Commit a5e70952 authored by Mike Hibler's avatar Mike Hibler

Integrate rc.tpmsetup.

This script will only do something in a Linux MFS which has trousers installed.
parent 000ac229
#!/usr/bin/perl -w #!/usr/bin/perl -w
# #
# EMULAB-COPYRIGHT # EMULAB-COPYRIGHT
# Copyright (c) 2004-2011 University of Utah and the Flux Group. # Copyright (c) 2004-2012 University of Utah and the Flux Group.
# All rights reserved. # All rights reserved.
# #
use English; use English;
...@@ -86,7 +86,8 @@ my %bootscript_args = ( 'rc.accounts' => $updatemasterpasswdfiles ? ...@@ -86,7 +86,8 @@ my %bootscript_args = ( 'rc.accounts' => $updatemasterpasswdfiles ?
if (MFS()) { if (MFS()) {
@bootscripts = ("rc.misc", "rc.localize", "rc.mounts", "rc.accounts", @bootscripts = ("rc.misc", "rc.localize", "rc.mounts", "rc.accounts",
"rc.hostnames", "rc.keys", "rc.tarfiles", "rc.rpms"); "rc.hostnames", "rc.keys", "rc.tarfiles", "rc.rpms",
"rc.tpmsetup");
} }
elsif (FAKEJAILED()) { elsif (FAKEJAILED()) {
@bootscripts = ("rc.misc", "rc.keys", "rc.route", "rc.tunnels", @bootscripts = ("rc.misc", "rc.keys", "rc.route", "rc.tunnels",
#!/usr/bin/perl -w #!/usr/bin/perl -w
# #
# EMULAB-COPYRIGHT # EMULAB-COPYRIGHT
# Copyright (c) 2009 University of Utah and the Flux Group. # Copyright (c) 2009-2012 University of Utah and the Flux Group.
# All rights reserved. # All rights reserved.
# #
use English; use English;
...@@ -42,10 +42,33 @@ use librc; ...@@ -42,10 +42,33 @@ use librc;
#my $RCDIR = "$BINDIR/rc"; #my $RCDIR = "$BINDIR/rc";
# #
# Not all clients support this. # Make sure we have a TPM.
# For now this means we are running Linux MFS and trousers is installed.
# #
#exit(0) sub gottpm()
# if (MFS()); {
# must be MFS..
if (MFS()) {
my $sysname = `uname -s`;
chomp($sysname);
# ..and Linux
if ($sysname eq "Linux") {
# ..and have trousers
if (-x "/usr/sbin/tcsd") {
return 1;
}
# XXX right now only warn if Linux MFS
print STDERR "WARNING: no TPM support, setup skipped\n";
}
}
return 0;
}
exit(0)
if (!gottpm());
# Protos. # Protos.
sub doboot(); sub doboot();
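Review bot: gottpm shells out to `uname -s` to detect Linux even though the file already has `use English`, which provides `$OSNAME` (`linux` on Linux) without spawning a process; `if ($OSNAME eq "linux") {` would replace the backtick, the chomp and the string compare. The `-x "/usr/sbin/tcsd"` test only establishes that the trousers daemon binary is installed, not that a TPM device is present or that tcsd is running, so the "no TPM support" warning overstates what was checked; a comment such as `# presence of the tcsd binary is used as a proxy for TPM support` would make the intent explicit. Separately, the doboot hunk below still writes the key blob through an unchecked 2-arg `open(FD, ">$BINDIR/tpm.key")` under whatever umask the MFS boot runs with; since that file holds key material, a 3-arg open with an `or` check and an explicit 0600 mode would be worth adding, though this commit only reformats those lines.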
...@@ -97,77 +120,77 @@ exit(0); ...@@ -97,77 +120,77 @@ exit(0);
# #
sub doboot() sub doboot()
{ {
# Here we get the keyblob which is ready to be loaded into the TPM # Here we get the keyblob which is ready to be loaded into the TPM
# via tpm-openssl-engine. This key is saved in $BINDIR/tpm.key. # via tpm-openssl-engine. This key is saved in $BINDIR/tpm.key.
# I am not sure if this is the best place to save this stuff. I also # I am not sure if this is the best place to save this stuff. I also
# get the tpm x509 cert (which is supposed to be signed by the CA) # get the tpm x509 cert (which is supposed to be signed by the CA)
# from tmcd. It is also stored as $BINDIR/tpm.cert # from tmcd. It is also stored as $BINDIR/tpm.cert
my @tpmblob; my @tpmblob;
my @tpmpub; my @tpmpub;
#if (tmcc(TMCCCMD_TPMBLOB, "hex", \@tpmblob) < 0) { #if (tmcc(TMCCCMD_TPMBLOB, "hex", \@tpmblob) < 0) {
if (tmcc(TMCCCMD_TPMBLOB, undef, \@tpmblob) < 0) { if (tmcc(TMCCCMD_TPMBLOB, undef, \@tpmblob) < 0) {
#fatal("Could not get tpmblob from server"); #fatal("Could not get tpmblob from server");
print STDOUT "Could not get tpmblob from server"; print STDOUT "Could not get tpmblob from server\n";
return; return;
} }
$str = $tpmblob[0]; $str = $tpmblob[0];
if(!$str) { if (!$str) {
#fatal("no tpmblob in database") #fatal("no tpmblob in database")
print STDOUT "no tpmblob in database"; print STDOUT "no tpmblob in database\n";
return; return;
} }
# Sanity check and trim BLOB= or BLOBHEX= # Sanity check and trim BLOB= or BLOBHEX=
if($str =~ /^BLOBHEX=/){ if ($str =~ /^BLOBHEX=/) {
$str = substr($str, 8); $str = substr($str, 8);
}elsif($str =~ /^BLOB=/){ } elsif ($str =~ /^BLOB=/) {
$str = substr($str, 5); $str = substr($str, 5);
}else{ } else {
#fatal("corrupt key blob: @tpmblob"); #fatal("corrupt key blob: @tpmblob");
print STDOUT "corrupt key blob: @tpmblob"; print STDOUT "corrupt key blob: @tpmblob\n";
return; return;
} }
# Strip off newline # Strip off newline
# XXX: should check the newline probably # XXX: should check the newline probably
$len = length($str); $len = length($str);
$str = substr($str, 0, $len-1); $str = substr($str, 0, $len-1);
open(FD, ">$BINDIR/tpm.key"); open(FD, ">$BINDIR/tpm.key");
print FD pack("H*", $str); print FD pack("H*", $str);
close(FD); close(FD);
if (tmcc(TMCCCMD_TPMPUB, undef, \@tpmpub) < 0) { if (tmcc(TMCCCMD_TPMPUB, undef, \@tpmpub) < 0) {
#fatal("Could not get tpmpub from server"); #fatal("Could not get tpmpub from server");
print STDOUT "Could not get tpmpub from server"; print STDOUT "Could not get tpmpub from server\n";
return; return;
} }
$str = $tpmpub[0]; $str = $tpmpub[0];
if(!$str) { if (!$str) {
#fatal("no tpm x509 cert in database") #fatal("no tpm x509 cert in database")
print STDOUT "no tpm x509 cert in database"; print STDOUT "no tpm x509 cert in database\n";
return; return;
} }
# Trim TPMPUB= # Trim TPMPUB=
if($str =~ /^TPMPUB=/){ if ($str =~ /^TPMPUB=/){
$str = substr($str, 7); $str = substr($str, 7);
}else{ } else {
#fatal("bogus tpmpub: @tpmpub"); #fatal("bogus tpmpub: @tpmpub");
print STDOUT "bogus tpmpub: @tpmpub"; print STDOUT "bogus tpmpub: @tpmpub\n";
return; return;
} }
open(FD, ">$BINDIR/tpm.cert"); open(FD, ">$BINDIR/tpm.cert");
print FD $str; print FD $str;
$size = @tpmpub; $size = @tpmpub;
for($i = 1;$i < $size;$i++){ for($i = 1; $i < $size; $i++) {
print FD $tpmpub[$i]; print FD $tpmpub[$i];
} }
close(FD); close(FD);
} }
# #