ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-21 05:53:27 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Updated the policy code to ignore based on the TPM Log Event. Added in the code for OS Events.

Browse Source
This commit is contained in:
Cyrus 2021-10-29 20:24:46 -04:00
parent aae6845730
commit fe617ea948
2 changed files with 69 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
View File

@ -543,11 +543,13 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
eventValueMap.put(rdv.getDigestValue(), rdv);
}
for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) {
if (!eventValueMap.containsKey(tpe.getEventDigestStr())) {
tpmPcrEvents.add(tpe);
}
}
// for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) {
// if (!eventValueMap.containsKey(tpe.getEventDigestStr())) {
// tpmPcrEvents.add(tpe);
// }
// }
tpmPcrEvents.addAll(pcrPolicy.validateTpmEvents(
tcgMeasurementLog, eventValueMap));
}
} catch (CertificateException cEx) {
LOGGER.error(cEx);
@ -579,14 +581,15 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
fwStatus = new AppraisalStatus(FAIL, "The RIM baseline could not be found.");
}
}
EventLogMeasurements eventLog = (EventLogMeasurements) measurement;
eventLog.setOverallValidationResult(fwStatus.getAppStatus());
this.referenceManifestManager.update(eventLog);
} else {
fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: "
+ "%s for %s can not be found", failedString, manufacturer));
}
EventLogMeasurements eventLog = (EventLogMeasurements) measurement;
eventLog.setOverallValidationResult(fwStatus.getAppStatus());
this.referenceManifestManager.update(eventLog);
return buildValidationRecord(SupplyChainValidation.ValidationType.FIRMWARE,
fwStatus.getAppStatus(), fwStatus.getMessage(), validationObject, level);
}

64
HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
View File

@ -3,6 +3,8 @@ package hirs.data.persist;
import hirs.data.persist.tpm.PcrComposite;
import hirs.data.persist.tpm.PcrInfoShort;
import hirs.data.persist.tpm.PcrSelection;
import hirs.tpm.eventlog.TCGEventLog;
import hirs.tpm.eventlog.TpmPcrEvent;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.logging.log4j.Logger;
@ -12,6 +14,9 @@ import javax.persistence.Entity;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import static org.apache.logging.log4j.LogManager.getLogger;
@ -24,14 +29,22 @@ public final class PCRPolicy extends Policy {
private static final Logger LOGGER = getLogger(PCRPolicy.class);
private static final int NUM_TO_SKIP = 1;
// PCR 5-16
private static final int PXE_PCR_START = 5;
private static final int PXE_PCR_END = 16;
// PCR 10
private static final int IMA_PCR = 10;
// PCR 17-19
private static final int TBOOT_PCR = 17;
private static final int NUM_OF_TBOOT_PCR = 3;
private static final int TBOOT_PCR_START = 17;
private static final int TBOOT_PCR_END = 19;
// PCR 5
private static final int GPT_PCR = 5;
// Event Log Event Types
private static final String EVT_EFI_BOOT = "EV_EFI_BOOT_SERVICES_APPLICATION";
private static final String EVT_EFI_VAR = "EV_EFI_VARIABLE_BOOT";
private static final String EVT_EFI_GPT = "EV_EFI_GPT_EVENT";
@Column(nullable = false)
private boolean enableIgnoreIma = false;
@Column(nullable = false)
@ -83,10 +96,10 @@ public final class PCRPolicy extends Policy {
i += NUM_TO_SKIP;
}
if (enableIgnoretBoot && i == TBOOT_PCR) {
LOGGER.info("PCR Policy TBoot Ignore enabled.");
i += NUM_OF_TBOOT_PCR;
}
// if (enableIgnoretBoot && i == TBOOT_PCR_START) {
// LOGGER.info("PCR Policy TBoot Ignore enabled.");
// i += NUM_OF_TBOOT_PCR;
// }
if (enableIgnoreGpt && i == GPT_PCR) {
LOGGER.info("PCR Policy GPT Ignore enabled.");
@ -103,6 +116,45 @@ public final class PCRPolicy extends Policy {
return sb;
}
/**
* Checks that the expected FM events occurring. There are policy options that
* will ignore certin PCRs, Event Types and Event Variables present.
* @param tcgMeasurementLog Measurement log from the client
* @param eventValueMap The events stored as baseline to compare
* @return the events that didn't pass
*/
public List<TpmPcrEvent> validateTpmEvents(final TCGEventLog tcgMeasurementLog,
final Map<String, ReferenceDigestValue> eventValueMap) {
List<TpmPcrEvent> tpmPcrEvents = new LinkedList<>();
for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) {
if (enableIgnoreIma && tpe.getPcrIndex() == IMA_PCR) {
LOGGER.info(String.format("IMA Ignored -> %s", tpe));
} else if (enableIgnoreGpt && tpe.getPcrIndex() == GPT_PCR) {
LOGGER.info(String.format("GPT Ignored -> %s", tpe));
} else if (enableIgnoretBoot && (tpe.getPcrIndex() >= TBOOT_PCR_START
&& tpe.getPcrIndex() <= TBOOT_PCR_END)) {
LOGGER.info(String.format("TBOOT Ignored -> %s", tpe));
} else if (enableIgnoreOsEvt && (tpe.getPcrIndex() >= PXE_PCR_START
&& tpe.getPcrIndex() <= PXE_PCR_END)) {
LOGGER.info(String.format("OS Evt Ignored -> %s", tpe));
} else {
if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_BOOT)
|| tpe.getEventTypeStr().contains(EVT_EFI_GPT)
|| tpe.getEventTypeStr().contains(EVT_EFI_VAR))) {
// need to also look at #3
LOGGER.info(String.format("OS Evt Ignored -> %s", tpe));
} else {
if (!eventValueMap.containsKey(tpe.getEventDigestStr())) {
tpmPcrEvents.add(tpe);
}
}
}
}
return tpmPcrEvents;
}
/**
* Compares hashs to validate the quote from the client.
*