
cima/server: support the environment without ima enabled
Signed-off-by: Xiaocheng Dong <[email protected]>
dongx1x committed Aug 27, 2024
1 parent 4316709 commit df05311
Showing 4 changed files with 89 additions and 72 deletions.
2 changes: 1 addition & 1 deletion sdk/python3/cima/cima_server_pb2.py


12 changes: 3 additions & 9 deletions service/cima-server/deny.toml
@@ -1,22 +1,16 @@
[advisories]
vulnerability = "deny"
unmaintained = "warn"
yanked = "warn"
notice = "warn"
# https://github.com/EmbarkStudios/cargo-deny/pull/611
version = 2

[licenses]
unlicensed = "warn"
version = 2
allow = [
"MIT",
"Apache-2.0",
"ISC",
"BSD-3-Clause",
"Unicode-DFS-2016",
]

copyleft = "warn"
allow-osi-fsf-free = "neither"
default = "deny"
confidence-threshold = 0.8

[[licenses.clarify]]
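Review bot: The switch to `version = 2` drops the explicit `vulnerability`, `unmaintained`, `yanked`, `notice`, `unlicensed`, `copyleft`, `allow-osi-fsf-free` and `default` settings without recording what replaces them; as I read the cargo-deny v2 schema, vulnerabilities become hard errors, any license not listed in `allow` is rejected, and `yanked` falls back to the tool's default, so the effective supply-chain policy is stricter than the old `warn` levels suggest. A one-line comment beside each `version = 2` would make that visible to the next reader, e.g. `# v2: advisories are errors, unmaintained/notice are warnings; yanked uses the cargo-deny default` under `[advisories]` and `# v2: any license not listed in allow is denied` under `[licenses]`. Please confirm the `yanked` default against the cargo-deny version used in CI, since the previous `yanked = "warn"` line is gone.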
145 changes: 84 additions & 61 deletions service/cima-server/src/agent.rs
@@ -1,9 +1,10 @@
use anyhow::{anyhow, Error};
use evidence_api::{api::EvidenceApi, api_data::ExtraArgs, tcg};
use cctrusted_vm::sdk::API;
use evidence_api::{api::EvidenceApi, api_data::ExtraArgs, tcg};
use log::info;
use std::cmp::Ordering;
use std::collections::HashMap;
use std::fs::read_to_string;

use crate::{
cima_pb::{TcgDigest, TcgEventlog},
Expand All @@ -12,6 +13,8 @@ use crate::{
policy::PolicyConfig,
};

pub const IMA_PATTERN: &str = "ima_template=ima-cgpath";

pub enum IMR {
FIRMWARE = 0,
KERNEL = 1,
Expand All @@ -23,6 +26,7 @@ pub struct Agent {
measurement: Option<Measurement>,
containers: HashMap<String, Container>,
event_logs: Vec<TcgEventlog>,
ima_enabled: bool,
}

impl Default for Agent {
Expand All @@ -37,20 +41,27 @@ impl Agent {
measurement: None,
containers: HashMap::new(),
event_logs: vec![],
ima_enabled: false,
}
}

pub fn init(&mut self, policy: PolicyConfig) -> Result<(), Error> {
// Measure the system when Agent initialization
self.measurement = Some(Measurement::new(policy));
match self
.measurement
.as_mut()
.expect("The measurement was not initialized.")
.measure()
{
Ok(_) => info!("The system has been measured as the policy defined."),
Err(e) => return Err(e),
let cmdline = read_to_string("/proc/cmdline").expect("Failed to read /proc/cmdline.");
if !cmdline.contains(IMA_PATTERN) {
self.ima_enabled = false;
} else {
self.ima_enabled = true;
// Measure the system when Agent initialization
self.measurement = Some(Measurement::new(policy));
match self
.measurement
.as_mut()
.expect("The measurement was not initialized.")
.measure()
{
Ok(_) => info!("The system has been measured as the policy defined."),
Err(e) => return Err(e),
}
}

self.fetch_all_event_logs()
Expand Down Expand Up @@ -198,26 +209,30 @@ impl Agent {
let _ = self.fetch_all_event_logs();
let mut event_logs = vec![];

let measurement = match self.measurement.as_mut() {
Some(v) => v,
None => return Err(anyhow!("The measurement was not initialized.")),
};
if self.ima_enabled {
let measurement = match self.measurement.as_mut() {
Some(v) => v,
None => return Err(anyhow!("The measurement was not initialized.")),
};

if measurement.container_isolated() {
if !self.containers.contains_key(&container_id) {
return Err(anyhow!("Container cannot be found."));
}
if measurement.container_isolated() {
if !self.containers.contains_key(&container_id) {
return Err(anyhow!("Container cannot be found."));
}

for event_log in &self.event_logs {
if event_log.imr_index == IMR::FIRMWARE as u32
|| event_log.imr_index == IMR::KERNEL as u32
{
event_logs.push(event_log.clone());
for event_log in &self.event_logs {
if event_log.imr_index == IMR::FIRMWARE as u32
|| event_log.imr_index == IMR::KERNEL as u32
{
event_logs.push(event_log.clone());
}
}
}

let container = &self.containers[&container_id];
event_logs.extend(container.event_logs().clone());
let container = &self.containers[&container_id];
event_logs.extend(container.event_logs().clone());
} else {
event_logs.extend(self.event_logs.to_vec());
}
} else {
event_logs.extend(self.event_logs.to_vec());
}
Expand Down Expand Up @@ -262,23 +277,27 @@ impl Agent {
) -> Result<(Vec<u8>, i32), Error> {
let _ = self.fetch_all_event_logs();

let measurement = match self.measurement.as_mut() {
Some(v) => v,
None => return Err(anyhow!("The measurement was not initialized.")),
};
let new_nonce = if self.ima_enabled {
let measurement = match self.measurement.as_mut() {
Some(v) => v,
None => return Err(anyhow!("The measurement was not initialized.")),
};

let new_nonce = if measurement.container_isolated() {
if !self.containers.contains_key(&container_id) {
return Err(anyhow!("Container cannot be found."));
}
if measurement.container_isolated() {
if !self.containers.contains_key(&container_id) {
return Err(anyhow!("Container cannot be found."));
}

let container = &self.containers[&container_id];
match nonce {
Some(v) => match base64::decode(v) {
Ok(v) => Some(base64::encode([container.imr().hash.to_vec(), v].concat())),
Err(e) => return Err(anyhow!("nonce is not base64 encoded: {:?}", e)),
},
None => None,
let container = &self.containers[&container_id];
match nonce {
Some(v) => match base64::decode(v) {
Ok(v) => Some(base64::encode([container.imr().hash.to_vec(), v].concat())),
Err(e) => return Err(anyhow!("nonce is not base64 encoded: {:?}", e)),
},
None => None,
}
} else {
nonce.clone()
}
} else {
nonce.clone()
Expand All @@ -300,28 +319,32 @@ impl Agent {
) -> Result<TcgDigest, Error> {
let _ = self.fetch_all_event_logs();

let measurement = match self.measurement.as_mut() {
Some(v) => v,
None => return Err(anyhow!("The measurement was not initialized.")),
};
if self.ima_enabled {
let measurement = match self.measurement.as_mut() {
Some(v) => v,
None => return Err(anyhow!("The measurement was not initialized.")),
};

if measurement.container_isolated() {
if !self.containers.contains_key(&container_id) {
return Err(anyhow!("Container cannot be found."));
}
if measurement.container_isolated() {
if !self.containers.contains_key(&container_id) {
return Err(anyhow!("Container cannot be found."));
}

if index == IMR::SYSTEM as u32 {
return Err(anyhow!("Cannot access IMR according to the policy."));
}
if index == IMR::SYSTEM as u32 {
return Err(anyhow!("Cannot access IMR according to the policy."));
}

if index == IMR::CONTAINER as u32 {
let container = match self.containers.get_mut(&container_id) {
Some(v) => v,
None => {
return Err(anyhow!("The container is on the list but fails to get it."))
}
};
return Ok(container.imr().clone());
if index == IMR::CONTAINER as u32 {
let container = match self.containers.get_mut(&container_id) {
Some(v) => v,
None => {
return Err(anyhow!(
"The container is on the list but fails to get it."
))
}
};
return Ok(container.imr().clone());
}
}
}

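Review bot: `init` (hunk `@@ -37,20 +41,27 @@`) reads the kernel command line with `read_to_string("/proc/cmdline").expect(...)`, which panics inside a function that already returns `Result<(), Error>`; propagate it instead: `let cmdline = read_to_string("/proc/cmdline").map_err(|e| anyhow!("Failed to read /proc/cmdline: {:?}", e))?;`. The surrounding branch can also be flattened to `self.ima_enabled = cmdline.contains(IMA_PATTERN); if self.ima_enabled { ... }`, since the field already defaults to `false` in `new`. The larger point spans the three later hunks (`-198`, `-262`, `-300`): when `ima_enabled` is false, `Measurement` is never constructed, so the `PolicyConfig` passed to `init` is silently ignored and every caller receives the full system event log, a nonce without the container IMR prefix, and (presumably, the function continues below the hunk) any IMR index including `IMR::SYSTEM`, which the isolated path explicitly forbids — if that degradation is intended, state it in a doc comment on the `ima_enabled` field and log it at init, e.g. `info!("IMA not detected on the kernel command line; container isolation policy is not enforced.")`. Detecting IMA by a substring match on `/proc/cmdline` is only an approximation of whether IMA measurement is actually active, and a comment on `IMA_PATTERN` should say so. The functions in those hunks begin and end outside the shown lines.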
2 changes: 1 addition & 1 deletion service/cima-server/src/main.rs
Expand Up @@ -80,10 +80,10 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
mod cima_server_test {
use super::*;
use crate::agent::IMR;
use evidence_api::{cc_type::TeeType, tcg};
use cima_pb::{
cima_client::CimaClient, GetCcEventlogRequest, GetCcMeasurementRequest, GetCcReportRequest,
};
use evidence_api::{cc_type::TeeType, tcg};
use policy::PolicyConfig;
use rand::Rng;
use serial_test::serial;
