Implemented tboot measurements checking (configure on imc)
authorSansar Choinyambuu <schoinya@hsr.ch>
Wed, 9 Nov 2011 14:22:57 +0000 (15:22 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 28 Nov 2011 20:20:22 +0000 (21:20 +0100)
src/libimcv/plugins/imc_attestation/imc_attestation_process.c
src/libimcv/plugins/imv_attestation/imv_attestation_build.c
src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c

index 3975009..f91d8d8 100644 (file)
@@ -16,6 +16,8 @@
 #define _GNU_SOURCE
 
 #include <stdio.h>
+/* for isdigit */
+#include <ctype.h>
 
 #include "imc_attestation_process.h"
 
 #include <tcg/tcg_pts_attr_unix_file_meta.h>
 
 #include <debug.h>
+#include <utils/lexparser.h>
 
 #define DEFAULT_NONCE_LEN              20
 
 /**
+ * Convert string to u_int8_t
+ * code taken from http://www.codeguru.com/forum/showthread.php?t=316299
+ */
+static u_int8_t* string_to_bytearray(char *str_value)
+{
+       u_int32_t i;
+       u_int8_t *ret;
+
+       ret = malloc(strlen(str_value)/2);
+       for (i = 0; i < strlen(str_value)/2; i++)
+       {
+               char c1, c2;
+               u_int8_t d1, d2;
+
+               c1 = str_value[i*2];
+               c2 = str_value[i*2 + 1];
+
+               if (isdigit(c1))
+               {
+                       d1 = c1 - '0';
+               }
+               else if (c1 >= 'A' && c1 <= 'F')
+               {
+                       d1 = c1 - 'A' + 10;
+               }
+               else if (c1 >= 'a' && c1 <= 'f')
+               {
+                       d1 = c1 - 'a' + 10;
+               }
+
+               if (isdigit(c2))
+               {
+                       d2 = c2 - '0';
+               }
+               else if (c2 >= 'A' && c2 <= 'F')
+               {
+                       d2 = c2 - 'A' + 10;
+               }
+               else if (c2 >= 'a' && c2 <= 'f')
+               {
+                       d2 = c2 - 'a' + 10;
+               }
+               /* save value of two characters in one byte */
+               ret[i] = d1*16 + d2;
+       }
+
+       return ret;
+}
+
+/**
  * Set parameters of Simple Component Evidence
  */
 static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name,
@@ -55,7 +108,7 @@ static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name,
        time_t measurement_time_t;
        struct tm *time_now;
        char *utc_time;
-
+       
        params.name = name;
        params.pcr_info_included = TRUE;
        params.flags = PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID;
@@ -80,7 +133,7 @@ static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name,
        {
                time_now = localtime(&measurement_time_t);
                if (asprintf(&utc_time,
-                       "%d-%2.2d-%2.2dT%2.2d:%2.2d:%2.2dZ",
+                       "%d-%.2d-%.2dT%.2d:%.2d:%.2dZ",
                        time_now->tm_year + 1900,
                        time_now->tm_mon + 1,
                        time_now->tm_mday,
@@ -95,20 +148,68 @@ static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name,
                params.measurement_time = chunk_clone(params.measurement_time);
                free(utc_time);
        }
-       params.policy_uri = chunk_empty;
-       params.measurement = chunk_empty;
-       
-       params.pcr_before = chunk_alloc(PCR_LEN);
-       memset(params.pcr_before.ptr, 0, PCR_LEN);
        
-       /* Set extended PCR, which varies from component to component */
-       if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY)
+       params.policy_uri = chunk_empty;
+
+       /* Provisional/temporal implementation for trsutedGRUB measurements */
+       if (params.name != PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY &&
+               params.name != PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE)
        {
-               params.extended_pcr = PCR_TBOOT_POLICY;
+               params.measurement = chunk_alloc(HASH_SIZE_SHA1);
+               memset(params.measurement.ptr, 0, HASH_SIZE_SHA1);
+               params.pcr_before = chunk_alloc(PCR_LEN);
+               memset(params.pcr_before.ptr, 0, PCR_LEN);
        }
-       else if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE)
+
+       /* Set parameters which varies from component to component */
+       if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY ||
+               params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE)
        {
-               params.extended_pcr = PCR_TBOOT_MLE;
+               char *measurement_str, *pcr_before_str, *pcr_after_str;
+               u_int8_t *measurement, *pcr_before, *pcr_after;
+
+               if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY)
+               {
+                       params.extended_pcr = PCR_TBOOT_POLICY;
+                       measurement_str = lib->settings->get_str(lib->settings,
+                                               "libimcv.plugins.imc-attestation.pcr17_meas", NULL);
+                       pcr_before_str = lib->settings->get_str(lib->settings,
+                                               "libimcv.plugins.imc-attestation.pcr17_before", NULL);
+                       pcr_after_str = lib->settings->get_str(lib->settings,
+                                               "libimcv.plugins.imc-attestation.pcr17_after", NULL);
+               }
+               else
+               {
+                       params.extended_pcr = PCR_TBOOT_MLE;
+                       measurement_str = lib->settings->get_str(lib->settings,
+                                               "libimcv.plugins.imc-attestation.pcr18_meas", NULL);
+                       pcr_before_str = lib->settings->get_str(lib->settings,
+                                               "libimcv.plugins.imc-attestation.pcr18_before", NULL);
+                       pcr_after_str = lib->settings->get_str(lib->settings,
+                                               "libimcv.plugins.imc-attestation.pcr18_after", NULL);
+               }
+
+               if (!measurement_str || !pcr_before_str || !pcr_after_str)
+               {
+                       DBG1(DBG_IMC, "tboot: configure measurement, before and after value"
+                                                 " for PCR%d", params.extended_pcr);
+                       return FALSE;
+               }
+
+               params.measurement = chunk_alloc(HASH_SIZE_SHA1);
+               measurement = string_to_bytearray(measurement_str);
+               memcpy(params.measurement.ptr, measurement, HASH_SIZE_SHA1);
+               free(measurement);
+
+               params.pcr_before = chunk_alloc(PCR_LEN);
+               pcr_before = string_to_bytearray(pcr_before_str);
+               memcpy(params.pcr_before.ptr, pcr_before, PCR_LEN);
+               free(pcr_before);
+
+               params.pcr_after = chunk_alloc(PCR_LEN);
+               pcr_after = string_to_bytearray(pcr_after_str);
+               memcpy(params.pcr_after.ptr, pcr_after, PCR_LEN);
+               free(pcr_after);
        }
        else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_MBR_STAGE1)
        {
@@ -414,7 +515,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                        return FALSE;
                                }
                                
-                               if (!pts->read_pcr(pts, params.extended_pcr, &params.pcr_after))
+                               /* Get PCR after value from log when TBOOT is measuring entity */
+                               if (!(name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY ||
+                                               name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE) &&
+                                       !pts->read_pcr(pts, params.extended_pcr, &params.pcr_after))
                                {
                                        DBG1(DBG_IMC, "error occured while reading PCR: %d",
                                                 params.extended_pcr);
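Review bot: string_to_bytearray in the first hunk leaves d1/d2 uninitialized when a character is not a hex digit, so a mistyped strongswan.conf value silently produces garbage bytes (reading an uninitialized automatic is undefined behaviour), and it sizes the result as strlen/2 while the callers in the tboot branch of set_simple_comp_evid_params unconditionally memcpy HASH_SIZE_SHA1 or PCR_LEN bytes out of it, so a configured string shorter than 2*PCR_LEN hex digits makes that memcpy read past the heap allocation; the malloc result is also never checked. Since these values come straight from the configuration file, the conversion should take the expected byte length, reject anything that is not exactly 2*len hex digits, and return NULL so the three call sites can fail with the existing DBG1/return FALSE path instead of sending partially decoded evidence. libstrongswan may already offer chunk_from_hex() for this; if it is available at this revision it is preferable to a hand-rolled decoder. A rewrite along these lines, with the call sites adjusted, follows.
```c
/**
 * Decode one hex digit, or return -1 if c is not a hex digit
 */
static int hex_nibble(char c)
{
	if (c >= '0' && c <= '9')
	{
		return c - '0';
	}
	if (c >= 'A' && c <= 'F')
	{
		return c - 'A' + 10;
	}
	if (c >= 'a' && c <= 'f')
	{
		return c - 'a' + 10;
	}
	return -1;
}

/**
 * Convert a hex string into exactly len bytes.
 * Returns NULL (nothing allocated) if str_value is NULL, is not 2*len hex
 * digits long, or allocation fails; the caller frees the result.
 */
static u_int8_t* string_to_bytearray(char *str_value, size_t len)
{
	u_int8_t *ret;
	size_t i;

	if (!str_value || strlen(str_value) != 2 * len)
	{
		return NULL;
	}
	ret = malloc(len);
	if (!ret)
	{
		return NULL;
	}
	for (i = 0; i < len; i++)
	{
		int d1 = hex_nibble(str_value[2 * i]);
		int d2 = hex_nibble(str_value[2 * i + 1]);

		if (d1 < 0 || d2 < 0)
		{
			free(ret);
			return NULL;
		}
		/* save value of two characters in one byte */
		ret[i] = (u_int8_t)(d1 * 16 + d2);
	}
	return ret;
}

/* … unchanged: set_simple_comp_evid_params up to the settings lookup in the tboot branch … */
		measurement = string_to_bytearray(measurement_str, HASH_SIZE_SHA1);
		pcr_before = string_to_bytearray(pcr_before_str, PCR_LEN);
		pcr_after = string_to_bytearray(pcr_after_str, PCR_LEN);
		if (!measurement || !pcr_before || !pcr_after)
		{
			DBG1(DBG_IMC, "tboot: PCR%d measurement, before and after values"
						  " must be hex strings of the expected length",
						  params.extended_pcr);
			free(measurement);
			free(pcr_before);
			free(pcr_after);
			return FALSE;
		}
/* … unchanged: chunk_alloc/memcpy/free of the three values … */
```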
index ed5c359..570bc86 100644 (file)
@@ -222,14 +222,14 @@ bool imv_attestation_build(pa_tnc_msg_t *msg,
                        qualifier.type = PTS_ITA_FUNC_COMP_TYPE_TRUSTED;
 
                        /* Send Request Functional Component Evidence attribute */
-                       name = PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART1;
+                       name = PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY;
                        attr = tcg_pts_attr_req_funct_comp_evid_create(flags,
                                                                        sub_comp_depth, PEN_ITA, qualifier, name);
                        attr->set_noskip_flag(attr, TRUE);
                        msg->add_attribute(msg, attr);
                        
                        /* Send Request Functional Component Evidence attribute */
-                       name = PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART2;
+                       name = PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE;
                        attr = tcg_pts_attr_req_funct_comp_evid_create(flags,
                                                                        sub_comp_depth, PEN_ITA, qualifier, name);
                        attr->set_noskip_flag(attr, TRUE);
index 58d9e92..e4969c1 100644 (file)
@@ -609,7 +609,7 @@ pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create(tcg_pts_attr_simple_comp_evi
                .policy_uri = chunk_clone(params.policy_uri),
                .pcr_before = params.pcr_before,
                .pcr_after = params.pcr_after,
-               .measurement = chunk_clone(params.measurement),
+               .measurement = params.measurement,
        );
 
        return &this->public.pa_tnc_attribute;
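Review bot: Dropping chunk_clone on .measurement changes the ownership contract of tcg_pts_attr_simple_comp_evid_create: params.measurement is now taken over by the attribute, as .pcr_before and .pcr_after on the lines above already are, while .policy_uri is still cloned, and nothing on the page documents which fields the caller may still free. Any caller that keeps freeing params.measurement after the call would now double-free, and one that relied on the clone to reuse its buffer would hand the attribute a dangling chunk. The params documentation in the header should state it explicitly, e.g. `/* measurement, pcr_before and pcr_after are taken over by the attribute; policy_uri is cloned */`. The function body ends outside the hunk.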