example-setup/update-full-ids

#!/bin/bash

set -e

function abs_path() {
  if [ -d "$(dirname "$1")" ]
  then
    echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
  fi
}

if [ "$#" -ne 2 ]; then
   echo "Usage: ./update-full-ids <data-folder> <cbor|json>"
   exit 1
fi

DATA="$(abs_path $1)"
SER="$2"

if [ ! -d "$DATA" ]; then
  echo "Data directory $DATA does not exist. Did you run the setup-full-ids script? Abort.."
  exit 1
fi

export PATH=$PATH:$HOME/go/bin

echo "Using $DATA as directory for local data"

# Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json)

# Delete existing reference values in the RTM Manifest
jq 'del(.referenceValues[])' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json

# Add new reference values
jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json

# Do this for the OS manifest as well
referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json)
jq 'del(.referenceValues[])' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json

# Sign the metadata*
IN=$DATA/metadata-raw
TMP=$DATA/metadata-tmp
OUT=$DATA/metadata-signed

KEY_DEV_A=$DATA/pki/developer_A-key.pem
CHAIN_DEV_A=$DATA/pki/developer_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem

KEY_DEV_B=$DATA/pki/developer_B-key.pem
CHAIN_DEV_B=$DATA/pki/developer_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem

KEY_EVA_A=$DATA/pki/evaluator_A-key.pem
CHAIN_EVA_A=$DATA/pki/evaluator_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem

KEY_EVA_B=$DATA/pki/evaluator_B-key.pem
CHAIN_EVA_B=$DATA/pki/evaluator_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem

KEY_CERT_A=$DATA/pki/certifier_A-key.pem
CHAIN_CERT_A=$DATA/pki/certifier_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem

KEY_CERT_B=$DATA/pki/certifier_B-key.pem
CHAIN_CERT_B=$DATA/pki/certifier_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem

KEY_OP_A=$DATA/pki/operator_A-key.pem
CHAIN_OP_A=$DATA/pki/operator_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem

rm -rf $TMP
rm -rf $OUT

mkdir -p $TMP
mkdir -p $OUT

if [ "${SER,,}" = "json" ]; then
  echo "using json serialization"
  cp $IN/rtm.manifest.json        $TMP/rtm.manifest.json
  cp $IN/os.manifest.json         $TMP/os.manifest.json
  cp $IN/device.description.json  $TMP/device.description.json
  cp $IN/device.config.json       $TMP/device.config.json
  cp $IN/company.description.json $TMP/company.description.json
elif [ "${SER,,}" = "cbor" ]; then
  echo "using cbor serialiation"
  cmc-converter -in $IN/rtm.manifest.json        -out $TMP/rtm.manifest.cbor        -outform cbor
  cmc-converter -in $IN/os.manifest.json         -out $TMP/os.manifest.cbor         -outform cbor
  cmc-converter -in $IN/device.description.json  -out $TMP/device.description.cbor  -outform cbor
  cmc-converter -in $IN/device.config.json       -out $TMP/device.config.cbor       -outform cbor
  cmc-converter -in $IN/company.description.json -out $TMP/company.description.cbor -outform cbor
else
  echo "serialization format ${SER} is not supported"
  exit 1
fi

cmc-signing-tool -in $TMP/rtm.manifest."${SER}"         -out $OUT/rtm.manifest."${SER}"         -keys $KEY_DEV_A,$KEY_EVA_A,$KEY_CERT_A -x5cs $CHAIN_DEV_A:$CHAIN_EVA_A:$CHAIN_CERT_A
cmc-signing-tool -in $TMP/os.manifest."${SER}"          -out $OUT/os.manifest."${SER}"          -keys $KEY_DEV_B,$KEY_EVA_A,$KEY_CERT_A -x5cs $CHAIN_DEV_B:$CHAIN_EVA_A:$CHAIN_CERT_A
cmc-signing-tool -in $TMP/company.description."${SER}"  -out $OUT/company.description."${SER}"  -keys $KEY_OP_A,$KEY_EVA_B,$KEY_CERT_B -x5cs $CHAIN_OP_A:$CHAIN_EVA_B:$CHAIN_CERT_B
cmc-signing-tool -in $TMP/device.description."${SER}"   -out $OUT/device.description."${SER}"   -keys $KEY_OP_A -x5cs $CHAIN_OP_A
cmc-signing-tool -in $TMP/device.config."${SER}"        -out $OUT/device.config."${SER}"        -keys $KEY_OP_A -x5cs $CHAIN_OP_A