diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 88900294..41e2db7e 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -543,11 +543,13 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe eventValueMap.put(rdv.getDigestValue(), rdv); } - for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) { - if (!eventValueMap.containsKey(tpe.getEventDigestStr())) { - tpmPcrEvents.add(tpe); - } - } +// for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) { +// if (!eventValueMap.containsKey(tpe.getEventDigestStr())) { +// tpmPcrEvents.add(tpe); +// } +// } + tpmPcrEvents.addAll(pcrPolicy.validateTpmEvents( + tcgMeasurementLog, eventValueMap)); } } catch (CertificateException cEx) { LOGGER.error(cEx); @@ -579,14 +581,15 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe fwStatus = new AppraisalStatus(FAIL, "The RIM baseline could not be found."); } } + + EventLogMeasurements eventLog = (EventLogMeasurements) measurement; + eventLog.setOverallValidationResult(fwStatus.getAppStatus()); + this.referenceManifestManager.update(eventLog); } else { fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: " + "%s for %s can not be found", failedString, manufacturer)); } - EventLogMeasurements eventLog = (EventLogMeasurements) measurement; - eventLog.setOverallValidationResult(fwStatus.getAppStatus()); - this.referenceManifestManager.update(eventLog); return buildValidationRecord(SupplyChainValidation.ValidationType.FIRMWARE, fwStatus.getAppStatus(), fwStatus.getMessage(), validationObject, level); } 
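Review bot: The replaced digest loop survives as five `+//` commented-out lines instead of being deleted; version control already keeps that history, so remove them and leave only the `tpmPcrEvents.addAll(pcrPolicy.validateTpmEvents(tcgMeasurementLog, eventValueMap));` call. As declared in the PCRPolicy hunk, `validateTpmEvents` returns a raw `List`, so this `addAll` compiles only with an unchecked warning and nothing at the call site guarantees the elements are `TpmPcrEvent`s; giving the callee a `List<TpmPcrEvent>` return type fixes that at the source. The enclosing method starts and ends outside the hunk and `pcrPolicy` is not declared inside it, so where it is assigned (and whether it can be null on this path) is not visible here.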
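Review bot: Moving the `setOverallValidationResult`/`referenceManifestManager.update` calls into the baseline-found branch means the `else` branch ("%s for %s can not be found") now returns a FAIL record without writing that result to the stored `EventLogMeasurements`, so whatever result an earlier appraisal persisted — possibly PASS — stays in place while this attestation fails. If the move is there because `measurement` may be null on that path, say so with a comment such as `// baseline lookup failed before an EventLogMeasurements was loaded; nothing to update`; otherwise hoist the three update lines back below the if/else behind an `if (measurement instanceof EventLogMeasurements)` guard so both branches persist the outcome. The enclosing method begins outside the hunk, so where `measurement` comes from cannot be checked here.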
diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java index 28392843..1dfdc3a4 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java @@ -3,6 +3,8 @@ package hirs.data.persist; import hirs.data.persist.tpm.PcrComposite; import hirs.data.persist.tpm.PcrInfoShort; import hirs.data.persist.tpm.PcrSelection; +import hirs.tpm.eventlog.TCGEventLog; +import hirs.tpm.eventlog.TpmPcrEvent; import org.apache.commons.codec.DecoderException; import org.apache.commons.codec.binary.Hex; import org.apache.logging.log4j.Logger; @@ -12,6 +14,9 @@ import javax.persistence.Entity; import java.nio.charset.StandardCharsets; import java.security.NoSuchAlgorithmException; import java.util.Arrays; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; import static org.apache.logging.log4j.LogManager.getLogger; @@ -24,14 +29,22 @@ public final class PCRPolicy extends Policy { private static final Logger LOGGER = getLogger(PCRPolicy.class); private static final int NUM_TO_SKIP = 1; + // PCR 5-16 + private static final int PXE_PCR_START = 5; + private static final int PXE_PCR_END = 16; // PCR 10 private static final int IMA_PCR = 10; // PCR 17-19 - private static final int TBOOT_PCR = 17; - private static final int NUM_OF_TBOOT_PCR = 3; + private static final int TBOOT_PCR_START = 17; + private static final int TBOOT_PCR_END = 19; // PCR 5 private static final int GPT_PCR = 5; + // Event Log Event Types + private static final String EVT_EFI_BOOT = "EV_EFI_BOOT_SERVICES_APPLICATION"; + private static final String EVT_EFI_VAR = "EV_EFI_VARIABLE_BOOT"; + private static final String EVT_EFI_GPT = "EV_EFI_GPT_EVENT"; + @Column(nullable = false) private boolean enableIgnoreIma = false; @Column(nullable = false) 
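Review bot: The new `PXE_PCR_START`/`PXE_PCR_END` pair is commented only as `// PCR 5-16`, which restates the values rather than the role; in this commit they gate the `enableIgnoreOsEvt` option in `validateTpmEvents`, not PXE, so name them for that (`OS_EVT_PCR_START`/`OS_EVT_PCR_END`) and write a comment saying why 5–16 is the range and that it overlaps `GPT_PCR` (also 5) and `IMA_PCR` (10). Likewise `EVT_EFI_VAR` holds only `EV_EFI_VARIABLE_BOOT`; a name such as `EVT_EFI_VAR_BOOT` avoids suggesting the other `EV_EFI_VARIABLE_*` types are covered. Removing `NUM_OF_TBOOT_PCR` is what left the TBoot skip in the PCR-compare loop commented out later in this diff; either keep the constant or express that skip with the new START/END pair.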
@@ -83,10 +96,10 @@ public final class PCRPolicy extends Policy { i += NUM_TO_SKIP; } - if (enableIgnoretBoot && i == TBOOT_PCR) { - LOGGER.info("PCR Policy TBoot Ignore enabled."); - i += NUM_OF_TBOOT_PCR; - } +// if (enableIgnoretBoot && i == TBOOT_PCR_START) { +// LOGGER.info("PCR Policy TBoot Ignore enabled."); +// i += NUM_OF_TBOOT_PCR; +// } if (enableIgnoreGpt && i == GPT_PCR) { LOGGER.info("PCR Policy GPT Ignore enabled."); 
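Review bot: The TBoot skip is commented out rather than deleted, and as a result this PCR-comparison loop (its method starts and ends outside the hunk) now compares PCRs 17–19 even when `enableIgnoretBoot` is set, while `validateTpmEvents` in the same commit ignores events in exactly those PCRs under the same flag, so the two policy paths disagree. If disabling the skip here is intended, delete the four `//` lines and say so in the commit message; if it is only a casualty of `NUM_OF_TBOOT_PCR` being removed, `if (enableIgnoretBoot && i == TBOOT_PCR_START) { LOGGER.info("PCR Policy TBoot Ignore enabled."); i += TBOOT_PCR_END - TBOOT_PCR_START + 1; }` preserves the old stride with the renamed constants. Whether the loop's own increment then lands on PCR 20 or 21 depends on the `for` header, which is not visible in this hunk.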
@@ -103,6 +116,45 @@ public final class PCRPolicy extends Policy { return sb; } + /** + * Checks that the expected FM events occurring. There are policy options that + * will ignore certin PCRs, Event Types and Event Variables present. + * @param tcgMeasurementLog Measurement log from the client + * @param eventValueMap The events stored as baseline to compare + * @return the events that didn't pass + */ + public List validateTpmEvents(final TCGEventLog tcgMeasurementLog, + final Map eventValueMap) { + List tpmPcrEvents = new LinkedList<>(); + for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) { + + if (enableIgnoreIma && tpe.getPcrIndex() == IMA_PCR) { + LOGGER.info(String.format("IMA Ignored -> %s", tpe)); + } else if (enableIgnoreGpt && tpe.getPcrIndex() == GPT_PCR) { + LOGGER.info(String.format("GPT Ignored -> %s", tpe)); + } else if (enableIgnoretBoot && (tpe.getPcrIndex() >= TBOOT_PCR_START + && tpe.getPcrIndex() <= TBOOT_PCR_END)) { + LOGGER.info(String.format("TBOOT Ignored -> %s", tpe)); + } else if (enableIgnoreOsEvt && (tpe.getPcrIndex() >= PXE_PCR_START + && tpe.getPcrIndex() <= PXE_PCR_END)) { + LOGGER.info(String.format("OS Evt Ignored -> %s", tpe)); + } else { + if (enableIgnoreOsEvt && (tpe.getEventTypeStr().contains(EVT_EFI_BOOT) + || tpe.getEventTypeStr().contains(EVT_EFI_GPT) + || tpe.getEventTypeStr().contains(EVT_EFI_VAR))) { + // need to also look at #3 + LOGGER.info(String.format("OS Evt Ignored -> %s", tpe)); + } else { + if (!eventValueMap.containsKey(tpe.getEventDigestStr())) { + tpmPcrEvents.add(tpe); + } + } + } + } + + return tpmPcrEvents; + } + /** * Compares hashs to validate the quote from the client. *
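Review bot: With `enableIgnoreOsEvt` set, the `PXE_PCR_START..PXE_PCR_END` branch discards every event in PCRs 5–16 before the event-type test below it is reached, so that test only ever runs for events outside the range and the option silently widens from "OS events" to the whole span (on PC Client platforms that typically includes PCR 7, where Secure Boot policy is measured); if the intent is to ignore only the three listed event types, drop or narrow the range branch, and resolve the `// need to also look at #3` TODO with a comment stating what is still missing. The type test uses `contains`, which accepts any string merely embedding the type name; if `getEventTypeStr()` returns the bare type name, `equals` is the exact check. The method also uses raw `List` and `Map`; the typed signature below keeps callers working and lets the compiler check the digest-key lookup. Note that the digest check, carried over from the loop removed in SupplyChainValidationServiceImpl, accepts a digest found anywhere in the baseline regardless of the PCR the event extends, so the Javadoc should say so (and fix "certin" and "Checks that the expected FM events occurring").
```java
public List<TpmPcrEvent> validateTpmEvents(final TCGEventLog tcgMeasurementLog,
                                          final Map<String, ?> eventValueMap) {
    List<TpmPcrEvent> tpmPcrEvents = new LinkedList<>();
    for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) {
        // … unchanged: IMA / GPT / TBOOT / PCR-range ignore branches …
        } else {
            // exact type match; contains() would also accept any string embedding the name
            String eventType = tpe.getEventTypeStr();
            if (enableIgnoreOsEvt && (EVT_EFI_BOOT.equals(eventType)
                    || EVT_EFI_GPT.equals(eventType)
                    || EVT_EFI_VAR.equals(eventType))) {
                LOGGER.info(String.format("OS Evt Ignored -> %s", tpe));
            } else if (!eventValueMap.containsKey(tpe.getEventDigestStr())) {
                tpmPcrEvents.add(tpe);
            }
        }
    }
    return tpmPcrEvents;
}
```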