From: Sansar Choinyambuu Date: Wed, 2 Nov 2011 15:38:06 +0000 (+0100) Subject: Defined functional components within ITA namespace X-Git-Tag: 4.6.2~266 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2aa28b164e3e675042dcb9c40d9542d9faa9866e;p=thirdparty%2Fstrongswan.git Defined functional components within ITA namespace Implemented handling of functional components evidence request/response --- diff --git a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c index 8748202029..3975009ff1 100644 --- a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c +++ b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c @@ -43,7 +43,106 @@ #include #define DEFAULT_NONCE_LEN 20 -#define EXTEND_PCR 16 + +/** + * Set parameters of Simple Component Evidence + */ +static bool set_simple_comp_evid_params(pts_ita_funct_comp_name_t name, + tcg_pts_attr_simple_comp_evid_params_t *out) +{ + tcg_pts_attr_simple_comp_evid_params_t params; + pts_qualifier_t qualifier; + time_t measurement_time_t; + struct tm *time_now; + char *utc_time; + + params.name = name; + params.pcr_info_included = TRUE; + params.flags = PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID; + params.depth = 0; + params.vendor_id = PEN_ITA; + + qualifier.kernel = FALSE; + qualifier.sub_component = FALSE; + qualifier.type = PTS_ITA_FUNC_COMP_TYPE_TRUSTED; + params.qualifier = qualifier; + /* The measurements done by tboot and trustedGRUB are SHA1 hashes */ + params.hash_algorithm = TRUSTED_HASH_ALGO; + params.transformation = PTS_PCR_TRANSFORM_NO; + + measurement_time_t = time(NULL); + if (!measurement_time_t) + { + params.measurement_time = chunk_create("0000-00-00T00:00:00Z", 20); + params.measurement_time = chunk_clone(params.measurement_time); + } + else + { + time_now = localtime(&measurement_time_t); + if (asprintf(&utc_time, + "%d-%2.2d-%2.2dT%2.2d:%2.2d:%2.2dZ", + time_now->tm_year + 1900, + time_now->tm_mon + 1, + time_now->tm_mday, + time_now->tm_hour, + time_now->tm_min, + time_now->tm_sec) < 0) + { + DBG1(DBG_IMC, "could not format local time to UTC"); + return FALSE; + } + params.measurement_time = chunk_create(utc_time, 20); + params.measurement_time = chunk_clone(params.measurement_time); + free(utc_time); + } + params.policy_uri = chunk_empty; + params.measurement = chunk_empty; + + params.pcr_before = chunk_alloc(PCR_LEN); + memset(params.pcr_before.ptr, 0, PCR_LEN); + + /* Set extended PCR, which varies from component to component */ + if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY) + { + params.extended_pcr = PCR_TBOOT_POLICY; + } + else if (params.name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE) + { + params.extended_pcr = PCR_TBOOT_MLE; + } + else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_MBR_STAGE1) + { + params.extended_pcr = PCR_TGRUB_MBR_STAGE1; + } + else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART1) + { + params.extended_pcr = PCR_TGRUB_STAGE2_PART1; + } + else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART2) + { + params.extended_pcr = PCR_TGRUB_STAGE2_PART2; + } + else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_CMD_LINE_ARGS) + { + params.extended_pcr = PCR_TGRUB_CMD_LINE_ARGS; + } + else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_CHECKFILE) + { + params.extended_pcr = PCR_TGRUB_CHECKFILE; + } + else if (params.name == PTS_ITA_FUNC_COMP_NAME_TGRUB_LOADED_FILES) + { + params.extended_pcr = PCR_TGRUB_LOADED_FILES; + } + else + { + DBG1(DBG_IMC, "unsupported Functional Component Name: %d", params.name); + return FALSE; + } + + *out = params; + return TRUE; +} bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, imc_attestation_state_t *attestation_state, @@ -219,7 +318,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, u_int32_t comp_name_vendor_id; u_int8_t family; pts_qualifier_t qualifier; - pts_funct_comp_name_t name; + pts_ita_funct_comp_name_t name; attr_info = attr->get_value(attr); attr_cast = (tcg_pts_attr_req_funct_comp_evid_t*)attr; @@ -259,21 +358,21 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } sub_comp_depth = attr_cast->get_sub_component_depth(attr_cast); - /* TODO: Implement checking of components with its sub-components */ if (sub_comp_depth != 0) { DBG1(DBG_IMC, "current version of Attestation IMC does not " "support sub component measurement deeper than " "zero. Measuring top level component only."); + return FALSE; } comp_name_vendor_id = attr_cast->get_comp_funct_name_vendor_id( attr_cast); - if (comp_name_vendor_id != PEN_TCG) + if (comp_name_vendor_id != PEN_ITA) { DBG1(DBG_IMC, "current version of Attestation IMC supports" - "only functional component namings by TCG "); - break; + "only functional component namings by ITA"); + return FALSE; } family = attr_cast->get_family(attr_cast); @@ -289,152 +388,51 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, /* Check if Unknown or Wildcard was set for qualifier */ if (qualifier.kernel && qualifier.sub_component && - (qualifier.type & PTS_FUNC_COMP_TYPE_ALL)) + (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_ALL)) { DBG2(DBG_IMC, "wildcard was set for the qualifier of functional" " component. Identifying the component with " "name binary enumeration"); } else if (!qualifier.kernel && !qualifier.sub_component && - (qualifier.type & PTS_FUNC_COMP_TYPE_UNKNOWN)) + (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_UNKNOWN)) { DBG2(DBG_IMC, "unknown was set for the qualifier of functional" " component. Identifying the component with " "name binary enumeration"); } - else + else if (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_TRUSTED) { - /* TODO: Implement what todo with received qualifier */ - } + tcg_pts_attr_simple_comp_evid_params_t params; - name = attr_cast->get_comp_funct_name(attr_cast); - switch (name) - { - case PTS_FUNC_COMP_NAME_BIOS: + /* Set parameters of Simple Component Evidence */ + name = attr_cast->get_comp_funct_name(attr_cast); + if (!set_simple_comp_evid_params(name, ¶ms)) { - tcg_pts_attr_simple_comp_evid_params_t params; - pts_qualifier_t qualifier; - time_t measurement_time_t; - struct tm *time_now; - char *utc_time; - hasher_t *hasher; - u_char hash_output[HASH_SIZE_SHA384]; - hash_algorithm_t hash_alg; - - /* TODO: Implement BIOS measurement */ - DBG1(DBG_IMC, "experimental implementation:" - " Extend TPM with etc/tnc_config file"); - params.pcr_info_included = TRUE; - params.flags = PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID; - params.depth = 0; - params.vendor_id = PEN_TCG; - - qualifier.kernel = FALSE; - qualifier.sub_component = FALSE; - qualifier.type = PTS_FUNC_COMP_TYPE_TNC; - params.qualifier = qualifier; - - params.name = PTS_FUNC_COMP_NAME_BIOS; - params.extended_pcr = EXTEND_PCR; - params.hash_algorithm = pts->get_meas_algorithm(pts); - - if (!params.pcr_info_included) - { - params.transformation = PTS_PCR_TRANSFORM_NO; - } - else if (pts->get_meas_algorithm(pts) & PTS_MEAS_ALGO_SHA1) - { - params.transformation = PTS_PCR_TRANSFORM_MATCH; - } - else if (pts->get_meas_algorithm(pts) & PTS_MEAS_ALGO_SHA256) - { - params.transformation = PTS_PCR_TRANSFORM_LONG; - } - - /* Create a hasher */ - hash_alg = pts_meas_algo_to_hash(pts->get_meas_algorithm(pts)); - hasher = lib->crypto->create_hasher(lib->crypto, hash_alg); - if (!hasher) - { - DBG1(DBG_IMC, " hasher %N not available", - hash_algorithm_names, hash_alg); - return FALSE; - } - - if (!pts->hash_file(pts, hasher, "/etc/tnc_config", - hash_output)) - { - hasher->destroy(hasher); - return FALSE; - } - - measurement_time_t = time(NULL); - if (!measurement_time_t) - { - params.measurement_time = chunk_create( - "0000-00-00T00:00:00Z", 20); - } - else - { - time_now = localtime(&measurement_time_t); - if (asprintf(&utc_time, - "%d-%2.2d-%2.2dT%2.2d:%2.2d:%2.2dZ", - time_now->tm_year + 1900, - time_now->tm_mon + 1, - time_now->tm_mday, - time_now->tm_hour, - time_now->tm_min, - time_now->tm_sec) < 0) - { - DBG1(DBG_IMC, "could not format local time to UTC"); - hasher->destroy(hasher); - return FALSE; - } - params.measurement_time = chunk_create(utc_time, 20); - params.measurement_time = chunk_clone( - params.measurement_time); - free(utc_time); - - } - - params.measurement = chunk_create(hash_output, - hasher->get_hash_size(hasher)); - hasher->destroy(hasher); - - params.policy_uri = chunk_empty; - if (!pts->read_pcr(pts, EXTEND_PCR, ¶ms.pcr_before)) - { - DBG1(DBG_IMC, "error occured while reading PCR: %d", - EXTEND_PCR); - return FALSE; - } - - if (!pts->extend_pcr(pts, EXTEND_PCR, - params.measurement, ¶ms.pcr_after)) - { - DBG1(DBG_IMC, "error occured while extending PCR: %d", - EXTEND_PCR); - return FALSE; - } - - /* Buffer Simple Component Evidence attribute */ - attr = tcg_pts_attr_simple_comp_evid_create(params); - evidences->insert_last(evidences, attr); - - break; + DBG1(DBG_IMC, "error occured while setting parameters" + "for Simple Component Evidence"); + return FALSE; } - case PTS_FUNC_COMP_NAME_IGNORE: - case PTS_FUNC_COMP_NAME_CRTM: - case PTS_FUNC_COMP_NAME_PLATFORM_EXT: - case PTS_FUNC_COMP_NAME_BOARD: - case PTS_FUNC_COMP_NAME_INIT_LOADER: - case PTS_FUNC_COMP_NAME_OPT_ROMS: - default: + + if (!pts->read_pcr(pts, params.extended_pcr, ¶ms.pcr_after)) { - DBG1(DBG_IMC, "unsupported Functional Component Name"); - break; + DBG1(DBG_IMC, "error occured while reading PCR: %d", + params.extended_pcr); + return FALSE; } + + /* Buffer Simple Component Evidence attribute */ + attr = tcg_pts_attr_simple_comp_evid_create(params); + evidences->insert_last(evidences, attr); + break; + } + else + { + DBG1(DBG_IMC, "Functional Component with unsupported type: %d" + "was requested for evidence", qualifier.type); + break; } + break; } case TCG_PTS_GEN_ATTEST_EVID: diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c index 6837073f1b..ed5c359b79 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c @@ -210,7 +210,7 @@ bool imv_attestation_build(pa_tnc_msg_t *msg, pts_attr_req_funct_comp_evid_flag_t flags; u_int32_t sub_comp_depth; pts_qualifier_t qualifier; - pts_funct_comp_name_t name; + pts_ita_funct_comp_name_t name; attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_END); @@ -219,14 +219,22 @@ bool imv_attestation_build(pa_tnc_msg_t *msg, sub_comp_depth = 0; qualifier.kernel = FALSE; qualifier.sub_component = FALSE; - qualifier.type = PTS_FUNC_COMP_TYPE_ALL; - name = PTS_FUNC_COMP_NAME_BIOS; + qualifier.type = PTS_ITA_FUNC_COMP_TYPE_TRUSTED; /* Send Request Functional Component Evidence attribute */ + name = PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART1; attr = tcg_pts_attr_req_funct_comp_evid_create(flags, - sub_comp_depth, PEN_TCG, qualifier, name); + sub_comp_depth, PEN_ITA, qualifier, name); attr->set_noskip_flag(attr, TRUE); msg->add_attribute(msg, attr); + + /* Send Request Functional Component Evidence attribute */ + name = PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART2; + attr = tcg_pts_attr_req_funct_comp_evid_create(flags, + sub_comp_depth, PEN_ITA, qualifier, name); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + /* Send Generate Attestation Evidence attribute */ attr = tcg_pts_attr_gen_attest_evid_create(); attr->set_noskip_flag(attr, TRUE); diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c index 1ba627ec9d..5e6f8bc8de 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c @@ -185,7 +185,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, u_int32_t depth, comp_vendor_id, extended_pcr; u_int8_t family, measurement_type; pts_qualifier_t qualifier; - pts_funct_comp_name_t name; + pts_ita_funct_comp_name_t name; pts_meas_algorithms_t hash_algorithm; pts_pcr_transform_t transformation; chunk_t measurement_time, policy_uri; @@ -197,7 +197,6 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, pcr_info_inclided = attr_cast->is_pcr_info_included(attr_cast); flags = attr_cast->get_flags(attr_cast); depth = attr_cast->get_sub_component_depth(attr_cast); - /* TODO: Implement check of components with its sub-components */ if (depth != 0) { DBG1(DBG_IMV, "Current version of Attestation IMV does not" @@ -205,10 +204,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } comp_vendor_id = attr_cast->get_spec_comp_funct_name_vendor_id( attr_cast); - if (comp_vendor_id != PEN_TCG) + if (comp_vendor_id != PEN_ITA) { DBG1(DBG_IMV, "Current version of Attestation IMV supports" - "only functional component namings by TCG "); + "only functional component namings by ITA "); break; } family = attr_cast->get_family(attr_cast); @@ -223,24 +222,20 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, /* Check if Unknown or Wildcard was set for qualifier */ if (qualifier.kernel && qualifier.sub_component && - (qualifier.type & PTS_FUNC_COMP_TYPE_ALL)) + (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_ALL)) { DBG1(DBG_IMV, "Wildcard was set for the qualifier " "of functional component"); return FALSE; } else if (!qualifier.kernel && !qualifier.sub_component && - (qualifier.type & PTS_FUNC_COMP_TYPE_UNKNOWN)) + (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_UNKNOWN)) { DBG1(DBG_IMV, "Unknown feature was set for the qualifier " "of functional component"); return FALSE; } - else - { - /* TODO: Implement what todo with received qualifier */ - } - + name = attr_cast->get_comp_funct_name(attr_cast); measurement_type = attr_cast->get_measurement_type(attr_cast); hash_algorithm = attr_cast->get_hash_algorithm(attr_cast); @@ -257,18 +252,17 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, pcr_after = attr_cast->get_pcr_after_value(attr_cast); measurement = attr_cast->get_comp_measurement(attr_cast); - DBG4(DBG_IMV,"PCR: %d was extended with %B", + DBG3(DBG_IMV,"PCR: %d was extended with %B", extended_pcr, &measurement); - DBG4(DBG_IMV,"PCR: %d before value: %B", + DBG3(DBG_IMV,"PCR: %d before value: %B", extended_pcr, &pcr_before); - DBG4(DBG_IMV,"PCR: %d after value: %B", + DBG3(DBG_IMV,"PCR: %d after value: %B", extended_pcr, &pcr_after); entry = malloc_thing(pcr_entry_t); entry->pcr_number = extended_pcr; - strncpy(entry->pcr_value, pcr_after.ptr, PCR_LEN); + memcpy(entry->pcr_value, pcr_after.ptr, PCR_LEN); pts->add_pcr_entry(pts, entry); - } if (flags != PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID) { @@ -308,11 +302,18 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } if (flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO) { - chunk_t pcr_composite, quote_info, quote_digest; - hasher_t *hasher; + chunk_t pcr_composite, quote_info; pcr_comp = attr_cast->get_pcr_comp(attr_cast); tpm_quote_sign = attr_cast->get_tpm_quote_sign(attr_cast); + if (!pcr_comp.ptr || !tpm_quote_sign.ptr) + { + DBG1(DBG_IMV, "PCR composite: %B", &pcr_comp); + DBG1(DBG_IMV, "TPM Quote Signature: %B", &tpm_quote_sign); + DBG1(DBG_IMV, "Either PCR Composite or Quote Signature missing"); + return FALSE; + } + /* Construct PCR Composite and TPM Quote Info structures*/ if (!pts->get_quote_info(pts, composite_algorithm, &pcr_composite, "e_info)) @@ -320,9 +321,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, DBG1(DBG_IMV, "unable to contruct TPM Quote Info"); return FALSE; } - + /* Check calculated PCR composite matches with received */ - if (pcr_comp.ptr && !chunk_equals(pcr_comp, pcr_composite)) + if (!chunk_equals(pcr_comp, pcr_composite)) { DBG1(DBG_IMV, "received PCR Compsosite didn't match" " with constructed"); @@ -332,24 +333,16 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } DBG2(DBG_IMV, "received PCR Composite matches with constructed"); chunk_clear(&pcr_composite); - - /* SHA1(TPM Quote Info) expected from IMC */ - hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); - hasher->allocate_hash(hasher, quote_info, "e_digest); - hasher->destroy(hasher); - chunk_clear("e_info); - - if (tpm_quote_sign.ptr && - !pts->verify_quote_signature(pts, quote_digest, - tpm_quote_sign)) + + if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sign)) { - chunk_clear("e_digest); + chunk_clear("e_info); return FALSE; } DBG2(DBG_IMV, "signature verification succeeded for " "TPM Quote Info"); - chunk_clear("e_digest); + chunk_clear("e_info); } if (evid_signature_included) diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c index 9f36a76d7d..9b490cde0d 100644 --- a/src/libpts/pts/pts.c +++ b/src/libpts/pts/pts.c @@ -27,10 +27,6 @@ #include #include -#include -#include -#include - #define PTS_BUF_SIZE 4096 typedef struct private_pts_t private_pts_t; @@ -249,7 +245,7 @@ METHOD(pts_t, calculate_secret, bool, DBG1(DBG_PTS, "shared DH secret computation failed"); return FALSE; } - DBG4(DBG_PTS, "shared DH secret: %B", &shared_secret); + DBG3(DBG_PTS, "shared DH secret: %B", &shared_secret); /* Calculate the secret assessment value */ hash_alg = pts_meas_algo_to_hash(this->dh_hash_algorithm); @@ -269,7 +265,7 @@ METHOD(pts_t, calculate_secret, bool, * argument of the TPM Quote command */ this->secret.len = min(this->secret.len, 20); - DBG4(DBG_PTS, "secret assessment value: %B", &this->secret); + DBG3(DBG_PTS, "secret assessment value: %B", &this->secret); return TRUE; } @@ -899,6 +895,9 @@ METHOD(pts_t, quote_tpm, bool, *pcr_composite = chunk_clone(*pcr_composite); DBG3(DBG_PTS, "Hash of PCR Composite: %B",pcr_composite); + chunk_t tmp = chunk_create(valData.rgbData, valData.ulDataLength); + DBG3(DBG_PTS, "TPM Quote Info: %B",&tmp); + quote_sign = chunk_alloc(valData.ulValidationDataLength); memcpy(quote_sign.ptr, valData.rgbValidationData, valData.ulValidationDataLength); @@ -931,20 +930,6 @@ METHOD(pts_t, quote_tpm, bool, return FALSE; } -/** - * Comparison function for pcr_entry_t struct - */ -static int pcr_entry_compare(const pcr_entry_t *a, const pcr_entry_t *b) -{ - return (a->pcr_number - b->pcr_number); -} - -static int pcr_entry_compare_qsort(const void *a, const void *b) -{ - return pcr_entry_compare(*(const pcr_entry_t *const *)a - , *(const pcr_entry_t *const *)b); -} - METHOD(pts_t, add_pcr_entry, void, private_pts_t *this, pcr_entry_t *new) { @@ -961,7 +946,7 @@ METHOD(pts_t, add_pcr_entry, void, { if (entry->pcr_number == new->pcr_number) { - DBG4(DBG_PTS, "updating already added PCR%d value", + DBG3(DBG_PTS, "updating already added PCR%d value", entry->pcr_number); this->pcrs->remove_at(this->pcrs, e); free(entry); @@ -969,11 +954,7 @@ METHOD(pts_t, add_pcr_entry, void, } } DESTROY_IF(e); - this->pcrs->insert_last(this->pcrs, new); - - qsort(this->pcrs, this->pcrs->get_count(this->pcrs), - sizeof(pcr_entry_t *), pcr_entry_compare_qsort); } /** @@ -1023,7 +1004,7 @@ METHOD(pts_t, get_quote_info, bool, pcr_composite_len = 2 + PCR_MASK_LEN + 4 + this->pcrs->get_count(this->pcrs) * PCR_LEN; - + writer = bio_writer_create(pcr_composite_len); /* Lenght of the bist mask field */ writer->write_uint16(writer, PCR_MASK_LEN); @@ -1054,6 +1035,7 @@ METHOD(pts_t, get_quote_info, bool, /* PCR Composite structure */ pcr_composite = chunk_clone(writer->get_buf(writer)); + DBG3(DBG_PTS, "PCR Composite: %B", &pcr_composite); writer->destroy(writer); writer = bio_writer_create(TPM_QUOTE_INFO_LEN); @@ -1079,13 +1061,13 @@ METHOD(pts_t, get_quote_info, bool, /* Hash the PCR Composite Structure */ hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite); - DBG4(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite); + DBG3(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite); hasher->destroy(hasher); } else { *out_pcr_composite = chunk_clone(pcr_composite); - DBG4(DBG_PTS, "calculated PCR Composite: %B", out_pcr_composite); + DBG3(DBG_PTS, "calculated PCR Composite: %B", out_pcr_composite); } /* SHA1 hash of PCR Composite to construct TPM_QUOTE_INFO */ @@ -1109,7 +1091,7 @@ METHOD(pts_t, get_quote_info, bool, writer->write_data(writer, this->secret); /* TPM Quote Info */ *out_quote_info = chunk_clone(writer->get_buf(writer)); - DBG4(DBG_PTS, "Calculated TPM Quote Info: %B", out_quote_info); + DBG3(DBG_PTS, "Calculated TPM Quote Info: %B", out_quote_info); writer->destroy(writer); return TRUE; @@ -1127,7 +1109,8 @@ METHOD(pts_t, verify_quote_signature, bool, return FALSE; } - if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_SHA1, data, signature)) + if (!aik_pub_key->verify(aik_pub_key, SIGN_RSA_EMSA_PKCS1_SHA1, + data, signature)) { DBG1(DBG_PTS, "signature verification failed for TPM Quote Info"); DESTROY_IF(aik_pub_key); diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h index 84175d7cee..79e33016e5 100644 --- a/src/libpts/pts/pts.h +++ b/src/libpts/pts/pts.h @@ -40,6 +40,43 @@ typedef struct pcr_entry_t pcr_entry_t; #define SOLIDUS_UTF 0x2F #define REVERSE_SOLIDUS_UTF 0x5C +/** + * PCR indices used for measurements of various functional components + */ +/** Commented the real PCR indices out, use just PCR16 for debugging +#define PCR_BIOS 0 +#define PCR_PLATFORM_EXT 1 +#define PCR_MOTHERBOARD 1 +#define PCR_OPTION_ROMS 2 +#define PCR_IPL 4 + +#define PCR_TBOOT_POLICY 17 +#define PCR_TBOOT_MLE 18 + +#define PCR_TGRUB_MBR_STAGE1 4 +#define PCR_TGRUB_STAGE2_PART1 8 +#define PCR_TGRUB_STAGE2_PART2 9 +#define PCR_TGRUB_CMD_LINE_ARGS 12 +#define PCR_TGRUB_CHECKFILE 13 +#define PCR_TGRUB_LOADED_FILES 14 +*/ + +#define PCR_BIOS 16 +#define PCR_PLATFORM_EXT 16 +#define PCR_MOTHERBOARD 16 +#define PCR_OPTION_ROMS 16 +#define PCR_IPL 16 + +#define PCR_TBOOT_POLICY 16 +#define PCR_TBOOT_MLE 16 + +#define PCR_TGRUB_MBR_STAGE1 16 +#define PCR_TGRUB_STAGE2_PART1 16 +#define PCR_TGRUB_STAGE2_PART2 16 +#define PCR_TGRUB_CMD_LINE_ARGS 16 +#define PCR_TGRUB_CHECKFILE 16 +#define PCR_TGRUB_LOADED_FILES 16 + /** * Length of the generated nonce used for calculation of shared secret */ @@ -63,7 +100,12 @@ typedef struct pcr_entry_t pcr_entry_t; /** * Bitmask Lenght for PCR Composite structure */ -#define PCR_MASK_LEN MAX_NUM_PCR / 8 +#define PCR_MASK_LEN MAX_NUM_PCR/8 + +/** + * Hashing algorithm used by tboot and trustedGRUB + */ +#define TRUSTED_HASH_ALGO PTS_MEAS_ALGO_SHA1 /** * PCR Entry structure which contains PCR number and current value diff --git a/src/libpts/pts/pts_funct_comp_name.h b/src/libpts/pts/pts_funct_comp_name.h index 0926a2bc75..25b1028d64 100644 --- a/src/libpts/pts/pts_funct_comp_name.h +++ b/src/libpts/pts/pts_funct_comp_name.h @@ -23,6 +23,8 @@ typedef enum pts_funct_comp_type_t pts_funct_comp_type_t; typedef enum pts_funct_comp_name_t pts_funct_comp_name_t; +typedef enum pts_ita_funct_comp_type_t pts_ita_funct_comp_type_t; +typedef enum pts_ita_funct_comp_name_t pts_ita_funct_comp_name_t; typedef struct pts_qualifier_t pts_qualifier_t; /** @@ -34,7 +36,7 @@ enum pts_funct_comp_type_t { /** Trusted Platform */ PTS_FUNC_COMP_TYPE_TRUSTED = 0x1, /** Operating System */ - PTS_FUNC_COMP_TYPE_OS = 0x2, + PTS_FUNC_COMP_TYPE_OS = 0x2, /** Graphical User Interface */ PTS_FUNC_COMP_TYPE_GUI = 0x3, /** Application */ @@ -69,13 +71,48 @@ enum pts_funct_comp_name_t { PTS_FUNC_COMP_NAME_OPT_ROMS = 0x0006, }; +/** + * PTS Component Functional Type for Qualifier field in ITA namespace + */ +enum pts_ita_funct_comp_type_t { + /** Unknown */ + PTS_ITA_FUNC_COMP_TYPE_UNKNOWN = 0x0, + /** Trusted Platform */ + PTS_ITA_FUNC_COMP_TYPE_TRUSTED = 0x1, + /** All matching Components */ + PTS_ITA_FUNC_COMP_TYPE_ALL = 0xF, +}; + +/** + * PTS Component Functional Name Binary Enumeration in ITA namespace + */ +enum pts_ita_funct_comp_name_t { + /** Components measured into PCR17 during tboot */ + PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY = 0x0000, + /** Components measured into PCR18 during tboot */ + PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE = 0x0001, + /** MBR information and stage1 during boot by trustedGRUB */ + PTS_ITA_FUNC_COMP_NAME_TGRUB_MBR_STAGE1 = 0x0002, + /** bootloader information stage2 part1 during boot by trustedGRUB */ + PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART1 = 0x0003, + /** bootloader information stage2 part2 during boot by trustedGRUB */ + PTS_ITA_FUNC_COMP_NAME_TGRUB_STAGE2_PART2 = 0x0004, + /** all commandline arguments from menu.lst and those entered in the shell + * during boot by trustedGRUB */ + PTS_ITA_FUNC_COMP_NAME_TGRUB_CMD_LINE_ARGS = 0x0005, + /** all files checked via the checkfile-routine during boot by trustedGRUB */ + PTS_ITA_FUNC_COMP_NAME_TGRUB_CHECKFILE = 0x0006, + /** all files which are actually loaded during boot by trustedGRUB */ + PTS_ITA_FUNC_COMP_NAME_TGRUB_LOADED_FILES = 0x0007, +}; + /** * Qualifier for Functional Component */ struct pts_qualifier_t { bool kernel; bool sub_component; - pts_funct_comp_type_t type; + pts_ita_funct_comp_type_t type; }; #endif /** PTS_FUNCT_COMP_NAME_H_ @}*/ diff --git a/src/libpts/tcg/tcg_pts_attr_req_funct_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_req_funct_comp_evid.c index 716ec34e39..7f08f57de8 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_funct_comp_evid.c +++ b/src/libpts/tcg/tcg_pts_attr_req_funct_comp_evid.c @@ -123,7 +123,7 @@ struct private_tcg_pts_attr_req_funct_comp_evid_t { /** * Component Functional Name */ - pts_funct_comp_name_t name; + pts_ita_funct_comp_name_t name; }; METHOD(pa_tnc_attr_t, get_vendor_id, pen_t, @@ -284,14 +284,14 @@ METHOD(tcg_pts_attr_req_funct_comp_evid_t, set_qualifier, void, this->qualifier = qualifier; } -METHOD(tcg_pts_attr_req_funct_comp_evid_t, get_comp_funct_name, pts_funct_comp_name_t, +METHOD(tcg_pts_attr_req_funct_comp_evid_t, get_comp_funct_name, pts_ita_funct_comp_name_t, private_tcg_pts_attr_req_funct_comp_evid_t *this) { return this->name; } METHOD(tcg_pts_attr_req_funct_comp_evid_t, set_comp_funct_name, void, - private_tcg_pts_attr_req_funct_comp_evid_t *this, pts_funct_comp_name_t name) + private_tcg_pts_attr_req_funct_comp_evid_t *this, pts_ita_funct_comp_name_t name) { this->name = name; } @@ -303,7 +303,7 @@ pa_tnc_attr_t *tcg_pts_attr_req_funct_comp_evid_create( pts_attr_req_funct_comp_evid_flag_t flags, u_int32_t depth, u_int32_t vendor_id, pts_qualifier_t qualifier, - pts_funct_comp_name_t name) + pts_ita_funct_comp_name_t name) { private_tcg_pts_attr_req_funct_comp_evid_t *this; diff --git a/src/libpts/tcg/tcg_pts_attr_req_funct_comp_evid.h b/src/libpts/tcg/tcg_pts_attr_req_funct_comp_evid.h index 215ce6408a..bddedb0df6 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_funct_comp_evid.h +++ b/src/libpts/tcg/tcg_pts_attr_req_funct_comp_evid.h @@ -109,7 +109,7 @@ struct tcg_pts_attr_req_funct_comp_evid_t { * * @return Component Functional Name */ - pts_funct_comp_name_t (*get_comp_funct_name)(tcg_pts_attr_req_funct_comp_evid_t *this); + pts_ita_funct_comp_name_t (*get_comp_funct_name)(tcg_pts_attr_req_funct_comp_evid_t *this); /** @@ -118,7 +118,7 @@ struct tcg_pts_attr_req_funct_comp_evid_t { * @param name Component Functional Name */ void (*set_comp_funct_name)(tcg_pts_attr_req_funct_comp_evid_t *this, - pts_funct_comp_name_t name); + pts_ita_funct_comp_name_t name); }; @@ -135,7 +135,7 @@ struct tcg_pts_attr_req_funct_comp_evid_t { pa_tnc_attr_t* tcg_pts_attr_req_funct_comp_evid_create(pts_attr_req_funct_comp_evid_flag_t flags, u_int32_t depth, u_int32_t vendor_id, pts_qualifier_t qualifier, - pts_funct_comp_name_t name); + pts_ita_funct_comp_name_t name); /** * Creates an tcg_pts_attr_req_funct_comp_evid_t object from received data diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c index d33f1f8ef3..58d9e922b6 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c +++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c @@ -158,7 +158,7 @@ struct private_tcg_pts_attr_simple_comp_evid_t { /** * Component Functional Name */ - pts_funct_comp_name_t name; + pts_ita_funct_comp_name_t name; /** * Measurement type @@ -311,8 +311,11 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_data (writer, this->pcr_before); writer->write_data (writer, this->pcr_after); } - - writer->write_data (writer, this->measurement); + + if (this->measurement.ptr && this->measurement.len > 0) + { + writer->write_data (writer, this->measurement); + } this->value = chunk_clone(writer->get_buf(writer)); writer->destroy(writer); @@ -481,7 +484,7 @@ METHOD(tcg_pts_attr_simple_comp_evid_t, get_qualifier, pts_qualifier_t, return this->qualifier; } -METHOD(tcg_pts_attr_simple_comp_evid_t, get_comp_funct_name, pts_funct_comp_name_t, +METHOD(tcg_pts_attr_simple_comp_evid_t, get_comp_funct_name, pts_ita_funct_comp_name_t, private_tcg_pts_attr_simple_comp_evid_t *this) { return this->name; @@ -602,7 +605,7 @@ pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create(tcg_pts_attr_simple_comp_evi .extended_pcr = params.extended_pcr, .hash_algorithm = params.hash_algorithm, .transformation = params.transformation, - .measurement_time = chunk_clone(params.measurement_time), + .measurement_time = params.measurement_time, .policy_uri = chunk_clone(params.policy_uri), .pcr_before = params.pcr_before, .pcr_after = params.pcr_after, diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h index f72429c0cd..ff846fc8b3 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h +++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.h @@ -68,7 +68,7 @@ struct tcg_pts_attr_simple_comp_evid_params_t { u_int32_t depth; u_int32_t vendor_id; pts_qualifier_t qualifier; - pts_funct_comp_name_t name; + pts_ita_funct_comp_name_t name; u_int32_t extended_pcr; pts_meas_algorithms_t hash_algorithm; pts_pcr_transform_t transformation; @@ -137,7 +137,7 @@ struct tcg_pts_attr_simple_comp_evid_t { * * @return Component Functional Name */ - pts_funct_comp_name_t (*get_comp_funct_name)(tcg_pts_attr_simple_comp_evid_t *this); + pts_ita_funct_comp_name_t (*get_comp_funct_name)(tcg_pts_attr_simple_comp_evid_t *this); /** * Get Measurement Type diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c index c6a5af3e17..dc7fb84839 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c +++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c @@ -252,7 +252,6 @@ METHOD(pa_tnc_attr_t, process, status_t, reader->read_data(reader, pcr_comp_len, &this->pcr_comp); this->pcr_comp = chunk_clone(this->pcr_comp); - this->pcr_comp = chunk_empty; reader->read_uint32(reader, &tpm_quote_sign_len); reader->read_data(reader, tpm_quote_sign_len, &this->tpm_quote_sign); this->tpm_quote_sign = chunk_clone(this->tpm_quote_sign);