Set up swtpm cuse in fc24
#!/bin/bash
#
# TPM creation script.
#
# Version: 0.1.0-Alpha (7/29/2016)
# Only supports fc24.
#
# - Utilizes swtpm_cuse to set up and create a virtual TPM.
# - See https://simp-project.atlassian.net/wiki/x/CgAVAg for information on how to
# install swtpm and enable passthrough in libvirt.
# - Creates a libvirt xml block corresponding to the TPM device info.
#
# Nick Miller <nmiller@onyxpoint.com>
# Nick Markowski <nmarkowski@keywcorp.com>
#
#
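#######################################
# Reject anything that is not a bare file name. The value is joined to /tmp
# and /dev below and then handed to chown -R / chmod / chcon while this script
# runs as root, so a slash, a leading dash, "." or ".." must never reach them.
# Arguments: $1 - value to check, $2 - label used in the error message
# Outputs:   error text on stderr
# Returns:   exits 1 on an invalid value, otherwise 0
#######################################
require_simple_name() {
  local value=$1 label=$2
  if [[ ! "$value" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
    printf '%s must be a plain name (letters, digits, "_", "." or "-"), got: %s\n' "$label" "$value" >&2
    exit 1
  fi
}

# Prompt for the two names; -r keeps backslashes literal, and the default is
# applied before validation so an empty answer still yields "vtpm0".
printf '%s' "Desired VTPM data path within /tmp [vtpm0]:"
read -r data_path
: "${data_path:=vtpm0}"
require_simple_name "$data_path" "VTPM data path"
data_path="/tmp/$data_path"
printf '%s' "Desired VTPM device within /dev [vtpm0]:"
read -r vtpm_device_path
: "${vtpm_device_path:=vtpm0}"
require_simple_name "$vtpm_device_path" "VTPM device name"
vtpm_device_path="/dev/$vtpm_device_path"
# swtpm cuse takes the bare device name (-n), not the /dev path.
vtpm_name=${vtpm_device_path##*/}
echo "Using parmeters:"
echo "VTPM data path: $data_path"
echo "VTPM device path: $vtpm_device_path"
echo "VTPM name: $vtpm_name"
echo
# Stop a previous instance bound to this device; the exit status is
# deliberately not checked because there is nothing to stop on a fresh host.
echo "Killing old instance of VTPM"
swtpm_ioctl -s "$vtpm_device_path"
echo
# State directory is owned by the tss user that swtpm runs as.
echo "Creating VTPM data path $data_path"
mkdir -p -- "$data_path"
chown -R tss:root -- "$data_path"
echo
# Both swtpm steps below are retried without limit, as in the original; the
# loops only end once the command exits 0.
echo "Running VTPM setup. This may take multiple attempts."
attempt=1
until swtpm_setup --tpm-state "$data_path" --createek; do
  echo "Attempt $attempt failed."
  attempt=$((attempt + 1))
  sleep .2
done
echo "VTPM setup succeeded after attempt $attempt!"
echo
echo "Starting swtpm cuse service. This may take multiple attempts."
attempt=1
until swtpm cuse --tpmstate dir="$data_path" -n "$vtpm_name"; do
  echo "Attempt $attempt failed."
  attempt=$((attempt + 1))
  sleep .2
done
echo "SWTPM cuse service started after attempt $attempt!"
echo
# Try to fix permissions even tho the context is still wrong.
# The SELinux label is copied from the real /dev/tpm0; the device is then
# made accessible only to root and the qemu group.
echo "Modifying ownership and context of $vtpm_device_path"
chcon --reference=/dev/tpm0 -- "$vtpm_device_path"
chown root:qemu -- "$vtpm_device_path"
chmod 770 -- "$vtpm_device_path"
echo
# NOTE(review): this unmount is host-wide, not per VM -- it removes the device
# cgroup controller for everything on the machine until it is remounted.
# The linked issue explains why it was needed here; verify it is still
# required before keeping this step in a production setup.
if [[ -d /sys/fs/cgroup/devices ]]; then
  echo "Unmounting /sys/fs/cgroup/devices. See https://github.com/stefanberger/swtpm/issues/7#issuecomment-217748309"
  umount /sys/fs/cgroup/devices
  echo
fi
echo "You can't use a typical libvirt xml domain definition with a vTPM. You need to modify a pre-existing xml file and change the schema and add some qemu:commandline commands, as shown below. Note that we don't use the TPM device element from the Libvirt XML domain schema. The native element expects the wrong cancel path and does not suport the cuse-tpm driver yet."
echo
# Unquoted delimiter on purpose: $vtpm_device_path is expanded into the sample.
cat <<EOF
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
<...>
<qemu:commandline>
<qemu:arg value='-tpmdev'/>
<qemu:arg value='cuse-tpm,id=tpm-tpm0,path=$vtpm_device_path,cancel-path=/dev/null'/>
<qemu:arg value='-device'/>
<qemu:arg value='tpm-tis,tpmdev=tpm-tpm0,id=tpm0'/>
</qemu:commandline>
</domain>
EOF
echo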
#http://askubuntu.com/questions/623933/how-to-create-a-rotation-animation-using-shell-script
#######################################
# Print a rotating /-\| progress indicator on stdout until killed.
# Emits one leading space, then every 0.1 s one glyph followed by a
# backspace so the glyph is overwritten in place. Never returns on its own;
# the caller runs it in the background and kills it.
# Globals:   none
# Arguments: none
# Outputs:   spinner characters to stdout
#######################################
spinner() {
  local glyphs='/-\|'
  local idx=0
  printf ' '
  while sleep 0.1; do
    printf '%s\b' "${glyphs:idx:1}"
    idx=$(( (idx + 1) % ${#glyphs} ))
  done
}
# Give the freshly started TPM time to settle while showing a spinner.
settle_seconds=200
printf 'Sleep 200 to ensure TPM consistency '
spinner &
spinner_pid=$!
sleep "$settle_seconds"
kill "$spinner_pid"   # stop the progress indicator
printf '\n'