[#896] Add Platform Certificate Class Registry support to the ACA #898
Merged
iadgovuser29
merged 24 commits into
main
from
v3_issue_896-add-platform-certificate-class-registry-support-to-the-aca
Apr 1, 2025
…iguring out places where this will work. Can successfully debug provisioner+aca.
…pots throughout the app. Seems like we need to ensure that when we try to parse the pc from the identity claim, it needs to recognize the new kind of identifier.
…plat config v1 (which already exists), moved attributes associated with v2 to the v2 class, when validating the aca will now verify if the platform config associated with the cert is v1 or v2. Made corrections to attribute names to better align with tcg docs.
…ling corrections, deleted unused classes that were being referenced by componentinfo. pretty much done with the aca side of things.
…to be done. Will put in a WIP PR for now.
…r aspects of the SupplyChainCredentialValidator class. Will add more tests as more issues get fixed.
…registry-support-to-the-aca
… to the test classes.
…n part. Started adding more logic to validation.
…will make github actions happy.
… a smart/efficient way of comparing the components from platform cert and device info report.
This was referenced Mar 11, 2025
… for missing component info.
…s causing the docker tests to fail.
iadgovuser29
approved these changes
Apr 1, 2025
iadgovuser29
pushed a commit
that referenced
this pull request
Apr 2, 2025
…CA (#898)
* issue_896: first cut at changing the logic on the validator
* issue_896: Added more javadocs, still going through the process and figuring out places where this will work. Can successfully debug provisioner+aca.
* issue_896: slowly introducing component identifier v2 into multiple spots throughout the app. Seems like we need to ensure that when we try to parse the pc from the identity claim, it needs to recognize the new kind of identifier.
* issue_896: deleted abstract platform config class, replaced it with plat config v1 (which already exists), moved attributes associated with v2 to the v2 class, when validating the aca will now verify if the platform config associated with the cert is v1 or v2. Made corrections to attribute names to better align with tcg docs.
* issue_896: Added a new property to component info, made some more spelling corrections, deleted unused classes that were being referenced by componentinfo. pretty much done with the aca side of things.
* issue_896: I believe I have finished the issue. Further testing needs to be done. Will put in a WIP PR for now.
* issue_896: Made some more changes after viewing PR
* issue_896: Changed v3 to v4 in the github actions yaml files.
* issue_896: Fixed issues in one of the test classes, can now test other aspects of the SupplyChainCredentialValidator class. Will add more tests as more issues get fixed.
* issue_896: Hopefully GITHUB actions will be more forgiving.
* issue_896: Placed test task in the root build.gradle. Made more fixes to the test classes.
* issue_896: Realized there might be more work needed for the validation part. Started adding more logic to validation.
* issue_896: Last change before the long weekend. Hoping these changes will make github actions happy.
* issue_896: Verifying that this part works. We will need to figure out a smart/efficient way of comparing the components from platform cert and device info report.
* testing
* v3_issue_896: Should work for this PR.
* v3_issue_821: fixed the NPE issue we were getting during provisioning for missing component info.
* v3_issue_896: my copy/paste skills need work. Fixed the issue that was causing the docker tests to fail.
* v3_issue_896: trying to see if reverting the return call null will make a difference.
* v3_issue_896: should fix issues with pc found on certain devices
* v3_issue_896: part ii of should fix issues with pc found on certain devices
Description
This issue covers necessary adjustments for the ACA to process the class registry information. This will include support for the TCG, PCI, SMBIOS, and Storage class registries.
Test Instructions:
Pull this branch in your favorite IDE and create a TPM Provisioner RPM/Debian (if you are on a Linux distribution):
If on a RHEL-based distro:
If on a Debian-based distro:
Now go to the directory that holds the newly created RPM/Debian file:
Install the RPM/Debian file on your system:
If on a RHEL-based distro:
If on a Debian-based distro:
Now go to the hirs-aca.service file and change the following line to the next line for testing purposes (the -d flag will allow us to debug the installed application from our favorite IDE):
From:
To:
Create an RPM/Debian file:
If on a RHEL-based distro:
If on a Debian-based distro:
Go to the distributions directory:
Install your newly built RPM/Debian file:
If on a RHEL-based distro:
If on a Debian-based distro:
Verify that the two new applications are installed on your system:
For the Debugged-version of the HIRS-ACA:
If on a RHEL-based distro:
If on a Debian-based distro:
For the latest and greatest HIRS_Provisioner:
If on a RHEL-based distro:
If on a Debian-based distro:
Open up IntelliJ, pull this branch in the IDE, go to the top where it says Run and then click on Edit Configurations; a window with the title of Run/Debug Configurations will pop up.
Click on the plus sign at the upper left corner of the window and click on Remote JVM Debug. Make sure to set Host to localhost and port to 9123. Make sure to set module classpath to HIRS.HIRS_AttestationCAPortal.
Last but not least, click on the plus sign on the box that's right after the words Before Launch and click on Launch Web Browser. Hit Apply and then hit OK. Now every time you run the debugged version of the application, the site will pop up in your default browser.
Now go to the Policy Page and enable the following options: Endorsement Credential Validation, Platform Credential Validation and Platform Attribute Credential Validation.
In order to see the new component classes, we will have to set up some breakpoints in the code. Set a breakpoint on the following lines:
Issues this PR addresses:
Closes #898