"support sub component measurements");
return FALSE;
}
- comp = pts_components->create(pts_components, name);
+ comp = pts_components->create(pts_components, name, depth);
if (!comp)
{
DBG2(DBG_IMC, " not registered: no evidence provided");
0, '/etc/tnc_config', 1
);
+INSERT INTO files (
+ type, path
+) VALUES (
+ 0, 'tboot_pcr17'
+);
+
+INSERT INTO files (
+ type, path
+) VALUES (
+ 0, 'tboot_pcr18'
+);
+
/* Components */
INSERT INTO components (
4, 22
);
+INSERT INTO product_file (
+ product, file
+) VALUES (
+ 4, 23
+);
+
+INSERT INTO product_file (
+ product, file
+) VALUES (
+ 4, 24
+);
+
INSERT INTO product_file (
product, file
) VALUES (
7, 22
);
-/* Product Component */
-
-INSERT INTO product_component (
- product, component, sequence
+INSERT INTO product_file (
+ product, file
) VALUES (
- 4, 1, 1
+ 7, 23
);
-INSERT INTO product_component (
- product, component, sequence
+INSERT INTO product_file (
+ product, file
) VALUES (
- 4, 2, 2
+ 7, 24
);
+/* Product Component */
+
INSERT INTO product_component (
- product, component, sequence
+ product, component, depth, sequence
) VALUES (
- 7, 1, 1
+ 4, 2, 0, 2
);
INSERT INTO product_component (
- product, component, sequence
+ product, component, depth, sequence
) VALUES (
- 7, 2, 2
+ 7, 2, 0, 2
);
/* File Hashes */
20, 7, 7, 8192, X'84200bd318bb022915150842ddf4002e061ef593604ad0d07021dc662cc40bfa749cce084ddf25d0e5137f6380f613d8'
);
-INSERT INTO component_hashes (
- component, product, algo, hash
+INSERT INTO file_hashes (
+ file, product, component, algo, hash
) VALUES (
- 2, 4, 32768, X'9704353630674bfe21b86b64a7b0f99c297cf902'
+ 23, 4, 2, 32768, X'9704353630674bfe21b86b64a7b0f99c297cf902'
);
-INSERT INTO component_hashes (
- component, product, algo, hash
+INSERT INTO file_hashes (
+ file, product, component, algo, hash
) VALUES (
- 2, 4, 32768, X'8397d8048ee36d7955e38da16fc33e86ef61d6b0'
+ 24, 4, 2, 32768, X'8397d8048ee36d7955e38da16fc33e86ef61d6b0'
);
pts_comp_func_name_t *comp_name;
int vid, name, qualifier;
u_int8_t flags;
+ u_int32_t depth;
bool first = TRUE;
attestation_state->set_handshake_state(attestation_state,
break;
}
DBG2(DBG_IMV, "evidence request by");
- while (enumerator->enumerate(enumerator, &vid, &name, &qualifier))
+ while (enumerator->enumerate(enumerator, &vid, &name,
+ &qualifier, &depth))
{
comp_name = pts_comp_func_name_create(vid, name, qualifier);
comp_name->log(comp_name, " ");
- comp = pts_components->create(pts_components, comp_name);
+ comp = pts_components->create(pts_components, comp_name, depth);
if (!comp)
{
DBG2(DBG_IMV, " not registered: removed from request");
flags = comp->get_evidence_flags(comp);
/* TODO check flags against negotiated_caps */
attr_cast = (tcg_pts_attr_req_func_comp_evid_t *)attr;
- attr_cast->add_component(attr_cast, flags, 0, comp_name);
+ attr_cast->add_component(attr_cast, flags, depth, comp_name);
}
enumerator->destroy(enumerator);
CREATE TABLE product_component (
product INTEGER NOT NULL,
component INTEGER NOT NULL,
+ depth INTEGER DEFAULT 0,
sequence INTEGER DEFAULT 0,
PRIMARY KEY (product, component)
);
file INTEGER NOT NULL,
directory INTEGER DEFAULT 0,
product INTEGER NOT NULL,
+ component INTEGER DEFAULT 0,
algo INTEGER NOT NULL,
hash BLOB NOT NULL,
- PRIMARY KEY(file, directory, product, algo)
+ PRIMARY KEY(file, directory, product, component, algo)
);
-
-DROP TABLE IF EXISTS component_hashes;
-CREATE TABLE component_hashes (
- component INTEGER NOT NULL,
- product INTEGER NOT NULL,
- algo INTEGER NOT NULL,
- hash BLOB NOT NULL,
- PRIMARY KEY(component, product, algo)
-);
-
*/
pts_comp_func_name_t *name;
+ /**
+ * Sub-component depth
+ */
+ u_int32_t depth;
+
/**
* Extended PCR last handled
*/
return PTS_REQ_FUNC_COMP_EVID_PCR;
}
+METHOD(pts_component_t, get_depth, u_int32_t,
+ pts_ita_comp_tboot_t *this)
+{
+ return this->depth;
+}
+
METHOD(pts_component_t, measure, status_t,
pts_ita_comp_tboot_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
{
pts_pcr_transform_t transform;
time_t measurement_time;
chunk_t measurement, pcr_before, pcr_after;
+ enumerator_t *enumerator;
+ char *file;
+ chunk_t hash;
+ char *platform_info;
+
+ platform_info = pts->get_platform_info(pts);
+ if (!pts_db || !platform_info)
+ {
+ DBG1(DBG_PTS, "%s%s%s not available",
+ (pts_db) ? "" : "pts database",
+ (!pts_db && !platform_info) ? "and" : "",
+ (platform_info) ? "" : "platform info");
+ return FAILED;
+ }
switch (this->extended_pcr)
{
case 0:
this->extended_pcr = PCR_TBOOT_POLICY;
+ file = "tboot_pcr17";
break;
case PCR_TBOOT_POLICY:
this->extended_pcr = PCR_TBOOT_MLE;
+ file = "tboot_pcr18";
break;
default:
return FAILED;
}
measurement = evidence->get_measurement(evidence, &extended_pcr,
- &algo, &transform, &measurement_time);
+ &algo, &transform, &measurement_time);
if (extended_pcr != this->extended_pcr)
{
return FAILED;
}
- /* TODO check measurement in database */
+ /* check measurement in database */
+ enumerator = pts_db->create_comp_hash_enumerator(pts_db, file,
+ platform_info, this->name, algo);
+ while (enumerator->enumerate(enumerator, &hash))
+ {
+ if (!chunk_equals(hash, measurement))
+ {
+ DBG1(DBG_PTS, "Incorrect TBOOT component measurement for PCR %d. "
+ "Expected: %#B, Received: %#B",
+ this->extended_pcr, &hash, &measurement);
+ return FAILED;
+ }
+ else
+ {
+ DBG3(DBG_PTS, "Matching TBOOT component measurement for PCR %d",
+ this->extended_pcr);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
if (has_pcr_info)
}
METHOD(pts_component_t, destroy, void,
- pts_ita_comp_tboot_t *this)
+ pts_ita_comp_tboot_t *this)
{
this->name->destroy(this->name);
free(this);
/**
* See header
*/
-pts_component_t *pts_ita_comp_tboot_create(u_int8_t qualifier)
+pts_component_t *pts_ita_comp_tboot_create(u_int8_t qualifier, u_int32_t depth)
{
pts_ita_comp_tboot_t *this;
.public = {
.get_comp_func_name = _get_comp_func_name,
.get_evidence_flags = _get_evidence_flags,
+ .get_depth = _get_depth,
.measure = _measure,
.verify = _verify,
.destroy = _destroy,
},
.name = pts_comp_func_name_create(PEN_ITA, PTS_ITA_COMP_FUNC_NAME_TBOOT,
qualifier),
+ .depth = depth,
);
return &this->public;
* @param qualifier PTS Component Functional Name Qualifier
*
*/
-pts_component_t* pts_ita_comp_tboot_create(u_int8_t qualifier);
+pts_component_t* pts_ita_comp_tboot_create(u_int8_t qualifier, u_int32_t depth);
#endif /** PTS_ITA_COMP_TBOOT_H_ @}*/
* Component Functional Name
*/
pts_comp_func_name_t *name;
+
+ /**
+ * Sub-component depth
+ */
+ u_int32_t depth;
};
METHOD(pts_component_t, get_comp_func_name, pts_comp_func_name_t*,
return PTS_REQ_FUNC_COMP_EVID_PCR;
}
+METHOD(pts_component_t, get_depth, u_int32_t,
+ pts_ita_comp_tgrub_t *this)
+{
+ return this->depth;
+}
+
METHOD(pts_component_t, measure, status_t,
pts_ita_comp_tgrub_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
{
/**
* See header
*/
-pts_component_t *pts_ita_comp_tgrub_create(u_int8_t qualifier)
+pts_component_t *pts_ita_comp_tgrub_create(u_int8_t qualifier, u_int32_t depth)
{
pts_ita_comp_tgrub_t *this;
.public = {
.get_comp_func_name = _get_comp_func_name,
.get_evidence_flags = _get_evidence_flags,
+ .get_depth = _get_depth,
.measure = _measure,
.verify = _verify,
.destroy = _destroy,
},
.name = pts_comp_func_name_create(PEN_ITA, PTS_ITA_COMP_FUNC_NAME_TBOOT,
qualifier),
+ .depth = depth,
);
return &this->public;
* @param qualifier PTS Component Functional Name Qualifier
*
*/
-pts_component_t* pts_ita_comp_tgrub_create(u_int8_t qualifier);
+pts_component_t* pts_ita_comp_tgrub_create(u_int8_t qualifier, u_int32_t depth);
#endif /** PTS_ITA_COMP_TGRUB_H_ @}*/
*/
u_int8_t (*get_evidence_flags)(pts_component_t *this);
+ /**
+ * Get the PTS Sub-component Depth
+ *
+ * @return PTS Sub-component Depth
+ */
+ u_int32_t (*get_depth)(pts_component_t *this);
+
/**
* Do evidence measurements on the PTS Functional Component
*
}
METHOD(pts_component_manager_t, create, pts_component_t*,
- private_pts_component_manager_t *this, pts_comp_func_name_t *name)
+ private_pts_component_manager_t *this,
+ pts_comp_func_name_t *name, u_int32_t depth)
{
enumerator_t *enumerator, *e2;
vendor_entry_t *entry;
{
if (entry2->name == name->get_name(name) && entry2->create)
{
- component = entry2->create(name->get_qualifier(name));
+ component = entry2->create(name->get_qualifier(name), depth);
break;
}
}
#include <library.h>
#include <pen/pen.h>
-typedef pts_component_t* (*pts_component_create_t)(u_int8_t qualifier);
+typedef pts_component_t* (*pts_component_create_t)(u_int8_t qualifier,
+ u_int32_t depth);
/**
* Manages PTS Functional Components
* Create a PTS Component object from a Functional Component Name object
*
* @param name Component Functional Name
+ * @param depth Sub-component Depth
* @return Component object if supported, NULL else
*/
pts_component_t* (*create)(pts_component_manager_t *this,
- pts_comp_func_name_t *name);
+ pts_comp_func_name_t *name, u_int32_t depth);
/**
* Destroys a pts_component_manager_t object.
/* look for all entries belonging to a product in the components table */
e = this->db->query(this->db,
- "SELECT c.vendor_id, c.name, c.qualifier FROM components AS c "
+ "SELECT c.vendor_id, c.name, c.qualifier, pc.depth "
+ "FROM components AS c "
"JOIN product_component AS pc ON c.id = pc.component "
"JOIN products AS p ON p.id = pc.product "
"WHERE p.name = ? ORDER BY pc.sequence",
- DB_TEXT, product, DB_INT, DB_INT, DB_INT);
+ DB_TEXT, product, DB_INT, DB_INT, DB_INT, DB_INT);
return e;
}
}
METHOD(pts_database_t, create_comp_hash_enumerator, enumerator_t*,
- private_pts_database_t *this, char *product, pts_meas_algorithms_t algo,
- pts_comp_func_name_t *comp_name)
+ private_pts_database_t *this, char *file, char *product,
+ pts_comp_func_name_t *comp_name, pts_meas_algorithms_t algo)
{
enumerator_t *e;
e = this->db->query(this->db,
- "SELECT ch.hash FROM component_hashes AS ch "
- "JOIN components AS c ON ch.component = c.id "
- "JOIN products AS p ON ch.product = p.id "
- "WHERE p.name = ? AND c.vendor_id = ? "
- "AND c.name = ? AND c.qualifier = ? AND ch.algo = ? ",
- DB_TEXT, product, DB_INT, comp_name->get_vendor_id(comp_name),
+ "SELECT fh.hash FROM file_hashes AS fh "
+ "JOIN files AS f ON fh.file = f.id "
+ "JOIN products AS p ON fh.product = p.id "
+ "JOIN components AS c ON fh.component = c.id "
+ "WHERE f.path = ? AND p.name = ? AND c.vendor_id = ? "
+ "AND c.name = ? AND c.qualifier = ? AND fh.algo = ? ",
+ DB_TEXT, file, DB_TEXT, product,
+ DB_INT, comp_name->get_vendor_id(comp_name),
DB_INT, comp_name->get_name(comp_name),
DB_INT, comp_name->get_qualifier(comp_name),
DB_INT, algo, DB_BLOB);
/**
* Get stored measurement hash for functional component entries
*
+ * @param file file path in files table
* @param product software product (os, vpn client, etc.)
* @param algo hash algorithm used for measurement
* @param comp_name functional component name object
* @return enumerator over all matching measurement hashes
*/
enumerator_t* (*create_comp_hash_enumerator)(pts_database_t *this,
- char *product, pts_meas_algorithms_t algo,
- pts_comp_func_name_t *comp_name);
+ char *file, char *product,
+ pts_comp_func_name_t *comp_name,
+ pts_meas_algorithms_t algo);
/**
* Destroys a pts_database_t object.
projects / thirdparty / strongswan.git / commitdiff
