Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(306)

Side by Side Diff: tpm_helpers/chromeos_tpm_init

Issue 3152039: Remove obsolete file chromeos_tpm_init (Closed) Base URL: ssh://git@chromiumos-git/entd.git
Patch Set: moved to new build flow Created 10 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 #!/bin/sh
2 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
3 # Use of this source code is governed by a BSD-style license that can be
4 # found in the LICENSE file.
5 #
6 # Stop-gap tpm initialization code until it is integrate to the
7 # setup process.
8 #
9 # Note: this will run and fail if the TPM is configured.
10 #
11 # Must be run in a terminal-less environment.
12
13 # Command wrapper since there are occasionally transient bus
14 # errors with TPM calls -- especially long-lived calls like
15 # TPM_TakeOwnership.
16 try () {
17 local cmd="$1"
18 shift
19 local args="$@"
20
21 local max_attempts=3
22 local attempt=0
23 local ret=1
24 while [ $attempt -lt $max_attempts ]; do
25 echo -n "[*] $(date +%s): running $cmd . . ."
26 $cmd $args
27 ret=$?
28 if [ $ret -ne 0 ]; then
29 echo "fail"
30 else
31 echo "ok"
32 return 0
33 fi
34 attempt=$((attempt + 1))
35 done
36 return $ret
37 }
38
39 # Simple bail. We don't use set -e because not all commands are terminal.
40 err () {
41 echo -n "Something is wrong with the TPM. " 1>&2
42 echo "Try clearing it from the BIOS." 1>&2
43 exit 1
44 }
45
46 # 8 is the magic tpm password length.
47 OWNER_PW=$(openssl rand -base64 8 | head -c 8)
48
49 # temporary password so that we can reset it to nothing afterwards
50 SRK_PW=1234567890
51
52 # For debugging.
53 # echo "owner: $OWNER_PW"
54 # echo "srk: $SRK_PW"
55
56 OWNED_FILE="/var/lib/.tpm_owned"
57
58 take_ownership () {
59 (echo ${OWNER_PW}; echo ${OWNER_PW}; echo ${SRK_PW}; echo ${SRK_PW}) |
60 tpm_takeownership "$@"
61 }
62
63 change_srk_pw () {
64 (echo ${OWNER_PW}; echo; echo) | tpm_changeownerauth -s "$@"
65 }
66
67 unrestrict_srk () {
68 echo ${OWNER_PW} | tpm_restrictsrk -a "$@"
69 }
70
71 check_ek () {
72 # We don't want to log this.
73 tpm_getpubek "$@" &> /dev/null
74 }
75
76 # Log to /tmp (tmpfs) since this may leak TPM identifiable information.
77 LOG_DIR=$(mktemp -d /tmp/chromeos_tpm_init.XXXXXX)
78 exec 1>${LOG_DIR}/stdout
79 exec 2>${LOG_DIR}/stderr
80
81 # Drop a line in the system logs just so it's easy to check out
82 logger "TPM initialization log directory: ${LOG_DIR}"
83
84 if [ "0" = $(cat /sys/class/misc/tpm0/device/enabled) ]; then
85 logger "TPM is not enabled!"
86 exit 1
87 fi
88
89 if [ "1" = $(cat /sys/class/misc/tpm0/device/owned) ]; then
90 logger "TPM is already owned!"
91 exit 0
92 else
93 # Clean up existing opencryptoki state, flag for tpm ownership.
94 rm -rf /var/lib/opencryptoki "$OWNED_FILE"
95 fi
96
97 echo "[-] Creating the endorsement key if needed."
98 try tpm_createek
99
100 echo "[-] Verifying the ek is available."
101 try check_ek || err
102
103 echo "[-] Setting up an owner."
104 try take_ownership || err
105
106 echo "[-] Ensuring the SRK has an empty password."
107 try change_srk_pw || err
108
109 echo "[-] Unrestricting the SRK for PKCS#11 use."
110 try unrestrict_srk || err
111
112 echo "[-] TPM has been configured for general use."
113 touch "$OWNED_FILE"
114 exit 0
115
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698