
Commit c37dd12

committed
Detect replacement RIM bundle and process accordingly during FW provisioning
Handle replacement base and support RIMs in their respective logic blocks
1 parent a123acc commit c37dd12


2 files changed

+103
-55
lines changed


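--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java
@@ -62,6 +62,8 @@
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
+import java.util.UUID;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -347,78 +349,49 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
 dv.getHw().getManufacturer(),
 dv.getHw().getProductName());
 BaseReferenceManifest dbBaseRim = null;
-SupportReferenceManifest support;
+SupportReferenceManifest support = null;
 EventLogMeasurements measurements;
+boolean isReplacement = false;
+String replacementRimId = "";
 String tagId = "";
 String fileName = "";
 Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)");
 Matcher matcher;
 MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
 
-if (dv.getLogfileCount() > 0) {
-for (ByteString logFile : dv.getLogfileList()) {
-try {
-support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
-Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())),
-ReferenceManifest.SUPPORT_RIM);
-if (support == null) {
-support = new SupportReferenceManifest(
-String.format("%s.rimel",
-defaultClientName),
-logFile.toByteArray());
-// this is a validity check
-new TCGEventLog(support.getRimBytes());
-// no issues, continue
-support.setPlatformManufacturer(dv.getHw().getManufacturer());
-support.setPlatformModel(dv.getHw().getProductName());
-support.setFileName(String.format("%s_[%s].rimel", defaultClientName,
-support.getHexDecHash().substring(
-support.getHexDecHash().length() - NUM_OF_VARIABLES)));
-support.setDeviceName(dv.getNw().getHostname());
-this.referenceManifestRepository.save(support);
-} else if (support.isArchived()) {
-List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
-for (ReferenceManifest rim : rims) {
-if (rim.isSupport() &&
-rim.getTagId().equals(support.getTagId()) &&
-rim.getCreateTime().after(support.getCreateTime())) {
-support.setDeviceName(null);
-support = (SupportReferenceManifest) rim;
-support.setDeviceName(dv.getNw().getHostname());
-}
-}
-if (support.isArchived()) {
-throw new Exception("Unable to locate an unarchived support RIM.");
-} else {
-this.referenceManifestRepository.save(support);
-}
-}
-} catch (IOException ioEx) {
-log.error(ioEx);
-} catch (Exception ex) {
-log.error(String.format("Failed to load support rim: %s", ex.getMessage()));
-}
-}
-} else {
-log.warn(String.format("%s did not send support RIM file...",
-dv.getNw().getHostname()));
-}
-
 if (dv.getSwidfileCount() > 0) {
 for (ByteString swidFile : dv.getSwidfileList()) {
 try {
 dbBaseRim = (BaseReferenceManifest) referenceManifestRepository
 .findByBase64Hash(Base64.getEncoder()
-.encodeToString(messageDigest
-.digest(swidFile.toByteArray())));
+.encodeToString(messageDigest
+.digest(swidFile.toByteArray())));
 if (dbBaseRim == null) {
+/*
+Either the swidFile does not have a corresponding base RIM in the backend
+or it was deleted. Check if there is a replacement by comparing tagId against
+all other base RIMs, and then set the corresponding support rim's deviceName.
+*/
 dbBaseRim = new BaseReferenceManifest(
 String.format("%s.swidtag",
 defaultClientName),
 swidFile.toByteArray());
+List<BaseReferenceManifest> baseRims = referenceManifestRepository.findAllBaseRims();
+for (BaseReferenceManifest bRim : baseRims) {
+if (bRim.getTagId().equals(dbBaseRim.getTagId())) {
+dbBaseRim = bRim;
+replacementRimId = dbBaseRim.getAssociatedRim().toString();
+isReplacement = true;
+break;
+}
+}
 dbBaseRim.setDeviceName(dv.getNw().getHostname());
 this.referenceManifestRepository.save(dbBaseRim);
 } else if (dbBaseRim.isArchived()) {
+/*
+This block accounts for RIMs that may have been soft-deleted (archived)
+in an older version of the ACA.
+*/
 List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
 for (ReferenceManifest rim : rims) {
 if (rim.isBase() && rim.getTagId().equals(dbBaseRim.getTagId()) &&
@@ -430,7 +403,12 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
 }
 if (dbBaseRim.isArchived()) {
 throw new Exception("Unable to locate an unarchived base RIM.");
+} else {
+this.referenceManifestRepository.save(dbBaseRim);
 }
+} else {
+dbBaseRim.setDeviceName(dv.getNw().getHostname());
+this.referenceManifestRepository.save(dbBaseRim);
 }
 tagId = dbBaseRim.getTagId();
 } catch (UnmarshalException e) {
@@ -444,6 +422,78 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
 dv.getNw().getHostname()));
 }
 
+if (dv.getLogfileCount() > 0) {
+for (ByteString logFile : dv.getLogfileList()) {
+try {
+support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
+Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())),
+ReferenceManifest.SUPPORT_RIM);
+if (support == null) {
+/*
+Either the logFile does not have a corresponding support RIM in the backend
+or it was deleted. The support RIM for a replacement base RIM is handled
+in the previous loop block.
+*/
+if (isReplacement) {
+Optional<ReferenceManifest> replacementRim =
+referenceManifestRepository.findById(UUID.fromString(replacementRimId));
+if (replacementRim.isPresent()) {
+support = (SupportReferenceManifest) replacementRim.get();
+support.setDeviceName(dv.getNw().getHostname());
+} else {
+throw new Exception("Unable to locate support RIM " + replacementRimId);
+}
+} else {
+support = new SupportReferenceManifest(
+String.format("%s.rimel",
+defaultClientName),
+logFile.toByteArray());
+// this is a validity check
+new TCGEventLog(support.getRimBytes());
+// no issues, continue
+support.setPlatformManufacturer(dv.getHw().getManufacturer());
+support.setPlatformModel(dv.getHw().getProductName());
+support.setFileName(String.format("%s_[%s].rimel", defaultClientName,
+support.getHexDecHash().substring(
+support.getHexDecHash().length() - NUM_OF_VARIABLES)));
+}
+support.setDeviceName(dv.getNw().getHostname());
+this.referenceManifestRepository.save(support);
+} else if (support.isArchived()) {
+/*
+This block accounts for RIMs that may have been soft-deleted (archived)
+in an older version of the ACA.
+*/
+List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
+for (ReferenceManifest rim : rims) {
+if (rim.isSupport() &&
+rim.getTagId().equals(support.getTagId()) &&
+rim.getCreateTime().after(support.getCreateTime())) {
+support.setDeviceName(null);
+support = (SupportReferenceManifest) rim;
+support.setDeviceName(dv.getNw().getHostname());
+}
+}
+if (support.isArchived()) {
+throw new Exception("Unable to locate an unarchived support RIM.");
+} else {
+this.referenceManifestRepository.save(support);
+}
+} else {
+support.setDeviceName(dv.getNw().getHostname());
+this.referenceManifestRepository.save(support);
+}
+} catch (IOException ioEx) {
+log.error(ioEx);
+} catch (Exception ex) {
+log.error(String.format("Failed to load support rim: %s", ex.getMessage()));
+}
+}
+} else {
+log.warn(String.format("%s did not send support RIM file...",
+dv.getNw().getHostname()));
+}
+
 //update Support RIMs and Base RIMs.
 for (ByteString swidFile : dv.getSwidfileList()) {
 dbBaseRim = (BaseReferenceManifest) referenceManifestRepository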
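Review bot: `isReplacement` and `replacementRimId` are assigned inside the swidFile loop's tagId-match loop but never reset, so once any swidtag matches a stored base RIM by tagId, every later logFile whose hash is unknown is bound to that single `replacementRimId` through `findById`, and `support = (SupportReferenceManifest) replacementRim.get()` casts whatever entity that id resolves to without checking its type. `dbBaseRim.getAssociatedRim().toString()` also throws NullPointerException when the matched base RIM has no associated RIM id, and whether the swidFile loop's catch list handles that cannot be seen here (only `catch (UnmarshalException e)` is inside the hunk). In the replacement branch the device-supplied logFile bytes are neither validated with `new TCGEventLog(...)` nor stored, which differs from the non-replacement branch and deserves a comment stating that this is intended. Suggest guarding the assignment with `if (bRim.getAssociatedRim() != null) { replacementRimId = bRim.getAssociatedRim().toString(); isReplacement = true; }` and tightening the lookup to `if (replacementRim.isPresent() && replacementRim.get() instanceof SupportReferenceManifest)`. parseDeviceInfo starts and ends outside the hunks.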

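--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java
@@ -239,9 +239,7 @@ public RedirectView delete(@RequestParam final String id,
 messages.addError(notFoundMessage);
 log.warn(notFoundMessage);
 } else {
-// if support rim, update associated events
-referenceManifest.archive();
-referenceManifestRepository.save(referenceManifest);
+referenceManifestRepository.delete(referenceManifest);
 String deleteCompletedMessage = "RIM successfully deleted";
 messages.addInfo(deleteCompletedMessage);
 log.info(deleteCompletedMessage);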
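Review bot: Replacing `archive()` plus `save` with `referenceManifestRepository.delete(referenceManifest)` removes the row outright, while IdentityClaimProcessor in this same commit still resolves a replacement support RIM through a stored associated-RIM id with `findById`; nothing in this hunk clears or checks that reference on the counterpart RIM before deleting, so a later lookup can only fall into the "Unable to locate support RIM" failure path. The dropped comment `// if support rim, update associated events` implies support RIMs carry associated events; whether `delete` cascades to them or leaves them dangling depends on the entity mapping, which is outside the hunk. The `log.info` records only a fixed message, so the hard delete is not traceable to a RIM; logging the request parameter as well, e.g. `log.info(deleteCompletedMessage + " (id " + id + ")");`, would fix that. delete() begins and ends outside the hunk.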
