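#!/bin/bash
#
# Detect a TPM on this host and run the HIRS TPM ACA provisioning client that
# matches the TPM version found.
#
# Evidence is gathered from three independent sources and each probe is reduced
# to a strict 0/1 flag before the flags are summed. (The previous version used
# $((1-$?)), so a grep *error* -- exit status 2 -- became -1 and could cancel out
# a genuine hit from another probe.)
#   1. the kernel log (dmesg)             -- "1.2 TPM" / "2.0 TPM"
#   2. sysfs (/sys/class/tpm/tpm0/device) -- the firmware/device description
#   3. a working TPM tool stack           -- tpm_version (tpm-tools) / tpm2_nvlist (tpm2-tools)
#
# Caveats:
#   * dmesg is a ring buffer that may have wrapped, and reading it may be
#     restricted to root (kernel.dmesg_restrict); no match there proves nothing.
#   * Probe 3 also succeeds for a real TPM with the tools installed, so it means
#     "some TPM stack answers", not specifically "an emulator is present".
#   * If evidence for both versions exists, TPM 1.2 wins because it is tested first.
#   * This script only chooses which client to run; it does not verify the TPM.
#     With no evidence at all it still runs the TPM 1.2 provisioner when that
#     package is installed, so the normal HIRS workflow proceeds.
#     NOTE(review): confirm that hirs-provisioner itself fails safely without a
#     TPM rather than producing an identity with no hardware root -- not visible here.
#
# Exit status: the provisioner's exit status, or 1 when the required
# HIRS_Provisioner_TPM_* package is not installed.

set -u

#######################################
# Print 1 when FILE exists and contains the fixed string PATTERN, else 0.
# Arguments: $1 - pattern (matched literally, case-sensitive)
#            $2 - file to search
# Outputs:   "0" or "1" on stdout
#######################################
flag_if_matches() {
  if [[ -f "$2" ]] && grep -qF -- "$1" "$2"; then
    echo 1
  else
    echo 0
  fi
}

#######################################
# Print 1 when COMMAND is on PATH and exits 0 (its output is discarded), else 0.
# Arguments: $1 - command name
# Outputs:   "0" or "1" on stdout
#######################################
flag_if_tool_runs() {
  if command -v "$1" >/dev/null 2>&1 && "$1" >/dev/null 2>&1; then
    echo 1
  else
    echo 0
  fi
}

# --- probe 1: kernel log -----------------------------------------------------
# dmesg is read once. Its own diagnostics (e.g. "Operation not permitted") are
# deliberately left on stderr so an operator can see why this probe was blind.
KERNEL_LOG=$(dmesg)
DMESG_1_2=0
DMESG_2_0=0
if grep -iqF -- "1.2 TPM" <<<"$KERNEL_LOG"; then DMESG_1_2=1; fi
if grep -iqF -- "2.0 TPM" <<<"$KERNEL_LOG"; then DMESG_2_0=1; fi

# --- probe 2: sysfs ----------------------------------------------------------
# Only tpm0 is examined; a host exposing several TPM devices is not handled.
TPM0_DEVICE=/sys/class/tpm/tpm0/device
DEV_1_2=$(flag_if_matches "TPM 1.2 Device" "$TPM0_DEVICE/firmware_node/description")
DEV_2_0=$(flag_if_matches "TPM 2.0 Device" "$TPM0_DEVICE/description")

# --- probe 3: a responding tool stack (emulator or real TPM) -----------------
EMU_1_2=$(flag_if_tool_runs tpm_version)
EMU_2_0=$(flag_if_tool_runs tpm2_nvlist)

# --- which provisioner packages are installed (0 == installed, per rpm -q) ---
rpm -q HIRS_Provisioner_TPM_1_2 >/dev/null 2>&1
PROVISIONER_1_2_INSTALLED=$?
rpm -q HIRS_Provisioner_TPM_2_0 >/dev/null 2>&1
PROVISIONER_2_0_INSTALLED=$?

# Each flag is exactly 0 or 1, so a sum > 0 means "at least one probe hit".
TPM_1_2_PRESENT=$(( DMESG_1_2 + DEV_1_2 + EMU_1_2 ))
TPM_2_0_PRESENT=$(( DMESG_2_0 + DEV_2_0 + EMU_2_0 ))

RC=1
if (( TPM_1_2_PRESENT > 0 )); then
  echo "TPM 1.2 detected."
  if (( PROVISIONER_1_2_INSTALLED == 0 )); then
    hirs-provisioner -p
    RC=$?
  else
    echo "The package 'HIRS_Provisioner_TPM_1_2' must be installed to provision a TPM 1.2."
    exit 1
  fi
elif (( TPM_2_0_PRESENT > 0 )); then
  echo "TPM 2.0 detected."
  if (( PROVISIONER_2_0_INSTALLED == 0 )); then
    # Absolute path kept as in the packaged install; the 1.2 client is found via PATH.
    /usr/local/bin/hirs-provisioner-tpm2 provision
    RC=$?
  else
    echo "The package 'HIRS_Provisioner_TPM_2_0' must be installed to provision a TPM 2.0."
    exit 1
  fi
else
  echo "No evidence of a TPM was found in dmesg, /sys/class/tpm, or via an installed emulator. If this machine has a TPM, please ensure it is enabled in UEFI/BIOS, or that your emulator is installed and functioning with tpm-tools or tpm2-tools."
  if (( PROVISIONER_1_2_INSTALLED == 0 )); then
    echo "Running TPM 1.2 provisioner to support normal HIRS usage."
    # The long spelling "--provision" is kept as the original used it here
    # (the detected-1.2 branch uses "-p"); whether the two are equivalent is
    # decided by hirs-provisioner, not this script.
    hirs-provisioner --provision
    RC=$?
  else
    echo "TPM 1.2 provisioner is not installed; not running normal HIRS provisioning."
    exit 1
  fi
fi

exit "$RC"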