From: Ross Philipson
Date: Sun, 4 Oct 2009 13:33:12 +0000 (-0400)
Subject: Fixed the tboot provisioning script.
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=67093ceb5e3ff03ab6ed0608e5d4239b07ee4cfd;p=xenclient%2Fbuild.git

Fixed the tboot provisioning script.

Changes to be committed:
	modified: package/xenclient/tboot/configure_tboot
---

diff --git a/package/xenclient/tboot/configure_tboot b/package/xenclient/tboot/configure_tboot
index 827765d..63edfba 100755
--- a/package/xenclient/tboot/configure_tboot
+++ b/package/xenclient/tboot/configure_tboot
@@ -1,10 +1,12 @@
 #! /bin/sh
 
-output_files[0]="/usr/share/xenclient/vlp.pol"
-output_files[1]="/usr/share/xenclient/lcp.pol"
-output_files[2]="/usr/share/xenclient/lcp_data.bin"
-output_files[3]="/usr/share/xenclient/mle_hash"
-output_files[4]="/boot/lcp_data.bin"
+tboot_dir=/usr/share/xenclient/tboot
+tboot_old_dir=/usr/share/xenclient/tboot_old
+vlp_file=/usr/share/xenclient/tboot/vlp.pol
+lcp_file=/usr/share/xenclient/tboot/lcp.pol
+lcp_data_file=/usr/share/xenclient/tboot/lcp_data.bin
+mle_hash_file=/usr/share/xenclient/tboot/mle_hash
+lcp_data_dest_file=/boot/lcp_data.bin
 
 grub_file=/config/boot/grub/grub.cfg
 tboot_file=/boot/tboot.gz
@@ -25,7 +27,7 @@ usage()
     echo -e "Also note, the TPM driver and Trouses stack must be running to provision"
     echo -e "the TMP. Please do the following before running this script:"
     echo -e " $ modprobe tpm_tis"
-    echo -e " $ tcsd -f &\n"
+    echo -e " $ tcsd\n"
 }
 
 # Check input and files
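Review bot: The four policy file paths in the new assignments repeat the `/usr/share/xenclient/tboot` prefix instead of deriving from `tboot_dir`, so the directory that a later hunk moves aside, removes and recreates and the directory the files are actually written into are kept in agreement only by hand. Writing them as `vlp_file=$tboot_dir/vlp.pol`, `lcp_file=$tboot_dir/lcp.pol` (and likewise for `lcp_data_file` and `mle_hash_file`) makes that dependency explicit. Since `rm -rf` is applied to `$tboot_old_dir` further down, declaring the two directory variables `readonly` (POSIX sh) would also guard against a later accidental reassignment to an empty value.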
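Review bot: The changed usage line keeps `echo -e` under the `#! /bin/sh` shebang shown in the previous hunk; on a `/bin/sh` whose `echo` does not accept `-e` (dash-style shells) the literal `-e` is printed at the start of the line, so the usage text comes out wrong. `printf ' $ tcsd\n\n'` produces the intended output portably, and the same applies to the neighbouring `echo -e` lines in `usage()` and to the `echo -en` used to set `IFS` in the next hunk. `usage()` starts outside the hunk.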
@@ -67,28 +69,26 @@ if [ ! -r $grub_file ]; then
     exit 1
 fi
 
-# Backup any existing policies and create an empty
-# verified launch policy, ensure target location is ok
-for (( i = 0 ; i < 4 ; i++ ))
-do
-    if [ -f ${output_files[i]} ]; then
-        rm -rf "${output_files[i]}.old"
-        mv ${output_files[i]} "${output_files[i]}.old"
-    fi
-done
+# Make a copy of the tboot output directory
+if [ -d $tboot_old_dir ]; then
+    rm -rf $tboot_old_dir
+fi
+
+if [ -d $tboot_dir ]; then
+    mv $tboot_dir $tboot_old_dir
+fi
 
-rm -rf ${output_files[3]}
+mkdir $tboot_dir
 
 # Create a new empty VL policy
-tb_polgen --create --type nonfatal ${output_files[0]}
+tb_polgen --create --type nonfatal $vlp_file
 
 # Save some values
 ifs_orig=$IFS
 IFS=$(echo -en "\n\b")
-exec 10<$grub_file
 
 # Process the grub.cfg file
-while read line <&10
+while read line
 do
     item=$(echo $line | awk '{ print $1 }')
     if [ "$item" != "menuentry" ]; then
@@ -96,7 +96,7 @@ do
     fi
 
     # In a new menu entry, process what should be there
-    read line <&10
+    read line
     if [ -z "$line" ]; then
         echo "Invalid grub.cfg file, exiting."
         exit 2
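Review bot: `mkdir $tboot_dir` is not checked, so if the parent directory is missing or `$tboot_dir` exists as something other than a directory (the preceding `-d` test only moves a real directory aside) the script carries on and every later step writes its policy files into a location that does not exist, which is only noticed when the `-f` checks after `lcp_crtpol` fire. A guard such as `mkdir -p "$tboot_dir" || { echo "Cannot create $tboot_dir" >&2; exit 1; }` fails at that point with a clear message. Quoting `"$tboot_dir"` and `"$tboot_old_dir"` in the `rm -rf` and `mv` lines costs nothing and matches the quoting this commit adds around `$tboot_cmdline` further down. It is also worth a comment that on any later `exit 3` the previous policies remain in `$tboot_old_dir` and are not restored automatically.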
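Review bot: `read line` still runs without `-r`, so a backslash in a grub.cfg line is consumed as an escape before the text is compared and, in the later hunks, hashed into the launch policy; a kernel or xen command line containing a backslash would then be measured differently from what GRUB actually passes and the policy check at boot would fail. `read -r line` keeps the line byte for byte, and the same change applies to the `read line` in the `while` header of the previous hunk and the four `read line` lines in the following hunk. The enclosing `while` loop starts in the previous hunk and ends later in the file.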
@@ -104,28 +104,28 @@ do
 
     # Next should be tboot (note if commented, it will not be in the
     # correct place either). Then xen, vmlinuz, and initramfs.
-    read line <&10
+    read line
     item=$(echo $line | awk '{ print $2 }')
     if [ "$item" != "$tboot_file" ]; then
         continue
     fi
-    cmdline[0]=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
+    tboot_cmdline=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
 
-    read line <&10
+    read line
     item=$(echo $line | awk '{ print $2 }')
     if [ "$item" != "$xen_file" ]; then
         continue
     fi
-    cmdline[1]=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
+    xen_cmdline=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
 
-    read line <&10
+    read line
     item=$(echo $line | awk '{ print $2 }')
     if [ "$item" != "$dom0_file" ]; then
         continue
     fi
-    cmdline[2]=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
+    dom0_cmdline=$(echo $line | awk '{print(substr($0,index($0,$3)))}')
 
-    read line <&10
+    read line
     item=$(echo $line | awk '{ print $2 }')
     if [ "$item" != "$initrd_file" ]; then
         continue
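Review bot: In the renamed assignments such as `tboot_cmdline=$(echo $line | awk '{print(substr($0,index($0,$3)))}')`, a grub line with only two fields leaves `$3` empty, and `index($0,"")` then yields 0 (or 1 on some awks), so `substr` appears to return the whole line rather than an empty string; the `-n` tests in the next hunk would treat `module /boot/tboot.gz` itself as the command line and hand it to `lcp_mlehash -c` and `tb_polgen --cmdline`. Restricting the print to lines that have a third field, `awk 'NF >= 3 {print(substr($0,index($0,$3)))}'`, keeps the empty-cmdline branches reachable. `echo $line` is also unquoted, so glob characters in a command line would be expanded against the current directory; `printf '%s\n' "$line"` avoids that. The loop body continues outside the hunk.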
@@ -134,73 +134,74 @@ do
     # Some feedback
     echo "Located GRUB tboot entry to add to the policy."
-    echo "tboot cmdline: ${cmdline[0]}"
-    echo "xen cmdline: ${cmdline[1]}"
-    echo "dom0 cmdline: ${cmdline[2]}"
+    echo "tboot cmdline: $tboot_cmdline"
+    echo "xen cmdline: $xen_cmdline"
+    echo "dom0 cmdline: $dom0_cmdline"
 
     # Now add a hash to the launch control policy
-    if [ -n "${cmdline[0]}" ]; then
-        lcp_mlehash -c ${cmdline[0]} $tboot_file >> ${output_files[3]}
+    if [ -n "$tboot_cmdline" ]; then
+        lcp_mlehash -c "$tboot_cmdline" $tboot_file >> $mle_hash_file
     else
-        lcp_mlehash $tboot_file >> ${output_files[3]}
+        lcp_mlehash $tboot_file >> $mle_hash_file
     fi
     echo "LCP hashes updated."
 
-    if [ -n "${cmdline[1]}" ]; then
-        tb_polgen --add --num 0 --pcr none --hash image --cmdline "${cmdline[1]}" --image $xen_file ${output_files[0]}
+    if [ -n "$xen_cmdline" ]; then
+        tb_polgen --add --num 0 --pcr none --hash image --cmdline "$xen_cmdline" --image $xen_file $vlp_file
     else
-        tb_polgen --add --num 0 --pcr none --hash image --image $xen_file ${output_files[0]}
+        tb_polgen --add --num 0 --pcr none --hash image --image $xen_file $vlp_file
     fi
 
-    if [ -n "${cmdline[2]}" ]; then
-        tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "${cmdline[2]}" --image $dom0_file ${output_files[0]}
+    if [ -n "$dom0_cmdline" ]; then
+        tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "$dom0_cmdline" --image $dom0_file $vlp_file
     else
-        tb_polgen --add --num 1 --pcr 19 --hash image --image $dom0_file ${output_files[0]}
+        tb_polgen --add --num 1 --pcr 19 --hash image --image $dom0_file $vlp_file
     fi
 
-    tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image $initrd_file ${output_files[0]}
+    tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image $initrd_file $vlp_file
     echo "VL policy updated."
 
     let "counter+=1"
-done
+done < $grub_file
 
-echo "Processed boot file - added $counter entries."
+# Restore some values
+IFS=$ifs_orig
 
-rm -rf "${output_files[3]}.old"
+echo "Processed boot file - added $counter entries."
 
 # Create the final LCP files
-lcp_crtpol -t unsigned -m ${output_files[3]} -o ${output_files[1]} -b ${output_files[2]}
+lcp_crtpol -t unsigned -m $mle_hash_file -o $lcp_file -b $lcp_data_file
 # Note, for creating other types:
 # $ lcp_crtpol -t any -o lcp_any.pol # no hashes, allows any access, no checks
 # $ lcp_crtpol -t hashonly -m mle_hash -o lcp_hash.pol # single hash
 
 # Check that all the output files are present
-if [ ! -f ${output_files[0]} ]; then
-    echo "Failed to create new VLP policy file: ${output_files[0]}"
+if [ ! -f $vlp_file ]; then
+    echo "Failed to create new VLP policy file: $vlp_file"
     exit 3
 fi
-if [ ! -f ${output_files[1]} ]; then
-    echo "Failed to create new LCP policy file: ${output_files[1]}"
+if [ ! -f $lcp_file ]; then
+    echo "Failed to create new LCP policy file: $lcp_file"
     exit 3
 fi
-if [ ! -f ${output_files[2]} ]; then
-    echo "Failed to create new LCP data file: ${output_files[2]}"
+if [ ! -f $lcp_data_file ]; then
+    echo "Failed to create new LCP data file: $lcp_data_file"
     exit 3
 fi
 
 # Exit here if only policy creation was requested
 if [ "$policy_only" = "1" ]; then
     echo "Policy creation without TPM updates requested, exiting"
-    echo "Created: Verified Launch Policy ${output_files[0]}"
-    echo " Launch Control Policy ${output_files[1]}"
-    echo " Launch Control Data ${output_files[2]}"
+    echo "Created: Verified Launch Policy $vlp_file"
+    echo " Launch Control Policy $lcp_file"
+    echo " Launch Control Data $lcp_data_file"
     exit 0
 fi
 
 # Install the new LCP data file
-rm -rf ${output_files[4]}
-cp -f ${output_files[2]} ${output_files[4]}
+rm -rf $lcp_data_dest_file
+cp -f $lcp_data_file $lcp_data_dest_file
 
 # Check to see if we need to create the NV indices for TXT
 indices=$(tpmnv_getcap)
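Review bot: None of the `lcp_mlehash` and `tb_polgen` calls in this hunk has its exit status checked, and the `>> $mle_hash_file` redirection creates the hash file even when `lcp_mlehash` fails, so a policy that is missing an entry still passes the `-f` checks after `lcp_crtpol` and is later written to TPM NV as if complete. Appending `|| { echo "policy update failed" >&2; exit 3; }` to each call (or capturing `$?` and testing it) turns a partial policy into a hard failure. With `done < $grub_file` the tools run inside the loop now inherit the grub file as stdin, where the removed `exec 10<` kept it on a separate descriptor; if any of them reads stdin it will consume lines from the file, so adding `</dev/null` to those calls (or keeping the dedicated fd) is the safer form. `let "counter+=1"` is a bash builtin under the `#! /bin/sh` shebang; since this commit already drops the arrays, `counter=$((counter + 1))` would finish the move to POSIX sh. The `while` loop starts outside the hunk, and where `counter` is initialised is not visible here.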
@@ -227,17 +228,13 @@ else
 fi
 
 # Last step, load the policies into the TPM NV indices
-lcp_writepol -i owner -f ${output_files[1]} -p $tpm_owner_pw
-lcp_writepol -i 0x20000001 -f ${output_files[0]} -p $tpm_owner_pw
+lcp_writepol -i owner -f $lcp_file -p $tpm_owner_pw
+lcp_writepol -i 0x20000001 -f $vlp_file -p $tpm_owner_pw
 
 # Done, print summary
 echo "Complete - TPM provisioned for TXT/tboot"
-echo " Verified Launch Policy ${output_files[0]} loaded to TPM NV"
-echo " Launch Control Policy ${output_files[1]} loaded to TPM NV"
-echo " Launch Control Data ${output_files[2]} copied to ${output_files[4]}"
-
-# Restore some values and done
-exec 10>&-
-IFS=$ifs_orig
+echo " Verified Launch Policy $vlp_file loaded to TPM NV"
+echo " Launch Control Policy $lcp_file loaded to TPM NV"
+echo " Launch Control Data $lcp_data_file copied to $lcp_data_dest_file"
 
 exit 0
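Review bot: `$tpm_owner_pw` is passed unquoted on both new `lcp_writepol` lines, and because this commit now restores `IFS` to its original value before this point an owner password containing whitespace would be split into several arguments; it should be `"$tpm_owner_pw"`. Neither call's exit status is checked, so the `Complete - TPM provisioned` summary below is printed even when the write to the NV index failed; `lcp_writepol ... || { echo "Failed to write policy to TPM NV" >&2; exit 1; }` on each line fixes that. Passing the owner password on the command line also exposes it to other local users through process listings for the duration of the call, which deserves at least a comment such as `# NOTE: the owner password is visible in argv while lcp_writepol runs` if the tool offers no other way to supply it. Where `tpm_owner_pw` is set is outside the hunk.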