| OLD | NEW |
| (Empty) |
| 1 #!/bin/sh | |
| 2 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | |
| 3 # Use of this source code is governed by a BSD-style license that can be | |
| 4 # found in the LICENSE file. | |
| 5 # | |
| 6 # Stop-gap tpm initialization code until it is integrate to the | |
| 7 # setup process. | |
| 8 # | |
| 9 # Note: this will run and fail if the TPM is configured. | |
| 10 # | |
| 11 # Must be run in a terminal-less environment. | |
| 12 | |
| 13 # Command wrapper since there are occasionally transient bus | |
| 14 # errors with TPM calls -- especially long-lived calls like | |
| 15 # TPM_TakeOwnership. | |
| 16 try () { | |
| 17 local cmd="$1" | |
| 18 shift | |
| 19 local args="$@" | |
| 20 | |
| 21 local max_attempts=3 | |
| 22 local attempt=0 | |
| 23 local ret=1 | |
| 24 while [ $attempt -lt $max_attempts ]; do | |
| 25 echo -n "[*] $(date +%s): running $cmd . . ." | |
| 26 $cmd $args | |
| 27 ret=$? | |
| 28 if [ $ret -ne 0 ]; then | |
| 29 echo "fail" | |
| 30 else | |
| 31 echo "ok" | |
| 32 return 0 | |
| 33 fi | |
| 34 attempt=$((attempt + 1)) | |
| 35 done | |
| 36 return $ret | |
| 37 } | |
| 38 | |
| 39 # Simple bail. We don't use set -e because not all commands are terminal. | |
| 40 err () { | |
| 41 echo -n "Something is wrong with the TPM. " 1>&2 | |
| 42 echo "Try clearing it from the BIOS." 1>&2 | |
| 43 exit 1 | |
| 44 } | |
| 45 | |
| 46 # 8 is the magic tpm password length. | |
| 47 OWNER_PW=$(openssl rand -base64 8 | head -c 8) | |
| 48 | |
| 49 # temporary password so that we can reset it to nothing afterwards | |
| 50 SRK_PW=1234567890 | |
| 51 | |
| 52 # For debugging. | |
| 53 # echo "owner: $OWNER_PW" | |
| 54 # echo "srk: $SRK_PW" | |
| 55 | |
| 56 OWNED_FILE="/var/lib/.tpm_owned" | |
| 57 | |
| 58 take_ownership () { | |
| 59 (echo ${OWNER_PW}; echo ${OWNER_PW}; echo ${SRK_PW}; echo ${SRK_PW}) | | |
| 60 tpm_takeownership "$@" | |
| 61 } | |
| 62 | |
| 63 change_srk_pw () { | |
| 64 (echo ${OWNER_PW}; echo; echo) | tpm_changeownerauth -s "$@" | |
| 65 } | |
| 66 | |
| 67 unrestrict_srk () { | |
| 68 echo ${OWNER_PW} | tpm_restrictsrk -a "$@" | |
| 69 } | |
| 70 | |
| 71 check_ek () { | |
| 72 # We don't want to log this. | |
| 73 tpm_getpubek "$@" &> /dev/null | |
| 74 } | |
| 75 | |
| 76 # Log to /tmp (tmpfs) since this may leak TPM identifiable information. | |
| 77 LOG_DIR=$(mktemp -d /tmp/chromeos_tpm_init.XXXXXX) | |
| 78 exec 1>${LOG_DIR}/stdout | |
| 79 exec 2>${LOG_DIR}/stderr | |
| 80 | |
| 81 # Drop a line in the system logs just so it's easy to check out | |
| 82 logger "TPM initialization log directory: ${LOG_DIR}" | |
| 83 | |
| 84 if [ "0" = $(cat /sys/class/misc/tpm0/device/enabled) ]; then | |
| 85 logger "TPM is not enabled!" | |
| 86 exit 1 | |
| 87 fi | |
| 88 | |
| 89 if [ "1" = $(cat /sys/class/misc/tpm0/device/owned) ]; then | |
| 90 logger "TPM is already owned!" | |
| 91 exit 0 | |
| 92 else | |
| 93 # Clean up existing opencryptoki state, flag for tpm ownership. | |
| 94 rm -rf /var/lib/opencryptoki "$OWNED_FILE" | |
| 95 fi | |
| 96 | |
| 97 echo "[-] Creating the endorsement key if needed." | |
| 98 try tpm_createek | |
| 99 | |
| 100 echo "[-] Verifying the ek is available." | |
| 101 try check_ek || err | |
| 102 | |
| 103 echo "[-] Setting up an owner." | |
| 104 try take_ownership || err | |
| 105 | |
| 106 echo "[-] Ensuring the SRK has an empty password." | |
| 107 try change_srk_pw || err | |
| 108 | |
| 109 echo "[-] Unrestricting the SRK for PKCS#11 use." | |
| 110 try unrestrict_srk || err | |
| 111 | |
| 112 echo "[-] TPM has been configured for general use." | |
| 113 touch "$OWNED_FILE" | |
| 114 exit 0 | |
| 115 | |