-rwxr-xr-x | bin/abrmdcontainer/create_primary.sh | 62 | ||||
-rwxr-xr-x | bin/abrmdcontainer/dockerfile | 68 | ||||
-rwxr-xr-x | bin/abrmdcontainer/init.sh | 43 | ||||
-rwxr-xr-x | bin/abrmdcontainer/initialize_tpm.sh | 93 | ||||
-rwxr-xr-x | bin/abrmdcontainer/run_abrmd.sh | 2 | ||||
-rw-r--r-- | tpm-util/import/main.c | 55 |
6 files changed, 123 insertions, 200 deletions
diff --git a/bin/abrmdcontainer/create_primary.sh b/bin/abrmdcontainer/create_primary.sh
new file mode 100755
index 0000000..3d4f0f9
--- /dev/null
+++ b/bin/abrmdcontainer/create_primary.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# Utility Script to create a primary key
+# Uses TCTI as device
+# It takes three arguments, a STORAGE HANDLE, the RH_OWNER Password and the KEY PASSWORD
+SRKHANDLE=$1
+O_PASSWORD=$2
+KEY_PASSWORD=$3
+
+# TPM Startup
+echo "tpm2_startup --clear -T device --verbose"
+tpm2_startup --clear -T device --verbose
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "TPM Startup failed"); flag="0";
+echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+
+#Check if Primary Key already exists
+echo "tpm2_readpublic -H ${SRKHANDLE} --opu out_primary_public -T device --verbose"
+tpm2_readpublic -H ${SRKHANDLE} --opu out_primary_public -T device -V
+
+if [ $? -ne 0 ]; then echo; echo -e "${YELLOW} Primary Key does not exist, creating...";
+ rm -f PrimaryKeyBlob
+ echo "tpm2_createprimary -P ${O_PASSWORD} -K ${KEY_PASSWORD} -A o -g 0x000B
+ -G 0x0001 -T device -V -C PrimaryKeyBlob"
+
+ tpm2_createprimary -P ${O_PASSWORD} -K ${KEY_PASSWORD} -A o -g 0x000B \
+ -G 0x0001 -T device -V -C PrimaryKeyBlob
+
+ if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+ error=$(echo "Error: TPM create Primary key failed");
+ echo "$error"; flag="0";
+ echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+ echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
+ exit 1;
+ fi
+ echo ""
+
+
+ #Store Primary Key in TPMs NV RAM
+ echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${SRKHANDLE}
+ -T device -V -P ${O_PASSWORD}"
+
+ tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${SRKHANDLE} \
+ -T device -V -P ${O_PASSWORD}
+
+ if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+ error=$(echo "Error: Inserting Primary Key failed");
+ echo "$error"; flag="0";
+ echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+ echo "errror:${error}" >> ${WORKDIR}/tpm_status.yaml;
+ rm -f PrimaryKeyBlob
+ exit 1;
+ fi
+ echo ""
+ rm -f PrimaryKeyBlob
+fi
+
+#END
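Review bot: The owner and key passwords taken from `$2` and `$3` are printed verbatim by the `echo "tpm2_createprimary -P ${O_PASSWORD} -K ${KEY_PASSWORD} ..."` and `echo "tpm2_evictcontrol ... -P ${O_PASSWORD}"` lines, so they end up in whatever captures this script's stdout, and they are visible in the process list for the duration of each tpm2 call. Mask them in the echoed command, e.g. `echo "tpm2_createprimary -P **** -K **** -A o -g 0x000B -G 0x0001 -T device -V -C PrimaryKeyBlob"`, and say in the header comment that passing secrets as positional arguments exposes them via `ps`. Separately, `${WORKDIR}`, `${RED}` and `${YELLOW}` are never assigned in this file, so unless the caller exports WORKDIR the failure status is appended to `/tpm_status.yaml` at the filesystem root; require it up front with `: "${WORKDIR:?WORKDIR must be set}"` before the first TPM command. Also `echo -e` is not portable under `#!/bin/sh` (dash prints the `-e` literally).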
\ No newline at end of file diff --git a/bin/abrmdcontainer/dockerfile b/bin/abrmdcontainer/dockerfile index fc788b5..095d6e2 100755 --- a/bin/abrmdcontainer/dockerfile +++ b/bin/abrmdcontainer/dockerfile @@ -1,72 +1,6 @@ -FROM ubuntu:xenial - -RUN apt-get -y update && \ - apt-get -y install \ - autoconf \ - autoconf-archive \ - libglib2.0-dev \ - libdbus-1-dev \ - automake \ - libtool \ - autotools-dev \ - libcppunit-dev \ - p11-kit \ - libcurl4-gnutls-dev \ - libcmocka0 \ - libcmocka-dev \ - build-essential \ - git \ - pkg-config \ - gcc \ - g++ \ - m4 \ - wget \ - liburiparser-dev \ - libssl-dev \ - pandoc - -RUN apt-get -y install libgcrypt20-dev - -RUN git clone https://github.com/tpm2-software/tpm2-tss.git -RUN git clone https://github.com/tpm2-software/tpm2-abrmd.git -RUN git clone https://github.com/tpm2-software/tpm2-tools.git - -# Directory for the scripts -RUN mkdir -p /abrmd/bin - -RUN cd tpm2-tss && \ - git checkout 1.2.0 && \ - ./bootstrap && \ - ./configure && \ - make && \ - make install - -RUN cd tpm2-abrmd && \ - git checkout 1.1.1 && \ - useradd --system --user-group tss && \ - ./bootstrap && \ - ./configure --with-dbuspolicydir=/etc/dbus-1/system.d \ - --with-udevrulesdir=/etc/udev/rules.d/ \ - --with-systemdsystemunitdir=/lib/systemd/system && \ - make && \ - make install - -RUN cd tpm2-tools && \ - git checkout 2.1.0 && \ - ./bootstrap && \ - ./configure --with-tcti-tabrmd=yes && \ - make && \ - make install - -RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/tpm2.conf && \ - ldconfig - -RUN rm -rf tpm2-tss -RUN rm -rf tpm2-abrmd -RUN rm -rf tpm2-tools +FROM nexus3.onap.org:10001/onap/aaf/aaf-base-xenial:latest COPY ./initialize_tpm.sh /abrmd/bin/ COPY ./run_abrmd.sh /abrmd/bin/ -COPY ./init.sh /abrmd/bin/ RUN chmod -R +x /abrmd/bin diff --git a/bin/abrmdcontainer/init.sh b/bin/abrmdcontainer/init.sh deleted file mode 100755 index c74a870..0000000 --- a/bin/abrmdcontainer/init.sh +++ /dev/null 
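Review bot: The new base image `FROM nexus3.onap.org:10001/onap/aaf/aaf-base-xenial:latest` is a floating tag, so the tpm2-tss/tpm2-abrmd/tpm2-tools versions in the image can change between builds with no change to this repository, whereas the removed lines pinned them to `1.2.0`, `1.1.1` and `2.1.0`. The scripts copied into `/abrmd/bin` use tpm2-tools 2.x-style options (`-A o`, `-H`, `-G 0x0001`) that later releases are understood to have changed, so an unannounced upgrade of the base image would break them silently. Pin the base image to a versioned tag or a digest, `FROM nexus3.onap.org:10001/onap/aaf/aaf-base-xenial:<version>@sha256:<digest>`, and add a comment stating which tpm2-tools version the scripts expect. Note also that `create_primary.sh` added in this commit is not copied into the image; if that is intentional (the admin runs it outside the container), a comment saying so would help.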
@@ -1,43 +0,0 @@ -#!/bin/bash - -set -e - -echo "Shared volume is ${ABRMD_DATA}" -FILE="${ABRMD_DATA}/tpm_status.yaml" -if [ -f $FILE ];then - flag=$(echo "$(cat ${ABRMD_DATA}/tpm_status.yaml)" | sed '/^flag/{s/[^0-9,]//g;y/,/\n/;}') - if [ "$flag" == 0 ];then - # Start DBUS - mkdir -p /var/run/dbus - stdbuf -oL -eL dbus-daemon --system --nofork 2>&1 1> /var/log/dbus-daemon.log & - # Time for Daemon to start before executin next step - sleep 1m - # Start Resource Manager - if [ -z $TPM_SIMULATOR ]; then - echo "Using TPM Hardware for the operations" - tpm2-abrmd & - # Time for abrmd process to start - sleep 1m - state=$( ps aux | grep tpm2-abrmd | grep -v grep ) - echo "Staus of abrmd Process is $state" - else - echo "Using TPM Simulator for the opeations"; - hostip=$(ip route show | awk '/default/ {print $3}'); - echo "Connecting to $hostip\n"; - tpm2-abrmd -a $hostip -t socket& - fi - - /abrmd/bin/initialize_tpm.sh - status=$? - if [ $status -eq "0" ]; then - echo "TPM Initialization successful $status" - fi - exit $? - else - echo "TPM is already Initialized" - exit; - fi -else - echo " TPM Status file not found, Hence exiting" - exit; -fi diff --git a/bin/abrmdcontainer/initialize_tpm.sh b/bin/abrmdcontainer/initialize_tpm.sh index 6bd2c32..f9d0b68 100755 --- a/bin/abrmdcontainer/initialize_tpm.sh +++ b/bin/abrmdcontainer/initialize_tpm.sh 
@@ -1,89 +1,50 @@ #!/bin/sh -# 1.Environmental variables - -# 1.a Location of Shared volume and Node's name -# These varaibles has to be made avaialble to this script +# Location of Shared volume and Node's name +# These variables have to be made available to this script echo "Shared Volume location is $ABRMD_DATA" echo "Node name is $TPM_NODE_NAME" -# 2. Create the directory with the host's name to store the output of Init tool +# 1. Create the directory with the host's name to store the output of Init tool # This is demarcate the generated files which are specific to this host's TPM -srkhandle="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/srkhandle)" -passphrase="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/password-passphrase)" -echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 password.txt.gpg -password="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/password.txt)" - -# 3. Create initial Flag values which are reset upon failure +mkdir -p ${ABRMD_DATA}/host_${TPM_NODE_NAME} +WORKDIR=${ABRMD_DATA}/host_${TPM_NODE_NAME} +cd ${WORKDIR} +# /abrmd/cred will contain srk_handle and tpm owner hierarchy password +# provided by the admin of the TPM node +SRKHANDLE="$(cat /abrmd/cred/srk_handle | base64 -d)" + +# 2. Create initial Flag values which are reset upon failure error="NULL" flag="1" -# 4. TPM initialize -echo "tpm2_startup -clear -T tabrmd -V" -tpm2_startup -clear -T tabrmd -V +# 3. TPM Startup +echo "tpm2_startup --clear -T device --verbose" +tpm2_startup --clear -T device -V if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; error=$(echo "TPM Startup failed"); flag="0"; -echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml; -echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml; +echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml; +echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml; exit 1; fi echo "" -# 5. 
Take ownership -echo "tpm2_takeownership -o new -e new -l new -T tabrmd -V" -tpm2_takeownership -o new -e new -l new -T tabrmd -V -if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; -error=$(echo "Error:TPM ownership acquire failed");flag="0"; -echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml; -echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml; -echo "$error"; exit 1; -fi -echo "" - -# 6. Create Primary Key in RH_OWNER hierarchy -rm -f PrimaryKeyBlob -echo "tpm2_createprimary -P $password -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob" -tpm2_createprimary -P $password -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob -if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; -error=$(echo "Error: TPM create Primary key failed"); -echo "$error"; flag="0"; -echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml; -echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml; -exit 1; -fi -echo "" - -# 7. Store Primary Key in TPMs NV RAM -echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${srkhandle} -T tabrmd -V -P $password" -tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${srkhandle} -T tabrmd -V -P $password -if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; -error=$(echo "Error: Inserting Primary Key failed"); -echo "$error"; flag="0"; -echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml; -echo "errror:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml; -exit 1; -fi -echo "" -rm -f PrimaryKeyBlob - -# 8. To test, Read public portion of TPM primary key with stored handle -rm -f $out_primary_public -echo "tpm2_readpublic -H ${srkhandle} --opu out_primary_public -T tabrmd -V" -tpm2_readpublic -H ${srkhandle} --opu out_primary_public -T tabrmd -V +# 4. 
Read public portion of TPM primary key with stored handle +# It is expected that the Admin would have created this already +# using the create_primary.sh script +rm -f out_parent_public +echo "tpm2_readpublic -H ${SRKHANDLE} --opu out_parent_public -T device -V" +tpm2_readpublic -H ${SRKHANDLE} --opu out_parent_public -T device -V if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit."; error=$(echo" Error:Reading Public part of Primary Key failed"); echo "$error"; flag="0"; -echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml; -echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml; +echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml; +echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml; exit 1; fi echo "" -# 9. Update the tpm_status.yaml to report the status of this Script -echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml -echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml - -# 10. Copy the public portion of the Primary key to the Shared volume -# Use environment variable TPM_NODE_NAME -cp out_parent_public ${ABRMD_DATA}/host_${TPM_NODE_NAME} +# 5. Update the tpm_status.yaml to report the status of this Script +echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml +echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml diff --git a/bin/abrmdcontainer/run_abrmd.sh b/bin/abrmdcontainer/run_abrmd.sh index bcfb233..00fbf24 100755 --- a/bin/abrmdcontainer/run_abrmd.sh +++ b/bin/abrmdcontainer/run_abrmd.sh @@ -3,7 +3,9 @@ set -e # Start DBUS mkdir -p /var/run/dbus +rm -f /var/run/dbus/* stdbuf -oL -eL dbus-daemon --system --nofork 2>&1 1> /var/log/dbus-daemon.log & +sleep 1m # Start Resource Manager if [ -z $TPM_SIMULATOR ]; then diff --git a/tpm-util/import/main.c b/tpm-util/import/main.c index c498f6c..8f66fd6 100644 --- a/tpm-util/import/main.c +++ b/tpm-util/import/main.c 
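Review bot: `SRKHANDLE="$(cat /abrmd/cred/srk_handle | base64 -d)"` has no failure check: if the mounted credential is absent or is not valid base64, the pipeline's error is ignored, SRKHANDLE is empty, and the script goes on to `tpm2_readpublic -H  --opu ...` with no handle, so the failure is reported as "Reading Public part of Primary Key failed" instead of the real cause. Read and validate the credential before the first TPM command and record the specific error in tpm_status.yaml, as below. The header comment also says /abrmd/cred holds the owner hierarchy password, but nothing in this script reads it; either drop that sentence or name the consumer. Less certain: this script now uses `-T device` while run_abrmd.sh still starts tpm2-abrmd, so both may try to hold the TPM device at once — worth confirming the device node tolerates that on the target kernel.
```sh
# … unchanged: WORKDIR setup …
# /abrmd/cred will contain srk_handle and tpm owner hierarchy password
# provided by the admin of the TPM node
SRKHANDLE="$(base64 -d /abrmd/cred/srk_handle 2>/dev/null)"
if [ $? -ne 0 ] || [ -z "${SRKHANDLE}" ]; then
  error="Error: /abrmd/cred/srk_handle missing or not valid base64"; flag="0";
  echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
  echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
  echo "$error"; exit 1;
fi
# … unchanged: TPM startup and readpublic …
```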
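Review bot: The added `sleep 1m` after starting dbus-daemon is a fixed delay rather than a readiness check, so every container start is slowed by a full minute and still races if the bus takes longer than that. Replace it with a bounded wait on the system bus socket (by default /var/run/dbus/system_bus_socket), e.g. `for i in $(seq 1 60); do [ -S /var/run/dbus/system_bus_socket ] && break; sleep 1; done`, and exit non-zero if the socket never appears. The added `rm -f /var/run/dbus/*` is presumably there to clear a stale pid file from a previous run; a one-line comment stating that (`# clear stale pid/socket left by a previous container run`) would make the intent clear, and under `set -e` it is safe since `-f` never fails. The script continues outside the hunk.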
@@ -19,17 +19,14 @@ // #include <stdio.h> -#include <stdlib.h> +#include <stdlib.h> #include <string.h> -#include <unistd.h> +#include <unistd.h> #include <sapi/tpm20.h> -#include "tpm_wrapper.h" -#include "util.h" - -char* tpm_pwd = ""; -int tpm_pwd_len = 0; +#include "tpm_wrapper.h" +#include "util.h" void PrintHelp(); char version[] = "0.1"; @@ -37,10 +34,11 @@ char version[] = "0.1"; void PrintHelp() { printf( - "OSSL key to tpm import tool, Version %s\nUsage:" - "./ossl_tpm_import " - "[-dupPub out_dupPubFile] [-dupPriv out_dupPrivFile] [-dupSymSeed out_dupSymSeedFile] [-dupEncKey out_dupEncKeyFile]" - "[-pub out_keyPub] [-priv out_KeyPriv]\n" + "OSSL key to tpm import tool, Version %s\nUsage:" + "./ossl_tpm_import " + "[-dupPub out_dupPubFile] [-dupPriv out_dupPrivFile] [-dupSymSeed out_dupSymSeedFile] " + "[-dupEncKey out_dupEncKeyFile] [-password keyPassword] " + "[-pub out_keyPub] [-priv out_KeyPriv] [-H primaryKeyHandle]\n" "\n" , version); } @@ -61,10 +59,11 @@ int main(int argc, char* argv[]) int dupSymSeed_flag = 0; char dupEncKey_Filename[256]; int dupEncKey_flag = 0; - TPM2B_DATA encryptionKey; - TPM2B_PUBLIC swKeyPublic; - TPM2B_PRIVATE swKeyPrivate; - TPM2B_ENCRYPTED_SECRET encSymSeed; + char keyPassword[256] = {0}; + TPM2B_DATA encryptionKey; + TPM2B_PUBLIC swKeyPublic; + TPM2B_PRIVATE swKeyPrivate; + TPM2B_ENCRYPTED_SECRET encSymSeed; // SW Key Import O/P variables char pub_Filename[256]; @@ -128,6 +127,15 @@ int main(int argc, char* argv[]) } dupEncKey_flag = 1; } + else if( 0 == strcmp( argv[count], "-password" ) ) { + count++; + // Read no more than a fixed length of characters + if ( (1 != sscanf(argv[count], "%255s", keyPassword )) ) + { + PrintHelp(); + return 1; + } + } else if( 0 == strcmp( argv[count], "-pub" ) ) { count++; if( (1 != sscanf( argv[count], "%s", pub_Filename )) ) 
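Review bot: The new `-password` branch increments `count` and reads `argv[count]` without checking that an argument follows, so `ossl_tpm_import ... -password` as the last word passes `argv[argc]` (NULL) to sscanf and crashes; the `%255s` conversion also stops at the first whitespace, so a passphrase containing a space is silently truncated and the key is then imported under a different password than the user typed. Bound the index and copy the whole argument, keeping the 255-byte limit via snprintf, as below. The same unchecked `count++` pattern exists on the pre-existing `-pub` branch, which this commit leaves unchanged. Passing the key password on the command line also exposes it to other local users through the process list; that is worth documenting in PrintHelp, or better, accept it from a file or environment variable. The enclosing `main` starts and ends outside this hunk.
```c
else if( 0 == strcmp( argv[count], "-password" ) ) {
    // Require an argument to follow; argv[argc] is NULL
    if( count + 1 >= argc ) {
        PrintHelp();
        return 1;
    }
    count++;
    // Copy the whole argument (sscanf "%255s" stops at whitespace); reject if it does not fit
    if( snprintf( keyPassword, sizeof keyPassword, "%s", argv[count] ) >= (int)sizeof keyPassword ) {
        PrintHelp();
        return 1;
    }
}
// … unchanged: -pub, -priv branches …
```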
@@ -170,11 +178,11 @@ int main(int argc, char* argv[]) // For TPM Import functionality, check all input params are present if( (!dupPub_flag) || - (!dupPriv_flag) || - (!dupSymSeed_flag) || - (!dupEncKey_flag) || - (!pub_flag) || - (!priv_flag) + (!dupPriv_flag) || + (!dupSymSeed_flag) || + (!dupEncKey_flag) || + (!pub_flag) || + (!priv_flag) ) { printf("Error: One or more Inputs for TPM import functionality is missing ! \n"); return -1; @@ -215,9 +223,9 @@ int main(int argc, char* argv[]) TPM2B_PRIVATE importPrivate; INIT_SIMPLE_TPM2B_SIZE(importPrivate); - rval = swKeyTpmImport(sysContext, primaryKeyHandle, - &encryptionKey, &swKeyPublic, &swKeyPrivate, &encSymSeed, - tpm_pwd, tpm_pwd_len, + rval = swKeyTpmImport(sysContext, primaryKeyHandle, + &encryptionKey, &swKeyPublic, &swKeyPrivate, &encSymSeed, + keyPassword, strlen(keyPassword), &importPrivate); if(rval != 0) { printf("\nswKeyTpmImport failed: 0x%x ! \n", rval); @@ -241,4 +249,3 @@ end: return rval; } - |
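Review bot: `keyPassword` now holds the key authorization in a stack buffer that is handed to swKeyTpmImport but never cleared, so the secret stays in process memory (and in any core dump) after the call. Clear it on every exit path, e.g. at the `end:` label before `return rval;` add `memset(keyPassword, 0, sizeof keyPassword);` — and since a plain memset before return may be elided by the optimizer, prefer `explicit_bzero` where available or a volatile-pointer loop. Behaviour for an omitted `-password` is unchanged from the removed globals: an empty string with length 0 is passed. The enclosing `main` starts outside this hunk.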