Created
July 29, 2016 16:57
Set up swtpm cuse in fc24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # TPM creation script. | |
| # | |
| # Version: 0.1.0-Alpha (7/29/2016) | |
| # Only supports fc24. | |
| # | |
| # - Utilizes swtpm_cuse to set up and create a virtual TPM. | |
| # - See https://simp-project.atlassian.net/wiki/x/CgAVAg for information on how to | |
| # install swtpm and enable passthrough in libvirt. | |
| # - Creates a libvirt xml block corresponding to the TPM device info. | |
| # | |
| # Nick Miller <nmiller@onyxpoint.com> | |
| # Nick Markowski <nmarkowski@keywcorp.com> | |
| # | |
| # | |
| echo -n "Desired VTPM data path within /tmp [vtpm0]:" | |
| read data_path | |
| : ${data_path:="vtpm0"} | |
| data_path="/tmp/$data_path" | |
| echo -n "Desired VTPM device within /dev [vtpm0]:" | |
| read vtpm_device_path | |
| : ${vtpm_device_path:=vtpm0} | |
| vtpm_device_path="/dev/$vtpm_device_path" | |
| vtpm_name=${vtpm_device_path##*/} | |
| echo "Using parmeters:" | |
| echo "VTPM data path: $data_path" | |
| echo "VTPM device path: $vtpm_device_path" | |
| echo "VTPM name: $vtpm_name" | |
| echo | |
| echo "Killing old instance of VTPM" | |
| swtpm_ioctl -s $vtpm_device_path | |
| echo | |
| echo "Creating VTPM data path $data_path" | |
| mkdir -p $data_path | |
| chown -R tss:root $data_path | |
| echo | |
| echo "Running VTPM setup. This may take multiple attempts." | |
| attempt=1 | |
| until swtpm_setup --tpm-state $data_path --createek | |
| do | |
| echo "Attempt $attempt failed." | |
| let "attempt++" | |
| sleep .2 | |
| done | |
| echo "VTPM setup succeeded after attempt $attempt!" | |
| echo | |
| echo "Starting swtpm cuse service. This may take multiple attempts." | |
| attempt=1 | |
| until swtpm cuse --tpmstate dir=$data_path -n $vtpm_name | |
| do | |
| echo "Attempt $attempt failed." | |
| let "attempt++" | |
| sleep .2 | |
| done | |
| echo "SWTPM cuse service started after attempt $attempt!" | |
| echo | |
| # Try to fix permissions even tho the context is still wrong | |
| echo "Modifying ownership and context of $vtpm_device_path" | |
| chcon --reference=/dev/tpm0 $vtpm_device_path | |
| chown root:qemu $vtpm_device_path | |
| chmod 770 $vtpm_device_path | |
| echo | |
| if [ -d "/sys/fs/cgroup/devices" ]; then | |
| echo "Unmounting /sys/fs/cgroup/devices. See https://github.com/stefanberger/swtpm/issues/7#issuecomment-217748309" | |
| umount /sys/fs/cgroup/devices | |
| echo | |
| fi | |
| echo "You can't use a typical libvirt xml domain definition with a vTPM. You need to modify a pre-existing xml file and change the schema and add some qemu:commandline commands, as shown below. Note that we don't use the TPM device element from the Libvirt XML domain schema. The native element expects the wrong cancel path and does not suport the cuse-tpm driver yet." | |
| echo | |
| cat <<-EOF | |
| <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'> | |
| <...> | |
| <qemu:commandline> | |
| <qemu:arg value='-tpmdev'/> | |
| <qemu:arg value='cuse-tpm,id=tpm-tpm0,path=$vtpm_device_path,cancel-path=/dev/null'/> | |
| <qemu:arg value='-device'/> | |
| <qemu:arg value='tpm-tis,tpmdev=tpm-tpm0,id=tpm0'/> | |
| </qemu:commandline> | |
| </domain> | |
| EOF | |
| echo | |
| #http://askubuntu.com/questions/623933/how-to-create-a-rotation-animation-using-shell-script | |
| spinner() { | |
| local i sp n | |
| sp='/-\|' | |
| n=${#sp} | |
| printf ' ' | |
| while sleep 0.1; do | |
| printf "%s\b" "${sp:i++%n:1}" | |
| done | |
| } | |
| printf 'Sleep 200 to ensure TPM consistency ' | |
| spinner & | |
| sleep 200 | |
| kill "$!" # kill the spinner | |
| printf '\n' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment