example-setup: Adjust scripts for new PCR handling.

Signed-off-by: Simon Ott <[email protected]>

example-setup/metadata-raw/app.description.json

@@ -0,0 +1,7 @@
+{
+	"type": "App Description",
+	"name": "de.test.app-description.example",
+	"version": "2024-02-22T15:36:34Z",
+	"appManifest": "de.test.app.example",
+	"externalConnections": []
+}

example-setup/metadata-raw/device.description.json

@@ -7,13 +7,5 @@
 	"rtmManifest" : "de.test.rtm",
 	"osManifest" : "de.test.os",
 	"appDescriptions": [
-		{
-			"type": "App Description",
-			"name": "de.test.app.description",
-			"version": "2024-02-22T15:36:34Z",
-			"appManifest": "de.test.app",
-			"externalConnections": []
-		}
-
 	]
 }

example-setup/update-app-manifest

@@ -18,6 +18,8 @@ tmp="${data}/metadata-tmp"
 output="${data}/metadata-signed"
 ser="${2}"
 
+name="de.test.host-apps"
+
 if [[ ! -d "${data}" ]]; then
   echo "Data directory ${data} does not exist. Did you run the setup-full-simple script? Abort.."
   exit 1
@@ -28,11 +30,37 @@ echo "Using ${data} as directory for local data"
 # Calculate the IMA app reference values
 referenceValues=$(sudo calculate-ima-pcr -t 10 -i ima-ng -p /usr/bin)
 
-# Replace existing reference values with new reference values in the App Manifest
+# App Manifest: Replace existing reference values with new reference values
 json=$(cat "${input}/app.manifest.json")
 json=$(echo "${json}" | jq 'del(.referenceValues[])')
 json=$(echo "${json}" | jq --argjson ver "${referenceValues}" '.referenceValues += $ver')
-printf "%s\n" "${json}" > "${input}/app.manifest.json"
+
+# App Manifest: Set name
+json=$(echo "${json}" | jq ".name = \"${name}\"")
+
+# App Manifest: Store
+echo "Writing ${input}/app.manifest.json"
+printf "%s\n" "${json}" > "${data}/metadata-raw/app.manifest.json"
+
+# App Description: Create corresponding app description
+appdesc=$(cat "${input}/app.description.json")
+appdesc=$(echo "${appdesc}" | jq ".name = \"${name}.description\"")
+appdesc=$(echo "${appdesc}" | jq ".appManifest = \"${name}\"")
+
+# Device Description: Add/replace app description to/in device description
+devdesc=$(cat "${input}/device.description.json")
+exists=$(echo "${devdesc}" | jq "any(.appDescriptions[]; .name == \"${name}.description\")")
+if [[ "${exists}" = false ]]; then
+  echo "Adding app description to device description"
+else
+  echo "Replacing existing app description"
+  devdesc=$(echo "$devdesc" | jq ".appDescriptions |= map(select(.name != \"${name}.description\"))")
+fi
+devdesc=$(echo "${devdesc}" | jq --argjson desc "[${appdesc}]" '.appDescriptions += $desc')
+
+# Device Description: Store
+echo "Writing ${input}/device.description.json"
+printf "%s\n" "${devdesc}" > "${input}/device.description.json"
 
 # Sign the metadata*
 key="${data}/pki/signing-cert-key.pem"

example-setup/update-app-manifest-live

@@ -3,6 +3,8 @@
 set -euo pipefail
 
 trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT
+dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd -P)"
+source "${dir}/utils.sh"
 export PATH=${PATH}:${HOME}/go/bin
 
 if [[ "$#" -ne 2 ]]; then
@@ -16,6 +18,8 @@ tmp="${data}/metadata-tmp"
 out="${data}/metadata-signed"
 ser="${2}"
 
+name="de.test.host-apps"
+
 if [[ ! -d "${data}" ]]; then
   echo "Data directory ${data} does not exist. Did you run the setup-full-simple script? Abort.."
   exit 1
@@ -24,18 +28,44 @@ fi
 echo "Using ${data} as directory for local data"
 
 # Parse the IMA measurement lists
-referenceValues=$(sudo parse-ima-log)
-
-# Delete existing reference values in manifest
-jq 'del(.referenceValues[])' "${data}/metadata-raw/app.manifest.json" | sponge "${data}/metadata-raw/app.manifest.json"
+referenceValues=$(sudo parse-ima-pcr)
 
-# Insert new reference values
+# App Manifest: Delete existing reference values
 json=$(cat "${data}/metadata-raw/app.manifest.json")
+json=$(echo "${json}" | jq 'del(.referenceValues[])')
+
+# App Manifest: Insert new reference values
 while IFS= read -r element; do
     json=$(echo "${json}" | jq --argjson element "${element}" '.referenceValues += [$element]')
 done < <(echo "${referenceValues}" | jq -c '.[]')
+
+# App Manifest: Set name
+json=$(echo "${json}" | jq ".name = \"${name}\"")
+
+# App Manifest: Store
+echo "Writing ${input}/app.manifest.json"
 printf "%s\n" "${json}" > "${data}/metadata-raw/app.manifest.json"
 
+# App Description: Create corresponding app description
+appdesc=$(cat "${input}/app.description.json")
+appdesc=$(echo "${appdesc}" | jq ".name = \"${name}.description\"")
+appdesc=$(echo "${appdesc}" | jq ".appManifest = \"${name}\"")
+
+# Device Description: Add/replace app description to/in device description
+devdesc=$(cat "${input}/device.description.json")
+exists=$(echo "${devdesc}" | jq "any(.appDescriptions[]; .name == \"${name}.description\")")
+if [[ "${exists}" = false ]]; then
+  echo "Adding app description to device description"
+else
+  echo "Replacing existing app description"
+  devdesc=$(echo "$devdesc" | jq ".appDescriptions |= map(select(.name != \"${name}.description\"))")
+fi
+devdesc=$(echo "${devdesc}" | jq --argjson desc "[${appdesc}]" '.appDescriptions += $desc')
+
+# Device Description: Store
+echo "Writing ${input}/device.description.json"
+printf "%s\n" "${devdesc}" > "${input}/device.description.json"
+
 # Sign the metadata*
 key="${data}/pki/signing-cert-key.pem"
 chain="${data}/pki/signing-cert.pem,${data}/pki/ca.pem"
@@ -47,12 +77,15 @@ rm -rf "${out}"/app.manifest.*
 if [[ "${ser,,}" = "json" ]]; then
   echo "using json serialization"
   cp "${input}/app.manifest.json" "${tmp}/app.manifest.json"
+  cp "${input}/device.description.json" "${tmp}/device.description.json"
 elif [[ "${ser,,}" = "cbor" ]]; then
   echo "using cbor serialiation"
   cmc-converter -in "${input}/app.manifest.json" -out "${tmp}/app.manifest.cbor" -outform cbor
+  cmc-converter -in "${input}/device.description.json" -out "${tmp}/device.description.cbor" -outform cbor
 else
   echo "serialization format ${ser} is not supported"
   exit 1
 fi
 
-cmc-signing-tool -in "${tmp}/app.manifest.${ser}" -out "${out}/app.manifest.${ser}" -keys "${key}" -x5cs "${chain}"
+cmc-signing-tool -in "${tmp}/app.manifest.${ser}" -out "${out}/app.manifest.${ser}" -keys "${key}" -x5cs "${chain}"
+cmc-signing-tool -in "${tmp}/device.description.${ser}" -out "${out}/device.description.${ser}" -keys "${key}" -x5cs "${chain}"

example-setup/update-full-simple

@@ -35,7 +35,7 @@ json=$(echo "${json}" | jq --argjson ver "${referenceValues}" '.referenceValues
 printf "%s\n" "${json}" > "${input}/rtm.manifest.json"
 
 # Parse the values of the OS PCRs from the kernel's binary bios measurements as reference values
-referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json -e)
+referenceValues=$(sudo parse-srtm-pcrs -p 8,9,12,13,14,15 -f json -e)
 
 # Replace existing reference values with new reference values in the RTM Manifest
 json=$(cat "${input}/os.manifest.json")
@@ -48,7 +48,6 @@ key="${data}/pki/signing-cert-key.pem"
 chain="${data}/pki/signing-cert.pem,${data}/pki/ca.pem"
 
 rm -rf "${tmp}"
-rm -rf "${out}"
 
 mkdir -p "${tmp}"
 mkdir -p "${out}"