Use new uefi_log_handler to fix count issues

Signed-off-by: Sergio Arroutbi <[email protected]>

Author: sarroutbi

Cargo.lock

@@ -4,6 +4,7 @@ use keylime::algorithms::HashAlgorithm;
 use keylime::config::PushModelConfigTrait;
 use keylime::context_info::ContextInfo;
 use keylime::structures;
+use keylime::uefi::uefi_log_handler;
 use log::error;
 
 pub trait StructureFiller {
@@ -46,11 +47,30 @@ impl StructureFiller for FillerFromHardware<'_> {
 
 pub struct FillerFromHardware<'a> {
     pub tpm_context_info: &'a mut ContextInfo,
+    pub uefi_log_handler: Option<uefi_log_handler::UefiLogHandler>,
 }
 
 impl<'a> FillerFromHardware<'a> {
     pub fn new(tpm_context_info: &'a mut ContextInfo) -> Self {
-        FillerFromHardware { tpm_context_info }
+        // TODO: Change config obtaining here to avoid repetitions
+        let config = keylime::config::PushModelConfig::default();
+        let uefi_log_handler = uefi_log_handler::UefiLogHandler::new(
+            &config.get_uefi_logs_binary_file_path(),
+        );
+        if uefi_log_handler.is_err() {
+            error!(
+                "Failed to create UEFI log handler: {}",
+                uefi_log_handler.unwrap_err()
+            );
+            return FillerFromHardware {
+                tpm_context_info,
+                uefi_log_handler: None,
+            };
+        }
+        FillerFromHardware {
+            tpm_context_info,
+            uefi_log_handler: Some(uefi_log_handler.unwrap()),
+        }
     }
     // TODO: Change this function to use the attestation request appropriately
     // Add self to the function signature to use the tpm_context
@@ -71,6 +91,10 @@ impl<'a> FillerFromHardware<'a> {
                 error!("Failed to get PCR banks for SHA256");
                 vec![]
             });
+        let uefi_count = self
+            .uefi_log_handler
+            .as_ref()
+            .map_or(0, |handler| handler.get_entry_count());
         structures::AttestationRequest {
             data: structures::RequestData {
                 type_: "attestation".to_string(),
@@ -101,17 +125,7 @@ impl<'a> FillerFromHardware<'a> {
                             evidence_type: "uefi_log".to_string(),
                             capabilities: structures::LogCapabilities {
                                 evidence_version: Some(config.get_uefi_logs_evidence_version()),
-                                entry_count: keylime::file_ops::read_file(config.get_measuredboot_ml_count_file().as_str())
-                                    .map(|content| {
-                                        content
-                                            .trim()
-                                            .parse::<u32>()
-                                            .unwrap_or(0)
-                                    })
-                                    .unwrap_or_else(|_| {
-                                        error!("Failed to read UEFI logs entry count file");
-                                        0
-                                    }),
+                                entry_count: uefi_count,
                                 supports_partial_access: config.get_uefi_logs_supports_partial_access(),
                                 appendable: config.get_uefi_logs_appendable(),
                                 formats: config.get_uefi_logs_formats(),
@@ -121,17 +135,7 @@ impl<'a> FillerFromHardware<'a> {
                             evidence_type: "ima_log".to_string(),
                             capabilities: structures::LogCapabilities {
                                 evidence_version: None,
-                                entry_count: keylime::file_ops::read_file(config.get_ima_ml_count_file().as_str())
-                                    .map(|content| {
-                                        content
-                                            .trim()
-                                            .parse::<u32>()
-                                            .unwrap_or(0)
-                                    })
-                                    .unwrap_or_else(|_| {
-                                        error!("Failed to read IMA log entry count file");
-                                        0
-                                    }),
+                                entry_count: 0, // Placeholder, will be filled later
                                 supports_partial_access: config.get_ima_logs_supports_partial_access(),
                                 appendable: config.get_ima_logs_appendable(),
                                 formats: config.get_ima_logs_formats(),

keylime-push-model-agent/src/struct_filler.rs

@@ -9,10 +9,6 @@ pub const DEFAULT_CONTACT_PORT: u32 = 9002;
 pub const DEFAULT_IMA_ML_DIRECTORY_PATH: &str = "/sys/kernel/security/ima";
 pub static DEFAULT_IMA_ML_COUNT_FILE: Lazy<String> =
     Lazy::new(|| format!("{}/measurements", DEFAULT_IMA_ML_DIRECTORY_PATH));
-pub const DEFAULT_MEASUREDBOOT_ML_DIRECTORY_PATH: &str =
-    "/sys/kernel/security/tpm0";
-pub static DEFAULT_MEASUREDBOOT_ML_COUNT_FILE: Lazy<String> =
-    Lazy::new(|| format!("{}/count", DEFAULT_MEASUREDBOOT_ML_DIRECTORY_PATH));
 pub const DEFAULT_EK_HANDLE: &str = "";
 pub const DEFAULT_ENABLE_IAK_IDEVID: bool = false;
 pub const DEFAULT_IP: &str = "127.0.0.1";
@@ -26,6 +22,16 @@ pub const DEFAULT_SERVER_KEY_PASSWORD: &str = "";
 pub const DEFAULT_TPM_HASH_ALG: &str = "sha256";
 pub const DEFAULT_TPM_ENCRYPTION_ALG: &str = "rsa";
 pub const DEFAULT_TPM_SIGNING_ALG: &str = "rsassa";
+pub const DEFAULT_UEFI_LOGS_BINARY_PATH: &str = "/sys/kernel/security/tpm0";
+pub const DEFAULT_UEFI_LOGS_BINARY_FILE: &str = "binary_bios_measurements";
+pub static DEFAULT_UEFI_LOGS_BINARY_FILE_PATH: Lazy<String> =
+    Lazy::new(|| {
+        format!(
+            "{}/{}",
+            DEFAULT_UEFI_LOGS_BINARY_PATH, DEFAULT_UEFI_LOGS_BINARY_FILE
+        )
+    });
+
 pub const DEFAULT_UUID: &str = "b0acd25f-2205-4c37-932d-e8f99a8d39ef";
 
 // IMA logs specific defaults
@@ -45,8 +51,6 @@ pub trait PushModelConfigTrait {
     fn get_contact_port(&self) -> u32;
     fn get_enable_iak_idevid(&self) -> bool;
     fn get_ek_handle(&self) -> String;
-    fn get_measuredboot_ml_directory_path(&self) -> String;
-    fn get_measuredboot_ml_count_file(&self) -> String;
     fn get_ima_logs_appendable(&self) -> bool;
     fn get_ima_logs_formats(&self) -> Vec<String>;
     fn get_ima_logs_supports_partial_access(&self) -> bool;
@@ -63,6 +67,7 @@ pub trait PushModelConfigTrait {
     fn get_registrar_api_versions(&self) -> Vec<String>;
     fn get_api_versions(&self) -> Vec<String>;
     fn get_uefi_logs_appendable(&self) -> bool;
+    fn get_uefi_logs_binary_file_path(&self) -> String;
     fn get_uefi_logs_evidence_version(&self) -> String;
     fn get_uefi_logs_formats(&self) -> Vec<String>;
     fn get_uefi_logs_supports_partial_access(&self) -> bool;
@@ -88,8 +93,6 @@ pub struct PushModelConfig {
     ima_logs_supports_partial_access: bool,
     ima_ml_directory_path: String,
     ima_ml_count_file: String,
-    measuredboot_ml_directory_path: String,
-    measuredboot_ml_count_file: String,
     registrar_api_versions: Vec<String>,
     registrar_ip: String,
     registrar_port: u32,
@@ -99,10 +102,11 @@ pub struct PushModelConfig {
     tpm_encryption_alg: String,
     tpm_hash_alg: String,
     tpm_signing_alg: String,
-    uefi_logs_evidence_version: String,
-    uefi_logs_supports_partial_access: bool,
     uefi_logs_appendable: bool,
+    uefi_logs_binary_file_path: String,
+    uefi_logs_evidence_version: String,
     uefi_logs_formats: Vec<String>,
+    uefi_logs_supports_partial_access: bool,
     uuid: String,
 }
 
@@ -126,11 +130,6 @@ impl PushModelConfig {
                 .to_string()
                 .clone(),
             ima_ml_count_file: DEFAULT_IMA_ML_COUNT_FILE.to_string().clone(),
-            measuredboot_ml_directory_path:
-                DEFAULT_MEASUREDBOOT_ML_DIRECTORY_PATH.to_string().clone(),
-            measuredboot_ml_count_file: DEFAULT_MEASUREDBOOT_ML_COUNT_FILE
-                .to_string()
-                .clone(),
             registrar_ip: DEFAULT_REGISTRAR_IP.to_string(),
             registrar_port: DEFAULT_REGISTRAR_PORT,
             registrar_api_versions: DEFAULT_REGISTRAR_API_VERSIONS
@@ -149,6 +148,8 @@ impl PushModelConfig {
                 .collect(),
             uefi_logs_supports_partial_access:
                 DEFAULT_UEFI_LOGS_SUPPORTS_PARTIAL_ACCESS,
+            uefi_logs_binary_file_path: DEFAULT_UEFI_LOGS_BINARY_FILE_PATH
+                .to_string(),
             tpm_encryption_alg: DEFAULT_TPM_ENCRYPTION_ALG.to_string(),
             tpm_hash_alg: DEFAULT_TPM_HASH_ALG.to_string(),
             tpm_signing_alg: DEFAULT_TPM_SIGNING_ALG.to_string(),
@@ -186,14 +187,6 @@ impl PushModelConfigTrait for PushModelConfig {
         self.ima_logs_appendable
     }
 
-    fn get_ima_logs_formats(&self) -> Vec<String> {
-        self.ima_logs_formats.clone()
-    }
-
-    fn get_ima_logs_supports_partial_access(&self) -> bool {
-        self.ima_logs_supports_partial_access
-    }
-
     fn get_ima_ml_count_file(&self) -> String {
         self.ima_ml_count_file.clone()
     }
@@ -202,12 +195,12 @@ impl PushModelConfigTrait for PushModelConfig {
         self.ima_ml_directory_path.clone()
     }
 
-    fn get_measuredboot_ml_directory_path(&self) -> String {
-        self.measuredboot_ml_directory_path.clone()
+    fn get_ima_logs_formats(&self) -> Vec<String> {
+        self.ima_logs_formats.clone()
     }
 
-    fn get_measuredboot_ml_count_file(&self) -> String {
-        self.measuredboot_ml_count_file.clone()
+    fn get_ima_logs_supports_partial_access(&self) -> bool {
+        self.ima_logs_supports_partial_access
     }
 
     fn get_registrar_ip(&self) -> String {
@@ -238,6 +231,10 @@ impl PushModelConfigTrait for PushModelConfig {
         self.uefi_logs_appendable
     }
 
+    fn get_uefi_logs_binary_file_path(&self) -> String {
+        self.uefi_logs_binary_file_path.clone()
+    }
+
     fn get_uefi_logs_evidence_version(&self) -> String {
         self.uefi_logs_evidence_version.clone()
     }
@@ -277,9 +274,9 @@ impl PushModelConfigTrait for PushModelConfig {
             enable_iak_idevid: {}, ek_handle: {},
             ima_logs_appendable: {}, ima_logs_formats: {:?}, ima_logs_supports_partial_access: {},
             ima_ml_directory_path: {}, ima_ml_count_file: {},
-            measuredboot_ml_directory_path: {}, measuredboot_ml_count_file: {},
             registrar_ip: {}, registrar_port: {}, server_cert: {},
             server_key: {}, server_key_password: {},
+            uefi_logs_binary_file_path: {},
             uefi_logs_evidence_version: {}, uefi_logs_supports_partial_access: {},
             uefi_logs_appendable: {}, uefi_logs_formats: {:?},
             tpm_encryption_alg: {}, tpm_hash_alg: {}, tpm_signing_alg: {},
@@ -294,13 +291,12 @@ impl PushModelConfigTrait for PushModelConfig {
             self.ima_logs_supports_partial_access,
             self.ima_ml_directory_path,
             self.ima_ml_count_file,
-            self.measuredboot_ml_directory_path,
-            self.measuredboot_ml_count_file,
             self.registrar_ip,
             self.registrar_port,
             self.server_cert,
             self.server_key,
             self.server_key_password,
+            self.uefi_logs_binary_file_path,
             self.uefi_logs_evidence_version,
             self.uefi_logs_supports_partial_access,
             self.uefi_logs_appendable,
@@ -355,14 +351,6 @@ mod tests {
             pmc.get_ima_ml_count_file()
                 == DEFAULT_IMA_ML_COUNT_FILE.to_string()
         );
-        assert!(
-            pmc.get_measuredboot_ml_directory_path()
-                == DEFAULT_MEASUREDBOOT_ML_DIRECTORY_PATH
-        );
-        assert!(
-            pmc.get_measuredboot_ml_count_file()
-                == DEFAULT_MEASUREDBOOT_ML_COUNT_FILE.to_string()
-        );
         assert!(pmc.get_registrar_ip() == DEFAULT_REGISTRAR_IP);
         assert!(pmc.get_registrar_port() == DEFAULT_REGISTRAR_PORT);
         assert!(pmc.get_server_cert() == DEFAULT_SERVER_CERT);
@@ -416,11 +404,6 @@ mod tests {
         ));
         assert!(display_string.contains(&pmc.get_ima_ml_directory_path()));
         assert!(display_string.contains(&pmc.get_ima_ml_count_file()));
-        assert!(display_string
-            .contains(&pmc.get_measuredboot_ml_directory_path()));
-        assert!(
-            display_string.contains(&pmc.get_measuredboot_ml_count_file())
-        );
         assert!(display_string.contains(&pmc.get_registrar_ip()));
         assert!(
             display_string.contains(&pmc.get_registrar_port().to_string())

keylime/src/config/push_model_config.rs

@@ -41,7 +41,7 @@ pub enum EvidenceSupported {
 pub struct LogCapabilities {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub evidence_version: Option<String>,
-    pub entry_count: u32,
+    pub entry_count: usize,
     pub supports_partial_access: bool,
     pub appendable: bool,
     pub formats: Vec<String>,