Merge branch 'master' into rvbypass-fix

fido-device-onboard · Nov 13, 2023 · 06810c5 · 06810c5
2 parents dfb507b + 1ff59f9
commit 06810c5
Show file tree

Hide file tree

Showing 12 changed files with 244 additions and 32 deletions.
diff --git a/app/main.c b/app/main.c
@@ -229,10 +229,42 @@ int app_main(bool is_resale)
 {
 	fdo_sdk_service_info_module *module_info = NULL;
 	int ret = -1;
-
+	bool resale = false;
 	bool do_resale = false;
+	int strcmp_res = 0;
+
 	LOG(LOG_DEBUG, "Starting FIDO Device Onboard\n");
 
+	for (int index = 1; index < argc; index++) {
+		if (index + 1 < argc &&
+		    (!strcmp_s((char *)argv[index], DATA_CONTENT_SIZE, "-ip",
+			       &strcmp_res) &&
+		     !strcmp_res)) {
+			index++;
+			mfg_addr = argv[index];
+			use_mfg_addr_bin = false;
+		} else if (!strcmp_s((char *)argv[index], DATA_CONTENT_SIZE,
+				     "-ss", &strcmp_res) &&
+			   !strcmp_res) {
+#if defined SELF_SIGNED_CERTS_SUPPORTED
+			useSelfSignedCerts = true;
+#endif
+		} else if (!strcmp_s((char *)argv[index], DATA_CONTENT_SIZE,
+				     "-r", &strcmp_res) &&
+			   !strcmp_res) {
+			resale = true;
+		} else {
+			printf("Usage: linux-client -ip <http|https>://<mfg "
+			       "addr>:<port>\n"
+			       "\tif -ip not specified, manufacturer_addr.bin "
+			       "will be used\n"
+			       "\t-ss: specify if backend servers are using "
+			       "self-signed certificates\n"
+			       "\t-r: enable resale\n");
+			exit(1);
+		}
+	}
+
 #ifdef SECURE_ELEMENT
 	if (-1 == se_provisioning()) {
 		LOG(LOG_ERROR, "Provisioning Secure element failed!\n");
@@ -278,25 +310,15 @@ int app_main(bool is_resale)
 #endif
 
 #if defined TARGET_OS_LINUX
-	if (argc > 1 && *argv[1] == '1') {
+	if (resale == true) {
 		do_resale = true;
 	}
 #else
 	if (is_resale == true) {
 		do_resale = true;
 	}
 #endif
-#if defined SELF_SIGNED_CERTS_SUPPORTED
-	int strcmp_ss = 1;
-	int res = -1;
-
-	res = (int)strcmp_s((char *)argv[1], DATA_CONTENT_SIZE, "-ss",
-			    &strcmp_ss);
 
-	if (argc > 1 && (!res && !strcmp_ss)) {
-		useSelfSignedCerts = true;
-	}
-#endif
 	if (is_ownership_transfer(do_resale)) {
 		ret = 0;
 		goto end;

diff --git a/cmake/cli_input.cmake b/cmake/cli_input.cmake
@@ -30,6 +30,7 @@ set (TPM2_TCTI_TYPE tabrmd)
 set (RESALE true)
 set (REUSE true)
 set (MTLS false)
+set (GET_DEV_SERIAL false)
 
 #for CSE
 set (CSE_SHUTDOWN true)
@@ -855,3 +856,30 @@ endif()
 set(CACHED_MTLS ${MTLS} CACHE STRING "Selected MTLS")
 message("Selected MTLS ${MTLS}")
 ###########################################
+# FOR GET_DEV_SERIAL
+get_property(cached_get_dev_serial_value CACHE GET_DEV_SERIAL PROPERTY VALUE)
+
+set(get_dev_serial_cli_arg ${cached_get_dev_serial_value})
+if(get_dev_serial_cli_arg STREQUAL CACHED_GET_DEV_SERIAL)
+  unset(get_dev_serial_cli_arg)
+endif()
+
+set(get_dev_serial_app_cmake_lists ${GET_DEV_SERIAL})
+if(cached_get_dev_serial_value STREQUAL GET_DEV_SERIAL)
+  unset(get_dev_serial_app_cmake_lists)
+endif()
+
+if(DEFINED CACHED_GET_DEV_SERIAL)
+  if ((DEFINED get_dev_serial_cli_arg) AND (NOT(CACHED_GET_DEV_SERIAL STREQUAL get_dev_serial_cli_arg)))
+    message(WARNING "Need to do make pristine before cmake args can change.")
+  endif()
+  set(GET_DEV_SERIAL ${CACHED_GET_DEV_SERIAL})
+elseif(DEFINED get_dev_serial_cli_arg)
+  set(GET_DEV_SERIAL ${get_dev_serial_cli_arg})
+elseif(DEFINED get_dev_serial_app_cmake_lists)
+  set(GET_DEV_SERIAL ${get_dev_serial_app_cmake_lists})
+endif()
+
+set(CACHED_GET_DEV_SERIAL ${GET_DEV_SERIAL} CACHE STRING "Selected GET_DEV_SERIAL")
+message("Selected GET_DEV_SERIAL ${GET_DEV_SERIAL}")
+###########################################
diff --git a/cmake/extension.cmake b/cmake/extension.cmake
@@ -275,4 +275,8 @@ endif()
 if(${MTLS} STREQUAL true)
   client_sdk_compile_definitions(-DMTLS)
 endif()
+
+if(${GET_DEV_SERIAL} STREQUAL true)
+  client_sdk_compile_definitions(-DGET_DEV_SERIAL)
+endif()
 ############################################################
diff --git a/docs/build_conf.md b/docs/build_conf.md
@@ -89,7 +89,7 @@ server name in that list for SNI enablement to work as expected.
 ```
 Option to enable/disable mTLS connection:
 MTLS=true 	# mTLS connection enabled
-MTLS=false 	# mTLS connection disabled (default) 
+MTLS=false 	# mTLS connection disabled (default)
 
 Option to enable/disable Device credential resue and resale feature:
 REUSE=true            # Reuse feature enabled (default)
@@ -101,6 +101,10 @@ Option to enable/disable Error Recovery:
 RETRY=true            # Error Recovery enabled (default)
 RETRY=false           # Error Recovery disabled
 
+Option to get device serial from system BIOS table:
+GET_DEV_SERIAL=true            # get device serial enabled
+GET_DEV_SERIAL=false           # get device serial disabled (default)
+
 List of options to clean targets:
 pristine              # cleanup by remove generated files
 

diff --git a/docs/cse.md b/docs/cse.md
@@ -254,6 +254,10 @@ After a successful compilation, the Intel<sup>&reg;</sup> CSE enabled FDO Client
   ```shell
   sudo ./build/linux-client
   ```
+> ***NOTE***: Usage: `linux-client -ip <http|https>://<mfg addr>:<port>`
+        if -ip not specified, manufacturer_addr.bin will be used
+        `-ss`: specify if backend servers are using self-signed certificates
+        `-r`: enable resale
 > ***NOTE***: To do the DI again we need to clear the Device status from CSE storage.
 > To clear the storage, compile the code with "-DCSE_CLEAR=true" flag and then execute the following command
 ```shell

diff --git a/docs/linux.md b/docs/linux.md
@@ -1,5 +1,6 @@
 
 
+
 # Linux* OS
 The development and execution OS used was `Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO).
 
@@ -229,3 +230,8 @@ After a successful compilation, the FDO Client SDK Linux device executable can b
   ```shell
   ./build/linux-client
   ```
+
+> ***NOTE***: Usage: `linux-client -ip <http|https>://<mfg addr>:<port>`
+        if -ip not specified, manufacturer_addr.bin will be used
+        `-ss`: specify if backend servers are using self-signed certificates
+        `-r`: enable resale
diff --git a/docs/tpm.md b/docs/tpm.md
@@ -377,6 +377,10 @@ After a successful compilation, the FDO Client SDK Linux device executable can b
   ./build/linux-client
   ```
 > ***NOTE***:  linux-client may require elevated privileges. Please use 'sudo' to execute.
+> ***NOTE***: Usage: `linux-client -ip <http|https>://<mfg addr>:<port>`
+        if -ip not specified, manufacturer_addr.bin will be used
+        `-ss`: specify if backend servers are using self-signed certificates
+        `-r`: enable resale
 
 
 

diff --git a/include/fdo.h b/include/fdo.h
@@ -43,6 +43,9 @@ typedef enum {
 	FDO_STATE_ERROR
 } fdo_sdk_device_state;
 
+extern char *mfg_addr;
+extern bool use_mfg_addr_bin;
+
 #if defined(SELF_SIGNED_CERTS_SUPPORTED)
 extern bool useSelfSignedCerts;
 #endif

diff --git a/lib/fdo.c b/lib/fdo.c
@@ -55,6 +55,9 @@ static app_data_t *g_fdo_data = NULL;
 extern int g_argc;
 extern char **g_argv;
 
+char *mfg_addr = NULL;
+bool use_mfg_addr_bin = true;
+
 #if defined(DEVICE_CSE_ENABLED)
 TEEHANDLE fdo_cse_handle;
 #endif
@@ -1256,32 +1259,47 @@ static bool _STATE_DI(void)
 
 	fdo_prot_di_init(&g_fdo_data->prot, g_fdo_data->devcred);
 
-	fsize = fdo_blob_size((char *)MANUFACTURER_ADDR, FDO_SDK_RAW_DATA);
-	if (fsize > 0) {
-		buffer = fdo_alloc(fsize + 1);
-		if (buffer == NULL) {
-			LOG(LOG_ERROR, "malloc failed\n");
-			goto end;
-		}
+	if (use_mfg_addr_bin) {
+		fsize =
+		    fdo_blob_size((char *)MANUFACTURER_ADDR, FDO_SDK_RAW_DATA);
+		if (fsize > 0) {
+			buffer = fdo_alloc(fsize + 1);
+			if (buffer == NULL) {
+				LOG(LOG_ERROR, "malloc failed\n");
+				goto end;
+			}
 
-		if (fdo_blob_read((char *)MANUFACTURER_ADDR, FDO_SDK_RAW_DATA,
-				  (uint8_t *)buffer, fsize) == -1) {
-			LOG(LOG_ERROR, "Failed to read Manufacturer address\n");
-			goto end;
-		}
+			if (fdo_blob_read((char *)MANUFACTURER_ADDR,
+					  FDO_SDK_RAW_DATA, (uint8_t *)buffer,
+					  fsize) == -1) {
+				LOG(LOG_ERROR,
+				    "Failed to read Manufacturer address\n");
+				goto end;
+			}
 
-		buffer[fsize] = '\0';
+			buffer[fsize] = '\0';
 
-		if (!parse_manufacturer_address(buffer, fsize, &tls, &mfg_ip,
+			if (!parse_manufacturer_address(
+				buffer, fsize, &tls, &mfg_ip, mfg_dns,
+				sizeof(mfg_dns), &mfg_port)) {
+				LOG(LOG_ERROR, "Failed to parse Manufacturer "
+					       "Network address.\n");
+				goto end;
+			}
+		} else {
+			LOG(LOG_ERROR,
+			    "Manufacturer Network address file is empty.\n");
+			goto end;
+		}
+	} else {
+		fsize = strnlen_s(mfg_addr, FDO_MAX_STR_SIZE);
+		if (!parse_manufacturer_address(mfg_addr, fsize, &tls, &mfg_ip,
 						mfg_dns, sizeof(mfg_dns),
 						&mfg_port)) {
 			LOG(LOG_ERROR,
 			    "Failed to parse Manufacturer Network address.\n");
 			goto end;
 		}
-	} else {
-		LOG(LOG_ERROR, "Manufacturer Network address file is empty.\n");
-		goto end;
 	}
 
 	g_fdo_data->delaysec = default_delay;

diff --git a/lib/include/util.h b/lib/include/util.h
@@ -158,6 +158,11 @@ char *strdup_s(const char *str);
 /* Print timestamp */
 int print_timestamp(void);
 
+#if defined(GET_DEV_SERIAL)
+/* Get device serial number */
+int get_device_serial(char *str);
+#endif
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/lib/m-string.c b/lib/m-string.c
@@ -69,20 +69,73 @@ static int read_fill_modelserial(void)
 	uint8_t def_model_sz = 0;
 	size_t fsize = 0;
 
+#if defined(GET_DEV_SERIAL)
+	int strcmp_res = -1;
+	char temp_device_serial[MAX_DEV_SERIAL_SZ];
+	uint8_t temp_serial_sz = 0;
+
+	if (memset_s(temp_device_serial, sizeof(temp_device_serial), 0) != 0) {
+		LOG(LOG_ERROR, "Memset() failed!\n");
+		goto err;
+	}
+
+	ret = get_device_serial(temp_device_serial);
+	if (ret) {
+		LOG(LOG_ERROR, "Failed to get serial no.\n");
+	}
+
+	if (ret || (!strcmp_s((char *)temp_device_serial, MAX_DEV_SERIAL_SZ,
+			      "Not Specified\n", &strcmp_res) &&
+		    !strcmp_res)) {
+		LOG(LOG_DEBUG, "Defaulting serial num to 'abcdef'\n");
+		def_serial_sz = strnlen_s(DEF_SERIAL_NO, MAX_DEV_SERIAL_SZ);
+		if (!def_serial_sz || def_serial_sz == MAX_DEV_SERIAL_SZ) {
+			LOG(LOG_ERROR, "Default serial number string isn't "
+				       "NULL terminated\n");
+			goto err;
+		}
+
+		ret = strncpy_s(device_serial, MAX_DEV_SERIAL_SZ, DEF_SERIAL_NO,
+				def_serial_sz);
+		if (ret) {
+			LOG(LOG_ERROR, "Failed to copy serial no!\n");
+			goto err;
+		}
+	} else {
+		temp_serial_sz =
+		    strnlen_s(temp_device_serial, MAX_DEV_SERIAL_SZ);
+		if (!temp_serial_sz || temp_serial_sz == MAX_DEV_SERIAL_SZ) {
+			LOG(LOG_ERROR, "Default serial number string isn't "
+				       "NULL terminated\n");
+			goto err;
+		}
+
+		if (*temp_device_serial &&
+		    temp_device_serial[temp_serial_sz - 1] == '\n') {
+			temp_device_serial[temp_serial_sz - 1] = '\0';
+		}
+
+		ret = strncpy_s(device_serial, MAX_DEV_SERIAL_SZ,
+				temp_device_serial, temp_serial_sz);
+		if (ret) {
+			LOG(LOG_ERROR, "Failed to copy serial no!\n");
+			goto err;
+		}
+	}
+#else
 	fsize = fdo_blob_size((const char *)SERIAL_FILE, FDO_SDK_RAW_DATA);
 	if ((fsize > 0) && (fsize <= MAX_DEV_SERIAL_SZ)) {
 
 		if (fdo_blob_read((const char *)SERIAL_FILE, FDO_SDK_RAW_DATA,
 				  (uint8_t *)device_serial, fsize) <= 0) {
-
 			LOG(LOG_ERROR, "Failed to get serial no\n");
 			goto err;
 		}
 	} else {
 		if (fsize > MAX_DEV_SERIAL_SZ) {
 			LOG(LOG_INFO, "Serialno exceeds 255 characters. "
 				      "Defaulting it to 'abcdef'\n");
-		} else {
+		} else if (!fsize) {
 			LOG(LOG_INFO, "No serialno file present!\n");
 		}
 
@@ -100,6 +153,8 @@ static int read_fill_modelserial(void)
 			goto err;
 		}
 	}
+#endif
+	LOG(LOG_DEBUG, "Device serial = %s\n", device_serial);
 
 	fsize = fdo_blob_size((const char *)MODEL_FILE, FDO_SDK_RAW_DATA);
 	if ((fsize > 0) && (fsize <= MAX_MODEL_NO_SZ)) {