
tpm2-attest: fetch the TPM OEM certs as part of building the package
osresearch committed May 23, 2020
1 parent d1ff64f commit c9626a3
Showing 4 changed files with 55 additions and 15 deletions.
21 changes: 6 additions & 15 deletions Makefile
Expand Up @@ -4,7 +4,7 @@ BINS += bin/sbsign.safeboot
BINS += bin/sign-efi-sig-list.safeboot
BINS += bin/tpm2-totp

all: $(BINS)
all: $(BINS) certs

#
# sbsign needs to be built from a patched version to avoid a
Expand Down Expand Up @@ -73,6 +73,7 @@ requirements:
libssl-dev \
uuid-dev \
shellcheck \
curl \


# Remove the temporary files
Expand Down Expand Up @@ -103,17 +104,7 @@ shellcheck:
shellcheck $$file ; \
done

# Fetch several of the TPM certs
CERT_URLS=`cat certs/certs.txt`

foreach(u,$(CERT_URLS),$(eval $(call MAKE_CERT $u)))
define MAKE_CERT
all-certs: certs/$(basename $u).pem
certs/$(basename $u).pem:
curl '$u' | \
openssl x509 \
-inform DER \
-outform PEM \
-out $@ \
-noout
enddef
# Fetch several of the TPM certs and make them usable
# by the openssl verify tool.
certs:
./refresh-certs
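Review bot: The new `certs` target names a real directory — refresh-certs creates it with `mkdir -p "$DIR/certs"` — so once that directory exists Make treats the target as up to date and `make all` never runs `./refresh-certs` again, even after tpm-certs.txt or the script changes. Declare it phony, `.PHONY: certs`, and list its inputs so a change to them is at least visible, `certs: refresh-certs tpm-certs.txt`; if a genuine rebuild-on-change is wanted, a stamp file touched at the end of the recipe would replace the directory as the target. Whether `all` is already declared phony cannot be seen from this hunk.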
6 changes: 6 additions & 0 deletions debian/install
@@ -1,10 +1,16 @@
# shell scripts in the tree
sbin/safeboot usr/sbin/
sbin/safeboot-tpm-unseal usr/sbin/
sbin/tpm2-attest usr/sbin/

# configuration files
safeboot.conf etc/safeboot/

# TPM certs and a script to refresh them
tpm-certs.txt etc/safeboot/
refresh-certs etc/safeboot/
certs/* etc/safeboot/certs/

# Compiled with modifications from source
# to add support for the pkcs11 engine and small qrcodes
bin/sbsign.safeboot usr/sbin/
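--- a/refresh-certs
+++ b/refresh-certs
@@ -0,0 +1,34 @@
+#!/bin/bash
+# Fetch vendor certificates and build the OpenSSL CApath structure
+# so that TPM Endorsement Keys can be validated.
+#
+# shellcheck disable=SC2013
+DIR="$(dirname "$0")"
+
+if [ -n "$1" ]; then
+DIR="$1"
+fi
+
+CERTS="$DIR/tpm-certs.txt"
+CERTDIR="$DIR/certs"
+
+mkdir -p "$CERTDIR"
+
+for url in $(awk '{print $1}' "$CERTS"); do
+echo "$url"
+curl --silent "$url" \
+| openssl x509 \
+-inform "DER" \
+-outform "PEM" \
+-out "$CERTDIR/$(basename "$url" .crt).pem" \
+|| die "$url: failed"
+done
+
+echo >&2 "Rebuilding symlinks"
+c_rehash "$DIR/certs"
+
+# Make the roots.pem file from the ones flagged as trusted roots
+# in the certs list
+for url in $(awk '/ trusted$/ {print $1}' "$CERTS"); do
+cat "$CERTDIR/$(basename "$url" .crt).pem"
+done > "$CERTDIR/roots.pem"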
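Review bot: `die` is never defined in this script, so the `|| die "$url: failed"` closing the download loop prints "die: command not found" and the loop carries on, and with no `set -e` the script still exits 0 after a bad download; because `curl --silent` lacks `--fail`, an HTTP error page is what gets piped into `openssl x509` in that case. Since the resulting certs/ directory and roots.pem decide which endorsement-key chains tpm2-attest will accept, the script should stop at the first fetch or conversion that fails rather than silently produce a partial trust store. Add `set -euo pipefail`, define `die`, and pass `--fail --show-error` to curl; the rewritten loop is below. It would also be worth recording the expected SHA-256 fingerprint of each certificate beside its URL in tpm-certs.txt and checking it after download, so the trust store does not rest solely on the TLS connection to the vendor. The later `c_rehash "$DIR/certs"` could use `"$CERTDIR"` for consistency with the rest of the file.
```shell
set -euo pipefail
# … unchanged: DIR / CERTS / CERTDIR setup and mkdir …
die() { echo >&2 "$*"; exit 1; }

for url in $(awk '{print $1}' "$CERTS"); do
	echo "$url"
	curl --silent --show-error --fail "$url" \
	| openssl x509 \
		-inform "DER" \
		-outform "PEM" \
		-out "$CERTDIR/$(basename "$url" .crt).pem" \
	|| die "$url: failed"
done
# … unchanged: c_rehash and roots.pem assembly …
```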
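--- a/tpm-certs.txt
+++ b/tpm-certs.txt
@@ -0,0 +1,9 @@
+https://secure.globalsign.com/cacert/gstpmroot.crt trusted
+https://secure.globalsign.com/cacert/stmtpmekroot.crt
+https://secure.globalsign.com/cacert/stmtpmekint01.crt
+https://secure.globalsign.com/cacert/stmtpmekint02.crt
+https://secure.globalsign.com/cacert/stmtpmekint03.crt
+https://secure.globalsign.com/cacert/stmtpmekint04.crt
+https://secure.globalsign.com/cacert/stmtpmekint05.crt
+https://secure.globalsign.com/cacert/stmtpmekint06.crt
+https://secure.globalsign.com/cacert/stmtpmekint07.crt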
