| # Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "create validated caches of lockbox protected files" |
| author "chromium-os-dev@chromium.org" |
| |
| # Runs before ui.conf to ensure the cache is ready if possible. |
| start on starting ui |
| |
| env LOCKBOX_CACHE_DIR=/var/run/lockbox |
| env LOCKBOX_NVRAM_FILE=/tmp/lockbox.nvram |
| |
| env INSTALL_ATTRS_CACHE=/var/run/lockbox/install_attributes.pb |
| env INSTALL_ATTRS_FILE=/home/.shadow/install_attributes.pb |
| |
| pre-start script |
| bootstat lockbox-cache-start |
| umask 022 # create the cache world-readable. |
| mkdir -p -m 0711 $LOCKBOX_CACHE_DIR |
| # /sbin/mount-encrypted emits the TPM NVRAM contents, if they exist, to a |
| # file on tmpfs which is used to authenticate the lockbox during cache |
| # creation. |
| if [ -O $LOCKBOX_NVRAM_FILE ]; then |
| bootstat lockbox-cache-exec |
| lockbox-cache --cache=$INSTALL_ATTRS_CACHE \ |
| --nvram=$LOCKBOX_NVRAM_FILE \ |
| --lockbox=$INSTALL_ATTRS_FILE |
| # There are no other consumers; remove the nvram data. |
| rm $LOCKBOX_NVRAM_FILE |
| # For VMs and legacy firmware devices, pretend like lockbox is supported. |
| elif crossystem "mainfw_type?nonchrome"; then |
| cp $INSTALL_ATTRS_FILE $INSTALL_ATTRS_CACHE |
| fi |
| bootstat lockbox-cache-end |
| end script |
