authorKiran Kamineni <kiran.k.kamineni@intel.com>2018-08-28 16:24:42 -0700
committerKiran Kamineni <kiran.k.kamineni@intel.com>2018-08-31 11:07:54 -0700
commit72d45a672a5ea45439f9d4f630063e70872ed8cb (patch)
tree16a6e3b8f21d8b2309e89191d31eee3e6e61e06f /bin/abrmdcontainer/create_primary.sh
parentb4133b73e86c4f8cbd4284dde9970c2e8216baa4 (diff)
Modify initialization to remove ownership step
TPM ownership and primary key creation is assumed to be a step that is executed by the system administrator who will provide the credentials to pods during startup [Srini]. Now, init only reads the public portion of the primary key and puts it in the host folder. P9: Remove init.sh. Not needed as initialize will directly talk to device now. Initialize is called during Step 1 and run_abrmd is called during Step 2 Issue-ID: AAF-409 Change-Id: Id0d1860f257c98045613e90b6b88e37858a9aceb Signed-off-by: Kiran Kamineni <kiran.k.kamineni@intel.com>
Diffstat (limited to 'bin/abrmdcontainer/create_primary.sh')
-rwxr-xr-xbin/abrmdcontainer/create_primary.sh62
1 files changed, 62 insertions, 0 deletions
diff --git a/bin/abrmdcontainer/create_primary.sh b/bin/abrmdcontainer/create_primary.sh
new file mode 100755
index 0000000..3d4f0f9
--- /dev/null
+++ b/bin/abrmdcontainer/create_primary.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# Utility Script to create a primary key
+# Uses TCTI as device
+# It takes three arguments, a STORAGE HANDLE, the RH_OWNER Password and the KEY PASSWORD
+SRKHANDLE=$1
+O_PASSWORD=$2
+KEY_PASSWORD=$3
+
+# TPM Startup
+echo "tpm2_startup --clear -T device --verbose"
+tpm2_startup --clear -T device --verbose
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "TPM Startup failed"); flag="0";
+echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+
+#Check if Primary Key already exists
+echo "tpm2_readpublic -H ${SRKHANDLE} --opu out_primary_public -T device --verbose"
+tpm2_readpublic -H ${SRKHANDLE} --opu out_primary_public -T device -V
+
+if [ $? -ne 0 ]; then echo; echo -e "${YELLOW} Primary Key does not exist, creating...";
+ rm -f PrimaryKeyBlob
+ echo "tpm2_createprimary -P ${O_PASSWORD} -K ${KEY_PASSWORD} -A o -g 0x000B
+ -G 0x0001 -T device -V -C PrimaryKeyBlob"
+
+ tpm2_createprimary -P ${O_PASSWORD} -K ${KEY_PASSWORD} -A o -g 0x000B \
+ -G 0x0001 -T device -V -C PrimaryKeyBlob
+
+ if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+ error=$(echo "Error: TPM create Primary key failed");
+ echo "$error"; flag="0";
+ echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+ echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
+ exit 1;
+ fi
+ echo ""
+
+
+ #Store Primary Key in TPMs NV RAM
+ echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${SRKHANDLE}
+ -T device -V -P ${O_PASSWORD}"
+
+ tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${SRKHANDLE} \
+ -T device -V -P ${O_PASSWORD}
+
+ if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+ error=$(echo "Error: Inserting Primary Key failed");
+ echo "$error"; flag="0";
+ echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+ echo "errror:${error}" >> ${WORKDIR}/tpm_status.yaml;
+ rm -f PrimaryKeyBlob
+ exit 1;
+ fi
+ echo ""
+ rm -f PrimaryKeyBlob
+fi
+
+#END \ No newline at end of file
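Review bot: The two echo lines that print the tpm2_createprimary and tpm2_evictcontrol command lines interpolate `${O_PASSWORD}` and `${KEY_PASSWORD}`, so the owner and key passwords are written in clear text to stdout and to whatever captures the container log; redact them, e.g. `echo "tpm2_createprimary -P **** -K **** -A o -g 0x000B -G 0x0001 -T device -V -C PrimaryKeyBlob"` and `echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${SRKHANDLE} -T device -V -P ****"`. Passing both secrets as argv also exposes them to process listings on the host for the duration of each tool call, which the script does not mitigate; if the tpm2-tools version in use offers a file- or stdin-based form for these options, that would be the safer choice. The status file written on failure is also inconsistent: the evictcontrol branch writes the key `errror:` where the other two branches write `error:`, so a consumer of tpm_status.yaml will miss that message — change it to `echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;`. Finally, `WORKDIR`, `RED` and `YELLOW` are read but never set in this file, so an unset `WORKDIR` sends the status file to `/tpm_status.yaml`; a guard such as `: "${WORKDIR:?WORKDIR must be set}"` after the argument assignments would make the dependency explicit, and `echo -e` is not portable under `#!/bin/sh`.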