Construct PCR Composite using information received in Simple Component Evidence attributes
This commit is contained in:
parent
d09cf19716
commit
d6fc5bace3
|
@ -246,19 +246,22 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
|
|||
/* Call getters of optional fields when corresponding flag is set */
|
||||
if (pcr_info_inclided)
|
||||
{
|
||||
pcr_entry_t *entry;
|
||||
|
||||
extended_pcr = attr_cast->get_extended_pcr(attr_cast);
|
||||
pcr_before = attr_cast->get_pcr_before_value(attr_cast);
|
||||
pcr_after = attr_cast->get_pcr_after_value(attr_cast);
|
||||
measurement = attr_cast->get_comp_measurement(attr_cast);
|
||||
|
||||
DBG3(DBG_IMV,"PCR: %d was extended with %B", extended_pcr, &measurement);
|
||||
DBG3(DBG_IMV,"PCR: %d before value: %B", extended_pcr, &pcr_before);
|
||||
DBG3(DBG_IMV,"PCR: %d after value: %B", extended_pcr, &pcr_after);
|
||||
DBG4(DBG_IMV,"PCR: %d was extended with %B", extended_pcr, &measurement);
|
||||
DBG4(DBG_IMV,"PCR: %d before value: %B", extended_pcr, &pcr_before);
|
||||
DBG4(DBG_IMV,"PCR: %d after value: %B", extended_pcr, &pcr_after);
|
||||
|
||||
if (!pts->does_pcr_value_match(pts, pcr_after))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
entry = malloc_thing(pcr_entry_t);
|
||||
entry->pcr_number = extended_pcr;
|
||||
strcpy(entry->pcr_value, pcr_after.ptr);
|
||||
pts->add_pcr_entry(pts, entry);
|
||||
|
||||
}
|
||||
if (flags != PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID)
|
||||
{
|
||||
|
@ -295,35 +298,33 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
|
|||
}
|
||||
if (flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO)
|
||||
{
|
||||
chunk_t quote_info, quote_digest;
|
||||
chunk_t pcr_composite, quote_info, quote_digest;
|
||||
hasher_t *hasher;
|
||||
pcr_comp = attr_cast->get_pcr_comp(attr_cast);
|
||||
tpm_quote_sign = attr_cast->get_tpm_quote_sign(attr_cast);
|
||||
|
||||
if (!pts->get_quote_info(pts, "e_info))
|
||||
|
||||
/* Construct PCR Composite and TPM Quote Info structures*/
|
||||
if (!pts->get_quote_info(pts, &pcr_composite, "e_info))
|
||||
{
|
||||
DBG1(DBG_IMV, "unable to contruct TPM Quote Info");
|
||||
free(quote_info.ptr);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* Check calculated PCR composite structure matches with received */
|
||||
if (pcr_comp.ptr && !chunk_equals(pcr_comp, pcr_composite))
|
||||
{
|
||||
DBG1(DBG_IMV, "received PCR Compsosite didn't match with constructed");
|
||||
free(pcr_composite.ptr);
|
||||
free(quote_info.ptr);
|
||||
return FALSE;
|
||||
}
|
||||
free(pcr_composite.ptr);
|
||||
|
||||
/* SHA1(TPM Quote Info) expected from IMC */
|
||||
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
|
||||
hasher->allocate_hash(hasher, quote_info, "e_digest);
|
||||
hasher->destroy(hasher);
|
||||
|
||||
if (pcr_comp.ptr && strncmp(quote_info.ptr, pcr_comp.ptr,
|
||||
quote_info.len - ASSESSMENT_SECRET_LEN) != 0)
|
||||
{
|
||||
DBG1(DBG_IMV, "calculated TPM Quote Info differs from received");
|
||||
DBG3(DBG_IMV, "calculated: %B", "e_info);
|
||||
DBG3(DBG_IMV, "received: %B", &pcr_comp);
|
||||
free(quote_digest.ptr);
|
||||
free(quote_info.ptr);
|
||||
return FALSE;
|
||||
}
|
||||
DBG2(DBG_IMV, "received TPM Quote Info matches with calculated");
|
||||
|
||||
if (tpm_quote_sign.ptr &&
|
||||
!pts->verify_quote_signature(pts, quote_digest, tpm_quote_sign))
|
||||
{
|
||||
|
|
|
@ -113,6 +113,10 @@ struct private_pts_t {
|
|||
*/
|
||||
certificate_t *aik;
|
||||
|
||||
/**
|
||||
* List of extended PCR's with corresponding values
|
||||
*/
|
||||
linked_list_t *pcrs;
|
||||
};
|
||||
|
||||
METHOD(pts_t, get_proto_caps, pts_proto_caps_flag_t,
|
||||
|
@ -828,7 +832,7 @@ METHOD(pts_t, quote_tpm, bool,
|
|||
TSS_VALIDATION valData;
|
||||
u_int32_t i;
|
||||
TSS_RESULT result;
|
||||
chunk_t pcr_comp, quote_sign;
|
||||
chunk_t quote_sign;
|
||||
|
||||
result = Tspi_Context_Create(&hContext);
|
||||
if (result != TSS_SUCCESS)
|
||||
|
@ -909,12 +913,7 @@ METHOD(pts_t, quote_tpm, bool,
|
|||
}
|
||||
|
||||
/* Set output chunks */
|
||||
pcr_comp = chunk_alloc(valData.ulDataLength - ASSESSMENT_SECRET_LEN);
|
||||
memcpy(pcr_comp.ptr, valData.rgbData,
|
||||
valData.ulDataLength - ASSESSMENT_SECRET_LEN);
|
||||
*pcr_composite = pcr_comp;
|
||||
*pcr_composite = chunk_clone(*pcr_composite);
|
||||
DBG3(DBG_PTS, "PCR comp: %B",pcr_composite);
|
||||
*pcr_composite = chunk_empty;
|
||||
|
||||
quote_sign = chunk_alloc(valData.ulValidationDataLength);
|
||||
memcpy(quote_sign.ptr, valData.rgbValidationData,
|
||||
|
@ -923,7 +922,6 @@ METHOD(pts_t, quote_tpm, bool,
|
|||
*quote_signature = chunk_clone(*quote_signature);
|
||||
DBG3(DBG_PTS, "Quote sign: %B",quote_signature);
|
||||
|
||||
chunk_clear(&pcr_comp);
|
||||
chunk_clear("e_sign);
|
||||
Tspi_Context_FreeMemory(hContext, NULL);
|
||||
Tspi_Context_CloseObject(hContext, hPcrComposite);
|
||||
|
@ -949,149 +947,34 @@ METHOD(pts_t, quote_tpm, bool,
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Convert from string to byte array (configured PCR values)
|
||||
*/
|
||||
static u_int8_t* pcr_string_to_bytearray(char *str_value)
|
||||
METHOD(pts_t, add_pcr_entry, void,
|
||||
private_pts_t *this, pcr_entry_t *new)
|
||||
{
|
||||
u_int32_t i;
|
||||
u_int8_t *ret;
|
||||
|
||||
if (strlen(str_value) != PCR_LEN * 2)
|
||||
{
|
||||
DBG1(DBG_PTS, "expected PCR value with %d characters, current:%s",
|
||||
PCR_LEN * 2, str_value);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
ret = malloc(PCR_LEN);
|
||||
for (i = 0; i < strlen(str_value)/2; i++)
|
||||
{
|
||||
char c1, c2;
|
||||
u_int8_t d1, d2;
|
||||
|
||||
c1 = str_value[i*2];
|
||||
c2 = str_value[i*2 + 1];
|
||||
|
||||
/**
|
||||
* Convert characters to u_int8_t
|
||||
* code taken from http://www.codeguru.com/forum/showthread.php?t=316299
|
||||
*/
|
||||
|
||||
if (isdigit(c1))
|
||||
{
|
||||
d1 = c1 - '0';
|
||||
}
|
||||
else if (c1 >= 'A' && c1 <= 'F')
|
||||
{
|
||||
d1 = c1 - 'A' + 10;
|
||||
}
|
||||
else if (c1 >= 'a' && c1 <= 'f')
|
||||
{
|
||||
d1 = c1 - 'a' + 10;
|
||||
}
|
||||
|
||||
if (isdigit(c2))
|
||||
{
|
||||
d2 = c2 - '0';
|
||||
}
|
||||
else if (c2 >= 'A' && c2 <= 'F')
|
||||
{
|
||||
d2 = c2 - 'A' + 10;
|
||||
}
|
||||
else if (c2 >= 'a' && c2 <= 'f')
|
||||
{
|
||||
d2 = c2 - 'a' + 10;
|
||||
}
|
||||
/* save value of two characters in one byte */
|
||||
ret[i] = d1*16 + d2;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Build PCR Entries from the configuration
|
||||
*/
|
||||
static bool load_pcr_entries(linked_list_t **output)
|
||||
{
|
||||
linked_list_t *entries;
|
||||
int i, len;
|
||||
|
||||
entries = linked_list_create();
|
||||
for(i = 0; i < MAX_NUM_PCR; i++)
|
||||
{
|
||||
char *string_pcr_value;
|
||||
pcr_entry_t *entry;
|
||||
len = snprintf(NULL, 0, "%s%d", "libimcv.plugins.imv-attestation.pcr", i);
|
||||
|
||||
char var[len + 1];
|
||||
len = snprintf(var, len + 1, "%s%d", "libimcv.plugins.imv-attestation.pcr", i);
|
||||
string_pcr_value = lib->settings->get_str(lib->settings, var, NULL);
|
||||
|
||||
if (string_pcr_value)
|
||||
{
|
||||
u_int8_t *pcr_value;
|
||||
|
||||
entry = malloc_thing(pcr_entry_t);
|
||||
entry->pcr_number = i;
|
||||
|
||||
pcr_value = pcr_string_to_bytearray(string_pcr_value);
|
||||
strcpy(entry->pcr_value, pcr_value);
|
||||
entries->insert_last(entries, entry);
|
||||
free(pcr_value);
|
||||
}
|
||||
}
|
||||
|
||||
if (entries->get_count(entries))
|
||||
{
|
||||
*output = entries;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
DBG1(DBG_PTS, "pcr value(s) not available");
|
||||
DESTROY_IF(entries);
|
||||
*output = NULL;
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
METHOD(pts_t, does_pcr_value_match, bool,
|
||||
private_pts_t *this, chunk_t pcr_after_value)
|
||||
{
|
||||
linked_list_t *entries;
|
||||
enumerator_t *e;
|
||||
pcr_entry_t *pcr_entry;
|
||||
bool match_found = FALSE;
|
||||
pcr_entry_t *entry;
|
||||
|
||||
if (!load_pcr_entries(&entries))
|
||||
if (!this->pcrs)
|
||||
{
|
||||
DBG1(DBG_PTS, "failed to load PCR entries");
|
||||
return FALSE;
|
||||
this->pcrs = linked_list_create();
|
||||
}
|
||||
|
||||
e = entries->create_enumerator(entries);
|
||||
while (e->enumerate(e, &pcr_entry))
|
||||
|
||||
e = this->pcrs->create_enumerator(this->pcrs);
|
||||
while (e->enumerate(e, &entry))
|
||||
{
|
||||
if (strncmp(pcr_entry->pcr_value, pcr_after_value.ptr, PCR_LEN) == 0)
|
||||
if (entry->pcr_number == new->pcr_number)
|
||||
{
|
||||
DBG1(DBG_PTS, "PCR %d value matched with configured value",
|
||||
pcr_entry->pcr_number);
|
||||
match_found = TRUE;
|
||||
DBG4(DBG_PTS, "updating already added PCR%d value",
|
||||
entry->pcr_number);
|
||||
this->pcrs->remove_at(this->pcrs, e);
|
||||
free(entry);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
DESTROY_IF(e);
|
||||
DESTROY_IF(entries);
|
||||
free(pcr_entry);
|
||||
|
||||
if (match_found)
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
DBG1(DBG_PTS, "PCR after value didn't match with any of the configured values");
|
||||
return FALSE;
|
||||
this->pcrs->insert_last(this->pcrs, new);
|
||||
|
||||
/* TODO: Sort pcr entries with pcr index */
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1103,7 +986,7 @@ METHOD(pts_t, does_pcr_value_match, bool,
|
|||
* The first two bytes of the message represent the length
|
||||
* of the bitmask that follows. The bitmask represents the
|
||||
* requested PCRs to be quoted.
|
||||
*
|
||||
*
|
||||
* TPM Main-Part 2 TPM Structures_v1.2 8.1
|
||||
* The bitmask is in big endian order"
|
||||
*
|
||||
|
@ -1119,48 +1002,61 @@ METHOD(pts_t, does_pcr_value_match, bool,
|
|||
* 20 byte SHA1 of TCPA_PCR_COMPOSITE
|
||||
* 20 byte nonce
|
||||
*/
|
||||
static chunk_t calculate_quote_info(private_pts_t *this, linked_list_t *pcr_entries)
|
||||
|
||||
METHOD(pts_t, get_quote_info, bool,
|
||||
private_pts_t *this, chunk_t *out_pcr_composite, chunk_t *out_quote_info)
|
||||
{
|
||||
enumerator_t *e;
|
||||
pcr_entry_t *pcr_entry;
|
||||
chunk_t quote_info, pcr_composite, hash_pcr_composite;
|
||||
chunk_t pcr_composite, hash_pcr_composite, quote_info;
|
||||
u_int32_t pcr_composite_len;
|
||||
bio_writer_t *writer;
|
||||
u_int8_t mask_bytes[PCR_MASK_LEN] = {0,0,0}, i;
|
||||
hasher_t *hasher;
|
||||
|
||||
if (this->pcrs->get_count(this->pcrs) == 0)
|
||||
{
|
||||
DBG1(DBG_PTS, "PCR entries unavailable, unable to construct TPM Quote Info");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
pcr_composite_len = 2 + PCR_MASK_LEN + 4 +
|
||||
pcr_entries->get_count(pcr_entries) * PCR_LEN;
|
||||
|
||||
this->pcrs->get_count(this->pcrs) * PCR_LEN;
|
||||
|
||||
writer = bio_writer_create(pcr_composite_len);
|
||||
/* Lenght of the bist mask field */
|
||||
writer->write_uint16(writer, PCR_MASK_LEN);
|
||||
/* Bit mask indicating selected PCRs */
|
||||
e = pcr_entries->create_enumerator(pcr_entries);
|
||||
e = this->pcrs->create_enumerator(this->pcrs);
|
||||
while (e->enumerate(e, &pcr_entry))
|
||||
{
|
||||
u_int32_t index = pcr_entry->pcr_number;
|
||||
mask_bytes[index / 8] |= (1 << (index % 8));
|
||||
}
|
||||
|
||||
e->destroy(e);
|
||||
|
||||
for (i = 0; i< PCR_MASK_LEN ; i++)
|
||||
{
|
||||
writer->write_uint8(writer, mask_bytes[i]);
|
||||
}
|
||||
|
||||
|
||||
/* Lenght of the pcr entries */
|
||||
writer->write_uint32(writer, pcr_entries->get_count(pcr_entries) * PCR_LEN);
|
||||
writer->write_uint32(writer, this->pcrs->get_count(this->pcrs) * PCR_LEN);
|
||||
/* Actual PCR values */
|
||||
e = pcr_entries->create_enumerator(pcr_entries);
|
||||
e = this->pcrs->create_enumerator(this->pcrs);
|
||||
while (e->enumerate(e, &pcr_entry))
|
||||
{
|
||||
writer->write_data(writer, chunk_create(pcr_entry->pcr_value, PCR_LEN));
|
||||
}
|
||||
free(pcr_entry);
|
||||
e->destroy(e);
|
||||
|
||||
/* PCR Composite structure */
|
||||
pcr_composite = chunk_clone(writer->get_buf(writer));
|
||||
*out_pcr_composite = pcr_composite;
|
||||
DBG4(DBG_PTS, "Calculated PCR Composite: %B", out_pcr_composite);
|
||||
writer->destroy(writer);
|
||||
|
||||
|
||||
writer = bio_writer_create(TPM_QUOTE_INFO_LEN);
|
||||
/* Version number */
|
||||
writer->write_uint8(writer, 1);
|
||||
|
@ -1177,38 +1073,27 @@ static chunk_t calculate_quote_info(private_pts_t *this, linked_list_t *pcr_entr
|
|||
/* SHA1 hash of PCR Composite Structure */
|
||||
hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
|
||||
hasher->allocate_hash(hasher, pcr_composite, &hash_pcr_composite);
|
||||
hasher->destroy(hasher);
|
||||
writer->write_data(writer, hash_pcr_composite);
|
||||
|
||||
/* Secret assessment value 20 bytes (nonce) */
|
||||
writer->write_data(writer, this->secret);
|
||||
|
||||
/* TPM Quote Info */
|
||||
quote_info = chunk_clone(writer->get_buf(writer));
|
||||
DBG3(DBG_PTS, "Calculated TPM Quote Info: %B", "e_info);
|
||||
|
||||
e->destroy(e);
|
||||
writer->destroy(writer);
|
||||
hasher->destroy(hasher);
|
||||
chunk_clear(&pcr_composite);
|
||||
chunk_clear(&hash_pcr_composite);
|
||||
free(pcr_entry);
|
||||
pcr_entries->destroy(pcr_entries);
|
||||
|
||||
return quote_info;
|
||||
}
|
||||
|
||||
METHOD(pts_t, get_quote_info, bool,
|
||||
private_pts_t *this, chunk_t *quote_info)
|
||||
{
|
||||
linked_list_t *entries;
|
||||
|
||||
if (!load_pcr_entries(&entries))
|
||||
if (!this->secret.ptr)
|
||||
{
|
||||
DBG1(DBG_PTS, "failed to load PCR entries");
|
||||
DBG1(DBG_PTS, "Secret assessment value unavailable",
|
||||
"unable to construct TPM Quote Info");
|
||||
chunk_clear(&pcr_composite);
|
||||
chunk_clear(&hash_pcr_composite);
|
||||
writer->destroy(writer);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
*quote_info = calculate_quote_info(this, entries);
|
||||
/* Secret assessment value 20 bytes (nonce) */
|
||||
writer->write_data(writer, this->secret);
|
||||
/* TPM Quote Info */
|
||||
quote_info = chunk_clone(writer->get_buf(writer));
|
||||
*out_quote_info = quote_info;
|
||||
DBG4(DBG_PTS, "Calculated TPM Quote Info: %B", out_quote_info);
|
||||
|
||||
writer->destroy(writer);
|
||||
chunk_clear(&hash_pcr_composite);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
@ -1294,6 +1179,7 @@ METHOD(pts_t, destroy, void,
|
|||
{
|
||||
DESTROY_IF(this->aik);
|
||||
DESTROY_IF(this->dh);
|
||||
DESTROY_IF(this->pcrs);
|
||||
free(this->initiator_nonce.ptr);
|
||||
free(this->responder_nonce.ptr);
|
||||
free(this->secret.ptr);
|
||||
|
@ -1483,7 +1369,7 @@ pts_t *pts_create(bool is_imc)
|
|||
.read_pcr = _read_pcr,
|
||||
.extend_pcr = _extend_pcr,
|
||||
.quote_tpm = _quote_tpm,
|
||||
.does_pcr_value_match = _does_pcr_value_match,
|
||||
.add_pcr_entry = _add_pcr_entry,
|
||||
.get_quote_info = _get_quote_info,
|
||||
.verify_quote_signature = _verify_quote_signature,
|
||||
.destroy = _destroy,
|
||||
|
|
|
@ -274,19 +274,20 @@ struct pts_t {
|
|||
chunk_t *pcr_composite, chunk_t *quote_signature);
|
||||
|
||||
/**
|
||||
* Check PCR after value in Simple Component Evidence matches configured value
|
||||
* Add extended PCR with its corresponding value
|
||||
*
|
||||
* @return FALSE in case of any error or non-match, TRUE otherwise
|
||||
*/
|
||||
bool (*does_pcr_value_match)(pts_t *this, chunk_t pcr_after_value);
|
||||
void (*add_pcr_entry)(pts_t *this, pcr_entry_t *entry);
|
||||
|
||||
/**
|
||||
* Constructs and returns TPM Quote Info structure expected from IMC
|
||||
*
|
||||
* @param digest Output variable to store quote digest
|
||||
*
|
||||
* @param pcr_composite Output variable to store PCR Composite
|
||||
* @param quote_info Output variable to store TPM Quote Info
|
||||
* @return FALSE in case of any error, TRUE otherwise
|
||||
*/
|
||||
bool (*get_quote_info)(pts_t *this, chunk_t *quote_info);
|
||||
bool (*get_quote_info)(pts_t *this, chunk_t *pcr_composite, chunk_t *quote_info);
|
||||
|
||||
/**
|
||||
* Constructs and returns PCR Quote Digest structure expected from IMC
|
||||
|
|
Loading…
Reference in New Issue