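#!/bin/bash
# Provision a Fedora guest with a software TPM 2.0 (swtpm) on a Fedora host.
#
# Steps: build libtpms and swtpm from source, fetch a Fedora cloud image,
# derive a per-VM qcow2 overlay with a generated root password, create the
# domain with virt-install, then attach a libvirt TPM emulator device.
#
# This script has only been tested on Fedora 29.
# Usage:  run as root from a scratch directory; prompts for the VM name.
# Needs:  network access (dnf, git, wget) and the libvirt "default" network.
set -euo pipefail

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [[ $EUID -ne 0 ]]; then
  die "Please run as the root user"
fi

read -r -p "Name for vtpm vm: " vm_name
[[ -n "${vm_name}" ]] || die "VM name must not be empty"
# The name becomes a file name and a libvirt domain name; keep it to a safe set.
[[ "${vm_name}" =~ ^[A-Za-z0-9._-]+$ ]] \
  || die "VM name may only contain letters, digits, '.', '_' and '-'"

# Source checkouts land in the directory the script was started from;
# images go to the libvirt image pool.
build_root=$PWD
image_dir=/var/lib/libvirt/images

# The generated root password is handed to virt-customize through a 0600 temp
# file (--root-password file:) instead of on argv, which any local user can
# read via ps. The file is removed on every exit path.
pwfile=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "${pwfile}"; }
trap cleanup EXIT

printf '%s\n' "Turn off SELinux for now"
setenforce 0   # permissive only until the next host boot; not persisted
printf '%s\n' "Updating Packages"
dnf update -y
printf '%s\n' "Install virtualization package group and deps"
dnf install -y @virtualization
dnf -y install make \
  libguestfs-tools-c \
  libseccomp-devel \
  wget \
  libtasn1-devel \
  expect \
  socat \
  python3-twisted \
  fuse-devel glib2-devel \
  gnutls \
  gnutls-devel \
  gnutls-utils \
  tpm-tools \
  tpm2-tools \
  openssl-devel \
  git \
  libtool \
  autoconf

printf '%s\n' "Starting / Enabling Libvirt virtualization package group"
systemctl start libvirtd
# Enable the same unit that was started above (libvirtd.service).
systemctl enable libvirtd

printf '%s\n' "Clone and build libtmpms"
git clone https://github.com/stefanberger/libtpms "${build_root}/libtpms"
cd "${build_root}/libtpms" || die "cannot cd to ${build_root}/libtpms"
./bootstrap.sh
./configure --prefix=/usr --with-openssl --with-tpm2
make
make install

printf '%s\n' "Clone and build swtpm"
git clone https://github.com/stefanberger/swtpm "${build_root}/swtpm"
cd "${build_root}/swtpm" || die "cannot cd to ${build_root}/swtpm"
./autogen.sh --with-openssl --prefix=/usr
make -j4
make -j4 check   # a failing test suite aborts the install under set -e
make install

printf '%s\n' "setting up vtpm socket"
# swtpm needs both the state directory and the socket's parent to exist.
mkdir -p /tmp/mytpm1 /tmp/tpm0
swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl type=unixio,path=/tmp/tpm0/swtpm-sock --log level=20 &

printf '%s\n' "Grabbing qcow2 image"
wget -c https://download.fedoraproject.org/pub/fedora/linux/releases/30/Cloud/x86_64/images/Fedora-Cloud-Base-30-1.2.x86_64.qcow2 -O "${image_dir}/fedora30.qcow2"
# TODO: verify the download against Fedora's published CHECKSUM file before use.

printf '%s\n' "Setting machine password"
# Read a bounded amount of randomness first so no stage of the pipeline is
# killed by SIGPIPE, which 'set -o pipefail' would otherwise report as failure.
password=$(head -c 1024 /dev/urandom | tr -cd '[:alnum:]' | head -c 30)
(( ${#password} == 30 )) || die "failed to generate a 30-character password"
printf '%s' "${password}" > "${pwfile}"

cd "${image_dir}" || die "cannot cd to ${image_dir}"
qemu-img create -f qcow2 -b fedora30.qcow2 "${vm_name}.qcow2"
virt-customize -a "${vm_name}.qcow2" --root-password "file:${pwfile}" --uninstall cloud-init
virt-customize -a "${vm_name}.qcow2" --run-command 'sed -i s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config'
printf '%s\n' "root password is : ${password}"

printf '%s\n' "Installing ${vm_name}"
virt-install --ram 2048 --vcpus 2 --os-variant rhel7.0 \
  --disk "path=${image_dir}/${vm_name}.qcow2,format=qcow2,bus=virtio,cache=none,device=disk" \
  --import --noautoconsole --vnc --network network:default --name "${vm_name}"
sleep 5   # give libvirt a moment to define the domain before editing its XML

printf '%s\n' "Injecting tpm2 to libvirt xml"
virt-xml "${vm_name}" --add-device --tpm emulator,model=tpm-tis,version=2.0

printf '%s\n' "Reboot for changes to take effect"
# 'virsh reboot' takes exactly one domain argument.
virsh reboot "${vm_name}"

printf '%s\n' "To login to the vm run: virsh console ${vm_name}"
printf '%s\n' "Please then complete the following steps:"
printf '%s\n' "# dhclient should get an address for the vm"
printf '%s\n' "# dnf install tpm2-tools tpm2-tss tpm2-abrmd"
printf '%s\n' "Then run the abrmd as root:"
printf '%s\n' "# /usr/sbin/tpm2-abrmd --allow-root &"
printf '%s\n' "You should now be able to query the tpm with a command such as tpm2_pcrlist"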
Something is wrong with running tpm2-abrmd as a service, which we still need to figure out; for now we can run it as root.