diff --git a/.ci/setup/certs/oem_certs.zip b/.ci/setup/certs/oem_certs.zip
new file mode 100644
index 000000000..4d7107dda
Binary files /dev/null and b/.ci/setup/certs/oem_certs.zip differ
diff --git a/scripts/install_hat.ps1 b/scripts/install_hat.ps1
new file mode 100644
index 000000000..a65ad6d62
--- /dev/null
+++ b/scripts/install_hat.ps1
@@ -0,0 +1,115 @@
+#Requires -RunAsAdministrator
+# Powershell script to install the HIRS Acceptance Test on Windows
+Write-Host "Installing the HIRS Acceptance Test (HAT)"
+Write-Host "Checking for prerequisites..."
+
+# Check for connectivity to github
+$Github=Test-Connection -ComputerName www.github.com -Quiet
+if ($Github -ne 'True' ) {
+ Write-Host "Cannot reach www.github.com, please check internet connection and Firewall settings"
+ Write-Host "Exiting without installing HAT. Hit Any key to exit"
+ $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+ exit;
+} else {
+ Write-Host "Github is accessible, continuing installation..."
+}
+
+# Check For Docker Services
+$Service=Get-Service -Name Docker
+if ($Service.Status -ne 'Running') {
+ Write-Host "Docker is either NOT running or NOT installed."
+ Write-Host "Please start or install Docker Desktop. See https://docs.docker.com/desktop/install/windows-install/";
+ Write-Host "Exiting without installing HAT. Hit any key to exit"
+ $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+ exit;
+} else {
+ Write-Host "Docker is running, continuing installation..."
+}
+
+# Check for previos install
+if (Test-Path -Path hirs) {
+ Write-Host "The hirs folder exists under the current directory, aborting install."
+ Write-Host "Exiting without installing HAT. Hit Any key to exit"
+ $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+ exit
+}
+
+# Warn Admin that device needs to be attached for the next step and wait for connection
+Write-Host "Please attach an Ethernet cable between this device and a powered target device for the next step. Hit Any Key to Continue"
+$Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | out-null
+Write-Host "Testing wired Ethernet connection..."
+$ethernet=Get-NetAdapter -Physical | Where {$_.Status -eq 'Up' -and $_.MediaType -eq 802.3}
+if (!$ethernet) {
+ Write-Host "Wired Ethernet connection not found, Please connect"
+ do {
+ $ethernet=Get-NetAdapter -Physical | Where {$_.Status -eq 'Up' -and $_.MediaType -eq 802.3}
+ Start-Sleep -seconds 10
+ Write-Host "Waiting for an Ethernet connection..."
+ } until ($ethernet)
+}
+Write-Host "Wired Ethernet connection found, continuing..."
+# Make Firwall Rules for ACA to operate
+Write-Host "Adding Firewall rules"
+netsh advfirewall firewall add rule name="ACA HTTPS" dir=in action=allow protocol=TCP localport=8443 | out-null
+netsh advfirewall firewall add rule name="ACA HTTPS" dir=out action=allow protocol=TCP localport=8443 | out-null
+
+# Make folder for necessary files
+mkdir hirs | out-null
+Push-Location .\hirs\ | out-null
+
+Write-Host "Retreiving Configuration Files"
+wget https://raw.githubusercontent.com/nsacyber/HIRS/main/.ci/docker/compose-acceptance-test-windows.yml -o compose-acceptance-test-windows.yml
+#wget https://raw.githubusercontent.com/nsacyber/HIRS/v3_hat-compose/.ci/docker/compose-acceptance-test-windows.yml -o compose-acceptance-test-windows.yml
+
+Write-Host "Retreiving Trust Stores"
+wget https://raw.githubusercontent.com/nsacyber/HIRS/main/.ci/setup/certs/oem_certs.zip -o oem_certs.zip
+wget https://raw.githubusercontent.com/nsacyber/HIRS/main/scripts/start_hat.ps1 -o start_hat.ps1
+wget https://raw.githubusercontent.com/nsacyber/HIRS/main/scripts/remove_hat.ps1 -o remove_hat.ps1
+#wget https://raw.githubusercontent.com/nsacyber/HIRS/v3_issue_645-hatSetup/.ci/setup/certs/oem_certs.zip -o oem_certs.zip
+#wget https://raw.githubusercontent.com/nsacyber/HIRS/v3_issue_645-hatSetup/scripts/start_hat.ps1 -o start_hat.ps1
+#wget https://raw.githubusercontent.com/nsacyber/HIRS/v3_issue_645-hatSetup/scripts/remove_hat.ps1 -o remove_hat.ps1
+
+Expand-Archive -Path oem_certs.zip
+Write-Host "Downloading images (This can take a while)"
+docker pull ghcr.io/nsacyber/hirs/aca:latest
+docker pull ghcr.io/nsacyber/hirs/hat:latest
+Write-Host "Creating shortcut for starting the Acceptance Test (HAT start)"
+
+# Create a shortcut to the start_hat.ps1 script
+$WshShell = New-Object -comObject WScript.Shell
+$Shortcut = $WshShell.CreateShortcut("$Home\Desktop\start_hat.lnk")
+$Shortcut.Targetpath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
+$Shortcut.Arguments = "-ExecutionPolicy bypass $Home\hirs\start_hat.ps1"
+$Shortcut.Save()
+
+# Start up the containers in a detached mode
+ docker compose -f $Home\hirs\compose-acceptance-test-windows.yml up --detach
+# Wait for ACA to start
+Write-Host "Waiting for ACA to start up on local host port 8443 ..."
+Write-Host " Note that several TCP connect failure notices are expectred while the container boots up."
+Start-Sleep -seconds 10
+ while ((Test-NetConnection -computername localhost -Port 8443 ).TcpTestSucceeded -eq $FALSE ) { Start-Sleep -seconds 5 }
+Write-Host "ACA is up!"
+# Upload all files in the upload folder
+Write-Host "Uploading OEM Certificates Chains to the ACA..."
+Get-ChildItem ".\oem_certs\upload\" |
+foreach-Object {
+ $filename = $_.FullName
+ Write-Host "Uploading $filename"
+ curl.exe -k -F "file=@$filename" `
+ "https://127.0.0.1:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload"
+}
+# Set ACA Policy to perform EK and Platform Cert validation
+$Properties=docker exec aca powershell -command "Get-Content C:\ProgramData\hirs\aca\aca.properties"
+$Props=echo $Properties | Out-String | ConvertFrom-StringData
+$Prop=$Props.hirs_db_password
+docker exec aca mysql -u hirs_db -D hirs_db --password=$Prop -e `
+"Update policysettings set ecValidationEnabled=1, pcValidationEnabled=1, `
+pcAttributeValidationEnabled=1, utcValidationEnabled=0, firmwareValidationEnabled=0, `
+ expiredCertificateValidationEnabled=0, ignoreGptEnabled=1, `
+ignoreImaEnabled=0, ignoretBootEnabled=0, ignoreOsEvtEnabled=1;"
+
+# Done
+Write-Host "HIRS Acceptance Test Installation complete."
+Write-Host "Open up the HIRS ACA Portal on your browser using this url: https://localhost:8443"
+Pop-Location | out-null
\ No newline at end of file
diff --git a/scripts/remove_hat.ps1 b/scripts/remove_hat.ps1
new file mode 100644
index 000000000..4a0f8aa05
--- /dev/null
+++ b/scripts/remove_hat.ps1
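Review bot: The compose file, oem_certs.zip, start_hat.ps1 and remove_hat.ps1 are fetched from the `main` branch with no integrity check, and each is then acted on with full trust: `docker compose ... up` consumes the compose file, the desktop shortcut runs start_hat.ps1 with `-ExecutionPolicy bypass`, and the zip contents are uploaded to the ACA as trust chains. Pinning the downloads to a release ref and comparing a `Get-FileHash` result against a published SHA-256 before use closes that gap; a sketch for the compose file follows and the same pattern applies to the other three. Note also that in Windows PowerShell `wget` resolves to the Invoke-WebRequest alias, where I believe `-o` is ambiguous (-OutFile/-OutVariable/-OutBuffer), so spelling out `-OutFile` avoids a silently failed download. Separately, the database password read from aca.properties is passed as `--password=$Prop` on the mysql command line, where it is visible in the container's process list; `docker exec -e MYSQL_PWD=$Prop aca mysql -u hirs_db -D hirs_db -e "..."` keeps it off argv.
```powershell
# Pin the source ref and verify what was fetched before docker compose consumes it.
$Ref = 'main'                                      # TODO: pin to a release tag
$ComposeSha256 = '<EXPECTED-SHA256-PLACEHOLDER>'   # published alongside the release
Invoke-WebRequest "https://raw.githubusercontent.com/nsacyber/HIRS/$Ref/.ci/docker/compose-acceptance-test-windows.yml" -OutFile compose-acceptance-test-windows.yml
if ((Get-FileHash -Algorithm SHA256 compose-acceptance-test-windows.yml).Hash -ne $ComposeSha256) {
  throw "compose-acceptance-test-windows.yml does not match the expected hash"
}
# … unchanged: same fetch-and-verify for oem_certs.zip, start_hat.ps1, remove_hat.ps1, then Expand-Archive …
```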
@@ -0,0 +1,63 @@
+#Requires -RunAsAdministrator
+# Powershell script to install the HIRS Acceptance Test on Windows
+
+$Service = Get-Service -Name Docker
+if ($Service.Status -ne 'Running') {
+ Write-Host "Docker is either NOT running or NOT installed."
+ Write-Host "Please start Docker Desktop."
+ Write-Host "Exiting without removing the HAT. Hit Any Key to exit"
+ $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+ Exit;
+} else {
+ Write-Host "Docker is running, continuing HAT removal..."
+}
+$CurrentDir = Split-Path -Path (Get-Location) -Leaf
+
+if ($CurrentDir -ne 'hirs') {
+ Write-Host "Please run this script from the hirs directory"
+ Write-Host "Exiting without removing the HAT. Hit Any Key to exit"
+ $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+ Exit;
+}
+# remove Firewall Rules
+Write-Host "Removing HAT FW Rule ACA HTTPS"
+netsh advfirewall firewall delete rule name="ACA HTTPS"
+
+# remove HAT Docker containers and images
+$IsAcaRunning = docker container inspect -f '{{.State.Running}}' aca 2>&1 | out-null
+$IsHatRunning = docker container inspect -f '{{.State.Running}}' hat 2>&1 | out-null
+
+if ($IsHatRunning -eq "true") {
+ Write-Host "Shutting down the HAT container"
+ docker stop hat
+}
+
+if ($IsAcaRunning -eq "true") {
+ Write-Host "Shutting down the ACA container"
+ docker stop aca
+}
+Write-Host "Removing HAT Containers"
+docker stop aca
+docker stop hat
+docker rm aca
+docker rm hat
+
+Write-Host "Remove HAT docker network"
+docker network rm hat_network
+
+Write-Host "Removing HAT images"
+
+#docker image rm ghcr.io/nsacyber/hirs/aca:latest
+#docker image rm ghcr.io/nsacyber/hirs/hat:latest
+
+Write-Host "Removing local HAT folder and files"
+cd ..
+
+if (Test-Path -LiteralPath hirs) {
+ Remove-Item -LiteralPath hirs -Recurse
+}
+
+Write-Host "Removing HAT Deskstop Shortcut"
+Remove-Item "$Home\Desktop\start_hat.lnk" -Force
+
+Write-Host "HAT has been removed from the system"
\ No newline at end of file
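Review bot: `$IsAcaRunning` and `$IsHatRunning` are always empty, because `2>&1 | out-null` discards the inspect output before anything reaches the assignment, so the two "Shutting down" branches can never run and only the unconditional `docker stop`/`docker rm` lines below them do the work. If the conditional stops are meant to stay, the assignments should be `$IsAcaRunning = docker container inspect -f '{{.State.Running}}' aca 2>$null` (same for hat); otherwise the two `if` blocks should be dropped. The header comment was copied from the installer and still says the script installs the HAT; it should read `# Powershell script to remove the HIRS Acceptance Test on Windows`. The guard before `Remove-Item -LiteralPath hirs -Recurse` only checks that the current directory's leaf name is `hirs`; also checking that compose-acceptance-test-windows.yml is present before recursing keeps an unrelated directory of the same name from being deleted.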
diff --git a/scripts/start_hat.ps1 b/scripts/start_hat.ps1
new file mode 100644
index 000000000..f0416c201
--- /dev/null
+++ b/scripts/start_hat.ps1
@@ -0,0 +1,39 @@
+# Script to start the docker continers used for the HIRS Acceptance Test
+
+$DockerProc = Get-process "*docker desktop*"
+ if ($DockerProc.Count -eq 0 ) {
+ Write-Host "Docker Service is not started, please start Docker Desktop."
+ Write-Host "Exiting without starting HAT. Hit any key to exit"
+ $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+ exit
+}
+
+$IsAcaRunning = docker container inspect -f '{{.State.Running}}' aca 2>&1
+$IsHatRunning = docker container inspect -f '{{.State.Running}}' hat 2>&1
+
+if ($IsHatRunning -eq $TRUE) {
+ Write-Host "HAT container is already running"
+}
+
+if ($IsAcaRunning -eq $TRUE) {
+ Write-Host "ACA container is already running"
+}
+
+if ( ($IsHatRunning -eq $TRUE) -and ($IsAcaRunning -eq $TRUE) ) {
+ Write-Host "ACA and Hat container are already started, exiting"
+ Write-Host "You can check container status in the Docker Desktop."
+ Write-Host "Use the following URL in your Browser to view the ACA Portal: https://localhost:8443"
+ Write-Host "Hit any key to exit"
+ $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+ exit
+ } else {
+ Write-Host "Starting ACA and HAT containers..."
+ docker compose -f $Home\hirs\compose-acceptance-test-windows.yml up --detach
+ }
+
+Write-Host "HIRS Acceptance Test Servers Have been started."
+Write-Host "You can check container status in the Docker Desktop."
+Write-Host "Use the following URL in your Browser to view the ACA Portal: https://localhost:8443"
+Write-Host "Hit any key"
+$Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
+exit;
\ No newline at end of file
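Review bot: The `-eq $TRUE` comparisons on `$IsHatRunning` and `$IsAcaRunning` are fragile: `docker container inspect -f '{{.State.Running}}'` prints the string `true`/`false`, which only matches `$TRUE` through PowerShell's case-insensitive string coercion, and when the container does not exist the `2>&1` redirection stores the error record in the variable instead, so what the comparison yields there is not obvious. Comparing against the string with stderr discarded is clearer: `$IsHatRunning = (docker container inspect -f '{{.State.Running}}' hat 2>$null) -eq 'true'` (same for aca), after which the three `if` tests can use the variables directly. The readiness check also looks for a `*docker desktop*` process, while install_hat.ps1 and remove_hat.ps1 test the Docker service; whichever is intended, using one check in all three scripts avoids divergent failure modes. Typo in the header comment: `continers` → `containers`.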