nsacyber · apldev4 · Oct 2, 2018 · Sep 18, 2018
diff --git a/HIRS_ProvisionerTPM2/CMakeLists.txt b/HIRS_ProvisionerTPM2/CMakeLists.txt
@@ -38,6 +38,17 @@ endif()
 configure_file ("${CMAKE_SOURCE_DIR}/include/Version.h.in"
         "${CMAKE_SOURCE_DIR}/include/Version.h")
 
+# Attempt to Determine Build Environment
+if (UNIX AND NOT APPLE)
+    file(READ /etc/os-release OS_INFO)
+    string(REGEX MATCH "NAME=\"[A-Za-z ]+\"" DISTRIBUTION_NAME ${OS_INFO})
+    string(REGEX MATCH "VERSION_ID=\"[0-9. ]+\"" DISTRIBUTION_VERSION ${OS_INFO})
+    string(REPLACE "NAME=" "" DISTRIBUTION ${DISTRIBUTION_NAME})
+    string(REPLACE "VERSION_ID=" "" DISTRIBUTION_VERSION ${DISTRIBUTION_VERSION})
+    string(REPLACE "\"" "" DISTRIBUTION ${DISTRIBUTION})
+    string(REPLACE "\"" "" DISTRIBUTION_VERSION ${DISTRIBUTION_VERSION})
+endif()
+
 # Set C++ Standard 11 based on version information
 if (${CMAKE_MAJOR_VERSION}.${CMAKE_MINOR_VERSION} GREATER 3.0)
     set(CMAKE_CXX_STANDARD 11)
@@ -219,28 +230,43 @@ if(STATIC_ANALYSIS)
 endif(STATIC_ANALYSIS)
 
 # Set variables for CPack Package generation tool
-set(CPACK_GENERATOR "RPM")
 set(CPACK_PACKAGE_NAME HIRS_Provisioner_TPM_2_0)
 set(CPACK_PACKAGE_VENDOR "U.S. Government")
+set(CPACK_PACKAGE_CONTACT "U.S. Government")
 set(CPACK_PACKAGE_VERSION_MAJOR ${MAJOR_VERSION})
 set(CPACK_PACKAGE_VERSION_MINOR ${MINOR_VERSION})
 set(CPACK_PACKAGE_VERSION_PATCH ${PATCH_VERSION})
 set(CPACK_PACKAGE_RELEASE ${PACKAGE_RELEASE_NUMBER})
 set(CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}")
 set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX})
 
-# Set variables specific to CPack RPM package generator
-set(CPACK_RPM_PACKAGE_NAME "HIRS_Provisioner_TPM_2_0")
-set(CPACK_RPM_PACKAGE_RELEASE_DIST "el7")
-set(CPACK_RPM_PACKAGE_LICENSE "None")
-set(CPACK_RPM_PACKAGE_GROUP "System Environment/Base")
-set(CPACK_RPM_PACKAGE_REQUIRES "log4cplus >= 1.1.2, tpm2-tss >= 1.0, tpm2-tools >= 1.1.0, protobuf >= 2.4.1, re2 >= 20160401, lshw")
-set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/rpm-post-install.sh)
-set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/local /usr/local/bin /usr/local/include /usr/local/lib)
-
-# set package filenames
-set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}.${CPACK_RPM_PACKAGE_RELEASE_DIST}.${CMAKE_SYSTEM_PROCESSOR}")
-set(CPACK_RPM_FILE_NAME "${CPACK_RPM_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}.${CPACK_RPM_PACKAGE_RELEASE_DIST}.${CMAKE_SYSTEM_PROCESSOR}")
+# Setup Development Distribution CPack
+if (${DISTRIBUTION} STREQUAL "Ubuntu")
+    # Set variables specific to CPack DEB package generator
+    set(CPACK_GENERATOR "DEB")
+    set(CPACK_DEBIAN_PACKAGE_NAME "HIRSProvisionerTPM2.0")
+    set(CPACK_DEBIAN_PACKAGE_SECTION "admin")
+    set(CPACK_DEBIAN_PACKAGE_DEPENDS "liblog4cplus-1.1-9(>=1.1.2), libsapi-utils(>=1.0), tpm2-tools(>=1.1), libprotobuf10(>=2.4.1), libcurlpp0(>=0.8), lshw")
+    if (${DISTRIBUTION_VERSION} STREQUAL "17.10")
+        set(CPACK_DEBIAN_PACKAGE_DEPENDS "${CPACK_DEBIAN_PACKAGE_DEPENDS}, libre2-3(>=20160401)")
+    elseif(${DISTRIBUTION_VERSION} STREQUAL "18.04" OR ${DISTRIBUTION_VERSION} STREQUAL "18.10")
+        set(CPACK_DEBIAN_PACKAGE_DEPENDS "${CPACK_DEBIAN_PACKAGE_DEPENDS}, libre2-4(>=20160401)")
+    endif()
+    set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE amd64)
+    set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA ${CMAKE_SOURCE_DIR}/package/postinst)
+    set(CPACK_PACKAGE_FILE_NAME "${CPACK_DEBIAN_PACKAGE_NAME}_${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}_${CPACK_DEBIAN_PACKAGE_ARCHITECTURE}")
+elseif (${DISTRIBUTION} STREQUAL "CentOS Linux")
+    # Set variables specific to CPack RPM package generator
+    set(CPACK_GENERATOR "RPM")
+    set(CPACK_RPM_PACKAGE_NAME "HIRS_Provisioner_TPM_2_0")
+    set(CPACK_RPM_PACKAGE_RELEASE_DIST "el7")
+    set(CPACK_RPM_PACKAGE_LICENSE "Apache License, Version 2.0")
+    set(CPACK_RPM_PACKAGE_GROUP "System Environment/Base")
+    set(CPACK_RPM_PACKAGE_REQUIRES "log4cplus >= 1.1.2, tpm2-tss >= 1.0, tpm2-tools >= 1.1.0, protobuf >= 2.4.1, re2 >= 20160401, libcurl >= 7.0.0, lshw")
+    set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE ${CMAKE_SOURCE_DIR}/package/rpm-post-install.sh)
+    set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/local /usr/local/bin /usr/local/include /usr/local/lib)
+    set(CPACK_PACKAGE_FILE_NAME "${CPACK_RPM_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CPACK_PACKAGE_RELEASE}.${CPACK_RPM_PACKAGE_RELEASE_DIST}.${CMAKE_SYSTEM_PROCESSOR}")
+endif()
 
 # Set command to allow for running of CPack tool in build directory
 include(CPack)

diff --git a/HIRS_ProvisionerTPM2/include/Utils.h b/HIRS_ProvisionerTPM2/include/Utils.h
@@ -56,6 +56,15 @@ namespace string_utils {
      */
     std::string binaryToHex(const std::string& bin);
 
+    /**
+     * Checks if a string contains another string.
+     *
+     * @param str containing string
+     * @param substring string to search for
+     * @return true, if the string is found / false, otherwise
+     */
+    bool contains(const std::string& str, const std::string& substring);
+
     /**
      * Converts an unsigned long (uint32) value to a hex string.
      *
@@ -98,6 +107,23 @@ namespace string_utils {
      */
     std::string trimNewLines(std::string str);
 
+    /**
+     * Removes any double-quote characters in the input string and returns the
+     * pruned, input string.
+     * @param str string to remove double-quotes characters from.
+     * @return str with double-quote characters removed.
+     */
+    std::string trimQuotes(std::string str);
+
+    /**
+     * Removes any occurrences of the target character in the input string and
+     * returns the pruned, input string.
+     * @param str string to characters from.
+     * @param targetChar char to prune from the string
+     * @return str with the characters removed.
+     */
+    std::string trimChar(std::string str, char targetChar);
+
     std::string trimWhitespaceFromLeft(std::string str);
 
     std::string trimWhitespaceFromRight(std::string str);
@@ -112,6 +138,7 @@ namespace tpm2_tools_utils {
  */
 enum class Tpm2ToolsVersion {
     VERSION_1_1_0,
+    VERSION_2_1_0,
     VERSION_3_0_1
 };
 
@@ -122,6 +149,10 @@ enum class Tpm2ToolsVersion {
 class Tpm2ToolsVersionChecker {
  private:
     static const std::unordered_map<std::string, Tpm2ToolsVersion> kVersionMap;
+    static const std::unordered_map<std::string,
+                                    Tpm2ToolsVersion> kMaxSupportedVersionMap;
+
+    static std::string getDistribution();
 
  public:
     /**

diff --git a/HIRS_ProvisionerTPM2/package/package.tpm2.centos7.sh b/HIRS_ProvisionerTPM2/package/package.tpm2.centos7.sh
@@ -12,8 +12,8 @@ fi
 cd $( dirname "${BASH_SOURCE[0]}" )
 
 # Ensure clean build environment
-rm -rf BUILD RPMS
-mkdir BUILD RPMS
+rm -rf BUILD
+mkdir BUILD
 
 # Navigate to build directory
 cd BUILD

diff --git a/HIRS_ProvisionerTPM2/package/package.tpm2.ubuntu.sh b/HIRS_ProvisionerTPM2/package/package.tpm2.ubuntu.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+
+# Check packager OS is Ubuntu
+OS_NAME=$(awk -F= '/^NAME/{print $2}' /etc/os-release)
+if [ "$OS_NAME" != "\"Ubuntu\"" ]; then
+    echo "Error: DEBs must be built with Ubuntu"
+    exit 1
+fi
+
+# Find package directory
+cd $( dirname "${BASH_SOURCE[0]}" )
+
+# Ensure clean build environment
+rm -rf BUILD
+mkdir BUILD
+
+# Navigate to build directory
+cd BUILD
+
+# Build HIRS_ProvisionerTPM2 DEB
+cmake ../..
+
+# If the current directory is empty, there may be an existing CmakeCache.txt
+# file that prevents cmake from building in the current directory
+if ! [ "$(ls -A)" ]; then
+    echo "CMake failed to generate files in the target directory. Is there "
+    echo "an existing CMakeCache.txt file in the CMake source directory? "
+    echo "If so, delete it."
+    exit 1
+fi
+make
+cpack
+
+# Move HIRS_ProvisionerTPM2 DEB
+rm -f ../../../package/deb/DEBS/HIRSProvisionerTPM2.0*.deb
+if [ ! -d "../../../package/deb/DEBS" ]; then
+    mkdir -p ../../../package/deb/DEBS
+fi
+mv *.deb ../../../package/deb/DEBS
diff --git a/HIRS_ProvisionerTPM2/package/postinst b/HIRS_ProvisionerTPM2/package/postinst
@@ -0,0 +1,31 @@
+HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config"
+
+mkdir -p /var/log/hirs/provisioner
+ln -s -f /usr/local/bin/hirs-provisioner-tpm2 /usr/sbin/hirs-provisioner-tpm2
+ln -s -f /usr/local/bin/tpm_aca_provision /usr/sbin/tpm_aca_provision
+
+if [ ! -f $HIRS_SITE_CONFIG ]; then
+    # Create template site config if it does not exist
+    cat <<DEFAULT_SITE_CONFIG_FILE > $HIRS_SITE_CONFIG
+#*******************************************
+#* HIRS site configuration properties file
+#*******************************************
+
+# Client configuration
+CLIENT_HOSTNAME=$(hostname -f)
+TPM_ENABLED=
+IMA_ENABLED=
+
+# Site-specific configuration
+ATTESTATION_CA_FQDN=
+ATTESTATION_CA_PORT=8443
+BROKER_FQDN=
+BROKER_PORT=61616
+PORTAL_FQDN=
+PORTAL_PORT=8443
+
+DEFAULT_SITE_CONFIG_FILE
+
+    echo "$HIRS_SITE_CONFIG not found - a template has been created"
+    echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner-tpm2 provision' to provision this system"
+fi
diff --git a/HIRS_ProvisionerTPM2/src/CommandTpm2.cpp b/HIRS_ProvisionerTPM2/src/CommandTpm2.cpp
@@ -23,6 +23,7 @@ using hirs::log::Logger;
 using hirs::pb::IdentityClaim;
 using hirs::tpm2::CommandTpm2;
 using hirs::string_utils::binaryToHex;
+using hirs::string_utils::contains;
 using hirs::string_utils::longToHex;
 using hirs::string_utils::hexToLong;
 using hirs::tpm2_tools_utils::Tpm2ToolsVersion;
@@ -133,20 +134,19 @@ void CommandTpm2::setAuthData() {
     stringstream argsStream;
 
     switch (version) {
-        case Tpm2ToolsVersion::VERSION_1_1_0: {
+        case Tpm2ToolsVersion::VERSION_1_1_0:
+        case Tpm2ToolsVersion::VERSION_2_1_0:
             argsStream << " -X -o " << kWellKnownSecret
                        << " -e " << kWellKnownSecret
                        << " -l " << kWellKnownSecret
                        << endl;
             break;
-        }
-        case Tpm2ToolsVersion::VERSION_3_0_1: {
+        case Tpm2ToolsVersion::VERSION_3_0_1:
             argsStream << " -o hex:" << kWellKnownSecret
                        << " -e hex:" << kWellKnownSecret
                        << " -l hex:" << kWellKnownSecret
                        << endl;
             break;
-        }
     }
 
     LOGGER.info("Attempting to set auth data.");
@@ -165,16 +165,14 @@ string CommandTpm2::getEndorsementCredentialDefault(
     LOGGER.info("Attempting to retrieve endorsement credential");
     string endorsementCredential;
     switch (keyType) {
-        case AsymmetricKeyType::RSA: {
+        case AsymmetricKeyType::RSA:
             endorsementCredential = getStoredCredential(
                     kDefaultRsaEkCredentialHandle);
             break;
-        }
-        case AsymmetricKeyType::ECC: {
+        case AsymmetricKeyType::ECC:
             endorsementCredential = getStoredCredential(
                     kDefaultEccEkCredentialHandle);
             break;
-        }
     }
     if (endorsementCredential == "") {
         LOGGER.info("Unable to retrieve endorsement credential");
@@ -265,14 +263,12 @@ void CommandTpm2::createEndorsementKey(const AsymmetricKeyType& keyType) {
     LOGGER.info("Attempting to create EK at: " + string(kDefaultEkHandle));
     stringstream argsStream;
     switch (keyType) {
-        case AsymmetricKeyType::RSA: {
+        case AsymmetricKeyType::RSA:
             argsStream << " -g " << kRsaAlgorithmId;
             break;
-        }
-        case AsymmetricKeyType::ECC: {
+        case AsymmetricKeyType::ECC:
             argsStream << " -g " << kEccAlgorithmId;
             break;
-        }
     }
     argsStream << " -H " << kDefaultEkHandle
                << " -f " << kDefaultEkPubFilename
@@ -497,8 +493,11 @@ string CommandTpm2::createNvWriteCommandArgs(const string& nvIndex,
                           << " -a " << kDefaultOwnerAuthHandle
                           << " ";
 
-    if (version == Tpm2ToolsVersion::VERSION_1_1_0) {
-        argumentsStringStream << "-f ";
+    switch (version) {
+        case Tpm2ToolsVersion::VERSION_1_1_0:
+        case Tpm2ToolsVersion::VERSION_2_1_0:
+            argumentsStringStream << "-f ";
+            break;
     }
 
     argumentsStringStream << writeFile
@@ -525,7 +524,17 @@ void CommandTpm2::getQuote(const string& akLocation,
  * @return the size of the data at nvIndex, or 0 if it's not found
  */
 uint16_t CommandTpm2::getNvIndexDataSize(const string& nvIndex) {
-    string listOutput = runTpm2CommandWithRetry(kTpm2ToolsNvListCommand, "");
+    string listOutput;
+    try {
+        listOutput = runTpm2CommandWithRetry(kTpm2ToolsNvListCommand, "");
+    } catch (HirsRuntimeException& ex) {
+        // Due to bug in tpm2-tools 2.1.0, check to see if error was success
+        if (contains(ex.what(), "NV indexes defined.")) {
+            listOutput = ex.what();
+        } else {
+            throw;
+        }
+    }
     return Tpm2ToolsOutputParser::parseNvDataSize(nvIndex, listOutput);
 }
 
@@ -564,15 +573,14 @@ string CommandTpm2::readNvIndex(const string& nvIndex,
                 kTpm2ToolsNvReadCommand, nvReadArguments);
 
         switch (version) {
-            case Tpm2ToolsVersion::VERSION_1_1_0: {
+            case Tpm2ToolsVersion::VERSION_1_1_0:
+            case Tpm2ToolsVersion::VERSION_2_1_0:
                 nvReadOutput << Tpm2ToolsOutputParser::parseNvReadOutput(
                         rawNvReadOutput);
                 break;
-            }
-            case Tpm2ToolsVersion::VERSION_3_0_1: {
+            case Tpm2ToolsVersion::VERSION_3_0_1:
                 nvReadOutput << rawNvReadOutput;
                 break;
-            }
         }
 
         if (i != nvReadIterations) {
@@ -608,6 +616,7 @@ void CommandTpm2::releaseNvIndex(const string& nvIndex) {
     stringstream argsStream;
     switch (version) {
         case Tpm2ToolsVersion::VERSION_1_1_0:
+        case Tpm2ToolsVersion::VERSION_2_1_0:
             argsStream << " -X -P " << kWellKnownSecret;
             break;
         case Tpm2ToolsVersion::VERSION_3_0_1:
@@ -718,13 +727,16 @@ string CommandTpm2::getPublicArea(const std::string& filename) {
                                    "CommandTpm2::getPublicArea");
     }
 
-    // TPM2 Tools version 1.1.0 affixes 2 bytes of zeroes to files
+    // TPM2 Tools versions 1.1.0 and 2.1.0 affix 2 bytes of zeroes to files
     // containing a public area, but the ACA does not know which version of
     // TPM2 Tools is running on the client machine. So we remove the extra
     // bytes here.
-    if (version == Tpm2ToolsVersion::VERSION_1_1_0) {
-        binaryEncodedPublicArea.erase(binaryEncodedPublicArea.end() - 2,
-                                      binaryEncodedPublicArea.end());
+    switch (version) {
+        case Tpm2ToolsVersion::VERSION_1_1_0:
+        case Tpm2ToolsVersion::VERSION_2_1_0:
+            binaryEncodedPublicArea.erase(binaryEncodedPublicArea.end() - 2,
+                                          binaryEncodedPublicArea.end());
+            break;
     }
 
     LOGGER.debug("Successfully read public data");

diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
@@ -143,7 +143,7 @@ int main(int argc, char** argv) {
             if (provision()) {
                 cout << "----> Provisioning successful" << endl;
             }
-        } catch (HirsRuntimeException & hirsRuntimeException) {
+        } catch (HirsRuntimeException& hirsRuntimeException) {
             mainLogger.error(hirsRuntimeException.what());
             cout << "----> Fatal error during provisioning. See "
                  << "/var/log/hirs/provisioner/HIRS_ProvisionerTPM2.log for "