defined various measurement hash and pcr functions
[strongswan.git] / src / libpts / pts / components / ita / ita_comp_tboot.c
1 /*
2 * Copyright (C) 2011 Andreas Steffen
3 *
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "ita_comp_tboot.h"
18 #include "ita_comp_func_name.h"
19
20 #include "pts/components/pts_component.h"
21 #include "pts/components/pts_comp_evidence.h"
22
23 #include <debug.h>
24 #include <pen/pen.h>
25
26 typedef struct pts_ita_comp_tboot_t pts_ita_comp_tboot_t;
27
28 /**
29 * Private data of a pts_ita_comp_tboot_t object.
30 *
31 */
32 struct pts_ita_comp_tboot_t {
33
34 /**
35 * Public pts_component_t interface.
36 */
37 pts_component_t public;
38
39 /**
40 * Component Functional Name
41 */
42 pts_comp_func_name_t *name;
43
44 /**
45 * Sub-component depth
46 */
47 u_int32_t depth;
48
49 /**
50 * Extended PCR last handled
51 */
52 u_int32_t extended_pcr;
53
54 /**
55 * Time of TBOOT measurement
56 */
57 time_t measurement_time;
58
59 };
60
61 METHOD(pts_component_t, get_comp_func_name, pts_comp_func_name_t*,
62 pts_ita_comp_tboot_t *this)
63 {
64 return this->name;
65 }
66
67 METHOD(pts_component_t, get_evidence_flags, u_int8_t,
68 pts_ita_comp_tboot_t *this)
69 {
70 return PTS_REQ_FUNC_COMP_EVID_PCR;
71 }
72
73 METHOD(pts_component_t, get_depth, u_int32_t,
74 pts_ita_comp_tboot_t *this)
75 {
76 return this->depth;
77 }
78
79 METHOD(pts_component_t, measure, status_t,
80 pts_ita_comp_tboot_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
81 {
82 pts_comp_evidence_t *evid;
83 char *meas_hex, *pcr_before_hex, *pcr_after_hex;
84 chunk_t measurement, pcr_before, pcr_after;
85 size_t hash_size, pcr_len;
86 pts_pcr_transform_t pcr_transform;
87 pts_meas_algorithms_t hash_algo;
88
89 switch (this->extended_pcr)
90 {
91 case 0:
92 /* dummy data since currently the TBOOT log is not retrieved */
93 time(&this->measurement_time);
94 meas_hex = lib->settings->get_str(lib->settings,
95 "libimcv.plugins.imc-attestation.pcr17_meas", NULL);
96 pcr_before_hex = lib->settings->get_str(lib->settings,
97 "libimcv.plugins.imc-attestation.pcr17_before", NULL);
98 pcr_after_hex = lib->settings->get_str(lib->settings,
99 "libimcv.plugins.imc-attestation.pcr17_after", NULL);
100 this->extended_pcr = PCR_TBOOT_POLICY;
101 break;
102 case PCR_TBOOT_POLICY:
103 /* dummy data since currently the TBOOT log is not retrieved */
104 meas_hex = lib->settings->get_str(lib->settings,
105 "libimcv.plugins.imc-attestation.pcr18_meas", NULL);
106 pcr_before_hex = lib->settings->get_str(lib->settings,
107 "libimcv.plugins.imc-attestation.pcr18_before", NULL);
108 pcr_after_hex = lib->settings->get_str(lib->settings,
109 "libimcv.plugins.imc-attestation.pcr18_after", NULL);
110 this->extended_pcr = PCR_TBOOT_MLE;
111 break;
112 default:
113 return FAILED;
114 }
115
116 hash_algo = pts->get_meas_algorithm(pts);
117 hash_size = pts_meas_algo_hash_size(hash_algo);
118 pcr_len = pts->get_pcr_len(pts);
119 pcr_transform = pts_meas_algo_to_pcr_transform(hash_algo, pcr_len);
120
121 /* get and check the measurement data */
122 measurement = chunk_from_hex(
123 chunk_create(meas_hex, strlen(meas_hex)), NULL);
124 pcr_before = chunk_from_hex(
125 chunk_create(pcr_before_hex, strlen(pcr_before_hex)), NULL);
126 pcr_after = chunk_from_hex(
127 chunk_create(pcr_after_hex, strlen(pcr_after_hex)), NULL);
128 if (pcr_before.len != pcr_len || pcr_after.len != pcr_len ||
129 measurement.len != hash_size)
130 {
131 DBG1(DBG_PTS, "TBOOT measurement or pcr data have the wrong size");
132 free(measurement.ptr);
133 free(pcr_before.ptr);
134 free(pcr_after.ptr);
135 return FAILED;
136 }
137
138 evid = *evidence = pts_comp_evidence_create(this->name->clone(this->name),
139 this->depth, this->extended_pcr,
140 hash_algo, pcr_transform,
141 this->measurement_time, measurement);
142 evid->set_pcr_info(evid, pcr_before, pcr_after);
143
144 return (this->extended_pcr == PCR_TBOOT_MLE) ? SUCCESS : NEED_MORE;
145 }
146
147 METHOD(pts_component_t, verify, status_t,
148 pts_ita_comp_tboot_t *this, pts_t *pts, pts_database_t *pts_db,
149 pts_comp_evidence_t *evidence)
150 {
151 bool has_pcr_info;
152 u_int32_t extended_pcr;
153 pts_meas_algorithms_t algo;
154 pts_pcr_transform_t transform;
155 time_t measurement_time;
156 chunk_t measurement, pcr_before, pcr_after, hash;
157 enumerator_t *enumerator;
158 char *file, *platform_info;
159 status_t status = NOT_FOUND;
160
161 platform_info = pts->get_platform_info(pts);
162 if (!pts_db || !platform_info)
163 {
164 DBG1(DBG_PTS, "%s%s%s not available",
165 (pts_db) ? "" : "pts database",
166 (!pts_db && !platform_info) ? "and" : "",
167 (platform_info) ? "" : "platform info");
168 return FAILED;
169 }
170
171 switch (this->extended_pcr)
172 {
173 case 0:
174 this->extended_pcr = PCR_TBOOT_POLICY;
175 file = "pcr17";
176 break;
177 case PCR_TBOOT_POLICY:
178 this->extended_pcr = PCR_TBOOT_MLE;
179 file = "pcr18";
180 break;
181 default:
182 return FAILED;
183 }
184
185 measurement = evidence->get_measurement(evidence, &extended_pcr,
186 &algo, &transform, &measurement_time);
187 if (extended_pcr != this->extended_pcr)
188 {
189 DBG1(DBG_PTS, "expected PCR %2d but received measurement for PCR %2d",
190 this->extended_pcr, extended_pcr);
191 return FAILED;
192 }
193
194 /* check measurement in database */
195 enumerator = pts_db->create_comp_hash_enumerator(pts_db, file,
196 platform_info, this->name, TRUSTED_HASH_ALGO);
197 while (enumerator->enumerate(enumerator, &hash))
198 {
199 if (chunk_equals(hash, measurement))
200 {
201 DBG2(DBG_PTS, "PCR %2d matching TBOOT component measurement "
202 "found in database", this->extended_pcr);
203 status = SUCCESS;
204 break;
205 }
206 else
207 {
208 DBG1(DBG_PTS, "PCR %2d no matching TBOOT component measurement "
209 "found in database", this->extended_pcr);
210 DBG1(DBG_PTS, " expected: %#B", &hash);
211 DBG1(DBG_PTS, " received: %#B", &measurement);
212 status = FAILED;
213 break;
214 }
215 }
216 enumerator->destroy(enumerator);
217
218 if (status == NOT_FOUND)
219 {
220 DBG1(DBG_PTS, "PCR %2d no measurement found in database",
221 this->extended_pcr);
222 return FAILED;
223 }
224
225 has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
226 if (has_pcr_info)
227 {
228 if (!pts->add_pcr(pts, extended_pcr, pcr_before, pcr_after))
229 {
230 return FAILED;
231 }
232 }
233
234 return (this->extended_pcr == PCR_TBOOT_MLE) ? SUCCESS : NEED_MORE;
235 }
236
237 METHOD(pts_component_t, destroy, void,
238 pts_ita_comp_tboot_t *this)
239 {
240 this->name->destroy(this->name);
241 free(this);
242 }
243
244 /**
245 * See header
246 */
247 pts_component_t *pts_ita_comp_tboot_create(u_int8_t qualifier, u_int32_t depth)
248 {
249 pts_ita_comp_tboot_t *this;
250
251 INIT(this,
252 .public = {
253 .get_comp_func_name = _get_comp_func_name,
254 .get_evidence_flags = _get_evidence_flags,
255 .get_depth = _get_depth,
256 .measure = _measure,
257 .verify = _verify,
258 .destroy = _destroy,
259 },
260 .name = pts_comp_func_name_create(PEN_ITA, PTS_ITA_COMP_FUNC_NAME_TBOOT,
261 qualifier),
262 .depth = depth,
263 );
264
265 return &this->public;
266 }
267