Attestation IMV processes TPMRA workitem
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 26 Dec 2013 16:39:05 +0000 (17:39 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 13 Jan 2014 11:06:17 +0000 (12:06 +0100)
src/libimcv/imv/imv_workitem.c
src/libpts/plugins/imv_attestation/imv_attestation_agent.c
src/libpts/plugins/imv_attestation/imv_attestation_process.c

index 8d3c031..8784a0c 100644 (file)
@@ -20,7 +20,7 @@
 
 typedef struct private_imv_workitem_t private_imv_workitem_t;
 
-ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_SWID_TAGS,
+ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_TPM_ATTEST,
        "PCKGS",
        "UNSRC",
        "FWDEN",
index 978c740..0b960ac 100644 (file)
@@ -374,10 +374,37 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                        case IMV_WORKITEM_DIR_META:
                                                is_dir = TRUE;
                                                break;
+                                       case IMV_WORKITEM_TPM_ATTEST:
+                                       {
+                                               TNC_IMV_Action_Recommendation rec;
+                                               TNC_IMV_Evaluation_Result eval;
+                                               bool no_d_flag, no_t_flag;
+                                               char result_str[BUF_LEN];
+
+                                               workitem->set_imv_id(workitem, imv_id);
+                                               no_workitems = FALSE;
+                                               no_d_flag = !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D);
+                                               no_t_flag = !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T);
+                                               if (no_d_flag || no_t_flag)
+                                               {
+                                                       snprintf(result_str, BUF_LEN, "%s%s%s",
+                                                                       (no_t_flag) ? "no TPM available" : "",
+                                                                       (no_t_flag && no_d_flag) ? ", " : "",
+                                                                       (no_d_flag) ? "no DH nonce negotiation" : "");
+                                                       eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+                                                       session->remove_workitem(session, enumerator);
+                                                       rec = workitem->set_result(workitem, result_str, eval);
+                                                       state->update_recommendation(state, rec, eval);
+                                                       imcv_db->finalize_workitem(imcv_db, workitem);
+                                                       workitem->destroy(workitem);
+                                               }
+                                               continue;
+                                       }
                                        default:
                                                continue;
                                }
 
+                               /* initiate file and directory measurements */
                                pathname = this->pts_db->get_pathname(this->pts_db, is_dir,
                                                                                        workitem->get_arg_int(workitem));
                                if (!pathname)
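Review bot: The new IMV_WORKITEM_TPM_ATTEST case (L25-L50) has no comment, and its two exits are easy to misread: when the D or T capability is missing the workitem is finalized at once with TNC_IMV_EVALUATION_RESULT_ERROR, but when both are present it only claims the workitem (`set_imv_id`, `no_workitems = FALSE`) and then `continue`s, leaving it pending with nothing here saying who completes it. A comment on the `continue` at L49 would make the deferral explicit, e.g. `/* result is set once the TPM quote in the evidence-final attribute has been verified (imv_attestation_process) */`, which is what the third file of this commit appears to implement. batch_ending starts before the hunk, so this case also relies on `pts` having been set up earlier in that function; worth a one-line note if that is not guaranteed on every path.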
index 5137d64..f5f1162 100644 (file)
@@ -366,6 +366,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                        pts_comp_evidence_t *evidence;
                        pts_component_t *comp;
                        u_int32_t depth;
+                       status_t status;
 
                        attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
                        evidence = attr_cast->get_comp_evidence(attr_cast);
@@ -377,8 +378,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                                DBG1(DBG_IMV, "  no entry found for component evidence request");
                                break;
                        }
-                       if (comp->verify(comp, name->get_qualifier(name), pts,
-                                                        evidence) != SUCCESS)
+                       status = comp->verify(comp, name->get_qualifier(name), pts, evidence);
+                       if (status == VERIFY_ERROR || status == FAILED)
                        {
                                state->update_recommendation(state,
                                                        TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
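Review bot: Replacing `!= SUCCESS` with the two-value allow-list at L75 turns this check fail-open: any other status_t that `comp->verify()` returns now, or returns in a future change, skips the ISOLATE recommendation and is treated as a verified component. Unless verify() is documented to return only SUCCESS, FAILED, VERIFY_ERROR and one specific in-progress value, the condition should name the accepted outcomes rather than the rejected ones, e.g. `if (status != SUCCESS && status != <the in-progress value that motivated the change>)`, and a comment should record why that value is allowed through. The if body and the enclosing imv_attestation_process function continue outside the hunk.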
@@ -396,6 +397,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                        pts_meas_algorithms_t comp_hash_algorithm;
                        chunk_t pcr_comp, tpm_quote_sig, evid_sig;
                        chunk_t pcr_composite, quote_info;
+                       imv_session_t *session;
+                       imv_workitem_t *workitem;
+                       enumerator_t *enumerator;
                        bool use_quote2, use_ver_info;
 
                        attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
@@ -449,6 +453,41 @@ quote_error:
                                 * if all expected component measurements were received
                                 */
                                attestation_state->finalize_components(attestation_state);
+
+                               session = state->get_session(state);
+                               enumerator = session->create_workitem_enumerator(session);
+                               while (enumerator->enumerate(enumerator, &workitem))
+                               {
+                                       if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
+                                       {
+                                               TNC_IMV_Action_Recommendation rec;
+                                               TNC_IMV_Evaluation_Result eval;
+                                               char *result_str;
+                                               u_int32_t error;
+
+                                               error = attestation_state->get_measurement_error(
+                                                                                                               attestation_state);
+                                               if (error & (IMV_ATTESTATION_ERROR_COMP_EVID_FAIL |
+                                                                        IMV_ATTESTATION_ERROR_COMP_EVID_PEND |
+                                                                        IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL))
+                                               {
+                                                       result_str = "attestation failed";
+                                                       eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+                                               }
+                                               else
+                                               {
+                                                       result_str = "attestation successful";
+                                                       eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+                                               }
+                                               session->remove_workitem(session, enumerator);
+                                               rec = workitem->set_result(workitem, result_str, eval);
+                                               state->update_recommendation(state, rec, eval);
+                                               imcv_db->finalize_workitem(imcv_db, workitem);
+                                               workitem->destroy(workitem);
+                                               break;
+                                       }
+                               }
+                               enumerator->destroy(enumerator);
                        }
 
                        if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
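Review bot: The failure branch at L111-L112 sets `result_str = "attestation failed"` but still assigns `eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT`, the same value as the success branch, so a failed or still-pending component evidence check or a failed TPM quote is stored as compliant and `set_result()`/`update_recommendation()` at L120-L121 derive the recommendation from that. The only thing distinguishing a failed attestation from a successful one is then the free-text result string, which is fail-open. The branch should use a non-compliant evaluation, e.g. `eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR;`, and a comment on the error mask at L107-L109 explaining that pending evidence is deliberately counted as failure would help the next reader. imv_attestation_process begins outside the hunk and the `quote_error` label is above it, so the effect of that path on the error bits should be checked against the full function.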