#
# DB state for secure boot and loading.
#
use strict;
use libdb;

#
# Run $select_sql and, only when it matches no rows, run $insert_sql.
# Both statements go through DBQueryFatal, so a DB error aborts the
# whole update rather than leaving a half-seeded table.
#
sub _insert_unless_present
{
    my ($select_sql, $insert_sql) = @_;

    my $existing = DBQueryFatal($select_sql);
    return if $existing->numrows != 0;
    DBQueryFatal($insert_sql);
    return;
}

#
# Seed the SECUREBOOT / SECURELOAD op-mode state machines, add the
# per-image key columns and create the nonce / TPM-quote tables.
#
# Every step is written to be re-runnable: state-machine rows are only
# inserted when absent, columns and tables only added when missing, and
# the table_regex rows are refreshed with REPLACE so the stored pattern
# is always the one below.
#
# Arguments: $dbhandle, $dbname, $version -- accepted for the common
# update-script interface; only DBQueryFatal's implicit handle is used.
# Returns 0.  Any DB failure dies inside DBQueryFatal.
#
sub DoUpdate($$$)
{
    my ($dbhandle, $dbname, $version) = @_;

    # (op_mode1, state1, op_mode2, state2, label): leaving SECUREBOOT
    # after TPMSIGNOFF is only allowed into the SHUTDOWN state of the
    # normal boot modes.
    my @mode_transitions = (
        ["SECUREBOOT", "TPMSIGNOFF", "MINIMAL",  "SHUTDOWN", ""],
        ["SECUREBOOT", "TPMSIGNOFF", "NORMAL",   "SHUTDOWN", ""],
        ["SECUREBOOT", "TPMSIGNOFF", "NORMALv2", "SHUTDOWN", ""],
        ["SECUREBOOT", "TPMSIGNOFF", "PXEFBSD",  "SHUTDOWN", ""],
    );

    # (op_mode, state, timeout_seconds, action): every secure-mode state
    # that lingers for an hour is driven to SECVIOLATION.
    my @timeouts = (
        ["SECUREBOOT", "BOOTING",     3600, "STATE:SECVIOLATION"],
        ["SECUREBOOT", "GPXEBOOTING", 3600, "STATE:SECVIOLATION"],
        ["SECUREBOOT", "PXEBOOTING",  3600, "STATE:SECVIOLATION"],
        ["SECUREBOOT", "SHUTDOWN",    3600, "STATE:SECVIOLATION"],
        ["SECUREBOOT", "TPMSIGNOFF",  3600, "STATE:SECVIOLATION"],
        ["SECURELOAD", "BOOTING",     3600, "STATE:SECVIOLATION"],
        ["SECURELOAD", "GPXEBOOTING", 3600, "STATE:SECVIOLATION"],
        ["SECURELOAD", "PXEBOOTING",  3600, "STATE:SECVIOLATION"],
        ["SECURELOAD", "RELOADDONE",  3600, "STATE:SECVIOLATION"],
        ["SECURELOAD", "RELOADING",   3600, "STATE:SECVIOLATION"],
        ["SECURELOAD", "RELOADSETUP", 3600, "STATE:SECVIOLATION"],
        ["SECURELOAD", "SHUTDOWN",    3600, "STATE:SECVIOLATION"],
        ["SECURELOAD", "TPMSIGNOFF",  3600, "STATE:SECVIOLATION"],
    );

    # (op_mode, state1, state2, label): a failed quote or a bad image
    # always lands in SECVIOLATION; a good quote is what moves a node
    # forward past BOOTING / RELOADDONE / SHUTDOWN.
    my @transitions = (
        ["SECUREBOOT", "BOOTING",     "SECVIOLATION", "QuoteFailed"],
        ["SECUREBOOT", "BOOTING",     "TPMSIGNOFF",   "QuoteOK"],
        ["SECUREBOOT", "GPXEBOOTING", "PXEBOOTING",   "DHCP"],
        ["SECUREBOOT", "PXEBOOTING",  "BOOTING",      "BootInfo"],
        ["SECURELOAD", "BOOTING",     "PXEBOOTING",   "re-BootInfo"],
        ["SECURELOAD", "BOOTING",     "RELOADSETUP",  "QuoteOK"],
        ["SECURELOAD", "BOOTING",     "SECVIOLATION", "QuoteFailed"],
        ["SECURELOAD", "GPXEBOOTING", "PXEBOOTING",   "DHCP"],
        ["SECURELOAD", "PXEBOOTING",  "BOOTING",      "BootInfo"],
        ["SECURELOAD", "RELOADDONE",  "SECVIOLATION", "QuoteFailed"],
        ["SECURELOAD", "RELOADDONE",  "TPMSIGNOFF",   "QuoteOK"],
        ["SECURELOAD", "RELOADING",   "RELOADDONE",   "ImageOK"],
        ["SECURELOAD", "RELOADING",   "SECVIOLATION", "ImageBad"],
        ["SECURELOAD", "RELOADSETUP", "RELOADING",    "ReloadReady"],
        ["SECURELOAD", "SHUTDOWN",    "GPXEBOOTING",  "QuoteOK"],
        ["SECURELOAD", "SHUTDOWN",    "SECVIOLATION", "QuoteFailed"],
    );

    # (node_id, op_mode, state, trigger): "*" is the wildcard row.  Note
    # that SECVIOLATION in any mode triggers POWEROFF plus EMAILNOTIFY,
    # which is the enforcement half of the secure-boot state machine.
    my @triggers = (
        ["*", "*",          "GPXEBOOTING",  "SECUREBOOT"],
        ["*", "*",          "SECVIOLATION", "POWEROFF, EMAILNOTIFY"],
        ["*", "SECUREBOOT", "BOOTING",      ""],
        ["*", "SECUREBOOT", "PXEBOOTING",   ""],
        ["*", "SECUREBOOT", "TPMSIGNOFF",   "PXEBOOT, BOOTING, CHECKGENISUP"],
        ["*", "SECURELOAD", "BOOTING",      ""],
        ["*", "SECURELOAD", "PXEBOOTING",   ""],
        ["*", "SECURELOAD", "RELOADDONE",   "RESET, RELOADDONE"],
    );

    # All values interpolated into the SQL below come from the literal
    # tables above, not from caller or user input.
    for my $mt (@mode_transitions) {
        my ($opm1, $s1, $opm2, $s2, $lab) = @{$mt};
        _insert_unless_present(
            "SELECT op_mode1 FROM mode_transitions WHERE ".
            "op_mode1='$opm1' AND state1='$s1' AND ".
            "op_mode2='$opm2' AND state2='$s2'",
            "INSERT INTO mode_transitions VALUES ".
            "('$opm1','$s1','$opm2', '$s2','$lab')");
    }

    for my $to_row (@timeouts) {
        my ($opm, $s, $to, $act) = @{$to_row};
        _insert_unless_present(
            "SELECT op_mode FROM state_timeouts WHERE ".
            "op_mode='$opm' AND state='$s'",
            "INSERT INTO state_timeouts VALUES ".
            "('$opm','$s','$to', '$act')");
    }

    for my $tr (@transitions) {
        my ($opm, $s1, $s2, $lab) = @{$tr};
        _insert_unless_present(
            "SELECT op_mode FROM state_transitions WHERE ".
            "op_mode='$opm' AND state1='$s1' AND state2='$s2'",
            "INSERT INTO state_transitions VALUES ".
            "('$opm','$s1','$s2','$lab')");
    }

    for my $tg (@triggers) {
        my ($node, $opm, $s, $trig) = @{$tg};
        _insert_unless_present(
            "SELECT node_id FROM state_triggers WHERE ".
            "node_id='$node' AND op_mode='$opm' AND state='$s'",
            "INSERT INTO state_triggers VALUES ".
            "('$node','$opm','$s','$trig')");
    }

    #
    # Image authentication / decryption key columns.  Each entry is
    # (column, ALTER statement, table_regex row).  The regex row is
    # replaced unconditionally so the accepted pattern for the column
    # is refreshed even when the column itself already existed; the
    # patterns only admit hex digits (auth_key also allows commas).
    #
    my @image_key_columns = (
        ["auth_uuid",
         q{ALTER TABLE images ADD `auth_uuid`  varchar(64) } .
         q{DEFAULT NULL AFTER access_key},
         q{REPLACE INTO table_regex VALUES ('images','auth_uuid','text',} .
         q{'regex',   '^[0-9a-fA-F]+$',0,0,NULL)}],
        ["auth_key",
         q{ALTER TABLE images ADD `auth_key`   varchar(512) } .
         q{DEFAULT NULL AFTER auth_uuid},
         q{REPLACE INTO table_regex VALUES ('images','auth_key','text',} .
         q{'regex',   '^[0-9a-fA-F,]+$',0,0,NULL)}],
        ["decryption_key",
         q{ALTER TABLE images ADD `decryption_key`   varchar(256) } .
         q{DEFAULT NULL AFTER auth_key},
         q{REPLACE INTO table_regex VALUES ('images','decryption_key','text',} .
         q{'regex',   '^[0-9a-fA-F]+$',0,0,NULL)}],
    );
    for my $col (@image_key_columns) {
        my ($name, $add_sql, $regex_sql) = @{$col};
        DBQueryFatal($add_sql) unless DBSlotExists("images", $name);
        DBQueryFatal($regex_sql);
    }

    # TPM identity blob alongside the existing tpmx509 column.
    unless (DBSlotExists("node_hostkeys", "tpmidentity")) {
        DBQueryFatal(q{ALTER TABLE node_hostkeys ADD `tpmidentity`  } .
                     q{mediumtext AFTER tpmx509});
    }

    #
    # Per-node nonces (keyed by purpose, with an expiry) and the
    # expected PCR values for each (op_mode, state) used to check quotes.
    #
    my @new_tables = (
        ["nonces",
         "CREATE TABLE `nonces` ( ".
         "  `node_id` varchar(32) NOT NULL, ".
         "  `purpose` varchar(64) NOT NULL, ".
         "  `nonce` mediumtext, ".
         "  `expires` int(10) NOT NULL, ".
         "  PRIMARY KEY (`node_id`,`purpose`) ".
         ") ENGINE=MyISAM DEFAULT CHARSET=latin1"],
        ["tpm_quote_values",
         "CREATE TABLE `tpm_quote_values` ( ".
         "  `node_id` varchar(32) NOT NULL default '', ".
         "  `op_mode` varchar(20) NOT NULL, ".
         "  `state` varchar(20) NOT NULL, ".
         "  `pcr` int(11) NOT NULL, ".
         "  `value` mediumtext, ".
         "  PRIMARY KEY (`node_id`,`op_mode`,`state`,`pcr`) ".
         ") ENGINE=MyISAM DEFAULT CHARSET=latin1"],
    );
    for my $tbl (@new_tables) {
        my ($table_name, $create_sql) = @{$tbl};
        DBQueryFatal($create_sql) unless DBTableExists($table_name);
    }

    return 0;
}
1;