forked from Fraunhofer-AISEC/cmc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
setup-full-ids
executable file
·132 lines (101 loc) · 4.87 KB
/
setup-full-ids
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
#!/bin/bash
set -e
function abs_path() {
if [ -d "$(dirname "$1")" ]
then
echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
fi
}
if [ "$#" -ne 3 ]; then
echo "Usage: ./setup-full-simple <cmc-folder> <data-folder> <cbor|json>"
exit 1
fi
CMC="$(abs_path $1)"
DATA="$(abs_path $2)"
SER="$3"
if [ ! -d "$CMC" ]; then
echo "CMC directory does not exist. Did you clone the repository? Abort.."
exit 1
fi
if [ -d "$DATA" ]; then
echo "Data directory does already exist. Please choose a new directory. Abort.."
exit 1
fi
echo "Using CMC: $CMC"
echo "Using $DATA as directory for local data"
export PATH=$PATH:$HOME/go/bin
# Create a folder for the cmc configuration and metadata
mkdir -p $DATA
sudo apt install moreutils golang-cfssl build-essential sqlite3
# Install tools
sudo apt install -y build-essential zlib1g-dev libssl-dev jq
git clone https://github.com/Fraunhofer-AISEC/tpm-pcr-tools.git $DATA/tpm-pcr-tools
cd $DATA/tpm-pcr-tools
make
sudo make install
# Build CMC
cd $CMC
echo "Building CMC.."
go build ./...
# Install CMC to $GOPATH/bin
echo "Installing CMC"
go install ./...
# Copy metadata templates
cp -r $CMC/example-setup/* $DATA
# Generate a PKI suitable for your needs. You can use the IDS PKI example-setup for testing:
$DATA/setup-pki-ids -i $DATA/pki-input-ids -o $DATA/pki
# Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json)
# Delete existing reference values in the RTM Manifest
jq 'del(.referenceValues[])' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
# Add new reference values
jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
# Do this for the OS manifest as well
referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json)
jq 'del(.referenceValues[])' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
# Sign the metadata*
IN=$DATA/metadata-raw
TMP=$DATA/metadata-tmp
OUT=$DATA/metadata-signed
KEY_DEV_A=$DATA/pki/developer_A-key.pem
CHAIN_DEV_A=$DATA/pki/developer_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
KEY_DEV_B=$DATA/pki/developer_B-key.pem
CHAIN_DEV_B=$DATA/pki/developer_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
KEY_EVA_A=$DATA/pki/evaluator_A-key.pem
CHAIN_EVA_A=$DATA/pki/evaluator_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
KEY_EVA_B=$DATA/pki/evaluator_B-key.pem
CHAIN_EVA_B=$DATA/pki/evaluator_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
KEY_CERT_A=$DATA/pki/certifier_A-key.pem
CHAIN_CERT_A=$DATA/pki/certifier_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
KEY_CERT_B=$DATA/pki/certifier_B-key.pem
CHAIN_CERT_B=$DATA/pki/certifier_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
KEY_OP_A=$DATA/pki/operator_A-key.pem
CHAIN_OP_A=$DATA/pki/operator_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
rm -rf $TMP
rm -rf $OUT
mkdir -p $TMP
mkdir -p $OUT
if [ "${SER,,}" = "json" ]; then
echo "using json serialization"
cp $IN/rtm.manifest.json $TMP/rtm.manifest.json
cp $IN/os.manifest.json $TMP/os.manifest.json
cp $IN/device.description.json $TMP/device.description.json
cp $IN/device.config.json $TMP/device.config.json
cp $IN/company.description.json $TMP/company.description.json
elif [ "${SER,,}" = "cbor" ]; then
echo "using cbor serialiation"
cmc-converter -in $IN/rtm.manifest.json -out $TMP/rtm.manifest.cbor -outform cbor
cmc-converter -in $IN/os.manifest.json -out $TMP/os.manifest.cbor -outform cbor
cmc-converter -in $IN/device.description.json -out $TMP/device.description.cbor -outform cbor
cmc-converter -in $IN/device.config.json -out $TMP/device.config.cbor -outform cbor
cmc-converter -in $IN/company.description.json -out $TMP/company.description.cbor -outform cbor
else
echo "serialization format ${SER} is not supported"
exit 1
fi
cmc-signing-tool -in $TMP/rtm.manifest."${SER}" -out $OUT/rtm.manifest."${SER}" -keys $KEY_DEV_A,$KEY_EVA_A,$KEY_CERT_A -x5cs $CHAIN_DEV_A:$CHAIN_EVA_A:$CHAIN_CERT_A
cmc-signing-tool -in $TMP/os.manifest."${SER}" -out $OUT/os.manifest."${SER}" -keys $KEY_DEV_B,$KEY_EVA_A,$KEY_CERT_A -x5cs $CHAIN_DEV_B:$CHAIN_EVA_A:$CHAIN_CERT_A
cmc-signing-tool -in $TMP/company.description."${SER}" -out $OUT/company.description."${SER}" -keys $KEY_OP_A,$KEY_EVA_B,$KEY_CERT_B -x5cs $CHAIN_OP_A:$CHAIN_EVA_B:$CHAIN_CERT_B
cmc-signing-tool -in $TMP/device.description."${SER}" -out $OUT/device.description."${SER}" -keys $KEY_OP_A -x5cs $CHAIN_OP_A
cmc-signing-tool -in $TMP/device.config."${SER}" -out $OUT/device.config."${SER}" -keys $KEY_OP_A -x5cs $CHAIN_OP_A