Merge pull request #584 from ionut-arm/audit-update

ionut-arm · web-flow · commit 67a22ccc11a8 · 2022-03-02T09:46:48.000Z
Updates for Release Candidate 2
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -1,5 +1,6 @@
 [advisories]
-ignore = []
+ignore = ["RUSTSEC-2020-0159", # Issue has been documented here: https://github.com/parallaxsecond/parsec/security/advisories/GHSA-45w3-v3g4-54pm
+          "RUSTSEC-2020-0071"] # Issue has been documented here: https://github.com/parallaxsecond/parsec/security/advisories/GHSA-45w3-v3g4-54pm
 informational_warnings = ["unmaintained"] # warn for categories of informational advisories
 severity_threshold = "low" # CVSS severity ("none", "low", "medium", "high", "critical")
 
@@ -19,7 +20,6 @@ show_tree = true # Show inverse dependency trees along with advisories
 
 # Target Configuration
 [target]
-arch = "x86_64" # Ignore advisories for CPU architectures other than this one
 os = "linux" # Ignore advisories for operating systems other than this one
 
 [packages]
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -70,7 +70,7 @@ pkcs11-provider = ["cryptoki", "picky-asn1-der", "picky-asn1", "picky-asn1-x509"
 tpm-provider = ["tss-esapi", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "hex"]
 cryptoauthlib-provider = ["rust-cryptoauthlib"]
 trusted-service-provider = ["psa-crypto", "bindgen", "prost-build", "prost"]
-all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider", "trusted-service-provider"]
+all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "trusted-service-provider"]
 
 # Authenticators
 direct-authenticator = []
diff --git a/SECURITY.md b/SECURITY.md
@@ -9,10 +9,23 @@ disclosure of security problems are greatly appreciated and your contributions w
 Currently only the most recent version of the Parsec service is eligible for patching. This could
 change in the future.
 
-| Version         | Supported |
-|-----------------|-----------|
-| 0.7.0           | ✅       |
-| 0.6.0 and lower | ❌       |
+| Version          | Supported |
+|------------------|-----------|
+| 0.7.0 and higher | ✅       |
+| 0.6.0 and lower  | ❌       |
+
+## Our disclosure policy
+
+All security vulnerabilities affecting the Parsec service - including those reported using the steps
+highlighted below, those discovered during routine testing, and those found in our dependency tree
+either through `cargo-audit` or otherwise - will receive [security
+advisories](https://github.com/parallaxsecond/parsec/security/advisories) in a timely manner. The
+advisories should include sufficient information about the cause, effect, and possible mitigations
+for the vulnerability. If any information is missing, or you would like to raise a question about
+the advisories, please open an issue in [our repo](https://github.com/parallaxsecond/parsec).
+
+Efforts to mitigate for the reported vulnerabilities will be tracked using Github issues linked to
+the corresponding advisories.
 
 ## Reporting a vulnerability
 
diff --git a/e2e_tests/docker_image/parsec-service-test-cross-compile.Dockerfile b/e2e_tests/docker_image/parsec-service-test-cross-compile.Dockerfile
@@ -2,6 +2,26 @@
 # SPDX-License-Identifier: Apache-2.0
 FROM ghcr.io/parallaxsecond/parsec-service-test-all
 
+# Install aarch64-none-linux-gnu cross compilation toolchain
+RUN wget https://developer.arm.com/-/media/Files/downloads/gnu-a/9.2-2019.12/binrel/gcc-arm-9.2-2019.12-x86_64-aarch64-none-linux-gnu.tar.xz?revision=61c3be5d-5175-4db6-9030-b565aae9f766 -O aarch64-gcc.tar.xz
+RUN tar --strip-components=1 -C /usr/ -xvf aarch64-gcc.tar.xz
+RUN rm aarch64-gcc.tar.xz
+
+# Install Trusted Services lib compiled for aarch64
+# Setup git config for patching dependencies
+RUN git config --global user.email "some@email.com"
+RUN git config --global user.name "Parsec Team"
+RUN git clone https://git.trustedfirmware.org/TS/trusted-services.git --branch integration \
+    && cd trusted-services \
+    && git reset --hard 389b50624f25dae860bbbf8b16f75b32f1589c8d
+# Install correct python dependencies
+RUN pip3 install -r trusted-services/requirements.txt
+RUN cd trusted-services/deployments/libts/arm-linux/ \
+    && cmake . \
+    && make \
+    && cp libts.so* /usr/local/lib/
+RUN rm -rf trusted-services
+
 # Install cross-compilers
 RUN apt install -y gcc-multilib
 RUN apt install -y gcc-arm-linux-gnueabihf
diff --git a/e2e_tests/provider_cfg/all/config.toml b/e2e_tests/provider_cfg/all/config.toml
@@ -40,11 +40,13 @@ user_pin = "123456"
 # The slot_number mandatory field is going to replace the following line with a valid number
 # slot_number
 
-[[provider]]
-provider_type = "CryptoAuthLib"
-key_info_manager = "sqlite-manager"
-device_type = "always-success"
-iface_type = "test-interface"
+
+# CAL provider and hardware abstraction crate are unmaintained; See #585
+# [[provider]]
+# provider_type = "CryptoAuthLib"
+# key_info_manager = "sqlite-manager"
+# device_type = "always-success"
+# iface_type = "test-interface"
 # wake_delay = 1500
 # rx_retries = 20
 # # i2c parameters for i2c-pseudo proxy
diff --git a/e2e_tests/provider_cfg/all/on-disk-kim-all-providers.toml b/e2e_tests/provider_cfg/all/on-disk-kim-all-providers.toml
@@ -40,11 +40,12 @@ user_pin = "123456"
 # The slot_number mandatory field is going to replace the following line with a valid number
 # slot_number
 
-[[provider]]
-provider_type = "CryptoAuthLib"
-key_info_manager = "on-disk-manager"
-device_type = "always-success"
-iface_type = "test-interface"
+# CAL provider and hardware abstraction crate are unmaintained; See #585
+# [[provider]]
+# provider_type = "CryptoAuthLib"
+# key_info_manager = "on-disk-manager"
+# device_type = "always-success"
+# iface_type = "test-interface"
 # wake_delay = 1500
 # rx_retries = 20
 # # i2c parameters for i2c-pseudo proxy
diff --git a/e2e_tests/tests/all_providers/config/mod.rs b/e2e_tests/tests/all_providers/config/mod.rs
@@ -62,7 +62,8 @@ fn list_providers() {
             Uuid::parse_str("1c1139dc-ad7c-47dc-ad6b-db6fdb466552").unwrap(), // Mbed crypto provider
             Uuid::parse_str("1e4954a4-ff21-46d3-ab0c-661eeb667e1d").unwrap(), // Tpm provider
             Uuid::parse_str("30e39502-eba6-4d60-a4af-c518b7f5e38f").unwrap(), // Pkcs11 provider
-            Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap(), // CryptoAuthLib provider
+            // CAL provider and hardware abstraction crate are unmaintained; See #585
+            // Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap(), // CryptoAuthLib provider
             Uuid::parse_str("47049873-2a43-4845-9d72-831eab668784").unwrap(), // Core provider
         ]
     );
@@ -78,7 +79,8 @@ fn list_providers() {
             Uuid::parse_str("30e39502-eba6-4d60-a4af-c518b7f5e38f").unwrap(), // Pkcs11 provider
             Uuid::parse_str("1c1139dc-ad7c-47dc-ad6b-db6fdb466552").unwrap(), // Mbed crypto provider
             Uuid::parse_str("1e4954a4-ff21-46d3-ab0c-661eeb667e1d").unwrap(), // Tpm provider
-            Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap(), // CryptoAuthLib provider
+            // CAL provider and hardware abstraction crate are unmaintained; See #585
+            // Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap(), // CryptoAuthLib provider
             Uuid::parse_str("47049873-2a43-4845-9d72-831eab668784").unwrap(), // Core provider
         ]
     );
diff --git a/e2e_tests/tests/all_providers/config/tomls/list_providers_1.toml b/e2e_tests/tests/all_providers/config/tomls/list_providers_1.toml
@@ -34,14 +34,15 @@ user_pin = "123456"
 # The slot_number mandatory field is going to replace the following line with a valid number
 # slot_number
 
-[[provider]]
-provider_type = "CryptoAuthLib"
-key_info_manager = "sqlite-manager"
-device_type = "always-success"
-iface_type = "test-interface"
-wake_delay = 1500
-rx_retries = 20
-# i2c parameters for i2c-pseudo proxy
-slave_address = 0xc0
-bus = 1
-baud = 400000
+# CAL provider and hardware abstraction crate are unmaintained; See #585
+# [[provider]]
+# provider_type = "CryptoAuthLib"
+# key_info_manager = "sqlite-manager"
+# device_type = "always-success"
+# iface_type = "test-interface"
+# wake_delay = 1500
+# rx_retries = 20
+# # i2c parameters for i2c-pseudo proxy
+# slave_address = 0xc0
+# bus = 1
+# baud = 400000
diff --git a/e2e_tests/tests/all_providers/config/tomls/list_providers_2.toml b/e2e_tests/tests/all_providers/config/tomls/list_providers_2.toml
@@ -34,14 +34,15 @@ key_info_manager = "sqlite-manager"
 tcti = "mssim"
 owner_hierarchy_auth = "tpm_pass"
 
-[[provider]]
-provider_type = "CryptoAuthLib"
-key_info_manager = "sqlite-manager"
-device_type = "always-success"
-iface_type = "test-interface"
-wake_delay = 1500
-rx_retries = 20
-# i2c parameters for i2c-pseudo proxy
-slave_address = 0xc0
-bus = 1
-baud = 400000
+# CAL provider and hardware abstraction crate are unmaintained; See #585
+# [[provider]]
+# provider_type = "CryptoAuthLib"
+# key_info_manager = "sqlite-manager"
+# device_type = "always-success"
+# iface_type = "test-interface"
+# wake_delay = 1500
+# rx_retries = 20
+# # i2c parameters for i2c-pseudo proxy
+# slave_address = 0xc0
+# bus = 1
+# baud = 400000
diff --git a/e2e_tests/tests/all_providers/normal.rs b/e2e_tests/tests/all_providers/normal.rs
@@ -15,7 +15,7 @@ use std::iter::FromIterator;
 fn list_providers() {
     let mut client = TestClient::new();
     let providers = client.list_providers().expect("list providers failed");
-    assert_eq!(providers.len(), 5);
+    assert_eq!(providers.len(), 4);
     let uuids: HashSet<Uuid> = providers.iter().map(|p| p.uuid).collect();
     // Core provider
     assert!(uuids.contains(&Uuid::parse_str("47049873-2a43-4845-9d72-831eab668784").unwrap()));
@@ -25,8 +25,9 @@ fn list_providers() {
     assert!(uuids.contains(&Uuid::parse_str("30e39502-eba6-4d60-a4af-c518b7f5e38f").unwrap()));
     // TPM provider
     assert!(uuids.contains(&Uuid::parse_str("1e4954a4-ff21-46d3-ab0c-661eeb667e1d").unwrap()));
-    // CryptoAuthLib provider
-    assert!(uuids.contains(&Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap()));
+    // CAL provider and hardware abstraction crate are unmaintained; See #585
+    // // CryptoAuthLib provider
+    // assert!(uuids.contains(&Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap()));
 }
 
 #[test]
@@ -45,12 +46,13 @@ fn list_providers_order_respected() {
         providers[2].uuid,
         Uuid::parse_str("30e39502-eba6-4d60-a4af-c518b7f5e38f").unwrap()
     );
+    // CAL provider and hardware abstraction crate are unmaintained; See #585
+    // assert_eq!(
+    //     providers[3].uuid,
+    //     Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap()
+    // );
     assert_eq!(
         providers[3].uuid,
-        Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap()
-    );
-    assert_eq!(
-        providers[4].uuid,
         Uuid::parse_str("47049873-2a43-4845-9d72-831eab668784").unwrap()
     );
 }
@@ -101,9 +103,10 @@ fn list_opcodes() {
 
     let core_provider_opcodes = HashSet::from_iter(core_opcodes);
 
-    let mut crypto_providers_cal = HashSet::new();
-    // Not that much to be tested with test-interface
-    let _ = crypto_providers_cal.insert(Opcode::PsaGenerateRandom);
+    // CAL provider and hardware abstraction crate are unmaintained; See #585
+    // let mut crypto_providers_cal = HashSet::new();
+    // // Not that much to be tested with test-interface
+    // let _ = crypto_providers_cal.insert(Opcode::PsaGenerateRandom);
 
     let mut crypto_providers_tpm = HashSet::from_iter(common_opcodes.clone());
     let _ = crypto_providers_tpm.insert(Opcode::CanDoCrypto);
@@ -139,12 +142,13 @@ fn list_opcodes() {
             .expect("list providers failed"),
         crypto_providers_mbed_crypto
     );
-    assert_eq!(
-        client
-            .list_opcodes(ProviderId::CryptoAuthLib)
-            .expect("list providers failed"),
-        crypto_providers_cal
-    );
+    // CAL provider and hardware abstraction crate are unmaintained; See #585
+    // assert_eq!(
+    //     client
+    //         .list_opcodes(ProviderId::CryptoAuthLib)
+    //         .expect("list providers failed"),
+    //     crypto_providers_cal
+    // );
 }
 
 #[cfg(feature = "testing")]
diff --git a/e2e_tests/tests/per_provider/normal_tests/import_key.rs b/e2e_tests/tests/per_provider/normal_tests/import_key.rs
@@ -127,9 +127,8 @@ fn create_and_import_rsa_key() -> Result<()> {
         return Ok(());
     }
 
-    let status;
     client.generate_rsa_sign_key(key_name.clone())?;
-    status = client
+    let status = client
         .import_rsa_public_key(key_name, KEY_DATA.to_vec())
         .expect_err("Key should have already existed");
     assert_eq!(status, ResponseStatus::PsaErrorAlreadyExists);
diff --git a/src/providers/cryptoauthlib/mod.rs b/src/providers/cryptoauthlib/mod.rs
diff --git a/src/providers/mbed_crypto/mod.rs b/src/providers/mbed_crypto/mod.rs
diff --git a/src/providers/trusted_service/mod.rs b/src/providers/trusted_service/mod.rs
diff --git a/test/cross-compile.sh b/test/cross-compile.sh
