Defined functional components within ITA namespace
authorSansar Choinyambuu <schoinya@hsr.ch>
Wed, 2 Nov 2011 15:38:06 +0000 (16:38 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 28 Nov 2011 13:39:53 +0000 (14:39 +0100)
Implemented handling of functional components evidence request/response

src/libimcv/plugins/imc_attestation/imc_attestation_process.c
src/libimcv/plugins/imv_attestation/imv_attestation_build.c
src/libimcv/plugins/imv_attestation/imv_attestation_process.c
src/libpts/pts/pts.c
src/libpts/pts/pts.h
src/libpts/pts/pts_funct_comp_name.h
src/libpts/tcg/tcg_pts_attr_req_funct_comp_evid.c
src/libpts/tcg/tcg_pts_attr_req_funct_comp_evid.h
src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c
src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h
src/libpts/tcg/tcg_pts_attr_simple_evid_final.c

index 8748202..3975009 100644 (file)
 #include <debug.h>
 
 #define DEFAULT_NONCE_LEN              20
-#define EXTEND_PCR                             16
+
+/**
+ * Set parameters of Simple Component Evidence
+ */
+static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name,
+                                                               tcg_pts_attr_simple_comp_evid_params_t *out)
+{
+       tcg_pts_attr_simple_comp_evid_params_t params;
+       pts_qualifier_t qualifier;
+       time_t measurement_time_t;
+       struct tm *time_now;
+       char *utc_time;
+
+       params.name = name;
+       params.pcr_info_included = TRUE;
+       params.flags = PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID;
+       params.depth = 0;
+       params.vendor_id = PEN_ITA;
+
+       qualifier.kernel = FALSE;
+       qualifier.sub_component = FALSE;
+       qualifier.type = PTS_ITA_FUNC_COMP_TYPE_TRUSTED;
+       params.qualifier = qualifier;
+       /* The measurements done by tboot and trustedGRUB are SHA1 hashes */
+       params.hash_algorithm = TRUSTED_HASH_ALGO;
+       params.transformation = PTS_PCR_TRANSFORM_NO;
+
+       measurement_time_t = time(NULL);
+       if (!measurement_time_t)
+       {
+               params.measurement_time = chunk_create("0000-00-00T00:00:00Z", 20);
+               params.measurement_time = chunk_clone(params.measurement_time);
+       }
+       else
+       {
+               time_now = localtime(&measurement_time_t);
+               if (asprintf(&utc_time,
+                       "%d-%2.2d-%2.2dT%2.2d:%2.2d:%2.2dZ",
+                       time_now->tm_year + 1900,
+                       time_now->tm_mon + 1,
+                       time_now->tm_mday,
+                       time_now->tm_hour,
+                       time_now->tm_min,
+                       time_now->tm_sec) < 0)
+               {
+                       DBG1(DBG_IMC, "could not format local time to UTC");
+                       return FALSE;
+               }
+               params.measurement_time = chunk_create(utc_time, 20);
+               params.measurement_time = chunk_clone(params.measurement_time);
+               free(utc_time);
+       }
+       params.policy_uri = chunk_empty;
+       params.measurement = chunk_empty;
+       
+       params.pcr_before = chunk_alloc(PCR_LEN);
+       memset(params.pcr_before.ptr, 0, PCR_LEN);
+       
+       /* Set extended PCR, which varies from component to component */
+       if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY)
+       {
+               params.extended_pcr = PCR_TBOOT_POLICY;
+       }
+       else if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE)
+       {
+               params.extended_pcr = PCR_TBOOT_MLE;
+       }
+       else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_MBR_STAGE1)
+       {
+               params.extended_pcr = PCR_TGRUB_MBR_STAGE1;
+       }
+       else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART1)
+       {
+               params.extended_pcr = PCR_TGRUB_STAGE2_PART1;
+       }
+       else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART2)
+       {
+               params.extended_pcr = PCR_TGRUB_STAGE2_PART2;
+       }
+       else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_CMD_LINE_ARGS)
+       {
+               params.extended_pcr = PCR_TGRUB_CMD_LINE_ARGS;
+       }
+       else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_CHECKFILE)
+       {
+               params.extended_pcr = PCR_TGRUB_CHECKFILE;
+       }
+       else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_LOADED_FILES)
+       {
+               params.extended_pcr = PCR_TGRUB_LOADED_FILES;
+       }
+       else
+       {
+               DBG1(DBG_IMC, "unsupported Functional Component Name: %d", params.name);
+               return FALSE;
+       }
+       
+       *out = params;
+       return TRUE;
+}
 
 bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                                         imc_attestation_state_t *attestation_state,
@@ -219,7 +318,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        u_int32_t comp_name_vendor_id;
                        u_int8_t family;
                        pts_qualifier_t qualifier;
-                       pts_funct_comp_name_t name;
+                       pts_ita_funct_comp_name_t name;
 
                        attr_info = attr->get_value(attr);
                        attr_cast = (tcg_pts_attr_req_funct_comp_evid_t*)attr;
@@ -259,21 +358,21 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        }
 
                        sub_comp_depth = attr_cast->get_sub_component_depth(attr_cast);
-                       /* TODO: Implement checking of components with its sub-components */
                        if (sub_comp_depth != 0)
                        {
                                DBG1(DBG_IMC, "current version of Attestation IMC does not "
                                                          "support sub component measurement deeper than "
                                                          "zero. Measuring top level component only.");
+                               return FALSE;
                        }
 
                        comp_name_vendor_id = attr_cast->get_comp_funct_name_vendor_id(
                                                                                                                                        attr_cast);
-                       if (comp_name_vendor_id != PEN_TCG)
+                       if (comp_name_vendor_id != PEN_ITA)
                        {
                                DBG1(DBG_IMC, "current version of Attestation IMC supports"
-                                                         "only functional component namings by TCG ");
-                               break;
+                                               "only functional component namings by ITA");
+                               return FALSE;
                        }
 
                        family = attr_cast->get_family(attr_cast);
@@ -289,152 +388,51 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
                        /* Check if Unknown or Wildcard was set for qualifier */
                        if (qualifier.kernel && qualifier.sub_component &&
-                          (qualifier.type & PTS_FUNC_COMP_TYPE_ALL))
+                          (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_ALL))
                        {
                                DBG2(DBG_IMC, "wildcard was set for the qualifier of functional"
                                        " component. Identifying the component with "
                                        "name binary enumeration");
                        }
                        else if (!qualifier.kernel && !qualifier.sub_component &&
-                                       (qualifier.type & PTS_FUNC_COMP_TYPE_UNKNOWN))
+                                       (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_UNKNOWN))
                        {
                                DBG2(DBG_IMC, "unknown was set for the qualifier of functional"
                                        " component. Identifying the component with "
                                        "name binary enumeration");
                        }
-                       else
+                       else if (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_TRUSTED)
                        {
-                               /* TODO: Implement what todo with received qualifier */
-                       }
+                               tcg_pts_attr_simple_comp_evid_params_t params;
 
-                       name = attr_cast->get_comp_funct_name(attr_cast);
-                       switch (name)
-                       {
-                               case PTS_FUNC_COMP_NAME_BIOS:
+                               /* Set parameters of Simple Component Evidence */
+                               name = attr_cast->get_comp_funct_name(attr_cast);
+                               if (!set_simple_comp_evid_params(name, &params))
                                {
-                                       tcg_pts_attr_simple_comp_evid_params_t params;
-                                       pts_qualifier_t qualifier;
-                                       time_t measurement_time_t;
-                                       struct tm *time_now;
-                                       char *utc_time;
-                                       hasher_t *hasher;
-                                       u_char hash_output[HASH_SIZE_SHA384];
-                                       hash_algorithm_t hash_alg;
-
-                                       /* TODO: Implement BIOS measurement */
-                                       DBG1(DBG_IMC, "experimental implementation:"
-                                                                " Extend TPM with etc/tnc_config file");
-                                       params.pcr_info_included = TRUE;
-                                       params.flags = PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID;
-                                       params.depth = 0;
-                                       params.vendor_id = PEN_TCG;
-                                                       
-                                       qualifier.kernel = FALSE;
-                                       qualifier.sub_component = FALSE;
-                                       qualifier.type = PTS_FUNC_COMP_TYPE_TNC;
-                                       params.qualifier = qualifier;
-                                                       
-                                       params.name = PTS_FUNC_COMP_NAME_BIOS;
-                                       params.extended_pcr = EXTEND_PCR;
-                                       params.hash_algorithm = pts->get_meas_algorithm(pts);
-
-                                       if (!params.pcr_info_included)
-                                       {
-                                               params.transformation = PTS_PCR_TRANSFORM_NO;
-                                       }
-                                       else if (pts->get_meas_algorithm(pts) & PTS_MEAS_ALGO_SHA1)
-                                       {
-                                               params.transformation = PTS_PCR_TRANSFORM_MATCH;
-                                       }
-                                       else if (pts->get_meas_algorithm(pts) & PTS_MEAS_ALGO_SHA256)
-                                       {
-                                               params.transformation = PTS_PCR_TRANSFORM_LONG;
-                                       }
-                                                       
-                                       /* Create a hasher */
-                                       hash_alg = pts_meas_algo_to_hash(pts->get_meas_algorithm(pts));
-                                       hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
-                                       if (!hasher)
-                                       {
-                                               DBG1(DBG_IMC, "  hasher %N not available",
-                                                        hash_algorithm_names, hash_alg);
-                                               return FALSE;
-                                       }
-
-                                       if (!pts->hash_file(pts, hasher, "/etc/tnc_config",
-                                               hash_output))
-                                       {
-                                               hasher->destroy(hasher);
-                                               return FALSE;
-                                       }
-                                               
-                                       measurement_time_t = time(NULL);
-                                       if (!measurement_time_t)
-                                       {
-                                               params.measurement_time = chunk_create(
-                                                       "0000-00-00T00:00:00Z", 20);
-                                       }
-                                       else
-                                       {
-                                               time_now = localtime(&measurement_time_t);
-                                               if (asprintf(&utc_time,
-                                                               "%d-%2.2d-%2.2dT%2.2d:%2.2d:%2.2dZ",
-                                                               time_now->tm_year + 1900,
-                                                               time_now->tm_mon + 1,
-                                                               time_now->tm_mday,
-                                                               time_now->tm_hour,
-                                                               time_now->tm_min,
-                                                               time_now->tm_sec) < 0)
-                                               {
-                                                       DBG1(DBG_IMC, "could not format local time to UTC");
-                                                       hasher->destroy(hasher);
-                                                       return FALSE;
-                                               }
-                                               params.measurement_time = chunk_create(utc_time, 20);
-                                               params.measurement_time = chunk_clone(
-                                                       params.measurement_time);
-                                               free(utc_time);
-                                               
-                                       }
-                                               
-                                       params.measurement = chunk_create(hash_output,
-                                                                                       hasher->get_hash_size(hasher));
-                                       hasher->destroy(hasher);
-                                                       
-                                       params.policy_uri = chunk_empty;
-                                       if (!pts->read_pcr(pts, EXTEND_PCR, &params.pcr_before))
-                                       {
-                                               DBG1(DBG_IMC, "error occured while reading PCR: %d",
-                                                        EXTEND_PCR);
-                                               return FALSE;
-                                       }
-                                                       
-                                       if (!pts->extend_pcr(pts, EXTEND_PCR,
-                                               params.measurement, &params.pcr_after))
-                                       {
-                                               DBG1(DBG_IMC, "error occured while extending PCR: %d",
-                                                        EXTEND_PCR);
-                                               return FALSE;
-                                       }
-
-                                       /* Buffer Simple Component Evidence attribute */
-                                       attr = tcg_pts_attr_simple_comp_evid_create(params);
-                                       evidences->insert_last(evidences, attr);
-                                               
-                                       break;
+                                       DBG1(DBG_IMC, "error occured while setting parameters"
+                                                                 "for Simple Component Evidence");
+                                       return FALSE;
                                }
-                               case PTS_FUNC_COMP_NAME_IGNORE:
-                               case PTS_FUNC_COMP_NAME_CRTM:
-                               case PTS_FUNC_COMP_NAME_PLATFORM_EXT:
-                               case PTS_FUNC_COMP_NAME_BOARD:
-                               case PTS_FUNC_COMP_NAME_INIT_LOADER:
-                               case PTS_FUNC_COMP_NAME_OPT_ROMS:
-                               default:
+                               
+                               if (!pts->read_pcr(pts, params.extended_pcr, &params.pcr_after))
                                {
-                                       DBG1(DBG_IMC, "unsupported Functional Component Name");
-                                       break;
+                                       DBG1(DBG_IMC, "error occured while reading PCR: %d",
+                                                params.extended_pcr);
+                                       return FALSE;
                                }
+                               
+                               /* Buffer Simple Component Evidence attribute */
+                               attr = tcg_pts_attr_simple_comp_evid_create(params);
+                               evidences->insert_last(evidences, attr);
+                               break;
+                       }
+                       else
+                       {
+                               DBG1(DBG_IMC, "Functional Component with unsupported type: %d"
+                                       "was requested for evidence", qualifier.type);
+                               break;
                        }
+
                        break;
                }
                case TCG_PTS_GEN_ATTEST_EVID:
index 6837073..ed5c359 100644 (file)
@@ -210,7 +210,7 @@ bool imv_attestation_build(pa_tnc_msg_t *msg,
                        pts_attr_req_funct_comp_evid_flag_t flags;
                        u_int32_t sub_comp_depth;
                        pts_qualifier_t qualifier;
-                       pts_funct_comp_name_t name;
+                       pts_ita_funct_comp_name_t name;
 
                        attestation_state->set_handshake_state(attestation_state,
                                                                                IMV_ATTESTATION_STATE_END);
@@ -219,14 +219,22 @@ bool imv_attestation_build(pa_tnc_msg_t *msg,
                        sub_comp_depth = 0;
                        qualifier.kernel = FALSE;
                        qualifier.sub_component = FALSE;
-                       qualifier.type = PTS_FUNC_COMP_TYPE_ALL;
-                       name = PTS_FUNC_COMP_NAME_BIOS;
+                       qualifier.type = PTS_ITA_FUNC_COMP_TYPE_TRUSTED;
 
                        /* Send Request Functional Component Evidence attribute */
+                       name = PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART1;
                        attr = tcg_pts_attr_req_funct_comp_evid_create(flags,
-                                                                       sub_comp_depth, PEN_TCG, qualifier, name);
+                                                                       sub_comp_depth, PEN_ITA, qualifier, name);
                        attr->set_noskip_flag(attr, TRUE);
                        msg->add_attribute(msg, attr);
+                       
+                       /* Send Request Functional Component Evidence attribute */
+                       name = PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART2;
+                       attr = tcg_pts_attr_req_funct_comp_evid_create(flags,
+                                                                       sub_comp_depth, PEN_ITA, qualifier, name);
+                       attr->set_noskip_flag(attr, TRUE);
+                       msg->add_attribute(msg, attr);
+                       
                        /* Send Generate Attestation Evidence attribute */
                        attr = tcg_pts_attr_gen_attest_evid_create();
                        attr->set_noskip_flag(attr, TRUE);
index 1ba627e..5e6f8bc 100644 (file)
@@ -185,7 +185,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        u_int32_t depth, comp_vendor_id, extended_pcr;
                        u_int8_t family, measurement_type;
                        pts_qualifier_t qualifier;
-                       pts_funct_comp_name_t name;
+                       pts_ita_funct_comp_name_t name;
                        pts_meas_algorithms_t hash_algorithm;
                        pts_pcr_transform_t transformation;
                        chunk_t measurement_time, policy_uri;
@@ -197,7 +197,6 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        pcr_info_inclided = attr_cast->is_pcr_info_included(attr_cast);
                        flags = attr_cast->get_flags(attr_cast);
                        depth = attr_cast->get_sub_component_depth(attr_cast);
-                       /* TODO: Implement check of components with its sub-components */
                        if (depth != 0)
                        {
                                DBG1(DBG_IMV, "Current version of Attestation IMV does not"
@@ -205,10 +204,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        }
                        comp_vendor_id = attr_cast->get_spec_comp_funct_name_vendor_id(
                                                                                                                attr_cast);
-                       if (comp_vendor_id != PEN_TCG)
+                       if (comp_vendor_id != PEN_ITA)
                        {
                                DBG1(DBG_IMV, "Current version of Attestation IMV supports"
-                                                         "only functional component namings by TCG ");
+                                                         "only functional component namings by ITA ");
                                break;
                        }
                        family = attr_cast->get_family(attr_cast);
@@ -223,24 +222,20 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
                        /* Check if Unknown or Wildcard was set for qualifier */
                        if (qualifier.kernel && qualifier.sub_component &&
-                          (qualifier.type & PTS_FUNC_COMP_TYPE_ALL))
+                          (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_ALL))
                        {
                                DBG1(DBG_IMV, "Wildcard was set for the qualifier "
                                                          "of functional component");
                                return FALSE;
                        }
                        else if (!qualifier.kernel && !qualifier.sub_component &&
-                                       (qualifier.type & PTS_FUNC_COMP_TYPE_UNKNOWN))
+                                       (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_UNKNOWN))
                        {
                                DBG1(DBG_IMV, "Unknown feature was set for the qualifier "
                                                          "of functional component");
                                return FALSE;
                        }
-                       else
-                       {
-                               /* TODO: Implement what todo with received qualifier */
-                       }
-                                       
+
                        name = attr_cast->get_comp_funct_name(attr_cast);
                        measurement_type = attr_cast->get_measurement_type(attr_cast);
                        hash_algorithm = attr_cast->get_hash_algorithm(attr_cast);
@@ -257,18 +252,17 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                pcr_after = attr_cast->get_pcr_after_value(attr_cast);
                                measurement = attr_cast->get_comp_measurement(attr_cast);
 
-                               DBG4(DBG_IMV,"PCR: %d was extended with %B",
+                               DBG3(DBG_IMV,"PCR: %d was extended with %B",
                                         extended_pcr, &measurement);
-                               DBG4(DBG_IMV,"PCR: %d before value: %B",
+                               DBG3(DBG_IMV,"PCR: %d before value: %B",
                                         extended_pcr, &pcr_before);
-                               DBG4(DBG_IMV,"PCR: %d after value: %B",
+                               DBG3(DBG_IMV,"PCR: %d after value: %B",
                                         extended_pcr, &pcr_after);
 
                                entry = malloc_thing(pcr_entry_t);
                                entry->pcr_number = extended_pcr;
-                               strncpy(entry->pcr_value, pcr_after.ptr, PCR_LEN);
+                               memcpy(entry->pcr_value, pcr_after.ptr, PCR_LEN);
                                pts->add_pcr_entry(pts, entry);
-                               
                        }
                        if (flags != PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID)
                        {
@@ -308,11 +302,18 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        }
                        if (flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO)
                        {
-                               chunk_t pcr_composite, quote_info, quote_digest;
-                               hasher_t *hasher;
+                               chunk_t pcr_composite, quote_info;
                                pcr_comp = attr_cast->get_pcr_comp(attr_cast);
                                tpm_quote_sign = attr_cast->get_tpm_quote_sign(attr_cast);
 
+                               if (!pcr_comp.ptr || !tpm_quote_sign.ptr)
+                               {
+                                       DBG1(DBG_IMV, "PCR composite: %B", &pcr_comp);
+                                       DBG1(DBG_IMV, "TPM Quote Signature: %B", &tpm_quote_sign);
+                                       DBG1(DBG_IMV, "Either PCR Composite or Quote Signature missing");
+                                       return FALSE;
+                               }
+                               
                                /* Construct PCR Composite and TPM Quote Info structures*/
                                if (!pts->get_quote_info(pts, composite_algorithm,
                                        &pcr_composite, &quote_info))
@@ -320,9 +321,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                        DBG1(DBG_IMV, "unable to contruct TPM Quote Info");
                                        return FALSE;
                                }
-
+                               
                                /* Check calculated PCR composite matches with received */
-                               if (pcr_comp.ptr && !chunk_equals(pcr_comp, pcr_composite))
+                               if (!chunk_equals(pcr_comp, pcr_composite))
                                {
                                        DBG1(DBG_IMV, "received PCR Compsosite didn't match"
                                                                  " with constructed");
@@ -332,24 +333,16 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                }
                                DBG2(DBG_IMV, "received PCR Composite matches with constructed");
                                chunk_clear(&pcr_composite);
-                               
-                               /* SHA1(TPM Quote Info) expected from IMC */
-                               hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-                               hasher->allocate_hash(hasher, quote_info, &quote_digest);
-                               hasher->destroy(hasher);
-                               chunk_clear(&quote_info);
-                               
-                               if (tpm_quote_sign.ptr &&
-                                       !pts->verify_quote_signature(pts, quote_digest,
-                                                                                                tpm_quote_sign))
+                                                               
+                               if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sign))
                                {
-                                       chunk_clear(&quote_digest);
+                                       chunk_clear(&quote_info);
                                        return FALSE;
                                }
                                
                                DBG2(DBG_IMV, "signature verification succeeded for "
                                                          "TPM Quote Info");
-                               chunk_clear(&quote_digest);
+                               chunk_clear(&quote_info);
                        }
                        
                        if (evid_signature_included)
index 9f36a76..9b490cd 100644 (file)
 #include <sys/utsname.h>
 #include <errno.h>
 
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-
 #define PTS_BUF_SIZE   4096
 
 typedef struct private_pts_t private_pts_t;
@@ -249,7 +245,7 @@ METHOD(pts_t, calculate_secret, bool,
                DBG1(DBG_PTS, "shared DH secret computation failed");
                return FALSE;
        }
-       DBG4(DBG_PTS, "shared DH secret: %B", &shared_secret);
+       DBG3(DBG_PTS, "shared DH secret: %B", &shared_secret);
 
        /* Calculate the secret assessment value */
        hash_alg = pts_meas_algo_to_hash(this->dh_hash_algorithm);
@@ -269,7 +265,7 @@ METHOD(pts_t, calculate_secret, bool,
         * argument of the TPM Quote command
         */
        this->secret.len = min(this->secret.len, 20);
-       DBG4(DBG_PTS, "secret assessment value: %B", &this->secret);
+       DBG3(DBG_PTS, "secret assessment value: %B", &this->secret);
        return TRUE;
 }
 
@@ -899,6 +895,9 @@ METHOD(pts_t, quote_tpm, bool,
        *pcr_composite = chunk_clone(*pcr_composite);
        DBG3(DBG_PTS, "Hash of PCR Composite: %B",pcr_composite);
 
+       chunk_t tmp = chunk_create(valData.rgbData, valData.ulDataLength);
+       DBG3(DBG_PTS, "TPM Quote Info: %B",&tmp);
+
        quote_sign = chunk_alloc(valData.ulValidationDataLength);
        memcpy(quote_sign.ptr, valData.rgbValidationData,
                                                          valData.ulValidationDataLength);
@@ -931,20 +930,6 @@ METHOD(pts_t, quote_tpm, bool,
        return FALSE;
 }
 
-/**
- * Comparison function for pcr_entry_t struct
- */
-static int pcr_entry_compare(const pcr_entry_t *a, const pcr_entry_t *b)
-{
-       return (a->pcr_number - b->pcr_number);
-}
-
-static int pcr_entry_compare_qsort(const void *a, const void *b)
-{
-       return pcr_entry_compare(*(const pcr_entry_t *const *)a
-                                                       , *(const pcr_entry_t *const *)b);
-}
-
 METHOD(pts_t, add_pcr_entry, void,
        private_pts_t *this, pcr_entry_t *new)
 {
@@ -961,7 +946,7 @@ METHOD(pts_t, add_pcr_entry, void,
        {
                if (entry->pcr_number == new->pcr_number)
                {
-                       DBG4(DBG_PTS, "updating already added PCR%d value",
+                       DBG3(DBG_PTS, "updating already added PCR%d value",
                                 entry->pcr_number);
                        this->pcrs->remove_at(this->pcrs, e);
                        free(entry);
@@ -969,11 +954,7 @@ METHOD(pts_t, add_pcr_entry, void,
                }
        }
        DESTROY_IF(e);
-
        this->pcrs->insert_last(this->pcrs, new);
-
-       qsort(this->pcrs, this->pcrs->get_count(this->pcrs),
-                 sizeof(pcr_entry_t *), pcr_entry_compare_qsort);
 }
 
 /**
@@ -1023,7 +1004,7 @@ METHOD(pts_t, get_quote_info, bool,
 
        pcr_composite_len = 2 + PCR_MASK_LEN + 4 +
                                                this->pcrs->get_count(this->pcrs) * PCR_LEN;
-
+       
        writer = bio_writer_create(pcr_composite_len);
        /* Lenght of the bist mask field */
        writer->write_uint16(writer, PCR_MASK_LEN);
@@ -1054,6 +1035,7 @@ METHOD(pts_t, get_quote_info, bool,
 
        /* PCR Composite structure */
        pcr_composite = chunk_clone(writer->get_buf(writer));
+       DBG3(DBG_PTS, "PCR Composite: %B", &pcr_composite);
        writer->destroy(writer);
 
        writer = bio_writer_create(TPM_QUOTE_INFO_LEN);
@@ -1079,13 +1061,13 @@ METHOD(pts_t, get_quote_info, bool,
 
                /* Hash the PCR Composite Structure */
                hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite);
-               DBG4(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite);
+               DBG3(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite);
                hasher->destroy(hasher);
        }
        else
        {
                *out_pcr_composite = chunk_clone(pcr_composite);
-               DBG4(DBG_PTS, "calculated PCR Composite: %B", out_pcr_composite);
+               DBG3(DBG_PTS, "calculated PCR Composite: %B", out_pcr_composite);
        }
 
        /* SHA1 hash of PCR Composite to construct TPM_QUOTE_INFO */
@@ -1109,7 +1091,7 @@ METHOD(pts_t, get_quote_info, bool,
        writer->write_data(writer, this->secret);
        /* TPM Quote Info */
        *out_quote_info = chunk_clone(writer->get_buf(writer));
-       DBG4(DBG_PTS, "Calculated TPM Quote Info: %B", out_quote_info);
+       DBG3(DBG_PTS, "Calculated TPM Quote Info: %B", out_quote_info);
        writer->destroy(writer);
 
        return TRUE;
@@ -1127,7 +1109,8 @@ METHOD(pts_t, verify_quote_signature, bool,
                return FALSE;
        }
 
-       if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_SHA1, data, signature))
+       if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1,
+               data, signature))
        {
                DBG1(DBG_PTS, "signature verification failed for TPM Quote Info");
                DESTROY_IF(aik_pub_key);
index 84175d7..79e3301 100644 (file)
@@ -41,6 +41,43 @@ typedef struct pcr_entry_t pcr_entry_t;
 #define REVERSE_SOLIDUS_UTF            0x5C
 
 /**
+ * PCR indices used for measurements of various functional components
+ */
+/** Commented the real PCR indices out, use just PCR16 for debugging
+#define PCR_BIOS                                               0
+#define PCR_PLATFORM_EXT                               1
+#define PCR_MOTHERBOARD                                        1
+#define PCR_OPTION_ROMS                                        2
+#define PCR_IPL                                                        4
+
+#define PCR_TBOOT_POLICY                               17
+#define PCR_TBOOT_MLE                                  18
+
+#define PCR_TGRUB_MBR_STAGE1                   4
+#define PCR_TGRUB_STAGE2_PART1                 8
+#define PCR_TGRUB_STAGE2_PART2                 9
+#define PCR_TGRUB_CMD_LINE_ARGS                        12
+#define PCR_TGRUB_CHECKFILE                            13
+#define PCR_TGRUB_LOADED_FILES                 14
+*/
+
+#define PCR_BIOS                                               16
+#define PCR_PLATFORM_EXT                               16
+#define PCR_MOTHERBOARD                                        16
+#define PCR_OPTION_ROMS                                        16
+#define PCR_IPL                                                        16
+
+#define PCR_TBOOT_POLICY                               16
+#define PCR_TBOOT_MLE                                  16
+
+#define PCR_TGRUB_MBR_STAGE1                   16
+#define PCR_TGRUB_STAGE2_PART1                 16
+#define PCR_TGRUB_STAGE2_PART2                 16
+#define PCR_TGRUB_CMD_LINE_ARGS                        16
+#define PCR_TGRUB_CHECKFILE                            16
+#define PCR_TGRUB_LOADED_FILES                 16
+
+/**
  * Length of the generated nonce used for calculation of shared secret
  */
 #define ASSESSMENT_SECRET_LEN  20
@@ -63,7 +100,12 @@ typedef struct pcr_entry_t pcr_entry_t;
 /**
  * Bitmask Lenght for PCR Composite structure
  */
-#define PCR_MASK_LEN                   MAX_NUM_PCR / 8
+#define PCR_MASK_LEN                   MAX_NUM_PCR/8
+
+/**
+ * Hashing algorithm used by tboot and trustedGRUB
+ */
+#define TRUSTED_HASH_ALGO              PTS_MEAS_ALGO_SHA1
 
 /**
  * PCR Entry structure which contains PCR number and current value
index 0926a2b..25b1028 100644 (file)
@@ -23,6 +23,8 @@
 
 typedef enum pts_funct_comp_type_t pts_funct_comp_type_t;
 typedef enum pts_funct_comp_name_t pts_funct_comp_name_t;
+typedef enum pts_ita_funct_comp_type_t pts_ita_funct_comp_type_t;
+typedef enum pts_ita_funct_comp_name_t pts_ita_funct_comp_name_t;
 typedef struct pts_qualifier_t pts_qualifier_t;
 
 /**
@@ -34,7 +36,7 @@ enum pts_funct_comp_type_t {
        /** Trusted Platform */
        PTS_FUNC_COMP_TYPE_TRUSTED =                     0x1,
        /** Operating System */
-       PTS_FUNC_COMP_TYPE_OS =                          0x2,
+       PTS_FUNC_COMP_TYPE_OS =                                 0x2,
        /** Graphical User Interface */
        PTS_FUNC_COMP_TYPE_GUI =                                 0x3,
        /** Application */
@@ -70,12 +72,47 @@ enum pts_funct_comp_name_t {
 };
 
 /**
+ * PTS Component Functional Type for Qualifier field in ITA namespace
+ */
+enum pts_ita_funct_comp_type_t {
+       /** Unknown */
+       PTS_ITA_FUNC_COMP_TYPE_UNKNOWN =                        0x0,
+       /** Trusted Platform */
+       PTS_ITA_FUNC_COMP_TYPE_TRUSTED =                        0x1,
+       /** All matching Components */
+       PTS_ITA_FUNC_COMP_TYPE_ALL =                            0xF,
+};
+
+/**
+ * PTS Component Functional Name Binary Enumeration in ITA namespace
+ */
+enum pts_ita_funct_comp_name_t {
+       /** Components measured into PCR17 during tboot */
+       PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY =                           0x0000,
+       /** Components measured into PCR18 during tboot */
+       PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE =                                      0x0001,
+       /** MBR information and stage1 during boot by trustedGRUB */
+       PTS_ITA_FUNC_COMP_NAME_TGRUB_MBR_STAGE1 =                       0x0002,
+       /** bootloader information stage2 part1 during boot by trustedGRUB */
+       PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART1 =                     0x0003,
+       /** bootloader information stage2 part2 during boot by trustedGRUB */
+       PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART2 =                     0x0004,
+       /** all commandline arguments from menu.lst and those entered in the shell
+        * during boot by trustedGRUB */
+       PTS_ITA_FUNC_COMP_NAME_TGRUB_CMD_LINE_ARGS =            0x0005,
+       /** all files checked via the checkfile-routine during boot by trustedGRUB */
+       PTS_ITA_FUNC_COMP_NAME_TGRUB_CHECKFILE =                        0x0006,
+       /** all files which are actually loaded during boot by trustedGRUB */
+       PTS_ITA_FUNC_COMP_NAME_TGRUB_LOADED_FILES =                     0x0007,
+};
+
+/**
  * Qualifier for Functional Component
  */
 struct pts_qualifier_t {
        bool      kernel;
        bool      sub_component;
-       pts_funct_comp_type_t  type;
+       pts_ita_funct_comp_type_t  type;
 };
 
 #endif /** PTS_FUNCT_COMP_NAME_H_ @}*/
index 716ec34..7f08f57 100644 (file)
@@ -123,7 +123,7 @@ struct private_tcg_pts_attr_req_funct_comp_evid_t {
        /**
         * Component Functional Name
         */
-       pts_funct_comp_name_t name;
+       pts_ita_funct_comp_name_t name;
 };
 
 METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
@@ -284,14 +284,14 @@ METHOD(tcg_pts_attr_req_funct_comp_evid_t, set_qualifier, void,
        this->qualifier = qualifier;
 }
 
-METHOD(tcg_pts_attr_req_funct_comp_evid_t, get_comp_funct_name, pts_funct_comp_name_t,
+METHOD(tcg_pts_attr_req_funct_comp_evid_t, get_comp_funct_name, pts_ita_funct_comp_name_t,
        private_tcg_pts_attr_req_funct_comp_evid_t *this)
 {
        return this->name;
 }
 
 METHOD(tcg_pts_attr_req_funct_comp_evid_t, set_comp_funct_name, void,
-       private_tcg_pts_attr_req_funct_comp_evid_t *this, pts_funct_comp_name_t name)
+       private_tcg_pts_attr_req_funct_comp_evid_t *this, pts_ita_funct_comp_name_t name)
 {
        this->name = name;
 }
@@ -303,7 +303,7 @@ pa_tnc_attr_t *tcg_pts_attr_req_funct_comp_evid_create(
                                                                        pts_attr_req_funct_comp_evid_flag_t flags,
                                                                        u_int32_t depth, u_int32_t vendor_id,
                                                                        pts_qualifier_t qualifier,
-                                                                       pts_funct_comp_name_t name)
+                                                                       pts_ita_funct_comp_name_t name)
 {
        private_tcg_pts_attr_req_funct_comp_evid_t *this;
 
index 215ce64..bddedb0 100644 (file)
@@ -109,7 +109,7 @@ struct tcg_pts_attr_req_funct_comp_evid_t {
         *
         * @return                              Component Functional Name
         */
-       pts_funct_comp_name_t (*get_comp_funct_name)(tcg_pts_attr_req_funct_comp_evid_t *this);
+       pts_ita_funct_comp_name_t (*get_comp_funct_name)(tcg_pts_attr_req_funct_comp_evid_t *this);
        
        
        /**
@@ -118,7 +118,7 @@ struct tcg_pts_attr_req_funct_comp_evid_t {
         * @param name                  Component Functional Name
         */
        void (*set_comp_funct_name)(tcg_pts_attr_req_funct_comp_evid_t *this,
-                                                               pts_funct_comp_name_t name);
+                                                               pts_ita_funct_comp_name_t name);
        
        
 };
@@ -135,7 +135,7 @@ struct tcg_pts_attr_req_funct_comp_evid_t {
 pa_tnc_attr_t* tcg_pts_attr_req_funct_comp_evid_create(pts_attr_req_funct_comp_evid_flag_t flags,
                                                        u_int32_t depth, u_int32_t vendor_id,
                                                        pts_qualifier_t qualifier,
-                                                       pts_funct_comp_name_t name);
+                                                       pts_ita_funct_comp_name_t name);
 
 /**
  * Creates an tcg_pts_attr_req_funct_comp_evid_t object from received data
index d33f1f8..58d9e92 100644 (file)
@@ -158,7 +158,7 @@ struct private_tcg_pts_attr_simple_comp_evid_t {
        /**
         * Component Functional Name
         */
-       pts_funct_comp_name_t name;
+       pts_ita_funct_comp_name_t name;
        
        /**
         * Measurement type
@@ -311,8 +311,11 @@ METHOD(pa_tnc_attr_t, build, void,
                writer->write_data  (writer, this->pcr_before);
                writer->write_data  (writer, this->pcr_after);
        }
-       
-       writer->write_data (writer, this->measurement);
+
+       if (this->measurement.ptr && this->measurement.len > 0)
+       {
+               writer->write_data (writer, this->measurement);
+       }
        
        this->value = chunk_clone(writer->get_buf(writer));
        writer->destroy(writer);
@@ -481,7 +484,7 @@ METHOD(tcg_pts_attr_simple_comp_evid_t, get_qualifier, pts_qualifier_t,
        return this->qualifier;
 }
 
-METHOD(tcg_pts_attr_simple_comp_evid_t, get_comp_funct_name, pts_funct_comp_name_t,
+METHOD(tcg_pts_attr_simple_comp_evid_t, get_comp_funct_name, pts_ita_funct_comp_name_t,
        private_tcg_pts_attr_simple_comp_evid_t *this)
 {
        return this->name;
@@ -602,7 +605,7 @@ pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create(tcg_pts_attr_simple_comp_evi
                .extended_pcr = params.extended_pcr,
                .hash_algorithm = params.hash_algorithm,
                .transformation = params.transformation,
-               .measurement_time = chunk_clone(params.measurement_time),
+               .measurement_time = params.measurement_time,
                .policy_uri = chunk_clone(params.policy_uri),
                .pcr_before = params.pcr_before,
                .pcr_after = params.pcr_after,
index f72429c..ff846fc 100644 (file)
@@ -68,7 +68,7 @@ struct tcg_pts_attr_simple_comp_evid_params_t {
        u_int32_t depth;
        u_int32_t vendor_id;
        pts_qualifier_t qualifier;
-       pts_funct_comp_name_t name;
+       pts_ita_funct_comp_name_t name;
        u_int32_t extended_pcr;
        pts_meas_algorithms_t hash_algorithm;
        pts_pcr_transform_t transformation;
@@ -137,7 +137,7 @@ struct tcg_pts_attr_simple_comp_evid_t {
         *
         * @return                                      Component Functional Name
         */
-       pts_funct_comp_name_t (*get_comp_funct_name)(tcg_pts_attr_simple_comp_evid_t *this);
+       pts_ita_funct_comp_name_t (*get_comp_funct_name)(tcg_pts_attr_simple_comp_evid_t *this);
        
        /**
         * Get Measurement Type
index c6a5af3..dc7fb84 100644 (file)
@@ -252,7 +252,6 @@ METHOD(pa_tnc_attr_t, process, status_t,
                reader->read_data(reader, pcr_comp_len, &this->pcr_comp);
                this->pcr_comp = chunk_clone(this->pcr_comp);
                
-               this->pcr_comp = chunk_empty;
                reader->read_uint32(reader, &tpm_quote_sign_len);
                reader->read_data(reader, tpm_quote_sign_len, &this->tpm_quote_sign);
                this->tpm_quote_sign = chunk_clone(this->tpm_quote_sign);