fix tpm certificate handling
fixed handling of security certificates in tpm mode The code that handles the installation of tpm security certificates stopped working after recent updates to other packages This commit updates the code to properly work with the current system configuration Closes-Bug: #1808163 Change-Id: I76e10cf1ed68cfeb0ce3ee560df0c34711f57af2 Signed-off-by: Paul-Emile Element <Paul-Emile.Element@windriver.com>
This commit is contained in:
Paul-Emile Element
parent
59bf414a63
commit
9a8bc17015
@ -7,6 +7,8 @@
|
||||
|
||||
# TPM setup (both active controller and remote)
|
||||
|
||||
export TPM_INTERFACE_TYPE=dev
|
||||
|
||||
CERTIFICATE_FILE="server-cert.pem"
|
||||
LOGFILE="/etc/ssl/private/.install.log"
|
||||
ORIGINAL_KEY=$1
|
||||
@ -53,8 +55,7 @@ declare -a helper_scripts=("tss2_createprimary"
|
||||
"tss2_contextsave"
|
||||
"tss2_evictcontrol"
|
||||
"tss2_flushcontext"
|
||||
"create_tpm2_key"
|
||||
"resourcemgr")
|
||||
"create_tpm2_key")
|
||||
for src in "${helper_scripts[@]}"; do
|
||||
if ! type "$src" &>/dev/null; then
|
||||
error_exit "ERROR: Cannot find $src. Needed for TPM configuration"
|
||||
@ -62,41 +63,6 @@ for src in "${helper_scripts[@]}"; do
|
||||
done
|
||||
}
|
||||
|
||||
startResourceMgr () {
|
||||
resourcemgr &>> $LOGFILE 2>&1 &
|
||||
|
||||
# ensure the resourcemgr is started
|
||||
for i in {1..5}
|
||||
do
|
||||
sleep 0.5
|
||||
MGR_RUNNING=`pidof resourcemgr`
|
||||
if [ ! -z $MGR_RUNNING ]; then
|
||||
break
|
||||
fi
|
||||
done
|
||||
[ ! -z $MGR_RUNNING ] || error_exit "Unable to start TPM resourcemgr"
|
||||
|
||||
# check to see if the resourcemgr port is open
|
||||
IS_OPEN=0
|
||||
for i in {1..5}
|
||||
do
|
||||
sleep 0.5
|
||||
_test=`netstat -an | grep $RESOURCEMGR_DEFAULT_PORT | grep -i listen`
|
||||
if [ ! -z "$_test" ]; then
|
||||
IS_OPEN=1
|
||||
break
|
||||
fi
|
||||
done
|
||||
[ $IS_OPEN -ne 0 ] || error_exit "Unable to initialize resourcemgr"
|
||||
}
|
||||
|
||||
stopResourceMgr () {
|
||||
# Kill any previous instances of resourcemgr
|
||||
pkill -c -TERM resourcemgr &> /dev/null 2>&1
|
||||
}
|
||||
|
||||
|
||||
|
||||
### Main ###
|
||||
# remove previous object context
|
||||
rm -f $TPM_OBJECT_CONTEXT &> /dev/null
|
||||
@ -115,14 +81,10 @@ if [ "$TPM_VERSION" != "2.0" ]; then
|
||||
error_exit "ERROR: TPM Device is not version 2.0 compatible"
|
||||
fi
|
||||
|
||||
# Start the Intel ResourceMgr to clear the NV
|
||||
# Clear the NV
|
||||
# as well as all stale transient handles in
|
||||
# the endorsement hierarchy.
|
||||
# Since ResourceMgr has a number of stability,
|
||||
# and security issues, we will stop it after it
|
||||
# initializes the NV and Handle space
|
||||
startResourceMgr
|
||||
stopResourceMgr
|
||||
tss2_clear -hi l
|
||||
|
||||
# Create the Endorsement Primary Key hierarchy which will be used
|
||||
# for wrapping the private key. Use RSA as the primary key encryption
|
||||
@ -136,14 +98,14 @@ PRIMARY_HANDLE="0x$PRIMARY_HANDLE"
|
||||
# be persistently stored in TPM NV.
|
||||
# evict the persistent handle if it exists previously
|
||||
tss2_evictcontrol -hi o -ho $TPM_KEY_HIERARCHY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE
|
||||
tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE &>> $LOGFILE
|
||||
tss2_evictcontrol -hi o -ho $PRIMARY_HANDLE -hp $TPM_KEY_HIERARCHY_HANDLE >> $LOGFILE
|
||||
[ $? -eq 0 ] || error_exit "Unable to persist Key Hierarchy in TPM memory"
|
||||
|
||||
tss2_flushcontext -ha $PRIMARY_HANDLE
|
||||
|
||||
# wrap the original private key in TPM's Endorsement key hierarchy
|
||||
# this will generate a TSS key blob in ASN 1 encoding
|
||||
create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT &>> $LOGFILE
|
||||
create_tpm2_key -p $TPM_KEY_HIERARCHY_HANDLE -w $ORIGINAL_KEY $TPM_OBJECT_CONTEXT >> $LOGFILE
|
||||
[ $? -eq 0 ] || error_exit "Unable to wrap provided private key into TPM Key Hierarchy"
|
||||
|
||||
# the apps will also need to the public key, place it in
|
||||
|
||||
@ -312,6 +312,14 @@ static int tpm_engine_init(ENGINE * e)
|
||||
* N.B: This assumes that the kernel-modules-tpm
|
||||
* pkg is installed with the modified tpm_crb KLM
|
||||
*/
|
||||
if ((result = p_tpm2_Set_Property(hContext,
|
||||
TPM_INTERFACE_TYPE, "dev"))) {
|
||||
DBG("Failed to set Resource Manager in context (%p): rc %d",
|
||||
hContext, (int)result);
|
||||
TSSerr(TPM_F_TPM_ENGINE_INIT, TPM_R_UNIT_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((result = p_tpm2_Set_Property(hContext,
|
||||
TPM_DEVICE, "/dev/tpmrm0"))) {
|
||||
DBG("Failed to set Resource Manager in context (%p): rc %d",
|
||||
|
||||
Loading…
Reference in New Issue
Block a user