example-setup: updated scripts

Fix all shellcheck warnings Signed-off-by: Simon Ott <[email protected]>
Fraunhofer-AISEC · Mar 7, 2024 · 66fb459 · 66fb459
1 parent 514f1b0
commit 66fb459
Show file tree

Hide file tree

Showing 8 changed files with 275 additions and 409 deletions.
diff --git a/example-setup/setup-full-ids b/example-setup/setup-full-ids
@@ -1,52 +1,53 @@
 #!/bin/bash
 
-set -e
+set -euo pipefail
+
+trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT
+export PATH=${PATH}:${HOME}/go/bin
 
 function abs_path() {
-  if [ -d "$(dirname "$1")" ]
+  if [[ -d "$(dirname "$1")" ]]
   then
-    echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+    echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true
   fi
 }
 
-if [ "$#" -ne 3 ]; then
-   echo "Usage: ./setup-full-simple <cmc-folder> <data-folder> <cbor|json>"
+if [[ "$#" -ne 3 ]]; then
+   echo "Usage: ./setup-full-ids <cmc-folder> <data-folder> <cbor|json>"
    exit 1
 fi
 
-CMC="$(abs_path $1)"
-DATA="$(abs_path $2)"
-SER="$3"
+cmc=$(set -e; abs_path "$1")
+data=$(set -e; abs_path "$2")
+ser="$3"
 
-if [ ! -d "$CMC" ]; then
+if [[ ! -d "${cmc}" ]]; then
   echo "CMC directory does not exist. Did you clone the repository? Abort.."
   exit 1
 fi
 
-if [ -d "$DATA" ]; then
+if [[ -d "${data}" ]]; then
   echo "Data directory does already exist. Please choose a new directory. Abort.."
   exit 1
 fi
 
-echo "Using CMC: $CMC"
-echo "Using $DATA as directory for local data"
-
-export PATH=$PATH:$HOME/go/bin
+echo "Using CMC: ${cmc}"
+echo "Using ${data} as directory for local data"
 
 # Create a folder for the cmc configuration and metadata
-mkdir -p $DATA
+mkdir -p "${data}"
 
 sudo apt install moreutils golang-cfssl build-essential sqlite3
 
 # Install tools
 sudo apt install -y build-essential zlib1g-dev libssl-dev jq
-git clone https://github.com/Fraunhofer-AISEC/tpm-pcr-tools.git $DATA/tpm-pcr-tools
-cd $DATA/tpm-pcr-tools
+git clone https://github.com/Fraunhofer-AISEC/tpm-pcr-tools.git "${data}/tpm-pcr-tools"
+cd "${data}/tpm-pcr-tools"
 make
 sudo make install
 
 # Build CMC
-cd $CMC
+cd "${cmc}"
 echo "Building CMC.."
 go build ./...
 
@@ -55,78 +56,12 @@ echo "Installing CMC"
 go install ./...
 
 # Copy metadata templates
-cp -r $CMC/example-setup/* $DATA
+cp -r "${cmc}/example-setup/"* "${data}"
 
 # Generate a PKI suitable for your needs. You can use the IDS PKI example-setup for testing:
-$DATA/setup-pki-ids -i $DATA/pki-input-ids -o $DATA/pki
-
-# Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
-referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json)
-
-# Delete existing reference values in the RTM Manifest
-jq 'del(.referenceValues[])' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
-
-# Add new reference values
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
-
-# Do this for the OS manifest as well
-referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json)
-jq 'del(.referenceValues[])' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
-
-# Sign the metadata*
-IN=$DATA/metadata-raw
-TMP=$DATA/metadata-tmp
-OUT=$DATA/metadata-signed
-
-KEY_DEV_A=$DATA/pki/developer_A-key.pem
-CHAIN_DEV_A=$DATA/pki/developer_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_DEV_B=$DATA/pki/developer_B-key.pem
-CHAIN_DEV_B=$DATA/pki/developer_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_EVA_A=$DATA/pki/evaluator_A-key.pem
-CHAIN_EVA_A=$DATA/pki/evaluator_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_EVA_B=$DATA/pki/evaluator_B-key.pem
-CHAIN_EVA_B=$DATA/pki/evaluator_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_CERT_A=$DATA/pki/certifier_A-key.pem
-CHAIN_CERT_A=$DATA/pki/certifier_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_CERT_B=$DATA/pki/certifier_B-key.pem
-CHAIN_CERT_B=$DATA/pki/certifier_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_OP_A=$DATA/pki/operator_A-key.pem
-CHAIN_OP_A=$DATA/pki/operator_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-rm -rf $TMP
-rm -rf $OUT
-
-mkdir -p $TMP
-mkdir -p $OUT
-
-if [ "${SER,,}" = "json" ]; then
-  echo "using json serialization"
-  cp $IN/rtm.manifest.json        $TMP/rtm.manifest.json
-  cp $IN/os.manifest.json         $TMP/os.manifest.json
-  cp $IN/device.description.json  $TMP/device.description.json
-  cp $IN/device.config.json       $TMP/device.config.json
-  cp $IN/company.description.json $TMP/company.description.json
-elif [ "${SER,,}" = "cbor" ]; then
-  echo "using cbor serialiation"
-  cmc-converter -in $IN/rtm.manifest.json        -out $TMP/rtm.manifest.cbor        -outform cbor
-  cmc-converter -in $IN/os.manifest.json         -out $TMP/os.manifest.cbor         -outform cbor
-  cmc-converter -in $IN/device.description.json  -out $TMP/device.description.cbor  -outform cbor
-  cmc-converter -in $IN/device.config.json       -out $TMP/device.config.cbor       -outform cbor
-  cmc-converter -in $IN/company.description.json -out $TMP/company.description.cbor -outform cbor
-else
-  echo "serialization format ${SER} is not supported"
-  exit 1
-fi
+"${data}/setup-pki-ids" -i "${data}/pki-input-ids" -o "${data}/pki"
+
+# Update and sign metadata
+"${data}/update-full-ids" "${data}" "${ser}"
+
 
-cmc-signing-tool -in $TMP/rtm.manifest."${SER}"         -out $OUT/rtm.manifest."${SER}"         -keys $KEY_DEV_A,$KEY_EVA_A,$KEY_CERT_A -x5cs $CHAIN_DEV_A:$CHAIN_EVA_A:$CHAIN_CERT_A
-cmc-signing-tool -in $TMP/os.manifest."${SER}"          -out $OUT/os.manifest."${SER}"          -keys $KEY_DEV_B,$KEY_EVA_A,$KEY_CERT_A -x5cs $CHAIN_DEV_B:$CHAIN_EVA_A:$CHAIN_CERT_A
-cmc-signing-tool -in $TMP/company.description."${SER}"  -out $OUT/company.description."${SER}"  -keys $KEY_OP_A,$KEY_EVA_B,$KEY_CERT_B -x5cs $CHAIN_OP_A:$CHAIN_EVA_B:$CHAIN_CERT_B
-cmc-signing-tool -in $TMP/device.description."${SER}"   -out $OUT/device.description."${SER}"   -keys $KEY_OP_A -x5cs $CHAIN_OP_A
-cmc-signing-tool -in $TMP/device.config."${SER}"        -out $OUT/device.config."${SER}"        -keys $KEY_OP_A -x5cs $CHAIN_OP_A
diff --git a/example-setup/setup-full-simple b/example-setup/setup-full-simple
@@ -1,52 +1,53 @@
 #!/bin/bash
 
-set -e
+set -euo pipefail
 
-function abs_path() {
-  if [ -d "$(dirname "$1")" ]
+trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT
+export PATH=${PATH}:${HOME}/go/bin
+
+abs_path() {
+  if [[ -d "$(dirname "$1")" ]]
   then
-    echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+    echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true
   fi
 }
 
-if [ "$#" -ne 3 ]; then
+if [[ "$#" -ne 3 ]]; then
    echo "Usage: ./setup-full-simple <cmc-folder> <data-folder> <cbor|json>"
    exit
 fi
 
-CMC="$(abs_path $1)"
-DATA="$(abs_path $2)"
-SER="$3"
+cmc=$(set -e; abs_path "$1")
+data=$(set -e; abs_path "$2")
+ser="${3}"
 
-if [ ! -d "$CMC" ]; then
+if [[ ! -d "${cmc}" ]]; then
   echo "CMC directory does not exist. Did you clone the repository? Abort.."
   exit 1
 fi
 
-if [ -d "$DATA" ]; then
+if [[ -d "${data}" ]]; then
   echo "Data directory does already exist. Please choose a new directory. Abort.."
   exit 1
 fi
 
-echo "Using CMC: $CMC"
-echo "Using $DATA as directory for local data"
-
-export PATH=$PATH:$HOME/go/bin
+echo "Using CMC: ${cmc}"
+echo "Using ${data} as directory for local data"
 
 # Create a folder for the cmc configuration and metadata
-mkdir -p $DATA
+mkdir -p "${data}"
 
 # Install dependencies
 sudo apt install -y moreutils golang-cfssl build-essential zlib1g-dev libssl-dev jq
 
 # Intall tpm-pcr-tools
-git clone https://github.com/Fraunhofer-AISEC/tpm-pcr-tools.git $DATA/tpm-pcr-tools
-cd $DATA/tpm-pcr-tools
+git clone https://github.com/Fraunhofer-AISEC/tpm-pcr-tools.git "${data}/tpm-pcr-tools"
+cd "${data}/tpm-pcr-tools"
 make
 sudo make install
 
 # Build CMC
-cd $CMC
+cd "${cmc}"
 echo "Building CMC.."
 go build ./...
 
@@ -55,56 +56,10 @@ echo "Installing CMC"
 go install ./...
 
 # Copy metadata templates
-cp -r $CMC/example-setup/* $DATA
+cp -r "${cmc}/example-setup/"* "${data}"
 
 # Generate a PKI suitable for your needs. You can use the simple PKI example-setup for testing:
-$DATA/setup-pki-simple -i $DATA -o $DATA/pki
-
-# Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
-referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json)
-
-# Delete existing reference values in the RTM Manifest
-jq 'del(.referenceValues[])' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
-
-# Add new reference values
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
-
-# Do this for the OS manifest as well
-referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json)
-jq 'del(.referenceValues[])' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
-
-# Sign the metadata*
-IN=$DATA/metadata-raw
-TMP=$DATA/metadata-tmp
-OUT=$DATA/metadata-signed
-KEY=$DATA/pki/signing-cert-key.pem
-CHAIN=$DATA/pki/signing-cert.pem,$DATA/pki/ca.pem
-
-rm -rf $TMP
-rm -rf $OUT
-
-mkdir -p $TMP
-mkdir -p $OUT
-
-if [ "${SER,,}" = "json" ]; then
-  echo "using json serialization"
-  cp $IN/rtm.manifest.json        $TMP/rtm.manifest.json
-  cp $IN/os.manifest.json         $TMP/os.manifest.json
-  cp $IN/device.description.json  $TMP/device.description.json
-  cp $IN/device.config.json       $TMP/device.config.json
-elif [ "${SER,,}" = "cbor" ]; then
-  echo "using cbor serialiation"
-  cmc-converter -in $IN/rtm.manifest.json        -out $TMP/rtm.manifest.cbor       -outform cbor
-  cmc-converter -in $IN/os.manifest.json         -out $TMP/os.manifest.cbor        -outform cbor
-  cmc-converter -in $IN/device.description.json  -out $TMP/device.description.cbor -outform cbor
-  cmc-converter -in $IN/device.config.json       -out $TMP/device.config.cbor      -outform cbor
-else
-  echo "serialization format ${SER} is not supported"
-  exit 1
-fi
+"${data}/setup-pki-simple" -i "${data}" -o "${data}/pki"
 
-cmc-signing-tool -in $TMP/rtm.manifest."${SER}"        -out $OUT/rtm.manifest."${SER}"        -keys $KEY -x5cs $CHAIN
-cmc-signing-tool -in $TMP/os.manifest."${SER}"         -out $OUT/os.manifest."${SER}"         -keys $KEY -x5cs $CHAIN
-cmc-signing-tool -in $TMP/device.description."${SER}"  -out $OUT/device.description."${SER}"  -keys $KEY -x5cs $CHAIN
-cmc-signing-tool -in $TMP/device.config."${SER}"       -out $OUT/device.config."${SER}"       -keys $KEY -x5cs $CHAIN
+# Update and sign metadata
+"${data}/update-full-simple" "${data}" "${ser}"