verifier: convert (v)tpm_policy in DB from string to JSONPickleType

We now enforce that the (v)tpm_policy should be a JSON object which
then is converted to a dict.

This also fixes the issue were tpm_policy.keys() was called even when
tpm_policy was a string.

Signed-off-by: Thore Sommer <[email protected]>

keylime/db/verifier_db.py

@@ -29,8 +29,8 @@ class VerfierMain(Base):
     port = Column(Integer)
     operational_state = Column(Integer)
     public_key = Column(String(500))
-    tpm_policy = Column(String(1000))
-    vtpm_policy = Column(String(1000))
+    tpm_policy = Column(JSONPickleType(pickler=json))
+    vtpm_policy = Column(JSONPickleType(pickler=json))
     meta_data = Column(String(200))
     allowlist = Column(Text(429400000))
     ima_sign_verification_keys = Column(Text(429400000))

keylime/migrations/versions/f35cdd35eb83_move_v_tpm_policy_to_jsonpickletype.py

@@ -0,0 +1,49 @@
+"""Move (v)tpm_policy to JSONPickleType
+
+Revision ID: f35cdd35eb83
+Revises: 7d5db1a6ffb0
+Create Date: 2021-08-02 15:26:34.427156
+
+"""
+import sqlalchemy as sa
+from alembic import op
+
+import keylime
+
+# revision identifiers, used by Alembic.
+revision = 'f35cdd35eb83'
+down_revision = '7d5db1a6ffb0'
+branch_labels = None
+depends_on = None
+
+
+def upgrade(engine_name):
+    globals()["upgrade_%s" % engine_name]()
+
+
+def downgrade(engine_name):
+    globals()["downgrade_%s" % engine_name]()
+
+
+def upgrade_registrar():
+    pass
+
+
+def downgrade_registrar():
+    pass
+
+
+def upgrade_cloud_verifier():
+    with op.batch_alter_table('verifiermain') as batch_op:
+        batch_op.alter_column('tpm_policy', existing_type=sa.String(1000),
+                              type_=keylime.db.verifier_db.JSONPickleType(), existing_nullable=True)
+        batch_op.alter_column('vtpm_policy', existing_type=sa.String(1000),
+                              type_=keylime.db.verifier_db.JSONPickleType(), existing_nullable=True)
+
+
+def downgrade_cloud_verifier():
+    with op.batch_alter_table('verifiermain') as batch_op:
+        batch_op.alter_column('tpm_policy', type_=sa.String(1000),
+                              existing_type=keylime.db.verifier_db.JSONPickleType(), existing_nullable=True)
+        batch_op.alter_column('vtpm_policy', type_=sa.String(1000),
+                              existing_type=keylime.db.verifier_db.JSONPickleType(), existing_nullable=True)

keylime/tpm/tpm_abstract.py

@@ -4,7 +4,6 @@
 '''
 
 from abc import ABCMeta, abstractmethod
-import ast
 import hashlib
 import os
 import string
@@ -233,11 +232,8 @@ def __parse_pcrs(self, pcrs, virtual) -> typing.Dict[int, str]:
         return output
 
     def check_pcrs(self, agentAttestState, tpm_policy, pcrs, data, virtual, ima_measurement_list, allowlist, ima_keyring, mb_measurement_list, mb_refstate_str):
-        try:
-            tpm_policy_ = ast.literal_eval(tpm_policy)
-        except ValueError:
-            tpm_policy_ = {}
-        pcr_allowlist = tpm_policy_.copy()
+
+        pcr_allowlist = tpm_policy.copy()
 
         if 'mask' in pcr_allowlist:
             del pcr_allowlist['mask']
@@ -310,9 +306,8 @@ def check_pcrs(self, agentAttestState, tpm_policy, pcrs, data, virtual, ima_meas
         # Check the remaining non validated PCRs
         for pcr_num in pcr_nums - pcrs_in_quote:
             if pcr_num not in list(pcr_allowlist.keys()):
-                if len(list(tpm_policy.keys())) > 0:
-                    logger.warning("%sPCR #%s in quote not found in %stpm_policy, skipping.",
-                                   ("", "v")[virtual], pcr_num, ("", "v")[virtual])
+                logger.warning("%sPCR #%s in quote not found in %stpm_policy, skipping.",
+                               ("", "v")[virtual], pcr_num, ("", "v")[virtual])
                 continue
             if pcrs[pcr_num] not in pcr_allowlist[pcr_num]:
                 logger.error("%sPCR #%s: %s from quote does not match expected value %s",