HIRS/.ci/setup/setup-tpm2provisioner-base-delta-good.sh

238 lines
9.8 KiB
Bash
Raw Normal View History

#!/bin/bash
# Script to setup the TPM 2.0 Provisioner Docker Image for System Tests Base/Delta(Good)
set -e
# Wait for ACA to boot
echo "Waiting for ACA to spin up..."
until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
:
done
echo "ACA is up!"
# Function to install TPM 2.0 Provisioner packages
function InstallProvisioner {
echo "===========Installing TPM 2.0 Provisioner Packages...==========="
pushd /HIRS
if [ ! -d package/rpm/RPMS ]; then
./package/package.centos.sh
fi
yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm
popd
}
# Function to initialize the TPM 2.0 Emulator with a good base certificate
function InitTpm2Emulator {
echo "===========Initializing TPM 2.0 Emulator with good base certificate...==========="
mkdir -p /var/run/dbus
if [ -e /var/run/dbus/pid ]; then
rm /var/run/dbus/pid
fi
if [ -e /var/run/dbus/system_bus_socket ]; then
rm /var/run/dbus/system_bus_socket
fi
# Start the DBus
dbus-daemon --fork --system
echo "DBus started"
# Give DBus time to start up
sleep 5
/ibmtpm/src/./tpm_server &
echo "TPM Emulator started"
# Give tpm_server time to start and register on the DBus
sleep 5
tpm2-abrmd -t socket &
echo "TPM2-Abrmd started"
# Give ABRMD time to start and register on the DBus
sleep 5
# Certificates
ek_cert="/HIRS/.ci/setup/certs/ek_cert.der"
ca_key="/HIRS/.ci/setup/certs/ca.key"
ca_cert="/HIRS/.ci/setup/certs/ca.crt"
pBase_certA="PBaseCertA.der"
pBase_certB="PBaseCertB.der"
si_delta_cert_A1="SIDeltaCertA1.der"
si_delta_cert_A2="SIDeltaCertA2.der"
si_delta_cert_A2_resolved="SIDeltaCertA2_resolved.der"
si_delta_cert_A3="SIDeltaCertA3.der"
var_delta_cert_A1="VARDeltaCertA1.der"
var_delta_cert_A2="VARDeltaCertA2.der"
var_delta_cert_A2_resolved="VARDeltaCertA2_resolved.der"
# PACCOR directory
PC_DIR=/var/hirs/pc_generation
mkdir -p $PC_DIR
echo "Running PACCOR to generate local component information..."
# Use specific PACCOR script for system testing.
# Will provide default component SN#s when needed.
cp -f /HIRS/.ci/system-tests/allcomponents_hirs_system_tests.sh /opt/paccor/scripts/allcomponents.sh
/opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile
# Split into JSON files needed to generate the certificates
python /HIRS/.ci/setup/createDeltaComponentsForPBaseCertA.py
echo
# Generate certificates in the order they'll be used in the system tests.
# And stager the begin dates properly (the -b option for the /opt/paccor/bin/signer)
echo "Generating certificates..."
echo "Generating $pBase_certA..."
/opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile
/opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile
/opt/paccor/bin/observer -c $PC_DIR/PBaseCertA.componentlist.json -p $PC_DIR/optionsFile -e $ek_cert -f $PC_DIR/observerFile
/opt/paccor/bin/signer -c $PC_DIR/PBaseCertA.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -f $PC_DIR/$pBase_certA
echo "Done"
# Generate the PBaseCertB certificate. Just need to copy from PBaseCertA.
echo "Generating $pBase_certB..."
cp $PC_DIR/$pBase_certA $PC_DIR/$pBase_certB
echo "Done"
# Generate the SIDeltaCertA1 certificate
echo "Generating $si_delta_cert_A1, using $pBase_certA..."
rm -f $PC_DIR/observerFile
/opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA1.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile
/opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA1.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180201 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$si_delta_cert_A1
echo "Done"
# Generate the VARDeltaCertA1 certificate
echo "Generating $var_delta_cert_A1, using $pBase_certA..."
rm -f $PC_DIR/observerFile
/opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertA1.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile
/opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertA1.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180301 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$var_delta_cert_A1
echo "Done"
# Generate the SIDeltaCertA2 certificate
echo "Generating $si_delta_cert_A2, using $pBase_certA..."
rm -f $PC_DIR/observerFile
/opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA2.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile
/opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA2.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180401 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$si_delta_cert_A2
echo "Done"
# Generate the SIDeltaCertA2_resolved certificate
echo "Generating $si_delta_cert_A2_resolved, using $pBase_certA..."
rm -f $PC_DIR/observerFile
/opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA2.resolved.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile
/opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA2.resolved.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180501 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$si_delta_cert_A2_resolved
echo "Done"
# Generate the VARDeltaCertA2 certificate
echo "Generating $var_delta_cert_A2, using $pBase_certA..."
rm -f $PC_DIR/observerFile
/opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertA2.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile
/opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertA2.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180601 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$var_delta_cert_A2
echo "Done"
# Generate the VARDeltaCertA2_resolved certificate
echo "Generating $var_delta_cert_A2_resolved, using $pBase_certA..."
rm -f $PC_DIR/observerFile
/opt/paccor/bin/observer -c $PC_DIR/VARDeltaCertA2.resolved.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$pBase_certA -f $PC_DIR/observerFile
/opt/paccor/bin/signer -c $PC_DIR/VARDeltaCertA2.resolved.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180701 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$pBase_certA -f $PC_DIR/$var_delta_cert_A2_resolved
echo "Done"
# Generate the SIDeltaCertA3 certificate
echo "Generating $si_delta_cert_A3, using $si_delta_cert_A1 as Base..."
rm -f $PC_DIR/observerFile
/opt/paccor/bin/observer -c $PC_DIR/SIDeltaCertA3.componentlist.json -p $PC_DIR/optionsFile -e $PC_DIR/$si_delta_cert_A1 -f $PC_DIR/observerFile
/opt/paccor/bin/signer -c $PC_DIR/SIDeltaCertA3.componentlist.json -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180801 -a 20280101 -N $RANDOM -k $ca_key -P $ca_cert -e $PC_DIR/$si_delta_cert_A1 -f $PC_DIR/$si_delta_cert_A3
echo "Done"
# Release EK nvram
if tpm2_nvlist | grep -q 0x1c00002; then
echo "Released NVRAM for EK."
tpm2_nvrelease -x 0x1c00002 -a 0x40000001
fi
# Define nvram space to enable loading of EK cert (-x NV Index, -a handle to
# authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t
# specifies attribute value in publicInfo struct
# [0x2000A = ownerread|ownerwrite|policywrite])
size=$(cat $ek_cert | wc -c)
echo "Define NVRAM location for EK cert of size $size."
tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size
# Load key into TPM nvram
echo "Loading EK cert $ek_cert into NVRAM."
tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert
# Release PC nvram
if tpm2_nvlist | grep -q 0x1c90000; then
echo "Released NVRAM for PC."
tpm2_nvrelease -x 0x1c90000 -a 0x40000001
fi
# Store the platform certificate in the TPM's NVRAM
size=$(cat $PC_DIR/$pBase_certA | wc -c)
echo "Define NVRAM location for PC cert of size $size."
tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $size
echo "Loading PC cert $PC_DIR/$pBase_certA into NVRAM."
tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$pBase_certA
echo "===========TPM 2.0 Emulator Initialization Complete!==========="
# Set Logging to INFO Level
sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini
}
# Function to update the hirs-site.config file
function UpdateHirsSiteConfigFile {
HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config"
echo ""
echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...==========="
cat /HIRS/.ci/docker/.env
cat <<DEFAULT_SITE_CONFIG_FILE > $HIRS_SITE_CONFIG
#*******************************************
#* HIRS site configuration properties file
#*******************************************
CLIENT_HOSTNAME=${HIRS_ACA_PROVISIONER_TPM2_IP}
TPM_ENABLED=${TPM_ENABLED}
IMA_ENABLED=${IMA_ENABLED}
# Site-specific configuration
ATTESTATION_CA_FQDN=${HIRS_ACA_HOSTNAME}
ATTESTATION_CA_PORT=${HIRS_ACA_PORTAL_PORT}
BROKER_FQDN=${HIRS_ACA_PORTAL_IP}
BROKER_PORT=${HIRS_BROKER_PORT}
PORTAL_FQDN=${HIRS_ACA_PORTAL_IP}
PORTAL_PORT=${HIRS_ACA_PORTAL_PORT}
DEFAULT_SITE_CONFIG_FILE
echo "===========New HIRS Config File==========="
cat /etc/hirs/hirs-site.config
}
# Install packages
InstallProvisioner
# Install TPM 2.0 Emulator
InitTpm2Emulator
# Update the hirs-site.config file
UpdateHirsSiteConfigFile
# Set alias to use python3
echo "===========Python Version==========="
python3 --version
alias python='/usr/bin/python3.6'
alias
echo ""
echo "TPM 2.0 Emulator NV RAM list"
tpm2_nvlist
echo ""
echo "===========HIRS ACA TPM 2.0 Provisioner Setup Complete!==========="