* for more details.
*/
+#define _GNU_SOURCE
+
#include "imc_attestation_state.h"
#include <imc/imc_agent.h>
#define IMC_VENDOR_ID PEN_TCG
#define IMC_SUBTYPE PA_SUBTYPE_TCG_PTS
+#define EXTEND_PCR 16
static imc_agent_t *imc_attestation;
*/
static char *responder_nonce = NULL;
+/**
+ * List of buffered Simple Component Evidences
+ * To be sent on reception of Generate Attestation Evidence attribute
+ */
+static linked_list_t *evidences = NULL;
+
/**
* see section 3.7.1 of TCG TNC IF-IMC Specification 1.2
*/
pa_tnc_msg->destroy(pa_tnc_msg);
}
+ evidences = linked_list_create();
+
return result;
}
sub_comp_depth = attr_cast->get_sub_component_depth(attr_cast);
/* TODO: Implement checking of components with its sub-components */
- if (sub_comp_depth != 1)
+ if (sub_comp_depth != 0)
{
DBG1(DBG_IMC, "Current version of Attestation IMC does not support"
- "sub component measurement deeper than 1. "
+ "sub component measurement deeper than zero. "
"Measuring top level component only.");
}
{
case PTS_FUNC_COMP_NAME_BIOS:
{
+ tcg_pts_attr_simple_comp_evid_params_t params;
+ pts_qualifier_t qualifier;
+ time_t measurement_time_t;
+ struct tm *time_now;
+ char *utc_time;
+ hasher_t *hasher;
+ u_char hash_output[HASH_SIZE_SHA384];
+ hash_algorithm_t hash_alg;
+
/* TODO: Implement BIOS measurement */
- DBG1(DBG_IMC, "TODO: Implement BIOS measurement");
+ DBG1(DBG_IMC, "Experimental implementation:"
+ " Extend TPM with etc/tnc_config file");
+
+ params.flags = PTS_SIMPLE_COMP_EVID_FLAG_PCR | PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID;
+ params.depth = 0;
+ params.vendor_id = PEN_TCG;
+
+ qualifier.kernel = FALSE;
+ qualifier.sub_component = FALSE;
+ qualifier.type = PTS_FUNC_COMP_TYPE_TNC;
+ params.qualifier = qualifier;
+
+ params.name = PTS_FUNC_COMP_NAME_BIOS;
+ params.extended_pcr = EXTEND_PCR;
+ params.hash_algorithm = pts->get_meas_algorithm(pts);
+
+ if (!(params.flags & PTS_SIMPLE_COMP_EVID_FLAG_PCR))
+ {
+ params.transformation = PTS_PCR_TRANSFORM_NO;
+ }
+ else if (pts->get_meas_algorithm(pts) & PTS_MEAS_ALGO_SHA1)
+ {
+ params.transformation = PTS_PCR_TRANSFORM_MATCH;
+ }
+ else if (pts->get_meas_algorithm(pts) & PTS_MEAS_ALGO_SHA256)
+ {
+ params.transformation = PTS_PCR_TRANSFORM_LONG;
+ }
+
+ /* Create a hasher */
+ hash_alg = pts_meas_to_hash_algorithm(pts->get_meas_algorithm(pts));
+ hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);
+ if (!hasher)
+ {
+ DBG1(DBG_IMC, " hasher %N not available", hash_algorithm_names, hash_alg);
+ return TNC_RESULT_FATAL;
+ }
+
+ if (!pts->hash_file(pts, hasher, "/etc/tnc_config", hash_output))
+ {
+ hasher->destroy(hasher);
+ return TNC_RESULT_FATAL;
+ }
+
+ measurement_time_t = time(NULL);
+ if (!measurement_time_t)
+ {
+ params.measurement_time = chunk_create("0000-00-00T00:00:00Z", 20);
+ }
+ else
+ {
+ time_now = localtime(&measurement_time_t);
+ if (asprintf(&utc_time, "%d-%2.2d-%2.2dT%2.2d:%2.2d:%2.2dZ",
+ time_now->tm_year + 1900,
+ time_now->tm_mon + 1,
+ time_now->tm_mday,
+ time_now->tm_hour,
+ time_now->tm_min,
+ time_now->tm_sec) < 0)
+ {
+ DBG1(DBG_IMC, "Couldn not format local time to UTC");
+ return TNC_RESULT_FATAL;
+ }
+ params.measurement_time = chunk_create(utc_time, 20);
+ params.measurement_time = chunk_clone(params.measurement_time);
+ }
+
+ params.measurement = chunk_create(hash_output, hasher->get_hash_size(hasher));
+ hasher->destroy(hasher);
+
+ params.policy_uri = chunk_empty;
+ if (!pts->read_pcr(pts, EXTEND_PCR, ¶ms.pcr_before))
+ {
+ DBG1(DBG_IMC, "Error occured while reading PCR: %d", EXTEND_PCR);
+ return TNC_RESULT_FATAL;
+ }
+ if (!pts->extend_pcr(pts, EXTEND_PCR,
+ params.measurement, ¶ms.pcr_after))
+ {
+ DBG1(DBG_IMC, "Error occured while extending PCR: %d", EXTEND_PCR);
+ return TNC_RESULT_FATAL;
+ }
+
+ /* Buffer Simple Component Evidence attribute */
+ attr = tcg_pts_attr_simple_comp_evid_create(params);
+ evidences->insert_last(evidences, attr);
break;
}
case PTS_FUNC_COMP_NAME_IGNORE:
}
case TCG_PTS_GEN_ATTEST_EVID:
{
+ enumerator_t *e;
pts_simple_evid_final_flag_t flags;
- /* TODO: TPM quote operation over included PCR's */
+ /* Send buffered Simple Component Evidences */
+ e = evidences->create_enumerator(evidences);
+ while (e->enumerate(e, &attr))
+ {
+ attr_list->insert_last(attr_list, attr);
+ }
+
+ /* TODO: TPM quote operation over included PCR's */
/* Send Simple Evidence Final attribute */
flags = PTS_SIMPLE_EVID_FINAL_FLAG_NO;
attr = tcg_pts_attr_simple_evid_final_create(flags, 0,
- chunk_empty, chunk_empty, chunk_empty);
+ chunk_empty, chunk_empty, chunk_empty);
attr_list->insert_last(attr_list, attr);
+
+ e->destroy(e);
+ evidences->destroy(evidences);
+
break;
}
case TCG_PTS_REQ_FILE_META:
}
free(responder_nonce);
+ DESTROY_IF(evidences);
libpts_deinit();
imc_attestation->destroy(imc_attestation);
IMV_ATTESTATION_STATE_END);
flags = PTS_REQ_FUNC_COMP_FLAG_PCR;
- sub_comp_depth = 1;
+ sub_comp_depth = 0;
qualifier.kernel = FALSE;
qualifier.sub_component = FALSE;
qualifier.type = PTS_FUNC_COMP_TYPE_ALL;
/* PTS-based Attestation Evidence */
case TCG_PTS_SIMPLE_COMP_EVID:
{
+ tcg_pts_attr_simple_comp_evid_t *attr_cast;
+ pts_attr_simple_comp_evid_flag_t flags;
+ u_int32_t depth, comp_vendor_id, extended_pcr;
+ u_int8_t family, measurement_type;
+ pts_qualifier_t qualifier;
+ pts_funct_comp_name_t name;
+ pts_meas_algorithms_t hash_algorithm;
+ pts_pcr_transform_t transformation;
+ chunk_t measurement_time, policy_uri, pcr_before, pcr_after, measurement;
+
+ attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
+ attr_info = attr->get_value(attr);
+
+ flags = attr_cast->get_flags(attr_cast);
+ depth = attr_cast->get_sub_component_depth(attr_cast);
+ /* TODO: Implement checking of components with its sub-components */
+ if (depth != 0)
+ {
+ DBG1(DBG_IMV, "Current version of Attestation IMV does not support"
+ "sub component measurement deeper than zero");
+ }
+ comp_vendor_id = attr_cast->get_spec_comp_funct_name_vendor_id(attr_cast);
+ if (comp_vendor_id != PEN_TCG)
+ {
+ DBG1(DBG_IMV, "Current version of Attestation IMV supports"
+ "only functional component namings by TCG ");
+ break;
+ }
+ family = attr_cast->get_family(attr_cast);
+ if (family)
+ {
+ attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
+ TCG_PTS_INVALID_NAME_FAM, attr_info);
+ attr_list->insert_last(attr_list, attr);
+ break;
+ }
+ qualifier = attr_cast->get_qualifier(attr_cast);
+ /* Check if Unknown or Wildcard was set for qualifier */
+ if (qualifier.kernel && qualifier.sub_component &&
+ (qualifier.type & PTS_FUNC_COMP_TYPE_ALL))
+ {
+ DBG1(DBG_IMV, "Wildcard was set for the qualifier"
+ "of functional component");
+ return TNC_RESULT_FATAL;
+ }
+ else if (!qualifier.kernel && !qualifier.sub_component &&
+ (qualifier.type & PTS_FUNC_COMP_TYPE_UNKNOWN))
+ {
+ DBG1(DBG_IMV, "Unknown feature was set for the qualifier"
+ "of functional component");
+ return TNC_RESULT_FATAL;
+ }
+ else
+ {
+ /* TODO: Implement what todo with received qualifier */
+ }
+
+ name = attr_cast->get_comp_funct_name(attr_cast);
+ measurement_type = attr_cast->get_measurement_type(attr_cast);
+ hash_algorithm = attr_cast->get_hash_algorithm(attr_cast);
+ transformation = attr_cast->get_pcr_trans(attr_cast);
+ measurement_time = attr_cast->get_measurement_time(attr_cast);
+
+ /* Call getters of optional fields when corresponding flag is set */
+ if (flags & PTS_SIMPLE_COMP_EVID_FLAG_PCR)
+ {
+ extended_pcr = attr_cast->get_extended_pcr(attr_cast);
+ pcr_before = attr_cast->get_pcr_before_value(attr_cast);
+ pcr_after = attr_cast->get_pcr_after_value(attr_cast);
+ measurement = attr_cast->get_comp_measurement(attr_cast);
+ }
+ if (!(flags & PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID))
+ {
+ policy_uri = attr_cast->get_policy_uri(attr_cast);
+ }
+
/** TODO: Implement saving the PCR number, Hash Algo = communicated one,
* PCR transform (truncate SHA256, SHA384), PCR before and after values
*/
projects / thirdparty / strongswan.git / commitdiff
