Merge pull request #433 from nsacyber/issue-432

Adds FW validation test to ACA policy system tests

.ci/docker/docker-compose-system-test.yml

@@ -9,7 +9,7 @@ services:
       ports:
          - "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}"
       entrypoint: /bin/bash -c
-      command: [HIRS/.ci/setup/setup-aca.sh]
+      command: [HIRS/.ci/setup/setup_aca.sh]
       hostname: ${HIRS_ACA_HOSTNAME}
       networks:
          hirs_aca_system_tests:

.ci/setup/certs/RIMCaCert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDjDCCAnSgAwIBAgIJALEA1Q472tZoMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UECgwHRXhhbXBsZTERMA8GA1UECwwI
+UENDbGllbnQxEjAQBgNVBAMMCUV4YW1wbGVDQTAeFw0yMDAyMTAxNzI2MDdaFw0y
+OTEyMTkxNzI2MDdaMFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UE
+CgwHRXhhbXBsZTERMA8GA1UECwwIUENDbGllbnQxEjAQBgNVBAMMCUV4YW1wbGVD
+QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPN0k+ULqFxdHZ14CCio
+HAvn56T1Ca4t3ClmZoHSAiKsqzLV+rErk5SbMTIdi0vHQ+3sPYf9Opy0EeUXzh4J
+g6CeGdDn247has1k135KBD9iJCaErJfZPnJ22CjKey8rvJM8fH3CAR7M/5uwYcPH
+yRICwGAJMA/Qss4nsMRQpfZg4ReKVW+kAoa9eekG3q1sLu/QlCb0NC766X0ANP+8
+AuGuHJmNV22fjvwSNfWbsJElcMrLbK4kliPyy05YVs19p+cBM1ADxGw2fJqsNsUy
+34SXL1ATqOp7VCslRR5TJBzhxfM56xZbszry7BaqTSFDRGn1FuMw/4+qtPMAB88u
+eXECAwEAAaNjMGEwHQYDVR0OBBYEFEahuO3bpnFf0NLneoo8XW6aw5Y4MB8GA1Ud
+IwQYMBaAFEahuO3bpnFf0NLneoo8XW6aw5Y4MA8GA1UdEwEB/wQFMAMBAf8wDgYD
+VR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQCwCUSV6VjOR+v85z18q5UX
+bla0gEsfbc2mx0kGtNqi2im2Xt8UoSJDnfMXzfQq3IP3en943mqgIeYUl3f9UQBT
+KgGfyHNbEfa0FzqfKpxJdT37C9ilSQ85GtThffc4I50QgBHaRXOvwBdrGpU2O11V
+x35VLyYoycIlg+CizVywEX53aoMil1hEbv0TPtbNnFZGwM/fxvere65GeQld9gEP
+9krGtSXYlMktvr66cqPzmG0ciA6dMBZN8dpTgUopmYNz8HVoHDq/KBmXYA7CMzrX
+pVNx4kMW/KxA+XAHT82xE7PCiLIJx4z9uPn0O4PBDw0tQ0mxuDpeoi1i9PuBfe6Y
+-----END CERTIFICATE-----

.ci/setup/certs/RimSignCert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgIJAIKly+6bklZlMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UECgwHRXhhbXBsZTERMA8GA1UECwwI
+UENDbGllbnQxEjAQBgNVBAMMCUV4YW1wbGVDQTAeFw0yMDA2MTExNjUzMDFaFw0z
+MDA0MjAxNjUzMDFaMFwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UE
+CgwHRXhhbXBsZTERMA8GA1UECwwIUENDbGllbnQxGzAZBgNVBAMMEmV4YW1wbGUu
+UklNLnNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKd1lWGk
+SRuxAAY2wHag2GVxUk1dZx2PTpfQOflvLeccAVwa8mQhlsRERq+QK8ilj8Xfqs44
+/nBaccZDOjdfIxIUCMfwhGXjxCaqZbgTucNsExDnu4arTGraoAwzHg0cVLiKT/Cx
+j9NL4dcMgxRXsPdHfXb0923C7xYd2t2qfW05umgaj7qeQl6c68CFNsGX4JA8rWFQ
+ZvvGx5DGlK4KTcjPuQQINs5fxasNKqLY2hq+z82x/rqwr2hmyizD6FpFSyIABPEM
+PfB036GEhRwu1WEMkq8yIp2jgRUoFYke9pB3ph9pVow0Hh4mNFSKD4pP41VSKY1n
+us83mdkuukPy5o0CAwEAAaNvMG0wHQYDVR0OBBYEFC/euOfQMKIgnaoBhhqWT+3s
+8rzBMB8GA1UdIwQYMBaAFEahuO3bpnFf0NLneoo8XW6aw5Y4MAkGA1UdEwQCMAAw
+CwYDVR0PBAQDAgbAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUA
+A4IBAQC1mG0naE0W4E9vujPhygf7LXHMFkMPs5uWyvkxe4zWgTg0RHTClbOFJQJ+
+pGLOcthSG6vIC6xYJxT5EKtB9rzRlEYHOi4MxuwXz9rLWQhA2zdbSo54Fb/BPoca
+5K9kxvAanRltEfqEFhCcRmqIX1i6mpOWiZsrdMs7IflHKBsylUTn+v636BAz3p2H
+8/lpJbF4LUFUxFU5FWB3tLuasxYTsbeE6YyNAnQIS95ML7c5H8z2aEQs5TCNHZJD
+yc0PZT2aPOuEj5lGv9oyBHbYDitszUWSVxF7z86uVGmYR/2oTIj6tqb+IwuvFtnO
+wiXFRS5ctLCdESr3SjdQF5wmIN4n
+-----END CERTIFICATE-----

.ci/setup/setup_tpm2provisioner.sh

@@ -4,23 +4,47 @@
 #
 #########################################################################################
 set -e
-pushd /
+pushd /  > /dev/null
 echo "Setting up TPM emulator for the TPM2 Provisioner"
 
 # Function to make and install TPM 2.0 Provisioner packages
-function InstallProvisioner {
+function installProvisioner {
    echo "===========Installing TPM 2.0 Provisioner Packages...==========="
-   pushd /HIRS
+   pushd /HIRS  > /dev/null
     echo "Building the HIRS Provisioner ..."
     mkdir -p /HIRS/logs/provisioner/
     sh package/package.centos.sh &> /HIRS/logs/provisioner/provisioner_build.log
     echo "Installing the HIRS Provisioner ..."
-   yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm
-   popd
+    yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm
+  popd  > /dev/null
+}
+
+# use ibm tss to properly clear tpm pcr values
+function setTpmPcrValues {
+  mkdir /ibmtss
+  pushd /ibmtss  > /dev/null
+    echo "Installing IBM TSS to set the TPM simulator intial values correctly..."
+    wget --no-check-certificate https://downloads.sourceforge.net/project/ibmtpm20tss/ibmtss1.5.0.tar.gz > /dev/null
+    tar -zxvf ibmtss1.5.0.tar.gz > /dev/null
+    cd utils
+    make -f makefiletpmc > /dev/null
+    cd ../utils
+    ./startup
+  popd  > /dev/null
+}
+
+# Set default values tcg_boot_properties
+function setTcgProperties {
+  propFile="/etc/hirs/tcg_boot.properties";
+
+  echo "tcg.rim.dir=/boot/tcg/manifest/rim/" > $propFile;
+  echo "tcg.swidtag.dir=/boot/tcg/manifest/swidtag/" >> $propFile;
+  echo "tcg.cert.dir=/boot/tcg/cert/platform/" >> $propFile;
+  echo "tcg.event.file=/sys/kernel/security/tpm0/binary_bios_measurements" >> $propFile;
 }
 
 # Function to initialize the TPM 2.0 Emulator
-function InitTpm2Emulator {
+function initTpm2Emulator {
    echo "===========Initializing TPM 2.0 Emulator...==========="
 
    mkdir -p /var/run/dbus
@@ -42,8 +66,11 @@ function InitTpm2Emulator {
    /ibmtpm/src/./tpm_server &
    echo "TPM Emulator started"
 
+   sleep 1
+   # Use the ibmtss to clear the PCR values (tpm2-abrmd will currupt PCR0)
+   setTpmPcrValues
    # Give tpm_server time to start and register on the DBus
-   sleep 2
+   sleep 1
 
    tpm2-abrmd -t socket &
    echo "TPM2-Abrmd started"
@@ -86,7 +113,7 @@ function InitTpm2Emulator {
 }
 
 # Function to update the hirs-site.config file
-function UpdateHirsSiteConfigFile {
+function updateHirsSiteConfigFile {
    HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config"
 
    echo ""
@@ -115,28 +142,31 @@ DEFAULT_SITE_CONFIG_FILE
    cat /etc/hirs/hirs-site.config
 }
 
-function WaitForAca {
+function waitForAca {
 # Wait for ACA to boot
-echo "Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
-until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
-  sleep 5;
+  echo "Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
+  until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
+    sleep 1;
   #echo "Checking on the ACA..."
-done
-echo "ACA is up!"
+  done
+  echo "ACA is up!"
 }
 
 #Wait for the ACA to spin up, if it hasnt already
-WaitForAca
+waitForAca
 
 # Install packages
-InstallProvisioner
+installProvisioner
+
+# set location of tcg artifacts
+setTcgProperties
+#echo "Contents of /etc/hirs is $(ls -al /etc/hirs)";
 
 # Install TPM 2.0 Emulator
-InitTpm2Emulator
+initTpm2Emulator
 
 # Update the hirs-site.config file
-UpdateHirsSiteConfigFile
-
+updateHirsSiteConfigFile
 
 echo "TPM 2.0 Emulator NV RAM list"
 tpm2_nvlist
@@ -144,4 +174,4 @@ tpm2_nvlist
 echo ""
 echo "===========HIRS ACA TPM 2.0 Provisioner Setup Complete!==========="
 
-popd
+popd > /dev/null

.ci/system-tests/aca_policy_tests.sh

@@ -10,32 +10,37 @@ failedTests=0;
 # Start ACA Policy Tests
 # provision_tpm takes 1 parameter (the expected result): "pass" or "fail"
 
-write_to_logs "ACA POLICY TEST 1: Test ACA default policy "
+writeToLogs "### ACA POLICY TEST 1: Test ACA default policy  ###"
 setPlatformCerts "laptop" "empty"
-provision_tpm2 "pass"
+provisionTpm2 "pass"
 
-write_to_logs "ACA POLICY TEST 2: Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store"
+writeToLogs "### ACA POLICY TEST 2: Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store ###"
 setPolicyEkOnly
-provision_tpm2 "fail"
+provisionTpm2 "fail"
 
-write_to_logs "ACA POLICY TEST 3: Test EK Only Validation Policy" 
+writeToLogs "### ACA POLICY TEST 3: Test EK Only Validation Policy ###" 
 uploadTrustedCerts
-provision_tpm2 "pass"
+provisionTpm2 "pass"
 
-write_to_logs "ACA POLICY TEST 4: Test PC Validation Policy with no PC" 
+writeToLogs "### ACA POLICY TEST 4: Test PC Validation Policy with no PC ###" 
 setPolicyEkPc_noAttCheck
-provision_tpm2 "fail"
+provisionTpm2 "fail"
 
-write_to_logs "ACA POLICY TEST 5: Test FW and PC Validation Policy with no PC" 
+writeToLogs "### ACA POLICY TEST 5: Test FW and PC Validation Policy with no PC ###" 
 setPolicyEkPcFw
-provision_tpm2 "fail"
+provisionTpm2 "fail"
 
-write_to_logs "### ACA POLICY TEST 6: Test PC Validation Policy with valid PC ###"
+writeToLogs "### ACA POLICY TEST 6: Test PC Validation Policy with valid PC ###"
 clearAcaDb
 setPolicyEkPc
 uploadTrustedCerts
 setPlatformCerts "laptop" "default"
-provision_tpm2 "pass"
+provisionTpm2 "pass"
+
+writeToLogs "### ACA POLICY TEST 7: Test PC with RIM Validation Policy with valid PC and RIM ###"
+setPolicyEkPcFw
+setRims "laptop" "default"
+provisionTpm2 "pass"
 
 #  Process Test Results, any single failure will send back a failed result.
 if [[ $failedTests != 0 ]]; then

.ci/system-tests/container/rim_setup.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+#########################################################################################
+#   Setup for PC Client Reference Integrity Manifest (RIM) tests
+#
+#########################################################################################
+
+profile=$1
+test=$2
+tcgDir="/boot/tcg"
+testDir="/HIRS/.ci/system-tests/profiles/$profile/$test"
+propFile="/etc/hirs/tcg_boot.properties";
+eventLog="$testDir"/"$profile"_"$test"_binary_bios_measurements
+
+mkdir -p $tcgDir/manifest/rim/;  # Create the platform cert folder if its not there
+rm -f $tcgDir/manifest/rim/*;   # clear out any previous data
+
+mkdir -p $tcgDir/manifest/swidtag/;  # Create the platform cert folder if its not there
+rm -f $tcgDir/manifest/swidtag/*;   # clear out any previous data
+
+echo "Test is using RIM files from $profile : $test"
+
+# update tcg_boot.properties to use test specific binary_bios_measurement file
+sed -i "s:tcg.event.file=.*:tcg.event.file=$eventLog:g" "$propFile"
+
+#echo "Contents of $propFile after sed is $(cat $propFile)";
+
+# Step 2: Copy Base RIM files to the TCG folder
+pushd $testDir/swidtags/ > /dev/null
+
+  if [[ ! -f ".gitignore" ]]; then
+    for swidtag in * ; do
+          cp -f $swidtag $tcgDir/manifest/swidtag/$swidtag;
+    done
+  fi
+popd > /dev/null
+# Step 3: Copy Support RIM files to the TCG folder
+pushd $testDir/rims/ > /dev/null
+
+  if [[ ! -f ".gitignore" ]]; then
+    for rim in * ; do
+          cp -f $rim $tcgDir/manifest/rim/$rim;
+    done
+  fi
+popd > /dev/null
+
+#  echo "Contents of tcg swidtag folder $tcgDir/manifest/swidtag/ : $(ls $tcgDir/manifest/swidtag/)"
+#  echo "Contents of tcg rim folder tcgDir/manifest/rim/: $(ls $tcgDir/manifest/rim/)"
+
+#Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file
+sh $testDir/"$profile"_"$test"_setpcrs.sh
+#tpm2_pcrlist -g sha256 
+
+# Done with rim_setup 

.ci/system-tests/run_system_tests.sh

@@ -19,19 +19,19 @@ echo "********  Setting up for HIRS System Tests for TPM 2.0 ******** "
 # expand dmi files for mounting to the provisioner containers
 unzip -q .ci/system-tests/profiles/laptop/laptop_dmi.zip -d .ci/system-tests/profiles/laptop/
 # Start System Testing Docker Environment
-pushd .ci/docker
+pushd .ci/docker > /dev/null
 
 docker-compose -f docker-compose-system-test.yml up -d
 
-popd
-pushd .ci/system-tests
+popd > /dev/null
+pushd .ci/system-tests > /dev/null
 source sys_test_common.sh
 
 echo "ACA Container info: $(checkContainerStatus $aca_container)";
 echo "TPM2 Provisioner Container info: $(checkContainerStatus $tpm2_container)";
 
 # Install HIRS provioner and setup tpm2 emulator
-docker exec $tpm2_container /HIRS/.ci/setup/setup-tpm2provisioner.sh
+docker exec $tpm2_container /HIRS/.ci/setup/setup_tpm2provisioner.sh
 
 # ********* Execute system tests here, add tests as needed ************* 
 echo "******** Setup Complete Begin HIRS System Tests ******** "
@@ -53,16 +53,15 @@ docker exec $tpm2_container chmod -R 777 /HIRS/logs/;
 # Display container log
 echo ""
 echo "===========HIRS Tests and Log collection complete ==========="
-#docker logs $tpm2_container_id 
 
 echo ""
 echo "End of System Tests for TPM 2.0, cleaning up..."
 echo ""
 # Clean up services and network
-popd
+popd > /dev/null
 pushd .ci/docker
 docker-compose -f docker-compose-system-test.yml down -v
-popd
+popd > /dev/null
 # Clean up dangling containers
 echo "Cleaning up dangling containers..."
 echo ""

.ci/system-tests/sys_test_common.sh

@@ -61,13 +61,19 @@ docker exec $aca_container mysql -u root -e "use hirs_db; set foreign_key_checks
 
 # Upload Certs to the ACA DB
 uploadTrustedCerts() {
-  curl -k -s -F "file=@$issuerCert" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
+pushd ../setup/certs > /dev/null
+
+  curl -k -s -F "file=@ca.crt" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
+  curl -k -s -F "file=@RIMCaCert.pem" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
+  curl -k -s -F "file=@RimSignCert.pem" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload
+
+popd > /dev/null
 }
 
 # provision_tpm2 takes one parameter which is the expected result of the provion: "pass" or "fail"
 # updates totalTests and failedTests counts
 # provision_tpm2 <expected_results>
-provision_tpm2() {
+provisionTpm2() {
    expected_result=$1
    ((totalTests++))
    provisionOutput=$(docker exec $tpm2_container tpm_aca_provision);
@@ -98,25 +104,19 @@ setPlatformCerts() {
   #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
 }
 
-# Places platform cert held in the test folder in the provisioners tcg folder
-# setRimBundle <profile> <test>
-setRimBundles() {
-  profile=$1
-  test=$2
-  docker exec $tpm2_container rm /boot/tcg/manifest/rim/*;
-  docker exec $tpm2_container rm /boot/tcg/manifest/swidtag/*;
-  docker exec $tpm2_container cp /HIRS/.ci/system-tests/$profile/$test/rims/* /boot/tcg/manifest/rim; 
-  docker exec $tpm2_container cp /HIRS/.ci/system-tests/$profile/$test/swidtags/* /boot/tcg/manifest/swidtag;
-  docker exec $tpm2_container ls /boot/tcg/manifest/rim/
-  docker exec $tpm2_container ls /boot/tcg/manifest/swidtag/
+# Places RIM files held in the test folder in the provisioners tcg folder
+# setRims <profile> <test>
+setRims() {
+docker exec $tpm2_container sh /HIRS/.ci/system-tests/container/rim_setup.sh $1 $2 
+#docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
 }
 
 # Writes to the Action ouput, ACA log, and Provisioner Log
 # Used for marking the start of system tests and noting the result
 # write_to_logs <log statement>
-write_to_logs() {
+writeToLogs() {
   line=$1
   echo $line;
   docker exec $aca_container sh -c "echo '$line' >> /var/log/tomcat/HIRS_AttestationCA.log"
-  docker exec $tpm2_container sh -c "echo '$line' >> /var/log/hirs/provisioner/HIRS_provisionerTPM2.log"
+ # docker exec $tpm2_container sh -c "echo '$line' >> /var/log/hirs/provisioner/HIRS_provisionerTPM2.log"
 }

.github/workflows/system_test.yml

@@ -29,7 +29,7 @@ jobs:
       run: |
         sudo apt-get install -y curl
         echo ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin
-        bash .ci/system-tests/run-system-tests.sh
+        bash .ci/system-tests/run_system_tests.sh
     - name: Archive System Test Log files
       uses: actions/upload-artifact@v2
       with:
@@ -42,5 +42,5 @@ jobs:
         if [ ${TEST_STATUS} == "0" ]; then
           exit 0;
         else
-          exit 1;  
-        fi
+          exit 1;
+        fi

HIRS_ProvisionerTPM2/package/rpm-post-install.sh

@@ -40,6 +40,7 @@ DEFAULT_SITE_CONFIG_FILE
 fi
 ln -s -f /etc/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner
 
+TCG_TEMP_FILE="/tmp/boot_properties"
 TCG_BOOT_FILE="/etc/hirs/tcg_boot.properties"
 TCG_DIRECTORY="/boot/tcg"
 RIM_FILE_LOCATION="$TCG_DIRECTORY/manifest/rim/"
@@ -47,24 +48,27 @@ SWIDTAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/"
 CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/"
 BINARY_BIOS_MEASUREMENTS="/sys/kernel/security/tpm0/binary_bios_measurements"
 
-if [ ! -f "$TCG_BOOT_FILE" ]; then
-  touch "$TCG_BOOT_FILE"
-fi
-
+touch "$TCG_TEMP_FILE"
 if [ -d "$RIM_FILE_LOCATION" ]; then
-  echo "tcg.rim.dir=$RIM_FILE_LOCATION" > "$TCG_BOOT_FILE"
+  echo "tcg.rim.dir=$RIM_FILE_LOCATION" > "$TCG_TEMP_FILE"
 fi
 
 if [ -d "$SWIDTAG_FILE_LOCATION" ]; then
-  echo "tcg.swidtag.dir=$SWIDTAG_FILE_LOCATION" >> "$TCG_BOOT_FILE"
+  echo "tcg.swidtag.dir=$SWIDTAG_FILE_LOCATION" >> "$TCG_TEMP_FILE"
 fi
 
 if [ -d "$CREDENTIALS_LOCATION" ]; then
-  echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_BOOT_FILE"
+  echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_TEMP_FILE"
 fi
 
 if [ -f "$BINARY_BIOS_MEASUREMENTS" ]; then
-  echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_BOOT_FILE"
+  echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_TEMP_FILE"
+fi
+
+
+if [ ! -f "$TCG_BOOT_FILE" ]; then
+  install -m 644 $TCG_TEMP_FILE $TCG_BOOT_FILE
+else
+  echo $TCG_TEMP_FILE > $TCG_BOOT_FILE
 fi
 
-chmod -w "$TCG_BOOT_FILE"