#include "imc_attestation_process.h"
#include <ietf/ietf_attr_pa_tnc_error.h>
+
+#include <libpts.h>
#include <pts/pts.h>
#include <tcg/tcg_pts_attr_proto_caps.h>
#define DEFAULT_NONCE_LEN 20
-/**
- * Set parameters of Simple Component Evidence
- */
-static bool set_simple_comp_evid_params(pts_t *pts, pts_comp_func_name_t *name,
- u_int8_t sequence, tcg_pts_attr_simple_comp_evid_params_t *out)
-{
- tcg_pts_attr_simple_comp_evid_params_t params;
- time_t measurement_time_t;
- struct tm *time_now;
- char *utc_time;
-
- params.name = name;
- params.pcr_info_included = TRUE;
- params.flags = PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID;
- params.depth = 0;
-
- /* The measurements done by tboot and trustedGRUB are SHA1 hashes */
- params.hash_algorithm = TRUSTED_HASH_ALGO;
- params.transformation = PTS_PCR_TRANSFORM_NO;
-
- measurement_time_t = time(NULL);
- if (!measurement_time_t)
- {
- params.measurement_time = chunk_create("0000-00-00T00:00:00Z", 20);
- params.measurement_time = chunk_clone(params.measurement_time);
- }
- else
- {
- time_now = localtime(&measurement_time_t);
- if (asprintf(&utc_time,
- "%d-%.2d-%.2dT%.2d:%.2d:%.2dZ",
- time_now->tm_year + 1900,
- time_now->tm_mon + 1,
- time_now->tm_mday,
- time_now->tm_hour,
- time_now->tm_min,
- time_now->tm_sec) < 0)
- {
- DBG1(DBG_IMC, "could not format local time to UTC");
- return FALSE;
- }
- params.measurement_time = chunk_create(utc_time, 20);
- params.measurement_time = chunk_clone(params.measurement_time);
- free(utc_time);
- }
-
- params.policy_uri = chunk_empty;
-
- /* Provisional/temporal implementation for components except tboot */
- if (params.name->get_name(params.name) == PTS_ITA_COMP_FUNC_NAME_TGRUB)
- {
- params.extended_pcr = PCR_DEBUG;
-
- params.measurement = chunk_alloc(HASH_SIZE_SHA1);
- memset(params.measurement.ptr, 0, HASH_SIZE_SHA1);
-
- params.pcr_before = chunk_alloc(PCR_LEN);
- memset(params.pcr_before.ptr, 0, PCR_LEN);
-
- if(!pts->read_pcr(pts, params.extended_pcr, ¶ms.pcr_after))
- {
- DBG1(DBG_IMC, "error occured while reading PCR: %d",
- params.extended_pcr);
- return FALSE;
- }
- }
- /* Set parameters which varies from component to component */
- else if (params.name->get_name(params.name) == PTS_ITA_COMP_FUNC_NAME_TBOOT)
- {
- char *measurement, *pcr_before, *pcr_after;
-
- if (sequence == 1)
- {
- params.extended_pcr = PCR_TBOOT_POLICY;
- measurement = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr17_meas", NULL);
- pcr_before = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr17_before", NULL);
- pcr_after = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr17_after", NULL);
- }
- else
- {
- params.extended_pcr = PCR_TBOOT_MLE;
- measurement = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr18_meas", NULL);
- pcr_before = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr18_before", NULL);
- pcr_after = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imc-attestation.pcr18_after", NULL);
- }
-
- if (!measurement || !pcr_before || !pcr_after)
- {
- DBG1(DBG_IMC, "tboot: configure measurement, before and after value"
- " for PCR%d", params.extended_pcr);
- return FALSE;
- }
-
- params.measurement = chunk_from_hex(
- chunk_create(measurement, strlen(measurement)), NULL);
- params.pcr_before = chunk_from_hex(
- chunk_create(pcr_before, strlen(pcr_before)), NULL);
- params.pcr_after = chunk_from_hex(
- chunk_create(pcr_after, strlen(pcr_after)), NULL);
-
- }
- else
- {
- DBG1(DBG_IMC, "unsupported Functional Component Name: Vendor ID: %d"
- " Name: %d, Qualifier: %d",
- params.name->get_vendor_id(params.name),
- params.name->get_name(params.name),
- params.name->get_qualifier(params.name));
- return FALSE;
- }
-
- *out = params;
- return TRUE;
-}
-
bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
imc_attestation_state_t *attestation_state,
pts_meas_algorithms_t supported_algorithms,
- pts_dh_group_t supported_dh_groups,
- linked_list_t *evidences)
+ pts_dh_group_t supported_dh_groups)
{
chunk_t attr_info;
pts_t *pts;
tcg_pts_attr_req_func_comp_evid_t *attr_cast;
pts_proto_caps_flag_t negotiated_caps;
pts_comp_func_name_t *name;
+ pts_comp_evidence_t *evid;
+ pts_component_t *comp;
u_int32_t depth;
u_int8_t flags;
+ status_t status;
enumerator_t *e;
attr_info = attr->get_value(attr);
e = attr_cast->create_enumerator(attr_cast);
while (e->enumerate(e, &flags, &depth, &name))
{
- name->log(name, " ");
+ name->log(name, "* ");
negotiated_caps = pts->get_proto_caps(pts);
if (flags & PTS_REQ_FUNC_COMP_FLAG_TTC)
attr_list->insert_last(attr_list, attr);
break;
}
- if (depth != 0)
+ if (depth > 0)
{
- DBG1(DBG_IMC, "current version of Attestation IMC does not "
- "support sub component measurement deeper than "
- "zero. Measuring top level component only.");
+ DBG1(DBG_IMC, "the Attestation IMC currently does not "
+ "support sub component measurements");
return FALSE;
}
-
- /* Check if Unknown or Wildcard was set for qualifier */
- if (name->get_qualifier(name) & PTS_QUALIFIER_WILDCARD)
- {
- DBG2(DBG_IMC, "wildcard was set for the qualifier of functional"
- " component. Identifying the component with "
- "name binary enumeration");
- }
- else if (name->get_qualifier(name) & PTS_QUALIFIER_UNKNOWN)
+ name = name->clone(name);
+ comp = pts_components->create(pts_components, name);
+ if (!comp)
{
- DBG2(DBG_IMC, "unknown was set for the qualifier of functional"
- " component. Identifying the component with "
- "name binary enumeration");
+ DBG2(DBG_IMC, " not registered: no evidence provided");
+ name->destroy(name);
+ continue;
}
- else if ((name->get_qualifier(name) >> PTS_ITA_QUALIFIER_TYPE_SIZE)
- & PTS_ITA_QUALIFIER_TYPE_TRUSTED)
- {
- tcg_pts_attr_simple_comp_evid_params_t params;
- if (name->get_name(name) == PTS_ITA_COMP_FUNC_NAME_TBOOT)
- {
- u_int8_t i;
- for (i = 1; i <= TBOOT_SEQUENCE_COUNT; i++)
- {
- /* Set parameters of Simple Component Evidence */
- if (!set_simple_comp_evid_params(pts, name, i, ¶ms))
- {
- DBG1(DBG_IMC, "error occured while setting "
- " parameters for Simple Component Evidence");
- return FALSE;
- }
- /* Buffer Simple Component Evidence attribute */
- attr = tcg_pts_attr_simple_comp_evid_create(params);
- evidences->insert_last(evidences, attr);
-
- }
- break;
- }
- else
+ /* do the component evidence measurement[s] */
+ do
+ {
+ status = comp->measure(comp, pts, &evid);
+ if (status == FAILED)
{
- /* Set parameters of Simple Component Evidence */
- if (!set_simple_comp_evid_params(pts, name, 0, ¶ms))
- {
- DBG1(DBG_IMC, "error occured while setting parameters"
- "for Simple Component Evidence");
- return FALSE;
- }
-
- /* Buffer Simple Component Evidence attribute */
- attr = tcg_pts_attr_simple_comp_evid_create(params);
- evidences->insert_last(evidences, attr);
-
break;
}
+ attestation_state->add_evidence(attestation_state, evid);
}
- else
- {
- DBG1(DBG_IMC, "Functional Component with unsupported type: %d"
- "was requested for evidence",
- (name->get_qualifier(name) >> PTS_ITA_QUALIFIER_TYPE_SIZE));
- break;
- }
+ while (status == NEED_MORE);
+ comp->destroy(comp);
}
e->destroy(e);
break;
}
case TCG_PTS_GEN_ATTEST_EVID:
{
- enumerator_t *e;
pts_simple_evid_final_flag_t flags;
pts_meas_algorithms_t composite_algorithm = 0;
+ pts_comp_evidence_t *evidence;
chunk_t pcr_composite, quote_signature;
- u_int32_t num_of_evidences, i = 0;
+ u_int32_t i, evid_count, extended_pcr;
u_int32_t *pcrs;
bool use_quote2;
/* Send buffered Simple Component Evidences */
- num_of_evidences = evidences->get_count(evidences);
- pcrs = (u_int32_t*)malloc(sizeof(u_int32_t)*num_of_evidences);
+ evid_count = attestation_state->get_evid_count(attestation_state);
+ pcrs = (u_int32_t*)malloc(sizeof(u_int32_t)*evid_count);
- e = evidences->create_enumerator(evidences);
- while (e->enumerate(e, &attr))
+ for (i = 0; i < evid_count; i++)
{
- tcg_pts_attr_simple_comp_evid_t *attr_cast;
- u_int32_t extended_pcr;
-
- attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
- extended_pcr = attr_cast->get_extended_pcr(attr_cast);
+ evidence = attestation_state->next_evidence(attestation_state);
+ extended_pcr = evidence->get_extended_pcr(evidence);
- /* Add extended PCR number to PCR list to quote */
- /* Duplicated PCR numbers have no influence */
+ /**
+ * Add extended PCR number to PCR list to quote
+ * Duplicated PCR numbers have no influence
+ */
pcrs[i] = extended_pcr;
- i++;
- /* Send Simple Compoenent Evidence */
+
+ /* Send Simple Component Evidence */
+ attr = tcg_pts_attr_simple_comp_evid_create(evidence);
attr_list->insert_last(attr_list, attr);
}
FALSE : TRUE;
/* Quote */
- if (!pts->quote_tpm(pts, use_quote2, pcrs, num_of_evidences,
+ if (!pts->quote_tpm(pts, use_quote2, pcrs, evid_count,
&pcr_composite, "e_signature))
{
DBG1(DBG_IMC, "error occured during TPM quote operation");
- DESTROY_IF(e);
- DESTROY_IF(evidences);
return FALSE;
}
composite_algorithm, pcr_composite,
quote_signature, chunk_empty);
attr_list->insert_last(attr_list, attr);
-
- DESTROY_IF(e);
- DESTROY_IF(evidences);
-
break;
}
/* TODO: Not implemented yet */
projects / strongswan.git / blobdiff