From: Sansar Choinyambuu Date: Wed, 9 Nov 2011 14:22:57 +0000 (+0100) Subject: Implemented tboot measurements checking (configure on imc) X-Git-Tag: 4.6.2~209 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=868c24b2a43ed571dd6a67d0e0ade9e3ed7fea85;p=thirdparty%2Fstrongswan.git Implemented tboot measurements checking (configure on imc) --- diff --git a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c index 3975009ff1..f91d8d8f5c 100644 --- a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c +++ b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c @@ -16,6 +16,8 @@ #define _GNU_SOURCE #include +/* for isdigit */ +#include #include "imc_attestation_process.h" @@ -41,9 +43,60 @@ #include #include +#include #define DEFAULT_NONCE_LEN 20 +/** + * Convert string to u_int8_t + * code taken from http://www.codeguru.com/forum/showthread.php?t=316299 + */ +static u_int8_t* string_to_bytearray(char *str_value) +{ + u_int32_t i; + u_int8_t *ret; + + ret = malloc(strlen(str_value)/2); + for (i = 0; i < strlen(str_value)/2; i++) + { + char c1, c2; + u_int8_t d1, d2; + + c1 = str_value[i*2]; + c2 = str_value[i*2 + 1]; + + if (isdigit(c1)) + { + d1 = c1 - '0'; + } + else if (c1 >= 'A' && c1 <= 'F') + { + d1 = c1 - 'A' + 10; + } + else if (c1 >= 'a' && c1 <= 'f') + { + d1 = c1 - 'a' + 10; + } + + if (isdigit(c2)) + { + d2 = c2 - '0'; + } + else if (c2 >= 'A' && c2 <= 'F') + { + d2 = c2 - 'A' + 10; + } + else if (c2 >= 'a' && c2 <= 'f') + { + d2 = c2 - 'a' + 10; + } + /* save value of two characters in one byte */ + ret[i] = d1*16 + d2; + } + + return ret; +} + /** * Set parameters of Simple Component Evidence */ 
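Review bot: In string_to_bytearray, d1 and d2 are left uninitialized whenever a character is not a hex digit, so a mistyped strongswan.conf value silently produces garbage bytes instead of an error, and the caller has no way to learn how many bytes were produced (the function returns only a pointer sized by strlen/2, malloc's result is unchecked, and an odd trailing character is dropped). Since the decoder's output becomes attestation evidence the IMV will compare against reference values, I would reject anything that is not exactly the expected number of hex digits and make the caller fail loudly. A decoder that writes into a caller-provided buffer of known size also removes the intermediate malloc/memcpy/free dance in set_simple_comp_evid_params and the isdigit() call on a possibly signed char. If this tree already has a hex decoder among libstrongswan's chunk utilities, that would be preferable to a hand-rolled one.
```c
/* Decode one hex digit; -1 for anything outside [0-9a-fA-F] */
static int hex_digit(char c)
{
	if (c >= '0' && c <= '9')
	{
		return c - '0';
	}
	if (c >= 'a' && c <= 'f')
	{
		return c - 'a' + 10;
	}
	if (c >= 'A' && c <= 'F')
	{
		return c - 'A' + 10;
	}
	return -1;
}

/**
 * Decode exactly 2*len hex characters from str into out.
 * Returns FALSE if str is NULL, has the wrong length or contains a
 * non-hex character; out is then unspecified and must not be used.
 */
static bool string_to_bytearray(char *str, u_int8_t *out, size_t len)
{
	size_t i;
	int hi, lo;

	if (!str || strlen(str) != 2 * len)
	{
		return FALSE;
	}
	for (i = 0; i < len; i++)
	{
		hi = hex_digit(str[2 * i]);
		lo = hex_digit(str[2 * i + 1]);
		if (hi < 0 || lo < 0)
		{
			return FALSE;
		}
		out[i] = (u_int8_t)((hi << 4) | lo);
	}
	return TRUE;
}
```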
@@ -55,7 +108,7 @@ static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name, time_t measurement_time_t; struct tm *time_now; char *utc_time; - + params.name = name; params.pcr_info_included = TRUE; params.flags = PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID; @@ -80,7 +133,7 @@ static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name, { time_now = localtime(&measurement_time_t); if (asprintf(&utc_time, - "%d-%2.2d-%2.2dT%2.2d:%2.2d:%2.2dZ", + "%d-%.2d-%.2dT%.2d:%.2d:%.2dZ", time_now->tm_year + 1900, time_now->tm_mon + 1, time_now->tm_mday, 
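Review bot: The rewritten format string still appends a literal `Z` (and the target variable is named utc_time), but the fields are taken from `time_now = localtime(&measurement_time_t);` two lines above, so on any host whose zone is not UTC the measurement timestamp is mislabeled. If the value is meant to be UTC as the suffix suggests, use `time_now = gmtime(&measurement_time_t);` (or gmtime_r, since localtime/gmtime hand back a shared static buffer) and check the result for NULL before dereferencing it. set_simple_comp_evid_params begins and ends outside this hunk.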
@@ -95,20 +148,68 @@ static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name, params.measurement_time = chunk_clone(params.measurement_time); free(utc_time); } - params.policy_uri = chunk_empty; - params.measurement = chunk_empty; - - params.pcr_before = chunk_alloc(PCR_LEN); - memset(params.pcr_before.ptr, 0, PCR_LEN); - /* Set extended PCR, which varies from component to component */ - if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY) + params.policy_uri = chunk_empty; + + /* Provisional/temporal implementation for trsutedGRUB measurements */ + if (params.name != PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY && + params.name != PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE) { - params.extended_pcr = PCR_TBOOT_POLICY; + params.measurement = chunk_alloc(HASH_SIZE_SHA1); + memset(params.measurement.ptr, 0, HASH_SIZE_SHA1); + params.pcr_before = chunk_alloc(PCR_LEN); + memset(params.pcr_before.ptr, 0, PCR_LEN); } - else if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE) + + /* Set parameters which varies from component to component */ + if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY || + params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE) { - params.extended_pcr = PCR_TBOOT_MLE; + char *measurement_str, *pcr_before_str, *pcr_after_str; + u_int8_t *measurement, *pcr_before, *pcr_after; + + if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY) + { + params.extended_pcr = PCR_TBOOT_POLICY; + measurement_str = lib->settings->get_str(lib->settings, + "libimcv.plugins.imc-attestation.pcr17_meas", NULL); + pcr_before_str = lib->settings->get_str(lib->settings, + "libimcv.plugins.imc-attestation.pcr17_before", NULL); + pcr_after_str = lib->settings->get_str(lib->settings, + "libimcv.plugins.imc-attestation.pcr17_after", NULL); + } + else + { + params.extended_pcr = PCR_TBOOT_MLE; + measurement_str = lib->settings->get_str(lib->settings, + "libimcv.plugins.imc-attestation.pcr18_meas", NULL); + pcr_before_str = lib->settings->get_str(lib->settings, + 
"libimcv.plugins.imc-attestation.pcr18_before", NULL); + pcr_after_str = lib->settings->get_str(lib->settings, + "libimcv.plugins.imc-attestation.pcr18_after", NULL); + } + + if (!measurement_str || !pcr_before_str || !pcr_after_str) + { + DBG1(DBG_IMC, "tboot: configure measurement, before and after value" + " for PCR%d", params.extended_pcr); + return FALSE; + } + + params.measurement = chunk_alloc(HASH_SIZE_SHA1); + measurement = string_to_bytearray(measurement_str); + memcpy(params.measurement.ptr, measurement, HASH_SIZE_SHA1); + free(measurement); + + params.pcr_before = chunk_alloc(PCR_LEN); + pcr_before = string_to_bytearray(pcr_before_str); + memcpy(params.pcr_before.ptr, pcr_before, PCR_LEN); + free(pcr_before); + + params.pcr_after = chunk_alloc(PCR_LEN); + pcr_after = string_to_bytearray(pcr_after_str); + memcpy(params.pcr_after.ptr, pcr_after, PCR_LEN); + free(pcr_after); } else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_MBR_STAGE1) { @@ -414,7 +515,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, return FALSE; } - if (!pts->read_pcr(pts, params.extended_pcr, ¶ms.pcr_after)) + /* Get PCR after value from log when TBOOT is measuring entity */ + if (!(name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY || + name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE) && + !pts->read_pcr(pts, params.extended_pcr, ¶ms.pcr_after)) { DBG1(DBG_IMC, "error occured while reading PCR: %d", params.extended_pcr); diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c index ed5c359b79..570bc8652c 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c 
@@ -222,14 +222,14 @@ bool imv_attestation_build(pa_tnc_msg_t *msg, qualifier.type = PTS_ITA_FUNC_COMP_TYPE_TRUSTED; /* Send Request Functional Component Evidence attribute */ - name = PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART1; + name = PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY; attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth, PEN_ITA, qualifier, name); attr->set_noskip_flag(attr, TRUE); msg->add_attribute(msg, attr); /* Send Request Functional Component Evidence attribute */ - name = PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART2; + name = PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE; attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth, PEN_ITA, qualifier, name); attr->set_noskip_flag(attr, TRUE); diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c index 58d9e922b6..e4969c14cd 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c +++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c @@ -609,7 +609,7 @@ pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create(tcg_pts_attr_simple_comp_evi .policy_uri = chunk_clone(params.policy_uri), .pcr_before = params.pcr_before, .pcr_after = params.pcr_after, - .measurement = chunk_clone(params.measurement), + .measurement = params.measurement, ); return &this->public.pa_tnc_attribute;
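Review bot: The two request blocks are byte-identical apart from the component name, and this change only swaps the hard-coded names, so the duplicated comment and call sequence stay; a small table of names iterated in a loop would make adding or dropping a requested component a one-line change. Something like `pts_ita_funct_comp_name_t names[] = { PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY, PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE };` followed by a for loop over sizeof(names)/sizeof(names[0]) that builds, flags and adds each attribute. imv_attestation_build starts and ends outside this hunk.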
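Review bot: Dropping chunk_clone() for `.measurement` changes the ownership contract: the attribute now adopts the caller's buffer while `.policy_uri` on the line above is still cloned, and any caller that frees params.measurement after create() — which was correct before this commit — now double-frees. The rule should be stated at the params struct or the create() declaration in the header, e.g. `/* pcr_before, pcr_after and measurement are adopted by the attribute and freed on destroy(); policy_uri is cloned */`, and ideally all four chunks would follow one rule. Please also confirm that the attribute's destroy() frees measurement, otherwise the adopted buffer leaks; that code is outside this hunk.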