# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "TrouSerS daemon"
author "chromium-os-dev@chromium.org"
# The TrouSerS daemon implements TSS, a standard API for access to
# TPM hardware (or to a TPM emulator).
#
# No 'start on'; the job is started with 'start' from tpm-probe.
stop on stopping boot-services
respawn
pre-start script
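# Pre-start body for tcsd. Upstart runs script stanzas with /bin/sh, so this
# stays POSIX sh (no bashisms). It (1) resets and locks the TPM when booting
# in recovery mode, (2) seeds trousers' on-disk state to match the TPM's
# ownership, and (3) reports the dictionary-attack counter where the TPM
# exposes it. Upstart runs script stanzas under "sh -e", so every command
# whose failure must not abort the pre-start carries an explicit fallback.

# If we're booting in recovery mode, first do a sanity check of the TPM and
# try to bring it to a sane state. Then clear the TPM owner and lock the
# TPM down.
if ! crossystem "recovery_reason?0" ; then
  chromeos-tpm-recovery /var/log/tpm-recovery.log ||
    logger -t "$UPSTART_JOB" "tpm-recovery status $?"
  # Each lock-down step is logged on failure but does not stop the remaining
  # steps, so the TPM ends up as locked down as the hardware allows.
  tpmc clear || logger -t "$UPSTART_JOB" "tpmc clear: status $?"
  tpmc enable || logger -t "$UPSTART_JOB" "tpmc enable: status $?"
  tpmc act || logger -t "$UPSTART_JOB" "tpmc act: status $?"
  tpmc block || logger -t "$UPSTART_JOB" "tpmc block: status $?"
  tpmc pplock || logger -t "$UPSTART_JOB" "tpmc pplock: status $?"
fi

if [ -e /sys/class/misc/tpm0/device/owned ]; then
  # Empty when the sysfs read fails; the -n guards below then take no
  # action instead of tripping "integer expression expected" in test(1).
  owned=$(cat /sys/class/misc/tpm0/device/owned || echo "")
  if [ -n "$owned" ] && [ "$owned" -eq "0" ]; then
    # Unowned TPM: any tcsd state left on disk refers to a previous owner,
    # so clean it up.
    rm -rf /var/lib/tpm/*
  elif [ -n "$owned" ] && [ "$owned" -eq "1" ]; then
    # Already owned.
    # Check if trousers' system.data is size zero. If so, then the TPM has
    # been owned already and we need to copy over an empty system.data to be
    # able to use it in trousers.
    if [ ! -f /var/lib/tpm/system.data ] ||
       [ ! -s /var/lib/tpm/system.data ]; then
      if [ ! -e /var/lib/tpm ]; then
        mkdir -m 0700 -p /var/lib/tpm
      fi
      # --no-preserve=mode drops the source's mode, so the copy's mode comes
      # from the umask: 0177 gives an owner-only 0600 file. Restore 0133
      # before creating the marker file so that one stays world-readable.
      umask 0177
      cp --no-preserve=mode /etc/trousers/system.data.auth \
        /var/lib/tpm/system.data
      umask 0133
      touch /var/lib/.tpm_owned
    fi
  fi
fi

# On some TPMs we can check the dictionary-attack counter. The manufacturer
# id bytes 0x49 0x46 0x58 spell "IFX" in ASCII.
if grep -q "Manufacturer: 0x49465800" /sys/class/misc/tpm0/device/caps; then
  # Raw TPM 1.2 request (ordinal 0x65 is TPM_GetCapability). Deliberately
  # expanded unquoted below so each byte becomes its own tpmc argument;
  # leading whitespace on the continuation line is therefore harmless.
  # shellcheck disable=SC2086
  tpm_command="00 c1 00 00 00 16 00 00 00 65 00 00 00 10 00 00 00 04 00 00 \
    08 02"
  counter=$(tpmc raw $tpm_command | awk 'NR == 3 { print $8; }' || \
    echo "0x00")
  # Without pipefail the pipeline's status is awk's, so a failing tpmc
  # produces an empty counter and never reaches the "|| echo" fallback.
  # Apply the intended default explicitly so metrics_client still receives
  # its sample argument and no spurious warning is raised.
  [ -n "$counter" ] || counter="0x00"
  # Metrics reporting is best-effort: log a failure rather than let sh -e
  # abort the pre-start and keep tcsd from starting.
  metrics_client -b -e Platform.TPM.DictionaryAttackCounter "$counter" 30 ||
    logger -t "$UPSTART_JOB" "metrics_client: status $?"
  if [ "$counter" != "0x00" ]; then
    # Tagged with the job name like the other log lines in this script.
    logger -t "$UPSTART_JOB" \
      "WARNING: Non-zero dictionary attack counter found: $counter"
    metrics_client -b -v TPM.NonZeroDictionaryAttackCounter ||
      logger -t "$UPSTART_JOB" "metrics_client: status $?"
  fi
fi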
end script
expect fork
exec tcsd