Release 2021 3 (#1)

* Update ovsa_get_started.md

Initial Changes for 2021.3

* Update ovsa_get_started.md

Fixed Indentation

* Update ovsa_get_started.md

Added changes to command line options

* changed dependent sw versions in the scripts

* changes for 2021.3

* Update ovsa_get_started.md

Fixing Indentation

* Update ovsa_get_started.md

Fixed Indentation

* Add files via upload

HW-SW TPM binding

* Update fingerprint-changes.md

* Update ovsa_get_started.md

DB/ovsa_create_db.py

@@ -0,0 +1,102 @@
+#!/usr/bin/env python3 
+#
+# Copyright (c) 2020-2021 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+import sys, json
+import sqlite3
+from sqlite3 import Error
+import datetime
+
+def create_connection(db_file):
+
+    """ create a database connection to the SQLite database
+        specified by db_file
+    :param db_file: database file
+    :return: Connection object or None
+    """
+    conn = None
+    try:
+        conn = sqlite3.connect(db_file)
+    except Error as e:
+        print(e)
+
+    return conn
+
+def main():
+    # validate command line arguments
+    if len(sys.argv) != 2:
+        print('Invalid arguments. ovsa_create_db.py <db file>')
+        return
+
+    database = sys.argv[1]
+
+    try:
+        open(database)
+        print("DB already exists!")
+    except IOError as e:
+        if (e.args[0] == 2): # DB does not exists
+            print("Creating DB!")
+            sqlite3.connect(database)
+        else:
+            print("Error: " + str(e))
+            exit()
+
+    conn = create_connection(database)
+
+    # create table customer_license_info
+    sql_customer_license = """create table if not exists customer_license_info (
+        customer_license_id integer primary key autoincrement, 
+        license_guid text, 
+        model_guid text, 
+        isv_certificate text, 
+        customer_certificate text, 
+        license_type integer, 
+        limit_count integer, 
+        usage_count numeric, 
+        time_limit numeric, 
+        created_date numeric, 
+        updated_date numeric) """
+    print("Creating customer_license_info table...")
+    conn.execute(sql_customer_license)
+
+    # create table tcb_info
+    sql_tcb_info = """create table if not exists tcb_info (
+        tcb_info_id integer primary key autoincrement,
+        tcb_name text,
+        version text,
+        mrsigner_id text,
+        mrenclave_id text,
+        product_id text,
+        svn text,
+        hw_quote text,
+        sw_quote text,
+        hw_pubkey text,
+        sw_pubkey text)"""
+    print("Creating tcb_info table...")
+    conn.execute(sql_tcb_info)
+
+    #cur = conn.cursor()
+    #cur.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name; ")
+    #rows = cur.fetchall()
+    #for row in rows:
+    #    print(row)
+
+    conn.close
+
+
+
+if __name__ == "__main__":
+    main()

DB/ovsa_store_customer_lic_cert_db.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3 
 #
-# Copyright (c) 2020 Intel Corporation
+# Copyright (c) 2020-2021 Intel Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

Dockerfile-build-ovsa

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020 Intel Corporation
+# Copyright (c) 2020-2021 Intel Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -24,44 +24,56 @@ ARG build_type=dbg
 #TPM Tool Specific installs
 RUN yum install -y \
         autoconf-archive \
+        bison \
         dbus-devel \
-        doxygen \
+        flex \
         glib2-devel \
-	glibc-static \
+        glibc-static \
         json-c-devel \
+        libiconv \
         libstdc++-devel  \
         libgcrypt-devel \
         openssl-devel \
+        strip \
         uriparser-devel && \
         yum clean all
 
 SHELL [ "/usr/bin/scl", "enable", "devtoolset-8" ]
 ENV CC=/opt/rh/devtoolset-8/root/bin/gcc
 ENV CXX=/opt/rh/devtoolset-8/root/bin/g++
 
+#DOXYGEN
+WORKDIR /doxygen
+RUN git clone https://github.com/doxygen/doxygen.git  && \
+    cd doxygen  && \
+    git checkout Release_1_8_7 && \
+    ./configure && \
+    make && \
+    make install
+
 #TPM2 TSS Build
 WORKDIR /tpm2-tss-build
 
-RUN wget https://github.com/tpm2-software/tpm2-tss/releases/download/2.4.4/tpm2-tss-2.4.4.tar.gz && \
-    tar -xzf tpm2-tss-2.4.4.tar.gz && \
-    cd tpm2-tss-2.4.4 && \
-    ./configure --disable-doxygen-man --prefix=/opt/tpm2-tools && \
+RUN wget https://github.com/tpm2-software/tpm2-tss/releases/download/3.0.3/tpm2-tss-3.0.3.tar.gz && \
+    tar -xvzf tpm2-tss-3.0.3.tar.gz && \
+    cd tpm2-tss-3.0.3 && \
+    ./configure  --with-udevrulesdir=/etc/udev/rules.d/ --prefix=/opt/tpm2-tools && \
     make -j8 && \
     make install
 
 ENV PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig:/opt/tpm2-tools/lib/pkgconfig
 WORKDIR /tpm2-abrmd
-RUN wget https://github.com/tpm2-software/tpm2-abrmd/releases/download/2.3.3/tpm2-abrmd-2.3.3.tar.gz && \
-    tar -xvzf tpm2-abrmd-2.3.3.tar.gz && \
-    pushd tpm2-abrmd-2.3.3 && \
+RUN wget https://github.com/tpm2-software/tpm2-abrmd/releases/download/2.4.0/tpm2-abrmd-2.4.0.tar.gz && \
+    tar -xvzf tpm2-abrmd-2.4.0.tar.gz && \
+    pushd tpm2-abrmd-2.4.0 && \
     ./configure --with-dbuspolicydir=/etc/dbus-1/system.d --prefix=/opt/tpm2-tools && \
     make -j8 && \
     make install
 
 WORKDIR /tpm2-tools-build
-RUN wget https://github.com/tpm2-software/tpm2-tools/releases/download/4.3.0/tpm2-tools-4.3.0.tar.gz && \
-        tar -xzf tpm2-tools-4.3.0.tar.gz && \
-        cd tpm2-tools-4.3.0 && \
+RUN wget https://github.com/tpm2-software/tpm2-tools/releases/download/5.0/tpm2-tools-5.0.tar.gz && \
+        tar -xzf tpm2-tools-5.0.tar.gz && \
+        cd tpm2-tools-5.0 && \
         ./configure --prefix=/opt/tpm2-tools && \
         make -j8 && \
         make install
@@ -85,5 +97,3 @@ RUN cp -rv /opt/tpm2-tools/* /ovsa-runtime/tpm2-tools/
 
 WORKDIR /
 RUN tar cvzf ovsa-runtime.tar.gz /ovsa-runtime
-
-

Dockerfile-pkg-ovsa-nginx

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020 Intel Corporation
+# Copyright (c) 2020-2021 Intel Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

Example/client/client_utils.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020 Intel Corporation
+# Copyright (c) 2020-2021 Intel Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

Example/runtime/generate_certs.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -x
 #
-# Copyright (c) 2020 Intel Corporation
+# Copyright (c) 2020-2021 Intel Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

Example/runtime/openssl_ca.conf

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020 Intel Corporation
+# Copyright (c) 2020-2021 Intel Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

Example/runtime/sample.json

@@ -10,9 +10,9 @@
   "model_config_list":[
     {
       "config":{
-        "name":"protected-model",
+        "name":"controlled-access-model",
         "base_path":"/sampleloader/model/fd",
-        "custom_loader_options": {"loader_name":  "ovsa", "keystore":  "custkeystore", "protected_file": "face_detection_model"}
+        "custom_loader_options": {"loader_name":  "ovsa", "keystore":  "custkeystore", "controlled_access_file": "face_detection_model"}
       }
     }
 

Example/runtime/start_secure_ovsa_model_server.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -x
 #
-# Copyright (c) 2020 Intel Corporation
+# Copyright (c) 2020-2021 Intel Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

License_service/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020 Intel Corporation
+# Copyright (c) 2020-2021 Intel Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -60,7 +60,7 @@ openssl_build: openssl/libcrypto.a
 openssl/libcrypto.a:
 ifeq ($(wildcard  $(SRC_BUILD_DIR)/src/lib/openssl),)
 	cd $(SRC_BUILD_DIR)/src/lib && git clone https://github.com/openssl/openssl.git
-	cd $(SRC_BUILD_DIR)/src/lib/openssl && git checkout --quiet OpenSSL_1_1_1h
+	cd $(SRC_BUILD_DIR)/src/lib/openssl && git checkout --quiet OpenSSL_1_1_1j
 	cd $(SRC_BUILD_DIR)/src/lib/openssl && ./config --prefix=$(shell readlink -f crypto/) shared -fPIC
 	cd $(SRC_BUILD_DIR)/src/lib/openssl && $(MAKE) && $(MAKE) -j1 install
 	cd $(SRC_BUILD_DIR)/src/lib/openssl && mv libcrypto.a ../../../lib
@@ -107,10 +107,10 @@ endif
 
 
 ############################# MBEDTLS DEPENDENCY ##############################
-MBEDTLS_VERSION ?= 2.21.0
+MBEDTLS_VERSION ?= 2.26.0
 MBEDTLS_SRC ?= mbedtls-$(MBEDTLS_VERSION).tar.gz
 MBEDTLS_URI ?= https://github.com/ARMmbed/mbedtls/archive/
-MBEDTLS_CHECKSUM ?= 320e930b7596ade650ae4fc9ba94b510d05e3a7d63520e121d8fdc7a21602db9
+MBEDTLS_CHECKSUM ?= 35d8d87509cd0d002bddbd5508b9d2b931c5e83747d087234cc7ad551d53fe05
 
 # mbedTLS uses a submodule mbedcrypto, need to download it and move under mbedtls/crypto
 MBEDCRYPTO_VERSION ?= 3.1.0

License_service/download.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (c) 2020 Intel Corporation
+# Copyright (c) 2020-2021 Intel Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.