supplychainvalidationsummary will look up rims by ID (#805)

* Lookup here needed summary id from device object * Portal linkage issue * CertificatesUsed not working properly with RIM * Maybe need to link to base rim * Rim test 1 needed hw file * Working on CI * Connecting new tpm2_common * Edited the way scripts called in docker exec * TPM for reset each test * Defining efi paths in CI env file * Forgot to close while loops * Connecting default test files * Variable was wrong [no ci] * Added ACA tests using uploaded artifacts * Trying to chmod rim_setup.sh * rim_setup chmod issues * Added aca tests 9 and 10 to workflow * Added cases 9 and 10 for aca policy tests * Exit test scripts with error if one test fails * Attempt to solve uploaded rim linkup * Try only setting tagId if not null * updateSupportRimInfo was not setting associated rim on base * Attempt alternate lookup of rim by device name * Trouble with event log archived * Used wrong variable * Fix spotbugs * Try again * Change SupplyChainValidation.message size to MAX_MESSAGE_LENGTH
nsacyber · Jul 22, 2024 · 7c99b81 · 7c99b81
1 parent 315d3a2
commit 7c99b81
Show file tree

Hide file tree

Showing 19 changed files with 613 additions and 234 deletions.
diff --git a/.ci/docker/.env b/.ci/docker/.env
@@ -12,4 +12,41 @@ HIRS_ACA_HOSTNAME=hirsaca
 
 HIRS_SUBNET=172.19.0.0/16
 
-TEST_STATUS=0
+TEST_STATUS=0
+
+HIRS_DEFAULT_APPSETTINGS_FILE=/usr/share/hirs/appsettings.json
+
+HIRS_CI_REPO_ROOT=/hirs
+
+HIRS_CI_TEST_ROOT=/ci_test
+HIRS_CI_EFI_PATH_ROOT=$HIRS_CI_TEST_ROOT/boot/efi
+HIRS_CI_EFI_PATH_TCG=$HIRS_CI_EFI_PATH_ROOT/EFI/tcg
+HIRS_CI_EFI_PATH_PLATFORM=$HIRS_CI_EFI_PATH_TCG/cert/platform
+HIRS_CI_EFI_PATH_RIM=$HIRS_CI_EFI_PATH_TCG/manifest/rim
+HIRS_CI_EFI_PATH_SWIDTAG=$HIRS_CI_EFI_PATH_TCG/manifest/swidtag
+HIRS_CI_TEST_HW_JSON_FILE=$HIRS_CI_TEST_ROOT/hw.json
+HIRS_CI_TEST_EVENT_LOG_FILE=$HIRS_CI_TEST_ROOT/binary_bios_measurements
+
+HIRS_CI_TEST_DEFAULT_PROFILE_DIR=$HIRS_CI_REPO_ROOT/.ci/system-tests/profiles/laptop
+HIRS_CI_TEST_DEFAULT_TEST_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/default
+HIRS_CI_TEST_DEFAULT_DMI_ZIP=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/laptop_dmi.zip
+HIRS_CI_TEST_DEFAULT_HW_JSON_FILE=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_hw.json
+HIRS_CI_TEST_DEFAULT_EVENT_LOG=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_binary_bios_measurements
+HIRS_CI_TEST_DEFAULT_SETPCRS_SH=$HIRS_CI_TEST_DEFAULT_TEST_DIR/laptop_default_setpcrs.sh
+HIRS_CI_TEST_DEFAULT_PLATFORMCERTS_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/empty/platformcerts
+HIRS_CI_TEST_DEFAULT_RIMS_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/empty/rims
+HIRS_CI_TEST_DEFAULT_SWIDTAGS_DIR=$HIRS_CI_TEST_DEFAULT_PROFILE_DIR/empty/swidtags
+
+HIRS_CI_TPM_EK_CERT_FILE=/hirs/.ci/setup/certs/ek_cert.der
+HIRS_CI_TPM_EK_CERT_NV_ATTR="0x2000A"
+HIRS_CI_TPM_EK_CERT_NV_INDEX="0x1c00002"
+
+HIRS_ACA_POST_POINT_EK=HIRS_AttestationCAPortal/portal/certificate-request/endorsement-key-credentials/upload
+HIRS_ACA_POST_POINT_PLATFORM=HIRS_AttestationCAPortal/portal/certificate-request/platform-credentials/upload
+HIRS_ACA_POST_POINT_RIM=HIRS_AttestationCAPortal/portal/reference-manifests/upload
+HIRS_ACA_POST_POINT_TRUST=HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
+
+SERVER_ECERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_EK"
+SERVER_PCERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_PLATFORM"
+SERVER_CACERT_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_TRUST"
+SERVER_RIM_POST="https://$HIRS_ACA_HOSTNAME:$HIRS_ACA_PORTAL_PORT/$HIRS_ACA_POST_POINT_RIM"
diff --git a/.ci/docker/docker-compose-system-test.yml b/.ci/docker/docker-compose-system-test.yml
@@ -7,6 +7,7 @@ services:
       command: ["bash", "-c", "tail -f /dev/null;"]
       ports:
          - "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}"
+         - 9123:9123
       hostname: ${HIRS_ACA_HOSTNAME}
       networks:
          hirs_aca_system_tests:
@@ -21,7 +22,7 @@ services:
          - aca
       volumes:
          - ../../:/HIRS
-      command: ["bash", "-c", "/ibmswtpm2/src/tpm_server && tail -f /dev/null"]
+      command: ["bash", "-c", "tail -f /dev/null"]
       networks:
          hirs_aca_system_tests:
             ipv4_address: ${HIRS_ACA_PROVISIONER_TPM2_IP}
@@ -32,4 +33,4 @@ networks:
       ipam:
          driver: default
          config:
-            - subnet: ${HIRS_SUBNET}
+            - subnet: ${HIRS_SUBNET}
diff --git a/.ci/setup/container/setup_tpm2provisioner_dotnet.sh b/.ci/setup/container/setup_tpm2provisioner_dotnet.sh
@@ -4,120 +4,26 @@
 #########################################################################################
 
 # Setting configurations
-. ./.ci/docker/.env
+. /hirs/.ci/docker/.env
+source /hirs/.ci/setup/container/tpm2_common.sh
 
 set -a
 
 set -e
 echo "*** Setting up TPM emulator for the TPM2 Provisioner *** "
 
 # Wait for ACA to boot
-echo "*** Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
-  until [ "`curl --silent -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep 'HTTP/1.1 200'`" != "" ]; do
-    sleep 1;
-  done
-  echo "*** ACA is up!"
+waitForAca
 
 ## Un-package Provisioner.NET RPM
 yes | dnf install HIRS_Provisioner.NET/hirs/bin/Release/net6.0/linux-x64/HIRS_Provisioner.NET.2.2.0.linux-x64.rpm -y > /dev/null
 
 # Initiate startup for IBMTSS Tools
-pushd /ibmtss/utils
-tpm2_startup -T mssim -c &
-sleep 5
-tpm2_nvdefine -T mssim -C o -a 0x2000A -s $(cat /hirs/.ci/setup/certs/ek_cert.der | wc -c) 0x1c00002
-tpm2_nvwrite -T mssim -C o -i /hirs/.ci/setup/certs/ek_cert.der 0x1c00002
-popd
+startFreshTpmServer -f
+startupTpm
+installEkCert
 
-# Writing to Provisioner.Net configurations file for modified aca port and efi prefix
-cat <<APPSETTINGS_FILE > /usr/share/hirs/appsettings.json
-{
-  "auto_detect_tpm":  "TRUE",
-  "aca_address_port": "https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}",
-  "efi_prefix": "/ci_test/boot/efi",
-  "paccor_output_file": "",
-  "event_log_file":  "",
-  "hardware_manifest_collectors": "paccor_scripts",
-
-  "Serilog": {
-    "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
-    "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
-    "MinimumLevel": {
-      "Default": "Debug",
-      "Override": {
-        "Microsoft": "Warning",
-        "System": "Warning"
-      }
-    },
-    "WriteTo": [
-      {
-        "Name": "Console",
-        "Args": {
-          "outputTemplate": "{Message}{NewLine}",
-          "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
-          "restrictedToMinimumLevel": "Information"
-        }
-      },
-      {
-        "Name": "File",
-        "Args": {
-          "path": "hirs.log",
-          "rollingInterval": "Day",
-          "retainedFileCountLimit": 5
-        }
-      }
-    ]
-  }
-}
-APPSETTINGS_FILE
-cp /usr/share/hirs/appsettings.json /usr/share/hirs/appsettings_default.json
-cat <<APPSETTINGS_FILE_HW > /usr/share/hirs/appsettings_hw.json
-{
-  "auto_detect_tpm":  "TRUE",
-  "aca_address_port": "https://172.19.0.2:8443",
-  "efi_prefix": "/ci_test/boot/efi",
-  "paccor_output_file": "/ci_test/hw.json",
-  "event_log_file":  "/ci_test/binary_bios_measurements",
-  "hardware_manifest_collectors": "",
-  "linux_bios_vendor_file": "/ci_test/dmi/id/bios_vendor",
-  "linux_bios_version_file": "/ci_test/dmi/id/bios_version",
-  "linux_bios_date_file": "/ci_test/dmi/id/bios_date",
-  "linux_sys_vendor_file": "/ci_test/dmi/id/sys_vendor",
-  "linux_product_name_file": "/ci_test/dmi/id/product_name",
-  "linux_product_version_file": "/ci_test/dmi/id/product_version",
-  "linux_product_serial_file": "/ci_test/dmi/id/product_serial",
-
-  "Serilog": {
-    "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
-    "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
-    "MinimumLevel": {
-      "Default": "Debug",
-      "Override": {
-        "Microsoft": "Warning",
-        "System": "Warning"
-      }
-    },
-    "WriteTo": [
-      {
-        "Name": "Console",
-        "Args": {
-          "outputTemplate": "{Message}{NewLine}",
-          "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
-          "restrictedToMinimumLevel": "Information"
-        }
-      },
-      {
-        "Name": "File",
-        "Args": {
-          "path": "hirs.log",
-          "rollingInterval": "Day",
-          "retainedFileCountLimit": 5
-        }
-      }
-    ]
-  }
-}
-APPSETTINGS_FILE_HW
+setCiHirsAppsettingsFile
 
 # Triggering a single provision for test
 echo "==========="

diff --git a/.ci/setup/container/tpm2_common.sh b/.ci/setup/container/tpm2_common.sh
@@ -149,12 +149,200 @@ DEFAULT_SITE_CONFIG_FILE
    cat /etc/hirs/hirs-site.config
 }
 
+# Function to update the hirs-site.config file
+function setCiHirsAppsettingsFile {
+  # Setting configurations
+  . /hirs/.ci/docker/.env
+
+  HIRS_APPSETTINGS_FILE=$HIRS_DEFAULT_APPSETTINGS_FILE
+  ACA_ADDRESS="https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}"
+  EFI_PREFIX_PATH=$HIRS_CI_EFI_PATH_ROOT
+  PACCOR_OUTPUT_FILE=""
+  EVENT_LOG_FILE=""
+  HARDWARE_MANIFEST_COLLECTORS="paccor_scripts"
+
+  # Process parameters Argument handling 
+  POSITIONAL_ARGS=()
+  ORIGINAL_ARGS=("$@")
+  while [[ $# -gt 0 ]]; do
+    case $1 in
+      --aca-address)
+        shift # past argument
+        ACA_ADDRESS=$1
+        shift # past parameter
+        ;;
+      --efi-prefix)
+        shift # past argument
+        EFI_PREFIX_PATH=$1
+	shift # past parameter
+        ;;
+      --paccor-output-file)
+        shift # past argument
+	PACCOR_OUTPUT_FILE=$1
+	HARDWARE_MANIFEST_COLLECTORS=""
+        shift # past parameter
+        ;;
+      --event-log-file)
+        shift # past argument
+        EVENT_LOG_FILE=$1
+        shift # past argument
+        ;;
+      --linux-dmi)
+	USE_LINUX_DMI=YES
+	shift # past argument
+	;;
+    -*|--*)
+        echo "setCiHirsAppsettingsFile: Unknown option $1"
+        shift # past argument
+        ;;
+      *)
+       POSITIONAL_ARGS+=("$1") # save positional arg
+       # shift # past argument
+       break
+        ;;
+    esac
+  done
+  echo ""
+  echo "===========Updating ${HIRS_APPSETTINGS_FILE}, using values from /HIRS/.ci/docker/.env file...==========="
+
+  cat <<DEFAULT_APPSETTINGS_FILE > $HIRS_APPSETTINGS_FILE
+{
+  "auto_detect_tpm":  "TRUE",
+  "aca_address_port": "$ACA_ADDRESS",
+  "efi_prefix": "$EFI_PREFIX_PATH",
+  "paccor_output_file": "$PACCOR_OUTPUT_FILE",
+  "event_log_file": "$EVENT_LOG_FILE",
+  "hardware_manifest_collectors": "$HARDWARE_MANIFEST_COLLECTORS",
+DEFAULT_APPSETTINGS_FILE
+  if [ "$USE_LINUX_DMI" = YES ]; then
+    cat <<DEFAULT_APPSETTINGS_FILE >> $HIRS_APPSETTINGS_FILE
+  "linux_bios_vendor_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_vendor",
+  "linux_bios_version_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_version",
+  "linux_bios_date_file": "$HIRS_CI_TEST_ROOT/dmi/id/bios_date",
+  "linux_sys_vendor_file": "$HIRS_CI_TEST_ROOT/dmi/id/sys_vendor",
+  "linux_product_name_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_name",
+  "linux_product_version_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_version",
+  "linux_product_serial_file": "$HIRS_CI_TEST_ROOT/dmi/id/product_serial",
+DEFAULT_APPSETTINGS_FILE
+  fi
+  cat <<DEFAULT_APPSETTINGS_FILE >> $HIRS_APPSETTINGS_FILE
+  "Serilog": {
+    "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
+    "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
+    "MinimumLevel": {
+      "Default": "Debug",
+      "Override": {
+        "Microsoft": "Warning",
+        "System": "Warning"
+      }
+    },
+    "WriteTo": [
+      {
+        "Name": "Console",
+        "Args": {
+          "outputTemplate": "{Message}{NewLine}",
+          "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
+          "restrictedToMinimumLevel": "Information"
+        }
+      },
+      {
+        "Name": "File",
+        "Args": {
+          "path": "hirs.log",
+          "rollingInterval": "Day",
+          "retainedFileCountLimit": 5
+        }
+      }
+    ]
+  }
+}
+DEFAULT_APPSETTINGS_FILE
+}
+
+# These functions work on the tpm2provisioner_dotnet image 
+# They assume the IBM sw tpm server repo is cloned to /ibmswtpm2
+# They assume the IBM tss repo is cloned to /ibmtss
+# They assume tpm2-tools are installed.
+# They assume the HIRS repo is cloned to /hirs.
+function startFreshTpmServer {
+  # Process parameters Argument handling 
+  POSITIONAL_ARGS=()
+  ORIGINAL_ARGS=("$@")
+  while [[ $# -gt 0 ]]; do
+    case $1 in
+      -f|--force|--restart)
+	stopTpmServer
+	sleep 5
+	shift # past argument
+	;;
+    -*|--*)
+        echo "setCiHirsAppsettingsFile: Unknown option $1"
+        shift # past argument
+        ;;
+      *)
+       POSITIONAL_ARGS+=("$1") # save positional arg
+       # shift # past argument
+       break
+        ;;
+    esac
+  done
+
+  if isTpmServerRunning ; then
+    echo "TPM server already running."
+  else
+    echo -n "Starting TPM server..."
+    /ibmswtpm2/src/tpm_server -rm &> /dev/null &
+    sleep 2
+    pid=$(findTpmServerPid)
+    echo "...running with pid: $pid"
+  fi
+}
+
+function startupTpm {
+  echo "Running tpm2_startup"
+  tpm2_startup -T mssim -c
+  sleep 2
+}
+
+function installEkCert {
+  # Setting configurations
+  . /hirs/.ci/docker/.env
+
+  echo "Installing EK Cert $HIRS_CI_TPM_EK_CERT_FILE into TPM NVRAM at index $HIRS_CI_TPM_EK_CERT_NV_INDEX"
+  tpm2_nvdefine -T mssim -C o -a $HIRS_CI_TPM_EK_CERT_NV_ATTR -s $(cat $HIRS_CI_TPM_EK_CERT_FILE | wc -c) $HIRS_CI_TPM_EK_CERT_NV_INDEX
+  tpm2_nvwrite -T mssim -C o -i $HIRS_CI_TPM_EK_CERT_FILE $HIRS_CI_TPM_EK_CERT_NV_INDEX
+  echo "Finished installing EK cert."
+}
+
+function findTpmServerPid {
+  pid=$(pgrep -f /ibmswtpm2/src/tpm_server 2> /dev/null)
+  echo -n "$pid"
+}
+
+# ex usage: isTpmServerRunning && echo "up" || echo "down"
+function isTpmServerRunning {
+  tpmUp=$(findTpmServerPid)
+  if [ -n "$tpmUp" ]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+function stopTpmServer {
+  tpmUp=$(findTpmServerPid)
+  if [ -n "$tpmUp" ]; then
+    echo "Stopping TPM server with pid: $tpmUp"
+    kill -9 $tpmUp
+  fi
+}
+
 # Wait for ACA to boot
 function waitForAca {
   echo "Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
-  until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
+  until [ "`curl --silent -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep 'HTTP/1.1 200'`" != "" ]; do
     sleep 1;
-  #echo "Checking on the ACA..."
   done
   echo "ACA is up!"
 }
+