OLD | NEW |
| (Empty) |
1 #!/bin/sh | |
2 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | |
3 # Use of this source code is governed by a BSD-style license that can be | |
4 # found in the LICENSE file. | |
5 # | |
6 # Stop-gap tpm initialization code until it is integrate to the | |
7 # setup process. | |
8 # | |
9 # Note: this will run and fail if the TPM is configured. | |
10 # | |
11 # Must be run in a terminal-less environment. | |
12 | |
13 # Command wrapper since there are occasionally transient bus | |
14 # errors with TPM calls -- especially long-lived calls like | |
15 # TPM_TakeOwnership. | |
16 try () { | |
17 local cmd="$1" | |
18 shift | |
19 local args="$@" | |
20 | |
21 local max_attempts=3 | |
22 local attempt=0 | |
23 local ret=1 | |
24 while [ $attempt -lt $max_attempts ]; do | |
25 echo -n "[*] $(date +%s): running $cmd . . ." | |
26 $cmd $args | |
27 ret=$? | |
28 if [ $ret -ne 0 ]; then | |
29 echo "fail" | |
30 else | |
31 echo "ok" | |
32 return 0 | |
33 fi | |
34 attempt=$((attempt + 1)) | |
35 done | |
36 return $ret | |
37 } | |
38 | |
39 # Simple bail. We don't use set -e because not all commands are terminal. | |
40 err () { | |
41 echo -n "Something is wrong with the TPM. " 1>&2 | |
42 echo "Try clearing it from the BIOS." 1>&2 | |
43 exit 1 | |
44 } | |
45 | |
46 # 8 is the magic tpm password length. | |
47 OWNER_PW=$(openssl rand -base64 8 | head -c 8) | |
48 | |
49 # temporary password so that we can reset it to nothing afterwards | |
50 SRK_PW=1234567890 | |
51 | |
52 # For debugging. | |
53 # echo "owner: $OWNER_PW" | |
54 # echo "srk: $SRK_PW" | |
55 | |
56 OWNED_FILE="/var/lib/.tpm_owned" | |
57 | |
58 take_ownership () { | |
59 (echo ${OWNER_PW}; echo ${OWNER_PW}; echo ${SRK_PW}; echo ${SRK_PW}) | | |
60 tpm_takeownership "$@" | |
61 } | |
62 | |
63 change_srk_pw () { | |
64 (echo ${OWNER_PW}; echo; echo) | tpm_changeownerauth -s "$@" | |
65 } | |
66 | |
67 unrestrict_srk () { | |
68 echo ${OWNER_PW} | tpm_restrictsrk -a "$@" | |
69 } | |
70 | |
71 check_ek () { | |
72 # We don't want to log this. | |
73 tpm_getpubek "$@" &> /dev/null | |
74 } | |
75 | |
76 # Log to /tmp (tmpfs) since this may leak TPM identifiable information. | |
77 LOG_DIR=$(mktemp -d /tmp/chromeos_tpm_init.XXXXXX) | |
78 exec 1>${LOG_DIR}/stdout | |
79 exec 2>${LOG_DIR}/stderr | |
80 | |
81 # Drop a line in the system logs just so it's easy to check out | |
82 logger "TPM initialization log directory: ${LOG_DIR}" | |
83 | |
84 if [ "0" = $(cat /sys/class/misc/tpm0/device/enabled) ]; then | |
85 logger "TPM is not enabled!" | |
86 exit 1 | |
87 fi | |
88 | |
89 if [ "1" = $(cat /sys/class/misc/tpm0/device/owned) ]; then | |
90 logger "TPM is already owned!" | |
91 exit 0 | |
92 else | |
93 # Clean up existing opencryptoki state, flag for tpm ownership. | |
94 rm -rf /var/lib/opencryptoki "$OWNED_FILE" | |
95 fi | |
96 | |
97 echo "[-] Creating the endorsement key if needed." | |
98 try tpm_createek | |
99 | |
100 echo "[-] Verifying the ek is available." | |
101 try check_ek || err | |
102 | |
103 echo "[-] Setting up an owner." | |
104 try take_ownership || err | |
105 | |
106 echo "[-] Ensuring the SRK has an empty password." | |
107 try change_srk_pw || err | |
108 | |
109 echo "[-] Unrestricting the SRK for PKCS#11 use." | |
110 try unrestrict_srk || err | |
111 | |
112 echo "[-] TPM has been configured for general use." | |
113 touch "$OWNED_FILE" | |
114 exit 0 | |
115 | |