Side by Side Diff: bin/fix_pkcs11_token.sh

Issue 3362005: fix_pkcs11_token: detect if a token is from a previous tpm owner (Closed) Base URL: http://git.chromium.org/git/entd.git
Patch Set: Created 10 years, 3 months ago
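--- a/bin/fix_pkcs11_token.sh
+++ b/bin/fix_pkcs11_token.sh
@@ -1,62 +1,74 @@
 #!/bin/sh
 
 if [ -z "$1" ]; then
 USERNAME="chronos"
 else
 USERNAME="$1"
 fi
 
 PKCS11_GROUP="pkcs11"
 
 OPENCRYPTOKI_DIR="/var/lib/opencryptoki"
 USER_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/$USERNAME"
 ROOT_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/root"
 
 USER_TOKEN_DIR="/home/$USERNAME/user/.tpm"
 
 log() {
 if [ -t 1 ]; then
 echo "$@" 1>&2
 else
 logger -t $(basename "$0") "$@"
 fi
 }
 
+is_token_broken() {
+if [ ! -e "/var/lib/.tpm_owned" ]; then
+log "TPM is not owned, token for $USERNAME can't be valid."
+return 0
+fi
+
+if [ "/var/lib/.tpm_owned" -nt "$USER_TOKEN_DIR" ]; then
+log "PKCS#11 token for $USERNAME is from a previous TPM owner."
+return 0
+fi
+
+if [ ! -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" -o \
+! -e "$USER_TOKEN_DIR/TOK_OBJ/70000000" ]; then
+log "PKCS#11 token for $USERNAME is missing some files."
+return 0
+fi
+
+log "PKCS#11 token for $USERNAME looks ok."
+return 1
+}
+
 if [ ! -e "$USER_TOKEN_DIR/NVTOK.DAT" ]; then
 log "No PKCS#11 token found for $USERNAME."
-else
-if [ -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" -a \
--e "$USER_TOKEN_DIR/TOK_OBJ/70000000" ]; then
-log "PKCS#11 token for $USERNAME looks ok."
-else
-# If these files are missing, it's a sign that initialization timed out.
-# The only way to recover seems to be to wipe out the whole token and try
-# again.
-log "PKCS#11 token for $USERNAME appears to be broken, deleting:" \
-"$USER_TOKEN_DIR/*"
-rm -rf "$USER_TOKEN_DIR"/*
-fi
+elif is_token_broken; then
+log "Removing $USER_TOKEN_DIR/*"
+rm -rf "$USER_TOKEN_DIR"/*
 fi
 
 # Ensure the directories exist
 mkdir -p "$OPENCRYPTOKI_DIR/tpm"
 chown -R "root:$PKCS11_GROUP" "$OPENCRYPTOKI_DIR"
 
 # Ensure that they point to the user volume
 [ -L "$USER_TOKEN_LINK" ] || \
 ln -sf "$USER_TOKEN_DIR" "$USER_TOKEN_LINK"
 [ -L "$ROOT_TOKEN_LINK" ] || \
 ln -sf "./$USERNAME" "$ROOT_TOKEN_LINK"
 
 # Always remove the old token entry.
 rm -f /var/lib/opencryptoki/pk_config_data
 
 # Creating this directory because if it's not there, token initialization
 # will neither create it nor populate it.
 mkdir -p "$USER_TOKEN_DIR/TOK_OBJ"
 
 # Configure the tpm as a token
 pkcs_slot 0 tpm
 
 # Make sure the user can access their own data
 chown -R "$USERNAME:$PKCS11_GROUP" "$USER_TOKEN_DIR"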
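Review bot: The previous-owner test in is_token_broken compares the owner marker against the token directory itself, and a directory's mtime records only the last time an entry was added or removed in it, so any file created or deleted under `$USER_TOKEN_DIR` after the TPM was re-owned makes the directory look newer than `/var/lib/.tpm_owned` and the stale-owner branch is skipped, leaving key material bound to the previous owner in place. Comparing against a file written at token initialization is more robust, and since the caller has already required it to exist, `if [ "/var/lib/.tpm_owned" -nt "$USER_TOKEN_DIR/NVTOK.DAT" ]; then` keeps the same shape. Also, under `#!/bin/sh` the `-nt` operator is not specified by POSIX test (dash does support it) and `-o` is marked obsolescent; `if [ ! -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" ] || [ ! -e "$USER_TOKEN_DIR/TOK_OBJ/70000000" ]; then` avoids the latter. A short header comment on the function stating that it returns 0 when the token must be wiped and 1 when it is usable would make the inverted-sounding `return 1` on the "looks ok" path clearer to the next reader.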