable.append("*** Encountered invalid Signature Type - " + - "Stopped processing of this event data\n"); + efiVariable.append("*** Encountered invalid Signature Type - " + + "Stopped processing of this event data\n"); } // Signature Data output (if there is a Signature Data) - if(!spdmDevdcInfo.isEmpty()) { + if (!spdmDevdcInfo.isEmpty()) { efiVariable.append(spdmDevdcInfo); } From 12e52bfecf9241b589afa78684345df5a5d69720 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Thu, 15 Aug 2024 17:55:39 -0400 Subject: [PATCH 39/39] fixed another checkstyle warning --- .../src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java index 3591b2b5..3d6c58fe 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java +++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/TCGEventLog.java 
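Review bot: `certSuperList.size() > 0` in this `toString` hunk is clearer as `!certSuperList.isEmpty()`, and the `efiVariable.append(a + b + c)` calls concatenate before appending, so the `StringBuilder` gains nothing; chain them, e.g. `efiVariable.append("UEFI Signature List # ").append(certSuperListCnt++).append(" of ").append(certSuperList.size()).append(": ------------------\n");`. The `invalidSignatureListEncountered` block prints the offending list after all the valid ones, so a reader sees a full-looking listing before the "Stopped processing" line; stating how many lists were examined versus declared in that message would make the truncation obvious. The method continues beyond the hunk.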
@@ -170,7 +170,8 @@ public final class TCGEventLog { // [new event file status = eventList.get(eventNumber-1).getVendorTableFileStatus()] // (ie. if the new file status is not-accessible or from-code, then want to update) if ((vendorTableFileStatus != FILESTATUS_NOT_ACCESSIBLE) - && (eventList.get(eventNumber - 1).getVendorTableFileStatus() != FILESTATUS_FROM_FILESYSTEM)) { + && (eventList.get(eventNumber - 1).getVendorTableFileStatus() + != FILESTATUS_FROM_FILESYSTEM)) { vendorTableFileStatus = eventList.get(eventNumber - 1).getVendorTableFileStatus(); } }
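Review bot: `vendorTableFileStatus != FILESTATUS_NOT_ACCESSIBLE` and `... != FILESTATUS_FROM_FILESYSTEM` are reference comparisons — the commit only rewraps the line — and, if this field is a `String` like the same-named field in `UefiVariable`, they depend on every status value being the interned constant; a status produced any other way would never trigger the update. `eventList.get(eventNumber - 1)` is also evaluated twice. Hoist it and use `equals`: `final String eventStatus = eventList.get(eventNumber - 1).getVendorTableFileStatus(); if (!FILESTATUS_NOT_ACCESSIBLE.equals(vendorTableFileStatus) && !FILESTATUS_FROM_FILESYSTEM.equals(eventStatus)) { vendorTableFileStatus = eventStatus; }`. The enclosing method starts before the hunk.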