authorPramod Raghavendra Jayathirth <pramod.raghavendra.jayathirth@intel.com>2018-08-02 10:41:31 -0700
committerPramod Raghavendra Jayathirth <pramod.raghavendra.jayathirth@intel.com>2018-08-22 09:35:07 -0700
commit51449dab404b457264e1a36206773b9764241167 (patch)
tree6187b645b21df022530efabe2cd72ba36b750c4b
parent6a2a8d92236fcb5763af59d69c3a9d0edc9010c0 (diff)
Containerize TPM Initialization tool
Modifying ABRMD container to support Init tool Change-Id: I8b2f8171688b67567e3ad4a3e4942ae76737bdfc Issue-ID: AAF-342 Signed-off-by: Pramod Raghavendra Jayathirth <pramod.raghavendra.jayathirth@intel.com>
-rwxr-xr-x[-rw-r--r--]bin/abrmdcontainer/README.md39
-rwxr-xr-x[-rw-r--r--]bin/abrmdcontainer/dockerfile14
-rwxr-xr-xbin/abrmdcontainer/entrypoint.sh11
-rwxr-xr-xbin/abrmdcontainer/init.sh43
-rwxr-xr-xbin/abrmdcontainer/initialize_tpm.sh89
-rwxr-xr-xbin/abrmdcontainer/run_abrmd.sh17
6 files changed, 192 insertions, 21 deletions
diff --git a/bin/abrmdcontainer/README.md b/bin/abrmdcontainer/README.md
index ad2f3bc..fb07ca1 100644..100755
--- a/bin/abrmdcontainer/README.md
+++ b/bin/abrmdcontainer/README.md
@@ -1,22 +1,45 @@
+### OOM - Onap Operations Manager will deploy this as part of CA service
+### two stages
+### Stage 1 - Initialize TPM and exit (init.sh script is used for this case)
+### Stage 2 - Starts the abrmd process and keeps it running to provide the
+### means for application to interact wit TPM (run_abrmd.sh is used)
+
+### Make a directory /tmp/volume (mkdir -p /tmp/volume) on the Host
+### This directory (Sample Shared volume ABRMD_DATA) is mounted to abrmd
+### container and is mounted as /tmp/files/ inside container
+### the host's name "TPM_NODE_NAME" environmental variable
+
+### The input to this container is srkhandle(a file/environmental vatiable)
+### tpm_status.yaml (TPM State) password (for TPM Primary key,
+### password is encrypted using pgp and is extracted using the passphrase
+### (provided in shared volume))
+### Output of this container is the public
+### portion of the TPM's Primary key (out_parent_public) and the staus will
+### be updated in the tpm_status.yaml file
+
+
+### Input
+### 1.srkhandle 2.password 3.passphrase 4.tpm_status.yaml
+
+### Output
+### 1. out_parent_public
+
### Building Docker Images
```
$ docker build -t <image name> -f dockerfile .
```
-### Running ABRMD Container
+### Running ABRMD Container with Simulator
```
-$ docker run -d --privileged -v /tmp/run/dbus:/var/run/dbus --name <container name> <image name>
+$ docker run -d --privileged -v /tmp/run/dbus:/var/run/dbus -v /tmp/volume:/tmp/files --name <container name> <image name>
```
-### Running Tools Container
-This command will drop you into the tools container with everything setup appropriately:
+### Running ABRMD Container with TPM Hardware
+
```
-# Runs without any privileges.
-# Requires that the dbus be mounted from the same host folder
-# This is to enable communication between the tools and ABRMD
-$ docker run -v /tmp/run/dbus:/var/run/dbus --name <container name> -it --entrypoint /bin/bash <image name>
+$ docker run -d --privileged -device=/dev/tpm0 -v /tmp/run/dbus:/var/run/dbus -v /tmp/volume:/tmp/files --name <container name> <image name>
```
##### Sanity Check
diff --git a/bin/abrmdcontainer/dockerfile b/bin/abrmdcontainer/dockerfile
index d1c9480..fc788b5 100644..100755
--- a/bin/abrmdcontainer/dockerfile
+++ b/bin/abrmdcontainer/dockerfile
@@ -31,6 +31,9 @@ RUN git clone https://github.com/tpm2-software/tpm2-tss.git
RUN git clone https://github.com/tpm2-software/tpm2-abrmd.git
RUN git clone https://github.com/tpm2-software/tpm2-tools.git
+# Directory for the scripts
+RUN mkdir -p /abrmd/bin
+
RUN cd tpm2-tss && \
git checkout 1.2.0 && \
./bootstrap && \
@@ -58,5 +61,12 @@ RUN cd tpm2-tools && \
RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/tpm2.conf && \
ldconfig
-ADD entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"] \ No newline at end of file
+RUN rm -rf tpm2-tss
+RUN rm -rf tpm2-abrmd
+RUN rm -rf tpm2-tools
+
+COPY ./initialize_tpm.sh /abrmd/bin/
+COPY ./run_abrmd.sh /abrmd/bin/
+COPY ./init.sh /abrmd/bin/
+
+RUN chmod -R +x /abrmd/bin
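Review bot: The old `ENTRYPOINT ["/entrypoint.sh"]` is removed and no `ENTRYPOINT` or `CMD` replaces it, so the image has no default command; if the deployment is expected to select `init.sh` or `run_abrmd.sh` explicitly, a comment saying so, or a `CMD ["/abrmd/bin/run_abrmd.sh"]` default, would make that intent visible in the file. The three `RUN rm -rf tpm2-*` lines each run in their own layer after the clone and build layers above them, so they do not shrink the image; the removals would have to be part of the same `RUN` as the build steps to have that effect.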
diff --git a/bin/abrmdcontainer/entrypoint.sh b/bin/abrmdcontainer/entrypoint.sh
deleted file mode 100755
index b13c681..0000000
--- a/bin/abrmdcontainer/entrypoint.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-set -e
-
-# Start DBUS
-mkdir -p /var/run/dbus
-stdbuf -oL -eL dbus-daemon --system --nofork 2>&1 1> /var/log/dbus-daemon.log &
-
-# Start Resource Manager
-hostip=$(ip route show | awk '/default/ {print $3}')
-echo "Connecting to $hostip\n"
-tpm2-abrmd -a $hostip -t socket \ No newline at end of file
diff --git a/bin/abrmdcontainer/init.sh b/bin/abrmdcontainer/init.sh
new file mode 100755
index 0000000..c74a870
--- /dev/null
+++ b/bin/abrmdcontainer/init.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -e
+
+echo "Shared volume is ${ABRMD_DATA}"
+FILE="${ABRMD_DATA}/tpm_status.yaml"
+if [ -f $FILE ];then
+ flag=$(echo "$(cat ${ABRMD_DATA}/tpm_status.yaml)" | sed '/^flag/{s/[^0-9,]//g;y/,/\n/;}')
+ if [ "$flag" == 0 ];then
+ # Start DBUS
+ mkdir -p /var/run/dbus
+ stdbuf -oL -eL dbus-daemon --system --nofork 2>&1 1> /var/log/dbus-daemon.log &
+ # Time for Daemon to start before executin next step
+ sleep 1m
+ # Start Resource Manager
+ if [ -z $TPM_SIMULATOR ]; then
+ echo "Using TPM Hardware for the operations"
+ tpm2-abrmd &
+ # Time for abrmd process to start
+ sleep 1m
+ state=$( ps aux | grep tpm2-abrmd | grep -v grep )
+ echo "Staus of abrmd Process is $state"
+ else
+ echo "Using TPM Simulator for the opeations";
+ hostip=$(ip route show | awk '/default/ {print $3}');
+ echo "Connecting to $hostip\n";
+ tpm2-abrmd -a $hostip -t socket&
+ fi
+
+ /abrmd/bin/initialize_tpm.sh
+ status=$?
+ if [ $status -eq "0" ]; then
+ echo "TPM Initialization successful $status"
+ fi
+ exit $?
+ else
+ echo "TPM is already Initialized"
+ exit;
+ fi
+else
+ echo " TPM Status file not found, Hence exiting"
+ exit;
+fi
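Review bot: The status file checked on the `FILE=` line, `${ABRMD_DATA}/tpm_status.yaml`, is not the file initialize_tpm.sh in this same commit appends to, which is `${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml`, so the guard and the recorded result never refer to the same file; `FILE="${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml"` would match. The `sed '/^flag/{…}'` on the `flag=` line runs without `-n`, so lines that do not start with `flag` pass through unchanged and once an `error:` line is in the file `[ "$flag" == 0 ]` can never be true; `flag=$(sed -n '/^flag/{s/[^0-9,]//g;y/,/\n/;p}' "$FILE")` keeps only the flag values and drops the useless `echo "$(cat …)"`. `exit $?` after the `if [ $status -eq "0" ]` block reports the status of that `if`, not of initialize_tpm.sh, and with `set -e` a failing initialize_tpm.sh has already aborted the script before `status=$?` runs, so either `exit "$status"` or drop the dead check. On the dbus-daemon line, `2>&1 1> /var/log/dbus-daemon.log` sends stderr to the container's stdout and only stdout to the log; if both are meant for the log the order is `> /var/log/dbus-daemon.log 2>&1`, and the same line appears in run_abrmd.sh. The `[ -f $FILE ]` and `[ -z $TPM_SIMULATOR ]` tests should quote their operands so they keep working when the values are empty or contain whitespace.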
diff --git a/bin/abrmdcontainer/initialize_tpm.sh b/bin/abrmdcontainer/initialize_tpm.sh
new file mode 100755
index 0000000..6bd2c32
--- /dev/null
+++ b/bin/abrmdcontainer/initialize_tpm.sh
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+# 1.Environmental variables
+
+# 1.a Location of Shared volume and Node's name
+# These varaibles has to be made avaialble to this script
+
+echo "Shared Volume location is $ABRMD_DATA"
+echo "Node name is $TPM_NODE_NAME"
+
+# 2. Create the directory with the host's name to store the output of Init tool
+# This is demarcate the generated files which are specific to this host's TPM
+srkhandle="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/srkhandle)"
+passphrase="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/password-passphrase)"
+echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 password.txt.gpg
+password="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/password.txt)"
+
+# 3. Create initial Flag values which are reset upon failure
+error="NULL"
+flag="1"
+
+# 4. TPM initialize
+echo "tpm2_startup -clear -T tabrmd -V"
+tpm2_startup -clear -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "TPM Startup failed"); flag="0";
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+
+# 5. Take ownership
+echo "tpm2_takeownership -o new -e new -l new -T tabrmd -V"
+tpm2_takeownership -o new -e new -l new -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "Error:TPM ownership acquire failed");flag="0";
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "$error"; exit 1;
+fi
+echo ""
+
+# 6. Create Primary Key in RH_OWNER hierarchy
+rm -f PrimaryKeyBlob
+echo "tpm2_createprimary -P $password -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob"
+tpm2_createprimary -P $password -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "Error: TPM create Primary key failed");
+echo "$error"; flag="0";
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+
+# 7. Store Primary Key in TPMs NV RAM
+echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${srkhandle} -T tabrmd -V -P $password"
+tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${srkhandle} -T tabrmd -V -P $password
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "Error: Inserting Primary Key failed");
+echo "$error"; flag="0";
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "errror:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+rm -f PrimaryKeyBlob
+
+# 8. To test, Read public portion of TPM primary key with stored handle
+rm -f $out_primary_public
+echo "tpm2_readpublic -H ${srkhandle} --opu out_primary_public -T tabrmd -V"
+tpm2_readpublic -H ${srkhandle} --opu out_primary_public -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo" Error:Reading Public part of Primary Key failed");
+echo "$error"; flag="0";
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+
+# 9. Update the tpm_status.yaml to report the status of this Script
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml
+echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml
+
+# 10. Copy the public portion of the Primary key to the Shared volume
+# Use environment variable TPM_NODE_NAME
+cp out_parent_public ${ABRMD_DATA}/host_${TPM_NODE_NAME}
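Review bot: The owner password is written to stdout on the `echo "tpm2_createprimary -P $password …"` and `echo "tpm2_evictcontrol … -P $password"` lines and is passed as an argv value on the two command lines that follow, so it ends up in the container's output and is visible in the process list; print the commands without the secret, and remove the decrypted `password.txt` after it has been read. The script writes `out_primary_public` on the `tpm2_readpublic --opu out_primary_public` line but the final copy uses a different name, `cp out_parent_public …`, and the `rm -f $out_primary_public` above it expands an unset variable to nothing; both should use the literal `out_primary_public`. On the readpublic failure branch `error=$(echo" Error:…")` has no space after `echo`, so the assignment tries to run a nonexistent command and `error` stays empty; a plain `error="Error:Reading Public part of Primary Key failed"` avoids the subshell, as it would on the other branches too. The `gpg --batch --yes --passphrase-fd 0 password.txt.gpg` line resolves its input relative to the working directory and its exit status is not checked, while the next line reads `password.txt` from `${ABRMD_DATA}/host_${TPM_NODE_NAME}/`; if gpg fails, `password` is empty and the unquoted `-P $password` collapses so the following option is likely taken as the password. Under `#!/bin/sh`, `echo -e "${RED}…"` is not portable and `RED` is never set in this script, and the status-file key written on the evictcontrol failure branch is misspelled `errror:`.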
diff --git a/bin/abrmdcontainer/run_abrmd.sh b/bin/abrmdcontainer/run_abrmd.sh
new file mode 100755
index 0000000..bcfb233
--- /dev/null
+++ b/bin/abrmdcontainer/run_abrmd.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+# Start DBUS
+mkdir -p /var/run/dbus
+stdbuf -oL -eL dbus-daemon --system --nofork 2>&1 1> /var/log/dbus-daemon.log &
+
+# Start Resource Manager
+if [ -z $TPM_SIMULATOR ]; then
+ echo "Using TPM Hardware for the operations";
+ tpm2-abrmd
+else
+ echo "Using TPM Simulator for the opeations";
+ hostip=$(ip route show | awk '/default/ {print $3}');
+ echo "Connecting to $hostip\n";
+ tpm2-abrmd -a $hostip -t socket
+fi
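Review bot: `echo "Connecting to $hostip\n"` prints a literal `\n` under bash's builtin echo (the line is carried over from the deleted entrypoint.sh); `printf 'Connecting to %s\n' "$hostip"` gives the intended newline. `[ -z $TPM_SIMULATOR ]` and `-a $hostip` are unquoted and only work while the values contain no whitespace; `[ -z "$TPM_SIMULATOR" ]` and `-a "$hostip"` are the safe forms. tpm2-abrmd is started immediately after dbus-daemon is put in the background with no readiness check, whereas init.sh in this commit waits before connecting; if the daemon is not yet listening on the system bus the first connection presumably fails, so polling for the bus socket before starting tpm2-abrmd would be more robust than relying on timing.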