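#!/bin/bash
set -euo pipefail
# based on https://azure.github.io/iot-identity-service/pkcs11/tpm2-pkcs11.html
#
# Builds and installs tpm2-tss, tpm2-abrmd, tpm2-tools and tpm2-pkcs11 from
# source at the tags pinned in `checkouts` below, then creates a PKCS#11 token.
# Needs sudo throughout; sources are kept under ~/src.

# Install build dependencies.
# `apt-get` is the front end with a stable CLI; `apt` warns when scripted.
sudo apt-get install -y \
  git curl gnutls-bin opensc autoconf make automake doxygen libtool libcurl4-openssl-dev libdbus-1-dev libgcrypt-dev \
  libglib2.0-dev libjson-c-dev libsqlite3-dev libssl-dev python3-cryptography python3-pyasn1-modules python3-yaml uuid-dev libyaml-dev

# Create base source directory
mkdir -p ~/src

# Release tag to check out, keyed by repository name under github.com/tpm2-software.
declare -A checkouts
checkouts['tpm2-abrmd']='2.4.0'
checkouts['tpm2-pkcs11']='1.5.0'
checkouts['tpm2-tools']='5.0'
checkouts['tpm2-tss']='3.0.3'

# Download `autoconf-archive-2019.01.06` and extract it.
# There is a newer autoconf-archive, but the tpm2-* autoconf files have
# hard-coded things for 2019_01_06.
autoconf_archive='autoconf-archive-2019.01.06'
autoconf_tarball=~/src/"${autoconf_archive}.tar.gz"
if ! [ -f "$autoconf_tarball" ]; then
  # --fail: an HTTP error page must never be saved (and trusted on the next
  # run) as the tarball. Download to a temporary name and rename only on
  # success, so an interrupted transfer does not leave a truncated file that
  # the `-f` test above would accept.
  curl -fsSL \
    -o "${autoconf_tarball}.part" \
    'https://github.com/autoconf-archive/autoconf-archive/archive/v2019.01.06.tar.gz'
  mv -- "${autoconf_tarball}.part" "$autoconf_tarball"
fi
# NOTE: the archive is not integrity-checked. For a tamper-evident build,
# record the expected SHA-256 of the tarball (<EXPECTED_SHA256>, to be filled
# in) and verify it with `sha256sum -c` before extracting.
if ! [ -d ~/src/"$autoconf_archive" ]; then
  (cd ~/src/ && tar xf "$autoconf_tarball")
fi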
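# Clone and bootstrap the repositories, one background subshell per repo.
pids=()
for d in "${!checkouts[@]}"; do
  (
    set -euo pipefail
    if ! [ -d ~/src/"$d" ]; then
      git clone "https://github.com/tpm2-software/$d" ~/src/"$d"
    fi
    cd ~/src/"$d"
    git fetch --all --prune
    # Discard any local edits/build output so the checkout is exactly the tag.
    git clean -xffd
    git reset --hard
    # Tags are mutable references; for a reproducible, tamper-evident build,
    # pin the commit hash (or verify the tag signature) instead of the name.
    git checkout "${checkouts["$d"]}"
    cp -R ~/src/autoconf-archive-2019.01.06/m4 .
    ./bootstrap -I m4
  ) &
  pids+=("$!")
done
# `wait pid...` reports only the status of the last pid listed, so check each
# job on its own; otherwise a failed clone or bootstrap would only surface
# later as a confusing ./configure error in the build steps.
failed=0
for pid in "${pids[@]}"; do
  wait "$pid" || failed=1
done
if (( failed )); then
  printf 'error: cloning/bootstrapping one or more tpm2 repositories failed\n' >&2
  exit 1
fi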
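# Build `tpm2-tss`
(
  set -euo pipefail
  cd ~/src/tpm2-tss
  # Install the udev rules straight into /etc so they apply on this host.
  ./configure \
    --with-udevrulesdir=/etc/udev/rules.d \
    --with-udevrulesprefix=70-
  make "-j$(nproc)"
  sudo make install
  # Create the `tss` system user if absent (presumably the owner referenced by
  # the installed udev rules — confirm against the rules file). `id -u` is only
  # an existence test here, so its output and its "no such user" error are
  # silenced instead of cluttering the log on the expected first-run path.
  if ! id -u tss >/dev/null 2>&1; then
    sudo useradd --system --user-group tss
  fi
  sudo udevadm control --reload-rules
  sudo udevadm trigger
  sudo ldconfig
)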
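# Build `tpm2-abrmd`
(
  set -euo pipefail
  cd ~/src/tpm2-abrmd
  ./configure \
    --with-dbuspolicydir=/etc/dbus-1/system.d \
    --with-systemdsystemunitdir=/lib/systemd/system \
    --with-systemdpresetdir=/lib/systemd/system-preset \
    --datarootdir=/usr/share
  make "-j$(nproc)"
  sudo make install
  sudo ldconfig
  # Make dbus re-read the policy file installed above. NB: pkill exits
  # non-zero when no dbus-daemon process exists, which aborts the script here.
  sudo pkill -HUP dbus-daemon
  sudo systemctl daemon-reload
  sudo systemctl enable tpm2-abrmd.service
  sudo systemctl restart tpm2-abrmd.service
  # Verify that the service started and registered itself with dbus.
  # The name list is captured first: with `pipefail`, a `grep -q` that closes
  # the pipe early could otherwise fail the whole pipeline on SIGPIPE.
  # A missing name is reported on stderr but is not fatal, so the remaining
  # components still get built.
  bus_names=$(dbus-send \
    --system \
    --dest=org.freedesktop.DBus --type=method_call \
    --print-reply \
    /org/freedesktop/DBus org.freedesktop.DBus.ListNames)
  if ! grep -qF -- 'com.intel.tss2.Tabrmd' <<<"$bus_names"; then
    printf 'warning: tpm2-abrmd did not register com.intel.tss2.Tabrmd on the system bus\n' >&2
  fi
)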
# Build `tpm2-tools` with its default configure options.
# Run in a subshell so the `cd` does not leak into the rest of the script.
(
  set -euo pipefail
  cd ~/src/tpm2-tools &&
    ./configure &&
    make "-j$(nproc)" &&
    sudo make install
)
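# Build tpm2-pkcs11
(
  set -euo pipefail
  cd ~/src/tpm2-pkcs11
  # The `tpm2-pkcs11` library uses a filesystem directory
  # to store wrapped keys.
  store_dir=/opt/tpm2-pkcs11
  sudo mkdir -p "$store_dir"
  # aziotks was created by the aziot-identity-service package. Check for it
  # explicitly so a missing package fails with a clear message instead of a
  # bare chown error.
  if ! id -u aziotks >/dev/null 2>&1; then
    printf 'error: user aziotks does not exist; install aziot-identity-service first\n' >&2
    exit 1
  fi
  # Only the store owner may list or read the wrapped key material.
  sudo chown aziotks:aziotks "$store_dir"
  sudo chmod 0700 "$store_dir"
  # --enable-debug=!yes is needed to disable assert() in
  # CKR_FUNCTION_NOT_SUPPORTED-returning unimplemented functions.
  ./configure \
    --enable-debug=info \
    --enable-esapi-session-manage-flags \
    --with-storedir="$store_dir"
  make "-j$(nproc)"
  sudo make install
)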
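# A friendly name for the new token
TOKEN='IoTEdgeCert'
# The PKCS#11 user PIN for the new token. This is a well-known default,
# suitable for a lab setup only.
PIN='1234'
# The PKCS#11 SO PIN for the new token
SO_PIN="so$PIN"
# Auth value for the TPM primary object created by `tpm2_ptool init`.
# Kept separate from PIN because it protects a different object.
PRIMARY_AUTH='1234'

# Clearing the TPM resets its ownership and storage hierarchy: keys previously
# provisioned on this TPM become unusable, so only run this on a host being
# set up from scratch.
sudo tpm2_clear

# This is the directory tpm2-pkcs11 was configured to use.
export TPM2_PKCS11_STORE='/opt/tpm2-pkcs11'

# tpm2_ptool requires Python 3 >= 3.7 and expects `python3`.
# Compare the version tuple rather than concatenated digits: "3.10" would
# otherwise read as 31 < 37 and trigger the reinstall below on a current
# system. A missing python3 also takes the install path.
if ! python3 -c 'import sys; sys.exit(0 if sys.version_info >= (3, 7) else 1)' 2>/dev/null; then
  printf '%s\n' "This script requires python 3.7 or greater, installing python 3.8"
  sudo apt-get install -y python3.8
  # Repointing /usr/bin/python3 affects every tool on the host that uses the
  # distro interpreter; this follows the documented setup but is invasive.
  sudo ln -f -s python3.8 /usr/bin/python3
  sudo apt-get install -y python3-pip
  # Installed system-wide, outside apt's control.
  sudo pip3 install cryptography cffi
fi

# Start from an empty store so `init`/`addtoken` below create a fresh token.
# `:?` guards against an empty store path turning this into `rm -f /...`.
sudo rm -f "${TPM2_PKCS11_STORE:?}/tpm2_pkcs11.sqlite3"
(
  # sudo typically resets the environment (env_reset), so the store path is
  # passed explicitly rather than relying on TPM2_PKCS11_STORE being inherited.
  cd ~/src/tpm2-pkcs11/tools &&
    sudo -u aziotks ./tpm2_ptool init --primary-auth "$PRIMARY_AUTH" --path "$TPM2_PKCS11_STORE" &&
    sudo -u aziotks ./tpm2_ptool addtoken \
      --path "$TPM2_PKCS11_STORE" \
      --sopin "$SO_PIN" --userpin "$PIN" \
      --label "$TOKEN" --pid '1'
)
# NB: this line prints the user PIN; keep the script's output out of shared logs.
echo "PKCS#11 base slot URI is pkcs11:token=${TOKEN}?pin-value=${PIN}"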