Merge branch 'main' of github.com:Cybersecurity-LINKS/embrave

Cybersecurity-LINKS · Jun 14, 2024 · 23d0613 · 23d0613
2 parents 4f58f91 + 7d3af5a
commit 23d0613
Show file tree

Hide file tree

Showing 11 changed files with 135 additions and 115 deletions.
diff --git a/TODO b/TODO
@@ -1,20 +1,12 @@
 
-1
-join service output integrity report and agent untrusted
-
-2
 agent ip from socket => https://stackoverflow.com/questions/2283494/get-ip-address-of-an-interface-on-linux
 goldevalues creation rework
 exclude list with regex
 dashboard
-
-3
-
 OEM server with golden value for the verifiers to download 
 parameter for config file path
 debug print level
-file log
 support multi db
 support for other attestation schemes
 PCR configurables at agent side and send them to js 
-
+sleep value for verifier thread as config params
diff --git a/embrave.conf.example b/embrave.conf.example
@@ -50,8 +50,10 @@ join_service_ip = localhost
 # Port where it runs the http Join Service server
 join_service_port = 8000
 
-# URI where download the whitelist
-whitelist_uri = https://location.where.whitelist/is/stored
+# URI whitelist
+# Format file://whitelistname.db or
+# https://location.where.whitelist/is/stored
+whitelist_uri = file://raspberrypi4b.db
 
 ##################################
 # Verifier configuration section #
@@ -79,6 +81,9 @@ tls_key = /var/embrave/verifier/tls/key.pem
 # Path of the verfier database (sqlite)
 db = file:/var/embrave/verifier/db.sqlite
 
+# Path where to store all whitelists databases (sqlite)
+whitelist_path = /var/embrave/verifier/whitelist/
+
 # Join Service IP address
 join_service_ip = localhost
 

diff --git a/include/config_parse.h b/include/config_parse.h
@@ -21,7 +21,7 @@
 #define MAX_BUF 255
 #define MAX_LINE_LENGTH 1023
 #define ATTESTER_NUM_CONFIG_PARAMS 12
-#define VERIFIER_NUM_CONFIG_PARAMS 11
+#define VERIFIER_NUM_CONFIG_PARAMS 12
 #define JOIN_SERVICE_NUM_CONFIG_PARAMS 11
 
 enum attester_keys_config{
@@ -46,6 +46,7 @@ enum verifier_keys_config{
     VERIFIER_TLS_KEY,
     VERIFIER_TLS_CERT_CA,
     VERIFIER_DB,
+    VERIFIER_WHITELIST_PATH,
     VERIFIER_JOIN_SERVICE_IP,
     VERIFIER_JOIN_SERVICE_PORT,
     VERIFIER_MQTT_BROKER_IP,
@@ -83,12 +84,13 @@ struct attester_conf {
 };
 
 struct verifier_conf {
-    char db[MAX_LINE_LENGTH];
     uint32_t topic_id;
     uint32_t port;
     uint32_t tls_port;
     uint32_t join_service_port;
     uint32_t mqtt_broker_port;
+    char db[MAX_LINE_LENGTH];
+    char whitelist_path[MAX_LINE_LENGTH];
     char ip[MAX_BUF];
     char tls_cert_ca[MAX_LINE_LENGTH];
     char tls_cert[MAX_LINE_LENGTH];

diff --git a/run_test.sh b/run_test.sh
diff --git a/src/attester/attester_server_http.c b/src/attester/attester_server_http.c
@@ -116,7 +116,6 @@ int send_challenge_reply(struct mg_connection *c, tpm_challenge_reply *rpl)
     i += rpl->ima_log_size;
     memcpy(byte_buff + i, &rpl->wholeLog, sizeof(uint8_t));
     i += sizeof(uint8_t);
-
   }
 
   //Encode in b64
@@ -230,8 +229,6 @@ int create_request_body(size_t *object_length, char *object){
     return -1;
   }
 
-  //printf("EK cert size: %ld\n", size);
-
   ret = fread(ek_cert, 1, (size_t) size, fd_ek_cert);
   if(ret != size){
     fclose(fd_ek_cert);
@@ -292,7 +289,7 @@ int create_request_body(size_t *object_length, char *object){
     free(b64_buff_ek);
     fclose(fd_ak_pub);
     free(ak_pub);
-    fprintf(stderr, "ERROR: cannot read the whole AK pem. %ld/%ld bytes read\n", ret, size);
+    fprintf(stderr, "ERROR: cannot read the whole AK pem\n");
     return -1;
   }
 
@@ -326,7 +323,7 @@ int create_request_body(size_t *object_length, char *object){
   if(ret != size){
     fclose(fd_ak_name);
     free(ak_name);
-    fprintf(stderr, "ERROR: cannot read the whole AK name. %ld/%ld bytes read\n", ret, size);
+    fprintf(stderr, "ERROR: cannot read the whole AK name\n");
     return -1;
   }
 
@@ -402,11 +399,9 @@ static void request_join(struct mg_connection *c, int ev, void *ev_data) {
       "%s\n",
       object_length,
       object);
-    get_finish_timer(2);
-  get_start_timer();
+
   } else if (ev == MG_EV_HTTP_MSG) {
-      get_finish_timer(3);
-  get_start_timer();
+
     // Response is received. Print it
     struct mg_http_message *hm = (struct mg_http_message *) ev_data;
     struct mkcred_out *mkcred_out = (struct mkcred_out *) c->fn_data;
@@ -548,13 +543,9 @@ static void confirm_credential(struct mg_connection *c, int ev, void *ev_data) {
     "%s\n",
     strlen(object),
     object); 
-    get_finish_timer(4);
-    get_start_timer();
 
   } else if (ev == MG_EV_HTTP_MSG) {
     // Response is received. Print it
-    get_finish_timer(5);
-    get_start_timer();
 #ifdef DEBUG
     struct mg_http_message *hm = (struct mg_http_message *) ev_data;
     printf("%.*s", (int) hm->message.len, hm->message.ptr);
@@ -635,35 +626,25 @@ int main(int argc, char *argv[]) {
   printf("attester_config->ip: %s\n", attester_config.ip);
   printf("attester_config->port: %d\n", attester_config.port);
   #endif
-  get_start_timer();
 
   /* Create TPM keys*/
   if((attester_init(&attester_config)) != 0) return -1;
-  get_finish_timer(1);
-  get_start_timer();
+
   //attester_config.use_ip = 0;
   /**/
   if(attester_config.use_ip == 0){
     while (!get_ipaddr_from_interface("eth1", attester_config.ip))
     {
       sleep(5);
     }
-
   }
 
-
   /* Perform the join procedure */
   if (join_procedure() != 0){
     fprintf(stderr, "ERROR: could not reach the join service\n");
     exit(-1);
   };
-  get_finish_timer(6);
-  save_timer("agent_text.txt");
-
-  //exit(0);
 
-
-
   mg_log_set(MG_LL_INFO);  /* Set log level */
   mg_mgr_init(&mgr);        /* Initialize event manager */
 

diff --git a/src/config_parse.c b/src/config_parse.c
@@ -18,7 +18,7 @@
 char* attester_params[ATTESTER_NUM_CONFIG_PARAMS] = {"uuid", "ip", "port","ek_rsa_cert",
             "ek_ecc_cert", "ak_pub", "ak_name", "ak_ctx", "ak_cert", "join_service_ip", "join_service_port", "whitelist_uri"};
 char* verifier_params[VERIFIER_NUM_CONFIG_PARAMS] = {"ip", "port", "tls_port", "tls_cert", "tls_key",
-            "tls_cert_ca", "db", "join_service_ip", "join_service_port", "mqtt_broker_ip", "mqtt_broker_port"};
+            "tls_cert_ca", "db", "whitelist_path", "join_service_ip", "join_service_port", "mqtt_broker_ip", "mqtt_broker_port"};
 char* join_service_params[JOIN_SERVICE_NUM_CONFIG_PARAMS] = {"ip", "port", "tls_port", "tls_cert",
             "tls_key", "tls_cert_ca", "db", "ca_x509_path", "mqtt_broker_ip", "mqtt_broker_port", "log_path"};
 
@@ -185,11 +185,11 @@ uint16_t read_config(char user, void* config_struct){
 
                         case ATTESTER_JOIN_SERVICE_PORT:
                             attester_config->join_service_port = (uint32_t) atoi(value);
-                        break;
+                            break;
 
                         case ATTESTER_WHITELIST_URI:
                             strcpy(attester_config->whitelist_uri, value);
-                        break;
+                            break;
 
                         case ATTESTER_NUM_CONFIG_PARAMS:
                             //unknown param
@@ -245,21 +245,25 @@ uint16_t read_config(char user, void* config_struct){
                             strcpy(verifier_config->db, value);
                             break;
 
+                        case VERIFIER_WHITELIST_PATH:
+                            strcpy(verifier_config->whitelist_path, value);
+                            break;
+
                         case VERIFIER_JOIN_SERVICE_IP:
                             strcpy(verifier_config->join_service_ip, value);
                             break;
 
                         case VERIFIER_JOIN_SERVICE_PORT:
                             verifier_config->join_service_port = (uint32_t) atoi(value);
-                        break;
+                            break;
 
                         case VERIFIER_MQTT_BROKER_IP:
                             strcpy(verifier_config->mqtt_broker_ip, value);
-                        break;
+                            break;
 
                         case VERIFIER_MQTT_BROKER_PORT:
                             verifier_config->mqtt_broker_port = (uint32_t) atoi(value);
-                        break;
+                            break;
 
                         case VERIFIER_NUM_CONFIG_PARAMS:
                             //unknown param
@@ -317,19 +321,19 @@ uint16_t read_config(char user, void* config_struct){
 
                         case JOIN_SERVICE_CA_X509:
                             strcpy(join_service_config->ca_x509_path, value);
-                        break;
+                            break;
 
                         case JOIN_SERVICE_BROKER_IP:
                             strcpy(join_service_config->mqtt_broker_ip, value);
-                        break;
+                            break;
 
                         case JOIN_SERVICE_BROKER_PORT:
                             join_service_config->mqtt_broker_port = (uint32_t) atoi(value);
-                        break;
+                            break;
 
                         case JOIN_SERVICE_LOG:
                             strcpy(join_service_config->log_path, value);
-                        break;
+                            break;
 
                         case JOIN_SERVICE_NUM_CONFIG_PARAMS:
                             //unknown param