First upload of GA10

README

@@ -0,0 +1,96 @@
+# A10 - Nokia Attestation Engine
+
+This is the source for the Nokia Attestation Engine A10.
+
+This software is used as the remote attestation engine as part of a trusted computing environment. THis is the system that holds the known good values about devices and other elements, and provides the attestation and validation mechanisms.
+
+The software here is provided as-is - there is no security (http for the win!) and the error checking in places is completely missing. The point of this was to explore more interesting mechanisms for remote attestation and to implement ideas from the IEFT RATS specification.
+
+## Contents
+
+Each directory contains a local README.md file with more information
+
+   * ga10 - The main server-side engine.
+   * ta10 - A reference trust agent for /dev/tpm* devices
+   * v0.11.0 - the older python3 based NAE.
+
+## Getting it running QUICKLY
+
+Ensure that Go is installed and correctly configured
+
+Write a configuration file and ensure that it is available to ga10 in some suitable directory. A config file example is below.
+
+To start the server
+
+   cd ga10
+   go get -u
+   go run . -config=/somewhere/config.yaml
+
+To start the TA
+
+   cd ta10
+   go get -u
+   go run .
+
+The TA requires access to /dev/tpm* devices (eg: /dev/tpmrm0), IMA log file, TXT log file and the UEFI event log. Either use sudo or setup permissions on these files.
+
+## Security
+
+A self-signed key is provided called temporary.key/crt - DO NOT USE THIS IN PRODUCTION OR ANYWHERE. Browsers will complain if you use this.
+THIS IS NOT SECURE!!!
+
+PUTTING PRIVATE KEYS ON GITHUB FOR ANYTHING ELSE THAN A DEMONSTRATION IS CRAZY. DO NOT DO THIS.
+
+TO SAVE YOURSELF, SET THE usehttp FIELDS TO true.  
+
+GENERATE YOUR OWN KEYS AND KEEP THEM SECURE.
+
+
+## Example Config File 
+
+Note the lines with "CHANGE ME"
+
+   * The name of the system can set to anything you want.
+   * The MQTT client ID must be unique if you indent running more than one instance
+
+See the note on security above
+
+```yaml
+#Some general naming
+system:
+  name: ASVR_GO_1
+
+#MongoDB Configuration
+database: 
+  connection: mongodb://192.168.1.203:27017    "CHANGE ME"
+  name: test1                                  "CHANGE ME"
+
+#MQTT Configuration
+messaging:
+  broker: 192.168.1.203                        "CHANGE ME"
+  port: 1883                                   "CHANGE ME"
+  clientid: asvrgo1                            "CHANGE ME"
+
+#REST Interface Configuration
+rest:
+  port: 8520
+  crt: temporary.crt                     
+  key: temporary.key
+  usehttp: true
+
+#Web Interface Configuration
+web:
+  port: 8540
+  crt: temporary.crt
+  key: temporary.key
+  usehttp: true
+
+#Log file
+logging:
+  logfilelocation: /tmp/ga10.log
+  sessionupdatelogging: false
+```
+
+
+# Use in a Production Environment
+Don't.  This is not secure and many points where errors and exceptions should be captured are not implemented.

ga10/Makefile

@@ -0,0 +1,22 @@
+BINARY_NAME=ga10
+DATE=`date +%s%3N`
+LD_RELEASE_FLAGS=-X 'main.BUILD=${DATE}'
+
+build:
+	go build -o dist/${BINARY_NAME} ga10.go
+
+clean:
+	go clean
+	rm dist/${BINARY_NAME}*
+
+update:
+	go get -u
+	go mod tidy
+
+distribution: update
+	GOOS=linux GOARCH=amd64 go build   -ldflags="${LD_RELEASE_FLAGS}" -o dist/${BINARY_NAME}_linuxamd64 ga10.go
+	GOOS=illumos GOARCH=amd64 go build -ldflags="${LD_RELEASE_FLAGS}" -o dist/${BINARY_NAME}_illumosamd64 ga10.go
+	GOOS=windows GOARCH=amd64 go build -ldflags="${LD_RELEASE_FLAGS}" -o dist/${BINARY_NAME}_windowsamd64 ga10.go
+	GOOS=linux GOARCH=arm64 go build   -ldflags="${LD_RELEASE_FLAGS}" -o dist/${BINARY_NAME}_linuxarm64 ga10.go
+	GOOS=linux GOARCH=arm go build     -ldflags="${LD_RELEASE_FLAGS}" -o dist/${BINARY_NAME}_linuxarm ga10.go
+	GOOS=openbsd GOARCH=amd64 go build -ldflags="${LD_RELEASE_FLAGS}" -o dist/${BINARY_NAME}_openBSDamd64 ga10.go

ga10/README

@@ -0,0 +1,85 @@
+To build
+
+make build
+make distribution
+make
+
+go build .
+./a10 --config=config.yaml --runtests=True
+
+
+To run (without build)
+
+go run . --config=config.yaml --runtests=True
+
+
+To set build version numbers for releases
+
+go build -ldflags="-X 'main.BUILD=123'"
+
+with a datetime
+
+go build -ldflags="-X 'main.BUILD=`date`'"
+
+
+
+To generate HTTPS keys
+
+openssl genrsa 2048 > temporary.key
+chmod 400 temporary.key 
+openssl req -new -x509 -nodes -sha256 -days 365 -key temporary.key -out temporary.crt
+
+
+To encryption in Go
+levelup.gitconnected.com/a-guide-to-rsa-encryption-in-go-1a18d827f35d
+
+
+To reduce binary size
+
+ian@ian-virtual-machine:~/ga10$ go build -ldflags "-w" .
+ian@ian-virtual-machine:~/ga10$ ls -l a10 
+-rwxrwxr-x 1 ian ian 13545955 huhti  25 15:37 a10
+ian@ian-virtual-machine:~/ga10$ go build -ldflags "-s -w" .
+ian@ian-virtual-machine:~/ga10$ ls -l a10 
+-rwxrwxr-x 1 ian ian 12517376 huhti  25 15:38 a10
+ian@ian-virtual-machine:~/ga10$ 
+
+
+Installation
+
+NB: choose the correct operating system and architecture
+
+make distribution
+cp dist/a10_linuxamd64 /usr/local/bin/a10
+cp config.yaml /etc/a10config.yaml
+cp a10.service to /etc/systemd/system
+
+Modify the config.yaml file
+
+sudo systemctl daemon-reload
+sudo systemctl start a10.service
+journalctl -xe
+
+sudo systemctl stop a10.service
+
+
+sudo systemctl enable a10.service
+
+sudo systemctl disable a10.service
+
+
+
+
+PKCS#11
+
+Find the yubihsm.so file
+$ ls /usr/lib/x86_64-linux-gnu/pkcs11/
+gnome-keyring-pkcs11.so  p11-kit-client.so  p11-kit-trust.so  yubihsm_pkcs11.so
+
+github.com/miekg/pkcs11
+
+Or which ever user can see the YubiHSM (sudo is probably not good)
+sudo yubihsm-connector -d
+
+specify where the yubihsm conf file is
+export YUBIHSM_PKCS11_CONF=/home/ian/pkcs11test/yubihsm_pkcs1.conf

ga10/a10.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=A10 Attestation Service
+After=network.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+User=ian
+ExecStart=/usr/local/bin/a10 -config=/etc/a10config.yaml
+
+[Install]
+WantedBy=multi-user.target

ga10/config.yaml

@@ -0,0 +1,33 @@
+#Some general naming
+system:
+  name: ASVR_GO_1
+
+#MongoDB Configuration
+database:
+  connection: mongodb://192.168.1.203:27017
+  name: test1
+
+#MQTT Configuration
+messaging:
+  broker: 192.168.1.203
+  port: 1883
+  clientid: asvrgo1
+
+#REST Interface Configuration
+rest:
+  port: 8520
+  crt: temporary.crt
+  key: temporary.key
+  usehttp: false
+
+#Web Interface Configuration
+web:
+  port: 8540
+  crt: temporary.crt
+  key: temporary.key
+  usehttp: true  
+
+#Log file
+logging:
+  logfilelocation: /tmp/ga10.log
+  sessionupdatelogging: false

ga10/configuration/configuration.go

@@ -0,0 +1,84 @@
+package configuration
+
+import(
+	"fmt"
+	"io/ioutil"
+
+	"gopkg.in/yaml.v3"
+)	
+
+// The configuration structure also gives the format of the YAML config file
+//
+// For example
+//#Some general naming
+//system:
+//  name: ASVR_GO_1                             -- name of the ASVR system. Can be anything sensible
+//
+//#MongoDB Configuration
+//database:
+//  connection: mongodb://192.168.1.203:27017   -- connection string for the mongodb
+//  name: test1                                 -- name of the database to use 
+//
+//#MQTT Configuration
+//messaging:
+//  broker: 192.168.1.203                       -- IP address of the MQTT broker
+//  port: 1883                                  -- Port to use, typically 1883
+//
+//#REST Interface Configuration
+//rest:
+//  port: 8520                                  -- Port to use for the REST API, default is 8520
+//  crt: temporary.crt                          -- File containing the certificate to use for the HTTPS server
+//  key: temporary.key                          -- File containing the private key for the HTTPS server
+//  usehttp: true                               -- Use HTTP (true) instead of HTTPS. Default is false
+
+type ConfigurationStruct struct {
+	System struct {
+		Name		string   
+	}
+	Database struct {
+		Connection	string 
+		Name		string 
+	}
+	Messaging struct {
+		Broker		string  
+		Port		uint16 
+		ClientID	string
+	}
+	Rest struct {
+		Port        string
+		Crt  		string
+		Key         string
+		UseHTTP		bool
+	}
+	Web struct {
+		Port        string
+		Crt  		string
+		Key         string
+		UseHTTP		bool
+	}	
+	Logging struct {
+		LogFileLocation			 string
+		SessionUpdateLogging	 bool
+	}
+}
+
+// The exported variable for accessing the configuration structure
+var ConfigData *ConfigurationStruct
+
+// The function that reads the configuraiton file and sets up the configuration structure
+//
+// If the file is unavailable or in unparsable then this function will panic and exit.
+// There is no need to continue if the configuration is borked.
+func SetupConfiguration(f string) {
+	fmt.Println("GA10: Configuration file location: ",f)
+
+	configFile, err := ioutil.ReadFile(f)
+	if err != nil {
+		panic(fmt.Sprintf("Configuration file missing. Exiting with error ",err))
+	}
+
+	err = yaml.Unmarshal(configFile,&ConfigData)
+	if err != nil {
+		panic(fmt.Sprintf("Unable to parse configuration file. Exiting with error ",err))
+	}
+}

ga10/datalayer/count.go

@@ -0,0 +1,23 @@
+package datalayer
+
+import(
+    "context"
+    "log"
+    "reflect"
+
+   //     "go.mongodb.org/mongo-driver/mongo/options"
+        "go.mongodb.org/mongo-driver/bson"    
+)
+
+func Count(coll string) int64 {
+	//options := options.Count()
+	count, err := DB.Collection(coll).CountDocuments(context.TODO(), bson.D{})
+
+	log.Printf("count for %v is %v %v, err is %v",coll,count,reflect.TypeOf(count),err)
+
+    if err != nil {
+        return -1
+    } else {
+        return count
+    }
+}

ga10/datalayer/initialisation.go

@@ -0,0 +1,9 @@
+package datalayer
+
+
+func InitialiseDatalayer() {
+
+	initialiseDatabase()
+	initialiseMessaging()
+	initialiseInternalDBs()
+}

ga10/datalayer/internaldbs.go

@@ -0,0 +1,12 @@
+package datalayer
+
+import(
+    "a10/structures"        
+)
+
+var RulesDatabase map[string]structures.Rule = make(map[string]structures.Rule)
+var ProtocolsDatabase map[string]structures.Protocol = make(map[string]structures.Protocol)
+
+func initialiseInternalDBs() {
+	// No initialisation required as the current two internal databases are empty
+}