[#119] tpm_aca_provision no longer tries to guess the TPM version. (#120)

The tpm_aca_provision script used to try to guess the version
of the TPM on the machine and call the appropriate command
to provision the TPM. However:
1. The guessing was error prone,
2. The command to provision the TPM is the same regardless of the
TPM version, and
3. By the time the script is run, either the TPM Provisioner 1.2
package or the TPM Provisioner 2.0 package has already been
installed. By that point, it's too late to be wondering which
version of TPM is on the machine. The decision of which package
to install is guided by the documentation.
This commit is contained in:
apldev4 2019-03-29 11:35:28 -04:00 committed by GitHub
parent c123e85a3d
commit 90a94434b1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,81 +1,3 @@
#!/bin/bash
# This script checks for signs of a TPM on the host, and then executes the appropriate
# HIRS TPM ACA provisining process according to the version of TPM found.
# check dmesg for TPM
dmesg | grep -iq "1\.2 TPM"
DMESG_1_2=$((1-$?))
dmesg | grep -iq "2\.0 TPM"
DMESG_2_0=$((1-$?))
# check /sys/class/tpm for TPM
DEV_1_2=0
if [[ -f "/sys/class/tpm/tpm0/device/firmware_node/description" ]]; then
grep -q "TPM 1.2 Device" /sys/class/tpm/tpm0/device/firmware_node/description
DEV_1_2=$((1-$?))
fi
DEV_2_0=0
if [[ -f "/sys/class/tpm/tpm0/device/description" ]]; then
grep -q "TPM 2.0 Device" /sys/class/tpm/tpm0/device/description
DEV_2_0=$((1-$?))
fi
# check to see whether emulators are present
EMU_1_2=0
if hash tpm_version 2> /dev/null ; then
tpm_version > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
EMU_1_2=1
fi
fi
EMU_2_0=0
if hash tpm2_nvlist 2> /dev/null ; then
tpm2_nvlist > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
EMU_2_0=1
fi
fi
rpm -q HIRS_Provisioner_TPM_1_2 > /dev/null
PROVISIONER_1_2_INSTALLED=$?
rpm -q HIRS_Provisioner_TPM_2_0 > /dev/null
PROVISIONER_2_0_INSTALLED=$?
TPM_1_2_PRESENT=$(($DMESG_1_2 + $DEV_1_2 + $EMU_1_2))
TPM_2_0_PRESENT=$(($DMESG_2_0 + $DEV_2_0 + $EMU_2_0))
if [ "$TPM_1_2_PRESENT" -gt 0 ] ; then
echo "TPM 1.2 detected."
if [ $PROVISIONER_1_2_INSTALLED -eq 0 ]; then
hirs-provisioner -p
RC=$?
else
echo "The package 'HIRS_Provisioner_TPM_1_2' must be installed to provision a TPM 1.2."
exit 1
fi
elif [ "$TPM_2_0_PRESENT" -gt 0 ] ; then
echo "TPM 2.0 detected."
if [ $PROVISIONER_2_0_INSTALLED -eq 0 ]; then
/usr/local/bin/hirs-provisioner-tpm2 provision
RC=$?
else
echo "The package 'HIRS_Provisioner_TPM_2_0' must be installed to provision a TPM 2.0."
exit 1
fi
else
echo "No evidence of a TPM was found in dmesg, /sys/class/tpm, or via an installed emulator. If this machine has a TPM, please ensure it is enabled in UEFI/BIOS, or that your emulator is installed and functioning with tpm-tools or tpm2-tools."
if [ $PROVISIONER_1_2_INSTALLED -eq 0 ]; then
echo "Running TPM 1.2 provisioner to support normal HIRS usage."
hirs-provisioner --provision
RC=$?
else
echo "TPM 1.2 provisioner is not installed; not running normal HIRS provisioning."
exit 1
fi
fi
exit $RC
hirs-provisioner provision
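Review bot: The new script runs `hirs-provisioner provision` with no check that the command exists, so on a host where neither provisioner package is installed the user now gets bash's "command not found" (status 127) instead of the explicit package message the removed branches printed. A guard such as `command -v hirs-provisioner >/dev/null 2>&1 || { echo "A HIRS TPM Provisioner package must be installed before provisioning." >&2; exit 1; }` keeps that diagnostic while still leaving the version choice to the installed package, as the commit intends. The removed code resolved the TPM 2.0 tool by absolute path (`/usr/local/bin/hirs-provisioner-tpm2`) while the new line resolves `hirs-provisioner` through PATH; if this script is run with elevated privileges and the install location is fixed, an absolute path or a comment saying PATH resolution is intentional would be worth adding. With only three lines left on the new side, a one-line header comment stating that the script provisions the host TPM with the HIRS ACA and that the command is the same for TPM 1.2 and 2.0 would replace the explanation the old header comment provided.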