* This is new code that parses a new field in the upcoming TCG spec for the platform components fields. The new field indicates the type of hardware (ex Memory - DDR3). This information wasn't provided before so it wasn't always clear what the component was. The new information is provided in a json file. A unit test was created to test the different variations. This commit does not include hooks in the base code to use this class yet. This commit is mainly to include the added library and correct bug and checkstyle issues associated with the new code. Closes #24 * Removed duplicate CONSTANT variable. * Added newline * Added Newline * Updated variable names for json object. * Fixed line length style error.
# need to run rpmbuild with either:
# --define 'build6 1' --define 'dist .el6'
# --define 'build7 1' --define 'dist .el7'
#
# VERSION, RELEASE and GIT_HASH are likewise expected from --define; the Source
# tarball name is derived from GIT_HASH, so a package is tied to the exact commit
# it was built from. PLUGIN_SOURCE, DISPLAY_VERSION, PACKAGE_NAME_ADDENDUM and
# RPM_EXTRA_CLIENT_DEPENDENCIES are optional and empty when not defined.

# rpm runs scripts with $1 holding the number of currently installed version of the package in question:
# Install the first time: 1
# Upgrade: 2 or higher (depending on the number of versions installed)
# Remove last version of package: 0
# from RedHat RPM Guide by Eric Foster-Johnston

Name : HIRS
Version : %{?VERSION}
Release : %{?RELEASE}%{?dist}
Source : %{name}-%{?GIT_HASH}.tar
Group : System Environment/Base
License : ASL 2.0
Summary : HIRS
# Only Java artifacts and shell scripts are shipped, no native code.
BuildArch : noarch
BuildRoot : %{_tmppath}/%{name}-%{version}-root
BuildRequires : java-1.8.0-openjdk-devel

%description
Host Integrity at Runtime and Startup (HIRS) parent spec.

%prep
# -c: create the top-level build directory and unpack the tarball inside it; -q: quiet.
%setup -q -c

# Subpackage name for the TPM 1.2 provisioner; the addendum lets a build produce
# a differently named variant without editing the spec.
%define provisioner_package_name HIRS_Provisioner_TPM_1_2%{?PACKAGE_NAME_ADDENDUM}
# Keep the Gradle-built jars exactly as built instead of letting rpm re-pack them.
%define __jar_repack 0
##########################
# HIRS_Provisioner_TPM_1_2
##########################
%package -n %{provisioner_package_name}
Summary : Host Integrity at Runtime and Startup (HIRS) Provisioner
Group : System Environment/Base

# Runtime dependencies differ only in the init system: initscripts on EL6,
# systemd on EL7. tpm_module and paccor are presumably HIRS-side packages rather
# than base-OS ones -- confirm the client repository provides them.
# RPM_EXTRA_CLIENT_DEPENDENCIES is appended verbatim after "bash", so a value
# passed via --define must start with its own ", " separator.
%if 0%{?build6}
Requires : tpm_module, java-1.8.0, wget, util-linux, chkconfig, sed, initscripts, coreutils, dmidecode, paccor, bash%{?RPM_EXTRA_CLIENT_DEPENDENCIES}
%endif

%if 0%{?build7}
Requires : tpm_module, java-1.8.0, wget, util-linux, chkconfig, sed, systemd, coreutils, dmidecode, paccor, bash%{?RPM_EXTRA_CLIENT_DEPENDENCIES}
%endif

%description -n %{provisioner_package_name}
Host Integrity at Runtime and Startup (HIRS) Provisioner.
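%pre -n %{provisioner_package_name}
# Runs before the provisioner files are unpacked, on a fresh install ($1 is 1)
# and on every upgrade ($1 >= 2). rpm hands scriptlets to /bin/sh, so the
# [[ ]] tests below rely on /bin/sh being bash, as it is on EL6/EL7.
#
# Goal: make the TPM 1.2 software stack usable before provisioning is attempted:
#   1. start Trousers (tcsd) and enable it for the runlevels used at boot,
#   2. make securityfs available so the TPM shows up under
#      /sys/kernel/security/tpm0.
# Every problem is reported as a WARNING instead of aborting the transaction,
# so the package can still be staged on a host whose TPM is not ready yet.

# Start tcsd with the given command line and enable it for runlevels 1, 3, 5
# and 6. Only warns on failure: provisioning needs tcsd, the install does not.
start_tcsd() {
    echo "Starting tcsd service"
    if ! "$@"; then
        echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE"
    fi
    echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6"
    chkconfig --level 1356 tcsd on
}

if [[ $(find /sys/devices -name "tpm0") ]]; then
    echo "TPM detected"
    if [ -f "/usr/lib/systemd/system/tcsd.service" ]; then
        # systemd host (EL7): tcsd ships a native unit.
        start_tcsd systemctl start tcsd
    else
        # SysV host (EL6).
        start_tcsd service tcsd start
    fi

    if [ ! -d "/sys/kernel/security/tpm0" ]; then
        # Fix: only add the fstab entry when none exists for /sys/kernel/security.
        # The original appended unconditionally, so every install or upgrade on a
        # host where securityfs is already in fstab but exposes no tpm0 (or where
        # the mount failed) grew /etc/fstab by one more duplicate line.
        if ! grep -q '^[^#]*[[:space:]]/sys/kernel/security[[:space:]]' /etc/fstab; then
            echo "Mounting security fs partition"
            sed -i '$a securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0' /etc/fstab
        fi
        mount -a
        if [ -d "/sys/kernel/security/tpm0" ]; then
            echo "SUCCESS: security fs partition mounted"
        fi
    fi
else
    echo "WARNING: UNABLE TO LOCATE TPM DEVICE, TPM PROVISIONING WILL FAIL"
fi

# Explicit: nothing above is allowed to abort the install.
exit 0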
%post -n %{provisioner_package_name}
# Runs after the provisioner files are unpacked, on every install and upgrade.
# Seeds /etc/hirs with the shipped defaults (never overwriting an existing
# file), publishes the shared helper scripts, exposes the two entry points
# under /usr/sbin and finally runs the provisioner's own configuration step.

# Link SCRIPT into /usr/sbin under LINK_NAME and make sure SCRIPT is executable.
publish_command() {
    script=$1
    link_name=$2
    ln -s -f "$script" "$link_name"
    chmod +x "$script"
}

# default property files: copy only those not already present in /etc/hirs
mkdir -p /etc/hirs/
cp -n /opt/hirs/default-properties/provisioner/* /etc/hirs/

# helper scripts shared with the other HIRS packages
cp -f /opt/hirs/scripts/common/provisioner/* /opt/hirs/scripts/common/

echo 'Creating symlink for hirs-provisioner command'
publish_command /usr/share/hirs/provisioner/tpm_aca_provision /usr/sbin/tpm_aca_provision
publish_command /usr/share/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner

# initial configuration; its exit status becomes the scriptlet's exit status
hirs-provisioner -c
%postun -n %{provisioner_package_name}
# Runs after the package files have been removed. $1 is the number of versions
# still installed: 0 means the last copy is gone (a real erase); anything else
# is an upgrade, where the new version's files must be left alone.
case "$1" in
    0)
        rm -rf /etc/hirs/provisioner
        rm -rf /etc/hirs/certificates
        rm -f /usr/sbin/hirs-provisioner
        rm -rf /usr/share/hirs/provisioner
        rm -rf /var/log/hirs/provisioner

        # Tear down the shared HIRS tree only when no other HIRS package is left.
        # The package being erased is presumably still listed in the rpm database
        # while this scriptlet runs, hence it is filtered out of the listing.
        remaining=$(rpm -qa "HIRS*" | grep -v HIRS_Provisioner_TPM_1_2)
        if [[ -z $remaining ]]; then
            rm -rf /etc/hirs
            rm -rf /opt/hirs
            rm -rf /usr/share/hirs
            rm -rf /var/log/hirs
        fi
        ;;
esac
%files -n %{provisioner_package_name}
%license NOTICE
# Provisioner configuration, setup files and the certs/ directory.
# NOTE(review): provisioner.properties in here is site configuration, but nothing
# is marked %%config(noreplace), so an upgrade silently overwrites local edits --
# confirm and mark the properties file if that is not intended.
/etc/hirs/provisioner
# Shipped default, copied into /etc/hirs by the post scriptlet; root-owned,
# writable by root only, world-readable.
%attr(664, root, root) /opt/hirs/default-properties/provisioner/logging.properties
# Helper scripts copied into /opt/hirs/scripts/common by the post scriptlet.
# Owned and writable by root only; executable by everyone.
%attr(774, root, root) /opt/hirs/scripts/common/provisioner/
# Gradle distribution plus the hirs-provisioner.sh / tpm_aca_provision entry
# points that the post scriptlet links into /usr/sbin.
/usr/share/hirs/provisioner
%{_mandir}/man1/hirs-provisioner.1.gz
####################
# HIRS_AttestationCA
####################

%package -n HIRS_AttestationCA
Summary : Host Integrity at Runtime and Startup (HIRS) Attestation Certificate Authority (HIRS AttestationCA)
Group : System Environment/Base

# The Tomcat root is the relocatable Prefix: the WARs are listed below it in the
# files section, scriptlets see the effective value as RPM_INSTALL_PREFIX, and
# the pre scriptlet refuses to install when it is not an existing directory.
# EL6 pairs tomcat6 with mysql-server and iptables; EL7 pairs tomcat with
# mariadb-server, firewalld and the SELinux policy tools.
%if 0%{?build6}
Requires : mysql-server, openssl, tomcat6, java-1.8.0, rpmdevtools, coreutils, initscripts, chkconfig, sed, grep, iptables
Prefix : /usr/share/tomcat6
%endif

%if 0%{?build7}
Requires : mariadb-server, openssl, tomcat, java-1.8.0, rpmdevtools, coreutils, initscripts, chkconfig, sed, grep, firewalld, policycoreutils
Prefix : /usr/share/tomcat
%endif

%description -n HIRS_AttestationCA
Host Integrity at Runtime and Startup (HIRS) Attestation CA. Installs and creates keys for HIRS Attestation CA to support generating AIKs
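%pre -n HIRS_AttestationCA
# The package is relocatable (Prefix: is the Tomcat root) and rpm exposes the
# effective prefix to scriptlets as RPM_INSTALL_PREFIX. Refuse to install when it
# does not name an existing directory, otherwise the WARs would be unpacked into
# a location Tomcat never reads. A non-zero exit from pre aborts the transaction.
#
# Fix: the variable is quoted. Unquoted, an empty or unset prefix turned the test
# into `[ ! -d ]`, which is true (-d is just a non-empty string) and negated to
# false, so the guard silently passed instead of failing the install.
if [ ! -d "$RPM_INSTALL_PREFIX" ]; then
    echo "error: Tomcat directory not found. Re-run this rpm installation with --prefix=\"<absolute-tomcat-directory>\"" >&2
    exit 1
fi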
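%post -n HIRS_AttestationCA
# Runs after the ACA files are unpacked, on a fresh install ($1 is 1) and on
# every upgrade ($1 >= 2). Every helper invoked here runs as root via sh, so the
# scripts under /opt/hirs/scripts must not be writable by anyone but root.

# default property files: copy only those not already present in /etc/hirs
mkdir -p /etc/hirs
cp -n /opt/hirs/default-properties/attestationca/* /etc/hirs/

# helper scripts shared with the other HIRS packages
mkdir -p /opt/hirs/scripts/common/
cp -f /opt/hirs/scripts/common/aca/* /opt/hirs/scripts/common/

# One-time host setup: firewall, SELinux policy, TLS material, database.
if [ "$1" = "1" ]; then
    # open necessary ports
    sh /opt/hirs/scripts/common/firewall_configure_tomcat.sh

    # Allow Tomcat to use port 3306 to communicate with MySQL
%if 0%{?build7}
    # Fix: `[ selinuxenabled ]` only tested that the literal string is non-empty
    # (always true) instead of running the command, so semodule was attempted
    # even with SELinux disabled or the tool missing. Run the command itself and
    # treat an absent binary like a disabled SELinux.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        semodule -i /opt/hirs/extras/aca/tomcat-mysql-hirs.pp
    fi
%endif

    # create trust stores, configure tomcat and db
    sh /opt/hirs/scripts/common/ssl_configure.sh server

    # create the database
    sh /opt/hirs/scripts/common/db_create.sh
fi

# Runs on upgrades as well as fresh installs. NOTE(review): presumably this is
# idempotent for existing CA material -- confirm, since re-issuing the ACA
# certificate on every upgrade would invalidate already-provisioned clients.
sh /opt/hirs/scripts/aca/certificate_generate.sh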
%preun -n HIRS_AttestationCA
# Runs before the ACA files are removed. $1 is the number of versions that will
# remain afterwards: 0 means a real erase; anything else is an upgrade, and the
# shared host configuration is left untouched.
case "$1" in
    0)
        # The Tomcat/MySQL TLS setup and the database are shared with HIRS_Server;
        # only dismantle them when that package is not installed.
        server_installed=$(rpm -qa HIRS_Server)
        if [[ -z $server_installed ]]; then
            echo 'Restoring Tomcat and MySQL configuration'
            sh /opt/hirs/scripts/common/ssl_deconfigure.sh server

            echo 'Dropping local HIRS database'
            sh /opt/hirs/scripts/common/db_drop.sh
        fi
        ;;
esac
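%postun -n HIRS_AttestationCA
# Runs after the ACA files have been removed. $1 is the number of versions still
# installed: 0 is a real erase; anything else an upgrade, where nothing is cleaned.
if [ "$1" = "0" ]; then
    # Removes WARS from the Tomcat installation as well as ACA configuration files and certificates
    # (/etc/hirs/aca), and ACA installation (/opt/hirs/attestation-ca). Do not run during an upgrade
    #
    # Fix: use the prefix the package was actually installed under. The pre
    # scriptlet tells the admin to relocate with --prefix, but the cleanup used
    # the build-time Prefix, leaving the WARs and Tomcat's unpacked copies behind
    # on a relocated install. RPM_INSTALL_PREFIX is what pre already relies on;
    # the build-time value is only the fallback.
    tomcat_dir="${RPM_INSTALL_PREFIX:-%{prefix}}"
    rm -f "$tomcat_dir"/webapps/HIRS_AttestationCA*.war
    rm -rf "$tomcat_dir"/webapps/HIRS_AttestationCA*
    rm -rf /etc/hirs/aca
    rm -rf /opt/hirs/attestation-ca

    # if the Server and Appraiser are not installed, remove certificates directory.
    # Fix: rpm -qa takes shell-style globs, not regular expressions, so the
    # original pattern "HIRS_(Server|Appraiser)" could never match and the
    # certificates directory was deleted even with Server or Appraiser installed.
    if [ -z "$(rpm -qa HIRS_Server HIRS_Appraiser)" ]; then
        rm -rf /etc/hirs/certificates
    fi

    # if there are no more HIRS packages remaining, remove all HIRS directories.
    # The package being erased is presumably still listed while this runs, so it
    # is filtered out of the listing.
    if [ -z "$(rpm -qa "HIRS*" | grep -v HIRS_AttestationCA)" ]; then
        rm -rf /etc/hirs
        rm -rf /opt/hirs
        rm -rf /usr/share/hirs
        rm -rf /var/log/hirs
    fi
fi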
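%files -n HIRS_AttestationCA
%license NOTICE
# Deployables for Tomcat. Fix: the WARs were 664 root:tomcat, i.e. writable by
# the tomcat group, which the Tomcat service account is normally a member of.
# Tomcat only needs to read the archive to deploy it; group write would let a
# compromised webapp replace the ACA itself. Read-only for group and other now.
%attr(644, root, tomcat) %{prefix}/webapps/HIRS_AttestationCA.war
%attr(644, root, tomcat) %{prefix}/webapps/HIRS_AttestationCAPortal.war
# ACA configuration, certificates/ and client-files/. Left group-writable since
# the ACA (running as tomcat) is presumably expected to write into those
# subdirectories -- NOTE(review): confirm which ones actually need write access
# and restrict the rest (aca.properties in particular should not be writable).
%attr(774, root, tomcat) /etc/hirs/aca/
# Shipped defaults, copied into /etc/hirs by root in the post scriptlet; nothing
# running as tomcat has to modify them (were 664).
%attr(644, root, tomcat) /opt/hirs/default-properties/attestationca/logging.properties
%attr(644, root, tomcat) /opt/hirs/default-properties/attestationca/banner.properties
%attr(644, root, tomcat) /opt/hirs/default-properties/attestationca/persistence.properties
%attr(644, root, tomcat) /opt/hirs/default-properties/component-class.json
# Helper scripts and the SELinux policy module. They are executed / loaded by
# root from the install and uninstall scriptlets (ssl_configure.sh, db_drop.sh,
# semodule -i, ...), so they must not be writable by the tomcat group: that was
# a direct tomcat -> root escalation path on the next package operation
# (were 774). Execute/read is kept for everyone; the policy files are data.
%attr(755, root, tomcat) /opt/hirs/scripts/common/aca
%attr(755, root, tomcat) /opt/hirs/scripts/aca
%attr(644, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.pp
%attr(644, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.te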
####################
# Build and install
####################

%build
# rpmbuild runs this section under sh -e by default, so a failing Gradle
# invocation aborts the build. Produces the provisioner distribution plus the
# two ACA WARs; PLUGIN_SOURCE and DISPLAY_VERSION come from the rpmbuild
# command line (--define) and are empty when not given.
# NOTE(review): the Gradle wrapper resolves its own Gradle distribution and the
# build its dependencies; for a reproducible, offline package build those
# should be pre-fetched and pinned -- confirm how release builds are run.
./gradlew -PpluginDir=%{?PLUGIN_SOURCE} -PdisplayVersion=%{?DISPLAY_VERSION} :HIRS_Provisioner:installDist :HIRS_AttestationCA:war :HIRS_AttestationCAPortal:war
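%install
# rpmbuild runs this section under sh -e by default: any failing cd/cp/mkdir
# aborts the build instead of producing a package with files missing.
# Layout produced under the buildroot:
#   /usr/share/hirs/provisioner   provisioner distribution + entry scripts
#   /etc/hirs/provisioner         provisioner config, certs/ and setup files
#   /opt/hirs/scripts/...         helper scripts for both packages
#   PREFIX/webapps                the two ACA WARs (PREFIX = Tomcat root)
#   /etc/hirs/aca                 ACA config and certificate directories
#   /opt/hirs/default-properties  property/json defaults copied to /etc/hirs at install
#   /opt/hirs/extras              SELinux policy module sources
# Everything happens inside the buildroot; the build host itself is untouched.

# prepare provisioner for packaging
cd HIRS_Provisioner
mkdir -p %{buildroot}/usr/share/hirs/provisioner
mkdir -p %{buildroot}/%{_mandir}/man1
cp -r build/install/HIRS_Provisioner/* %{buildroot}/usr/share/hirs/provisioner

# Splice a JVM version check into the Gradle-generated launcher, right before
# it execs the JVM. Fix: the launcher quotes "$JAVACMD" itself; the inserted
# line now does too, so a JAVA_HOME containing whitespace is neither split into
# several arguments nor checked as a different path than the one execed.
sed -i '/exec "$JAVACMD" "$@"/i /opt/hirs/scripts/common/jvm_version_check.sh "$JAVACMD"' %{buildroot}/usr/share/hirs/provisioner/bin/HIRS_Provisioner

mkdir -p %{buildroot}/etc/hirs/provisioner/certs
cp scripts/install/hirs-provisioner.sh %{buildroot}/usr/share/hirs/provisioner/
cp scripts/install/tpm_aca_provision %{buildroot}/usr/share/hirs/provisioner/
cp hirs-provisioner-config.sh %{buildroot}/etc/hirs/provisioner
cp create-ek-cert.sh %{buildroot}/etc/hirs/provisioner
# the shipped defaults become the live provisioner.properties
cp src/main/resources/defaults.properties %{buildroot}/etc/hirs/provisioner/provisioner.properties
cp -r setup %{buildroot}/etc/hirs/provisioner/
gzip -c man/hirs-provisioner.1 > %{buildroot}/%{_mandir}/man1/hirs-provisioner.1.gz

mkdir -p %{buildroot}/opt/hirs/scripts/common/provisioner
cp ../scripts/common/jvm_version_check.sh %{buildroot}/opt/hirs/scripts/common/provisioner/

# copy common scripts
mkdir -p %{buildroot}/opt/hirs/scripts/common/aca
cp ../scripts/common/* %{buildroot}/opt/hirs/scripts/common/aca/

# prepare ACA for packaging
cd ../HIRS_AttestationCA
mkdir -p %{buildroot}/opt/hirs/scripts/aca
cp ../scripts/aca/* %{buildroot}/opt/hirs/scripts/aca
mkdir -p %{buildroot}/opt/hirs/attestation-ca/
mkdir -p %{buildroot}/etc/hirs/aca/certificates/
mkdir -p %{buildroot}/etc/hirs/aca/client-files/
mkdir -p %{buildroot}%{prefix}/webapps/
cp build/libs/HIRS_AttestationCA.war %{buildroot}%{prefix}/webapps/
# the shipped defaults become the live aca.properties
cp src/main/resources/defaults.properties %{buildroot}/etc/hirs/aca/aca.properties

# prepare ACA Portal for packaging
cd ../HIRS_AttestationCAPortal
mkdir -p %{buildroot}%{prefix}/webapps/
cp build/libs/HIRS_AttestationCAPortal.war %{buildroot}%{prefix}/webapps/
# note: no ACA Portal specific resource files to copy yet...

# creates the home directory for activemq user so SELinux doesn't complain
# NOTE(review): /srv/activemq and /etc/hirs/portal are created here but listed
# in no files section of this spec -- confirm which package is meant to own them.
mkdir -p %{buildroot}/srv/activemq
mkdir -p %{buildroot}/etc/hirs/portal

cd ..

# copy over the properties files
mkdir -p %{buildroot}/opt/hirs/default-properties/provisioner
cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/provisioner/logging.properties

mkdir -p %{buildroot}/opt/hirs/default-properties/attestationca
cp HIRS_Utils/src/main/resources/persistence.properties %{buildroot}/opt/hirs/default-properties/attestationca/
cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/attestationca/
cp HIRS_Utils/src/main/resources/banner.properties %{buildroot}/opt/hirs/default-properties/attestationca/
# component-class.json: TCG component class definitions read by the ACA
cp HIRS_Utils/src/main/resources/component-class.json %{buildroot}/opt/hirs/default-properties/

# install extras
mkdir -p %{buildroot}/opt/hirs/extras
cp -r extras/ %{buildroot}/opt/hirs/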