use D flag for PTS Protocol Capabilities
[strongswan.git] / src / libimcv / plugins / imv_attestation / imv_attestation_build.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_build.h"
17 #include "imv_attestation_state.h"
18
19 #include <tcg/tcg_pts_attr_proto_caps.h>
20 #include <tcg/tcg_pts_attr_meas_algo.h>
21 #include <tcg/tcg_pts_attr_dh_nonce_params_req.h>
22 #include <tcg/tcg_pts_attr_dh_nonce_finish.h>
23 #include <tcg/tcg_pts_attr_get_tpm_version_info.h>
24 #include <tcg/tcg_pts_attr_get_aik.h>
25 #include <tcg/tcg_pts_attr_req_funct_comp_evid.h>
26 #include <tcg/tcg_pts_attr_gen_attest_evid.h>
27 #include <tcg/tcg_pts_attr_req_file_meas.h>
28 #include <tcg/tcg_pts_attr_req_file_meta.h>
29
30 #include <debug.h>
31
32 bool imv_attestation_build(pa_tnc_msg_t *msg,
33 imv_attestation_state_t *attestation_state,
34 pts_meas_algorithms_t supported_algorithms,
35 pts_dh_group_t supported_dh_groups,
36 pts_database_t *pts_db)
37 {
38 imv_attestation_handshake_state_t handshake_state;
39 pts_t *pts;
40 pa_tnc_attr_t *attr;
41
42 handshake_state = attestation_state->get_handshake_state(attestation_state);
43 pts = attestation_state->get_pts(attestation_state);
44
45 if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
46 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
47 {
48 DBG1(DBG_IMV, "PTS-IMC is not using Diffie-Hellman Nonce negotiation,"
49 "advancing to TPM Initialization phase");
50 handshake_state = IMV_ATTESTATION_STATE_TPM_INIT;
51 }
52 if (handshake_state == IMV_ATTESTATION_STATE_TPM_INIT &&
53 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
54 {
55 DBG1(DBG_IMV, "PTS-IMC has not got TPM available,"
56 "advancing to File Measurement phase");
57 handshake_state = IMV_ATTESTATION_STATE_MEAS;
58 }
59 if (handshake_state == IMV_ATTESTATION_STATE_COMP_EVID &&
60 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
61 {
62 DBG1(DBG_IMV, "PTS-IMC has not got TPM available,"
63 "skipping Component Measurement phase");
64 handshake_state = IMV_ATTESTATION_STATE_END;
65 }
66
67 /* Switch on the attribute type IMV has received */
68 switch (handshake_state)
69 {
70 case IMV_ATTESTATION_STATE_INIT:
71 {
72 pts_proto_caps_flag_t flags;
73
74 /* Send Request Protocol Capabilities attribute */
75 flags = pts->get_proto_caps(pts);
76 attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
77 attr->set_noskip_flag(attr, TRUE);
78 msg->add_attribute(msg, attr);
79
80 /* Send Measurement Algorithms attribute */
81 attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
82 attr->set_noskip_flag(attr, TRUE);
83 msg->add_attribute(msg, attr);
84
85 attestation_state->set_handshake_state(attestation_state,
86 IMV_ATTESTATION_STATE_NONCE_REQ);
87 break;
88 }
89 case IMV_ATTESTATION_STATE_NONCE_REQ:
90 {
91 int min_nonce_len;
92
93 /* Send DH nonce parameters request attribute */
94 min_nonce_len = lib->settings->get_int(lib->settings,
95 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
96 attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
97 supported_dh_groups);
98 attr->set_noskip_flag(attr, TRUE);
99 msg->add_attribute(msg, attr);
100
101 attestation_state->set_handshake_state(attestation_state,
102 IMV_ATTESTATION_STATE_TPM_INIT);
103 break;
104 }
105 case IMV_ATTESTATION_STATE_TPM_INIT:
106 {
107 pts_meas_algorithms_t selected_algorithm;
108 chunk_t initiator_value, initiator_nonce;
109
110 /* Send DH nonce finish attribute */
111 selected_algorithm = pts->get_meas_algorithm(pts);
112 pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
113 attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
114 initiator_value, initiator_nonce);
115 attr->set_noskip_flag(attr, TRUE);
116 msg->add_attribute(msg, attr);
117
118 /* Send Get TPM Version attribute */
119 attr = tcg_pts_attr_get_tpm_version_info_create();
120 attr->set_noskip_flag(attr, TRUE);
121 msg->add_attribute(msg, attr);
122
123 /* Send Get AIK attribute */
124 attr = tcg_pts_attr_get_aik_create();
125 attr->set_noskip_flag(attr, TRUE);
126 msg->add_attribute(msg, attr);
127
128 attestation_state->set_handshake_state(attestation_state,
129 IMV_ATTESTATION_STATE_MEAS);
130 break;
131 }
132 case IMV_ATTESTATION_STATE_MEAS:
133 {
134 enumerator_t *enumerator;
135 u_int32_t delimiter = SOLIDUS_UTF;
136 char *platform_info, *pathname;
137 u_int16_t request_id;
138 int id, type;
139 bool is_dir;
140
141 attestation_state->set_handshake_state(attestation_state,
142 IMV_ATTESTATION_STATE_COMP_EVID);
143
144 /* Get Platform and OS of the PTS-IMC */
145 platform_info = pts->get_platform_info(pts);
146
147 if (!pts_db || !platform_info)
148 {
149 DBG1(DBG_IMV, "%s%s%s not available",
150 (pts_db) ? "" : "pts database",
151 (!pts_db && !platform_info) ? "and" : "",
152 (platform_info) ? "" : "platform info");
153 break;
154 }
155 DBG1(DBG_IMV, "platform is '%s'", platform_info);
156
157 /* Send Request File Metadata attribute */
158 enumerator = pts_db->create_file_meta_enumerator(pts_db,
159 platform_info);
160 if (!enumerator)
161 {
162 break;
163 }
164 while (enumerator->enumerate(enumerator, &type, &pathname))
165 {
166 is_dir = (type != 0);
167 DBG2(DBG_IMV, "metadata request for %s '%s'",
168 is_dir ? "directory" : "file", pathname);
169 attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter,
170 pathname);
171 attr->set_noskip_flag(attr, TRUE);
172 msg->add_attribute(msg, attr);
173 }
174 enumerator->destroy(enumerator);
175
176 /* Send Request File Measurement attribute */
177 enumerator = pts_db->create_file_meas_enumerator(pts_db,
178 platform_info);
179 if (!enumerator)
180 {
181 break;
182 }
183 while (enumerator->enumerate(enumerator, &id, &type, &pathname))
184 {
185 is_dir = (type != 0);
186 request_id = attestation_state->add_request(attestation_state,
187 id, is_dir);
188 DBG2(DBG_IMV, "measurement request %d for %s '%s'",
189 request_id, is_dir ? "directory" : "file", pathname);
190 attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
191 delimiter, pathname);
192 attr->set_noskip_flag(attr, TRUE);
193 msg->add_attribute(msg, attr);
194 }
195 enumerator->destroy(enumerator);
196 break;
197 }
198 case IMV_ATTESTATION_STATE_COMP_EVID:
199 {
200 pts_attr_req_funct_comp_evid_flag_t flags;
201 u_int32_t sub_comp_depth;
202 pts_qualifier_t qualifier;
203 pts_funct_comp_name_t name;
204
205 attestation_state->set_handshake_state(attestation_state,
206 IMV_ATTESTATION_STATE_END);
207
208 flags = PTS_REQ_FUNC_COMP_FLAG_PCR;
209 sub_comp_depth = 0;
210 qualifier.kernel = FALSE;
211 qualifier.sub_component = FALSE;
212 qualifier.type = PTS_FUNC_COMP_TYPE_ALL;
213 name = PTS_FUNC_COMP_NAME_BIOS;
214
215 /* Send Request Functional Component Evidence attribute */
216 attr = tcg_pts_attr_req_funct_comp_evid_create(flags,
217 sub_comp_depth, PEN_TCG, qualifier, name);
218 attr->set_noskip_flag(attr, TRUE);
219 msg->add_attribute(msg, attr);
220 /* Send Generate Attestation Evidence attribute */
221 attr = tcg_pts_attr_gen_attest_evid_create();
222 attr->set_noskip_flag(attr, TRUE);
223 msg->add_attribute(msg, attr);
224
225 break;
226 }
227 default:
228 DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"",
229 handshake_state);
230 return FALSE;
231 }
232 return TRUE;
233 }