measured boot: move to new failure architecture
Currently there is only one event id. If necessary, this can be extended so that
policies can generate their own event ids.

Part of enhancement proposal keylime/enhancements#48

Signed-off-by: Thore Sommer <[email protected]>
THS-on authored and mpeters committed Sep 13, 2021
1 parent 1ce3fe7 commit 3dbdeb8
Showing 1 changed file with 8 additions and 5 deletions.
13 changes: 8 additions & 5 deletions keylime/measured_boot.py
Expand Up @@ -10,7 +10,7 @@

from keylime import config
from keylime import keylime_logging

from keylime.failure import Failure, Component
logger = keylime_logging.init_logging('measured_boot')

def read_mb_refstate(mb_path=None):
Expand Down Expand Up @@ -61,20 +61,23 @@ def get_policy(mb_refstate_str):

return mb_policy, mb_refstate_data

def evaluate_policy(mb_policy, mb_refstate_data, mb_measurement_data, pcrsInQuote, pcrPrefix, agent_id):
def evaluate_policy(mb_policy, mb_refstate_data, mb_measurement_data, pcrsInQuote, pcrPrefix, agent_id) -> Failure:
failure = Failure(Component.MEASURED_BOOT)
missing = list(set(config.MEASUREDBOOT_PCRS).difference(pcrsInQuote))
if len(missing) > 0:
logger.error("%sPCRs specified for measured boot not in quote: %s", pcrPrefix, missing)
return False
failure.add_event("missing_pcrs", {"context": "PCRs are missing in quote", "data": missing}, True)
try:
reason = mb_policy.evaluate(mb_refstate_data, mb_measurement_data)
except Exception as exn:
reason= "policy evaluation failed: %s"%(str(exn))
if reason:
logger.error("Boot attestation failed for agent %s, configured policy %s, refstate=%s, reason=%s",
agent_id, config.MEASUREDBOOT_POLICYNAME, json.dumps(mb_refstate_data), reason)
return False
return True
failure.add_event("policy",
{"context": "Boot attestation failed", "policy": config.MEASUREDBOOT_POLICYNAME,
"refstate": mb_refstate_data, "reason": reason}, True)
return failure

def main():
parser = argparse.ArgumentParser()
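Review bot: In the second hunk, after `failure.add_event("missing_pcrs", ...)` replaces the old `return False`, control now falls through to `mb_policy.evaluate(mb_refstate_data, mb_measurement_data)`, so the policy is evaluated against a quote that is already known to lack PCRs the measured-boot check requires; the old code stopped at that point. If the new failure architecture intends to collect every failure for the caller, the "policy" event that follows will likely just restate the missing-PCR condition (or an exception from evaluate on incomplete data), and the log line at that level will look like a second, distinct fault. If that is not intended, a `return failure` directly after the `add_event` call keeps the old short-circuit while still reporting a structured event. Either way, a comment on the `missing_pcrs` line such as `# keep evaluating so the caller sees every failure, not only the first` (or the opposite) would make the chosen behavior explicit; the whole body of `evaluate_policy` is visible in the hunk.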
