From c9626a31c4bd0f8a08511ef7e6ba4b653df6df1b Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Sat, 23 May 2020 18:29:39 +0200
Subject: [PATCH] tpm2-attest: fetch the TPM OEM certs as part of building the package

---
 Makefile | 21 ++++++---------------
 debian/install | 6 ++++++
 refresh-certs | 34 ++++++++++++++++++++++++++++++++++
 tpm-certs.txt | 9 +++++++++
 4 files changed, 55 insertions(+), 15 deletions(-)
 create mode 100755 refresh-certs
 create mode 100644 tpm-certs.txt

diff --git a/Makefile b/Makefile
index 55e578e9..5c80560c 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ BINS += bin/sbsign.safeboot
 BINS += bin/sign-efi-sig-list.safeboot
 BINS += bin/tpm2-totp
 
-all: $(BINS)
+all: $(BINS) certs
 
 #
 # sbsign needs to be built from a patched version to avoid a
@@ -73,6 +73,7 @@ requirements:
 libssl-dev \
 uuid-dev \
 shellcheck \
+ curl \
 
 
 # Remove the temporary files
@@ -103,17 +104,7 @@ shellcheck:
 shellcheck $$file ; \
 done
 
-# Fetch several of the TPM certs
-CERT_URLS=`cat certs/certs.txt`
-
-foreach(u,$(CERT_URLS),$(eval $(call MAKE_CERT $u)))
-define MAKE_CERT
-all-certs: certs/$(basename $u).pem
-certs/$(basename $u).pem:
- curl '$u' | \
- openssl x509 \
- -inform DER \
- -outform PEM \
- -out $@ \
- -noout
-endef
+# Fetch several of the TPM certs and make them usable
+# by the openssl verify tool.
+certs:
+ ./refresh-certs
diff --git a/debian/install b/debian/install
index 42faf21e..ac96f055 100644
--- a/debian/install
+++ b/debian/install
@@ -1,10 +1,16 @@
 # shell scripts in the tree
 sbin/safeboot usr/sbin/
 sbin/safeboot-tpm-unseal usr/sbin/
+sbin/tpm2-attest usr/sbin/
 
 # configuration files
 safeboot.conf etc/safeboot/
 
+# TPM certs and a script to refresh them
+tpm-certs.txt etc/safeboot/
+refresh-certs etc/safeboot/
+certs/* etc/safeboot/certs/
+
 # Compiled with modifications from source
 # to add support for the pkcs11 engine and small qrcodes
 bin/sbsign.safeboot usr/sbin/
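Review bot: The new `certs` target has no prerequisites and is not declared `.PHONY`, yet `./refresh-certs` creates a `certs/` directory beside the Makefile (the removed rule already referenced `certs/certs.txt`, so one may be checked in), and make treats an existing file or directory with no prerequisites as up to date — the recipe would then never run and the trust store would silently go stale. Declaring it phony alone swaps that for the opposite problem, because `all` now depends on `certs` (first hunk of this file) and every build would hit the network. Keying the rule on the script's real output and inputs fixes both: `.PHONY: certs`, `certs: certs/roots.pem`, `certs/roots.pem: tpm-certs.txt refresh-certs ; ./refresh-certs`. The comment could also say that this is a network fetch of the TPM vendor CA chain and that `roots.pem` is the trust anchor used for EK validation, so a reader knows why it sits in `all`.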
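Review bot: `certs/* etc/safeboot/certs/` ships whatever the build host left in `certs/`, so a package built offline or after a partially failed refresh installs an incomplete or empty trust store without the packaging step noticing; the packaging should fail when `certs/roots.pem` is missing rather than install a directory that happens to be empty. Installing `refresh-certs` under `etc/safeboot/` also puts an executable among conffiles, and since the script's `DIR` defaults to its own directory (later hunk), running it from there rewrites `/etc/safeboot/certs/roots.pem` — the anchor EK certificates are validated against — from the network as root; `usr/sbin/` or `usr/share/safeboot/` plus an explicit directory argument would keep the script separate from the policy it refreshes.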
diff --git a/refresh-certs b/refresh-certs
new file mode 100755
index 00000000..f7199780
--- /dev/null
+++ b/refresh-certs
@@ -0,0 +1,34 @@
+#!/bin/bash
+# Fetch vendor certificates and build the OpenSSL CApath structure
+# so that TPM Endorsement Keys can be validated.
+#
+# shellcheck disable=SC2013
+DIR="$(dirname "$0")"
+
+if [ -n "$1" ]; then
+ DIR="$1"
+fi
+
+CERTS="$DIR/tpm-certs.txt"
+CERTDIR="$DIR/certs"
+
+mkdir -p "$CERTDIR"
+
+for url in $(awk '{print $1}' "$CERTS"); do
+ echo "$url"
+ curl --silent "$url" \
+ | openssl x509 \
+ -inform "DER" \
+ -outform "PEM" \
+ -out "$CERTDIR/$(basename "$url" .crt).pem" \
+ || die "$url: failed"
+done
+
+echo >&2 "Rebuilding symlinks"
+c_rehash "$DIR/certs"
+
+# Make the roots.pem file from the ones flagged as trusted roots
+# in the certs list
+for url in $(awk '/ trusted$/ {print $1}' "$CERTS"); do
+ cat "$CERTDIR/$(basename "$url" .crt).pem"
+done > "$CERTDIR/roots.pem"
diff --git a/tpm-certs.txt b/tpm-certs.txt
new file mode 100644
index 00000000..83ff953f
--- /dev/null
+++ b/tpm-certs.txt
@@ -0,0 +1,9 @@
+https://secure.globalsign.com/cacert/gstpmroot.crt trusted
+https://secure.globalsign.com/cacert/stmtpmekroot.crt
+https://secure.globalsign.com/cacert/stmtpmekint01.crt
+https://secure.globalsign.com/cacert/stmtpmekint02.crt
+https://secure.globalsign.com/cacert/stmtpmekint03.crt
+https://secure.globalsign.com/cacert/stmtpmekint04.crt
+https://secure.globalsign.com/cacert/stmtpmekint05.crt
+https://secure.globalsign.com/cacert/stmtpmekint06.crt
+https://secure.globalsign.com/cacert/stmtpmekint07.crt
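Review bot: `die` is never defined in this script, so the `|| die "$url: failed"` after the curl/openssl pipeline prints `die: command not found` and the loop continues, and with no `set -e`/`pipefail` a curl failure is hidden behind openssl's exit status anyway, while `openssl x509 -out` may leave a truncated `.pem` that `c_rehash` and the `roots.pem` loop then pick up. Because `roots.pem` is the anchor every Endorsement Key certificate is validated against, a download that quietly fails should abort the run rather than produce a partial or stale store; define `die`, enable `set -euo pipefail` (which also requires `[ -n "${1:-}" ]`), fetch with `curl --fail --proto =https`, and write each PEM through a temporary name. The root itself is authenticated only by the TLS session to secure.globalsign.com, so recording the expected SHA-256 fingerprint of each `trusted` entry and checking it with `openssl x509 -noout -fingerprint -sha256` before it is appended to `roots.pem` would make the anchor independent of that channel. `c_rehash "$DIR/certs"` should also use `"$CERTDIR"` so the two cannot drift apart.
```bash
set -euo pipefail

die() { echo >&2 "$*"; exit 1; }

DIR="$(dirname "$0")"

if [ -n "${1:-}" ]; then
	DIR="$1"
fi

# … unchanged: CERTS / CERTDIR setup and mkdir …

for url in $(awk '{print $1}' "$CERTS"); do
	echo "$url"
	pem="$CERTDIR/$(basename "$url" .crt).pem"
	curl --silent --show-error --fail --proto '=https' "$url" \
	| openssl x509 -inform DER -outform PEM -out "$pem.tmp" \
	|| die "$url: failed"
	mv -f "$pem.tmp" "$pem"
done

echo >&2 "Rebuilding symlinks"
c_rehash "$CERTDIR"

# … unchanged: roots.pem assembly from the trusted entries …
```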
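Review bot: Only `gstpmroot.crt` carries the `trusted` flag, so `roots.pem` will contain a single anchor and `stmtpmekroot.crt` is treated as an intermediate; that is right only if the STM EK root is itself issued under the GlobalSign TPM root, which cannot be confirmed from this list, and if it is self-signed then EK certificates on ST TPMs would fail verification against `roots.pem`. Either add `trusted` to that line or record in refresh-certs why it is omitted — this file has no comment syntax, since the `awk '{print $1}'` loop would try to fetch any `#` line as a URL. A third column with the expected SHA-256 fingerprint of each trusted entry would give refresh-certs something to verify the download against.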