diff --git a/sdk/python3/cima/cima_server_pb2.py b/sdk/python3/cima/cima_server_pb2.py
index 59c6241..866c996 100644
--- a/sdk/python3/cima/cima_server_pb2.py
+++ b/sdk/python3/cima/cima_server_pb2.py
@@ -13,7 +13,7 @@ -DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x16\x63\x63np/cima-server.proto\x12\x0e\x63\x63np_server_pb\"%\n\x12HealthCheckRequest\x12\x0f\n\x07service\x18\x01 \x01(\t\"\xa9\x01\n\x13HealthCheckResponse\x12\x41\n\x06status\x18\x01 \x01(\x0e\x32\x31.cima_server_pb.HealthCheckResponse.ServingStatus\"O\n\rServingStatus\x12\x0b\n\x07UNKNOWN\x10\x00\x12\x0b\n\x07SERVING\x10\x01\x12\x0f\n\x0bNOT_SERVING\x10\x02\x12\x13\n\x0fSERVICE_UNKNOWN\x10\x03\"\x1c\n\x1aGetDefaultAlgorithmRequest\".\n\x1bGetDefaultAlgorithmResponse\x12\x0f\n\x07\x61lgo_id\x18\x01 \x01(\r\"\x1c\n\x1aGetMeasurementCountRequest\",\n\x1bGetMeasurementCountResponse\x12\r\n\x05\x63ount\x18\x01 \x01(\r\"n\n\x12GetCcReportRequest\x12\x14\n\x0c\x63ontainer_id\x18\x01 \x01(\t\x12\x16\n\tuser_data\x18\x02 \x01(\tH\x00\x88\x01\x01\x12\x12\n\x05nonce\x18\x03 \x01(\tH\x01\x88\x01\x01\x42\x0c\n\n_user_dataB\x08\n\x06_nonce\"9\n\x13GetCcReportResponse\x12\x0f\n\x07\x63\x63_type\x18\x01 \x01(\x05\x12\x11\n\tcc_report\x18\x02 \x01(\x0c\"O\n\x17GetCcMeasurementRequest\x12\x14\n\x0c\x63ontainer_id\x18\x01 \x01(\t\x12\r\n\x05index\x18\x02 \x01(\r\x12\x0f\n\x07\x61lgo_id\x18\x03 \x01(\r\"J\n\x18GetCcMeasurementResponse\x12.\n\x0bmeasurement\x18\x01 \x01(\x0b\x32\x19.cima_server_pb.TcgDigest\"h\n\x14GetCcEventlogRequest\x12\x14\n\x0c\x63ontainer_id\x18\x01 \x01(\t\x12\x12\n\x05start\x18\x02 \x01(\rH\x00\x88\x01\x01\x12\x12\n\x05\x63ount\x18\x03 \x01(\rH\x01\x88\x01\x01\x42\x08\n\x06_startB\x08\n\x06_count\"*\n\tTcgDigest\x12\x0f\n\x07\x61lgo_id\x18\x01 \x01(\r\x12\x0c\n\x04hash\x18\x02 \x01(\x0c\"\x86\x02\n\x0bTcgEventlog\x12\x0f\n\x07rec_num\x18\x01 \x01(\r\x12\x11\n\timr_index\x18\x02 \x01(\r\x12\x12\n\nevent_type\x18\x03 \x01(\r\x12*\n\x07\x64igests\x18\x04 \x03(\x0b\x32\x19.cima_server_pb.TcgDigest\x12\x12\n\nevent_size\x18\x05 \x01(\r\x12\r\n\x05\x65vent\x18\x06 \x01(\x0c\x12>\n\nextra_info\x18\x07 
\x03(\x0b\x32*.cima_server_pb.TcgEventlog.ExtraInfoEntry\x1a\x30\n\x0e\x45xtraInfoEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"H\n\x15GetCcEventlogResponse\x12/\n\nevent_logs\x18\x01 \x03(\x0b\x32\x1b.cima_server_pb.TcgEventlog2\x87\x04\n\x04\x63\x63np\x12n\n\x13GetDefaultAlgorithm\x12*.cima_server_pb.GetDefaultAlgorithmRequest\x1a+.cima_server_pb.GetDefaultAlgorithmResponse\x12n\n\x13GetMeasurementCount\x12*.cima_server_pb.GetMeasurementCountRequest\x1a+.cima_server_pb.GetMeasurementCountResponse\x12V\n\x0bGetCcReport\x12\".cima_server_pb.GetCcReportRequest\x1a#.cima_server_pb.GetCcReportResponse\x12g\n\x10GetCcMeasurement\x12\'.cima_server_pb.GetCcMeasurementRequest\x1a(.cima_server_pb.GetCcMeasurementResponse\"\x00\x12^\n\rGetCcEventlog\x12$.cima_server_pb.GetCcEventlogRequest\x1a%.cima_server_pb.GetCcEventlogResponse\"\x00\x62\x06proto3') +DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x16\x63ima/cima-server.proto\x12\x0e\x63ima_server_pb\"%\n\x12HealthCheckRequest\x12\x0f\n\x07service\x18\x01 \x01(\t\"\xa9\x01\n\x13HealthCheckResponse\x12\x41\n\x06status\x18\x01 \x01(\x0e\x32\x31.cima_server_pb.HealthCheckResponse.ServingStatus\"O\n\rServingStatus\x12\x0b\n\x07UNKNOWN\x10\x00\x12\x0b\n\x07SERVING\x10\x01\x12\x0f\n\x0bNOT_SERVING\x10\x02\x12\x13\n\x0fSERVICE_UNKNOWN\x10\x03\"\x1c\n\x1aGetDefaultAlgorithmRequest\".\n\x1bGetDefaultAlgorithmResponse\x12\x0f\n\x07\x61lgo_id\x18\x01 \x01(\r\"\x1c\n\x1aGetMeasurementCountRequest\",\n\x1bGetMeasurementCountResponse\x12\r\n\x05\x63ount\x18\x01 \x01(\r\"n\n\x12GetCcReportRequest\x12\x14\n\x0c\x63ontainer_id\x18\x01 \x01(\t\x12\x16\n\tuser_data\x18\x02 \x01(\tH\x00\x88\x01\x01\x12\x12\n\x05nonce\x18\x03 \x01(\tH\x01\x88\x01\x01\x42\x0c\n\n_user_dataB\x08\n\x06_nonce\"9\n\x13GetCcReportResponse\x12\x0f\n\x07\x63\x63_type\x18\x01 \x01(\x05\x12\x11\n\tcc_report\x18\x02 \x01(\x0c\"O\n\x17GetCcMeasurementRequest\x12\x14\n\x0c\x63ontainer_id\x18\x01 
\x01(\t\x12\r\n\x05index\x18\x02 \x01(\r\x12\x0f\n\x07\x61lgo_id\x18\x03 \x01(\r\"J\n\x18GetCcMeasurementResponse\x12.\n\x0bmeasurement\x18\x01 \x01(\x0b\x32\x19.cima_server_pb.TcgDigest\"h\n\x14GetCcEventlogRequest\x12\x14\n\x0c\x63ontainer_id\x18\x01 \x01(\t\x12\x12\n\x05start\x18\x02 \x01(\rH\x00\x88\x01\x01\x12\x12\n\x05\x63ount\x18\x03 \x01(\rH\x01\x88\x01\x01\x42\x08\n\x06_startB\x08\n\x06_count\"*\n\tTcgDigest\x12\x0f\n\x07\x61lgo_id\x18\x01 \x01(\r\x12\x0c\n\x04hash\x18\x02 \x01(\x0c\"\x86\x02\n\x0bTcgEventlog\x12\x0f\n\x07rec_num\x18\x01 \x01(\r\x12\x11\n\timr_index\x18\x02 \x01(\r\x12\x12\n\nevent_type\x18\x03 \x01(\r\x12*\n\x07\x64igests\x18\x04 \x03(\x0b\x32\x19.cima_server_pb.TcgDigest\x12\x12\n\nevent_size\x18\x05 \x01(\r\x12\r\n\x05\x65vent\x18\x06 \x01(\x0c\x12>\n\nextra_info\x18\x07 \x03(\x0b\x32*.cima_server_pb.TcgEventlog.ExtraInfoEntry\x1a\x30\n\x0e\x45xtraInfoEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"H\n\x15GetCcEventlogResponse\x12/\n\nevent_logs\x18\x01 \x03(\x0b\x32\x1b.cima_server_pb.TcgEventlog2\x87\x04\n\x04\x63ima\x12n\n\x13GetDefaultAlgorithm\x12*.cima_server_pb.GetDefaultAlgorithmRequest\x1a+.cima_server_pb.GetDefaultAlgorithmResponse\x12n\n\x13GetMeasurementCount\x12*.cima_server_pb.GetMeasurementCountRequest\x1a+.cima_server_pb.GetMeasurementCountResponse\x12V\n\x0bGetCcReport\x12\".cima_server_pb.GetCcReportRequest\x1a#.cima_server_pb.GetCcReportResponse\x12g\n\x10GetCcMeasurement\x12\'.cima_server_pb.GetCcMeasurementRequest\x1a(.cima_server_pb.GetCcMeasurementResponse\"\x00\x12^\n\rGetCcEventlog\x12$.cima_server_pb.GetCcEventlogRequest\x1a%.cima_server_pb.GetCcEventlogResponse\"\x00\x62\x06proto3') _globals = globals() _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals) diff --git a/service/cima-server/deny.toml b/service/cima-server/deny.toml index 9f16b9a..94fe0be 100644 --- a/service/cima-server/deny.toml +++ b/service/cima-server/deny.toml 
@@ -1,11 +1,9 @@
 [advisories]
-vulnerability = "deny"
-unmaintained = "warn"
-yanked = "warn"
-notice = "warn"
+# https://github.com/EmbarkStudios/cargo-deny/pull/611
+version = 2
 [licenses]
-unlicensed = "warn"
+version = 2
 allow = [
 "MIT",
 "Apache-2.0",
@@ -13,10 +11,6 @@ allow = [
 "BSD-3-Clause",
 "Unicode-DFS-2016",
 ]
-
-copyleft = "warn"
-allow-osi-fsf-free = "neither"
-default = "deny"
 confidence-threshold = 0.8
 [[licenses.clarify]]
diff --git a/service/cima-server/src/agent.rs b/service/cima-server/src/agent.rs
index 571d792..174b8cd 100644
--- a/service/cima-server/src/agent.rs
+++ b/service/cima-server/src/agent.rs
@@ -1,9 +1,10 @@
 use anyhow::{anyhow, Error};
-use evidence_api::{api::EvidenceApi, api_data::ExtraArgs, tcg};
 use cctrusted_vm::sdk::API;
+use evidence_api::{api::EvidenceApi, api_data::ExtraArgs, tcg};
 use log::info;
 use std::cmp::Ordering;
 use std::collections::HashMap;
+use std::fs::read_to_string;
 use crate::{
 cima_pb::{TcgDigest, TcgEventlog},
@@ -12,6 +13,8 @@ use crate::{
 policy::PolicyConfig,
 };
+pub const IMA_PATTERN: &str = "ima_template=ima-cgpath";
+
 pub enum IMR {
 FIRMWARE = 0,
 KERNEL = 1,
@@ -23,6 +26,7 @@ pub struct Agent {
 measurement: Option,
 containers: HashMap,
 event_logs: Vec,
+ ima_enabled: bool,
 }
 impl Default for Agent {
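Review bot: The new `[advisories]` comment only links to the cargo-deny pull request and does not say what `version = 2` changes for this repository; as I understand that schema, the removed `vulnerability`/`unmaintained`/`yanked`/`notice` levels are no longer configurable and every matching advisory fails the check unless it is listed under `ignore`, which promotes the previous `warn` levels to hard failures. Stating that next to the link, e.g. `# version 2: every advisory (vulnerability, unmaintained, yanked, notice) is an error unless listed in ignore`, makes the stricter gate a visible, intentional decision and tells the next maintainer where exceptions go. The same applies to the `[licenses]` hunk below, where dropping `copyleft` and `default = "deny"` means only the `allow` list is consulted from now on.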
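Review bot: `pub const IMA_PATTERN` is a public constant with no doc comment, and nothing in the file says that its presence on the kernel command line is what switches the agent's system measurement and container-isolation checks on. Suggest `/// Kernel command-line fragment whose presence enables IMA-backed measurement; when it is absent the Agent takes no system measurement and does not apply the container-isolation policy.` above the constant, and a matching `// true only when IMA_PATTERN was found in /proc/cmdline at init` on the new `ima_enabled: bool` field in the struct hunk, so the two are read together. Note that `contains` is a substring test, so any command line that embeds this text, not only an exact `ima_template=` parameter, enables the IMA path; if that is intended, say so in the doc comment.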
@@ -37,20 +41,27 @@ impl Agent {
 measurement: None,
 containers: HashMap::new(),
 event_logs: vec![],
+ ima_enabled: false,
 }
 }
 pub fn init(&mut self, policy: PolicyConfig) -> Result<(), Error> {
- // Measure the system when Agent initialization
- self.measurement = Some(Measurement::new(policy));
- match self
- .measurement
- .as_mut()
- .expect("The measurement was not initialized.")
- .measure()
- {
- Ok(_) => info!("The system has been measured as the policy defined."),
- Err(e) => return Err(e),
+ let cmdline = read_to_string("/proc/cmdline").expect("Failed to read /proc/cmdline.");
+ if !cmdline.contains(IMA_PATTERN) {
+ self.ima_enabled = false;
+ } else {
+ self.ima_enabled = true;
+ // Measure the system when Agent initialization
+ self.measurement = Some(Measurement::new(policy));
+ match self
+ .measurement
+ .as_mut()
+ .expect("The measurement was not initialized.")
+ .measure()
+ {
+ Ok(_) => info!("The system has been measured as the policy defined."),
+ Err(e) => return Err(e),
+ }
 }
 self.fetch_all_event_logs()
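Review bot: `read_to_string("/proc/cmdline").expect("Failed to read /proc/cmdline.")` panics inside a function that already returns `Result<(), Error>`, so an unreadable command line takes the whole server down instead of surfacing an error the caller can log; `let cmdline = read_to_string("/proc/cmdline").map_err(|e| anyhow!("Failed to read /proc/cmdline: {e}"))?;` keeps the same message and the `Result` contract. The branch also reads more simply as `self.ima_enabled = cmdline.contains(IMA_PATTERN);` followed by `if self.ima_enabled { … }`, which drops the redundant `self.ima_enabled = false` assignment (the field is already `false` in the `Default` impl above). The disabled path is silent: when the pattern is absent no system measurement is taken and the container-isolation checks in the later hunks are skipped, so an operator has no log line explaining why attestation data is not per-container; suggest `info!("IMA not enabled on the kernel command line; skipping system measurement and container isolation policy.");` in that branch. `init` ends outside this hunk.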
@@ -198,26 +209,30 @@ impl Agent {
 let _ = self.fetch_all_event_logs();
 let mut event_logs = vec![];
- let measurement = match self.measurement.as_mut() {
- Some(v) => v,
- None => return Err(anyhow!("The measurement was not initialized.")),
- };
+ if self.ima_enabled {
+ let measurement = match self.measurement.as_mut() {
+ Some(v) => v,
+ None => return Err(anyhow!("The measurement was not initialized.")),
+ };
- if measurement.container_isolated() {
- if !self.containers.contains_key(&container_id) {
- return Err(anyhow!("Container cannot be found."));
- }
+ if measurement.container_isolated() {
+ if !self.containers.contains_key(&container_id) {
+ return Err(anyhow!("Container cannot be found."));
+ }
- for event_log in &self.event_logs {
- if event_log.imr_index == IMR::FIRMWARE as u32
- || event_log.imr_index == IMR::KERNEL as u32
- {
- event_logs.push(event_log.clone());
+ for event_log in &self.event_logs {
+ if event_log.imr_index == IMR::FIRMWARE as u32
+ || event_log.imr_index == IMR::KERNEL as u32
+ {
+ event_logs.push(event_log.clone());
+ }
 }
- }
- let container = &self.containers[&container_id];
- event_logs.extend(container.event_logs().clone());
+ let container = &self.containers[&container_id];
+ event_logs.extend(container.event_logs().clone());
+ } else {
+ event_logs.extend(self.event_logs.to_vec());
+ }
 } else {
 event_logs.extend(self.event_logs.to_vec());
 }
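Review bot: The `else { event_logs.extend(self.event_logs.to_vec()); }` arm now appears twice, once for `!self.ima_enabled` and once for `!measurement.container_isolated()`, and the GetCcReport hunk below carries the same nested shape with a duplicated `else { nonce.clone() }`. Collapsing the two conditions into one flag removes the duplicate arm while keeping the early-return on a missing measurement: `let isolated = self.ima_enabled && self.measurement.as_mut().ok_or_else(|| anyhow!("The measurement was not initialized."))?.container_isolated();` followed by a single `if isolated { … } else { … }`. Independently, `event_logs.extend(self.event_logs.to_vec())` clones the whole log into a temporary `Vec` only to move it into another; `event_logs.extend_from_slice(&self.event_logs)` does one copy. The enclosing function starts before and ends after this hunk, so its doc comment is not visible here; it should state that without IMA every caller receives the unfiltered system event log rather than the per-container view.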
@@ -262,23 +277,27 @@ impl Agent {
 ) -> Result<(Vec, i32), Error> {
 let _ = self.fetch_all_event_logs();
- let measurement = match self.measurement.as_mut() {
- Some(v) => v,
- None => return Err(anyhow!("The measurement was not initialized.")),
- };
+ let new_nonce = if self.ima_enabled {
+ let measurement = match self.measurement.as_mut() {
+ Some(v) => v,
+ None => return Err(anyhow!("The measurement was not initialized.")),
+ };
- let new_nonce = if measurement.container_isolated() {
- if !self.containers.contains_key(&container_id) {
- return Err(anyhow!("Container cannot be found."));
- }
+ if measurement.container_isolated() {
+ if !self.containers.contains_key(&container_id) {
+ return Err(anyhow!("Container cannot be found."));
+ }
- let container = &self.containers[&container_id];
- match nonce {
- Some(v) => match base64::decode(v) {
- Ok(v) => Some(base64::encode([container.imr().hash.to_vec(), v].concat())),
- Err(e) => return Err(anyhow!("nonce is not base64 encoded: {:?}", e)),
- },
- None => None,
+ let container = &self.containers[&container_id];
+ match nonce {
+ Some(v) => match base64::decode(v) {
+ Ok(v) => Some(base64::encode([container.imr().hash.to_vec(), v].concat())),
+ Err(e) => return Err(anyhow!("nonce is not base64 encoded: {:?}", e)),
+ },
+ None => None,
+ }
+ } else {
+ nonce.clone()
 }
 } else {
 nonce.clone()
@@ -300,28 +319,32 @@ impl Agent {
 ) -> Result {
 let _ = self.fetch_all_event_logs();
- let measurement = match self.measurement.as_mut() {
- Some(v) => v,
- None => return Err(anyhow!("The measurement was not initialized.")),
- };
+ if self.ima_enabled {
+ let measurement = match self.measurement.as_mut() {
+ Some(v) => v,
+ None => return Err(anyhow!("The measurement was not initialized.")),
+ };
- if measurement.container_isolated() {
- if !self.containers.contains_key(&container_id) {
- return Err(anyhow!("Container cannot be found."));
- }
+ if measurement.container_isolated() {
+ if !self.containers.contains_key(&container_id) {
+ return Err(anyhow!("Container cannot be found."));
+ }
- if index == IMR::SYSTEM as u32 {
- return Err(anyhow!("Cannot access IMR according to the policy."));
- }
+ if index == IMR::SYSTEM as u32 {
+ return Err(anyhow!("Cannot access IMR according to the policy."));
+ }
- if index == IMR::CONTAINER as u32 {
- let container = match self.containers.get_mut(&container_id) {
- Some(v) => v,
- None => {
- return Err(anyhow!("The container is on the list but fails to get it."))
- }
- };
- return Ok(container.imr().clone());
+ if index == IMR::CONTAINER as u32 {
+ let container = match self.containers.get_mut(&container_id) {
+ Some(v) => v,
+ None => {
+ return Err(anyhow!(
+ "The container is on the list but fails to get it."
+ ))
+ }
+ };
+ return Ok(container.imr().clone());
+ }
 }
 }
diff --git a/service/cima-server/src/main.rs b/service/cima-server/src/main.rs
index 336a594..231a965 100644
--- a/service/cima-server/src/main.rs
+++ b/service/cima-server/src/main.rs
@@ -80,10 +80,10 @@ async fn main() -> Result<(), Box> {
 mod cima_server_test {
 use super::*;
 use crate::agent::IMR;
- use evidence_api::{cc_type::TeeType, tcg};
 use cima_pb::{
 cima_client::CimaClient, GetCcEventlogRequest, GetCcMeasurementRequest, GetCcReportRequest,
 };
+ use evidence_api::{cc_type::TeeType, tcg};
 use policy::PolicyConfig;
 use rand::Rng;
 use serial_test::serial;