path: root/bin/abrmdcontainer/initialize_tpm.sh
authorKiran Kamineni <kiran.k.kamineni@intel.com>2018-08-28 16:24:42 -0700
committerKiran Kamineni <kiran.k.kamineni@intel.com>2018-08-31 11:07:54 -0700
commit72d45a672a5ea45439f9d4f630063e70872ed8cb (patch)
tree16a6e3b8f21d8b2309e89191d31eee3e6e61e06f /bin/abrmdcontainer/initialize_tpm.sh
parentb4133b73e86c4f8cbd4284dde9970c2e8216baa4 (diff)
Modify initialization to remove ownership step
TPM ownership and primary key creation is assumed to be a step that is executed by the system administrator who will provide the credentials to pods during startup [Srini]. Now, init only reads the public portion of the primary key and puts it in the host folder. P9: Remove init.sh. Not needed as initialize will directly talk to device now. Initialize is called during Step 1 and run_abrmd is called during Step 2 Issue-ID: AAF-409 Change-Id: Id0d1860f257c98045613e90b6b88e37858a9aceb Signed-off-by: Kiran Kamineni <kiran.k.kamineni@intel.com>
Diffstat (limited to 'bin/abrmdcontainer/initialize_tpm.sh')
-rwxr-xr-xbin/abrmdcontainer/initialize_tpm.sh93
1 files changed, 27 insertions, 66 deletions
diff --git a/bin/abrmdcontainer/initialize_tpm.sh b/bin/abrmdcontainer/initialize_tpm.sh
index 6bd2c32..f9d0b68 100755
--- a/bin/abrmdcontainer/initialize_tpm.sh
+++ b/bin/abrmdcontainer/initialize_tpm.sh
@@ -1,89 +1,50 @@
#!/bin/sh
-# 1.Environmental variables
-
-# 1.a Location of Shared volume and Node's name
-# These varaibles has to be made avaialble to this script
+# Location of Shared volume and Node's name
+# These variables have to be made available to this script
echo "Shared Volume location is $ABRMD_DATA"
echo "Node name is $TPM_NODE_NAME"
-# 2. Create the directory with the host's name to store the output of Init tool
+# 1. Create the directory with the host's name to store the output of Init tool
# This is demarcate the generated files which are specific to this host's TPM
-srkhandle="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/srkhandle)"
-passphrase="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/password-passphrase)"
-echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 password.txt.gpg
-password="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/password.txt)"
-
-# 3. Create initial Flag values which are reset upon failure
+mkdir -p ${ABRMD_DATA}/host_${TPM_NODE_NAME}
+WORKDIR=${ABRMD_DATA}/host_${TPM_NODE_NAME}
+cd ${WORKDIR}
+# /abrmd/cred will contain srk_handle and tpm owner hierarchy password
+# provided by the admin of the TPM node
+SRKHANDLE="$(cat /abrmd/cred/srk_handle | base64 -d)"
+
+# 2. Create initial Flag values which are reset upon failure
error="NULL"
flag="1"
-# 4. TPM initialize
-echo "tpm2_startup -clear -T tabrmd -V"
-tpm2_startup -clear -T tabrmd -V
+# 3. TPM Startup
+echo "tpm2_startup --clear -T device --verbose"
+tpm2_startup --clear -T device -V
if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
error=$(echo "TPM Startup failed"); flag="0";
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
exit 1;
fi
echo ""
-# 5. Take ownership
-echo "tpm2_takeownership -o new -e new -l new -T tabrmd -V"
-tpm2_takeownership -o new -e new -l new -T tabrmd -V
-if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
-error=$(echo "Error:TPM ownership acquire failed");flag="0";
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "$error"; exit 1;
-fi
-echo ""
-
-# 6. Create Primary Key in RH_OWNER hierarchy
-rm -f PrimaryKeyBlob
-echo "tpm2_createprimary -P $password -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob"
-tpm2_createprimary -P $password -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob
-if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
-error=$(echo "Error: TPM create Primary key failed");
-echo "$error"; flag="0";
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-exit 1;
-fi
-echo ""
-
-# 7. Store Primary Key in TPMs NV RAM
-echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${srkhandle} -T tabrmd -V -P $password"
-tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${srkhandle} -T tabrmd -V -P $password
-if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
-error=$(echo "Error: Inserting Primary Key failed");
-echo "$error"; flag="0";
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "errror:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-exit 1;
-fi
-echo ""
-rm -f PrimaryKeyBlob
-
-# 8. To test, Read public portion of TPM primary key with stored handle
-rm -f $out_primary_public
-echo "tpm2_readpublic -H ${srkhandle} --opu out_primary_public -T tabrmd -V"
-tpm2_readpublic -H ${srkhandle} --opu out_primary_public -T tabrmd -V
+# 4. Read public portion of TPM primary key with stored handle
+# It is expected that the Admin would have created this already
+# using the create_primary.sh script
+rm -f out_parent_public
+echo "tpm2_readpublic -H ${SRKHANDLE} --opu out_parent_public -T device -V"
+tpm2_readpublic -H ${SRKHANDLE} --opu out_parent_public -T device -V
if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
error=$(echo" Error:Reading Public part of Primary Key failed");
echo "$error"; flag="0";
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
exit 1;
fi
echo ""
-# 9. Update the tpm_status.yaml to report the status of this Script
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml
-echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml
-
-# 10. Copy the public portion of the Primary key to the Shared volume
-# Use environment variable TPM_NODE_NAME
-cp out_parent_public ${ABRMD_DATA}/host_${TPM_NODE_NAME}
+# 5. Update the tpm_status.yaml to report the status of this Script
+echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml
+echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml