From 90a94434b15c99757a88e63260ceb1a573de0091 Mon Sep 17 00:00:00 2001
From: apldev4
Date: Fri, 29 Mar 2019 11:35:28 -0400
Subject: [PATCH] [#119] tpm_aca_provision no longer tries to guess the TPM version. (#120)
The tpm_aca_provision script used to try to guess the version of the TPM on the machine and call the appropriate command to provision the TPM. However: 1. The guessing was error prone, 2. The command to provision the TPM is the same regardless of the TPM version, and 3. By the time the script is run, either the TPM Provisioner 1.2 package or the TPM Provisioner 2.0 package has already been installed. By that point, it's too late to be wondering which version of TPM is on the machine. The decision of which package to install is guided by the documentation.
---
.../scripts/install/tpm_aca_provision | 80 +------------------
1 file changed, 1 insertion(+), 79 deletions(-)
diff --git a/HIRS_Provisioner/scripts/install/tpm_aca_provision b/HIRS_Provisioner/scripts/install/tpm_aca_provision
index 4c83f2b4..2c904d25 100755
--- a/HIRS_Provisioner/scripts/install/tpm_aca_provision
+++ b/HIRS_Provisioner/scripts/install/tpm_aca_provision
@@ -1,81 +1,3 @@
 #!/bin/bash
-# This script checks for signs of a TPM on the host, and then executes the appropriate
-# HIRS TPM ACA provisining process according to the version of TPM found.
-
-# check dmesg for TPM
-dmesg | grep -iq "1\.2 TPM"
-DMESG_1_2=$((1-$?))
-
-dmesg | grep -iq "2\.0 TPM"
-DMESG_2_0=$((1-$?))
-
-# check /sys/class/tpm for TPM
-DEV_1_2=0
-if [[ -f "/sys/class/tpm/tpm0/device/firmware_node/description" ]]; then
- grep -q "TPM 1.2 Device" /sys/class/tpm/tpm0/device/firmware_node/description
- DEV_1_2=$((1-$?))
-fi
-
-DEV_2_0=0
-if [[ -f "/sys/class/tpm/tpm0/device/description" ]]; then
- grep -q "TPM 2.0 Device" /sys/class/tpm/tpm0/device/description
- DEV_2_0=$((1-$?))
-fi
-
-# check to see whether emulators are present
-EMU_1_2=0
-if hash tpm_version 2> /dev/null ; then
- tpm_version > /dev/null 2>&1
- if [[ $? -eq 0 ]]; then
- EMU_1_2=1
- fi
-fi
-
-EMU_2_0=0
-if hash tpm2_nvlist 2> /dev/null ; then
- tpm2_nvlist > /dev/null 2>&1
- if [[ $? -eq 0 ]]; then
- EMU_2_0=1
- fi
-fi
-
-rpm -q HIRS_Provisioner_TPM_1_2 > /dev/null
-PROVISIONER_1_2_INSTALLED=$?
-rpm -q HIRS_Provisioner_TPM_2_0 > /dev/null
-PROVISIONER_2_0_INSTALLED=$?
-
-TPM_1_2_PRESENT=$(($DMESG_1_2 + $DEV_1_2 + $EMU_1_2))
-TPM_2_0_PRESENT=$(($DMESG_2_0 + $DEV_2_0 + $EMU_2_0))
-
-if [ "$TPM_1_2_PRESENT" -gt 0 ] ; then
- echo "TPM 1.2 detected."
- if [ $PROVISIONER_1_2_INSTALLED -eq 0 ]; then
- hirs-provisioner -p
- RC=$?
- else
- echo "The package 'HIRS_Provisioner_TPM_1_2' must be installed to provision a TPM 1.2."
- exit 1
- fi
-elif [ "$TPM_2_0_PRESENT" -gt 0 ] ; then
- echo "TPM 2.0 detected."
- if [ $PROVISIONER_2_0_INSTALLED -eq 0 ]; then
- /usr/local/bin/hirs-provisioner-tpm2 provision
- RC=$?
- else
- echo "The package 'HIRS_Provisioner_TPM_2_0' must be installed to provision a TPM 2.0."
- exit 1
- fi
-else
- echo "No evidence of a TPM was found in dmesg, /sys/class/tpm, or via an installed emulator.
If this machine has a TPM, please ensure it is enabled in UEFI/BIOS, or that your emulator is installed and functioning with tpm-tools or tpm2-tools."
- if [ $PROVISIONER_1_2_INSTALLED -eq 0 ]; then
- echo "Running TPM 1.2 provisioner to support normal HIRS usage."
- hirs-provisioner --provision
- RC=$?
- else
- echo "TPM 1.2 provisioner is not installed; not running normal HIRS provisioning."
- exit 1
- fi
-fi
-
-exit $RC
\ No newline at end of file
+hirs-provisioner provision
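Review bot: The line `If this machine has a TPM, please ensure ... tpm-tools or tpm2-tools."` at the top of the third page line carries no `-` marker, and the header `@@ -1,81 +1,3 @@` together with `1 insertion(+), 79 deletions(-)` requires exactly two context lines, so this fragment of the old two-line echo string appears to survive into the new file as its second line. If so, the new script is the shebang, that fragment, and `hirs-provisioner provision`, and bash will refuse to run it (the dangling `"` opens an unterminated quote), so provisioning never starts; the fragment should be deleted so the file is just `#!/bin/bash` followed by `hirs-provisioner provision`. Separately, when `hirs-provisioner` is not on PATH the script now exits with bash's generic command-not-found status instead of the package hint the old script printed; a one-line guard before the call, `command -v hirs-provisioner >/dev/null || { echo "hirs-provisioner not found; install the HIRS Provisioner TPM package first." >&2; exit 1; }`, would keep that diagnostic.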