utilities/security/stx-ssl/files/tpmdevice-setup
Paul-Emile Element 9a8bc17015 fix tpm certificate handling
fixed handling of security certificates in tpm mode

The code that handles the installation of tpm security
certificates stopped working after recent updates to
other packages

This commit updates the code to properly work with the
current system configuration

Closes-Bug: #1808163

Change-Id: I76e10cf1ed68cfeb0ce3ee560df0c34711f57af2
Signed-off-by: Paul-Emile Element <Paul-Emile.Element@windriver.com>
2018-12-12 14:48:49 -05:00

123 lines
4.0 KiB
Bash

#!/bin/bash
#
# Copyright (c) 2013-2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# TPM setup (both active controller and remote)
export TPM_INTERFACE_TYPE=dev
CERTIFICATE_FILE="server-cert.pem"
LOGFILE="/etc/ssl/private/.install.log"
ORIGINAL_KEY=$1
TPM_OBJECT_CONTEXT=$2
PUBLIC_KEY=$3
TPM_KEY_HIERARCHY_HANDLE=0x81010002
if [ -z "$ORIGINAL_KEY" ] || [ -z "$TPM_OBJECT_CONTEXT" ] || [ -z "$PUBLIC_KEY" ]; then
echo "ERROR: Missing required parameters"
echo "USAGE: $0 <privatekey> <tpm_context> <publickey>"
exit 1
fi
CERTIFICATE_DIR=$(dirname "${ORIGINAL_KEY}")
export TPM_DATA_DIR=$CERTIFICATE_DIR
# TPM specific environment
TPM_OBJECT_NAME="$CERTIFICATE_DIR/key.blob.name"
RESOURCEMGR_DEFAULT_PORT="2323"
### Helper functions ###
# Echo's an error and exits with provided error code
# Input : error message ($1), ret code ($2)
# Output : None
# Note : If no retcode is provided, exits with 1
error_exit () {
echo "$1"
# remove previous object context
rm -f $TPM_OBJECT_CONTEXT &> /dev/null
exit "${2:-1}"
}
# func: checkTPMTools
# check if the appropriate TPM2.0-tools are installed
#
# Input : None
# Output : None
checkTPMTools () {
declare -a helper_scripts=("tss2_createprimary"
"tss2_importpem"
"tss2_getcapability"
"tss2_load"
"tss2_contextsave"
"tss2_evictcontrol"
"tss2_flushcontext"
"create_tpm2_key")
for src in "${helper_scripts[@]}"; do
if ! type "$src" &>/dev/null; then
error_exit "ERROR: Cannot find $src. Needed for TPM configuration"
fi
done
}
### Main ###
# remove previous object context
rm -f $TPM_OBJECT_CONTEXT &> /dev/null
rm -f $CERTIFICATE_DIR/*.bin &> /dev/null
tpmCheck=`lsmod | grep "tpm" -c`
[ "$tpmCheck" -ne 0 ] || error_exit "TPM Kernel Module not found. Check BIOS/Kernel configuration"
# Ensure that the appropriate TPM tool utilities are
# installed on the system
checkTPMTools
# Confirm that this is a TPM 2.0 device
TPM_VERSION=`tss2_getcapability -cap 6 | grep TPM_PT_FAMILY_INDICATOR | awk '{print $4}' | xxd -r -p`
if [ "$TPM_VERSION" != "2.0" ]; then
error_exit "ERROR: TPM Device is not version 2.0 compatible"
fi
# Clear the NV
# as well as all stale transient handles in
# the endorsement hierarchy.
tss2_clear -hi l
# Create the Endorsement Primary Key hierarchy which will be used
# for wrapping the private key. Use RSA as the primary key encryption
# and SHA 256 for hashing. Allow TPM to output the object
# handle as a file context
PRIMARY_HANDLE=`tss2_createprimary -hi e -rsa -halg sha256 | grep "Handle" | awk '{print $2}'`
[ ! -z "$PRIMARY_HANDLE" ] || error_exit "Unable to create TPM Key Hierarchy"
PRIMARY_HANDLE="0x$PRIMARY_HANDLE"
# The object context will be lost over node reboots, and needs to
# be persistently stored in TPM NV.
# evict the persistent handle if it exists previously
tss2_evictcontrol -hi o -ho $TPM_KEY_HIERARCHY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE
tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE >> $LOGFILE
[ $? -eq 0 ] || error_exit "Unable to persist Key Hierarchy in TPM memory"
tss2_flushcontext -ha $PRIMARY_HANDLE
# wrap the original private key in TPM's Endorsement key hierarchy
# this will generate a TSS key blob in ASN 1 encoding
create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT >> $LOGFILE
[ $? -eq 0 ] || error_exit "Unable to wrap provided private key into TPM Key Hierarchy"
# the apps will also need to the public key, place it in
# the certificate dirpath
mv $PUBLIC_KEY $CERTIFICATE_DIR/$CERTIFICATE_FILE
# ensure that the TPM object and the public cert are only readable by root
chown root $CERTIFICATE_DIR/$CERTIFICATE_FILE $TPM_OBJECT_CONTEXT
chmod 0600 $CERTIFICATE_DIR/$CERTIFICATE_FILE $TPM_OBJECT_CONTEXT
# remove all sysinv key copy artifacts
rm -f $ORIGINAL_KEY "${ORIGINAL_KEY}.sysinv" "${PUBLIC_KEY}.sysinv" &> /dev/null
exit 0