[#7] Ensure Ubuntu support pending end-user installation of supported…

… TPM2 Libraries
nsacyber · Nov 1, 2018 · 37ba6de · 37ba6de
1 parent ce380db
commit 37ba6de
Show file tree

Hide file tree

Showing 5 changed files with 95 additions and 17 deletions.
diff --git a/HIRS_ProvisionerTPM2/CMakeLists.txt b/HIRS_ProvisionerTPM2/CMakeLists.txt
@@ -257,12 +257,12 @@ if (${DISTRIBUTION} STREQUAL "Ubuntu")
     set(CPACK_GENERATOR "DEB")
     set(CPACK_DEBIAN_PACKAGE_NAME "HIRSProvisionerTPM2.0")
     set(CPACK_DEBIAN_PACKAGE_SECTION "admin")
-    set(CPACK_DEBIAN_PACKAGE_DEPENDS "liblog4cplus-1.1-9(>=1.1.2), tpm2-tools(>=1.0), libcurlpp0(>=0.7), lshw")
+    set(CPACK_DEBIAN_PACKAGE_DEPENDS "liblog4cplus-1.1-9(>=1.1.2), libcurlpp0(>=0.7), lshw")
     # Set variables specific to Ubuntu release version
     if (${DISTRIBUTION_VERSION} STREQUAL "16.04")
-        set(CPACK_DEBIAN_PACKAGE_DEPENDS "${CPACK_DEBIAN_PACKAGE_DEPENDS}, libre2-1v5(>=20160201), libtss2-utils(>=0.98), libprotobuf9v5(>=2.4.1)")
+        set(CPACK_DEBIAN_PACKAGE_DEPENDS "${CPACK_DEBIAN_PACKAGE_DEPENDS}, libre2-1v5(>=20160201), libprotobuf9v5(>=2.4.1)")
     else()
-        set(CPACK_DEBIAN_PACKAGE_DEPENDS "${CPACK_DEBIAN_PACKAGE_DEPENDS}, libsapi-utils(>=1.0), libprotobuf10(>=2.4.1)")
+        set(CPACK_DEBIAN_PACKAGE_DEPENDS "${CPACK_DEBIAN_PACKAGE_DEPENDS}, libprotobuf10(>=2.4.1)")
         if (${DISTRIBUTION_VERSION} STREQUAL "17.10")
             set(CPACK_DEBIAN_PACKAGE_DEPENDS "${CPACK_DEBIAN_PACKAGE_DEPENDS}, libre2-3(>=20160201)")
         elseif(${DISTRIBUTION_VERSION} STREQUAL "18.04" OR ${DISTRIBUTION_VERSION} STREQUAL "18.10")

diff --git a/HIRS_ProvisionerTPM2/include/Utils.h b/HIRS_ProvisionerTPM2/include/Utils.h
@@ -160,7 +160,7 @@ namespace tpm2_tools_utils {
 enum class Tpm2ToolsVersion {
     VERSION_1_1_0,
     VERSION_2_1_0,
-    VERSION_3_0_1
+    VERSION_3
 };
 
 /**
@@ -237,6 +237,15 @@ class Tpm2ToolsOutputParser {
      * @return a tpm2_tools version if found, or an empty string, otherwise
      */
     static std::string parseTpm2ToolsVersion(const std::string& toolOutput);
+
+    /**
+     * Parses the provided tpm2-tool version for the major version.
+     *
+     * @param toolVersion the output from a call to parseTpm2ToolsVersion
+     * @return tpm2_tools major version if found, or an empty string, otherwise
+     */
+    static std::string parseTpm2ToolsMajorVersion(
+            const std::string& toolVersion);
 };
 
 }  // namespace tpm2_tools_utils

diff --git a/HIRS_ProvisionerTPM2/src/CommandTpm2.cpp b/HIRS_ProvisionerTPM2/src/CommandTpm2.cpp
@@ -141,7 +141,7 @@ void CommandTpm2::setAuthData() {
                        << " -l " << kWellKnownSecret
                        << endl;
             break;
-        case Tpm2ToolsVersion::VERSION_3_0_1:
+        case Tpm2ToolsVersion::VERSION_3:
             argsStream << " -o hex:" << kWellKnownSecret
                        << " -e hex:" << kWellKnownSecret
                        << " -l hex:" << kWellKnownSecret
@@ -387,11 +387,11 @@ string CommandTpm2::activateIdentity() {
                 "CommandTpm2::activateIdentity");
     }
 
-    // TPM2 Tools version 3.0.1 prepends 4 bytes of a MAGIC NUMBER and
+    // TPM2 Tools major version 3.X.X prepends 4 bytes of a MAGIC NUMBER and
     // 4 bytes of a version number to the file containing the cert and secret,
     // but the ACA does not, nor does the ACA know which version of TPM2 Tools
     // is running on the client machine. So we add the bytes here.
-    if (version == Tpm2ToolsVersion::VERSION_3_0_1) {
+    if (version == Tpm2ToolsVersion::VERSION_3) {
         string s = fileToString(kDefaultIdentityClaimResponseFilename);
         union {
             UINT16 value;
@@ -578,7 +578,7 @@ string CommandTpm2::readNvIndex(const string& nvIndex,
                 nvReadOutput << Tpm2ToolsOutputParser::parseNvReadOutput(
                         rawNvReadOutput);
                 break;
-            case Tpm2ToolsVersion::VERSION_3_0_1:
+            case Tpm2ToolsVersion::VERSION_3:
                 nvReadOutput << rawNvReadOutput;
                 break;
         }
@@ -619,7 +619,7 @@ void CommandTpm2::releaseNvIndex(const string& nvIndex) {
         case Tpm2ToolsVersion::VERSION_2_1_0:
             argsStream << " -X -P " << kWellKnownSecret;
             break;
-        case Tpm2ToolsVersion::VERSION_3_0_1:
+        case Tpm2ToolsVersion::VERSION_3:
             argsStream << " -P hex:" << kWellKnownSecret;
             break;
     }

diff --git a/HIRS_ProvisionerTPM2/src/Utils.cpp b/HIRS_ProvisionerTPM2/src/Utils.cpp
@@ -265,35 +265,50 @@ const unordered_map<string, Tpm2ToolsVersion>
         Tpm2ToolsVersionChecker::kVersionMap = {
         {"1.1.0", Tpm2ToolsVersion::VERSION_1_1_0 },
         {"2.1.0", Tpm2ToolsVersion::VERSION_2_1_0 },
-        {"3.0.1", Tpm2ToolsVersion::VERSION_3_0_1 }
+        {"3", Tpm2ToolsVersion::VERSION_3 }
 };
 
 const unordered_map<string, Tpm2ToolsVersion>
         Tpm2ToolsVersionChecker::kMaxSupportedVersionMap = {
         {"Ubuntu 17.10", Tpm2ToolsVersion::VERSION_1_1_0 },
         {"Ubuntu 18.04", Tpm2ToolsVersion::VERSION_2_1_0 },
         {"Ubuntu 18.10", Tpm2ToolsVersion::VERSION_2_1_0 },
-        {"CentOS Linux 7", Tpm2ToolsVersion::VERSION_3_0_1 }
+        {"CentOS Linux 7", Tpm2ToolsVersion::VERSION_3 }
 };
 
 Tpm2ToolsVersion Tpm2ToolsVersionChecker::findTpm2ToolsVersion() {
-    string versionOutput = RUN_PROCESS_OR_THROW("tpm2_rc_decode", "-v");
+    string versionOutput = RUN_PROCESS_OR_THROW("tpm2_nvlist", "-v");
     string version = Tpm2ToolsOutputParser::parseTpm2ToolsVersion(
             versionOutput);
+    string majorVersion = Tpm2ToolsOutputParser::parseTpm2ToolsMajorVersion(
+            version);
 
     if (!version.empty()) {
         try {
-            return kVersionMap.at(version);
+            // Look to see if tpm2-tools major version is supported
+            return kVersionMap.at(majorVersion);
         }
         catch (const out_of_range& oor) {
-            stringstream ss;
-            ss << "Unsupported Tpm2 Tools Version Detected: " << version;
-            throw HirsRuntimeException(ss.str(),
-                        "Tpm2ToolsVersionChecker::findTpm2ToolsVersion");
+            // If major version not supported, then look for specific version
+            try {
+                return kVersionMap.at(version);
+            }
+            catch (const out_of_range& oor) {
+                // If no version found, version is unsupported, throw exception
+                stringstream ss;
+                ss << "Unsupported Tpm2 Tools Version Detected: " << version;
+                throw HirsRuntimeException(ss.str(),
+                      "Tpm2ToolsVersionChecker::findTpm2ToolsVersion");
+            }
         }
     } else {
+        // If version check returns empty, instead of throwing exception,
+        // then tpm2-tools is installed but version lookup is faulty.
+        // Get current runtime environment distribution.
         string currentDistribution = getDistribution();
         try {
+            // Look to see if current distribution has a supported version
+            // and use that as best guess at version number
             return kMaxSupportedVersionMap.at(currentDistribution);
         } catch (const out_of_range& oor) {
             stringstream ss;
@@ -396,6 +411,20 @@ string Tpm2ToolsOutputParser::parseTpm2ToolsVersion(const string& toolOutput) {
     }
 }
 
+string Tpm2ToolsOutputParser::parseTpm2ToolsMajorVersion(
+        const string& toolVersion) {
+    stringstream regexPatternStream;
+    regexPatternStream << "^([0-9]+)\\.[0-9]+\\.[0-9]+$";
+
+    string majorVersion;
+    if (RE2::PartialMatch(toolVersion, regexPatternStream.str(),
+            &majorVersion)) {
+        return majorVersion;
+    } else {
+        return "";
+    }
+}
+
 }  // namespace tpm2_tools_utils
 
 }  // namespace hirs
diff --git a/HIRS_ProvisionerTPM2/test/Utils_Test.cpp b/HIRS_ProvisionerTPM2/test/Utils_Test.cpp
@@ -588,6 +588,46 @@ TEST_F(UtilsTest, ParseTpm2ToolsVersionFailNonSemanticVersion) {
     ASSERT_EQ(expectedOutput, version);
 }
 
+TEST_F(UtilsTest, ParseTpm2ToolsMajorVersionSuccess) {
+    stringstream versionOutput;
+    versionOutput << "3.0.1";
+
+    string expectedOutput = "3";
+    string majorVersion = Tpm2ToolsOutputParser::parseTpm2ToolsMajorVersion(
+            versionOutput.str());
+    ASSERT_EQ(expectedOutput, majorVersion);
+}
+
+TEST_F(UtilsTest, ParseTpm2ToolsMajorVersionSuccessMultiNumeralVersion) {
+    stringstream versionOutput;
+    versionOutput << "10.29.970";
+
+    string expectedOutput = "10";
+    string majorVersion = Tpm2ToolsOutputParser::parseTpm2ToolsMajorVersion(
+            versionOutput.str());
+    ASSERT_EQ(expectedOutput, majorVersion);
+}
+
+TEST_F(UtilsTest, ParseTpm2ToolsMajorVersionFailNonSemanticVersion) {
+    stringstream versionOutput;
+    versionOutput << "3.0";
+
+    string expectedOutput = "";
+    string majorVersion = Tpm2ToolsOutputParser::parseTpm2ToolsMajorVersion(
+            versionOutput.str());
+    ASSERT_EQ(expectedOutput, majorVersion);
+}
+
+TEST_F(UtilsTest, ParseTpm2ToolsMajorVersionFailLongNonSemanticVersion) {
+    stringstream versionOutput;
+    versionOutput << "3.0.1.27";
+
+    string expectedOutput = "";
+    string majorVersion = Tpm2ToolsOutputParser::parseTpm2ToolsMajorVersion(
+            versionOutput.str());
+    ASSERT_EQ(expectedOutput, majorVersion);
+}
+
 }  // namespace
 
 int main(int argc, char **argv) {