transfer IMA file measurements via PA-TNC
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 13 Jul 2012 12:46:36 +0000 (14:46 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 13 Jul 2012 12:46:42 +0000 (14:46 +0200)
src/libpts/plugins/imc_attestation/imc_attestation_process.c
src/libpts/plugins/imv_attestation/imv_attestation_process.c
src/libpts/pts/components/ita/ita_comp_ima.c
src/libpts/pts/components/ita/ita_comp_tboot.c
src/libpts/pts/components/ita/ita_comp_tgrub.c
src/libpts/pts/components/pts_component.h

index b70c053..d5ff07f 100644 (file)
@@ -320,6 +320,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                {
                        tcg_pts_attr_req_func_comp_evid_t *attr_cast;
                        pts_proto_caps_flag_t negotiated_caps;
+                       pts_file_meas_t *measurements;
                        pts_comp_func_name_t *name;
                        pts_comp_evidence_t *evid;
                        pts_component_t *comp;
@@ -387,12 +388,19 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                /* do the component evidence measurement[s] */
                                do
                                {
-                                       status = comp->measure(comp, pts, &evid);
+                                       status = comp->measure(comp, pts, &evid, &measurements);
                                        if (status == FAILED)
                                        {
                                                break;
                                        }
                                        attestation_state->add_evidence(attestation_state, evid);
+                                       if (measurements)
+                                       {
+                                               DBG2(DBG_IMC, "collected %d file measurements",
+                                                        measurements->get_file_count(measurements));
+                                               attr = tcg_pts_attr_file_meas_create(measurements);
+                                               attr_list->insert_last(attr_list, attr);
+                                       }
                                }
                                while (status == NEED_MORE);
                                comp->destroy(comp);
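Review bot: `measurements` is declared at the top of the block without an initializer and is tested with `if (measurements)` after every `comp->measure()` call that did not return FAILED, so the loop depends on every component implementation writing `*measurements` on each such path; in this commit only ita_comp_ima.c's measure() visibly does `*measurements = NULL;`, the tboot and tgrub bodies lie outside their hunks. A defensive reset `measurements = NULL;` immediately before `status = comp->measure(comp, pts, &evid, &measurements);` would keep a stale pointer from a previous iteration from being wrapped into a second file-measurement attribute. Assigning the new attribute to `attr`, which is also the function's input parameter, is a readability hazard; a local such as `pa_tnc_attr_t *meas_attr` would make clear that the incoming attribute is no longer referenced from that point on. The enclosing function continues outside the hunk.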
index fbe516d..2ad5d78 100644 (file)
@@ -193,8 +193,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        int file_count, file_id;
                        pts_meas_algorithms_t algo;
                        pts_file_meas_t *measurements;
-                       char *platform_info;
-                       enumerator_t *e_hash;
+                       char *platform_info, *filename;
+                       chunk_t measurement;
+                       enumerator_t *e, *e_hash;
                        bool is_dir;
 
                        platform_info = pts->get_platform_info(pts);
@@ -216,22 +217,34 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
                                 request_id, file_count, (file_count == 1) ? "":"s");
 
-                       if (!attestation_state->check_off_file_meas_request(attestation_state,
-                               request_id, &file_id, &is_dir))
+                       if (request_id)
                        {
-                               DBG1(DBG_IMV, "  no entry found for file measurement request %d",
-                                        request_id);
-                               break;
-                       }
+                               if (!attestation_state->check_off_file_meas_request(
+                                       attestation_state, request_id, &file_id, &is_dir))
+                               {
+                                       DBG1(DBG_IMV, "  no entry found for file measurement "
+                                                                 "request %d", request_id);
+                                       break;
+                               }
 
-                       /* check hashes from database against measurements */
-                       e_hash = pts_db->create_file_hash_enumerator(pts_db,
-                                                       platform_info, algo, file_id, is_dir);
-                       if (!measurements->verify(measurements, e_hash, is_dir))
+                               /* check hashes from database against measurements */
+                               e_hash = pts_db->create_file_hash_enumerator(pts_db,
+                                                               platform_info, algo, file_id, is_dir);
+                               if (!measurements->verify(measurements, e_hash, is_dir))
+                               {
+                                       attestation_state->set_measurement_error(attestation_state);
+                               }
+                               e_hash->destroy(e_hash);
+                       }
+                       else
                        {
-                               attestation_state->set_measurement_error(attestation_state);
+                               e = measurements->create_enumerator(measurements);
+                               while (e->enumerate(e, &filename, &measurement))
+                               {
+                                       DBG2(DBG_PTS, "  %#B for '%s'", &measurement, filename);
+                               }
+                               e->destroy(e);
                        }
-                       e_hash->destroy(e_hash);
                        break;
                }
                case TCG_PTS_UNIX_FILE_META:
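Review bot: The new `else` branch for `request_id == 0` only logs the received file measurements at DBG2 and neither verifies them against reference hashes nor calls `set_measurement_error()`, so unsolicited measurements (the IMA file list the IMC now attaches, per the other hunks of this commit) have no effect on the attestation verdict either way; if that is intended for now, state it in place of the bare `else`, e.g. `/* unsolicited file measurements (request_id 0): logged only, not verified yet */`, since a reader would otherwise assume they are checked. The `filename` passed to `%s` originates from the peer's attribute; the logging relies on the attribute parser guaranteeing NUL termination, which is not visible here. The enclosing case body starts in the earlier hunk and the function continues past this one.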
index 2af276d..2de3caf 100644 (file)
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
- *
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -172,7 +171,7 @@ struct ima_entry_t {
        /**
         * absolute path of executable files or basename of dynamic libraries
         */
-       chunk_t filename;
+       char *filename;
 };
 
 /**
@@ -191,7 +190,7 @@ static void free_ima_entry(ima_entry_t *this)
 {
        free(this->measurement.ptr);
        free(this->file_measurement.ptr);
-       free(this->filename.ptr);
+       free(this->filename);
        free(this);
 }
 
@@ -311,7 +310,7 @@ static bool load_runtime_measurements(char *file, linked_list_t *list,
                entry = malloc_thing(ima_entry_t);
                entry->measurement = chunk_alloc(HASH_SIZE_SHA1);
                entry->file_measurement = chunk_alloc(HASH_SIZE_SHA1);
-               entry->filename = chunk_empty;
+               entry->filename = NULL;
 
                if (res != 4 || pcr != IMA_PCR)
                {
@@ -338,11 +337,13 @@ static bool load_runtime_measurements(char *file, linked_list_t *list,
                {
                        break;
                }
-               entry->filename = chunk_alloc(len);
-               if (read(fd, entry->filename.ptr, len) != len)
+               entry->filename = malloc(len + 1);
+               if (read(fd, entry->filename, len) != len)
                {
                        break;
                }
+               entry->filename[len] = '\0';
+
                list->insert_last(list, entry);
        }
 
@@ -428,11 +429,16 @@ METHOD(pts_component_t, get_depth, u_int32_t,
 }
 
 METHOD(pts_component_t, measure, status_t,
-       pts_ita_comp_ima_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
+       pts_ita_comp_ima_t *this, pts_t *pts, pts_comp_evidence_t **evidence,
+       pts_file_meas_t **measurements)
 {
        bios_entry_t *bios_entry;
-       ima_entry_t *ima_entry;
+       ima_entry_t *ima_entry, *entry;
        status_t status;
+       enumerator_t *e;
+       pts_file_meas_t *file_meas;
+
+       *measurements = NULL;
 
        switch (this->state)
        {
@@ -486,19 +492,31 @@ METHOD(pts_component_t, measure, status_t,
                        if (this->state == IMA_STATE_BOOT_AGGREGATE)
                        {
                                check_boot_aggregate(this, ima_entry->measurement);
+
+                               if (this->ima_list->get_count(this->ima_list))
+                               {
+                                       /* extract file measurements */
+                                       file_meas = pts_file_meas_create(0);
+
+                                       e = this->ima_list->create_enumerator(this->ima_list);
+                                       while (e->enumerate(e, &entry))
+                                       {
+                                               file_meas->add(file_meas, entry->filename,
+                                                                                                 entry->file_measurement);
+                                       }
+                                       e->destroy(e);
+                                       *measurements = file_meas;
+                               }
                        }
 
-                       /* TODO optionally send file measurements */
-                       chunk_free(&ima_entry->file_measurement);
-                       chunk_free(&ima_entry->filename);
+                       free(ima_entry->file_measurement.ptr);
+                       free(ima_entry->filename);
                        free(ima_entry);
-
                        this->state = this->ima_list->get_count(this->ima_list) ?
                                                                        IMA_STATE_RUNTIME : IMA_STATE_END;
                        break;
                case IMA_STATE_END:
-                       /* shouldn't happen */
-                       return FAILED;
+                       break;
        }
        
        return (this->state == IMA_STATE_END) ? SUCCESS : NEED_MORE;
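Review bot: In load_runtime_measurements, `entry->filename = malloc(len + 1);` is not checked for NULL before `read()` writes into it, and if `len` is a 32-bit unsigned value taken from the measurement file (its declaration is outside the hunk) `len + 1` can wrap to 0, leaving both the `read()` and `entry->filename[len] = '\0';` out of bounds; a range check on `len` before the allocation plus `if (!entry->filename) { break; }` after it would close both. In the measure() hunk, `file_meas->add(file_meas, entry->filename, entry->file_measurement)` is called for every entry still in `ima_list`, while later calls of the same function `free(ima_entry->filename)` and `free(ima_entry->file_measurement.ptr)` as each entry is consumed; unless pts_file_meas_t.add() copies its arguments (not visible here), the list handed to the IMC ends up holding dangling pointers. Replacing `return FAILED` with `break` in IMA_STATE_END means a call in that state now returns SUCCESS without touching `*evidence`; a comment such as `/* already finished: caller must not call measure() again after SUCCESS */` would make that intentional rather than accidental.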
index dd26fdb..8ac8335 100644 (file)
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
- *
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -107,7 +106,9 @@ METHOD(pts_component_t, get_depth, u_int32_t,
 }
 
 METHOD(pts_component_t, measure, status_t,
-       pts_ita_comp_tboot_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
+       pts_ita_comp_tboot_t *this, pts_t *pts, pts_comp_evidence_t **evidence,
+       pts_file_meas_t **measurements)
+
 {
        pts_comp_evidence_t *evid;
        char *meas_hex, *pcr_before_hex, *pcr_after_hex;
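Review bot: The stray blank line between the new `pts_file_meas_t **measurements)` parameter line and the opening `{` of measure() should be removed; the tgrub variant in ita_comp_tgrub.c does not have it. More importantly, the bodies of this measure() and of the tgrub one lie outside their hunks, so it is not visible whether they set `*measurements = NULL;` as ita_comp_ima.c does; imc_attestation_process.c now tests `if (measurements)` after every call that did not return FAILED, so both implementations must write the out-parameter on every such return path. Adding `*measurements = NULL;` as the first statement of each body, mirroring the IMA component, would satisfy that.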
index 00b9ef3..a25f2f8 100644 (file)
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
- *
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -71,7 +70,8 @@ METHOD(pts_component_t, get_depth, u_int32_t,
 }
 
 METHOD(pts_component_t, measure, status_t,
-       pts_ita_comp_tgrub_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
+       pts_ita_comp_tgrub_t *this, pts_t *pts, pts_comp_evidence_t **evidence,
+       pts_file_meas_t **measurements)
 {
        pts_comp_evidence_t *evid;
        u_int32_t extended_pcr;
index 160fd05..970b75e 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@ typedef struct pts_component_t pts_component_t;
 
 #include "pts/pts.h"
 #include "pts/pts_database.h"
+#include "pts/pts_file_meas.h"
 #include "pts/components/pts_comp_func_name.h"
 #include "pts/components/pts_comp_evidence.h"
 
@@ -61,10 +62,12 @@ struct pts_component_t {
         *
         * @param pts                   PTS interface
         * @param evidence              returns component evidence measureemt
+        * @param measurements  additional file measurements (NULL if not present)
         * @return                              status return code
         */
        status_t (*measure)(pts_component_t *this, pts_t *pts,
-                                               pts_comp_evidence_t** evidence);
+                                               pts_comp_evidence_t** evidence,
+                                               pts_file_meas_t** measurements);
 
        /**
         * Verify the evidence measurements of the PTS Functional Component
@@ -76,7 +79,6 @@ struct pts_component_t {
        status_t (*verify)(pts_component_t *this, pts_t *pts,
                                           pts_comp_evidence_t *evidence);
 
-
        /**
         * Tell the PTS Functional Component to finalize pending registrations
         * and check for missing measurements
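Review bot: The new `@param measurements` line says `NULL if not present` but does not state that every implementation must write the out-parameter, nor who owns a returned pts_file_meas_t; since imc_attestation_process.c tests the pointer after each call and then hands it to tcg_pts_attr_file_meas_create(), both are part of the contract. Suggested wording: `@param measurements  returns additional file measurements, set to NULL if none; ownership passes to the caller`, with the ownership clause adjusted to what pts_file_meas_t and the attribute constructor actually do, which is not visible here. The pre-existing typo `measureemt` on the neighbouring context line could be fixed in passing.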