Merge #2129: add trusted computing components

This commit is contained in:
Vladimír Čunát 2014-08-12 19:43:34 +02:00
commit bcdbbf3ea1
13 changed files with 393 additions and 1 deletions

View File

@ -254,6 +254,7 @@
mopidy = 130;
docker = 131;
gdm = 132;
tss = 133;
# When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!

View File

@ -126,6 +126,7 @@
./services/hardware/pcscd.nix
./services/hardware/pommed.nix
./services/hardware/sane.nix
./services/hardware/tcsd.nix
./services/hardware/thinkfan.nix
./services/hardware/udev.nix
./services/hardware/udisks2.nix

View File

@ -30,7 +30,8 @@ with lib;
description = "Hardware RNG Entropy Gatherer Daemon";
serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f";
serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" +
(if config.services.tcsd.enable then " --no-tpm=1" else "");
restartTriggers = [ pkgs.rng_tools ];
};

View File

@ -0,0 +1,139 @@
# tcsd daemon.
{ config, pkgs, ... }:
with pkgs.lib;
let
cfg = config.services.tcsd;
tcsdConf = pkgs.writeText "tcsd.conf" ''
port = 30003
num_threads = 10
system_ps_file = ${cfg.stateDir}/system.data
# This is the log of each individual measurement done by the system.
# By re-calculating the PCR registers based on this information, even
# finer details about the measured environment can be inferred than
# what is available directly from the PCR registers.
firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
#firmware_pcrs = 0,1,2,3,4,5,6,7
#kernel_pcrs = 10,11
platform_cred = ${cfg.platformCred}
conformance_cred = ${cfg.conformanceCred}
endorsement_cred = ${cfg.endorsementCred}
#remote_ops = create_key,random
#host_platform_class = server_12
#all_platform_classes = pc_11,pc_12,mobile_12
'';
in
{
###### interface
options = {
services.tcsd = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Whether to enable tcsd, a Trusted Computing management service
that provides TCG Software Stack (TSS). The tcsd daemon is
the only portal to the Trusted Platform Module (TPM), a hardware
chip on the motherboard.
'';
};
user = mkOption {
default = "tss";
type = types.string;
description = "User account under which tcsd runs.";
};
group = mkOption {
default = "tss";
type = types.string;
description = "Group account under which tcsd runs.";
};
stateDir = mkOption {
default = "/var/lib/tpm";
type = types.path;
description = ''
The location of the system persistent storage file.
The system persistent storage file holds keys and data across
restarts of the TCSD and system reboots.
'';
};
platformCred = mkOption {
default = "${cfg.stateDir}/platform.cert";
type = types.path;
description = ''
Path to the platform credential for your TPM. Your TPM
manufacturer may have provided you with a set of credentials
(certificates) that should be used when creating identities
using your TPM. When a user of your TPM makes an identity,
this credential will be encrypted as part of that process.
See the 1.1b TPM Main specification section 9.3 for information
on this process. '';
};
conformanceCred = mkOption {
default = "${cfg.stateDir}/conformance.cert";
type = types.path;
description = ''
Path to the conformance credential for your TPM.
See also the platformCred option'';
};
endorsementCred = mkOption {
default = "${cfg.stateDir}/endorsement.cert";
type = types.path;
description = ''
Path to the endorsement credential for your TPM.
See also the platformCred option'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.trousers ];
# system.activationScripts.tcsd =
# ''
# chown ${cfg.user}:${cfg.group} ${tcsdConf}
# '';
systemd.services.tcsd = {
description = "TCSD";
after = [ "systemd-udev-settle.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.trousers ];
preStart =
''
mkdir -m 0700 -p ${cfg.stateDir}
chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
'';
serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}";
};
users.extraUsers = optionalAttrs (cfg.user == "tss") (singleton
{ name = "tss";
group = "tss";
uid = config.ids.uids.nginx;
});
users.extraGroups = optionalAttrs (cfg.group == "tss") (singleton
{ name = "tss";
gid = config.ids.gids.nginx;
});
};
}

View File

@ -0,0 +1,33 @@
{ stdenv, fetchurl, trousers, openssl, zlib }:
stdenv.mkDerivation rec {
name = "tboot-1.8.0";
src = fetchurl {
url = "mirror://sourceforge/tboot/${name}.tar.gz";
sha256 = "04z1maryqnr714f3rcynqrpmlx76lxr6bb543xwj5rdl1yvdw2xr";
};
buildInputs = [ trousers openssl zlib ];
patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ];
configurePhase = ''
for a in lcptools utils tb_polgen; do
substituteInPlace $a/Makefile --replace /usr/sbin /sbin
done
substituteInPlace docs/Makefile --replace /usr/share /share
'';
installFlags = "DESTDIR=$(out)";
meta = with stdenv.lib; {
description = ''Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses
Intel(R) Trusted Execution Technology (Intel(R) TXT) to perform a measured
and verified launch of an OS kernel/VMM.'';
homepage = http://sourceforge.net/projects/tboot/;
license = licenses.bsd3;
maintainers = [ maintainers.ak ];
platforms = platforms.linux;
};
}

View File

@ -0,0 +1,50 @@
diff -urp tboot-1.8.0.orig/lcptools/writepol.c tboot-1.8.0/lcptools/writepol.c
--- tboot-1.8.0.orig/lcptools/writepol.c 2014-01-30 10:34:57.000000000 +0100
+++ tboot-1.8.0/lcptools/writepol.c 2014-02-12 01:48:51.523581057 +0100
@@ -40,6 +40,7 @@
#include <getopt.h>
#include <trousers/tss.h>
#include <trousers/trousers.h>
+#include <tss/tss_defines.h>
#define PRINT printf
#include "../include/uuid.h"
@@ -51,14 +52,15 @@ static uint32_t index_value = 0;
static char *file_arg=NULL;
static uint32_t fLeng;
static unsigned char *policy_data = NULL;
-static char *password = NULL;
+static const char *password = NULL;
static uint32_t passwd_length = 0;
+static const char well_known_secret[] = TSS_WELL_KNOWN_SECRET;
static int help_input = 0;
static unsigned char empty_pol_data[] = {0};
-static const char *short_option = "ehi:f:p:";
+static const char *short_option = "ehi:f:p:Z";
static const char *usage_string = "lcp_writepol -i index_value "
- "[-f policy_file] [-e] [-p passwd] [-h]";
+ "[-f policy_file] [-e] [-p passwd|-Z] [-h]";
static const char *option_strings[] = {
"-i index value: uint32/string.\n"
@@ -67,6 +69,7 @@ static const char *option_strings[] = {
"\tINDEX_AUX:0x50000002 or \"aux\"\n",
"-f file_name: string. File name of the policy data is stored. \n",
"-p password: string. \n",
+ "-Z use well known secret as password. \n",
"-e write 0 length data to the index.\n"
"\tIt will be used for some special index.\n"
"\tFor example, the index with permission WRITEDEFINE.\n",
@@ -119,6 +122,11 @@ parse_cmdline(int argc, const char * arg
fLeng = 0;
break;
+ case 'Z':
+ password = well_known_secret;
+ passwd_length = sizeof(well_known_secret);
+ break;
+
case 'h':
help_input = 1;
break;

View File

@ -0,0 +1,22 @@
{ stdenv, fetchurl, trousers, openssl }:
stdenv.mkDerivation {
name = "tpm-quote-tools-1.0.2";
src = fetchurl {
url = "mirror://sourceforge/project/tpmquotetools/1.0.2/tpm-quote-tools-1.0.2.tar.gz";
sha256 = "17bf9d1hiiaybx6rgl0sqcb0prjz6d2mv8fwp4bj1c0rsfw5dbk8";
};
buildInputs = [ trousers openssl ];
meta = with stdenv.lib; {
description = ''The TPM Quote Tools is a collection of programs that provide support
for TPM based attestation using the TPM quote mechanism. The manual
page for tpm_quote_tools provides a usage overview.'';
homepage = http://tpmquotetools.sourceforge.net/;
license = licenses.bsd3;
maintainers = [ maintainers.ak ];
platforms = platforms.linux;
};
}

View File

@ -0,0 +1,26 @@
{ stdenv, fetchurl, trousers, openssl }:
let
version = "1.3.8";
in
stdenv.mkDerivation rec {
name = "tpm-tools-${version}";
src = fetchurl {
url = "mirror://sourceforge/trousers/tpm-tools/${version}/${name}.tar.gz";
sha256 = "10za1gi89vi9m2lmm7jfzs281h55x1sbbm2bdgdh692ljpq4zsv6";
};
buildInputs = [ trousers openssl ];
meta = with stdenv.lib; {
description = ''tpm-tools is an open-source package designed to enable user and application
enablement of Trusted Computing using a Trusted Platform Module (TPM),
similar to a smart card environment.'';
homepage = http://sourceforge.net/projects/trousers/files/tpm-tools/;
license = licenses.cpl10;
maintainers = [ maintainers.ak ];
platforms = platforms.unix;
};
}

View File

@ -0,0 +1,19 @@
diff -ur trousers-0.3.11.2.orig/src/tcsd/tcsd_conf.c trousers-0.3.11.2/src/tcsd/tcsd_conf.c
--- trousers-0.3.11.2.orig/src/tcsd/tcsd_conf.c 2013-07-12 18:27:37.000000000 +0200
+++ trousers-0.3.11.2/src/tcsd/tcsd_conf.c 2013-08-21 14:29:42.917231648 +0200
@@ -763,6 +763,7 @@
return TCSERR(TSS_E_INTERNAL_ERROR);
}
+#ifndef ALLOW_NON_TSS_CONFIG_FILE
/* make sure user/group TSS owns the conf file */
if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
@@ -775,6 +776,7 @@
LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
return TCSERR(TSS_E_INTERNAL_ERROR);
}
+#endif
#endif /* SOLARIS */
if ((f = fopen(tcsd_config_file, "r")) == NULL) {

View File

@ -0,0 +1,33 @@
{ stdenv, fetchurl, openssl }:
let
ver_maj = "0.3.11";
ver_min = "2";
in
stdenv.mkDerivation rec {
name = "trousers-${ver_maj}.${ver_min}";
src = fetchurl {
url = "mirror://sourceforge/trousers/trousers/${ver_maj}/${name}.tar.gz";
sha256 = "1m9qi4452jr5yy4y9zyfi5ndwam5krq7ny8z2q3f91v1hcjgk5la";
};
buildInputs = [ openssl ];
patches = [ # ./double-installed-man-page.patch
./disable-install-rule.patch
./allow-non-tss-config-file-owner.patch
];
NIX_CFLAGS_COMPILE = "-DALLOW_NON_TSS_CONFIG_FILE";
NIX_LDFLAGS = "-lgcc_s";
meta = with stdenv.lib; {
description = "TrouSerS is an CPL (Common Public License) licensed Trusted Computing Software Stack.";
homepage = http://trousers.sourceforge.net/;
license = licenses.cpl10;
maintainers = [ maintainers.ak ];
platforms = platforms.unix;
};
}

View File

@ -0,0 +1,27 @@
--- trousers-0.3.11/dist/Makefile.in 2013-08-14 06:49:37.597558787 +0200
+++ trousers-0.3.11/dist/Makefile.in 2013-08-14 06:50:07.134510774 +0200
@@ -363,16 +363,16 @@
uninstall uninstall-am uninstall-hook
install: install-exec-hook
- if test ! -e ${DESTDIR}/@sysconfdir@/tcsd.conf; then mkdir -p ${DESTDIR}/@sysconfdir@ && cp tcsd.conf ${DESTDIR}/@sysconfdir@; fi
- /bin/chown tss:tss ${DESTDIR}/@sysconfdir@/tcsd.conf || true
- /bin/chmod 0600 ${DESTDIR}/@sysconfdir@/tcsd.conf
+# echo if test ! -e ${DESTDIR}/@sysconfdir@/tcsd.conf; then mkdir -p ${DESTDIR}/@sysconfdir@ && cp tcsd.conf ${DESTDIR}/@sysconfdir@; fi
+ echo /bin/chown tss:tss ${DESTDIR}/@sysconfdir@/tcsd.conf || true
+ echo /bin/chmod 0600 ${DESTDIR}/@sysconfdir@/tcsd.conf
install-exec-hook:
- /usr/sbin/groupadd tss || true
- /usr/sbin/useradd -r tss -g tss || true
- /bin/sh -c 'if [ ! -e ${DESTDIR}/@localstatedir@/lib/tpm ];then mkdir -p ${DESTDIR}/@localstatedir@/lib/tpm; fi'
- /bin/chown tss:tss ${DESTDIR}/@localstatedir@/lib/tpm || true
- /bin/chmod 0700 ${DESTDIR}/@localstatedir@/lib/tpm
+ echo /usr/sbin/groupadd tss || true
+ echo /usr/sbin/useradd -r tss -g tss || true
+ echo /bin/sh -c 'if [ ! -e ${DESTDIR}/@localstatedir@/lib/tpm ];then mkdir -p ${DESTDIR}/@localstatedir@/lib/tpm; fi'
+ echo /bin/chown tss:tss ${DESTDIR}/@localstatedir@/lib/tpm || true
+ echo /bin/chmod 0700 ${DESTDIR}/@localstatedir@/lib/tpm
uninstall-hook:
/usr/sbin/userdel tss || true

View File

@ -0,0 +1,32 @@
--- trousers-0.3.11/man/man3/Makefile.am 2013-08-14 04:57:47.018494495 +0200
+++ trousers-0.3.11/man/man3/Makefile.am 2013-08-14 04:58:10.353453471 +0200
@@ -75,7 +75,6 @@
Tspi_TPM_TakeOwnership.3 \
Tspi_TPM_GetAuditDigest.3 \
Tspi_TPM_OwnerGetSRKPubKey.3 \
- Tspi_TPM_Quote.3 \
Tspi_TPM_CMKSetRestrictions.3
if TSS_BUILD_DAA
man3_MANS += Tspi_DAA_IssueCredential.3 \
--- trousers-0.3.11/man/man3/Makefile.in 2013-08-14 05:06:25.029490899 +0200
+++ trousers-0.3.11/man/man3/Makefile.in 2013-08-14 05:06:43.153457942 +0200
@@ -243,7 +243,7 @@
Tspi_TPM_PcrExtend.3 Tspi_TPM_Quote.3 Tspi_TPM_SelfTestFull.3 \
Tspi_TPM_SetStatus.3 Tspi_TPM_StirRandom.3 \
Tspi_TPM_TakeOwnership.3 Tspi_TPM_GetAuditDigest.3 \
- Tspi_TPM_OwnerGetSRKPubKey.3 Tspi_TPM_Quote.3 \
+ Tspi_TPM_OwnerGetSRKPubKey.3 \
Tspi_TPM_CMKSetRestrictions.3 $(am__append_1)
EXTRA_DIST = $(man3_MANS)
all: all-am
--- trousers-0.3.11/man/man3/Makefile 2013-08-14 05:07:05.686414845 +0200
+++ trousers-0.3.11/man/man3/Makefile 2013-08-14 05:07:23.233381327 +0200
@@ -243,7 +243,7 @@
Tspi_TPM_PcrExtend.3 Tspi_TPM_Quote.3 Tspi_TPM_SelfTestFull.3 \
Tspi_TPM_SetStatus.3 Tspi_TPM_StirRandom.3 \
Tspi_TPM_TakeOwnership.3 Tspi_TPM_GetAuditDigest.3 \
- Tspi_TPM_OwnerGetSRKPubKey.3 Tspi_TPM_Quote.3 \
+ Tspi_TPM_OwnerGetSRKPubKey.3 \
Tspi_TPM_CMKSetRestrictions.3 $(am__append_1)
EXTRA_DIST = $(man3_MANS)
all: all-am

View File

@ -2166,6 +2166,8 @@ let
tcpcrypt = callPackage ../tools/security/tcpcrypt { };
tboot = callPackage ../tools/security/tboot { };
tcpdump = callPackage ../tools/networking/tcpdump { };
tcpflow = callPackage ../tools/networking/tcpflow { };
@ -2205,8 +2207,14 @@ let
torsocks = callPackage ../tools/security/tor/torsocks.nix { };
tpm-quote-tools = callPackage ../tools/security/tpm-quote-tools { };
tpm-tools = callPackage ../tools/security/tpm-tools { };
trickle = callPackage ../tools/networking/trickle {};
trousers = callPackage ../tools/security/trousers { };
ttf2pt1 = callPackage ../tools/misc/ttf2pt1 { };
ttysnoop = callPackage ../os-specific/linux/ttysnoop {};