Using the database entries for generating Functional Component Evidence Requests
[strongswan.git] / src / libimcv / plugins / imv_attestation / imv_attestation_build.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_build.h"
17 #include "imv_attestation_state.h"
18
19 #include <tcg/tcg_pts_attr_proto_caps.h>
20 #include <tcg/tcg_pts_attr_meas_algo.h>
21 #include <tcg/tcg_pts_attr_dh_nonce_params_req.h>
22 #include <tcg/tcg_pts_attr_dh_nonce_finish.h>
23 #include <tcg/tcg_pts_attr_get_tpm_version_info.h>
24 #include <tcg/tcg_pts_attr_get_aik.h>
25 #include <tcg/tcg_pts_attr_req_funct_comp_evid.h>
26 #include <tcg/tcg_pts_attr_gen_attest_evid.h>
27 #include <tcg/tcg_pts_attr_req_file_meas.h>
28 #include <tcg/tcg_pts_attr_req_file_meta.h>
29
30 #include <debug.h>
31
32 bool imv_attestation_build(pa_tnc_msg_t *msg,
33 imv_attestation_state_t *attestation_state,
34 pts_meas_algorithms_t supported_algorithms,
35 pts_dh_group_t supported_dh_groups,
36 pts_database_t *pts_db)
37 {
38 imv_attestation_handshake_state_t handshake_state;
39 pts_t *pts;
40 pa_tnc_attr_t *attr;
41
42 handshake_state = attestation_state->get_handshake_state(attestation_state);
43 pts = attestation_state->get_pts(attestation_state);
44
45 /* D-H attributes are redundant */
46 /* when D-H Nonce Exchange is not selected on IMC side */
47 if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
48 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
49 {
50 DBG1(DBG_IMV, "PTS-IMC is not using Diffie-Hellman Nonce negotiation,"
51 "advancing to TPM Initialization phase");
52 handshake_state = IMV_ATTESTATION_STATE_TPM_INIT;
53 }
54 /* TPM Version Info, AIK attributes are redundant */
55 /* when TPM is not available on IMC side */
56 if (handshake_state == IMV_ATTESTATION_STATE_TPM_INIT &&
57 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
58 {
59 DBG1(DBG_IMV, "PTS-IMC has not got TPM available,"
60 "advancing to File Measurement phase");
61 handshake_state = IMV_ATTESTATION_STATE_MEAS;
62 }
63 /* Component Measurement cannot be done without D-H Nonce Exchange */
64 /* or TPM on IMC side */
65 if (handshake_state == IMV_ATTESTATION_STATE_COMP_EVID &&
66 (!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T) ||
67 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D)) )
68 {
69 DBG1(DBG_IMV, "PTS-IMC has not got TPM available,"
70 "skipping Component Measurement phase");
71 handshake_state = IMV_ATTESTATION_STATE_END;
72 }
73
74 /* Switch on the attribute type IMV has received */
75 switch (handshake_state)
76 {
77 case IMV_ATTESTATION_STATE_INIT:
78 {
79 pts_proto_caps_flag_t flags;
80
81 /* Send Request Protocol Capabilities attribute */
82 flags = pts->get_proto_caps(pts);
83 attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
84 attr->set_noskip_flag(attr, TRUE);
85 msg->add_attribute(msg, attr);
86
87 /* Send Measurement Algorithms attribute */
88 attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
89 attr->set_noskip_flag(attr, TRUE);
90 msg->add_attribute(msg, attr);
91
92 attestation_state->set_handshake_state(attestation_state,
93 IMV_ATTESTATION_STATE_NONCE_REQ);
94 break;
95 }
96 case IMV_ATTESTATION_STATE_NONCE_REQ:
97 {
98 int min_nonce_len;
99
100 /* Send DH nonce parameters request attribute */
101 min_nonce_len = lib->settings->get_int(lib->settings,
102 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
103 attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
104 supported_dh_groups);
105 attr->set_noskip_flag(attr, TRUE);
106 msg->add_attribute(msg, attr);
107
108 attestation_state->set_handshake_state(attestation_state,
109 IMV_ATTESTATION_STATE_TPM_INIT);
110 break;
111 }
112 case IMV_ATTESTATION_STATE_TPM_INIT:
113 {
114 pts_meas_algorithms_t selected_algorithm;
115 chunk_t initiator_value, initiator_nonce;
116
117 if ((pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
118 {
119 /* Send DH nonce finish attribute */
120 selected_algorithm = pts->get_meas_algorithm(pts);
121 pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
122 attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
123 initiator_value, initiator_nonce);
124 attr->set_noskip_flag(attr, TRUE);
125 msg->add_attribute(msg, attr);
126 }
127
128 /* Send Get TPM Version attribute */
129 attr = tcg_pts_attr_get_tpm_version_info_create();
130 attr->set_noskip_flag(attr, TRUE);
131 msg->add_attribute(msg, attr);
132
133 /* Send Get AIK attribute */
134 attr = tcg_pts_attr_get_aik_create();
135 attr->set_noskip_flag(attr, TRUE);
136 msg->add_attribute(msg, attr);
137
138 attestation_state->set_handshake_state(attestation_state,
139 IMV_ATTESTATION_STATE_MEAS);
140 break;
141 }
142 case IMV_ATTESTATION_STATE_MEAS:
143 {
144 enumerator_t *enumerator;
145 u_int32_t delimiter = SOLIDUS_UTF;
146 char *platform_info, *pathname;
147 u_int16_t request_id;
148 int id, type;
149 bool is_dir;
150
151 attestation_state->set_handshake_state(attestation_state,
152 IMV_ATTESTATION_STATE_COMP_EVID);
153
154 /* Get Platform and OS of the PTS-IMC */
155 platform_info = pts->get_platform_info(pts);
156
157 if (!pts_db || !platform_info)
158 {
159 DBG1(DBG_IMV, "%s%s%s not available",
160 (pts_db) ? "" : "pts database",
161 (!pts_db && !platform_info) ? "and" : "",
162 (platform_info) ? "" : "platform info");
163 break;
164 }
165 DBG1(DBG_IMV, "platform is '%s'", platform_info);
166
167 /* Send Request File Metadata attribute */
168 enumerator = pts_db->create_file_meta_enumerator(pts_db,
169 platform_info);
170 if (!enumerator)
171 {
172 break;
173 }
174 while (enumerator->enumerate(enumerator, &type, &pathname))
175 {
176 is_dir = (type != 0);
177 DBG2(DBG_IMV, "metadata request for %s '%s'",
178 is_dir ? "directory" : "file", pathname);
179 attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter,
180 pathname);
181 attr->set_noskip_flag(attr, TRUE);
182 msg->add_attribute(msg, attr);
183 }
184 enumerator->destroy(enumerator);
185
186 /* Send Request File Measurement attribute */
187 enumerator = pts_db->create_file_meas_enumerator(pts_db,
188 platform_info);
189 if (!enumerator)
190 {
191 break;
192 }
193 while (enumerator->enumerate(enumerator, &id, &type, &pathname))
194 {
195 is_dir = (type != 0);
196 request_id = attestation_state->add_file_meas_request(
197 attestation_state, id, is_dir);
198 DBG2(DBG_IMV, "measurement request %d for %s '%s'",
199 request_id, is_dir ? "directory" : "file", pathname);
200 attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
201 delimiter, pathname);
202 attr->set_noskip_flag(attr, TRUE);
203 msg->add_attribute(msg, attr);
204 }
205 enumerator->destroy(enumerator);
206 break;
207 }
208 case IMV_ATTESTATION_STATE_COMP_EVID:
209 {
210 pts_attr_req_funct_comp_evid_flag_t flags;
211 u_int32_t sub_comp_depth;
212 pts_qualifier_t qualifier;
213 pts_ita_funct_comp_name_t name;
214 enumerator_t *enumerator;
215 char *platform_info, *pathname;
216
217 attestation_state->set_handshake_state(attestation_state,
218 IMV_ATTESTATION_STATE_END);
219
220 flags = PTS_REQ_FUNC_COMP_FLAG_PCR;
221 sub_comp_depth = 0;
222 qualifier.kernel = FALSE;
223 qualifier.sub_component = FALSE;
224 qualifier.type = PTS_ITA_FUNC_COMP_TYPE_TRUSTED;
225
226 /* Get Platform and OS of the PTS-IMC */
227 platform_info = pts->get_platform_info(pts);
228 if (!pts_db || !platform_info)
229 {
230 DBG1(DBG_IMV, "%s%s%s not available",
231 (pts_db) ? "" : "pts database",
232 (!pts_db && !platform_info) ? "and" : "",
233 (platform_info) ? "" : "platform info");
234 break;
235 }
236 DBG1(DBG_IMV, "platform is '%s'", platform_info);
237
238
239 enumerator = pts_db->create_comp_evid_enumerator(pts_db,
240 platform_info);
241 if (!enumerator)
242 {
243 break;
244 }
245 while (enumerator->enumerate(enumerator, &pathname))
246 {
247 if (strcmp(pathname, TBOOT_POLICY_STR) == 0)
248 {
249 name = PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY;
250 }
251 else if (strcmp(pathname, TBOOT_MLE_STR) == 0)
252 {
253 name = PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE;
254 }
255 else
256 {
257 DBG1(DBG_IMV, "Unknown functional component name: \"%s\"",
258 pathname);
259 enumerator->destroy(enumerator);
260 return FALSE;
261 }
262
263 /* Send Request Functional Component Evidence attribute */
264 attr = tcg_pts_attr_req_funct_comp_evid_create(flags,
265 sub_comp_depth, PEN_ITA, qualifier, name);
266 attr->set_noskip_flag(attr, TRUE);
267 msg->add_attribute(msg, attr);
268 attestation_state->add_comp_evid_request( attestation_state,
269 PEN_ITA, qualifier, name);
270 }
271 enumerator->destroy(enumerator);
272
273
274 /* Send Generate Attestation Evidence attribute */
275 attr = tcg_pts_attr_gen_attest_evid_create();
276 attr->set_noskip_flag(attr, TRUE);
277 msg->add_attribute(msg, attr);
278
279 break;
280 }
281 default:
282 DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"",
283 handshake_state);
284 return FALSE;
285 }
286 return TRUE;
287 }