From 51449dab404b457264e1a36206773b9764241167 Mon Sep 17 00:00:00 2001
From: Pramod Raghavendra Jayathirth
Date: Thu, 2 Aug 2018 10:41:31 -0700
Subject: Containerize TPM Initialization tool

Modifying ABRMD container to support Init tool

Change-Id: I8b2f8171688b67567e3ad4a3e4942ae76737bdfc
Issue-ID: AAF-342
Signed-off-by: Pramod Raghavendra Jayathirth
---
 bin/abrmdcontainer/README.md | 39 ++++++++++++----
 bin/abrmdcontainer/dockerfile | 14 +++++-
 bin/abrmdcontainer/entrypoint.sh | 11 -----
 bin/abrmdcontainer/init.sh | 43 +++++++++++++++++
 bin/abrmdcontainer/initialize_tpm.sh | 89 ++++++++++++++++++++++++++++++++++++
 bin/abrmdcontainer/run_abrmd.sh | 17 +++++++
 6 files changed, 192 insertions(+), 21 deletions(-)
 mode change 100644 => 100755 bin/abrmdcontainer/README.md
 mode change 100644 => 100755 bin/abrmdcontainer/dockerfile
 delete mode 100755 bin/abrmdcontainer/entrypoint.sh
 create mode 100755 bin/abrmdcontainer/init.sh
 create mode 100755 bin/abrmdcontainer/initialize_tpm.sh
 create mode 100755 bin/abrmdcontainer/run_abrmd.sh
(limited to 'bin/abrmdcontainer')
diff --git a/bin/abrmdcontainer/README.md b/bin/abrmdcontainer/README.md
old mode 100644
new mode 100755
index ad2f3bc..fb07ca1
--- a/bin/abrmdcontainer/README.md
+++ b/bin/abrmdcontainer/README.md
@@ -1,22 +1,45 @@ +### OOM - Onap Operations Manager will deploy this as part of CA service +### two stages +### Stage 1 - Initialize TPM and exit (init.sh script is used for this case) +### Stage 2 - Starts the abrmd process and keeps it running to provide the +### means for application to interact wit TPM (run_abrmd.sh is used) + +### Make a directory /tmp/volume (mkdir -p /tmp/volume) on the Host +### This directory (Sample Shared volume ABRMD_DATA) is mounted to abrmd +### container and is mounted as /tmp/files/ inside container +### the host's name "TPM_NODE_NAME" environmental variable + +### The input to this container is srkhandle(a file/environmental vatiable) +### tpm_status.yaml (TPM State) password (for TPM Primary key, +### password is encrypted using pgp and is extracted using the passphrase +### (provided in shared volume)) +### Output of this container is the public +### portion of the TPM's Primary key (out_parent_public) and the staus will +### be updated in the tpm_status.yaml file + + +### Input +### 1.srkhandle 2.password 3.passphrase 4.tpm_status.yaml + +### Output +### 1. out_parent_public + ### Building Docker Images ``` $ docker build -t -f dockerfile . ``` -### Running ABRMD Container +### Running ABRMD Container with Simulator ``` -$ docker run -d --privileged -v /tmp/run/dbus:/var/run/dbus --name +$ docker run -d --privileged -v /tmp/run/dbus:/var/run/dbus -v /tmp/volume:/tmp/files --name ``` -### Running Tools Container -This command will drop you into the tools container with everything setup appropriately: +### Running ABRMD Container with TPM Hardware + ``` -# Runs without any privileges. -# Requires that the dbus be mounted from the same host folder -# This is to enable communication between the tools and ABRMD -$ docker run -v /tmp/run/dbus:/var/run/dbus --name -it --entrypoint /bin/bash +$ docker run -d --privileged -device=/dev/tpm0 -v /tmp/run/dbus:/var/run/dbus -v /tmp/volume:/tmp/files --name ``` ##### Sanity Check 
diff --git a/bin/abrmdcontainer/dockerfile b/bin/abrmdcontainer/dockerfile old mode 100644 new mode 100755 index d1c9480..fc788b5 --- a/bin/abrmdcontainer/dockerfile +++ b/bin/abrmdcontainer/dockerfile @@ -31,6 +31,9 @@ RUN git clone https://github.com/tpm2-software/tpm2-tss.git RUN git clone https://github.com/tpm2-software/tpm2-abrmd.git RUN git clone https://github.com/tpm2-software/tpm2-tools.git +# Directory for the scripts +RUN mkdir -p /abrmd/bin + RUN cd tpm2-tss && \ git checkout 1.2.0 && \ ./bootstrap && \ @@ -58,5 +61,12 @@ RUN cd tpm2-tools && \ RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/tpm2.conf && \ ldconfig -ADD entrypoint.sh /entrypoint.sh -ENTRYPOINT ["/entrypoint.sh"] \ No newline at end of file +RUN rm -rf tpm2-tss +RUN rm -rf tpm2-abrmd +RUN rm -rf tpm2-tools + +COPY ./initialize_tpm.sh /abrmd/bin/ +COPY ./run_abrmd.sh /abrmd/bin/ +COPY ./init.sh /abrmd/bin/ + +RUN chmod -R +x /abrmd/bin diff --git a/bin/abrmdcontainer/entrypoint.sh b/bin/abrmdcontainer/entrypoint.sh deleted file mode 100755 index b13c681..0000000 --- a/bin/abrmdcontainer/entrypoint.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -set -e - -# Start DBUS -mkdir -p /var/run/dbus -stdbuf -oL -eL dbus-daemon --system --nofork 2>&1 1> /var/log/dbus-daemon.log & - -# Start Resource Manager -hostip=$(ip route show | awk '/default/ {print $3}') -echo "Connecting to $hostip\n" -tpm2-abrmd -a $hostip -t socket \ No newline at end of file diff --git a/bin/abrmdcontainer/init.sh b/bin/abrmdcontainer/init.sh new file mode 100755 index 0000000..c74a870 --- /dev/null +++ b/bin/abrmdcontainer/init.sh 
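Review bot: The second hunk removes `ENTRYPOINT ["/entrypoint.sh"]` without adding a replacement, so the image no longer declares any default command of its own; if choosing between init.sh and run_abrmd.sh is meant to be the operator's job at `docker run` time, state that in the README, otherwise add `CMD ["/abrmd/bin/run_abrmd.sh"]` after the chmod line so the long-running mode is the default. The three `RUN rm -rf tpm2-*` lines cannot reduce the image size, because the clones were created in the earlier `RUN git clone` layers and stay in those layers; the cleanup only takes effect if it lives in the same `RUN` as the clone and build steps, or in a multi-stage build that copies just `/usr/local` forward. `RUN chmod -R +x /abrmd/bin` also touches the directory itself; `RUN chmod +x /abrmd/bin/*.sh` is the narrower form.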
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -e
+
+echo "Shared volume is ${ABRMD_DATA}"
+FILE="${ABRMD_DATA}/tpm_status.yaml"
+if [ -f $FILE ];then
+ flag=$(echo "$(cat ${ABRMD_DATA}/tpm_status.yaml)" | sed '/^flag/{s/[^0-9,]//g;y/,/\n/;}')
+ if [ "$flag" == 0 ];then
+ # Start DBUS
+ mkdir -p /var/run/dbus
+ stdbuf -oL -eL dbus-daemon --system --nofork 2>&1 1> /var/log/dbus-daemon.log &
+ # Time for Daemon to start before executin next step
+ sleep 1m
+ # Start Resource Manager
+ if [ -z $TPM_SIMULATOR ]; then
+ echo "Using TPM Hardware for the operations"
+ tpm2-abrmd &
+ # Time for abrmd process to start
+ sleep 1m
+ state=$( ps aux | grep tpm2-abrmd | grep -v grep )
+ echo "Staus of abrmd Process is $state"
+ else
+ echo "Using TPM Simulator for the opeations";
+ hostip=$(ip route show | awk '/default/ {print $3}');
+ echo "Connecting to $hostip\n";
+ tpm2-abrmd -a $hostip -t socket&
+ fi
+
+ /abrmd/bin/initialize_tpm.sh
+ status=$?
+ if [ $status -eq "0" ]; then
+ echo "TPM Initialization successful $status"
+ fi
+ exit $?
+ else
+ echo "TPM is already Initialized"
+ exit;
+ fi
+else
+ echo " TPM Status file not found, Hence exiting"
+ exit;
+fi
diff --git a/bin/abrmdcontainer/initialize_tpm.sh b/bin/abrmdcontainer/initialize_tpm.sh
new file mode 100755
index 0000000..6bd2c32
--- /dev/null
+++ b/bin/abrmdcontainer/initialize_tpm.sh
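Review bot: The status gate reads `${ABRMD_DATA}/tpm_status.yaml`, while initialize_tpm.sh (next hunk) appends its `flag:` result to `${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml`, so unless another component copies that file the flag checked here is never updated by a run, and a second start would repeat `tpm2_takeownership` and the primary-key creation against an already provisioned TPM; use one path in both scripts, e.g. `FILE="${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml"` here with `cat "$FILE"` in the sed pipeline. `exit $?` after the `if [ $status -eq "0" ]` block reports the status of that `if` (always 0), not the status of initialize_tpm.sh; `exit "$status"` is what the preceding assignment was for, even though `set -e` already ends the script when initialize_tpm.sh fails. `2>&1 1> /var/log/dbus-daemon.log` sends dbus-daemon's stderr to the script's stdout and only its stdout to the log, so daemon diagnostics never reach the log file; `> /var/log/dbus-daemon.log 2>&1` captures both, and the same redirection appears in run_abrmd.sh. `[ -f $FILE ]` and `[ -z $TPM_SIMULATOR ]` should quote their expansions, the `ps aux | grep` pair is `pgrep -x tpm2-abrmd`, and the two fixed `sleep 1m` waits would be better replaced by polling until the daemon answers.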
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+# 1.Environmental variables
+
+# 1.a Location of Shared volume and Node's name
+# These varaibles has to be made avaialble to this script
+
+echo "Shared Volume location is $ABRMD_DATA"
+echo "Node name is $TPM_NODE_NAME"
+
+# 2. Create the directory with the host's name to store the output of Init tool
+# This is demarcate the generated files which are specific to this host's TPM
+srkhandle="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/srkhandle)"
+passphrase="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/password-passphrase)"
+echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 password.txt.gpg
+password="$(cat ${ABRMD_DATA}/host_${TPM_NODE_NAME}/password.txt)"
+
+# 3. Create initial Flag values which are reset upon failure
+error="NULL"
+flag="1"
+
+# 4. TPM initialize
+echo "tpm2_startup -clear -T tabrmd -V"
+tpm2_startup -clear -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "TPM Startup failed"); flag="0";
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+
+# 5. Take ownership
+echo "tpm2_takeownership -o new -e new -l new -T tabrmd -V"
+tpm2_takeownership -o new -e new -l new -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "Error:TPM ownership acquire failed");flag="0";
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "$error"; exit 1;
+fi
+echo ""
+
+# 6. Create Primary Key in RH_OWNER hierarchy
+rm -f PrimaryKeyBlob
+echo "tpm2_createprimary -P $password -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob"
+tpm2_createprimary -P $password -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob
+if [ $? 
-ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "Error: TPM create Primary key failed");
+echo "$error"; flag="0";
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+
+# 7. Store Primary Key in TPMs NV RAM
+echo "tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${srkhandle} -T tabrmd -V -P $password"
+tpm2_evictcontrol -A o -c ./PrimaryKeyBlob -S ${srkhandle} -T tabrmd -V -P $password
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo "Error: Inserting Primary Key failed");
+echo "$error"; flag="0";
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "errror:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+rm -f PrimaryKeyBlob
+
+# 8. To test, Read public portion of TPM primary key with stored handle
+rm -f $out_primary_public
+echo "tpm2_readpublic -H ${srkhandle} --opu out_primary_public -T tabrmd -V"
+tpm2_readpublic -H ${srkhandle} --opu out_primary_public -T tabrmd -V
+if [ $? -ne 0 ]; then echo; echo -e "${RED}Error, Exit.";
+error=$(echo" Error:Reading Public part of Primary Key failed");
+echo "$error"; flag="0";
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml;
+exit 1;
+fi
+echo ""
+
+# 9. Update the tpm_status.yaml to report the status of this Script
+echo "flag:${flag}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml
+echo "error:${error}" >> ${ABRMD_DATA}/host_${TPM_NODE_NAME}/tpm_status.yaml
+
+# 10. Copy the public portion of the Primary key to the Shared volume
+# Use environment variable TPM_NODE_NAME
+cp out_parent_public ${ABRMD_DATA}/host_${TPM_NODE_NAME}
diff --git a/bin/abrmdcontainer/run_abrmd.sh b/bin/abrmdcontainer/run_abrmd.sh
new file mode 100755
index 0000000..bcfb233
--- /dev/null
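Review bot: The hierarchy password is printed in clear on the banner lines before tpm2_createprimary and tpm2_evictcontrol (`echo "tpm2_createprimary -P $password ..."` and `echo "tpm2_evictcontrol ... -P $password"`), so it lands in the container log of every run; mask it in the banners, e.g. `echo "tpm2_createprimary -P **** -A o -g 0x000B -G 0x0001 -T tabrmd -V -C PrimaryKeyBlob"`, and note that passing it on argv also exposes it to `ps` for as long as the command runs. The decryption step runs gpg against `password.txt.gpg` in the current directory (there is no `cd`) while `password.txt` is then read from `${ABRMD_DATA}/host_${TPM_NODE_NAME}/`, gpg's exit status is never checked (this file has no `set -e`, so a failed decryption silently yields an empty `$password`), and the plaintext file is left behind on the volume; decrypting into the variable avoids all three, `password="$(printf '%s' "$passphrase" | gpg --batch --yes --passphrase-fd 0 --decrypt "${ABRMD_DATA}/host_${TPM_NODE_NAME}/password.txt.gpg")" || exit 1`. Step 8 writes `out_primary_public` (`--opu out_primary_public`) but step 10 copies `out_parent_public`, which nothing creates, so the final cp fails after `flag:1` has already been appended; settle on one name (the README names out_parent_public), and `rm -f $out_primary_public` should be the literal filename rather than an unset variable. In the step 8 error branch `error=$(echo" Error:Reading ...")` is missing the space after `echo` and produces an empty message, and step 7 appends the key as `errror:` instead of `error:`, so the status file cannot be parsed uniformly. If `tpm2_takeownership -o new -e new -l new` sets the three hierarchy auth values to the literal string `new` (as the tpm2-tools 3.x flag syntax used here suggests), the owner auth is a fixed, guessable value and `-P $password` on tpm2_createprimary would only succeed when the decrypted password is that same literal; confirm which value is intended and derive the hierarchy auth from the decrypted secret rather than a constant.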
+++ b/bin/abrmdcontainer/run_abrmd.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+# Start DBUS
+mkdir -p /var/run/dbus
+stdbuf -oL -eL dbus-daemon --system --nofork 2>&1 1> /var/log/dbus-daemon.log &
+
+# Start Resource Manager
+if [ -z $TPM_SIMULATOR ]; then
+ echo "Using TPM Hardware for the operations";
+ tpm2-abrmd
+else
+ echo "Using TPM Simulator for the opeations";
+ hostip=$(ip route show | awk '/default/ {print $3}');
+ echo "Connecting to $hostip\n";
+ tpm2-abrmd -a $hostip -t socket
+fi
-- cgit 1.2.3-korg
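Review bot: tpm2-abrmd is started as a child of the shell on both branches, so when this script is the container command PID 1 is bash and the SIGTERM from `docker stop` is not forwarded to the daemon; use `exec tpm2-abrmd` and `exec tpm2-abrmd -a "$hostip" -t socket` so the daemon replaces the script and receives signals directly. `[ -z $TPM_SIMULATOR ]` and `$hostip` are unquoted; `[ -z "$TPM_SIMULATOR" ]` keeps the test well-formed when the variable is unset or contains spaces. The simulator address is re-derived from the default route on every start, so the daemon connects to whatever the gateway happens to be at that moment; an explicit environment variable for the simulator host, with the route lookup only as a fallback, would make the target predictable and reviewable. `echo "Connecting to $hostip\n"` prints a literal `\n` under bash; `printf 'Connecting to %s\n' "$hostip"` is the portable form.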