Commit
a5e70952
authored
Mar 08, 2012
by
Mike Hibler
Integrate rc.tpmsetup.
This script will only do something in a Linux MFS which has trousers installed.
parent
000ac229
Showing
2 changed files
with
101 additions
and
77 deletions
+101
-77
clientside/tmcc/common/config/rc.config
clientside/tmcc/common/config/rc.config
+3
-2
clientside/tmcc/common/config/rc.tpmsetup
clientside/tmcc/common/config/rc.tpmsetup
+98
-75
clientside/tmcc/common/config/rc.config
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2004-201
1
University of Utah and the Flux Group.
# Copyright (c) 2004-201
2
University of Utah and the Flux Group.
# All rights reserved.
#
use
English
;
...
...
@@ -86,7 +86,8 @@ my %bootscript_args = ( 'rc.accounts' => $updatemasterpasswdfiles ?
if
(
MFS
()) {
@
bootscripts
= (
"rc.misc"
,
"rc.localize"
,
"rc.mounts"
,
"rc.accounts"
,
"rc.hostnames"
,
"rc.keys"
,
"rc.tarfiles"
,
"rc.rpms"
);
"rc.hostnames"
,
"rc.keys"
,
"rc.tarfiles"
,
"rc.rpms"
,
"rc.tpmsetup"
);
}
elsif
(
FAKEJAILED
()) {
@
bootscripts
= (
"rc.misc"
,
"rc.keys"
,
"rc.route"
,
"rc.tunnels"
,
...
...
clientside/tmcc/common/config/rc.tpmsetup
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2009 University of Utah and the Flux Group.
# Copyright (c) 2009
-2012
University of Utah and the Flux Group.
# All rights reserved.
#
use
English
;
...
...
@@ -42,10 +42,33 @@ use librc;
#my $RCDIR = "$BINDIR/rc";
#
# Not all clients support this.
# Make sure we have a TPM.
# For now this means we are running Linux MFS and trousers is installed.
#
#exit(0)
# if (MFS());
sub
gottpm
()
{
# must be MFS..
if
(
MFS
())
{
my
$sysname
=
`
uname -s
`;
chomp
(
$sysname
);
# ..and Linux
if
(
$sysname
eq
"
Linux
")
{
# ..and have trousers
if
(
-
x
"
/usr/sbin/tcsd
")
{
return
1
;
}
# XXX right now only warn if Linux MFS
print
STDERR
"
WARNING: no TPM support, setup skipped
\n
";
}
}
return
0
;
}
exit
(
0
)
if
(
!
gottpm
());
# Protos.
sub
doboot
();
...
...
@@ -97,77 +120,77 @@ exit(0);
#
sub
doboot
()
{
# Here we get the keyblob which is ready to be loaded into the TPM
# via tpm-openssl-engine. This key is saved in $BINDIR/tpm.key.
# I am not sure if this is the best place to save this stuff. I also
# get the tpm x509 cert (which is supposed to be signed by the CA)
# from tmcd. It is also stored as $BINDIR/tpm.cert
my
@tpmblob
;
my
@tpmpub
;
#if (tmcc(TMCCCMD_TPMBLOB, "hex", \@tpmblob) < 0) {
if
(
tmcc
(
TMCCCMD_TPMBLOB
,
undef
,
\
@tpmblob
)
<
0
)
{
#fatal("Could not get tpmblob from server");
print
STDOUT
"
Could not get tpmblob from server
";
return
;
}
$str
=
$tpmblob
[
0
];
if
(
!
$str
)
{
#fatal("no tpmblob in database")
print
STDOUT
"
no tpmblob in database
";
return
;
}
# Sanity check and trim BLOB= or BLOBHEX=
if
(
$str
=~
/^BLOBHEX=/
){
$str
=
substr
(
$str
,
8
);
}
elsif
(
$str
=~
/^BLOB=/
){
$str
=
substr
(
$str
,
5
);
}
else
{
#fatal("corrupt key blob: @tpmblob");
print
STDOUT
"
corrupt key blob:
@tpmblob
";
return
;
}
# Strip off newline
# XXX: should check the newline probably
$len
=
length
(
$str
);
$str
=
substr
(
$str
,
0
,
$len
-
1
);
open
(
FD
,
"
>
$BINDIR
/tpm.key
");
print
FD
pack
("
H*
",
$str
);
close
(
FD
);
if
(
tmcc
(
TMCCCMD_TPMPUB
,
undef
,
\
@tpmpub
)
<
0
)
{
#fatal("Could not get tpmpub from server");
print
STDOUT
"
Could not get tpmpub from server
";
return
;
}
$str
=
$tpmpub
[
0
];
if
(
!
$str
)
{
#fatal("no tpm x509 cert in database")
print
STDOUT
"
no tpm x509 cert in database
";
return
;
}
# Trim TPMPUB=
if
(
$str
=~
/^TPMPUB=/
){
$str
=
substr
(
$str
,
7
);
}
else
{
#fatal("bogus tpmpub: @tpmpub");
print
STDOUT
"
bogus tpmpub:
@tpmpub
";
return
;
}
open
(
FD
,
"
>
$BINDIR
/tpm.cert
");
print
FD
$str
;
$size
=
@tpmpub
;
for
(
$i
=
1
;
$i
<
$size
;
$i
++
){
print
FD
$tpmpub
[
$i
];
}
close
(
FD
);
# Here we get the keyblob which is ready to be loaded into the TPM
# via tpm-openssl-engine. This key is saved in $BINDIR/tpm.key.
# I am not sure if this is the best place to save this stuff. I also
# get the tpm x509 cert (which is supposed to be signed by the CA)
# from tmcd. It is also stored as $BINDIR/tpm.cert
my
@tpmblob
;
my
@tpmpub
;
#if (tmcc(TMCCCMD_TPMBLOB, "hex", \@tpmblob) < 0) {
if
(
tmcc
(
TMCCCMD_TPMBLOB
,
undef
,
\
@tpmblob
)
<
0
)
{
#fatal("Could not get tpmblob from server");
print
STDOUT
"
Could not get tpmblob from server
\n
";
return
;
}
$str
=
$tpmblob
[
0
];
if
(
!
$str
)
{
#fatal("no tpmblob in database")
print
STDOUT
"
no tpmblob in database
\n
";
return
;
}
# Sanity check and trim BLOB= or BLOBHEX=
if
(
$str
=~
/^BLOBHEX=/
)
{
$str
=
substr
(
$str
,
8
);
}
elsif
(
$str
=~
/^BLOB=/
)
{
$str
=
substr
(
$str
,
5
);
}
else
{
#fatal("corrupt key blob: @tpmblob");
print
STDOUT
"
corrupt key blob:
@tpmblob
\n
";
return
;
}
# Strip off newline
# XXX: should check the newline probably
$len
=
length
(
$str
);
$str
=
substr
(
$str
,
0
,
$len
-
1
);
open
(
FD
,
"
>
$BINDIR
/tpm.key
");
print
FD
pack
("
H*
",
$str
);
close
(
FD
);
if
(
tmcc
(
TMCCCMD_TPMPUB
,
undef
,
\
@tpmpub
)
<
0
)
{
#fatal("Could not get tpmpub from server");
print
STDOUT
"
Could not get tpmpub from server
\n
";
return
;
}
$str
=
$tpmpub
[
0
];
if
(
!
$str
)
{
#fatal("no tpm x509 cert in database")
print
STDOUT
"
no tpm x509 cert in database
\n
";
return
;
}
# Trim TPMPUB=
if
(
$str
=~
/^TPMPUB=/
){
$str
=
substr
(
$str
,
7
);
}
else
{
#fatal("bogus tpmpub: @tpmpub");
print
STDOUT
"
bogus tpmpub:
@tpmpub
\n
";
return
;
}
open
(
FD
,
"
>
$BINDIR
/tpm.cert
");
print
FD
$str
;
$size
=
@tpmpub
;
for
(
$i
=
1
;
$i
<
$size
;
$i
++
)
{
print
FD
$tpmpub
[
$i
];
}
close
(
FD
);
}
#
...
...
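Review bot: In doboot's "Strip off newline" step, `$str = substr($str, 0, $len - 1)` unconditionally discards the last character of the hex blob, so if tmcd ever returns the BLOB/BLOBHEX line without a trailing newline the final nibble is lost and `pack("H*", $str)` writes a silently corrupted key to `$BINDIR/tpm.key`; the existing `XXX: should check the newline probably` comment already admits this, and `chomp($str)` plus a hex sanity check would close it. The two `open(FD, ">$BINDIR/tpm.key")` / `open(FD, ">$BINDIR/tpm.cert")` calls are also unchecked two-arg opens on a bareword handle, so a failed open is reported nowhere and the script then prints into a closed handle, and the key file is created with whatever the boot-time umask allows (0644 under the usual 022). How sensitive the SRK-wrapped blob is depends on the TPM's key policy, which is not visible here, but treating it like any other key file with a `chmod(0600, ...)` costs nothing. Every error path in this hunk prints to STDOUT and returns quietly rather than failing the boot script, so none of these problems would be noticed by the caller; that is presumably deliberate (the `fatal` calls are commented out) but worth a comment stating so. doboot lies entirely within the hunk.

```perl
    # Strip the trailing newline only if one is present, then make sure
    # what is left is really hex before we pack it into the key file.
    chomp($str);
    if ($str !~ /^[0-9A-Fa-f]+$/) {
	print STDOUT "corrupt key blob: @tpmblob\n";
	return;
    }
    if (!open(FD, ">", "$BINDIR/tpm.key")) {
	print STDOUT "Could not write $BINDIR/tpm.key: $!\n";
	return;
    }
    # Key material: do not leave it readable to everyone on the node.
    chmod(0600, "$BINDIR/tpm.key");
    print FD pack("H*", $str);
    close(FD);
    # ... unchanged: TMCCCMD_TPMPUB fetch, TPMPUB= trim and tpm.cert write ...
```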