#! /bin/sh
-output_files[0]="/usr/share/xenclient/vlp.pol"
-output_files[1]="/usr/share/xenclient/lcp.pol"
-output_files[2]="/usr/share/xenclient/lcp_data.bin"
-output_files[3]="/usr/share/xenclient/mle_hash"
-output_files[4]="/boot/lcp_data.bin"
+tboot_dir=/usr/share/xenclient/tboot
+tboot_old_dir=/usr/share/xenclient/tboot_old
+vlp_file=/usr/share/xenclient/tboot/vlp.pol
+lcp_file=/usr/share/xenclient/tboot/lcp.pol
+lcp_data_file=/usr/share/xenclient/tboot/lcp_data.bin
+mle_hash_file=/usr/share/xenclient/tboot/mle_hash
+lcp_data_dest_file=/boot/lcp_data.bin
grub_file=/config/boot/grub/grub.cfg
tboot_file=/boot/tboot.gz
echo -e "Also note, the TPM driver and Trouses stack must be running to provision"
echo -e "the TMP. Please do the following before running this script:"
echo -e " $ modprobe tpm_tis"
- echo -e " $ tcsd -f &\n"
+ echo -e " $ tcsd\n"
}
# Check input and files
exit 1
fi
-# Backup any existing policies and create an empty
-# verified launch policy, ensure target location is ok
-for (( i = 0 ; i < 4 ; i++ ))
-do
- if [ -f ${output_files[i]} ]; then
- rm -rf "${output_files[i]}.old"
- mv ${output_files[i]} "${output_files[i]}.old"
- fi
-done
+# Make a copy of the tboot output directory
+if [ -d $tboot_old_dir ]; then
+ rm -rf $tboot_old_dir
+fi
+
+if [ -d $tboot_dir ]; then
+ mv $tboot_dir $tboot_old_dir
+fi
-rm -rf ${output_files[3]}
+mkdir $tboot_dir
# Create a new empty VL policy
-tb_polgen --create --type nonfatal ${output_files[0]}
+tb_polgen --create --type nonfatal $vlp_file
# Save some values
ifs_orig=$IFS
IFS=$(echo -en "\n\b")
-exec 10<$grub_file
# Process the grub.cfg file
-while read line <&10
+while read line
do
item=$(echo $line | awk '{ print $1 }')
if [ "$item" != "menuentry" ]; then
fi
# In a new menu entry, process what should be there
- read line <&10
+ read line
if [ -z "$line" ]; then
echo "Invalid grub.cfg file, exiting."
exit 2
# Next should be tboot (note if commented, it will not be in the
# correct place either). Then xen, vmlinuz, and initramfs.
- read line <&10
+ read line
item=$(echo $line | awk '{ print $2 }')
if [ "$item" != "$tboot_file" ]; then
continue
fi
- cmdline[0]=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
+ tboot_cmdline=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
- read line <&10
+ read line
item=$(echo $line | awk '{ print $2 }')
if [ "$item" != "$xen_file" ]; then
continue
fi
- cmdline[1]=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
+ xen_cmdline=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
- read line <&10
+ read line
item=$(echo $line | awk '{ print $2 }')
if [ "$item" != "$dom0_file" ]; then
continue
fi
- cmdline[2]=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
+ dom0_cmdline=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
- read line <&10
+ read line
item=$(echo $line | awk '{ print $2 }')
if [ "$item" != "$initrd_file" ]; then
continue
# Some feedback
echo "Located GRUB tboot entry to add to the policy."
- echo "tboot cmdline: ${cmdline[0]}"
- echo "xen cmdline: ${cmdline[1]}"
- echo "dom0 cmdline: ${cmdline[2]}"
+ echo "tboot cmdline: $tboot_cmdline"
+ echo "xen cmdline: $xen_cmdline"
+ echo "dom0 cmdline: $dom0_cmdline"
# Now add a hash to the launch control policy
- if [ -n "${cmdline[0]}" ]; then
- lcp_mlehash -c ${cmdline[0]} $tboot_file >> ${output_files[3]}
+ if [ -n "$tboot_cmdline" ]; then
+ lcp_mlehash -c "$tboot_cmdline" $tboot_file >> $mle_hash_file
else
- lcp_mlehash $tboot_file >> ${output_files[3]}
+ lcp_mlehash $tboot_file >> $mle_hash_file
fi
echo "LCP hashes updated."
- if [ -n "${cmdline[1]}" ]; then
- tb_polgen --add --num 0 --pcr none --hash image --cmdline "${cmdline[1]}" --image $xen_file ${output_files[0]}
+ if [ -n "$xen_cmdline" ]; then
+ tb_polgen --add --num 0 --pcr none --hash image --cmdline "$xen_cmdline" --image $xen_file $vlp_file
else
- tb_polgen --add --num 0 --pcr none --hash image --image $xen_file ${output_files[0]}
+ tb_polgen --add --num 0 --pcr none --hash image --image $xen_file $vlp_file
fi
- if [ -n "${cmdline[2]}" ]; then
- tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "${cmdline[2]}" --image $dom0_file ${output_files[0]}
+ if [ -n "$dom0_cmdline" ]; then
+ tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "$dom0_cmdline" --image $dom0_file $vlp_file
else
- tb_polgen --add --num 1 --pcr 19 --hash image --image $dom0_file ${output_files[0]}
+ tb_polgen --add --num 1 --pcr 19 --hash image --image $dom0_file $vlp_file
fi
- tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image $initrd_file ${output_files[0]}
+ tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image $initrd_file $vlp_file
echo "VL policy updated."
let "counter+=1"
-done
+done < $grub_file
-echo "Processed boot file - added $counter entries."
+# Restore some values
+IFS=$ifs_orig
-rm -rf "${output_files[3]}.old"
+echo "Processed boot file - added $counter entries."
# Create the final LCP files
-lcp_crtpol -t unsigned -m ${output_files[3]} -o ${output_files[1]} -b ${output_files[2]}
+lcp_crtpol -t unsigned -m $mle_hash_file -o $lcp_file -b $lcp_data_file
# Note, for creating other types:
# $ lcp_crtpol -t any -o lcp_any.pol # no hashes, allows any access, no checks
# $ lcp_crtpol -t hashonly -m mle_hash -o lcp_hash.pol # single hash
# Check that all the output files are present
-if [ ! -f ${output_files[0]} ]; then
- echo "Failed to create new VLP policy file: ${output_files[0]}"
+if [ ! -f $vlp_file ]; then
+ echo "Failed to create new VLP policy file: $vlp_file"
exit 3
fi
-if [ ! -f ${output_files[1]} ]; then
- echo "Failed to create new LCP policy file: ${output_files[1]}"
+if [ ! -f $lcp_file ]; then
+ echo "Failed to create new LCP policy file: $lcp_file"
exit 3
fi
-if [ ! -f ${output_files[2]} ]; then
- echo "Failed to create new LCP data file: ${output_files[2]}"
+if [ ! -f $lcp_data_file ]; then
+ echo "Failed to create new LCP data file: $lcp_data_file"
exit 3
fi
# Exit here if only policy creation was requested
if [ "$policy_only" = "1" ]; then
echo "Policy creation without TPM updates requested, exiting"
- echo "Created: Verified Launch Policy ${output_files[0]}"
- echo " Launch Control Policy ${output_files[1]}"
- echo " Launch Control Data ${output_files[2]}"
+ echo "Created: Verified Launch Policy $vlp_file"
+ echo " Launch Control Policy $lcp_file"
+ echo " Launch Control Data $lcp_data_file"
exit 0
fi
# Install the new LCP data file
-rm -rf ${output_files[4]}
-cp -f ${output_files[2]} ${output_files[4]}
+rm -rf $lcp_data_dest_file
+cp -f $lcp_data_file $lcp_data_dest_file
# Check to see if we need to create the NV indices for TXT
indices=$(tpmnv_getcap)
fi
# Last step, load the policies into the TPM NV indices
-lcp_writepol -i owner -f ${output_files[1]} -p $tpm_owner_pw
-lcp_writepol -i 0x20000001 -f ${output_files[0]} -p $tpm_owner_pw
+lcp_writepol -i owner -f $lcp_file -p $tpm_owner_pw
+lcp_writepol -i 0x20000001 -f $vlp_file -p $tpm_owner_pw
# Done, print summary
echo "Complete - TPM provisioned for TXT/tboot"
-echo " Verified Launch Policy ${output_files[0]} loaded to TPM NV"
-echo " Launch Control Policy ${output_files[1]} loaded to TPM NV"
-echo " Launch Control Data ${output_files[2]} copied to ${output_files[4]}"
-
-# Restore some values and done
-exec 10>&-
-IFS=$ifs_orig
+echo " Verified Launch Policy $vlp_file loaded to TPM NV"
+echo " Launch Control Policy $lcp_file loaded to TPM NV"
+echo " Launch Control Data $lcp_data_file copied to $lcp_data_dest_file"
exit 0
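Review bot: Every command run inside the grub.cfg loop — `lcp_mlehash` and the four `tb_polgen --add` calls — now inherits grub.cfg as its stdin, because the loop is fed by `done < $grub_file` instead of the private descriptor the previous `exec 10<` form used; if any of those tools reads standard input (a prompt on a TPM/TCS error, for instance — not verifiable from the diff) it would silently consume menu-entry lines and the policy would be built from a mis-aligned entry. The new structure can keep that isolation by redirecting on a dedicated descriptor at the loop level: `while read -r line <&10`, each inner `read -r line <&10`, and `done 10< "$grub_file"`. The `-r` is not cosmetic here: without it `read` strips backslashes from the tboot/xen/dom0 command lines, so the hash recorded via `--cmdline` can differ from what GRUB actually passes at launch, and with the `nonfatal` policy type that mismatch would not halt the boot, leaving the measured-launch policy silently unenforced. Separately, `lcp_writepol ... -p $tpm_owner_pw` places the TPM owner secret in the process list for the duration of each call; if the tool accepts the password via a file or stdin that path is preferable, though whether it does cannot be confirmed from this diff.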