Merge branch 'main' into v3_issue_836-spdm

Author: iadgovuser58

.github/workflows/dotnet_provisioner_unit_tests.yml

@@ -21,7 +21,7 @@ jobs:
           git config --global core.eol lf
 
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -82,14 +82,14 @@ jobs:
           more $logName
 
       - name: Upload Logs Ubuntu
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: contains(matrix.os, 'ubuntu') && always()
         with:
           name: "${{matrix.os}}-unit-tests-${{steps.ubuntu_result.outputs.result}}.log"
           path: HIRS_Provisioner.NET/*.log
 
       - name: Upload Logs Windows
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: contains(matrix.os, 'windows') && always()
         with:
           name: "${{matrix.os}}-unit-tests-${{steps.window_result.outputs.result}}.log"

.github/workflows/hirs_package_linux.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Set up JDK 17
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: '17'
         distribution: 'temurin'
@@ -26,44 +26,57 @@ jobs:
     - name: directory setup
       run: |
        mkdir -p artifacts/jars
+       mkdir -p artifacts/win
+       mkdir -p artifacts/win/hirstools
     - name: install dependencies
       run: |
         sudo apt-get update
         sudo apt-get install git curl nano cron mariadb-server
     - name: Setup Gradle
-      uses: gradle/gradle-build-action@v2
+      uses: gradle/actions/setup-gradle@v3
     - name: Execute Gradle build
       run: |
           ./gradlew build;
           ./gradlew bootWar;
           ./gradlew buildDeb;
           ./gradlew buildRpm;
+          ./gradlew buildZip
           cp HIRS_AttestationCAPortal/build/libs/*.jar artifacts/jars/. 
           cp HIRS_AttestationCA/build/libs/*.jar artifacts/jars/.
           cp HIRS_Utils/build/libs/*.jar artifacts/jars/.
           cp HIRS_Structs/build/libs/*.jar artifacts/jars/.
+          cp tools/tcg_rim_tool/build/distributions/*.zip artifacts/win
+          cp tools/tcg_eventlog_tool/build/distributions/*.zip artifacts/win
+          cp package/win/tcg-rim-tool/* artifacts/win/hirstools
     - name: Archive RPM files
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: RPM_Files
         path: HIRS_AttestationCAPortal/build/distributions/*.rpm
         if-no-files-found: error
     - name: Archive DEB files
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: DEB_Files
         path: HIRS_AttestationCAPortal/build/distributions/*.deb
         if-no-files-found: error
     - name: War files
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: WAR_Files
         path: HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war
         if-no-files-found: error
     - name: JAR_Files
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: JAR_Files
         path: artifacts/jars/
         if-no-files-found: error
-        
+    - name: ZIP_Files
+      uses: actions/upload-artifact@v4
+      with:
+        name: ZIP_Files
+        path: artifacts/win/
+        if-no-files-found: error
+
+        

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java

@@ -1,5 +1,6 @@
 package hirs.attestationca.persist.provision;
 
+import com.fasterxml.jackson.databind.ser.Serializers;
 import com.google.protobuf.ByteString;
 import hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2;
 import hirs.attestationca.persist.entity.manager.CertificateRepository;
@@ -61,6 +62,8 @@
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
+import java.util.UUID;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -346,90 +349,151 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
                 dv.getHw().getManufacturer(),
                 dv.getHw().getProductName());
         BaseReferenceManifest dbBaseRim = null;
-        SupportReferenceManifest support;
+        SupportReferenceManifest support = null;
         EventLogMeasurements measurements;
+        boolean isReplacement = false;
+        String replacementRimId = "";
         String tagId = "";
         String fileName = "";
         Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)");
         Matcher matcher;
         MessageDigest messageDigest =  MessageDigest.getInstance("SHA-256");
 
-        if (dv.getLogfileCount() > 0) {
-            for (ByteString logFile : dv.getLogfileList()) {
-                try {
-                    support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
-                                    Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())),
-                            ReferenceManifest.SUPPORT_RIM);
-                    if (support == null) {
-                        support = new SupportReferenceManifest(
-                                String.format("%s.rimel",
-                                        defaultClientName),
-                                logFile.toByteArray());
-                        // this is a validity check
-                        new TCGEventLog(support.getRimBytes());
-                        // no issues, continue
-                        support.setPlatformManufacturer(dv.getHw().getManufacturer());
-                        support.setPlatformModel(dv.getHw().getProductName());
-                        support.setFileName(String.format("%s_[%s].rimel", defaultClientName,
-                                support.getHexDecHash().substring(
-                                        support.getHexDecHash().length() - NUM_OF_VARIABLES)));
-                        support.setDeviceName(dv.getNw().getHostname());
-                        this.referenceManifestRepository.save(support);
-                    } else {
-                        log.info("Client provided Support RIM already loaded in database.");
-                        if (support.isArchived()) {
-                            support.restore();
-                            support.resetCreateTime();
-                            this.referenceManifestRepository.save(support);
-                        }
-                    }
-                } catch (IOException ioEx) {
-                    log.error(ioEx);
-                } catch (Exception ex) {
-                    log.error(String.format("Failed to load support rim: %s", ex.getMessage()));
-                }
-            }
-        } else {
-            log.warn(String.format("%s did not send support RIM file...",
-                    dv.getNw().getHostname()));
-        }
-
         if (dv.getSwidfileCount() > 0) {
             for (ByteString swidFile : dv.getSwidfileList()) {
                 try {
                     dbBaseRim = (BaseReferenceManifest) referenceManifestRepository
                             .findByBase64Hash(Base64.getEncoder()
-                            .encodeToString(messageDigest
-                                    .digest(swidFile.toByteArray())));
+                                    .encodeToString(messageDigest
+                                            .digest(swidFile.toByteArray())));
                     if (dbBaseRim == null) {
+                        /*
+                        Either the swidFile does not have a corresponding base RIM in the backend
+                        or it was deleted. Check if there is a replacement by comparing tagId against
+                        all other base RIMs, and then set the corresponding support rim's deviceName.
+                         */
                         dbBaseRim = new BaseReferenceManifest(
                                 String.format("%s.swidtag",
                                         defaultClientName),
                                 swidFile.toByteArray());
+                        List<BaseReferenceManifest> baseRims = referenceManifestRepository.findAllBaseRims();
+                        for (BaseReferenceManifest bRim : baseRims) {
+                            if (bRim.getTagId().equals(dbBaseRim.getTagId())) {
+                                dbBaseRim = bRim;
+                                replacementRimId = dbBaseRim.getAssociatedRim().toString();
+                                isReplacement = true;
+                                break;
+                            }
+                        }
                         dbBaseRim.setDeviceName(dv.getNw().getHostname());
                         this.referenceManifestRepository.save(dbBaseRim);
-                    } else {
-                        log.info("Client provided Base RIM already loaded in database.");
-                        /**
-                         * Leaving this as is for now, however can there be a condition
-                         * in which the provisioner sends swidtags without support rims?
+                    } else if (dbBaseRim.isArchived()) {
+                        /*
+                        This block accounts for RIMs that may have been soft-deleted (archived)
+                        in an older version of the ACA.
                          */
+                        List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
+                        for (ReferenceManifest rim : rims) {
+                            if (rim.isBase() && rim.getTagId().equals(dbBaseRim.getTagId()) &&
+                                    rim.getCreateTime().after(dbBaseRim.getCreateTime())) {
+                                dbBaseRim.setDeviceName(null);
+                                dbBaseRim = (BaseReferenceManifest) rim;
+                                dbBaseRim.setDeviceName(dv.getNw().getHostname());
+                            }
+                        }
                         if (dbBaseRim.isArchived()) {
-                            dbBaseRim.restore();
-                            dbBaseRim.resetCreateTime();
+                            throw new Exception("Unable to locate an unarchived base RIM.");
+                        } else {
                             this.referenceManifestRepository.save(dbBaseRim);
                         }
+                    } else {
+                        dbBaseRim.setDeviceName(dv.getNw().getHostname());
+                        this.referenceManifestRepository.save(dbBaseRim);
                     }
                     tagId = dbBaseRim.getTagId();
                 } catch (UnmarshalException e) {
                     log.error(e);
+                } catch (Exception ex) {
+                    log.error(String.format("Failed to load base rim: %s", ex.getMessage()));
                 }
             }
         } else {
             log.warn(String.format("%s did not send swid tag file...",
                     dv.getNw().getHostname()));
         }
 
+        if (dv.getLogfileCount() > 0) {
+            for (ByteString logFile : dv.getLogfileList()) {
+                try {
+                    support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
+                                    Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())),
+                            ReferenceManifest.SUPPORT_RIM);
+                    if (support == null) {
+                        /*
+                        Either the logFile does not have a corresponding support RIM in the backend
+                        or it was deleted. The support RIM for a replacement base RIM is handled
+                        in the previous loop block.
+                         */
+                        if (isReplacement) {
+                            Optional<ReferenceManifest> replacementRim =
+                                    referenceManifestRepository.findById(UUID.fromString(replacementRimId));
+                            if (replacementRim.isPresent()) {
+                                support = (SupportReferenceManifest) replacementRim.get();
+                                support.setDeviceName(dv.getNw().getHostname());
+                            } else {
+                                throw new Exception("Unable to locate support RIM " + replacementRimId);
+                            }
+                        } else {
+                            support = new SupportReferenceManifest(
+                                    String.format("%s.rimel",
+                                            defaultClientName),
+                                    logFile.toByteArray());
+                            // this is a validity check
+                            new TCGEventLog(support.getRimBytes());
+                            // no issues, continue
+                            support.setPlatformManufacturer(dv.getHw().getManufacturer());
+                            support.setPlatformModel(dv.getHw().getProductName());
+                            support.setFileName(String.format("%s_[%s].rimel", defaultClientName,
+                                    support.getHexDecHash().substring(
+                                            support.getHexDecHash().length() - NUM_OF_VARIABLES)));
+                        }
+                        support.setDeviceName(dv.getNw().getHostname());
+                        this.referenceManifestRepository.save(support);
+                    } else if (support.isArchived()) {
+                        /*
+                        This block accounts for RIMs that may have been soft-deleted (archived)
+                        in an older version of the ACA.
+                         */
+                        List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
+                        for (ReferenceManifest rim : rims) {
+                            if (rim.isSupport() &&
+                                    rim.getTagId().equals(support.getTagId()) &&
+                                    rim.getCreateTime().after(support.getCreateTime())) {
+                                support.setDeviceName(null);
+                                support = (SupportReferenceManifest) rim;
+                                support.setDeviceName(dv.getNw().getHostname());
+                            }
+                        }
+                        if (support.isArchived()) {
+                            throw new Exception("Unable to locate an unarchived support RIM.");
+                        } else {
+                            this.referenceManifestRepository.save(support);
+                        }
+                    } else {
+                        support.setDeviceName(dv.getNw().getHostname());
+                        this.referenceManifestRepository.save(support);
+                    }
+                } catch (IOException ioEx) {
+                    log.error(ioEx);
+                } catch (Exception ex) {
+                    log.error(String.format("Failed to load support rim: %s", ex.getMessage()));
+                }
+            }
+        } else {
+            log.warn(String.format("%s did not send support RIM file...",
+                    dv.getNw().getHostname()));
+        }
+
         //update Support RIMs and Base RIMs.
         for (ByteString swidFile : dv.getSwidfileList()) {
             dbBaseRim = (BaseReferenceManifest) referenceManifestRepository

HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java

@@ -239,9 +239,7 @@ public RedirectView delete(@RequestParam final String id,
                 messages.addError(notFoundMessage);
                 log.warn(notFoundMessage);
             } else {
-                // if support rim, update associated events
-                referenceManifest.archive();
-                referenceManifestRepository.save(referenceManifest);
+                referenceManifestRepository.delete(referenceManifest);
                 String deleteCompletedMessage = "RIM successfully deleted";
                 messages.addInfo(deleteCompletedMessage);
                 log.info(deleteCompletedMessage);

HIRS_Provisioner.NET/hirs/HIRS_Provisioner.NET.csproj

@@ -2,13 +2,13 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <RuntimeIdentifiers>linux-x64;win-x64</RuntimeIdentifiers>
     <StartupObject>hirs.Program</StartupObject>
     <PublishSingleFile>true</PublishSingleFile>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
-    <PackageVersion>3.0.0</PackageVersion>
+    <PackageVersion>3.0.1</PackageVersion>
     <Release></Release> 
 </PropertyGroup>
 
@@ -35,7 +35,7 @@
     <PackageReference Include="paccor.HardwareManifestPlugin" Version="1.0.0" />
     <PackageReference Include="paccor.HardwareManifestPluginManager" Version="1.0.0" />
     <PackageReference Include="paccor.paccor_scripts" Version="1.0.1" />
-    <PackageReference Include="Packaging.Targets" Version="0.1.220">
+    <PackageReference Include="Packaging.Targets" Version="0.1.226">
       <PrivateAssets>all</PrivateAssets> <!-- These assets will be consumed but won't flow to the parent project -->
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>

HIRS_Provisioner.NET/hirsTest/hirsTest.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <IsPackable>false</IsPackable>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>

package/win/tcg-rim-tool/README.md

@@ -0,0 +1,29 @@
+This README is part of the ZIP_Files.zip generated from hirs_package_linux.yml the goal of this zip is to have the TCG RIM tool, and the TCG Eventlog tool available on windows. 
+
+To get the tools running on windows follow the instructions below:  
+
+1- Unzip "ZIP_Files" 
+
+2- open powershell as administrator and navigate to the hirstools folder. 
+
+3- run the following command: ```powershell -ExecutionPolicy Bypass -File '.\create_hirstools_desktop_shortcut.ps1'```
+
+4- double-click the HIRS_tools shortcut on your desktop. 
+
+To run the rim tool try the following commands:
+
+> rim -c base -a .\tcg_rim_tool\Base_Rim_Config.json -l .\tcg_rim_tool\TpmLog.bin -k .\tcg_rim_tool\PC_OEM1_rim_signer_rsa_3k_sha384.key -p .\tcg_rim_tool\PC_OEM1_rim_signer_rsa_3k_sha384.pem -o baseRim.swidtag
+
+> rim -v .\baseRim.swidtag -p .\tcg_rim_tool\PC_OEM1_rim_signer_rsa_3k_sha384.pem -t .\tcg_rim_tool\PC_OEM1_Cert_Chain.pem -l .\tcg_rim_tool\TpmLog.bin
+
+
+
+To run the eventlog tool:
+
+elt -f  C:\Windows\Logs\MeasuredBoot\[.log file here] -e
+
+Eventlog files are found here windows:
+C:\Windows\Logs\MeasuredBoot
+
+Example Command would be: 
+> elt -f  C:\Windows\Logs\MeasuredBoot\000000001-000000001.log -e (file name needs to match on on your system)