From 0f18baee3148a8d29a0f81722732fe1238f1f454 Mon Sep 17 00:00:00 2001 From: Shrikant Temburwar Date: Tue, 14 Nov 2023 11:16:03 +0530 Subject: [PATCH 1/5] Update OpenSSL version to v3.0.12 and curl version to v8.4.0 (#260) Signed-off-by: Shrikant Temburwar --- docs/cse.md | 36 +++++++++++++++++------------------ docs/linux.md | 32 +++++++++++++++---------------- docs/tpm.md | 36 +++++++++++++++++------------------ utils/install_openssl_curl.sh | 4 ++-- 4 files changed, 54 insertions(+), 54 deletions(-) diff --git a/docs/cse.md b/docs/cse.md index d60929bc..dcc4fc09 100644 --- a/docs/cse.md +++ b/docs/cse.md @@ -6,9 +6,9 @@ # Intel® CSE Implementation -The development and execution OS used was `Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO). +The development and execution OS used was `Ubuntu* OS version [20.04|22.04] / RHEL* OS version [8.4|8.6|8.8] / Debian 11.4` on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO). -The Intel® CSE (Intel® Converged Security Engine) enabled FDO Client SDK execution depends on OpenSSL* toolkit 3.0.8 version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. +The Intel® CSE (Intel® Converged Security Engine) enabled FDO Client SDK execution depends on OpenSSL* toolkit 3.0.12 version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. # Prerequisites for Intel® CSE support The system hardware should have the support for Intel® CSE FDO client with UUID: 125405e0-fca9-4110-8f88-b4dbcdcb876f 
@@ -16,13 +16,13 @@ The system hardware should have the support for Intel® CSE FDO cl The linux kernel should have the support to enable the Intel® CSE clients and have FDO in that list. This support is available in intel-next kernel version 5.9 onwards and is upstreamed in kernel.org version 6.2-rc7 onwards. ## 1. Packages Requirements when Building Binaries: -* For Ubuntu* OS version 20.04 or 22.04 / Debian 11.4: +* For Ubuntu* OS version [20.04|22.04] / Debian 11.4: ```shell sudo apt-get install build-essential python-setuptools clang-format dos2unix ruby \ libglib2.0-dev libpcap-dev autoconf libtool libproxy-dev doxygen cmake libssl-dev mercurial nghttp2 libnghttp2-dev ``` -* For RHEL* OS version 8.4 or 8.6: +* For RHEL* OS version [8.4|8.6|8.8]: ```shell sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm @@ -33,9 +33,9 @@ sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix rub ``` ## 2. Packages Requirements when Executing Binaries: -OpenSSL* toolkit version 3.0.8 +OpenSSL* toolkit version 3.0.12 GCC version > 7.5 -Curl version 8.1.2 +Curl version 8.4.0 Following steps will replace the existing versions of OpenSSL and Curl from the system. If you want to keep the existing versions then use [Installation-Script](../utils/install_openssl_curl.sh) script to install Openssl and Curl at a different location. > ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script @@ -46,7 +46,7 @@ Following steps will replace the existing versions of OpenSSL and Curl from the * Command to install OpenSSL and Curl ``` - sudo ./install_openssl_curl.sh -i -v 3.0.8 + sudo ./install_openssl_curl.sh -i -v 3.0.12 ``` #### Steps to remove the older curl packages 
@@ -59,15 +59,15 @@ Following steps will replace the existing versions of OpenSSL and Curl from the yum remove curl libcurl-devel ``` -#### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.8 +#### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.12 1. Pull the tarball: ``` - wget https://www.openssl.org/source/openssl-3.0.8.tar.gz + wget https://www.openssl.org/source/openssl-3.0.12.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf openssl-3.0.8.tar.gz && cd openssl-3.0.8 + tar -zxf openssl-3.0.12.tar.gz && cd openssl-3.0.12 ``` 3. Issue the command: ``` @@ -106,20 +106,20 @@ Issue the following command from the terminal: ``` Your output should be as follows: ``` - OpenSSL* 3.0.8 7 Feb 2023 + OpenSSL* 3.0.12 24 Oct 2023 ``` -#### Steps to install curl version 8.1.2 configured with openssl +#### Steps to install curl version 8.4.0 configured with openssl After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://curl.se/download/curl-8.1.2.tar.gz + wget https://curl.se/download/curl-8.4.0.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf curl-8.1.2.tar.gz && cd curl-8.1.2 + tar -zxf curl-8.4.0.tar.gz && cd curl-8.4.0 ``` 3. Issue the command to configure the curl with openssl and nghttp2: ``` @@ -142,7 +142,7 @@ Issue the following command from the terminal: ``` Your output should point to the openssl version which you installed. ``` - curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.8 zlib/1.2.11 + curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.12 zlib/1.2.11 ``` Alternatively, execute [Installation-Script](../utils/install_openssl_curl.sh) which can be used for both installation and uninstallation of OpenSSL and Curl. > ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl to /opt/ by default. To provide different path, modify these variables in the script 
@@ -153,15 +153,15 @@ Alternatively, execute [Installation-Script](../utils/install_openssl_curl.sh) * Command to install OpenSSL and Curl ``` - sudo ./install_openssl_curl.sh -i -v 3.0.8 + sudo ./install_openssl_curl.sh -i -v 3.0.12 ``` * Command to uninstall OpenSSL ``` - sudo ./install_openssl_curl.sh -u -v 3.0.8 + sudo ./install_openssl_curl.sh -u -v 3.0.12 ``` -Note 1: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 8.1.2 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples. +Note 1: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 8.4.0 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples. Single IP address example: no_proxy="10.60.132.45/32" Two IP addresses example: no_proxy="10.60.132.45/32,10.60.132.46/32" diff --git a/docs/linux.md b/docs/linux.md index e102225d..5c10d2df 100644 --- a/docs/linux.md +++ b/docs/linux.md 
@@ -2,18 +2,18 @@ # Linux* OS -The development and execution OS used was `Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO). +The development and execution OS used was `Ubuntu* OS version [20.04|22.04] / RHEL* OS version [8.4|8.6|8.8] / Debian 11.4` on x86. Follow these steps to compile and execute FIDO Device Onboard (FDO). -The FDO Client SDK execution depends on OpenSSL* toolkit 3.0.8 version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. +The FDO Client SDK execution depends on OpenSSL* toolkit 3.0.12 version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. ## 1. Packages Requirements when Building Binaries: -* For Ubuntu* OS version 20.04 or 22.04 / Debian 11.4: +* For Ubuntu* OS version [20.04|22.04] / Debian 11.4: ```shell sudo apt-get install build-essential python-setuptools clang-format dos2unix ruby \ libglib2.0-dev libpcap-dev autoconf libtool libproxy-dev doxygen cmake mercurial nghttp2 libnghttp2-dev ``` -* For RHEL* OS version 8.4 or 8.6: +* For RHEL* OS version [8.4|8.6|8.8]: ```shell sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm 
@@ -24,9 +24,9 @@ sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix rub ``` ## 2. Packages Requirements when Executing Binaries: -OpenSSL* toolkit version 3.0.8 +OpenSSL* toolkit version 3.0.12 GCC version > 7.5 -Curl version 8.1.2 +Curl version 8.4.0 Following steps will replace the existing versions of OpenSSL and Curl from the system. If you want to keep the existing versions then use [Installation-Script](../utils/install_openssl_curl.sh) script to install Openssl and Curl at a different location. > ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script @@ -37,7 +37,7 @@ Following steps will replace the existing versions of OpenSSL and Curl from the * Command to install OpenSSL and Curl ``` - sudo ./install_openssl_curl.sh -i -v 3.0.8 + sudo ./install_openssl_curl.sh -i -v 3.0.12 ``` #### Steps to remove the older OpenSSL and curl packages @@ -55,15 +55,15 @@ Following steps will replace the existing versions of OpenSSL and Curl from the sudo yum remove libcurl-devel openssl-devel ``` -#### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.8 +#### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.12 1. Pull the tarball: ``` - wget https://www.openssl.org/source/openssl-3.0.8.tar.gz + wget https://www.openssl.org/source/openssl-3.0.12.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf openssl-3.0.8.tar.gz && cd openssl-3.0.8 + tar -zxf openssl-3.0.12.tar.gz && cd openssl-3.0.12 ``` 3. Issue the command: ``` 
@@ -103,20 +103,20 @@ Issue the following command from the terminal: ``` Your output should be as follows: ``` - OpenSSL* 3.0.8 7 Feb 2023 + OpenSSL* 3.0.12 24 Oct 2023 ``` -#### Steps to install curl version 8.1.2 configured with openssl +#### Steps to install curl version 8.4.0 configured with openssl After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://curl.se/download/curl-8.1.2.tar.gz + wget https://curl.se/download/curl-8.4.0.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf curl-8.1.2.tar.gz && cd curl-8.1.2 + tar -zxf curl-8.4.0.tar.gz && cd curl-8.4.0 ``` 3. Issue the command to configure the curl with openssl and nghttp2: ``` @@ -139,9 +139,9 @@ Issue the following command from the terminal: ``` Your output should point to the openssl version which you installed. ``` - curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.8 zlib/1.2.11 + curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.12 zlib/1.2.11 ``` -Note 1: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 8.1.2 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples. +Note 1: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses along with curl 8.4.0 in your setup, ensure to use CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) as given in below examples. Single IP address example: no_proxy="10.60.132.45/32" Two IP addresses example: no_proxy="10.60.132.45/32,10.60.132.46/32" diff --git a/docs/tpm.md b/docs/tpm.md index 4d9143ed..ea6a3618 100644 --- a/docs/tpm.md +++ b/docs/tpm.md 
@@ -8,19 +8,19 @@ # Linux* TPM* Implementation -`Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version 8.4 or 8.6 / Debian 11.4` on x86 was used as a development and execution OS. Follow these steps to compile and execute FIDO Device Onboard (FDO). +`Ubuntu* OS version 20.04 or 22.04 / RHEL* OS version [8.4|8.6|8.8] / Debian 11.4` on x86 was used as a development and execution OS. Follow these steps to compile and execute FIDO Device Onboard (FDO). -The FDO Client SDK execution depends on OpenSSL* toolkit 3.0.8 version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. +The FDO Client SDK execution depends on OpenSSL* toolkit 3.0.12 version. Users must install or upgrade the toolkit before compilation if the toolkit is not available by default in the environment. ## 1. Packages Requirements when Building Binaries with TPM* 2.0: -* For Ubuntu* OS version 20.04 or 22.04 / Debian 11.4: +* For Ubuntu* OS version [20.04|22.04] / Debian 11.4: ```shell sudo apt-get install build-essential python-setuptools clang-format dos2unix ruby \ libglib2.0-dev libpcap-dev autoconf libtool libproxy-dev doxygen cmake mercurial nghttp2 libnghttp2-dev ``` -* For RHEL* OS version 8.4 or 8.6: +* For RHEL* OS version [8.4|8.6|8.8]: ```shell sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm 
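Review bot: the first paragraph of the docs/tpm.md hunk keeps the old wording `Ubuntu* OS version 20.04 or 22.04` while the same hunk switches RHEL to the `[8.4|8.6|8.8]` bracket form and the cse.md and linux.md hunks in this patch convert Ubuntu to `[20.04|22.04]`; use one notation in all three files so the supported-version line can be grepped consistently.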
@@ -30,10 +30,10 @@ sudo yum -y install gcc gcc-c++ python3-setuptools git-clang-format dos2unix rub glib2-devel libpcap-devel autoconf libtool libproxy-devel mozjs52-devel doxygen cmake make mercurial nghttp2 libnghttp2-devel ``` -OpenSSL* toolkit version 3.0.8. -Curl version 8.1.2 +OpenSSL* toolkit version 3.0.12. +Curl version 8.4.0 -#### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.8 +#### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.12 Following steps will replace the existing versions of OpenSSL and Curl from the system. If you want to keep the existing versions then use [Installation-Script](../utils/install_openssl_curl.sh) script to install Openssl and Curl at a different location. > ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script @@ -44,7 +44,7 @@ Following steps will replace the existing versions of OpenSSL and Curl from the * Command to install OpenSSL and Curl ``` - sudo ./install_openssl_curl.sh -i -v 3.0.8 + sudo ./install_openssl_curl.sh -i -v 3.0.12 ``` 1. If libssl-dev, curl and libcurl are installed, uninstall it: @@ -61,11 +61,11 @@ Following steps will replace the existing versions of OpenSSL and Curl from the ``` 2. Pull the tarball: ``` - wget https://www.openssl.org/source/openssl-3.0.8.tar.gz + wget https://www.openssl.org/source/openssl-3.0.12.tar.gz ``` 3. Unpack the tarball with: ``` - tar -zxf openssl-3.0.8.tar.gz && cd openssl-3.0.8 + tar -zxf openssl-3.0.12.tar.gz && cd openssl-3.0.12 ``` 4. Issue the command: ``` 
@@ -104,20 +104,20 @@ Issue the following command from the terminal: ``` Your output should be as follows: ``` - OpenSSL* 3.0.8 7 Feb 2023 + OpenSSL* 3.0.12 24 Oct 2023 ``` -#### Steps to install curl version 8.1.2 configured with openssl +#### Steps to install curl version 8.4.0 configured with openssl After installing openssl, proceed with the installation of curl. 1. Pull the tarball: ``` - wget https://curl.se/download/curl-8.1.2.tar.gz + wget https://curl.se/download/curl-8.4.0.tar.gz ``` 2. Unpack the tarball with: ``` - tar -zxf curl-8.1.2.tar.gz && cd curl-8.1.2 + tar -zxf curl-8.4.0.tar.gz && cd curl-8.4.0 ``` 3. Issue the command to configure the curl with openssl and nghttp2: ``` @@ -140,10 +140,10 @@ Issue the following command from the terminal: ``` Your output should point to the openssl version which you installed. ``` - curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.8 zlib/1.2.11 + curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.12 zlib/1.2.11 ``` -Note 1: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses, it may not work with curl 8.1.2. Workaround for this is to ensure the no_proxy IP is specified in CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) +Note 1: If you are using no_proxy environment variable to exclude proxying for any FDO server IP addresses, it may not work with curl 8.4.0. Workaround for this is to ensure the no_proxy IP is specified in CIDR notation (https://datatracker.ietf.org/doc/html/rfc1519) Single IP address example: no_proxy="10.60.132.45/32" Two IP addresses example: no_proxy="10.60.132.45/32,10.60.132.46/32" @@ -434,12 +434,12 @@ Use the tpm2_evictcontrol command to delete the content or clear TPM* from the B ``` - OpenSSL* Toolkit Library Linking Related Error While Building FDO Client SDK.
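Review bot: the `Note 1` in the docs/tpm.md hunk still says `no_proxy` "may not work with curl 8.4.0" and presents CIDR notation as a workaround, whereas the corresponding notes in the cse.md and linux.md hunks of this same patch state CIDR notation as the required form; only the version number was bumped here. Reuse the cse.md/linux.md sentence so the three guides give the same instruction, otherwise a reader of tpm.md will assume a curl bug rather than a configuration requirement.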
- There is a dependency on the OpenSSL* toolkit version 3.0.8 for building and running the FDO Client SDK. + There is a dependency on the OpenSSL* toolkit version 3.0.12 for building and running the FDO Client SDK. Check the version of the OpenSSL* toolkit installed in your machine with the command ```shell openssl version ``` - If the OpenSSL* toolkit version in your machine is earlier than version 3.0.8, follow the steps given in section 1 to update the OpenSSL* version to 3.0.8. + If the OpenSSL* toolkit version in your machine is earlier than version 3.0.12, follow the steps given in section 1 to update the OpenSSL* version to 3.0.12. diff --git a/utils/install_openssl_curl.sh b/utils/install_openssl_curl.sh index eb4752ef..9ad258b6 100644 --- a/utils/install_openssl_curl.sh +++ b/utils/install_openssl_curl.sh @@ -1,7 +1,7 @@ OPENSSL_ROOT=/opt/openssl CURL_ROOT=/opt/curl -CURL_VER="8.1.2" -CURL_LINK="https://curl.se/download/curl-8.1.2.tar.gz --no-check-certificate" +CURL_VER="8.4.0" +CURL_LINK="https://curl.se/download/curl-8.4.0.tar.gz --no-check-certificate" PARENT_DIR=`pwd` cd $PARENT_DIR From 691f8a41b69faaa5a97a6d6f11b224f3a9667dc1 Mon Sep 17 00:00:00 2001 From: Shrikant Temburwar Date: Tue, 21 Nov 2023 12:40:02 +0530 Subject: [PATCH 2/5] Add input validation in get_device_serial() function (#263) Add input validation in get_device_serial() function Add const to char *cmd Signed-off-by: Shrikant Temburwar --- storage/util.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/storage/util.c b/storage/util.c index 942f1c1a..5cacfadb 100644 --- a/storage/util.c +++ b/storage/util.c 
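Review bot: the `CURL_LINK` line in the utils/install_openssl_curl.sh hunk keeps `--no-check-certificate` appended to the download URL, so the curl tarball is fetched without TLS certificate verification, and nothing in the visible script compares a digest of the archive before it is built and installed as the TLS client the FDO code will link against. Since this hunk only bumps the version string, it is the right moment to drop `--no-check-certificate` and add a SHA-256 comparison against the value published with the 8.4.0 release (taken from the release page, not hard-coded by guess), aborting the install on mismatch. The same applies to the `wget https://www.openssl.org/source/openssl-3.0.12.tar.gz` step in the three docs hunks above, which also installs an unverified archive.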
@@ -323,11 +323,18 @@ int print_timestamp(void) } #if defined(GET_DEV_SERIAL) -// Get device serial number +/** + * Internal API + * Get device serial number from system BIOS table + * */ int get_device_serial(char *serial_buff) { + if (!serial_buff) { + return -1; + } + FILE *fp; - char *cmd = "dmidecode -s system-serial-number"; + const char *cmd = "dmidecode -s system-serial-number"; int out_sz; char out[MAX_DEV_SERIAL_SZ]; int results_sz = 0; From 809bef40c332865f6964f58a91423dfeb64f9e16 Mon Sep 17 00:00:00 2001 From: Shrikant Temburwar Date: Wed, 22 Nov 2023 10:08:12 +0530 Subject: [PATCH 3/5] Add a check to ensure the response message type is valid or not (#262) * Add a check to ensure the response message type is valid or not. * Update msglen to 0 incase of invalid message type Signed-off-by: Shrikant Temburwar --- lib/fdoprotctx.c | 11 ++++++++-- network/include/network_al.h | 2 +- network/network_if_linux.c | 40 ++++++++++++++++++------------------ 3 files changed, 30 insertions(+), 23 deletions(-) diff --git a/lib/fdoprotctx.c b/lib/fdoprotctx.c index 9eed6cba..8c41e7af 100644 --- a/lib/fdoprotctx.c +++ b/lib/fdoprotctx.c @@ -339,12 +339,14 @@ int fdo_prot_ctx_run(fdo_prot_ctx_t *prot_ctx) if (memset_s(hdr_buf, REST_MAX_MSGHDR_SIZE, 0) != 0) { LOG(LOG_ERROR, "Memset() failed!\n"); - return false; + ret = -1; + break; } if (memset_s(body_buf, REST_MAX_MSGBODY_SIZE, 0) != 0) { LOG(LOG_ERROR, "Memset() failed!\n"); - return false; + ret = -1; + break; } n = -1; @@ -396,6 +398,11 @@ int fdo_prot_ctx_run(fdo_prot_ctx_t *prot_ctx) break; } + if ((fdor->msg_type < FDO_DI_APP_START) || + (fdor->msg_type > FDO_TYPE_ERROR)) { + msglen = 0; + } + // clear the block contents in preparation for the next FDOR // read operation fdo_block_reset(&fdor->b); diff --git a/network/include/network_al.h b/network/include/network_al.h index b8304d63..b5b83be5 100644 --- a/network/include/network_al.h +++ b/network/include/network_al.h 
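Review bot: the NULL check added to `get_device_serial()` in the storage/util.c hunk rejects a missing buffer, but the signature still takes only `char *serial_buff` with no length, so the function has no way to bound what it copies into the caller's buffer and the caller has no documented contract. At minimum the new doc comment should state the size the caller must provide (the local buffer in the hunk is `char out[MAX_DEV_SERIAL_SZ]`, which suggests that constant); better, add a `size_t serial_buff_sz` parameter and test it together with the NULL check. Also the comment block closes with `* */` on its own line; the conventional form is `*/`.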
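Review bot: the range check added in the lib/fdoprotctx.c hunk treats `fdor->msg_type > FDO_TYPE_ERROR` as invalid, so `FDO_TYPE_ERROR` itself is accepted, whereas the companion check in the network/network_if_linux.c hunk of this same patch uses `message_type < FDO_TYPE_ERROR` and excludes it; choose one boundary and use it in both places. When `msglen` is zeroed, nothing is logged, so an unexpected type coming back from the server leaves no trace; add a `LOG(LOG_ERROR, ...)` with the rejected value, consistent with the surrounding error paths. The change from `return false` to `ret = -1; break;` on the two `memset_s` failures is a genuine fix, since `false` is 0 and is indistinguishable from the success return of this `int` function.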
@@ -116,7 +116,7 @@ int32_t fdo_con_parse_msg_header(uint32_t *protocol_version, int32_t fdo_con_parse_msg_body(uint8_t *buf, size_t length, char *body_buf); /* - * Send(write) data. + * Send(write) and receive(read) data. * * @param[in] protocol_version: FDO protocol version * @param[in] message_type: message type of outgoing FDO message. diff --git a/network/network_if_linux.c b/network/network_if_linux.c index 47658b85..ba47c3f9 100644 --- a/network/network_if_linux.c +++ b/network/network_if_linux.c @@ -471,8 +471,7 @@ int32_t fdo_curl_connect(fdo_ip_address_t *ip_addr, const char *dn, curlCode = curl_easy_setopt(curl, CURLOPT_URL, url); if (curlCode != CURLE_OK) { - LOG(LOG_ERROR, - "CURL_ERROR: Unable to pass url.\n"); + LOG(LOG_ERROR, "CURL_ERROR: Unable to pass url.\n"); goto err; } @@ -830,12 +829,13 @@ int32_t fdo_con_parse_msg_body(uint8_t *buf, size_t length, char *body_buf) /** * Send and Receive data. - * - * @param protocol_version - FDO protocol version - * @param message_type - message type of outgoing FDO message. - * @param buf - data buffer to write from. - * @param length - Number of sent bytes. - * @param tls: flag describing whether HTTP (false) or HTTPS (true) is + * @param[in] protocol_version: FDO protocol version + * @param[in] message_type: message type of outgoing FDO message. + * @param[in] buf: data buffer to write from. + * @param[in] length: Number of sent bytes. + * @param[in] tls: flag describing whether HTTP (false) or HTTPS (true) is + * @param[in] header_buf: header data buffer to read into msg received by curl. + * @param[in] body_buf: body data buffer to read into msg received by curl. * @retval -1 on failure, 0 on success. */ int32_t fdo_con_send_recv_message(uint32_t protocol_version, 
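Review bot: in the doc-comment hunk of `fdo_con_send_recv_message()` (network/network_if_linux.c), `header_buf` and `body_buf` are tagged `@param[in]` but are described as buffers "to read into", that is, outputs; tag them `@param[out]`. The rewritten `tls` line still ends mid-sentence ("HTTP (false) or HTTPS (true) is"), and since this hunk already rewrites that line it should finish it. The same parameter tags presumably appear in the network_al.h declaration whose summary line is changed in the hunk above; keep the two comments identical.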
@@ -893,8 +893,7 @@ int32_t fdo_con_send_recv_message(uint32_t protocol_version, curlCode = curl_easy_setopt(curl, CURLOPT_SSLKEY, (char *)SSL_KEY); if (curlCode != CURLE_OK) { - LOG(LOG_ERROR, - "CURL_ERROR: Unable to select client key.\n"); + LOG(LOG_ERROR, "CURL_ERROR: Unable to select client key.\n"); goto err; } #endif @@ -925,8 +924,7 @@ int32_t fdo_con_send_recv_message(uint32_t protocol_version, curlCode = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, buf); if (curlCode != CURLE_OK) { - LOG(LOG_ERROR, - "CURL_ERROR: Unable to pass POST data.\n"); + LOG(LOG_ERROR, "CURL_ERROR: Unable to pass POST data.\n"); goto err; } @@ -957,8 +955,7 @@ int32_t fdo_con_send_recv_message(uint32_t protocol_version, curlCode = curl_easy_setopt(curl, CURLOPT_HEADERDATA, (void *)&temp_header_buf); if (curlCode != CURLE_OK) { - LOG(LOG_ERROR, - "CURL_ERROR: Unable to pass header buffer.\n"); + LOG(LOG_ERROR, "CURL_ERROR: Unable to pass header buffer.\n"); goto err; } @@ -973,8 +970,7 @@ int32_t fdo_con_send_recv_message(uint32_t protocol_version, curlCode = curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&temp_body_buf); if (curlCode != CURLE_OK) { - LOG(LOG_ERROR, - "CURL_ERROR: Unable to pass body buffer.\n"); + LOG(LOG_ERROR, "CURL_ERROR: Unable to pass body buffer.\n"); goto err; } @@ -1005,10 +1001,14 @@ int32_t fdo_con_send_recv_message(uint32_t protocol_version, goto err; } - if (memcpy_s(body_buf, temp_body_buf.size, temp_body_buf.memory, - temp_body_buf.size)) { - LOG(LOG_ERROR, "Failed to copy msg data in byte array\n"); - goto err; + if ((message_type >= FDO_DI_APP_START) && + (message_type < FDO_TYPE_ERROR)) { + if (memcpy_s(body_buf, temp_body_buf.size, temp_body_buf.memory, + temp_body_buf.size)) { + LOG(LOG_ERROR, + "Failed to copy msg data in byte array\n"); + goto err; + } } ret = 0; From 4de26a72a0e6cc804e11968da30e094437067779 Mon Sep 17 00:00:00 2001 
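Review bot: the gate placed around `memcpy_s` in the last network/network_if_linux.c hunk tests `message_type`, which this function's own doc comment defines as the type of the outgoing message, so whether the received body is copied into `body_buf` now depends on what was sent, not on what came back; the response type is what the fdoprotctx.c hunk of this patch validates as `fdor->msg_type`. If the aim is to refuse to send an out-of-range request type, the check belongs before the POST; if the aim is to discard unexpected responses, it needs the parsed response type. In either case, when the condition is false execution still falls through to `ret = 0`, so the caller receives success with `body_buf` untouched and cannot tell "empty body" from "body dropped"; log and return an error instead. The bound `< FDO_TYPE_ERROR` also differs from the `> FDO_TYPE_ERROR` test in fdoprotctx.c. The five LOG-reflow hunks in this file are whitespace-only and unrelated to the fix; they would be easier to review as a separate commit.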
From: Shrikant Temburwar Date: Fri, 24 Nov 2023 18:45:49 +0530 Subject: [PATCH 4/5] Disable setting "Expect 100" in request header when request data size is larger than 1024 bytes (#264) Curl automatically sets it when the request is a POST and the data size is larger than 1024 bytes. Requests with the Expect: 100-Continue header have an increased probability of becoming separated from one another, and hence returning with an error. It can be disabled via setting the Expect: header to the empty string. Signed-off-by: Shrikant Temburwar --- network/network_if_linux.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/network/network_if_linux.c b/network/network_if_linux.c index ba47c3f9..d559bc68 100644 --- a/network/network_if_linux.c +++ b/network/network_if_linux.c @@ -877,6 +877,10 @@ int32_t fdo_con_send_recv_message(uint32_t protocol_version, goto err; } + if (length > REST_MAX_MSGHDR_SIZE) { + msg_header = curl_slist_append(msg_header, "Expect:"); + } + curlCode = curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 0L); if (curlCode != CURLE_OK) { LOG(LOG_ERROR, "CURL_ERROR: Could not disable connect only.\n"); From ed6e092acd2ae9e08e273357625fc2300fb5f653 Mon Sep 17 00:00:00 2001 From: Shrikant Temburwar Date: Tue, 28 Nov 2023 11:23:50 +0530 Subject: [PATCH 5/5] Fix typos and text formatting in readmes (#265) Signed-off-by: Shrikant Temburwar --- docs/cse.md | 28 +++++++++++++++++----------- docs/linux.md | 28 ++++++++++++++++------------ docs/tpm.md | 32 ++++++++++++++++++-------------- 3 files changed, 51 insertions(+), 37 deletions(-) diff --git a/docs/cse.md b/docs/cse.md index dcc4fc09..029559c7 100644 --- a/docs/cse.md +++ b/docs/cse.md 
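Review bot: the `Expect:` suppression added to `fdo_con_send_recv_message()` keys off `REST_MAX_MSGHDR_SIZE`, a header-size limit, while the commit message describes curl's 1024-byte POST threshold; unless that constant happens to equal 1024 the condition is either inert or fires for bodies curl would not add `Expect: 100-continue` to anyway. An empty `Expect:` header is harmless for small bodies, so appending it unconditionally is simpler and removes the coupling. Also `curl_slist_append()` returns NULL on allocation failure, and here its result overwrites `msg_header` unchecked, which would leak the list built so far and hand a NULL list to curl; check the return value the way the surrounding `curlCode != CURLE_OK` blocks do, for example `if (!tmp) { LOG(LOG_ERROR, ...); goto err; }`.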
@@ -38,8 +38,8 @@ GCC version > 7.5 Curl version 8.4.0 Following steps will replace the existing versions of OpenSSL and Curl from the system. If you want to keep the existing versions then use [Installation-Script](../utils/install_openssl_curl.sh) script to install Openssl and Curl at a different location. -> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script -> OPENSSL_ROOT=/opt/openssl +> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script +> OPENSSL_ROOT=/opt/openssl > CURL_ROOT=/opt/curl > **Script usage command** @@ -145,8 +145,8 @@ Issue the following command from the terminal: curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.12 zlib/1.2.11 ``` Alternatively, execute [Installation-Script](../utils/install_openssl_curl.sh) which can be used for both installation and uninstallation of OpenSSL and Curl. -> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl to /opt/ by default. To provide different path, modify these variables in the script -> OPENSSL_ROOT=/opt/openssl +> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl to /opt/ by default. To provide different path, modify these variables in the script +> OPENSSL_ROOT=/opt/openssl > CURL_ROOT=/opt/curl **Script usage command** 
@@ -219,12 +219,12 @@ make pristine cmake -DDA=cse_ecdsa384 . make -j$(nproc) ``` -> ***NOTE***: To run with mTLS connection, +> ***NOTE***: To run with mTLS connection, > 1. Compile the code with `-DMTLS=true` flag. > 2. If signing with external CA, copy CA cert and CA key to `data` folder. -> 3. Execute `bash utlils/user_csr_req.sh .` +> 3. Execute `bash utils/user_csr_req.sh .` > This will generate client CSR and private key. -> +> Refer to the section [FDO Build configurations](build_conf.md) for more build options. @@ -254,10 +254,16 @@ After a successful compilation, the Intel® CSE enabled FDO Client ```shell sudo ./build/linux-client ``` -> ***NOTE***: Usage: `linux-client -ip ://:` - if -ip not specified, manufacturer_addr.bin will be used - `-ss`: specify if backend servers are using self-signed certificates - `-r`: enable resale + +> ***NOTE***: Usage: +> +> ``` +>./build/linux-client -ip ://: +>if -ip not specified, manufacturer_addr.bin will be used +>-ss: specify if backend servers are using self-signed certificates +>-r: enable resale +>``` +> > ***NOTE***: To do the DI again we need to clear the Device status from CSE storage. > To clear the storage, compile the code with "-DCSE_CLEAR=true" flag and then execute the following command ```shell diff --git a/docs/linux.md b/docs/linux.md index 5c10d2df..160bcef8 100644 --- a/docs/linux.md +++ b/docs/linux.md 
@@ -29,8 +29,8 @@ GCC version > 7.5 Curl version 8.4.0 Following steps will replace the existing versions of OpenSSL and Curl from the system. If you want to keep the existing versions then use [Installation-Script](../utils/install_openssl_curl.sh) script to install Openssl and Curl at a different location. -> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script -> OPENSSL_ROOT=/opt/openssl +> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script +> OPENSSL_ROOT=/opt/openssl > CURL_ROOT=/opt/curl > **Script usage command** @@ -54,7 +54,7 @@ Following steps will replace the existing versions of OpenSSL and Curl from the ``` sudo yum remove libcurl-devel openssl-devel ``` - + #### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.12 1. Pull the tarball: @@ -69,7 +69,7 @@ Following steps will replace the existing versions of OpenSSL and Curl from the ``` ./config --libdir=/usr/local/lib ``` - + 4. Issue the command: ``` make 
@@ -191,15 +191,15 @@ cmake . make bash utils/keys_gen.sh . ``` -> ***NOTE***: [Keys_Gen](../utils/keys_gen.sh) script will use OpenSSL from `/opt/` by default. To provide a different path, use `which openssl` command to get the exact path of OpenSSL and modify this variable in the script +> ***NOTE***: [Keys_Gen](../utils/keys_gen.sh) script will use OpenSSL from `/opt/` by default. To provide a different path, use `which openssl` command to get the exact path of OpenSSL and modify this variable in the script > OPENSSL3_BIN=/opt/openssl/bin (can be /usr/bin or /usr/local/bin) > -> ***NOTE***: To run with mTLS connection, +> ***NOTE***: To run with mTLS connection, > 1. Compile the code with `-DMTLS=true` flag. > 2. If signing with external CA, copy CA cert and CA key to `data` folder. -> 3. Execute `bash utlils/user_csr_req.sh .` +> 3. Execute `bash utils/user_csr_req.sh .` > This will generate client CSR and private key. -> +> Several other options to choose when building the device are, but not limited to, the following: device-attestation (DA) methods, Advanced Encryption Standard (AES) encryption modes (AES_MODE), and underlying cryptography library to use (TLS). Refer to the section. [FDO Build configurations](build_conf.md) @@ -231,7 +231,11 @@ After a successful compilation, the FDO Client SDK Linux device executable can b ./build/linux-client ``` -> ***NOTE***: Usage: `linux-client -ip ://:` - if -ip not specified, manufacturer_addr.bin will be used - `-ss`: specify if backend servers are using self-signed certificates - `-r`: enable resale +> ***NOTE***: Usage: +> +> ``` +>./build/linux-client -ip ://: +>if -ip not specified, manufacturer_addr.bin will be used +>-ss: specify if backend servers are using self-signed certificates +>-r: enable resale +>``` diff --git a/docs/tpm.md b/docs/tpm.md index ea6a3618..db262774 100644 --- a/docs/tpm.md +++ b/docs/tpm.md 
@@ -36,10 +36,10 @@ Curl version 8.4.0 #### Steps to Upgrade the OpenSSL* Toolkit to Version 3.0.12 Following steps will replace the existing versions of OpenSSL and Curl from the system. If you want to keep the existing versions then use [Installation-Script](../utils/install_openssl_curl.sh) script to install Openssl and Curl at a different location. -> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script -> OPENSSL_ROOT=/opt/openssl +> ***NOTE***: [Installation-Script](../utils/install_openssl_curl.sh) will install OpenSSL and Curl at /opt/ by default. To provide different path, modify these variables in the script +> OPENSSL_ROOT=/opt/openssl > CURL_ROOT=/opt/curl -> +> **Script usage command** * Command to install OpenSSL and Curl @@ -194,8 +194,8 @@ CURL_INCLUDE=/opt/curl/include (can be /usr/include or /usr/local/include) OPENSSL3_LIB=/opt/openssl/lib64 (can be /usr/lib or /usr/local/lib or /usr/lib/x86_64-linux-gnu) CURL_LIB=/opt/curl/lib (can be /usr/lib or /usr/local/lib or /usr/lib/x86_64-linux-gnu) * **On RHEL\* OS version 8.4 or 8.6:** -> ***NOTE***: Use [TPM-Library-Installation-Script-RHEL](../utils/install_tpm_libs_rhel.sh) for RHEL 8.4 or 8.6. -> Before executing [TPM-Library-Installation-Script-RHEL](../utils/install_tpm_libs_rhel.sh), make sure OpenSSL v3 and Curl is installed on the system (at /usr/local/ path). Use steps in section 1 to install OpenSSL and Curl on the system. +> ***NOTE***: Use [TPM-Library-Installation-Script-RHEL](../utils/install_tpm_libs_rhel.sh) for RHEL 8.4 or 8.6. +> Before executing [TPM-Library-Installation-Script-RHEL](../utils/install_tpm_libs_rhel.sh), make sure OpenSSL v3 and Curl is installed on the system (at /usr/local/ path). Use steps in section 1 to install OpenSSL and Curl on the system. ```shell sudo ./install_tpm_libs_rhel.sh -h ``` 
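Review bot: the docs/tpm.md hunk at the `On RHEL* OS version 8.4 or 8.6` section only strips trailing whitespace, while the heading and the two NOTE lines still name 8.4 or 8.6 even though patch 1/5 of this series added 8.8 to the supported RHEL list in the same file; either add 8.8 here as well or state explicitly that the TPM library installation script is not validated on 8.8.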
@@ -328,12 +328,12 @@ make pristine cmake -DDA=tpm20_ecdsa256 -DTPM2_TCTI_TYPE=tpmrm0 . make -j$(nproc) ``` -> ***NOTE***: To run with mTLS connection, +> ***NOTE***: To run with mTLS connection, > 1. Compile the code with `-DMTLS=true` flag. > 2. If signing with external CA, copy CA cert and CA key to `data` folder. -> 3. Execute `bash utlils/user_csr_req.sh .` +> 3. Execute `bash utils/user_csr_req.sh .` > This will generate client CSR and private key. -> +> Several other options to choose when building the device are, but not limited to, the following: device-attestation (DA) methods, Advanced Encryption Standard (AES) encryption modes (AES_MODE), and underlying cryptography library to use (TLS). Refer to the section [FDO Build configurations](build_conf.md) @@ -361,7 +361,7 @@ After a successful compilation, the FDO Client SDK Linux device executable can b ``` > ***NOTE 1***: [TPM Make Ready](../utils/tpm_make_ready_ecdsa.sh) script will use OpenSSL from `/opt/` by default. To provide a different path, use `which openssl` command to get the exact path of OpenSSL and modify this variable in the script > OPENSSL3_BIN=/opt/openssl/bin (can be /usr/bin or /usr/local/bin) -> +> > ***NOTE 2***: Some platforms do not have the support for ECDSA 384 in TPM. [TPM Make Ready](../utils/tpm_make_ready_ecdsa.sh) script with option "-e 384" will fail in those platforms. Please use ECDSA 256 in that case. > - Once the TPM* make ready script is executed successfully, the device is now initialized with the credentials and is ready for ownership transfer. To run the device against the FDO PRI Manufacturer for the DI protocol, do the following: 
@@ -376,13 +376,17 @@ After a successful compilation, the FDO Client SDK Linux device executable can b ```shell ./build/linux-client ``` -> ***NOTE***: linux-client may require elevated privileges. Please use 'sudo' to execute. -> ***NOTE***: Usage: `linux-client -ip ://:` - if -ip not specified, manufacturer_addr.bin will be used - `-ss`: specify if backend servers are using self-signed certificates - `-r`: enable resale +> ***NOTE***: Usage: +> +> ``` +>./build/linux-client -ip ://: +>if -ip not specified, manufacturer_addr.bin will be used +>-ss: specify if backend servers are using self-signed certificates +>-r: enable resale +>``` +> ***NOTE***: linux-client may require elevated privileges. Please use 'sudo' to execute. ### 7.1 Prepare FDO Client SDK Data Folder
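Review bot: in the usage block added to docs/tpm.md (and the identical blocks in the cse.md and linux.md hunks of this patch), the quoted code lines use `>./build/linux-client` with no space after the quote marker while the surrounding lines use `> `; keep `> ` on every line so the fence renders inside the blockquote. The option value on the first line reads `-ip ://:`, with nothing between the separators, so confirm that the scheme, host and port placeholder tokens survive rendering rather than being swallowed as markup. Moving the "may require elevated privileges" note after the usage block is fine.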