| # Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Extract Chrome OS machine info for Enterprise enrollment" |
| author "chromium-os-dev@chromium.org" |
| |
| # /tmp/machine-info contains the serial number and other information that may |
| # identify the device. This information is required by OOBE and enterprise |
| # enrollment, but we don't want it around otherwise for privacy reasons. Thus, |
| # we generate as long as /home/.shadow/install_attributes.pb is not present. |
| # That file is created by cryptohome once the device has been |
| # enterprise-enrolled or been claimed by a local user. |
| # |
| # Old versions of Chromium OS (11 and earlier) didn't have the code generating |
| # install_attributes.pb in cryptohome when claiming the device, so the check |
| # would fail for users upgrading from devices that have been setup originally |
| # on these versions. Our best-effort attmept at catching this is to also check |
| # for /var/lib/whitelist/owner.key. Note that this may not work perfectly once |
| # we have support for transitioning ownership. |
| |
| # This starts every time the UI (re)starts in order to restore |
| # /tmp/machine-info if needed. |
| start on starting ui |
| |
| # Remove /tmp/machine-info when a user logs in, in which case session_manager |
| # emits the start-user-session signal. Also stop when the ui terminates so |
| # restarts of the ui job trigger a full stop/start cycle. |
| stop on start-user-session or stopping ui |
| |
| env MACHINE_INFO=/tmp/machine-info |
| |
| # This is a pre-start so that this task will run before the "start" stanza |
| # of the ui job. |
| pre-start script |
| if [ -e /var/lib/enterprise_serial_number_recovery -o \ |
| ! -e /var/lib/whitelist/owner.key ]; then |
| touch $MACHINE_INFO |
| chmod 0644 $MACHINE_INFO |
| if crossystem "mainfw_type?nonchrome"; then |
| echo "serial_number=\"nonchrome-$(date -u +%s)\"" |
| else |
| # Dump full information in the VPD, including the serial number. |
| dump_vpd_log --full --stdout |
| fi >> $MACHINE_INFO |
| |
| # Dump the disk serial number. It is used to generate non-predictable |
| # opaque machine identifiers by running it through a cryptographic hash |
| # function along with other stable machine information and a time stamp. |
| # The disk serial number is chosen here because it provides some entropy |
| # only known to the device. Device serial numbers, MAC addresses etc. are |
| # public identifiers potentially known to the environment and/or servers. |
| # Solely relying on public identifiers for opaque identifier derivation |
| # would increase the chances of external parties being able to forge valid |
| # opaque identifiers and defeat non-predictability. |
| udevadm info --query=property --name=$(rootdev -d) |\ |
| awk -F = '/^ID_SERIAL=/ { print "root_disk_serial_number=" $2 }' \ |
| >> $MACHINE_INFO |
| fi |
| end script |
| |
| post-stop exec rm -f $MACHINE_INFO |