iadgovuser26
commented
2 years ago There are 2 options for support RIM as defined by The PC Client RIM specification: TCG Event Log Assertions and TPM PCR Assertion. The HIRS ACA currently only support the TCG Event Log Assertion, both are binary files. A "a human readable support RIM" is not defined nor supported, however, the error shown is not very helpful. We will try to address that in a future release.
The current functionality of the HIRS ACA requires a Base RIM (swidtag) along with the corresponding Support RIM in order for the GUI to correctly pull in the corresponding details into any pages that reference RIM related details. The ACA uses the Hash within the Base RIMS payload to match up the Support RIM with the Base RIM, so it is important to assure that the Hash is correct.
When attempting to load a human readable support RIM into the ACA, a dialog box appears with the following message:
DataTables warning: table id=referenceManifestTable - Ajax error. For more information about this error, please see http://datatables.net/tn/7
Salient points:
1) Note that we can load .swidtag files produced by a Windows build of the RIM Tool and view them successfully in the GUI.
2) After loading the Support RIM in question, this is no longer possible. When the above dialog is acknowledged, the previously loaded swidtag is no longer displayed.
3) The download functionality works, however i.e. we can download a zip file that contains both the swidtag and the support RIM that produced the failure dialog.
4) For the purpose of our investigations, we decided to use a support RIM produced by this tool: https://github.com/mattifestation/TCGLogTools. This produces a JSON file which we have edited (via C# code as part of a toolchain) to include the PCR0 value only.
5) Regardless of whether this file is valid or not, the ACA code needs to defend itself from entering the inoperable state described above. It seems impossible to recover from without some sort of intervention. Any recommendations on how to clear the support RIM from the database would be appreciated in the short term.
6) Using the debugger, it is apparent that the support RIM is not being treated as a human readable file. Relevant Java classes appear to be SupportReferenceManifest.java, TCGEventLog.java and TpmPcrEvent1.java. Breakpoints reveal that this support RIM is being treated as a binary file.
7) The above leads to the following question: is the loading of human readable support RIMs supposed to be supported at this time? If not, will it be supported in the future? If so, any idea when?
Note the behaviour seems similar to #467 where the provisioner was erroneously posting a swidtag file as a both a swidtag file AND a RIM Support file.