author | Yves-Alexis Perez <corsac@debian.org> | 2014-07-11 07:23:31 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2014-07-11 07:23:31 +0200 |
commit | 81c63b0eed39432878f78727f60a1e7499645199 (patch) | |
tree | 82387d8fecd1c20788fd8bd784a9b0bde091fb6b /src/libpts/plugins/imv_attestation | |
parent | c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (diff) | |
download | vyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.tar.gz vyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.zip |
Imported Upstream version 5.2.0
Diffstat (limited to 'src/libpts/plugins/imv_attestation')
-rw-r--r-- | src/libpts/plugins/imv_attestation/Makefile.am | 2 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/Makefile.in | 8 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest.c | 57 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_db.c | 207 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_db.h | 10 | ||||
-rwxr-xr-x | src/libpts/plugins/imv_attestation/build-database.sh | 293 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/imv_attestation_agent.c | 230 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/imv_attestation_build.c | 14 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/imv_attestation_process.c | 93 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/imv_attestation_state.c | 68 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/imv_attestation_state.h | 26 |
11 files changed, 501 insertions, 507 deletions
diff --git a/src/libpts/plugins/imv_attestation/Makefile.am b/src/libpts/plugins/imv_attestation/Makefile.am index 8d18f1404..8dc74fd54 100644 --- a/src/libpts/plugins/imv_attestation/Makefile.am +++ b/src/libpts/plugins/imv_attestation/Makefile.am @@ -6,7 +6,7 @@ AM_CPPFLAGS = \ -DPLUGINS=\""${attest_plugins}\"" AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imv-attestation.la diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in index ff94363bf..b0e3787ae 100644 --- a/src/libpts/plugins/imv_attestation/Makefile.in +++ b/src/libpts/plugins/imv_attestation/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.3 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -275,6 +275,7 @@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ @@ -293,6 +294,7 @@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ @@ -320,6 +322,7 @@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -411,6 +414,7 @@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ 
@@ -429,7 +433,7 @@ AM_CPPFLAGS = \
 -DPLUGINS=\""${attest_plugins}\""
 AM_CFLAGS = \
- -rdynamic
+ $(PLUGIN_CFLAGS)
 imcv_LTLIBRARIES = imv-attestation.la
 imv_attestation_la_LIBADD = \
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index 8f4df39e7..63c0023a7 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -19,8 +19,10 @@
 #include <stdio.h>
 #include <string.h>
 #include <errno.h>
-#include <syslog.h>
 #include <libgen.h>
+#ifdef HAVE_SYSLOG
+# include <syslog.h>
+#endif
 #include <library.h>
 #include <utils/debug.h>
@@ -43,9 +45,6 @@ static bool stderr_quiet = TRUE;
 */
 static void attest_dbg(debug_t group, level_t level, char *fmt, ...)
 {
- int priority = LOG_INFO;
- char buffer[8192];
- char *current = buffer, *next;
 va_list args;
 if (level <= debug_level)
@@ -58,22 +57,30 @@ static void attest_dbg(debug_t group, level_t level, char *fmt, ...)
 va_end(args);
 }
- /* write in memory buffer first */
- va_start(args, fmt);
- vsnprintf(buffer, sizeof(buffer), fmt, args);
- va_end(args);
-
- /* do a syslog with every line */
- while (current)
+#ifdef HAVE_SYSLOG
 {
- next = strchr(current, '\n');
- if (next)
+ int priority = LOG_INFO;
+ char buffer[8192];
+ char *current = buffer, *next;
+
+ /* write in memory buffer first */
+ va_start(args, fmt);
+ vsnprintf(buffer, sizeof(buffer), fmt, args);
+ va_end(args);
+
+ /* do a syslog with every line */
+ while (current)
 {
- *(next++) = '\0';
+ next = strchr(current, '\n');
+ if (next)
+ {
+ *(next++) = '\0';
+ }
+ syslog(priority, "%s\n", current);
+ current = next;
 }
- syslog(priority, "%s\n", current);
- current = next;
 }
+#endif /* HAVE_SYSLOG */
 }
 }
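Review bot: The `#ifdef HAVE_SYSLOG` section in attest_dbg introduces an anonymous `{ ... }` scope only to hold the three locals that used to sit at function top, which pushes the syslog loop four levels deep inside the function. A `static void attest_syslog(const char *fmt, va_list args)` helper under the same `#ifdef`, with the `va_start`/`va_end` pair staying in attest_dbg around the call, would reduce the conditional here to one line and keep the line-splitting logic readable on its own. Not introduced by the move but visible in the relocated code: every line is sent at `LOG_INFO` regardless of `level`, and `vsnprintf` into the 8192-byte `buffer` truncates longer messages silently, so a one-line comment stating both are intentional would help. attest_dbg starts before this hunk.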
@@ -91,7 +98,9 @@ static void cleanup(void)
 attest->destroy(attest);
 libpts_deinit();
 libimcv_deinit();
+#ifdef HAVE_SYSLOG
 closelog();
+#endif
 }
 static void do_args(int argc, char *argv[])
@@ -144,9 +153,9 @@ static void do_args(int argc, char *argv[])
 { "directory", required_argument, NULL, 'D' },
 { "dir", required_argument, NULL, 'D' },
 { "file", required_argument, NULL, 'F' },
- { "sha1-ima", no_argument, NULL, 'I' },
 { "package", required_argument, NULL, 'G' },
 { "key", required_argument, NULL, 'K' },
+ { "measdir", required_argument, NULL, 'M' },
 { "owner", required_argument, NULL, 'O' },
 { "product", required_argument, NULL, 'P' },
 { "relative", no_argument, NULL, 'R' },
@@ -294,9 +303,6 @@ static void do_args(int argc, char *argv[])
 exit(EXIT_FAILURE);
 }
 continue;
- case 'I':
- attest->set_algo(attest, PTS_MEAS_ALGO_SHA1_IMA);
- continue;
 case 'K':
 {
 chunk_t aik;
@@ -308,6 +314,12 @@ static void do_args(int argc, char *argv[])
 }
 continue;
 }
+ case 'M':
+ if (!attest->set_meas_directory(attest, optarg))
+ {
+ exit(EXIT_FAILURE);
+ }
+ continue;
 case 'O':
 attest->set_owner(attest, optarg);
 continue;
@@ -437,7 +449,9 @@ int main(int argc, char *argv[])
 /* enable attest debugging hook */
 dbg = attest_dbg;
+#ifdef HAVE_SYSLOG
 openlog("attest", 0, LOG_DEBUG);
+#endif
 atexit(library_deinit);
@@ -471,4 +485,3 @@ int main(int argc, char *argv[])
 exit(EXIT_SUCCESS);
 }
-
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index 7a8a1135a..d7f45ad29 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -79,6 +79,11 @@ struct private_attest_db_t {
 int fid;
 /**
+ * Directory where file measurement are to be taken
+ */
+ char *meas_dir;
+
+ /**
 * AIK to be queried
 */
 chunk_t key;
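Review bot: The `exit(EXIT_FAILURE)` branch under the new `case 'M'` is unreachable, because `set_meas_directory` as added to attest_db.c in this same commit only trims a trailing slash, `strdup`s the string and returns TRUE unconditionally, so a missing or unreadable measurement directory is only noticed later when measuring starts. Since the option names a directory the tool is about to walk, it is cheaper to fail here: check `stat(optarg, &st) == 0 && S_ISDIR(st.st_mode)` before calling `set_meas_directory` (this needs `<sys/stat.h>`, which I cannot see being included), or at minimum make `set_meas_directory` return FALSE when its `strdup` fails so the branch has a purpose. do_args starts and ends outside this hunk.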
@@ -193,6 +198,21 @@ char* print_cfn(pts_comp_func_name_t *cfn)
 return buf;
 }
+/**
+ * Get the directory separator to append to a path
+ */
+static const char* get_separator(const char *path)
+{
+ if (streq(path, DIRECTORY_SEPARATOR))
+ { /* root directory on Unix file system, no separator */
+ return "";
+ }
+ else
+ { /* non-root or Windows path, use system specific separator */
+ return DIRECTORY_SEPARATOR;
+ }
+}
+
 METHOD(attest_db_t, set_component, bool,
 private_attest_db_t *this, char *comp, bool create)
 {
@@ -309,9 +329,9 @@ METHOD(attest_db_t, set_directory, bool,
 return FALSE;
 }
- /* remove trailing '/' character if not root directory */
+ /* remove trailing '/' or '\' character if not root directory */
 len = strlen(dir);
- if (len > 1 && dir[len-1] == '/')
+ if (len > 1 && dir[len-1] == DIRECTORY_SEPARATOR[0])
 {
 dir[len-1] = '\0';
 }
@@ -385,7 +405,6 @@ METHOD(attest_db_t, set_file, bool,
 private_attest_db_t *this, char *file, bool create)
 {
 int fid;
- char *sep;
 enumerator_t *e;
 if (this->file)
@@ -399,7 +418,6 @@ METHOD(attest_db_t, set_file, bool,
 {
 return TRUE;
 }
- sep = streq(this->dir, "/") ? "" : "/";
 e = this->db->query(this->db, "SELECT id FROM files " "WHERE dir = ? AND name = ?", DB_INT, this->did, DB_TEXT, file, DB_INT);
@@ -418,7 +436,8 @@ METHOD(attest_db_t, set_file, bool,
 if (!create)
 {
- printf("file '%s%s%s' not found in database\n", this->dir, sep, file);
+ printf("file '%s%s%s' not found in database\n",
+ this->dir, get_separator(this->dir), file);
 return FALSE;
 }
@@ -429,8 +448,8 @@ METHOD(attest_db_t, set_file, bool,
 {
 this->fid = fid;
 }
- printf("file '%s%s%s' %sinserted into database\n", this->dir, sep, file,
- this->fid ? "" : "could not be ");
+ printf("file '%s%s%s' %sinserted into database\n", this->dir,
+ get_separator(this->dir), file, this->fid ? "" : "could not be ");
 return this->fid > 0;
 }
@@ -470,6 +489,22 @@ METHOD(attest_db_t, set_fid, bool,
 return this->fid > 0;
 }
+METHOD(attest_db_t, set_meas_directory, bool,
+ private_attest_db_t *this, char *dir)
+{
+ size_t len;
+
+ /* remove trailing '/' character if not root directory */
+ len = strlen(dir);
+ if (len > 1 && dir[len-1] == '/')
+ {
+ dir[len-1] = '\0';
+ }
+ this->meas_dir = strdup(dir);
+
+ return TRUE;
+}
+
 METHOD(attest_db_t, set_key, bool,
 private_attest_db_t *this, chunk_t key, bool create)
 {
@@ -1297,7 +1332,7 @@ METHOD(attest_db_t, list_hashes, void,
 printf("%d %N value%s found for file '%s%s%s'\n", count, pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", this->dir,
- streq(this->dir, "/") ? "" : "/", this->file);
+ get_separator(this->dir), this->file);
 }
 }
 else if (this->file)
@@ -1568,12 +1603,13 @@ METHOD(attest_db_t, list_sessions, void,
 */
 static bool insert_file_hash(private_attest_db_t *this,
 pts_meas_algorithms_t algo,
- chunk_t measurement, int fid, bool ima,
+ chunk_t measurement, int fid,
 int *hashes_added, int *hashes_updated)
 {
 enumerator_t *e;
 chunk_t hash;
 char *label;
+ bool insert = TRUE, update = FALSE;
 label = "could not be created";
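Review bot: `set_meas_directory` compares the trailing character against a literal `'/'`, whereas `set_directory` in this same commit was switched to `DIRECTORY_SEPARATOR[0]`; on a platform with a different separator the measurement directory keeps its trailing separator and `get_separator` then yields a doubled one in the path `add_hash` builds. The line `this->meas_dir = strdup(dir);` also overwrites any earlier value without freeing it (a repeated `--measdir` leaks) and never checks the result, although the function has a bool return that the caller in attest.c tests. Suggested: `if (len > 1 && dir[len-1] == DIRECTORY_SEPARATOR[0])`, a `free(this->meas_dir);` before the `strdup`, and `return this->meas_dir != NULL;` — assuming `meas_dir` starts out NULL in attest_db_create, which the `if (!this->meas_dir)` test in add_hash already relies on.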
@@ -1581,46 +1617,50 @@ static bool insert_file_hash(private_attest_db_t *this,
 "SELECT hash FROM file_hashes WHERE algo = ? " "AND file = ? AND product = ? AND device = 0", DB_INT, algo, DB_UINT, fid, DB_UIN
T, this->pid, DB_BLOB);
+
 if (!e)
 {
 printf("file_hashes query failed\n");
 return FALSE;
 }
- if (e->enumerate(e, &hash))
+
+ while (e->enumerate(e, &hash))
 {
+ update = TRUE;
+
 if (chunk_equals(measurement, hash))
 {
 label = "exists and equals";
- }
- else
- {
- if (this->db->execute(this->db, NULL,
- "UPDATE file_hashes SET hash = ? WHERE algo = ? "
- "AND file = ? AND product = ? and device = 0",
- DB_BLOB, measurement, DB_INT, algo, DB_UINT, fid,
- DB_UINT, this->pid) == 1)
- {
- label = "updated";
- (*hashes_updated)++;
- }
+ insert = FALSE;
+ break;
 }
 }
- else
+ e->destroy(e);
+
+ if (insert)
 {
 if (this->db->execute(this->db, NULL, "INSERT INTO file_hashes " "(file, product, device, algo, hash) " "VALUES (?, ?, 0, ?, ?)", DB_UINT, fid, DB_UINT, this->pid,
- DB_INT, algo, DB_BLOB, measurement) == 1)
+ DB_INT, algo, DB_BLOB, measurement) != 1)
+ {
+ printf("file_hash insertion failed\n");
+ return FALSE;
+ }
+ if (update)
+ {
+ label = "updated";
+ (*hashes_updated)++;
+ }
+ else
 {
 label = "created";
 (*hashes_added)++;
 }
 }
- e->destroy(e);
-
- printf(" %#B - %s%s\n", &measurement, ima ? "ima - " : "", label);
+ printf(" %#B - %s\n", &measurement, label);
 return TRUE;
 }
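Review bot: The `update` path no longer updates anything: the `UPDATE file_hashes ...` statement is gone, so when a different hash is already stored for the same (file, product, algo) the new value is INSERTed next to it and the old row stays, yet the label printed is "updated" and `hashes_updated` is incremented. Unless the consumer of file_hashes deliberately accepts any of several reference values per file, this quietly widens what will be treated as a known-good measurement and keeps hashes of superseded, possibly vulnerable, file versions in the reference database indefinitely. If accumulating is intended, say so above the `if (insert)` block, e.g. `/* earlier hashes for this file are kept; the new one is stored alongside them */`; otherwise delete the stale rows for that (file, product, algo) before the INSERT so the "updated" label stays honest.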
@@ -1629,33 +1669,24 @@ static bool insert_file_hash(private_attest_db_t *this,
 */
 static bool add_hash(private_attest_db_t *this)
 {
- char *pathname, *filename, *sep, *label, *pos;
- char ima_buffer[IMA_MAX_NAME_LEN + 1];
- chunk_t measurement, ima_template;
+ char *pathname, *filename, *label;
+ const char *sep;
 pts_file_meas_t *measurements;
+ chunk_t measurement;
 hasher_t *hasher = NULL;
- bool ima = FALSE;
 int fid, files_added = 0, hashes_added = 0, hashes_updated = 0;
- int len, ima_hashes_added = 0, ima_hashes_updated = 0;
 enumerator_t *enumerator, *e;
- if (this->algo == PTS_MEAS_ALGO_SHA1_IMA)
+ if (!this->meas_dir)
 {
- ima = TRUE;
- this->algo = PTS_MEAS_ALGO_SHA1;
- hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
- if (!hasher)
- {
- printf("could not create hasher\n");
- return FALSE;
- }
+ this->meas_dir = strdup(this->dir);
 }
- sep = streq(this->dir, "/") ? "" : "/";
+ sep = get_separator(this->meas_dir);
 if (this->fid)
 {
 /* build pathname from directory path and relative filename */
- if (asprintf(&pathname, "%s%s%s", this->dir, sep, this->file) == -1)
+ if (asprintf(&pathname, "%s%s%s", this->meas_dir, sep, this->file) == -1)
 {
 return FALSE;
 }
@@ -1665,7 +1696,7 @@ static bool add_hash(private_attest_db_t *this)
 }
 else
 {
- measurements = pts_file_meas_create_from_path(0, this->dir, TRUE,
+ measurements = pts_file_meas_create_from_path(0, this->meas_dir, TRUE,
 TRUE, this->algo);
 }
 if (!measurements)
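Review bot: `hasher_t *hasher = NULL;` survives as a context line although every use of `hasher` — the `create_hasher` call in the removed IMA branch here and the `hasher->destroy(hasher)` in the summary further down — is deleted by this commit, so as far as the visible hunks show it is now a dead local and should be dropped. The fallback `this->meas_dir = strdup(this->dir);` is also unchecked; a NULL would flow straight into `get_separator` and `asprintf` on the next lines, so `if (!this->meas_dir) { return FALSE; }` after it is worth the two lines. add_hash continues past this hunk; its measurement loop is in the next one.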
@@ -1717,59 +1748,18 @@ static bool add_hash(private_attest_db_t *this)
 printf("%4d: %s - %s\n", fid, filename, label);
 /* compute file measurement hash */
- if (!insert_file_hash(this, this->algo, measurement, fid, FALSE,
+ if (!insert_file_hash(this, this->algo, measurement, fid,
 &hashes_added, &hashes_updated))
 {
 break;
 }
- if (!ima)
- {
- continue;
- }
-
- /* compute IMA template hash */
- pos = ima_buffer;
- len = IMA_MAX_NAME_LEN;
- if (!this->relative)
- {
- strncpy(pos, this->dir, len);
- len = max(0, len - strlen(this->dir));
- pos = ima_buffer + IMA_MAX_NAME_LEN - len;
- strncpy(pos, sep, len);
- len = max(0, len - strlen(sep));
- pos = ima_buffer + IMA_MAX_NAME_LEN - len;
- }
- strncpy(pos, filename, len);
- ima_buffer[IMA_MAX_NAME_LEN] = '\0';
- ima_template = chunk_create(ima_buffer, sizeof(ima_buffer));
- if (!hasher->get_hash(hasher, measurement, NULL) ||
- !hasher->get_hash(hasher, ima_template, measurement.ptr))
- {
- printf("could not compute IMA template hash\n");
- break;
- }
- if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement, fid,
- TRUE, &ima_hashes_added, &ima_hashes_updated))
- {
- break;
- }
 }
 enumerator->destroy(enumerator);
- printf("%d measurements, added %d new files, %d file hashes",
- measurements->get_file_count(measurements), files_added,
- hashes_added);
- if (ima)
- {
- printf(", %d ima hashes", ima_hashes_added);
- hasher->destroy(hasher);
- }
- printf(", updated %d file hashes", hashes_updated);
- if (ima)
- {
- printf(", %d ima hashes", ima_hashes_updated);
- }
- printf("\n");
+ printf("%d measurements, added %d new files, %d file hashes, "
+ "updated %d file hashes\n",
+ measurements->get_file_count(measurements),
+ files_added, hashes_added, hashes_updated);
 measurements->destroy(measurements);
 return TRUE;
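Review bot: When `insert_file_hash` fails — and this commit makes it return FALSE after printing "file_hash insertion failed" — the loop only `break`s; the summary line is still printed and the function still ends in `return TRUE;`, so a partially imported directory is reported to `add` as a success. Track the outcome instead: `bool success = TRUE;` among add_hash's locals, `success = FALSE; break;` in place of the bare `break;`, and `return success;` at the end. add_hash begins before this hunk.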
@@ -1780,22 +1770,6 @@ METHOD(attest_db_t, add, bool,
 {
 bool success = FALSE;
- /* add key/component pair */
- if (this->kid && this->cid)
- {
- success = this->db->execute(this->db, NULL,
- "INSERT INTO key_component (key, component, seq_no) "
- "VALUES (?, ?, ?)",
- DB_UINT, this->kid, DB_UINT, this->cid,
- DB_UINT, this->seq_no) == 1;
-
- printf("key/component pair (%d/%d) %sinserted into database at "
- "position %d\n", this->kid, this->cid,
- success ? "" : "could not be ", this->seq_no);
-
- return success;
- }
-
 /* add directory or file hash measurement for a given product */
 if (this->did && this->pid)
 {
@@ -1844,8 +1818,8 @@ METHOD(attest_db_t, delete, bool,
 DB_UINT, this->algo, DB_UINT, this->pid, DB_UINT, this->fid) > 0;
- printf("%4d: %s%s%s\n", this->fid, this->dir,
- streq(this->dir, "/") ? "" : "/", this->file);
+ printf("%4d: %s%s%s\n", this->fid, this->dir, get_separator(this->dir),
+ this->file);
 printf("%N value for product '%s' %sdeleted from database\n", pts_meas_algorithm_names, this->algo, this->product, success ? "" : "could not be ");
@@ -1869,19 +1843,6 @@ METHOD(attest_db_t, delete, bool,
 return success;
 }
- /* delete key/component pair */
- if (this->kid && this->cid)
- {
- success = this->db->execute(this->db, NULL,
- "DELETE FROM key_component "
- "WHERE key = ? AND component = ?",
- DB_UINT, this->kid, DB_UINT, this->cid) > 0;
-
- printf("key/component pair (%d/%d) %sdeleted from database\n",
- this->kid, this->cid, success ? "" : "could not be ");
- return success;
- }
-
 if (this->cid)
 {
 success = this->db->execute(this->db, NULL,
@@ -1900,7 +1861,7 @@ METHOD(attest_db_t, delete, bool,
 DB_UINT, this->fid) > 0;
 printf("file '%s%s%s' %sdeleted from database\n", this->dir,
- streq(this->dir, "/") ? "" : "/", this->file,
+ get_separator(this->dir), this->file,
 success ? "" : "could not be ");
 return success;
 }
@@ -1970,6 +1931,7 @@ METHOD(attest_db_t, destroy, void,
 free(this->version);
 free(this->file);
 free(this->dir);
+ free(this->meas_dir);
 free(this->owner);
 free(this->key.ptr);
 free(this);
@@ -1990,6 +1952,7 @@ attest_db_t *attest_db_create(char *uri)
 .set_did = _set_did,
 .set_file = _set_file,
 .set_fid = _set_fid,
+ .set_meas_directory = _set_meas_directory,
 .set_key = _set_key,
 .set_kid = _set_kid,
 .set_package = _set_package,
diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h
index d0a48d844..07e55cce7 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.h
+++ b/src/libpts/plugins/imv_attestation/attest_db.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -84,6 +84,14 @@ struct attest_db_t {
 bool (*set_fid)(attest_db_t *this, int fid);
 /**
+ * Set path to directory where file[s] are to be measured
+ *
+ * @param meas_dir measurement directory
+ * @return TRUE if successful
+ */
+ bool (*set_meas_directory)(attest_db_t *this, char *dir);
+
+ /**
 * Set functional component to be queried
 *
 * @param key AIK
diff --git a/src/libpts/plugins/imv_attestation/build-database.sh b/src/libpts/plugins/imv_attestation/build-database.sh
index be1024de0..f16b5d152 100755
--- a/src/libpts/plugins/imv_attestation/build-database.sh
+++ b/src/libpts/plugins/imv_attestation/build-database.sh
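Review bot: The new `set_meas_directory` doc block names the parameter `meas_dir` while the declaration calls it `dir`, and it tells callers neither what happens to the string nor what the default is. Suggest `@param dir  measurement directory; a trailing separator is stripped in place` plus a sentence such as `If never set, the directory given to set_directory() is measured` (which is the fallback add_hash implements in attest_db.c). `@return TRUE if successful` also promises more than the current implementation delivers, since it never returns FALSE.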
@@ -1,221 +1,84 @@
 #!/bin/sh
-p="Ubuntu 12.04 i686"
+p="Ubuntu 14.04 x86_64"
+a="x86_64-linux-gnu"
+k="3.13.0-30-generic"
-ipsec attest --add --product "$p" --sha1-ima --dir /sbin
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/sbin
-ipsec attest --add --product "$p" --sha1-ima --dir /bin
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/bin
-ipsec attest --add --product "$p" --sha1-ima --dir /etc/acpi
-ipsec attest --add --product "$p" --sha1-ima --file /etc/init.d/rc
-ipsec attest --add --product "$p" --sha1-ima --file /etc/init.d/rcS
-ipsec attest --add --product "$p" --sha1-ima --dir /etc/network/if-post-down.d
-ipsec attest --add --product "$p" --sha1-ima --dir /etc/network/if-pre-up.d
-ipsec attest --add --product "$p" --sha1-ima --dir /etc/network/if-up.d
-ipsec attest --add --product "$p" --sha1-ima --file /etc/NetworkManager/dispatcher.d/01ifupdown
-ipsec attest --add --product "$p" --sha1-ima --dir /etc/ppp/ip-down.d
-ipsec attest --add --product "$p" --sha1-ima --dir /etc/rc2.d
-ipsec attest --add --product "$p" --sha1-ima --dir /etc/rcS.d
-ipsec attest --add --product "$p" --sha1-ima --file /etc/rc.local
-ipsec attest --add --product "$p" --sha1-ima --dir /etc/resolvconf/update.d
-ipsec attest --add --product "$p" --sha1-ima --file /etc/resolvconf/update-libc.d/avahi-daemon
-ipsec attest --add --product "$p" --sha1-ima --dir /etc/update-motd.d
-ipsec attest --add --product "$p" --sha1-ima --file /lib/crda/setregdomain
-ipsec attest --add --product "$p" --sha1-ima --file /lib/init/apparmor-profile-load
-ipsec attest --add --product "$p" --sha1-ima --file /lib/resolvconf/list-records
-ipsec attest --add --product "$p" --sha1-ima --dir /lib/udev
-ipsec attest --add --product "$p" --sha1-ima --file /lib/ufw/ufw-init
-ipsec attest --add --product "$p" --sha1-ima --file /opt/Adobe/Reader9/Reader/intellinux/bin/acroread
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/accountsservice/accounts-daemon
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/apt/methods
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/at-spi2-core
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/avahi/avahi-daemon-check-dns.sh
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/bamf/bamfdaemon
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ConsoleKit
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ConsoleKit/run-seat.d
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ConsoleKit/run-session.d
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/cups/notifier
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/dconf/dconf-service
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/deja-dup/deja-dup/deja-dup-monitor
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/evolution/3.2/evolution-alarm-notify
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/firefox/firefox
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/firefox/plugin-container
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gcc/i686-linux-gnu/4.6/cc1
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gcc/i686-linux-gnu/4.6/collect2
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/geoclue/geoclue-master
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/git-core
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-desktop3/check_gl_texture_size
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-disk-utility/gdu-notification-daemon
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-online-accounts/goa-daemon
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/gnome-settings-daemon
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-user-share/gnome-user-share
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-screensaver/gnome-screensaver-dialog
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/gvfs
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gvfs//gvfs-fuse-daemon
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/i386-linux-gnu/colord/colord
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/i386-linux-gnu/gconf
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-application/indicator-application-service
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-appmenu/hud-service
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-datetime/indicator-datetime-service
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-messages/indicator-messages-service
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-printers/indicator-printers-service
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-session/indicator-session-service
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-sound/indicator-sound-service
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/lightdm
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/NetworkManager/nm-dhcp-client.action
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/NetworkManager/nm-dispatcher.action
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/notify-osd/notify-osd
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/nux/unity_support_test
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/pm-utils/power.d
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/pm-utils/sleep.d
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/policykit-1/polkitd
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/pulseaudio/pulse/gconf-helper
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/rtkit/rtkit-daemon
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/system-service/system-service-d
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/telepathy/mission-control-5
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/thunderbird/thunderbird
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ubuntuone-client
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/ubuntu-geoip/ubuntu-geoip-provider
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ubuntu-sso-client
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/udisks
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity/unity-panel-service
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-applications/unity-applications-daemon
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-files/unity-files-daemon
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/unity-lens-music
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-video/unity-lens-video
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-scope-video-remote/unity-scope-video-remote
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/update-manager/release-upgrade-motd
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/update-notifier
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/upower/upowerd
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/libvte-2.90-9/gnome-pty-helper
-ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/zeitgeist/zeitgeist-fts
-ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport
-ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport-checkreports
-ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport-gtk
-ipsec attest --add --product "$p" --sha1-ima --dir /usr/share/language-tools
-ipsec attest --add --product "$p" --sha1-ima --file /usr/share/virtualbox/VBoxCreateUSBNode.sh
-ipsec attest --add --product "$p" --sha1-ima --relative --file /etc/ld.so.cache
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/i386-linux-gnu
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/i386-linux-gnu/security
-for file in `find /lib/modules/3.2.21ima/kernel -name *.ko`
+for hash in sha1 sha256
 do
-ipsec attest --add --product "$p" --sha1-ima --relative --file $file
-done
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/plymouth
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/plymouth/renderers
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/security
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /opt/Adobe/Reader9/Reader/intellinux/lib
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/apache2/modules
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/compiz
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/compizconfig/backends/
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/enchant
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libemiscwidgets.so.0.0.0
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libeutil.so.0.0.0
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libgnomecanvas.so.0.0.0
-for file in /usr/lib/firefox/*.so
-do
-ipsec attest --add --product "$p" --sha1-ima --relative --file $file
-done
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libbrowsercomps.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libdbusservice.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libmozgnome.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox-addons/extensions/globalmenu@ubuntu.com/components/libglobalmenu.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox-addons/plugins/nppdf.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/flashplugin-installer/libflashplayer.so
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gedit/plugins
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gnome-bluetooth
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gnome-settings-daemon-3.0
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gtk-2.0/2.10.0/menuproxies
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gtk-3.0/3.0.0/menuproxies
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gtk-3.0/3.0.0/theming-engines
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/alsa-lib
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/dri
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gconf/2
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gconv
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gio/modules
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-2.0/modules
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-2.0/2.10.0/engines
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-2.0/2.10.0/immodules
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-3.0/modules
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-3.0/3.0.0/immodules
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gvfs
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/libcanberra-0.28
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/mesa
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/mit-krb5
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/pango/1.6.0/modules
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/pkcs11
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/polkit-1/extensions
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/nss
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/sane
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/sse2
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/indicators3/7
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/indicator-messages/status-providers/1
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/libpeas-1.0/loaders
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/man-db/libman-2.6.1.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/man-db/libmandb-2.6.1.so
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/mission-control-plugins.0
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/ModemManager
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/nautilus/extensions-3.0
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/NetworkManager/libnm-settings-plugin-ifupdown.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/perl/5.14.2/auto/File/Glob/Glob.so
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/pulse-1.1/modules
-ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/python2.7/lib-dynload
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/apt_inst.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/apt_pkg.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/cairo/_cairo.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/dbus/mainloop/qt.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/_dbus_bindings.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/_dbus_glib_bindings.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/duplicity/_librsync.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_gi.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_gobject/_gobject.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_glib/_glib.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/glib/_glib.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gobject/_gobject.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/atk.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gtk/_gtk.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gio/_gio.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gio/unix.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pango.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pangocairo.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pynotify/_pynotify.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/crypto.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/rand.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/SSL.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/PyQt4/QtCore.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/simplejson/_speedups.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/sip.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/twisted/internet/_sigchld.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/twisted/python/_initgroups.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/xapian/_xapian.so
-ipsec attest --add --product "$p" --sha1-ima --relative --file
/usr/lib/python2.7/dist-packages/zope/interface/_zope_interface_coptimizations.so -ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/rsyslog -ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/sane -ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/sse2 -ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/sudo -for file in /usr/lib/thunderbird/*.so -do -ipsec attest --add --product "$p" --sha1-ima --relative --file $file + ipsec attest --add --product "$p" --$hash --dir /sbin + ipsec attest --add --product "$p" --$hash --dir /usr/sbin + ipsec attest --add --product "$p" --$hash --dir /bin + ipsec attest --add --product "$p" --$hash --dir /usr/bin + + ipsec attest --add --product "$p" --$hash --file /etc/init.d/rc + ipsec attest --add --product "$p" --$hash --file /etc/init.d/rcS + ipsec attest --add --product "$p" --$hash --dir /etc/network/if-pre-up.d + ipsec attest --add --product "$p" --$hash --dir /etc/network/if-up.d + ipsec attest --add --product "$p" --$hash --dir /etc/ppp/ip-down.d + ipsec attest --add --product "$p" --$hash --dir /etc/rcS.d + ipsec attest --add --product "$p" --$hash --dir /etc/rc2.d + ipsec attest --add --product "$p" --$hash --file /etc/rc.local + ipsec attest --add --product "$p" --$hash --dir /etc/resolvconf/update.d + ipsec attest --add --product "$p" --$hash --file /etc/resolvconf/update-libc.d/avahi-daemon + ipsec attest --add --product "$p" --$hash --dir /etc/update-motd.d + + ipsec attest --add --product "$p" --$hash --dir /lib + ipsec attest --add --product "$p" --$hash --file /lib/crda/setregdomain + ipsec attest --add --product "$p" --$hash --dir /lib/ebtables + ipsec attest --add --product "$p" --$hash --file /lib/init/apparmor-profile-load + ipsec attest --add --product "$p" --$hash --file /lib/resolvconf/list-records + ipsec attest --add --product "$p" --$hash --dir /lib/ufw + ipsec attest --add --product "$p" --$hash --dir /lib/udev + ipsec 
attest --add --product "$p" --$hash --dir /lib/systemd + ipsec attest --add --product "$p" --$hash --dir /lib/xtables + ipsec attest --add --product "$p" --$hash --dir /lib/$a + ipsec attest --add --product "$p" --$hash --dir /lib/$a/plymouth + ipsec attest --add --product "$p" --$hash --dir /lib/$a/plymouth/renderers + ipsec attest --add --product "$p" --$hash --dir /lib/$a/security + + ipsec attest --add --product "$p" --$hash --file /lib64/ld-linux-x86-64.so.2 + + for file in `find /usr/lib -name *.so` + do + ipsec attest --add --product "$p" --$hash --file $file + done + + for file in `find /usr/lib -name *service` + do + ipsec attest --add --product "$p" --$hash --file $file + done + + ipsec attest --add --product "$p" --$hash --dir /usr/lib + ipsec attest --add --product "$p" --$hash --dir /usr/lib/accountsservice + ipsec attest --add --product "$p" --$hash --dir /usr/lib/at-spi2-core + ipsec attest --add --product "$p" --$hash --file /usr/lib/avahi/avahi-daemon-check-dns.sh + ipsec attest --add --product "$p" --$hash --file /usr/lib/dbus-1.0/dbus-daemon-launch-helper + ipsec attest --add --product "$p" --$hash --dir /usr/lib/gvfs + ipsec attest --add --product "$p" --$hash --file /usr/lib/firefox/firefox + ipsec attest --add --product "$p" --$hash --dir /usr/lib/NetworkManager + ipsec attest --add --product "$p" --$hash --dir /usr/lib/pm-utils/power.d + ipsec attest --add --product "$p" --$hash --file /usr/lib/policykit-1/polkitd + ipsec attest --add --product "$p" --$hash --file /usr/lib/thunderbird/thunderbird + ipsec attest --add --product "$p" --$hash --dir /usr/lib/ubuntu-release-upgrader + ipsec attest --add --product "$p" --$hash --dir /usr/lib/update-notifier + + ipsec attest --add --product "$p" --$hash --dir /usr/lib/$a + ipsec attest --add --product "$p" --$hash --file /usr/lib/$a/mesa/libGL.so.1.2.0 + ipsec attest --add --product "$p" --$hash --dir /usr/lib/$a/samba + ipsec attest --add --product "$p" --$hash --dir /usr/lib/$a/sasl2 + + ipsec 
attest --add --product "$p" --$hash --dir /usr/share/language-tools + + ipsec attest --add --product "$p" --$hash --file /init \ + --measdir /usr/share/initramfs-tools + + ipsec attest --add --product "$p" --$hash --file /scripts/functions \ + --measdir /usr/share/initramfs-tools/scripts + + for file in `find /lib/modules/$k -name *.ko` + do + ipsec attest --add --product "$p" --$hash --file $file + done done -ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird/components/libdbusservice.so -ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird/components/libmozgnome.so -ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird-addons/extensions/globalmenu@ubuntu.com/components/libglobalmenu.so -ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules -ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules/drivers -ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules/extensions -ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules/input -ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/share/fonts/truetype/ubuntu-font-family -ipsec attest --del --product "$p" --sha1 --file /lib/resolvconf/list-records -ipsec attest --del --product "$p" --sha1-ima --file /lib/resolvconf/list-records -ipsec attest --del --product "$p" --sha1 --file /usr/bin/lsb_release -ipsec attest --del --product "$p" --sha1-ima --file /usr/bin/lsb_release -ipsec attest --del --product "$p" --sha1 --file /usr/share/language-tools/language-options -ipsec attest --del --product "$p" --sha1-ima --file /usr/share/language-tools/language-options diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c index ae2660bae..fcfee31c1 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c 
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2011-2012 Sansar Choinyambuu - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -25,11 +25,15 @@ #include <imcv.h> #include <imv/imv_agent.h> #include <imv/imv_msg.h> +#include <imv/imv_session.h> +#include <imv/imv_os_info.h> #include <ietf/ietf_attr.h> #include <ietf/ietf_attr_attr_request.h> #include <ietf/ietf_attr_pa_tnc_error.h> #include <ietf/ietf_attr_product_info.h> #include <ietf/ietf_attr_string_version.h> +#include <ita/ita_attr.h> +#include <ita/ita_attr_device_id.h> #include <libpts.h> @@ -111,7 +115,9 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result, private_imv_attestation_agent_t *this, TNC_ConnectionID id, TNC_ConnectionState new_state) { + TNC_IMV_Action_Recommendation rec; imv_state_t *state; + imv_session_t *session; switch (new_state) { 
@@ -120,6 +126,35 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result, return this->agent->create_state(this->agent, state); case TNC_CONNECTION_STATE_DELETE: return this->agent->delete_state(this->agent, id); + case TNC_CONNECTION_STATE_ACCESS_ALLOWED: + case TNC_CONNECTION_STATE_ACCESS_ISOLATED: + case TNC_CONNECTION_STATE_ACCESS_NONE: + if (this->agent->get_state(this->agent, id, &state) && imcv_db) + { + session = state->get_session(state); + + if (session->get_policy_started(session)) + { + switch (new_state) + { + case TNC_CONNECTION_STATE_ACCESS_ALLOWED: + rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW; + break; + case TNC_CONNECTION_STATE_ACCESS_ISOLATED: + rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE; + break; + case TNC_CONNECTION_STATE_ACCESS_NONE: + default: + rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS; + } + imcv_db->add_recommendation(imcv_db, session, rec); + if (!imcv_db->policy_script(imcv_db, session, FALSE)) + { + DBG1(DBG_IMV, "error in policy script stop"); + } + } + } + /* fall through to default state */ default: return this->agent->change_state(this->agent, id, new_state, NULL); } @@ -131,15 +166,14 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result, static TNC_Result receive_msg(private_imv_attestation_agent_t *this, imv_state_t *state, imv_msg_t *in_msg) { - imv_attestation_state_t *attestation_state; imv_msg_t *out_msg; + imv_session_t *session; + imv_os_info_t *os_info; enumerator_t *enumerator; pa_tnc_attr_t *attr; pen_type_t type; TNC_Result result; - pts_t *pts; - chunk_t os_name = chunk_empty; - chunk_t os_version = chunk_empty; + chunk_t os_name, os_version; bool fatal_error = FALSE; /* parse received PA-TNC message and handle local and remote errors */ 
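Review bot: `session = state->get_session(state);` is dereferenced on the very next line with no NULL check, while the enclosing guard only tests `imcv_db`; if a state can exist before a session is attached (the `session &&` guards this commit removes in the hunks at +719 and +761 suggest the old code allowed that), an access-state change would dereference NULL. A guard of `if (session && session->get_policy_started(session))` keeps the stop path safe; the same assumption recurs in the hunks at +183 and +410. A `policy_script` failure is only logged, so the recommendation already stored by `add_recommendation` stands even when the stop script fails, which deserves a one-line comment if that is intended.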
@@ -149,8 +183,8 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this, return result; } - attestation_state = (imv_attestation_state_t*)state; - pts = attestation_state->get_pts(attestation_state); + session = state->get_session(state); + os_info = session->get_os_info(session); out_msg = imv_msg_create_as_reply(in_msg); out_msg->set_msg_type(out_msg, msg_types[0]); @@ -188,17 +222,64 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this, case IETF_ATTR_PRODUCT_INFORMATION: { ietf_attr_product_info_t *attr_cast; + pen_t vendor_id; + state->set_action_flags(state, + IMV_ATTESTATION_ATTR_PRODUCT_INFO); attr_cast = (ietf_attr_product_info_t*)attr; - os_name = attr_cast->get_info(attr_cast, NULL, NULL); + os_name = attr_cast->get_info(attr_cast, &vendor_id, NULL); + os_info->set_name(os_info, os_name); + + if (vendor_id != PEN_IETF) + { + DBG1(DBG_IMV, "operating system name is '%.*s' " + "from vendor %N", os_name.len, os_name.ptr, + pen_names, vendor_id); + } + else + { + DBG1(DBG_IMV, "operating system name is '%.*s'", + os_name.len, os_name.ptr); + } + break; + break; } case IETF_ATTR_STRING_VERSION: { ietf_attr_string_version_t *attr_cast; + state->set_action_flags(state, + IMV_ATTESTATION_ATTR_STRING_VERSION); attr_cast = (ietf_attr_string_version_t*)attr; os_version = attr_cast->get_version(attr_cast, NULL, NULL); + os_info->set_version(os_info, os_version); + + if (os_version.len) + { + DBG1(DBG_IMV, "operating system version is '%.*s'", + os_version.len, os_version.ptr); + } + break; + } + default: + break; + } + } + else if (type.vendor_id == PEN_ITA) + { + switch (type.type) + { + case ITA_ATTR_DEVICE_ID: + { + chunk_t value; + + state->set_action_flags(state, + IMV_ATTESTATION_ATTR_DEVICE_ID); + + value = attr->get_value(attr); + DBG1(DBG_IMV, "device ID is %.*s", value.len, value.ptr); + session->set_device_id(session, value); break; } default: 
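Review bot: The IETF_ATTR_PRODUCT_INFORMATION case ends with `break; break;` — the second statement is unreachable and should be dropped. The `%.*s` precision argument in the new DBG1 calls takes an int; if chunk_t's `len` is a size_t, pass `(int)os_name.len`, `(int)os_version.len` and `(int)value.len` so the vararg type matches the conversion. receive_msg's body continues outside the hunk.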
@@ -218,15 +299,6 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this, } enumerator->destroy(enumerator); - /** - * The IETF Product Information and String Version attributes - * are supposed to arrive in the same PA-TNC message - */ - if (os_name.len && os_version.len) - { - pts->set_platform_info(pts, os_name, os_version); - } - if (fatal_error || result != TNC_RESULT_SUCCESS) { state->set_recommendation(state, @@ -288,6 +360,31 @@ METHOD(imv_agent_if_t, receive_message_long, TNC_Result, return result; } +/** + * Build an IETF Attribute Request attribute for missing attributes + */ +static pa_tnc_attr_t* build_attr_request(uint32_t received) +{ + pa_tnc_attr_t *attr; + ietf_attr_attr_request_t *attr_cast; + + attr = ietf_attr_attr_request_create(PEN_RESERVED, 0); + attr_cast = (ietf_attr_attr_request_t*)attr; + + if (!(received & IMV_ATTESTATION_ATTR_PRODUCT_INFO) || + !(received & IMV_ATTESTATION_ATTR_STRING_VERSION)) + { + attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION); + attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION); + } + if (!(received & IMV_ATTESTATION_ATTR_DEVICE_ID)) + { + attr_cast->add(attr_cast, PEN_ITA, ITA_ATTR_DEVICE_ID); + } + + return attr; +} + METHOD(imv_agent_if_t, batch_ending, TNC_Result, private_imv_attestation_agent_t *this, TNC_ConnectionID id) { @@ -302,7 +399,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, TNC_IMVID imv_id; TNC_Result result = TNC_RESULT_SUCCESS; pts_t *pts; - char *platform_info; + int pid; + uint32_t actions; enumerator_t *enumerator; if (!this->agent->get_state(this->agent, id, &state)) 
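Review bot: build_attr_request's header comment does not say what `received` holds or why both IETF attributes are re-requested when only one of them is missing; the comment that justified that pairing (product information and string version are expected in the same PA-TNC message) is deleted in the hunk at +299. Suggest `@param received IMV_ATTESTATION_ATTR_* flags of attributes already received` in the header and `/* product info and string version are expected together, so re-request both */` above the first `if`.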
@@ -312,40 +410,59 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, attestation_state = (imv_attestation_state_t*)state; pts = attestation_state->get_pts(attestation_state); handshake_state = attestation_state->get_handshake_state(attestation_state); - platform_info = pts->get_platform_info(pts); + actions = state->get_action_flags(state); session = state->get_session(state); imv_id = this->agent->get_id(this->agent); /* exit if a recommendation has already been provided */ - if (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_REC) + if (actions & IMV_ATTESTATION_REC) { return TNC_RESULT_SUCCESS; } /* send an IETF attribute request if no platform info was received */ - if (!platform_info && - !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ATTR_REQ)) + if (!(actions & IMV_ATTESTATION_ATTR_REQ)) { - pa_tnc_attr_t *attr; - ietf_attr_attr_request_t *attr_cast; - imv_msg_t *os_msg; + if ((actions & IMV_ATTESTATION_ATTR_MUST) != IMV_ATTESTATION_ATTR_MUST) + { + imv_msg_t *os_msg; - attr = ietf_attr_attr_request_create(PEN_IETF, - IETF_ATTR_PRODUCT_INFORMATION); - attr_cast = (ietf_attr_attr_request_t*)attr; - attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION); + /* create attribute request for missing mandatory attributes */ + os_msg = imv_msg_create(this->agent, state, id, imv_id, + TNC_IMCID_ANY, msg_types[1]); + os_msg->add_attribute(os_msg, build_attr_request(actions)); + result = os_msg->send(os_msg, FALSE); + os_msg->destroy(os_msg); - os_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY, - msg_types[1]); - os_msg->add_attribute(os_msg, attr); - result = os_msg->send(os_msg, FALSE); - os_msg->destroy(os_msg); + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + } + state->set_action_flags(state, IMV_ATTESTATION_ATTR_REQ); + } - if (result != TNC_RESULT_SUCCESS) + if (!session->get_policy_started(session) && + (actions & IMV_ATTESTATION_ATTR_PRODUCT_INFO) && + (actions & IMV_ATTESTATION_ATTR_STRING_VERSION) && 
+ (actions & IMV_ATTESTATION_ATTR_DEVICE_ID)) + { + if (imcv_db) { - return result; + /* start the policy script */ + if (!imcv_db->policy_script(imcv_db, session, TRUE)) + { + DBG1(DBG_IMV, "error in policy script start"); + } + } + else + { + DBG2(DBG_IMV, "no workitems available - no evaluation possible"); + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_ALLOW, + TNC_IMV_EVALUATION_RESULT_DONT_KNOW); + session->set_policy_started(session, TRUE); } - state->set_action_flags(state, IMV_ATTESTATION_FLAG_ATTR_REQ); } if (handshake_state == IMV_ATTESTATION_STATE_INIT) @@ -378,22 +495,24 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, } /* exit if we are not ready yet for PTS measurements */ - if (!platform_info || !session || - !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO)) + if (!(actions & IMV_ATTESTATION_ALGO)) { return TNC_RESULT_SUCCESS; } + session->get_session_id(session, &pid, NULL); + pts->set_platform_id(pts, pid); + /* create an empty out message - we might need it */ out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY, msg_types[0]); /* establish the PTS measurements to be taken */ - if (!(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS)) + if (!(actions & IMV_ATTESTATION_FILE_MEAS)) { bool is_dir, no_workitems = TRUE; - u_int32_t delimiter = SOLIDUS_UTF; - u_int16_t request_id; + uint32_t delimiter = SOLIDUS_UTF; + uint16_t request_id; pa_tnc_attr_t *attr; char *pathname; @@ -555,7 +674,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, enumerator->destroy(enumerator); /* sent all file and directory measurement and metadata requests */ - state->set_action_flags(state, IMV_ATTESTATION_FLAG_FILE_MEAS); + state->set_action_flags(state, IMV_ATTESTATION_FILE_MEAS); if (no_workitems) { 
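Review bot: With `imcv_db` unset, the new `else` branch records `TNC_IMV_ACTION_RECOMMENDATION_ALLOW` with DONT_KNOW before any PTS measurement has been requested, so an attestation IMV without a database is fail-open. If that is the intended behaviour it deserves a comment at the branch, e.g. `/* no database configured: deliberately fail open with DONT_KNOW */`; otherwise ISOLATE with DONT_KNOW is the more conservative default until measurements are available. batch_ending starts and ends outside the hunk.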
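Review bot: The readiness check in the hunk at +495 now tests only `IMV_ATTESTATION_ALGO`, dropping the old `!platform_info || !session` guard, and then reads the platform id with `session->get_session_id(session, &pid, NULL)`; if `pid` can still be unset at that point (policy not started because product info or device ID is missing, per the hunk at +410), `pts->set_platform_id` stores it and the measurement requests that follow run against it. Returning TNC_RESULT_SUCCESS when `!session->get_policy_started(session)` before the session-id read would restore the old ordering. The function continues outside the hunk.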
@@ -600,14 +719,14 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, enumerator->destroy(enumerator); /* finalized all workitems? */ - if (session && session->get_policy_started(session) && + if (session->get_policy_started(session) && session->get_workitem_count(session, imv_id) == 0 && attestation_state->get_handshake_state(attestation_state) == IMV_ATTESTATION_STATE_END) { result = out_msg->send_assessment(out_msg); out_msg->destroy(out_msg); - state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC); + state->set_action_flags(state, IMV_ATTESTATION_REC); if (result != TNC_RESULT_SUCCESS) { @@ -642,14 +761,16 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result, session = state->get_session(state); imv_id = this->agent->get_id(this->agent); - if (session) + if (imcv_db) { TNC_IMV_Evaluation_Result eval; TNC_IMV_Action_Recommendation rec; imv_workitem_t *workitem; enumerator_t *enumerator; - char *result_str; int pending_file_meas = 0; + char *result_str; + chunk_t result_buf; + bio_writer_t *result; enumerator = session->create_workitem_enumerator(session); if (enumerator) 
@@ -660,20 +781,28 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result, { continue; } + result = bio_writer_create(128); + switch (workitem->get_type(workitem)) { case IMV_WORKITEM_FILE_REF_MEAS: case IMV_WORKITEM_FILE_MEAS: case IMV_WORKITEM_DIR_REF_MEAS: case IMV_WORKITEM_DIR_MEAS: - result_str = "Pending file measurements"; + result_str = "pending file measurements"; pending_file_meas++; break; case IMV_WORKITEM_TPM_ATTEST: - attestation_state->finalize_components(attestation_state); - result_str = "Pending component evidence"; + attestation_state->finalize_components(attestation_state, + result); + result->write_data(result, + chunk_from_str("; pending component evidence")); + result->write_uint8(result, '\0'); + result_buf = result->get_buf(result); + result_str = result_buf.ptr; break; default: + result->destroy(result); continue; } session->remove_workitem(session, enumerator); @@ -682,6 +811,7 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result, state->update_recommendation(state, rec, eval); imcv_db->finalize_workitem(imcv_db, workitem); workitem->destroy(workitem); + result->destroy(result); } enumerator->destroy(enumerator); diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c index 84023c6c6..120fe3eaa 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c @@ -62,6 +62,11 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state, pts_meas_algorithms_t selected_algorithm; chunk_t initiator_value, initiator_nonce; + if (!(state->get_action_flags(state) & IMV_ATTESTATION_DH_NONCE)) + { + break; + } + /* Send DH nonce finish attribute */ selected_algorithm = pts->get_meas_algorithm(pts); pts->get_my_public_value(pts, &initiator_value, &initiator_nonce); 
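Review bot: In the IMV_WORKITEM_TPM_ATTEST case `result_str` aliases the bio_writer's buffer (`result_buf.ptr`), and the writer is destroyed only after `workitem->destroy` in the hunk at +811; that is safe only if `workitem->set_result` (outside the hunk) copies the string rather than keeping the pointer. A comment at the assignment, `/* points into result's buffer until result->destroy(); set_result must copy */`, records the dependency. The writer is also created for every workitem although only the TPM_ATTEST case writes to it; creating it inside that case would avoid the allocation and the extra `destroy` in `default:`.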
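Review bot: The added early `break` in imv_attestation_build has no comment, so a reader has to find the hunk at +142 of imv_attestation_process.c to learn that IMV_ATTESTATION_DH_NONCE is set when the DH nonce parameters response arrives. Suggest `/* the DH nonce finish attribute needs the peer's nonce params response first */` above the `if`. imv_attestation_build starts and ends outside the hunk.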
@@ -89,17 +94,14 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state, tcg_pts_attr_req_func_comp_evid_t *attr_cast; enumerator_t *enumerator; pts_comp_func_name_t *name; - chunk_t keyid; - int kid; - u_int8_t flags; - u_int32_t depth; + uint8_t flags; + uint32_t depth; bool first_component = TRUE; attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_END); - if (!pts->get_aik_keyid(pts, &keyid) || - pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS) + if (!pts->get_aik_id(pts)) { attestation_state->set_measurement_error(attestation_state, IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK); diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c index e40c92a24..26a57d15c 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c @@ -46,10 +46,12 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, pts_database_t *pts_db, credential_manager_t *pts_credmgr) { + imv_session_t *session; imv_attestation_state_t *attestation_state; pen_type_t attr_type; pts_t *pts; + session = state->get_session(state); attestation_state = (imv_attestation_state_t*)state; pts = attestation_state->get_pts(attestation_state); attr_type = attr->get_type(attr); @@ -80,7 +82,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, return FALSE; } pts->set_meas_algorithm(pts, selected_algorithm); - state->set_action_flags(state, IMV_ATTESTATION_FLAG_ALGO); + state->set_action_flags(state, IMV_ATTESTATION_ALGO); break; } case TCG_PTS_DH_NONCE_PARAMS_RESP: @@ -140,6 +142,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, { return FALSE; } + state->set_action_flags(state, IMV_ATTESTATION_DH_NONCE); break; } case TCG_PTS_TPM_VERSION_INFO: 
@@ -157,9 +160,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, tcg_pts_attr_aik_t *attr_cast; certificate_t *aik, *issuer; public_key_t *public; - chunk_t keyid; + chunk_t keyid, keyid_hex, device_id; + int aik_id; enumerator_t *e; - bool trusted = FALSE; + bool trusted = FALSE, trusted_chain = FALSE; attr_cast = (tcg_pts_attr_aik_t*)attr; aik = attr_cast->get_aik(attr_cast); @@ -170,12 +174,27 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK); break; } + + /* check trust into public key as stored in the database */ + public = aik->get_public_key(aik); + public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid); + DBG1(DBG_IMV, "verifying AIK with keyid %#B", &keyid); + keyid_hex = chunk_to_hex(keyid, NULL, FALSE); + if (session->get_device_id(session, &device_id) && + chunk_equals(keyid_hex, device_id)) + { + trusted = session->get_device_trust(session); + } + else + { + DBG1(DBG_IMV, "device ID unknown or different from AIK keyid"); + } + DBG1(DBG_IMV, "AIK public key is %strusted", trusted ? "" : "not "); + public->destroy(public); + chunk_free(&keyid_hex); + if (aik->get_type(aik) == CERT_X509) { - public = aik->get_public_key(aik); - public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid); - DBG1(DBG_IMV, "verifying AIK certificate with keyid %#B", &keyid); - public->destroy(public); e = pts_credmgr->create_trusted_enumerator(pts_credmgr, KEY_ANY, aik->get_issuer(aik), FALSE); 
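Review bot: `chunk_equals(keyid_hex, device_id)` is a byte-exact comparison against the output of `chunk_to_hex(keyid, NULL, FALSE)`, so the device ID the peer supplies (ITA_ATTR_DEVICE_ID, stored via `session->set_device_id` in imv_attestation_agent.c) must be exactly the lowercase hex SHA-1 fingerprint of the AIK's SubjectPublicKeyInfo; an uppercase or otherwise formatted ID falls into the "unknown or different" branch. That contract deserves a comment at the comparison, e.g. `/* device ID must be the lowercase hex SHA-1 keyid of the AIK public key */`. The TCG_PTS_AIK case continues in the next hunk.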
@@ -183,21 +202,22 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, { if (aik->issued_by(aik, issuer, NULL)) { - trusted = TRUE; + trusted_chain = TRUE; break; } } e->destroy(e); DBG1(DBG_IMV, "AIK certificate is %strusted", - trusted ? "" : "not "); - if (!trusted) + trusted_chain ? "" : "not "); + if (!trusted || !trusted_chain) { attestation_state->set_measurement_error(attestation_state, IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK); break; } } - pts->set_aik(pts, aik); + session->get_session_id(session, NULL, &aik_id); + pts->set_aik(pts, aik, aik_id); break; } case TCG_PTS_FILE_MEAS: @@ -205,21 +225,18 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, TNC_IMV_Evaluation_Result eval; TNC_IMV_Action_Recommendation rec; tcg_pts_attr_file_meas_t *attr_cast; - u_int16_t request_id; + uint16_t request_id; int arg_int, file_count; pts_meas_algorithms_t algo; pts_file_meas_t *measurements; - imv_session_t *session; imv_workitem_t *workitem, *found = NULL; imv_workitem_type_t type; - char result_str[BUF_LEN], *platform_info; + char result_str[BUF_LEN]; bool is_dir, correct; enumerator_t *enumerator; eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT; - session = state->get_session(state); algo = pts->get_meas_algorithm(pts); - platform_info = pts->get_platform_info(pts); attr_cast = (tcg_pts_attr_file_meas_t*)attr; measurements = attr_cast->get_measurements(attr_cast); request_id = measurements->get_request_id(measurements); @@ -272,7 +289,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, /* check hashes from database against measurements */ e = pts_db->create_file_hash_enumerator(pts_db, - platform_info, algo, is_dir, arg_int); + pts->get_platform_id(pts), + algo, is_dir, arg_int); if (!e) { eval = TNC_IMV_EVALUATION_RESULT_ERROR; 
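Review bot: `trusted`, the device-trust result computed in the hunk at +174, is enforced only inside the `if (aik->get_type(aik) == CERT_X509)` branch, so an AIK delivered as a bare public key reaches `pts->set_aik(pts, aik, aik_id)` whatever the trust lookup returned, with the result merely logged. Unless raw AIK keys are rejected somewhere not visible here, the `!trusted` test should be hoisted ahead of the X.509 branch and only the chain test left inside it, as below. imv_attestation_process and the TCG_PTS_AIK case start outside the hunk.
```c
chunk_free(&keyid_hex);

/* reject an AIK whose public key is not registered as trusted,
 * regardless of the form it was delivered in */
if (!trusted)
{
	attestation_state->set_measurement_error(attestation_state,
								IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
	break;
}

if (aik->get_type(aik) == CERT_X509)
{
	/* … unchanged: issuer enumeration setting trusted_chain … */
	DBG1(DBG_IMV, "AIK certificate is %strusted",
		 trusted_chain ? "" : "not ");
	if (!trusted_chain)
	{
		attestation_state->set_measurement_error(attestation_state,
								IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
		break;
	}
}
session->get_session_id(session, NULL, &aik_id);
pts->set_aik(pts, aik, aik_id);
```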
@@ -304,8 +322,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, while (e->enumerate(e, &filename, &measurement)) { if (pts_db->add_file_measurement(pts_db, - platform_info, algo, measurement, filename, - is_dir, arg_int) != SUCCESS) + pts->get_platform_id(pts), algo, measurement, + filename, is_dir, arg_int) != SUCCESS) { eval = TNC_IMV_EVALUATION_RESULT_ERROR; } @@ -328,7 +346,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, } else { - measurements->check(measurements, pts_db, platform_info, algo); + measurements->check(measurements, pts_db, + pts->get_platform_id(pts), algo); } break; } @@ -373,7 +392,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, pts_comp_func_name_t *name; pts_comp_evidence_t *evidence; pts_component_t *comp; - u_int32_t depth; + uint32_t depth; status_t status; attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr; @@ -398,14 +417,15 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, case TCG_PTS_SIMPLE_EVID_FINAL: { tcg_pts_attr_simple_evid_final_t *attr_cast; - u_int8_t flags; + uint8_t flags; pts_meas_algorithms_t comp_hash_algorithm; chunk_t pcr_comp, tpm_quote_sig, evid_sig; - chunk_t pcr_composite, quote_info; - imv_session_t *session; + chunk_t pcr_composite, quote_info, result_buf; imv_workitem_t *workitem; + imv_reason_string_t *reason_string; enumerator_t *enumerator; bool use_quote2, use_ver_info; + bio_writer_t *result; attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr; flags = attr_cast->get_quote_info(attr_cast, &comp_hash_algorithm, 
@@ -451,9 +471,10 @@ quote_error: * Finalize any pending measurement registrations and check * if all expected component measurements were received */ - attestation_state->finalize_components(attestation_state); + result = bio_writer_create(128); + attestation_state->finalize_components(attestation_state, + result); - session = state->get_session(state); enumerator = session->create_workitem_enumerator(session); while (enumerator->enumerate(enumerator, &workitem)) { @@ -461,8 +482,7 @@ quote_error: { TNC_IMV_Action_Recommendation rec; TNC_IMV_Evaluation_Result eval; - char *result_str; - u_int32_t error; + uint32_t error; error = attestation_state->get_measurement_error( attestation_state); 
@@ -470,34 +490,35 @@ quote_error: IMV_ATTESTATION_ERROR_COMP_EVID_PEND | IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL)) { - imv_reason_string_t *reason_string; - chunk_t result; - reason_string = imv_reason_string_create("en", ", "); attestation_state->add_comp_evid_reasons( attestation_state, reason_string); - result = reason_string->get_encoding(reason_string); - result_str = strndup(result.ptr, result.len); + result->write_data(result, chunk_from_str("; ")); + result->write_data(result, + reason_string->get_encoding(reason_string)); reason_string->destroy(reason_string); eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR; } else { - result_str = strdup("attestation successful"); eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT; } session->remove_workitem(session, enumerator); - rec = workitem->set_result(workitem, result_str, eval); + + result->write_uint8(result, '\0'); + result_buf = result->get_buf(result); + rec = workitem->set_result(workitem, result_buf.ptr, + eval); state->update_recommendation(state, rec, eval); imcv_db->finalize_workitem(imcv_db, workitem); workitem->destroy(workitem); - free(result_str); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_END); break; } } enumerator->destroy(enumerator); + result->destroy(result); } if (attr_cast->get_evid_sig(attr_cast, &evid_sig)) diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c index 9304b9a13..11afbc29d 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c 
@@ -63,22 +63,12 @@ struct private_imv_attestation_state_t {
 /**
 * Maximum PA-TNC message size for this TNCCS connection
 */
- u_int32_t max_msg_len;
+ uint32_t max_msg_len;
 
 /**
 * Flags set for completed actions
 */
- u_int32_t action_flags;
-
- /**
- * Access Requestor ID Type
- */
- u_int32_t ar_id_type;
-
- /**
- * Access Requestor ID Value
- */
- chunk_t ar_id_value;
+ uint32_t action_flags;
 
 /**
 * IMV database session associated with TNCCS connection
@@ -113,7 +103,7 @@ struct private_imv_attestation_state_t {
 /**
 * Measurement error flags
 */
- u_int32_t measurement_error;
+ uint32_t measurement_error;
 
 /**
 * TNC Reason String
@@ -215,46 +205,29 @@ METHOD(imv_state_t, set_flags, void,
 }
 
 METHOD(imv_state_t, set_max_msg_len, void,
- private_imv_attestation_state_t *this, u_int32_t max_msg_len)
+ private_imv_attestation_state_t *this, uint32_t max_msg_len)
 {
 this->max_msg_len = max_msg_len;
 }
 
-METHOD(imv_state_t, get_max_msg_len, u_int32_t,
+METHOD(imv_state_t, get_max_msg_len, uint32_t,
 private_imv_attestation_state_t *this)
 {
 return this->max_msg_len;
 }
 
 METHOD(imv_state_t, set_action_flags, void,
- private_imv_attestation_state_t *this, u_int32_t flags)
+ private_imv_attestation_state_t *this, uint32_t flags)
 {
 this->action_flags |= flags;
 }
 
-METHOD(imv_state_t, get_action_flags, u_int32_t,
+METHOD(imv_state_t, get_action_flags, uint32_t,
 private_imv_attestation_state_t *this)
 {
 return this->action_flags;
 }
 
-METHOD(imv_state_t, set_ar_id, void,
- private_imv_attestation_state_t *this, u_int32_t id_type, chunk_t id_value)
-{
- this->ar_id_type = id_type;
- this->ar_id_value = chunk_clone(id_value);
-}
-
-METHOD(imv_state_t, get_ar_id, chunk_t,
- private_imv_attestation_state_t *this, u_int32_t *id_type)
-{
- if (id_type)
- {
- *id_type = this->ar_id_type;
- }
- return this->ar_id_value;
-}
-
 METHOD(imv_state_t, set_session, void,
 private_imv_attestation_state_t *this, imv_session_t *session)
 {
@@ -362,7 +335,6 @@ METHOD(imv_state_t, destroy, void, DESTROY_IF(this->reason_string); this->components->destroy_function(this->components, (void *)free_func_comp); this->pts->destroy(this->pts); - free(this->ar_id_value.ptr); free(this); } @@ -387,7 +359,7 @@ METHOD(imv_attestation_state_t, get_pts, pts_t*, METHOD(imv_attestation_state_t, create_component, pts_component_t*, private_imv_attestation_state_t *this, pts_comp_func_name_t *name, - u_int32_t depth, pts_database_t *pts_db) + uint32_t depth, pts_database_t *pts_db) { enumerator_t *enumerator; func_comp_t *entry, *new_entry; @@ -437,8 +409,8 @@ METHOD(imv_attestation_state_t, create_component, pts_component_t*, /** * Enumerate file measurement entries */ -static bool entry_filter(void *null, func_comp_t **entry, u_int8_t *flags, - void *i2, u_int32_t *depth, +static bool entry_filter(void *null, func_comp_t **entry, uint8_t *flags, + void *i2, uint32_t *depth, void *i3, pts_comp_func_name_t **comp_name) { pts_component_t *comp; 
@@ -482,28 +454,38 @@ METHOD(imv_attestation_state_t, get_component, pts_component_t*,
 return found;
 }
 
-METHOD(imv_attestation_state_t, get_measurement_error, u_int32_t,
+METHOD(imv_attestation_state_t, get_measurement_error, uint32_t,
 private_imv_attestation_state_t *this)
 {
 return this->measurement_error;
 }
 
 METHOD(imv_attestation_state_t, set_measurement_error, void,
- private_imv_attestation_state_t *this, u_int32_t error)
+ private_imv_attestation_state_t *this, uint32_t error)
 {
 this->measurement_error |= error;
 }
 
 METHOD(imv_attestation_state_t, finalize_components, void,
- private_imv_attestation_state_t *this)
+ private_imv_attestation_state_t *this, bio_writer_t *result)
 {
 func_comp_t *entry;
+ bool first = TRUE;
 
 while (this->components->remove_last(this->components,
 (void**)&entry) == SUCCESS)
 {
+ if (first)
+ {
+ first = FALSE;
+ }
+ else
+ {
+ result->write_data(result, chunk_from_str("; "));
+ }
 if (!entry->comp->finalize(entry->comp,
- entry->name->get_qualifier(entry->name)))
+ entry->name->get_qualifier(entry->name),
+ result))
 {
 set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
 }
@@ -529,8 +511,6 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 .get_max_msg_len = _get_max_msg_len,
 .set_action_flags = _set_action_flags,
 .get_action_flags = _get_action_flags,
- .set_ar_id = _set_ar_id,
- .get_ar_id = _get_ar_id,
 .set_session = _set_session,
 .get_session = _get_session,
 .change_state = _change_state,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
index 9369d30a2..b72857552 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
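Review bot: The `first` flag in finalize_components emits `"; "` before every component after the first, which assumes each `finalize` call writes text into `result`; if a component writes nothing (possibly the case when `finalize` returns FALSE and only IMV_ATTESTATION_ERROR_COMP_EVID_PEND is recorded) the output carries doubled or trailing separators. Deriving the separator from the writer's current length instead, `if (result->get_buf(result).len) { result->write_data(result, chunk_from_str("; ")); }`, drops the flag and also behaves correctly if a caller pre-seeds the writer. `result` is dereferenced without a NULL check, so its contract should state that it must be non-NULL. The loop body continues beyond the end of the hunk.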
@@ -29,7 +29,9 @@
 #include <pts/pts.h>
 #include <pts/pts_database.h>
 #include <pts/components/pts_component.h>
+
 #include <library.h>
+#include <bio/bio_writer.h>
 
 typedef struct imv_attestation_state_t imv_attestation_state_t;
 typedef enum imv_attestation_flag_t imv_attestation_flag_t;
@@ -40,10 +42,15 @@ typedef enum imv_meas_error_t imv_meas_error_t;
 * IMV Attestation Flags set for completed actions
 */
 enum imv_attestation_flag_t {
- IMV_ATTESTATION_FLAG_ATTR_REQ = (1<<0),
- IMV_ATTESTATION_FLAG_ALGO = (1<<1),
- IMV_ATTESTATION_FLAG_FILE_MEAS = (1<<2),
- IMV_ATTESTATION_FLAG_REC = (1<<3)
+ IMV_ATTESTATION_ATTR_PRODUCT_INFO = (1<<0),
+ IMV_ATTESTATION_ATTR_STRING_VERSION = (1<<1),
+ IMV_ATTESTATION_ATTR_DEVICE_ID = (1<<2),
+ IMV_ATTESTATION_ATTR_MUST = (1<<3)-1,
+ IMV_ATTESTATION_ATTR_REQ = (1<<3),
+ IMV_ATTESTATION_ALGO = (1<<4),
+ IMV_ATTESTATION_DH_NONCE = (1<<5),
+ IMV_ATTESTATION_FILE_MEAS = (1<<6),
+ IMV_ATTESTATION_REC = (1<<7)
 };
 
 /**
@@ -114,7 +121,7 @@ struct imv_attestation_state_t {
 */
 pts_component_t* (*create_component)(imv_attestation_state_t *this,
 pts_comp_func_name_t *name,
- u_int32_t depth,
+ uint32_t depth,
 pts_database_t *pts_db);
 
 /**
@@ -136,15 +143,18 @@ struct imv_attestation_state_t {
 /**
 * Tell the Functional Components to finalize any measurement registrations
 * and to check if all expected measurements were received
+ *
+ * @param result Writer appending component measurement results
 */
- void (*finalize_components)(imv_attestation_state_t *this);
+ void (*finalize_components)(imv_attestation_state_t *this,
+ bio_writer_t *result);
 
 /**
 * Indicates the types of measurement errors that occurred
 *
 * @return Measurement error flags
 */
- u_int32_t (*get_measurement_error)(imv_attestation_state_t *this);
+ uint32_t (*get_measurement_error)(imv_attestation_state_t *this);
 
 /**
 * Call if a measurement error is encountered
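Review bot: `IMV_ATTESTATION_ATTR_MUST = (1<<3)-1` is a mask rather than a flag, yet it sits without a comment inside an enum documented as "Flags set for completed actions", and the arithmetic covers exactly the three bits above it only as long as no further attribute flag is ever inserted before it. Spelling it as `IMV_ATTESTATION_ATTR_MUST = IMV_ATTESTATION_ATTR_PRODUCT_INFO | IMV_ATTESTATION_ATTR_STRING_VERSION | IMV_ATTESTATION_ATTR_DEVICE_ID,` preceded by `/** mask of the attribute flags above */` makes the intent explicit and keeps the mask in step with the individual flags. The `@param result` text added for finalize_components later in this file could also say that the writer must be non-NULL and receives `; `-separated component results, which is what the implementation in imv_attestation_state.c does.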
@@ -152,7 +162,7 @@ struct imv_attestation_state_t {
 * @param error Measurement error type
 */
 void (*set_measurement_error)(imv_attestation_state_t *this,
- u_int32_t error);
+ uint32_t error);
 
 /**
 * Returns a concatenation of File Measurement reason strings |