aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xbin/abrmdcontainer/create_primary.sh62
-rwxr-xr-xbin/abrmdcontainer/dockerfile68
-rwxr-xr-xbin/abrmdcontainer/init.sh43
-rwxr-xr-xbin/abrmdcontainer/initialize_tpm.sh93
-rwxr-xr-xbin/abrmdcontainer/run_abrmd.sh2
-rw-r--r--tpm-util/import/main.c55
6 files changed, 123 insertions, 200 deletions
diff --git a/bin/abrmdcontainer/create_primary.sh b/bin/abrmdcontainer/create_primary.sh
new file mode 100755
index 0000000..3d4f0f9
--- /dev/null
+++ b/bin/abrmdcontainer/create_primary.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# Utility Script to create a primary key
+# Uses TCTI as device
+# It takes three arguments, a STORAGE HANDLE, the RH_OWNER Password and the KEY PASSWORD
+SRKHANDLE=$1
+O_PASSWORD=$2
+KEY_PASSWORD=$3
+
+# TPM Startup
+echo "tpm2_startup --clear -T device --verbose"
+tpm2_startup --clear -T device --verbose
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "TPM Startup failed"); flag="0";
+echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+
+#Check if Primary Key already exists
+echo "tpm2_readpublic -H ${SRKHANDLE} --opu out_primary_public -T device --verbose"
+tpm2_readpublic -H ${SRKHANDLE} --opu out_primary_public -T device -V
+
+if [ $? -ne 0 ]; then echo; echo -e "${YELLOW} Primary Key does not exist, creating...";
+ rm -f PrimaryKeyBlob
+ echo "tpm2_createprimary -P ${O_PASSWORD} -K ${KEY_PASSWORD} -A o -g 0x000B
+ -G 0x0001 -T device -V -C PrimaryKeyBlob"
+
+ tpm2_createprimary -P ${O_PASSWORD} -K ${KEY_PASSWORD} -A o -g 0x000B \
+ -G 0x0001 -T device -V -C PrimaryKeyBlob
+
+ if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+ error=$(echo "Error: TPM create Primary key failed");
+ echo "$error"; flag="0";
+ echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+ echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
+ exit 1;
+ fi
+ echo ""
+
+
+ #Store Primary Key in TPMs NV RAM
+ echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${SRKHANDLE}
+ -T device -V -P ${O_PASSWORD}"
+
+ tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${SRKHANDLE} \
+ -T device -V -P ${O_PASSWORD}
+
+ if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+ error=$(echo "Error: Inserting Primary Key failed");
+ echo "$error"; flag="0";
+ echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+ echo "errror:${error}" >> ${WORKDIR}/tpm_status.yaml;
+ rm -f PrimaryKeyBlob
+ exit 1;
+ fi
+ echo ""
+ rm -f PrimaryKeyBlob
+fi
+
+#END \ No newline at end of file
diff --git a/bin/abrmdcontainer/dockerfile b/bin/abrmdcontainer/dockerfile
index fc788b5..095d6e2 100755
--- a/bin/abrmdcontainer/dockerfile
+++ b/bin/abrmdcontainer/dockerfile
@@ -1,72 +1,6 @@
-FROM ubuntu:xenial
-
-RUN apt-get -y update && \
- apt-get -y install \
- autoconf \
- autoconf-archive \
- libglib2.0-dev \
- libdbus-1-dev \
- automake \
- libtool \
- autotools-dev \
- libcppunit-dev \
- p11-kit \
- libcurl4-gnutls-dev \
- libcmocka0 \
- libcmocka-dev \
- build-essential \
- git \
- pkg-config \
- gcc \
- g++ \
- m4 \
- wget \
- liburiparser-dev \
- libssl-dev \
- pandoc
-
-RUN apt-get -y install libgcrypt20-dev
-
-RUN git clone https://github.com/tpm2-software/tpm2-tss.git
-RUN git clone https://github.com/tpm2-software/tpm2-abrmd.git
-RUN git clone https://github.com/tpm2-software/tpm2-tools.git
-
-# Directory for the scripts
-RUN mkdir -p /abrmd/bin
-
-RUN cd tpm2-tss && \
- git checkout 1.2.0 && \
- ./bootstrap && \
- ./configure && \
- make && \
- make install
-
-RUN cd tpm2-abrmd && \
- git checkout 1.1.1 && \
- useradd --system --user-group tss && \
- ./bootstrap && \
- ./configure --with-dbuspolicydir=/etc/dbus-1/system.d \
- --with-udevrulesdir=/etc/udev/rules.d/ \
- --with-systemdsystemunitdir=/lib/systemd/system && \
- make && \
- make install
-
-RUN cd tpm2-tools && \
- git checkout 2.1.0 && \
- ./bootstrap && \
- ./configure --with-tcti-tabrmd=yes && \
- make && \
- make install
-
-RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/tpm2.conf && \
- ldconfig
-
-RUN rm -rf tpm2-tss
-RUN rm -rf tpm2-abrmd
-RUN rm -rf tpm2-tools
+FROM nexus3.onap.org:10001/onap/aaf/aaf-base-xenial:latest
COPY ./initialize_tpm.sh /abrmd/bin/
COPY ./run_abrmd.sh /abrmd/bin/
-COPY ./init.sh /abrmd/bin/
RUN chmod -R +x /abrmd/bin
diff --git a/bin/abrmdcontainer/init.sh b/bin/abrmdcontainer/init.sh
deleted file mode 100755
index c74a870..0000000
--- a/bin/abrmdcontainer/init.sh
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-set -e
-
-echo "Shared volume is ${ABRMD_DATA}"
-FILE="${ABRMD_DATA}/tpm_status.yaml"
-if [ -f $FILE ];then
- flag=$(echo "$(cat ${ABRMD_DATA}/tpm_status.yaml)" | sed '/^flag/{s/[^0-9,]//g;y/,/\n/;}')
- if [ "$flag" == 0 ];then
- # Start DBUS
- mkdir -p /var/run/dbus
- stdbuf -oL -eL dbus-daemon --system --nofork 2>&1 1> /var/log/dbus-daemon.log &
- # Time for Daemon to start before executin next step
- sleep 1m
- # Start Resource Manager
- if [ -z $TPM_SIMULATOR ]; then
- echo "Using TPM Hardware for the operations"
- tpm2-abrmd &
- # Time for abrmd process to start
- sleep 1m
- state=$( ps aux | grep tpm2-abrmd | grep -v grep )
- echo "Staus of abrmd Process is $state"
- else
- echo "Using TPM Simulator for the opeations";
- hostip=$(ip route show | awk '/default/ {print $3}');
- echo "Connecting to $hostip\n";
- tpm2-abrmd -a $hostip -t socket&
- fi
-
- /abrmd/bin/initialize_tpm.sh
- status=$?
- if [ $status -eq "0" ]; then
- echo "TPM Initialization successful $status"
- fi
- exit $?
- else
- echo "TPM is already Initialized"
- exit;
- fi
-else
- echo " TPM Status file not found, Hence exiting"
- exit;
-fi
diff --git a/bin/abrmdcontainer/initialize_tpm.sh b/bin/abrmdcontainer/initialize_tpm.sh
index 6bd2c32..f9d0b68 100755
--- a/bin/abrmdcontainer/initialize_tpm.sh
+++ b/bin/abrmdcontainer/initialize_tpm.sh
@@ -1,89 +1,50 @@
#!/bin/sh
-# 1.Environmental variables
-
-# 1.a Location of Shared volume and Node's name
-# These varaibles has to be made avaialble to this script
+# Location of Shared volume and Node's name
+# These variables have to be made available to this script
echo "Shared Volume location is $ABRMD_DATA"
echo "Node name is $TPM_NODE_NAME"
-# 2. Create the directory with the host's name to store the output of Init tool
+# 1. Create the directory with the host's name to store the output of Init tool
# This is demarcate the generated files which are specific to this host's TPM
-srkhandle="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/srkhandle)"
-passphrase="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/password-passphrase)"
-echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 password.txt.gpg
-password="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/password.txt)"
-
-# 3. Create initial Flag values which are reset upon failure
+mkdir -p ${ABRMD_DATA}/host_${TPM_NODE_NAME}
+WORKDIR=${ABRMD_DATA}/host_${TPM_NODE_NAME}
+cd ${WORKDIR}
+# /abrmd/cred will contain srk_handle and tpm owner hierarchy password
+# provided by the admin of the TPM node
+SRKHANDLE="$(cat /abrmd/cred/srk_handle | base64 -d)"
+
+# 2. Create initial Flag values which are reset upon failure
error="NULL"
flag="1"
-# 4. TPM initialize
-echo "tpm2_startup -clear -T tabrmd -V"
-tpm2_startup -clear -T tabrmd -V
+# 3. TPM Startup
+echo "tpm2_startup --clear -T device --verbose"
+tpm2_startup --clear -T device -V
if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
error=$(echo "TPM Startup failed"); flag="0";
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
exit 1;
fi
echo ""
-# 5. Take ownership
-echo "tpm2_takeownership -o new -e new -l new -T tabrmd -V"
-tpm2_takeownership -o new -e new -l new -T tabrmd -V
-if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
-error=$(echo "Error:TPM ownership acquire failed");flag="0";
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "$error"; exit 1;
-fi
-echo ""
-
-# 6. Create Primary Key in RH_OWNER hierarchy
-rm -f PrimaryKeyBlob
-echo "tpm2_createprimary -P $password -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob"
-tpm2_createprimary -P $password -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob
-if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
-error=$(echo "Error: TPM create Primary key failed");
-echo "$error"; flag="0";
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-exit 1;
-fi
-echo ""
-
-# 7. Store Primary Key in TPMs NV RAM
-echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${srkhandle} -T tabrmd -V -P $password"
-tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${srkhandle} -T tabrmd -V -P $password
-if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
-error=$(echo "Error: Inserting Primary Key failed");
-echo "$error"; flag="0";
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "errror:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-exit 1;
-fi
-echo ""
-rm -f PrimaryKeyBlob
-
-# 8. To test, Read public portion of TPM primary key with stored handle
-rm -f $out_primary_public
-echo "tpm2_readpublic -H ${srkhandle} --opu out_primary_public -T tabrmd -V"
-tpm2_readpublic -H ${srkhandle} --opu out_primary_public -T tabrmd -V
+# 4. Read public portion of TPM primary key with stored handle
+# It is expected that the Admin would have created this already
+# using the create_primary.sh script
+rm -f out_parent_public
+echo "tpm2_readpublic -H ${SRKHANDLE} --opu out_parent_public -T device -V"
+tpm2_readpublic -H ${SRKHANDLE} --opu out_parent_public -T device -V
if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
error=$(echo" Error:Reading Public part of Primary Key failed");
echo "$error"; flag="0";
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
-echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml;
+echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml;
exit 1;
fi
echo ""
-# 9. Update the tpm_status.yaml to report the status of this Script
-echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml
-echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml
-
-# 10. Copy the public portion of the Primary key to the Shared volume
-# Use environment variable TPM_NODE_NAME
-cp out_parent_public ${ABRMD_DATA}/host_${TPM_NODE_NAME}
+# 5. Update the tpm_status.yaml to report the status of this Script
+echo "flag:${flag}" >> ${WORKDIR}/tpm_status.yaml
+echo "error:${error}" >> ${WORKDIR}/tpm_status.yaml
diff --git a/bin/abrmdcontainer/run_abrmd.sh b/bin/abrmdcontainer/run_abrmd.sh
index bcfb233..00fbf24 100755
--- a/bin/abrmdcontainer/run_abrmd.sh
+++ b/bin/abrmdcontainer/run_abrmd.sh
@@ -3,7 +3,9 @@ set -e
# Start DBUS
mkdir -p /var/run/dbus
+rm -f /var/run/dbus/*
stdbuf -oL -eL dbus-daemon --system --nofork 2>&1 1> /var/log/dbus-daemon.log &
+sleep 1m
# Start Resource Manager
if [ -z $TPM_SIMULATOR ]; then
diff --git a/tpm-util/import/main.c b/tpm-util/import/main.c
index c498f6c..8f66fd6 100644
--- a/tpm-util/import/main.c
+++ b/tpm-util/import/main.c
@@ -19,17 +19,14 @@
//
#include <stdio.h>
-#include <stdlib.h>
+#include <stdlib.h>
#include <string.h>
-#include <unistd.h>
+#include <unistd.h>
#include <sapi/tpm20.h>
-#include "tpm_wrapper.h"
-#include "util.h"
-
-char* tpm_pwd = "";
-int tpm_pwd_len = 0;
+#include "tpm_wrapper.h"
+#include "util.h"
void PrintHelp();
char version[] = "0.1";
@@ -37,10 +34,11 @@ char version[] = "0.1";
void PrintHelp()
{
printf(
- "OSSL key to tpm import tool, Version %s\nUsage:"
- "./ossl_tpm_import "
- "[-dupPub out_dupPubFile] [-dupPriv out_dupPrivFile] [-dupSymSeed out_dupSymSeedFile] [-dupEncKey out_dupEncKeyFile]"
- "[-pub out_keyPub] [-priv out_KeyPriv]\n"
+ "OSSL key to tpm import tool, Version %s\nUsage:"
+ "./ossl_tpm_import "
+ "[-dupPub out_dupPubFile] [-dupPriv out_dupPrivFile] [-dupSymSeed out_dupSymSeedFile] "
+ "[-dupEncKey out_dupEncKeyFile] [-password keyPassword] "
+ "[-pub out_keyPub] [-priv out_KeyPriv] [-H primaryKeyHandle]\n"
"\n"
, version);
}
@@ -61,10 +59,11 @@ int main(int argc, char* argv[])
int dupSymSeed_flag = 0;
char dupEncKey_Filename[256];
int dupEncKey_flag = 0;
- TPM2B_DATA encryptionKey;
- TPM2B_PUBLIC swKeyPublic;
- TPM2B_PRIVATE swKeyPrivate;
- TPM2B_ENCRYPTED_SECRET encSymSeed;
+ char keyPassword[256] = {0};
+ TPM2B_DATA encryptionKey;
+ TPM2B_PUBLIC swKeyPublic;
+ TPM2B_PRIVATE swKeyPrivate;
+ TPM2B_ENCRYPTED_SECRET encSymSeed;
// SW Key Import O/P variables
char pub_Filename[256];
@@ -128,6 +127,15 @@ int main(int argc, char* argv[])
}
dupEncKey_flag = 1;
}
+ else if( 0 == strcmp( argv[count], "-password" ) ) {
+ count++;
+ // Read no more than a fixed length of characters
+ if ( (1 != sscanf(argv[count], "%255s", keyPassword )) )
+ {
+ PrintHelp();
+ return 1;
+ }
+ }
else if( 0 == strcmp( argv[count], "-pub" ) ) {
count++;
if( (1 != sscanf( argv[count], "%s", pub_Filename )) )
@@ -170,11 +178,11 @@ int main(int argc, char* argv[])
// For TPM Import functionality, check all input params are present
if( (!dupPub_flag) ||
- (!dupPriv_flag) ||
- (!dupSymSeed_flag) ||
- (!dupEncKey_flag) ||
- (!pub_flag) ||
- (!priv_flag)
+ (!dupPriv_flag) ||
+ (!dupSymSeed_flag) ||
+ (!dupEncKey_flag) ||
+ (!pub_flag) ||
+ (!priv_flag)
) {
printf("Error: One or more Inputs for TPM import functionality is missing ! \n");
return -1;
@@ -215,9 +223,9 @@ int main(int argc, char* argv[])
TPM2B_PRIVATE importPrivate;
INIT_SIMPLE_TPM2B_SIZE(importPrivate);
- rval = swKeyTpmImport(sysContext, primaryKeyHandle,
- &encryptionKey, &swKeyPublic, &swKeyPrivate, &encSymSeed,
- tpm_pwd, tpm_pwd_len,
+ rval = swKeyTpmImport(sysContext, primaryKeyHandle,
+ &encryptionKey, &swKeyPublic, &swKeyPrivate, &encSymSeed,
+ keyPassword, strlen(keyPassword),
&importPrivate);
if(rval != 0) {
printf("\nswKeyTpmImport failed: 0x%x ! \n", rval);
@@ -241,4 +249,3 @@ end:
return rval;
}
-