| 1 #!/bin/sh | 1 #!/bin/sh |
| 2 | 2 |
| 3 if [ -z "$1" ]; then | 3 if [ -z "$1" ]; then |
| 4 USERNAME="chronos" | 4 USERNAME="chronos" |
| 5 else | 5 else |
| 6 USERNAME="$1" | 6 USERNAME="$1" |
| 7 fi | 7 fi |
| 8 | 8 |
| 9 PKCS11_GROUP="pkcs11" | 9 PKCS11_GROUP="pkcs11" |
| 10 | 10 |
| 11 OPENCRYPTOKI_DIR="/var/lib/opencryptoki" | 11 OPENCRYPTOKI_DIR="/var/lib/opencryptoki" |
| 12 USER_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/$USERNAME" | 12 USER_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/$USERNAME" |
| 13 ROOT_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/root" | 13 ROOT_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/root" |
| 14 | 14 |
| 15 USER_TOKEN_DIR="/home/$USERNAME/user/.tpm" | 15 USER_TOKEN_DIR="/home/$USERNAME/user/.tpm" |
| 16 | 16 |
| 17 if [ -e "$USER_TOKEN_DIR/PUBLIC_ROOT_KEY.pem" -a \ | 17 log() { |
| 18 ! -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" ]; then | 18 if [ -t 1 ]; then |
| 19 # A token with a public key but no private key is a sign that | 19 echo "$@" 1>&2 |
| 20 # initialization timed out. The only way to recover seems to be to wipe | 20 else |
| 21 # out the whole token and try again. | 21 logger -t $(basename "$0") "$@" |
| 22 logger "PKCS#11 token appears to be broken, deleting: $USER_TOKEN_DIR/*" | 22 fi |
| 23 rm -rf "$USER_TOKEN_DIR"/* | 23 } |
| 24 | |
| 25 if [ ! -f "$USER_TOKEN_DIR/PUBLIC_ROOT_KEY.pem" ]; then | |
| 26 log "No PKCS#11 token found for $USERNAME." | |
| 27 else | |
| 28 if [ -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" -a \ | |
| 29 -e "$USER_TOKEN_DIR/TOK_OBJ/70000000" ]; then | |
|
Chris Masone
2010/08/25 00:33:13
-f or -e, be consistent.
| |
| 30 log "PKCS#11 token for $USERNAME looks ok." | |
| 31 else | |
| 32 # If these files are missing, it's a sign that initialization timed out. | |
| 33 # The only way to recover seems to be to wipe out the whole token and try | |
| 34 # again. | |
| 35 log "PKCS#11 token for $USERNAME appears to be broken, deleting:" \ | |
| 36 "$USER_TOKEN_DIR/*" | |
| 37 rm -rf "$USER_TOKEN_DIR"/* | |
| 38 fi | |
| 24 fi | 39 fi |
| 25 | 40 |
| 26 # Ensure the directories exist | 41 # Ensure the directories exist |
| 27 mkdir -p "$OPENCRYPTOKI_DIR/tpm" | 42 mkdir -p "$OPENCRYPTOKI_DIR/tpm" |
| 28 chown -R "root:$PKCS11_GROUP" "$OPENCRYPTOKI_DIR" | 43 chown -R "root:$PKCS11_GROUP" "$OPENCRYPTOKI_DIR" |
| 29 | 44 |
| 30 # Ensure that they point to the user volume | 45 # Ensure that they point to the user volume |
| 31 [ -L "$USER_TOKEN_LINK" ] || \ | 46 [ -L "$USER_TOKEN_LINK" ] || \ |
| 32 ln -sf "$USER_TOKEN_DIR" "$USER_TOKEN_LINK" | 47 ln -sf "$USER_TOKEN_DIR" "$USER_TOKEN_LINK" |
| 33 [ -L "$ROOT_TOKEN_LINK" ] || \ | 48 [ -L "$ROOT_TOKEN_LINK" ] || \ |
| 34 ln -sf "./$USERNAME" "$ROOT_TOKEN_LINK" | 49 ln -sf "./$USERNAME" "$ROOT_TOKEN_LINK" |
| 35 | 50 |
| 36 # Always remove the old token entry. | 51 # Always remove the old token entry. |
| 37 rm -f /var/lib/opencryptoki/pk_config_data | 52 rm -f /var/lib/opencryptoki/pk_config_data |
| 38 | 53 |
| 39 # Creating this directory because if it's not there, token initialization | 54 # Creating this directory because if it's not there, token initialization |
| 40 # will neither create it nor populate it. | 55 # will neither create it nor populate it. |
| 41 mkdir -p "$USER_TOKEN_DIR/TOK_OBJ" | 56 mkdir -p "$USER_TOKEN_DIR/TOK_OBJ" |
| 42 | 57 |
| 43 # Configure the tpm as a token | 58 # Configure the tpm as a token |
| 44 pkcs_slot 0 tpm | 59 pkcs_slot 0 tpm |
| 45 | 60 |
| 46 # Make sure the user can access their own data | 61 # Make sure the user can access their own data |
| 47 chown -R "$USERNAME:$PKCS11_GROUP" "$USER_TOKEN_DIR" | 62 chown -R "$USERNAME:$PKCS11_GROUP" "$USER_TOKEN_DIR" |
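Review bot: `USERNAME` is taken straight from `$1` (line 6 of the new side) and then flows into `rm -rf "$USER_TOKEN_DIR"/*` on new line 37 and the `chown -R` on new line 62, but nothing in the new code validates it, so a value containing `/` or `..` would aim the wipe and the ownership change outside `/home/<user>/user/.tpm`. If callers can pass arbitrary values, a guard right after the `fi` on line 7 such as `case "$USERNAME" in ''|.|..|*[!A-Za-z0-9._-]*) printf 'invalid username: %s\n' "$USERNAME" >&2; exit 1;; esac` would bound the damage before any path is built from it. Separately, `logger -t $(basename "$0") "$@"` on new line 21 leaves the command substitution unquoted; `logger -t "$(basename "$0")" "$@"` is the safe form under `#!/bin/sh`. The `-a` inside `[ ... ]` on new line 28 is the deprecated and ambiguous test form; two `[ ]` tests joined with `&&` are the portable equivalent.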