Ubuntu 20.10 Installer and Demo of tpm2-tss
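#!/usr/bin/env bash
# SPDX: BSD-3-Clause
# Usage:
#   ./script.sh or bash script.sh
#
# Arguments:
#   (optional) arg1: A working directory to use. Defaults to $HOME.
#
# Example: mkdir tmp
#          ./script.sh tmp
#
#
# This script builds, **tests** and installs the following components from source:
#  - ibmtpm1637
#  - tpm2-tss v3.0.3
#  - tpm2-abrmd v2.4.0
#  - tpm2-tools v4.2
#  - keylime v6.1.0
#
# It also provides an example of starting the simulator (tpm_server), tpm2-abrmd and running tpm2-tools.
#
# This script is designed and tested for ubuntu-20.10, but with minor tweaks should work across the newer
# ubuntu distros.
#
# Every release tarball is checked against a pinned sha256 before it is unpacked, so a mismatching
# download aborts the script (set -e) before anything is built or installed with sudo.
#
set -euxo pipefail

#######################################
# Download a release tarball and verify it against a pinned sha256 before anything is built from it.
# Arguments:
#   $1 - URL to fetch
#   $2 - expected sha256 hex digest of the file
#   $3 - (optional) local file name; defaults to the last path component of the URL
# Outputs:
#   the verified file in the current directory
# Returns:
#   non-zero (which exits the script under set -e) if the download or the checksum fails. The file is
#   removed on a checksum mismatch so a re-run cannot silently pick up the bad copy.
#######################################
fetch_verified() {
  local url=$1
  local expected_sha256=$2
  local file=${3:-${1##*/}}

  wget -O "$file" "$url"
  # sha256sum --check wants "<hash>  <file>" with two spaces between the fields.
  if ! sha256sum --check <<< "${expected_sha256}  ${file}"; then
    rm -f -- "$file"
    printf 'checksum mismatch for %s (from %s)\n' "$file" "$url" >&2
    return 1
  fi
}

# PIDs of the simulator and resource manager started in the demo section below. They are stopped on
# every exit path (including a failed make check) so a partial run does not leave daemons behind.
tpm_server_pid=""
abrmd_pid=""
cleanup() {
  if [[ -n "$abrmd_pid" ]]; then
    kill "$abrmd_pid" 2>/dev/null || true
  fi
  if [[ -n "$tpm_server_pid" ]]; then
    kill "$tpm_server_pid" 2>/dev/null || true
  fi
}
trap cleanup EXIT

# From a fresh install of ubuntu-20.10 in a Virtual Box VM, post running all updates and required update
# reboots.
#
# Set root to a directory we can build in. This can be passed as arg1
#
ROOT="$(realpath "${1:-$HOME}")"
cd "$ROOT"
#
# Fixup Python: TL;DR we need python to point to something and its not present by default.
# Note: one could use update-alternatives as well or manually create a system wide link.
# PEP-394 has some of the details:
#  - https://www.python.org/dev/peps/pep-0394/
# Older versions of tpm2-tools didn't use AM_PYTHON_PATH and just checked for python. AM_PYTHON_PATH
# is smart enough to find an actual python interpreter via the python2, python2.X, python3 and python3.X
# names (for most versions of autoconf archive).
#
# -p / -f keep this re-runnable: a second invocation in the same ROOT must not die on an existing link.
mkdir -p "$ROOT/.bin"
ln -sf "$(command -v python3)" "$ROOT/.bin/python"
# Appended, not prepended: an existing system "python" still wins over our private shim.
export PATH="$PATH:$ROOT/.bin"
#
# Dependencies
#
# We shouldn't need pandoc, but it looks like a bug in the 4.2 release package prevents
# it from building as make tries to run pandoc. I filed a bug, but for now, just install
# pandoc to avoid the bug.
#  - https://github.com/tpm2-software/tpm2-tools/issues/2716
#
sudo apt-get install -y \
  build-essential \
  libssl-dev \
  libcmocka-dev \
  uthash-dev \
  libcurl4-openssl-dev \
  uuid-dev \
  python3-pip \
  libglib2.0-dev \
  expect \
  pandoc \
  swig
#
# Use PIP to satisfy python module dependencies. Note that most package managers have these bundled, so you
# can apt-get install python3-yaml as well. However, I prefer pip, as you can install it to the local user.
# Note: pyyaml is already installed as a dependency of package python3-pip but it's included here for
# completeness.
#
python -m pip install --user pyyaml
#
# Install a TPM Simulator. I see that 1661 is available, however I haven't tested against it yet. However, 1637 works,
# but you have to fix up the memory issue as described in this PR:
#  - https://github.com/kgoldman/ibmswtpm2/pull/4
#
# We also need to make it respect CFLAGS, so we insert the CFLAGS variable into the Makefile, so we can pass the fixups.
#
mkdir -p ibmtpm1637
cd ibmtpm1637
fetch_verified https://downloads.sourceforge.net/project/ibmswtpm2/ibmtpm1637.tar.gz \
  dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327
tar -xavf ibmtpm1637.tar.gz
cd src
# $(CFLAGS) is makefile syntax, not a shell expansion: the single quotes keep it literal for sed.
sed -i 's/-DTPM_NUVOTON/-DTPM_NUVOTON $(CFLAGS)/' makefile
CFLAGS="-DNV_MEMORY_SIZE=32768 -DMIN_EVICT_OBJECTS=7" make -j"$(nproc)"
sudo make install
# Return to ROOT so each component is unpacked next to the others rather than inside ibmtpm1637/src.
cd "$ROOT"
#
# Build, test and install tpm2-tss libraries
#
fetch_verified https://github.com/tpm2-software/tpm2-tss/releases/download/3.0.3/tpm2-tss-3.0.3.tar.gz \
  78392be7309baf47f51b122f566ac915fd4d1760ea78571cba2e1484f9b5be17
tar -xavf tpm2-tss-3.0.3.tar.gz
cd tpm2-tss-3.0.3
./configure --disable-doxygen-doc --disable-fapi --enable-unit --enable-integration
make -j"$(nproc)" check
sudo make install
# update the shared libraries for the dynamic linker
sudo ldconfig
cd "$ROOT"
#
# Build test and install tpm2-abrmd
#
fetch_verified https://github.com/tpm2-software/tpm2-abrmd/releases/download/2.4.0/tpm2-abrmd-2.4.0.tar.gz \
  044522f1568f3d5334878f0564f808ec9fdd6a4ac5d0f3bd75ae6f2c7551a96c
tar -xavf tpm2-abrmd-2.4.0.tar.gz
cd tpm2-abrmd-2.4.0
# patch dbus policy to allow THIS user to access dbus and thus start tpm2-abrmd on the system bus if they would like.
# this is not a production config, but makes casual use and development easy. For users, we could also attach it to
# the session bus. The session bus is restricted to the user and the system bus is global, for more details see:
#  - https://developer.gnome.org/platform-overview/unstable/tech-d-bus.html.en
#
# The user name is expanded into the unquoted here-doc below. $USER is not guaranteed to be set (e.g. under
# some sudo/cron environments), so fall back to id -un rather than tripping set -u.
demo_user=${USER:-$(id -un)}
# -l (--ignore-whitespace) so the context lines still match if the upstream file's indentation differs
# from what is written here.
patch -p1 -l << PATCH
--- tpm2-abrmd-2.4.0/dist/tpm2-abrmd.conf
+++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.conf
@@ -8,6 +8,9 @@
   <policy user="root">
     <allow own="com.intel.tss2.Tabrmd"/>
   </policy>
+  <policy user="$demo_user">
+    <allow own="com.intel.tss2.Tabrmd"/>
+  </policy>
   <policy context="default">
     <allow send_destination="com.intel.tss2.Tabrmd"/>
     <allow receive_sender="com.intel.tss2.Tabrmd"/>
PATCH
./configure --enable-unit --enable-integration --with-dbuspolicydir='/etc/dbus-1/system.d/'
make -j"$(nproc)" check
sudo make install
# update the shared libraries for the dynamic linker
sudo ldconfig
cd "$ROOT"
#
# Build, test and install tpm2-tools tools
#
fetch_verified https://github.com/tpm2-software/tpm2-tools/releases/download/4.2/tpm2-tools-4.2.tar.gz \
  1baaccd8bd663e9dd70cf6d8f99f16897ea32b9106860967ebb259d81954f904
tar -xavf tpm2-tools-4.2.tar.gz
cd tpm2-tools-4.2
./configure --enable-unit
make -j"$(nproc)" check
sudo make install
cd "$ROOT"
#
# Run a sample command against the tpm2 simulator
# You need sleeps or something that is smarter and waits on the sockets to become available. Since it will race
# the subsequent command on socket initialization of the first process.
#
# The PIDs are recorded via $! (rather than %1/%2 job specs) so the EXIT trap can stop both daemons even
# when tpm2_getrandom fails and set -e ends the script here.
tpm_server &
tpm_server_pid=$!
sleep 1
tpm2-abrmd --tcti=mssim &
abrmd_pid=$!
sleep 1
tpm2_getrandom --hex 4
kill "$abrmd_pid"
kill "$tpm_server_pid"
# Reap them; a killed child reports non-zero, which is expected here.
wait "$abrmd_pid" || true
wait "$tpm_server_pid" || true
abrmd_pid=""
tpm_server_pid=""
#
# Build and install keylime
#
# The GitHub archive is served as 6.1.0.tar.gz; save it under the project name directly.
fetch_verified https://github.com/keylime/keylime/archive/refs/tags/6.1.0.tar.gz \
  c95b060fea3b5e1114d0c0912704490f281021bc7ad53e452f373abf329bafec \
  keylime-6.1.0.tar.gz
tar -xavf keylime-6.1.0.tar.gz
cd keylime-6.1.0
python3 -m pip install --user . -r requirements.txt
# No idea what to do with keylime past this point.
cd "$ROOT"
exit 0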