blob: 31ccf228dbf2f9a667a944d87fcebe1412598006 [file] [log] [blame]
#!/bin/sh
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
if [ -z "$1" ]; then
USERNAME="chronos"
else
USERNAME="$1"
fi
PKCS11_GROUP="pkcs11"
OPENCRYPTOKI_DIR="/var/lib/opencryptoki"
USER_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/$USERNAME"
ROOT_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/root"
USER_TOKEN_DIR="/home/$USERNAME/user/.tpm"
log() {
if [ -t 1 ]; then
echo "$@" 1>&2
else
logger -t $(basename "$0") "$@"
fi
}
is_token_broken() {
if [ ! -e "/var/lib/.tpm_owned" ]; then
log "TPM is not owned, token for $USERNAME can't be valid."
return 0
fi
if [ "/var/lib/.tpm_owned" -nt "$USER_TOKEN_DIR" ]; then
log "PKCS#11 token for $USERNAME is from a previous TPM owner."
return 0
fi
if [ ! -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" -o \
! -e "$USER_TOKEN_DIR/TOK_OBJ/70000000" ]; then
log "PKCS#11 token for $USERNAME is missing some files."
return 0
fi
log "PKCS#11 token for $USERNAME looks ok."
return 1
}
if [ ! -e "$USER_TOKEN_DIR/NVTOK.DAT" ]; then
log "No PKCS#11 token found for $USERNAME."
elif is_token_broken; then
log "Removing $USER_TOKEN_DIR/*"
rm -rf "$USER_TOKEN_DIR"/*
fi
# Ensure the directories exist
mkdir -p "$OPENCRYPTOKI_DIR/tpm"
chown -R "root:$PKCS11_GROUP" "$OPENCRYPTOKI_DIR"
# Ensure that they point to the user volume
[ -L "$USER_TOKEN_LINK" ] || \
ln -sf "$USER_TOKEN_DIR" "$USER_TOKEN_LINK"
[ -L "$ROOT_TOKEN_LINK" ] || \
ln -sf "./$USERNAME" "$ROOT_TOKEN_LINK"
# Always remove the old token entry.
rm -f /var/lib/opencryptoki/pk_config_data
# Creating this directory because if it's not there, token initialization
# will neither create it nor populate it.
mkdir -p "$USER_TOKEN_DIR/TOK_OBJ"
# Configure the tpm as a token
pkcs_slot 0 tpm
# Make sure the user can access their own data
chown -R "$USERNAME:$PKCS11_GROUP" "$USER_TOKEN_DIR"