diff --git a/example-setup/setup-full-ids b/example-setup/setup-full-ids
index 49b2abb8..dc7ea918 100755
--- a/example-setup/setup-full-ids
+++ b/example-setup/setup-full-ids
@@ -1,52 +1,53 @@
 #!/bin/bash
-set -e
+set -euo pipefail
+
+trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT
+export PATH=${PATH}:${HOME}/go/bin
 function abs_path() {
- if [ -d "$(dirname "$1")" ]
+ if [[ -d "$(dirname "$1")" ]]
 then
- echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+ echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true
 fi
 }
-if [ "$#" -ne 3 ]; then
- echo "Usage: ./setup-full-simple "
+if [[ "$#" -ne 3 ]]; then
+ echo "Usage: ./setup-full-ids "
 exit 1
 fi
-CMC="$(abs_path $1)"
-DATA="$(abs_path $2)"
-SER="$3"
+cmc=$(set -e; abs_path "$1")
+data=$(set -e; abs_path "$2")
+ser="$3"
-if [ ! -d "$CMC" ]; then
+if [[ ! -d "${cmc}" ]]; then
 echo "CMC directory does not exist. Did you clone the repository? Abort.."
 exit 1
 fi
-if [ -d "$DATA" ]; then
+if [[ -d "${data}" ]]; then
 echo "Data directory does already exist. Please choose a new directory. Abort.."
 exit 1
 fi
-echo "Using CMC: $CMC"
-echo "Using $DATA as directory for local data"
-
-export PATH=$PATH:$HOME/go/bin
+echo "Using CMC: ${cmc}"
+echo "Using ${data} as directory for local data"
 # Create a folder for the cmc configuration and metadata
-mkdir -p $DATA
+mkdir -p "${data}"
 sudo apt install moreutils golang-cfssl build-essential sqlite3
 # Install tools
 sudo apt install -y build-essential zlib1g-dev libssl-dev jq
-git clone https://github.com/Fraunhofer-AISEC/tpm-pcr-tools.git $DATA/tpm-pcr-tools
-cd $DATA/tpm-pcr-tools
+git clone https://github.com/Fraunhofer-AISEC/tpm-pcr-tools.git "${data}/tpm-pcr-tools"
+cd "${data}/tpm-pcr-tools"
 make
 sudo make install
 # Build CMC
-cd $CMC
+cd "${cmc}"
 echo "Building CMC.."
 go build ./...
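Review bot: `abs_path` still returns 0 with empty output when `$(dirname "$1")` is not a directory, so the `|| true` appended to the echo appears to be a no-op (echo already succeeds) and `data=$(set -e; abs_path "$2")` silently yields an empty string; the later `[[ -d "${data}" ]]` guard is false for "" and the script runs on until `mkdir -p "${data}"` fails, where the EXIT trap only prints "... failed" with no reason. Returning non-zero from the function, `else return 1`, makes the `set -e` subshell fail at the assignment, and a check such as `[[ -n "${data}" ]] || { echo "Invalid data directory: $2" >&2; exit 1; }` tells the user why. The trap's message itself belongs on stderr, `printf "%s failed\n" "$0" >&2`, so it does not end up in captured stdout. The same abs_path and trap lines are added to setup-full-simple, update-app-manifest-live, update-full-ids, update-full-simple and the app-manifest script whose file header is missing from this page.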
@@ -55,78 +56,12 @@ echo "Installing CMC"
 go install ./...
 # Copy metadata templates
-cp -r $CMC/example-setup/* $DATA
+cp -r "${cmc}/example-setup/"* "${data}"
 # Generate a PKI suitable for your needs. You can use the IDS PKI example-setup for testing:
-$DATA/setup-pki-ids -i $DATA/pki-input-ids -o $DATA/pki
-
-# Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
-referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json)
-
-# Delete existing reference values in the RTM Manifest
-jq 'del(.referenceValues[])' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
-
-# Add new reference values
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
-
-# Do this for the OS manifest as well
-referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json)
-jq 'del(.referenceValues[])' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
-
-# Sign the metadata*
-IN=$DATA/metadata-raw
-TMP=$DATA/metadata-tmp
-OUT=$DATA/metadata-signed
-
-KEY_DEV_A=$DATA/pki/developer_A-key.pem
-CHAIN_DEV_A=$DATA/pki/developer_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_DEV_B=$DATA/pki/developer_B-key.pem
-CHAIN_DEV_B=$DATA/pki/developer_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_EVA_A=$DATA/pki/evaluator_A-key.pem
-CHAIN_EVA_A=$DATA/pki/evaluator_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_EVA_B=$DATA/pki/evaluator_B-key.pem
-CHAIN_EVA_B=$DATA/pki/evaluator_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_CERT_A=$DATA/pki/certifier_A-key.pem
-CHAIN_CERT_A=$DATA/pki/certifier_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_CERT_B=$DATA/pki/certifier_B-key.pem
-CHAIN_CERT_B=$DATA/pki/certifier_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-KEY_OP_A=$DATA/pki/operator_A-key.pem
-CHAIN_OP_A=$DATA/pki/operator_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
-
-rm -rf $TMP
-rm -rf $OUT
-
-mkdir -p $TMP
-mkdir -p $OUT
-
-if [ "${SER,,}" = "json" ]; then
- echo "using json serialization"
- cp $IN/rtm.manifest.json $TMP/rtm.manifest.json
- cp $IN/os.manifest.json $TMP/os.manifest.json
- cp $IN/device.description.json $TMP/device.description.json
- cp $IN/device.config.json $TMP/device.config.json
- cp $IN/company.description.json $TMP/company.description.json
-elif [ "${SER,,}" = "cbor" ]; then
- echo "using cbor serialiation"
- cmc-converter -in $IN/rtm.manifest.json -out $TMP/rtm.manifest.cbor -outform cbor
- cmc-converter -in $IN/os.manifest.json -out $TMP/os.manifest.cbor -outform cbor
- cmc-converter -in $IN/device.description.json -out $TMP/device.description.cbor -outform cbor
- cmc-converter -in $IN/device.config.json -out $TMP/device.config.cbor -outform cbor
- cmc-converter -in $IN/company.description.json -out $TMP/company.description.cbor -outform cbor
-else
- echo "serialization format ${SER} is not supported"
- exit 1
-fi
+"${data}/setup-pki-ids" -i "${data}/pki-input-ids" -o "${data}/pki"
+
+# Update and sign metadata
+"${data}/update-full-ids" "${data}" "${ser}"
+
-cmc-signing-tool -in $TMP/rtm.manifest."${SER}" -out $OUT/rtm.manifest."${SER}" -keys $KEY_DEV_A,$KEY_EVA_A,$KEY_CERT_A -x5cs $CHAIN_DEV_A:$CHAIN_EVA_A:$CHAIN_CERT_A
-cmc-signing-tool -in $TMP/os.manifest."${SER}" -out $OUT/os.manifest."${SER}" -keys $KEY_DEV_B,$KEY_EVA_A,$KEY_CERT_A -x5cs $CHAIN_DEV_B:$CHAIN_EVA_A:$CHAIN_CERT_A
-cmc-signing-tool -in $TMP/company.description."${SER}" -out $OUT/company.description."${SER}" -keys $KEY_OP_A,$KEY_EVA_B,$KEY_CERT_B -x5cs $CHAIN_OP_A:$CHAIN_EVA_B:$CHAIN_CERT_B
-cmc-signing-tool -in $TMP/device.description."${SER}" -out $OUT/device.description."${SER}" -keys $KEY_OP_A -x5cs $CHAIN_OP_A
-cmc-signing-tool -in $TMP/device.config."${SER}" -out $OUT/device.config."${SER}" -keys $KEY_OP_A -x5cs $CHAIN_OP_A
diff --git a/example-setup/setup-full-simple b/example-setup/setup-full-simple
index da9f626c..f9f0ad00 100755
--- a/example-setup/setup-full-simple
+++ b/example-setup/setup-full-simple
@@ -1,52 +1,53 @@
 #!/bin/bash
-set -e
+set -euo pipefail
-function abs_path() {
- if [ -d "$(dirname "$1")" ]
+trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT
+export PATH=${PATH}:${HOME}/go/bin
+
+abs_path() {
+ if [[ -d "$(dirname "$1")" ]]
 then
- echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+ echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true
 fi
 }
-if [ "$#" -ne 3 ]; then
+if [[ "$#" -ne 3 ]]; then
 echo "Usage: ./setup-full-simple "
 exit
 fi
-CMC="$(abs_path $1)"
-DATA="$(abs_path $2)"
-SER="$3"
+cmc=$(set -e; abs_path "$1")
+data=$(set -e; abs_path "$2")
+ser="${3}"
-if [ ! -d "$CMC" ]; then
+if [[ ! -d "${cmc}" ]]; then
 echo "CMC directory does not exist. Did you clone the repository? Abort.."
 exit 1
 fi
-if [ -d "$DATA" ]; then
+if [[ -d "${data}" ]]; then
 echo "Data directory does already exist. Please choose a new directory. Abort.."
 exit 1
 fi
-echo "Using CMC: $CMC"
-echo "Using $DATA as directory for local data"
-
-export PATH=$PATH:$HOME/go/bin
+echo "Using CMC: ${cmc}"
+echo "Using ${data} as directory for local data"
 # Create a folder for the cmc configuration and metadata
-mkdir -p $DATA
+mkdir -p "${data}"
 # Install dependencies
 sudo apt install -y moreutils golang-cfssl build-essential zlib1g-dev libssl-dev jq
 # Intall tpm-pcr-tools
-git clone https://github.com/Fraunhofer-AISEC/tpm-pcr-tools.git $DATA/tpm-pcr-tools
-cd $DATA/tpm-pcr-tools
+git clone https://github.com/Fraunhofer-AISEC/tpm-pcr-tools.git "${data}/tpm-pcr-tools"
+cd "${data}/tpm-pcr-tools"
 make
 sudo make install
 # Build CMC
-cd $CMC
+cd "${cmc}"
 echo "Building CMC.."
 go build ./...
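Review bot: The `ser` argument is no longer validated in this script: the removed json/cbor check now lives in `update-full-ids`, which the new last line invokes only after the apt installs, the tpm-pcr-tools clone and build, `go install` and the PKI generation, so a typo in the third argument is reported at the very end of a long run and leaves a half-populated `${data}` behind. A guard placed right after the argument parsing keeps the early failure: `[[ "${ser,,}" == "json" || "${ser,,}" == "cbor" ]] || { echo "serialization format ${ser} is not supported" >&2; exit 1; }`. The second hunk of setup-full-simple below has the same shape and needs the same guard. The argument parsing itself is in the previous hunk, outside this one.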
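Review bot: The usage branch under the rewritten `if [[ "$#" -ne 3 ]]; then` still ends in a bare `exit`, which returns echo's status 0, so calling the script with the wrong number of arguments reports success and the new EXIT trap stays silent; setup-full-ids uses `exit 1` at the same spot. Change the line to `exit 1`, and consider sending the usage text to stderr with `>&2` as diagnostics rather than output.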
@@ -55,56 +56,10 @@ echo "Installing CMC"
 go install ./...
 # Copy metadata templates
-cp -r $CMC/example-setup/* $DATA
+cp -r "${cmc}/example-setup/"* "${data}"
 # Generate a PKI suitable for your needs. You can use the simple PKI example-setup for testing:
-$DATA/setup-pki-simple -i $DATA -o $DATA/pki
-
-# Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
-referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json)
-
-# Delete existing reference values in the RTM Manifest
-jq 'del(.referenceValues[])' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
-
-# Add new reference values
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
-
-# Do this for the OS manifest as well
-referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json)
-jq 'del(.referenceValues[])' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
-
-# Sign the metadata*
-IN=$DATA/metadata-raw
-TMP=$DATA/metadata-tmp
-OUT=$DATA/metadata-signed
-KEY=$DATA/pki/signing-cert-key.pem
-CHAIN=$DATA/pki/signing-cert.pem,$DATA/pki/ca.pem
-
-rm -rf $TMP
-rm -rf $OUT
-
-mkdir -p $TMP
-mkdir -p $OUT
-
-if [ "${SER,,}" = "json" ]; then
- echo "using json serialization"
- cp $IN/rtm.manifest.json $TMP/rtm.manifest.json
- cp $IN/os.manifest.json $TMP/os.manifest.json
- cp $IN/device.description.json $TMP/device.description.json
- cp $IN/device.config.json $TMP/device.config.json
-elif [ "${SER,,}" = "cbor" ]; then
- echo "using cbor serialiation"
- cmc-converter -in $IN/rtm.manifest.json -out $TMP/rtm.manifest.cbor -outform cbor
- cmc-converter -in $IN/os.manifest.json -out $TMP/os.manifest.cbor -outform cbor
- cmc-converter -in $IN/device.description.json -out
$TMP/device.description.cbor -outform cbor
- cmc-converter -in $IN/device.config.json -out $TMP/device.config.cbor -outform cbor
-else
- echo "serialization format ${SER} is not supported"
- exit 1
-fi
+"${data}/setup-pki-simple" -i "${data}" -o "${data}/pki"
-cmc-signing-tool -in $TMP/rtm.manifest."${SER}" -out $OUT/rtm.manifest."${SER}" -keys $KEY -x5cs $CHAIN
-cmc-signing-tool -in $TMP/os.manifest."${SER}" -out $OUT/os.manifest."${SER}" -keys $KEY -x5cs $CHAIN
-cmc-signing-tool -in $TMP/device.description."${SER}" -out $OUT/device.description."${SER}" -keys $KEY -x5cs $CHAIN
-cmc-signing-tool -in $TMP/device.config."${SER}" -out $OUT/device.config."${SER}" -keys $KEY -x5cs $CHAIN
+# Update and sign metadata
+"${data}/update-full-simple" "${data}" "${ser}"
diff --git a/example-setup/setup-pki-ids b/example-setup/setup-pki-ids
index a6444d16..f3d2410c 100755
--- a/example-setup/setup-pki-ids
+++ b/example-setup/setup-pki-ids
@@ -1,24 +1,25 @@ #!/bin/bash -set -e +set -euo pipefail -DIR="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd -P)" -CMC_DIR="$DIR/.." +trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT +dir="$(CDPATH='' cd -- "$(dirname -- "$0")/.." && pwd -P)" -IN="$CMC_DIR/example-setup" -OUT="$DIR/pki" +cmc="${dir}/.." +input="${cmc}/example-setup" +out="${dir}" print_usage() { - printf "Usage: ./setup_simple_pki [-i ] [-o ] [-o "$OUT/sqlite_db_subcas.json" +# shellcheck disable=SC2002 +cat "${input}/certs_subcas.sql" | sqlite3 "${out}/certdb_subcas.db" +echo "{\"driver\":\"sqlite3\",\"data_source\":\"${out}/certdb_subcas.db\"}" > "${out}/sqlite_db_subcas.json" # Generate key/certificate for OCSP Signing -cfssl genkey "$IN/ocsp_subcas.json" | cfssljson -bare "$OUT/ocsp_subcas" -cfssl sign -ca "$OUT/ca.pem" -ca-key "$OUT/ca-key.pem" "$OUT/ocsp_subcas.csr" | cfssljson -bare "$OUT/ocsp_subcas" +cfssl genkey "${input}/ocsp_subcas.json" | cfssljson -bare "${out}/ocsp_subcas" +cfssl sign -ca "${out}/ca.pem" -ca-key "${out}/ca-key.pem" "${out}/ocsp_subcas.csr" | cfssljson -bare "${out}/ocsp_subcas" # 3. 
Set up the intermediate CAs (using device_sub_ca.json and user_sub_ca.json)
-cfssl genkey "$IN/device_sub_ca.json" | cfssljson -bare "$OUT/device_sub_ca"
-cfssl sign -ca "$OUT/ca.pem" -ca-key "$OUT/ca-key.pem" -db-config "$OUT/sqlite_db_subcas.json" --config "$IN/ca-config.json" -profile intermediate "$OUT/device_sub_ca.csr" | cfssljson -bare "$OUT/device_sub_ca"
+cfssl genkey "${input}/device_sub_ca.json" | cfssljson -bare "${out}/device_sub_ca"
+cfssl sign -ca "${out}/ca.pem" -ca-key "${out}/ca-key.pem" -db-config "${out}/sqlite_db_subcas.json" --config "${input}/ca-config.json" -profile intermediate "${out}/device_sub_ca.csr" | cfssljson -bare "${out}/device_sub_ca"
-cfssl genkey "$IN/user_sub_ca.json" | cfssljson -bare "$OUT/user_sub_ca"
-cfssl sign -ca "$OUT/ca.pem" -ca-key "$OUT/ca-key.pem" -db-config "$OUT/sqlite_db_subcas.json" --config "$IN/ca-config.json" -profile intermediate "$OUT/user_sub_ca.csr" | cfssljson -bare "$OUT/user_sub_ca"
+cfssl genkey "${input}/user_sub_ca.json" | cfssljson -bare "${out}/user_sub_ca"
+cfssl sign -ca "${out}/ca.pem" -ca-key "${out}/ca-key.pem" -db-config "${out}/sqlite_db_subcas.json" --config "${input}/ca-config.json" -profile intermediate "${out}/user_sub_ca.csr" | cfssljson -bare "${out}/user_sub_ca"
 # 4.
Set up OCSP Servers for the User Sub CAs
-cat "$IN/certs_users.sql" | sqlite3 "$OUT/certdb_users.db"
-echo "{\"driver\":\"sqlite3\",\"data_source\":\"$OUT/certdb_users.db\"}" > "$OUT/sqlite_db_users.json"
+# shellcheck disable=SC2002
+cat "${input}/certs_users.sql" | sqlite3 "${out}/certdb_users.db"
+echo "{\"driver\":\"sqlite3\",\"data_source\":\"${out}/certdb_users.db\"}" > "${out}/sqlite_db_users.json"
 # Generate key/certificate for OCSP Signing
-cfssl genkey "$IN/ocsp_users.json" | cfssljson -bare "$OUT/ocsp_users"
-cfssl sign -ca "$OUT/user_sub_ca.pem" -ca-key "$OUT/user_sub_ca-key.pem" "$OUT/ocsp_users.csr" | cfssljson -bare "$OUT/ocsp_users"
+cfssl genkey "${input}/ocsp_users.json" | cfssljson -bare "${out}/ocsp_users"
+cfssl sign -ca "${out}/user_sub_ca.pem" -ca-key "${out}/user_sub_ca-key.pem" "${out}/ocsp_users.csr" | cfssljson -bare "${out}/ocsp_users"
 # 5. Set up OCSP Servers for the User Sub CAs
-cat "$IN/certs_devices.sql" | sqlite3 "$OUT/certdb_devices.db"
-echo "{\"driver\":\"sqlite3\",\"data_source\":\"$OUT/certdb_devices.db\"}" > "$OUT/sqlite_db_devices.json"
+# shellcheck disable=SC2002
+cat "${input}/certs_devices.sql" | sqlite3 "${out}/certdb_devices.db"
+echo "{\"driver\":\"sqlite3\",\"data_source\":\"${out}/certdb_devices.db\"}" > "${out}/sqlite_db_devices.json"
 # Generate key/certificate for OCSP Signing
-cfssl genkey "$IN/ocsp_devices.json" | cfssljson -bare "$OUT/ocsp_devices"
-cfssl sign -ca "$OUT/device_sub_ca.pem" -ca-key "$OUT/device_sub_ca-key.pem" "$OUT/ocsp_devices.csr" | cfssljson -bare "$OUT/ocsp_devices"
+cfssl genkey "${input}/ocsp_devices.json" | cfssljson -bare "${out}/ocsp_devices"
+cfssl sign -ca "${out}/device_sub_ca.pem" -ca-key "${out}/device_sub_ca-key.pem" "${out}/ocsp_devices.csr" | cfssljson -bare "${out}/ocsp_devices"
 # Generate and sign certs for all needed users
 gen () {
- cfssl genkey -config "$IN/ca-config.json" -profile user "$IN/$1.json" | cfssljson -bare "$OUT/$1"
- cfssl sign -ca "$OUT/user_sub_ca.pem"
-ca-key "$OUT/user_sub_ca-key.pem" -db-config "$OUT/sqlite_db_users.json" "$OUT/$1.csr" | cfssljson -bare "$OUT/$1"
+ cfssl genkey -config "${input}/ca-config.json" -profile user "${input}/$1.json" | cfssljson -bare "${out}/$1"
+ cfssl sign -ca "${out}/user_sub_ca.pem" -ca-key "${out}/user_sub_ca-key.pem" -db-config "${out}/sqlite_db_users.json" "${out}/$1.csr" | cfssljson -bare "${out}/$1"
 }
 gen developer_A
@@ -94,7 +98,7 @@ gen certifier_A
 gen certifier_B
 # Generate key and CSR for EST server
-cfssl genkey -config "$IN/ca-config.json" -profile leafcert "$IN/cfssl-est.json" | cfssljson -bare "$OUT/est"
+cfssl genkey -config "${input}/ca-config.json" -profile leafcert "${input}/cfssl-est.json" | cfssljson -bare "${out}/est"
 # Sign CSR and generate certificate for EST server
-cfssl sign -ca "$OUT/ca.pem" -ca-key "$OUT/ca-key.pem" "$OUT/est.csr" | cfssljson -bare "$OUT/est"
+cfssl sign -ca "${out}/ca.pem" -ca-key "${out}/ca-key.pem" "${out}/est.csr" | cfssljson -bare "${out}/est"
diff --git a/example-setup/setup-pki-simple b/example-setup/setup-pki-simple
index e8892b35..3ee993c3 100755
--- a/example-setup/setup-pki-simple
+++ b/example-setup/setup-pki-simple
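Review bot: The new default paths at the top of this file look off by one directory level: `dir` now already resolves `$(dirname -- "$0")/..`, and `cmc="${dir}/.."` climbs a second time, so when the script is run from the repository's example-setup directory `input="${cmc}/example-setup"` points outside the repository and `out="${dir}"` drops the generated CA and signing material (including the `*-key.pem` private keys) into the repository root instead of the old `$DIR/pki`. The setup-full-* scripts pass `-i`/`-o` explicitly, so this presumably only surfaces when the script is run by hand with its defaults. If the old layout is intended, `cmc="${dir}"` together with `out="${dir}/example-setup/pki"` (or resolving `dir` without the `/..`) restores it; please confirm which directory is meant, since setup-pki-simple carries the same three lines. Separately, the added `# shellcheck disable=SC2002` annotations become unnecessary if the SQL is redirected rather than piped through `cat`, e.g. `sqlite3 "${out}/certdb_subcas.db" < "${input}/certs_subcas.sql"`. The option parsing that overrides these defaults is garbled on this page and was not reviewed.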
@@ -1,24 +1,25 @@ #!/bin/bash -set -e +set -euo pipefail -DIR="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd -P)" -CMC_DIR="$DIR/.." +trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT +dir="$(CDPATH='' cd -- "$(dirname -- "$0")/.." && pwd -P)" -IN="$CMC_DIR/example-setup" -OUT="$DIR" +cmc="${dir}/.." +input="${cmc}/example-setup" +out="${dir}" print_usage() { - printf "Usage: ./setup_simple_pki [-i ] [-o ] [-o " exit 1 fi -data="$(abs_path $1)" +data=$(set -e; abs_path "$1") +input="${data}/metadata-raw" +tmp="${data}/metadata-tmp" +output="${data}/metadata-signed" ser="${2}" -if [ ! -d "${data}" ]; then +if [[ ! -d "${data}" ]]; then echo "Data directory ${data} does not exist. Did you run the setup-full-simple script? Abort.." exit 1 fi echo "Using ${data} as directory for local data" -export PATH=$PATH:$HOME/go/bin - -# Delete existing reference values in manifest -jq 'del(.referenceValues[])' ${data}/metadata-raw/app.manifest.json | sponge ${data}/metadata-raw/app.manifest.json - # Load manifest json=$(cat "${data}/metadata-raw/app.manifest.json") -# Hash apps on the system -sources=( - "/usr/bin" - "/usr/sbin" -) -echo "Hashing apps and configuration.." -for source in "${sources[@]}"; do - - echo "Hashing files in ${source}.." - - # Check if the directory exists - if [[ ! -d "${source}" ]]; then - echo "[generate-app-manifests] Path ${source} does not exist." 
- exit 1
- fi
-
- # Hash the software artifacts
- while IFS= read -r -d '' path; do
- if [[ -f "${path}" ]]; then
- out=$(sha256sum "${path}")
- hash="${out%% *}"
- filename=$(basename "${path}")
- index=$(echo "${path}" | grep -b -o 'target/' | head -n 1 | cut -d':' -f1)
- if [[ -n "${index}" ]]; then
- description="${path:$((index + 6))}"
- else
- description=""
- fi
-
- ref="{
- \"type\" : \"TPM Reference Value\",
- \"name\" : \"$(unknown)\",
- \"pcr\" : 10,
- \"sha256\" : \"${hash}\",
- \"description\" : \"${description}\"
- }"
-
- # Add reference value to manifests
- extendarr "referenceValues" "${ref}"
- fi
- done < <(find "${source}" -type f -print0 2>/dev/null)
-done
-
-echo "Finished hashing"
-
-printf "%s\n" "${json}" > "${data}/metadata-raw/app.manifest.json"
+# Calculate the IMA app reference values
+referenceValues=$(sudo calculate-ima-pcr -t 10 -i ima-ng -p /usr/bin)
+
+# Replace existing reference values with new reference values in the App Manifest
+json=$(cat "${input}/app.manifest.json")
+json=$(echo "${json}" | jq 'del(.referenceValues[])')
+json=$(echo "${json}" | jq --argjson ver "${referenceValues}" '.referenceValues += $ver')
+printf "%s\n" "${json}" > "${input}/app.manifest.json"
 # Sign the metadata*
-input=${data}/metadata-raw
-tmp=${data}/metadata-tmp
-output=${data}/metadata-signed
-key=${data}/pki/signing-cert-key.pem
-chain=${data}/pki/signing-cert.pem,${data}/pki/ca.pem
+key="${data}/pki/signing-cert-key.pem"
+chain="${data}/pki/signing-cert.pem,${data}/pki/ca.pem"
-rm -rf ${tmp}/app.manifest.*
-rm -rf ${out}/app.manifest.*
+rm -rf "${tmp}"/app.manifest.*
+rm -rf "${output}"/app.manifest.*
 # Convert to CBOR if specified
-if [ "${ser,,}" = "json" ]; then
+if [[ "${ser,,}" = "json" ]]; then
 echo "using json serialization"
- cp ${input}/app.manifest.json ${tmp}/app.manifest.json
-elif [ "${ser,,}" = "cbor" ]; then
+ cp "${input}/app.manifest.json" "${tmp}/app.manifest.json"
+elif [[ "${ser,,}" = "cbor" ]]; then
 echo "using cbor
serialiation"
- cmc-converter -in ${input}/app.manifest.json -out ${tmp}/app.manifest.cbor -outform cbor
+ cmc-converter -in "${input}/app.manifest.json" -out "${tmp}/app.manifest.cbor" -outform cbor
 else
 echo "serialization format ${ser} is not supported"
 exit 1
 fi
-cmc-signing-tool -in ${tmp}/app.manifest."${ser}" -out ${output}/app.manifest."${ser}" -keys "${key}" -x5cs "${chain}"
\ No newline at end of file
+cmc-signing-tool -in "${tmp}/app.manifest.${ser}" -out "${output}/app.manifest.${ser}" -keys "${key}" -x5cs "${chain}"
\ No newline at end of file
diff --git a/example-setup/update-app-manifest-live b/example-setup/update-app-manifest-live
index e3e56cc1..81f20e62 100755
--- a/example-setup/update-app-manifest-live
+++ b/example-setup/update-app-manifest-live
@@ -1,11 +1,14 @@
 #!/bin/bash
-set -e
+set -euo pipefail
-function abs_path() {
- if [ -d "$(dirname "$1")" ]
+trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT
+export PATH=${PATH}:${HOME}/go/bin
+
+abs_path() {
+ if [[ -d "$(dirname "$1")" ]]
 then
- echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+ echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true
 fi
 }
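Review bot: The new `referenceValues=$(sudo calculate-ima-pcr -t 10 -i ima-ng -p /usr/bin)` only covers `/usr/bin`, whereas the removed hashing loop iterated over both `/usr/bin` and `/usr/sbin`, so executables under `/usr/sbin` silently drop out of the app manifest's reference values and their IMA measurements presumably no longer have a match at verification time. Either pass both directories (if `calculate-ima-pcr -p` accepts more than one, which this page does not show) or state the narrowed scope in the comment, e.g. `# Calculate the IMA app reference values (only /usr/bin is covered; /usr/sbin is intentionally excluded)`. The earlier context line `json=$(cat "${data}/metadata-raw/app.manifest.json")` under `# Load manifest` is now dead, since the added lines re-read the file into `json`, and can be removed. This hunk's file header is missing from the page, so the script name is inferred from its contents.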
@@ -18,56 +21,54 @@ extendarr() {
 json="$(echo "${json}" | jq ".${key} += [${param}]")"
 }
-if [ "$#" -ne 2 ]; then
- echo "Usage: ./update-app-manifest "
+if [[ "$#" -ne 2 ]]; then
+ echo "Usage: ./update-app-manifest-live "
 exit 1
 fi
-data="$(abs_path $1)"
+data=$(set -e; abs_path "$1")
+input="${data}/metadata-raw"
+tmp="${data}/metadata-tmp"
+out="${data}/metadata-signed"
 ser="${2}"
-if [ ! -d "${data}" ]; then
+if [[ ! -d "${data}" ]]; then
 echo "Data directory ${data} does not exist. Did you run the setup-full-simple script? Abort.."
 exit 1
 fi
 echo "Using ${data} as directory for local data"
-export PATH=$PATH:$HOME/go/bin
-
 # Parse the IMA measurement lists
 referenceValues=$(sudo parse-ima-log)
 # Delete existing reference values in manifest
-jq 'del(.referenceValues[])' ${data}/metadata-raw/app.manifest.json | sponge ${data}/metadata-raw/app.manifest.json
+jq 'del(.referenceValues[])' "${data}/metadata-raw/app.manifest.json" | sponge "${data}/metadata-raw/app.manifest.json"
 # Insert new reference values
 json=$(cat "${data}/metadata-raw/app.manifest.json")
 while IFS= read -r element; do
- json=$(echo "$json" | jq --argjson element "$element" '.referenceValues += [$element]')
+ json=$(echo "${json}" | jq --argjson element "${element}" '.referenceValues += [$element]')
 done < <(echo "${referenceValues}" | jq -c '.[]')
 printf "%s\n" "${json}" > "${data}/metadata-raw/app.manifest.json"
 # Sign the metadata*
-input=${data}/metadata-raw
-tmp=${data}/metadata-tmp
-output=${data}/metadata-signed
-key=${data}/pki/signing-cert-key.pem
-chain=${data}/pki/signing-cert.pem,${data}/pki/ca.pem
+key="${data}/pki/signing-cert-key.pem"
+chain="${data}/pki/signing-cert.pem,${data}/pki/ca.pem"
-rm -rf ${tmp}/app.manifest.*
-rm -rf ${out}/app.manifest.*
+rm -rf "${tmp}"/app.manifest.*
+rm -rf "${out}"/app.manifest.*
 # Convert to CBOR if specified
-if [ "${ser,,}" = "json" ]; then
+if [[ "${ser,,}" = "json" ]]; then
 echo "using json serialization"
- cp ${input}/app.manifest.json
${tmp}/app.manifest.json
-elif [ "${ser,,}" = "cbor" ]; then
+ cp "${input}/app.manifest.json" "${tmp}/app.manifest.json"
+elif [[ "${ser,,}" = "cbor" ]]; then
 echo "using cbor serialiation"
- cmc-converter -in ${input}/app.manifest.json -out ${tmp}/app.manifest.cbor -outform cbor
+ cmc-converter -in "${input}/app.manifest.json" -out "${tmp}/app.manifest.cbor" -outform cbor
 else
 echo "serialization format ${ser} is not supported"
 exit 1
 fi
-cmc-signing-tool -in ${tmp}/app.manifest."${ser}" -out ${output}/app.manifest."${ser}" -keys "${key}" -x5cs "${chain}"
\ No newline at end of file
+cmc-signing-tool -in "${tmp}/app.manifest.${ser}" -out "${out}/app.manifest.${ser}" -keys "${key}" -x5cs "${chain}"
\ No newline at end of file
diff --git a/example-setup/update-full-ids b/example-setup/update-full-ids
index 6b68001e..1c78115c 100755
--- a/example-setup/update-full-ids
+++ b/example-setup/update-full-ids
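Review bot: The `while IFS= read -r element; do json=$(echo "${json}" | jq --argjson element ...)` loop re-parses and re-serialises the whole manifest once per reference value, which for an IMA log can mean a very large number of jq processes, while the sibling scripts in this commit merge the array in a single call. Since `referenceValues` is already a JSON array, the `del(...)`/`sponge` line and the loop collapse to `json=$(jq --argjson ver "${referenceValues}" 'del(.referenceValues[]) | .referenceValues += $ver' "${data}/metadata-raw/app.manifest.json")` followed by the existing `printf`. The `extendarr` helper at the top of the hunk appears to have no remaining caller in this file; if that holds, it should be removed as well. The start of the file is outside this hunk.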
@@ -1,98 +1,102 @@
 #!/bin/bash
-set -e
+set -euo pipefail
+
+trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT
+export PATH=${PATH}:${HOME}/go/bin
 function abs_path() {
- if [ -d "$(dirname "$1")" ]
+ if [[ -d "$(dirname "$1")" ]]
 then
- echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+ echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true
 fi
 }
-if [ "$#" -ne 2 ]; then
+if [[ "$#" -ne 2 ]]; then
 echo "Usage: ./update-full-ids "
 exit 1
 fi
-DATA="$(abs_path $1)"
-SER="$2"
+data=$(set -e; abs_path "$1")
+input="${data}/metadata-raw"
+tmp="${data}/metadata-tmp"
+out="${data}/metadata-signed"
+ser="$2"
-if [ ! -d "$DATA" ]; then
- echo "Data directory $DATA does not exist. Did you run the setup-full-ids script? Abort.."
+if [[ ! -d "${data}" ]]; then
+ echo "Data directory ${data} does not exist. Did you run the setup-full-ids script? Abort.."
 exit 1
 fi
-export PATH=$PATH:$HOME/go/bin
-
-echo "Using $DATA as directory for local data"
+echo "Using ${data} as directory for local data"
 # Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
-referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json)
+referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json -e)
-# Delete existing reference values in the RTM Manifest
-jq 'del(.referenceValues[])' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
+# Replace existing reference values with new reference values in the RTM Manifest
+json=$(cat "${input}/rtm.manifest.json")
+json=$(echo "${json}" | jq 'del(.referenceValues[])')
+json=$(echo "${json}" | jq --argjson ver "${referenceValues}" '.referenceValues += $ver')
+printf "%s\n" "${json}" > "${input}/rtm.manifest.json"
-# Add new reference values
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
+# Parse the values of the OS PCRs from the kernel's binary bios
measurements as reference values
+referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json -e)
-# Do this for the OS manifest as well
-referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json)
-jq 'del(.referenceValues[])' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
+# Replace existing reference values with new reference values in the OS Manifest
+json=$(cat "${input}/os.manifest.json")
+json=$(echo "${json}" | jq 'del(.referenceValues[])')
+json=$(echo "${json}" | jq --argjson ver "${referenceValues}" '.referenceValues += $ver')
+printf "%s\n" "${json}" > "${input}/os.manifest.json"
 # Sign the metadata*
-IN=$DATA/metadata-raw
-TMP=$DATA/metadata-tmp
-OUT=$DATA/metadata-signed
-
-KEY_DEV_A=$DATA/pki/developer_A-key.pem
-CHAIN_DEV_A=$DATA/pki/developer_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
+key_dev_a="${data}"/pki/developer_A-key.pem
+chain_dev_a="${data}"/pki/developer_A.pem,"${data}"/pki/user_sub_ca.pem,"${data}"/pki/ca.pem
-KEY_DEV_B=$DATA/pki/developer_B-key.pem
-CHAIN_DEV_B=$DATA/pki/developer_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
+key_dev_b="${data}"/pki/developer_B-key.pem
+chain_dev_b="${data}"/pki/developer_B.pem,"${data}"/pki/user_sub_ca.pem,"${data}"/pki/ca.pem
-KEY_EVA_A=$DATA/pki/evaluator_A-key.pem
-CHAIN_EVA_A=$DATA/pki/evaluator_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
+key_eva_a="${data}"/pki/evaluator_A-key.pem
+chain_eva_a="${data}"/pki/evaluator_A.pem,"${data}"/pki/user_sub_ca.pem,"${data}"/pki/ca.pem
-KEY_EVA_B=$DATA/pki/evaluator_B-key.pem
-CHAIN_EVA_B=$DATA/pki/evaluator_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
+key_eva_b="${data}"/pki/evaluator_B-key.pem
+chain_eva_b="${data}"/pki/evaluator_B.pem,"${data}"/pki/user_sub_ca.pem,"${data}"/pki/ca.pem
-KEY_CERT_A=$DATA/pki/certifier_A-key.pem
-CHAIN_CERT_A=$DATA/pki/certifier_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
+key_cert_a="${data}"/pki/certifier_A-key.pem
+chain_cert_a="${data}"/pki/certifier_A.pem,"${data}"/pki/user_sub_ca.pem,"${data}"/pki/ca.pem
-KEY_CERT_B=$DATA/pki/certifier_B-key.pem
-CHAIN_CERT_B=$DATA/pki/certifier_B.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
+key_cert_b="${data}"/pki/certifier_B-key.pem
+chain_cert_b="${data}"/pki/certifier_B.pem,"${data}"/pki/user_sub_ca.pem,"${data}"/pki/ca.pem
-KEY_OP_A=$DATA/pki/operator_A-key.pem
-CHAIN_OP_A=$DATA/pki/operator_A.pem,$DATA/pki/user_sub_ca.pem,$DATA/pki/ca.pem
+key_op_a="${data}"/pki/operator_A-key.pem
+chain_op_a="${data}"/pki/operator_A.pem,"${data}"/pki/user_sub_ca.pem,"${data}"/pki/ca.pem
-rm -rf $TMP
-rm -rf $OUT
+rm -rf "${tmp}"
+rm -rf "${out}"
-mkdir -p $TMP
-mkdir -p $OUT
+mkdir -p "${tmp}"
+mkdir -p "${out}"
-if [ "${SER,,}" = "json" ]; then
+if [[ "${ser,,}" = "json" ]]; then
 echo "using json serialization"
- cp $IN/rtm.manifest.json $TMP/rtm.manifest.json
- cp $IN/os.manifest.json $TMP/os.manifest.json
- cp $IN/device.description.json $TMP/device.description.json
- cp $IN/device.config.json $TMP/device.config.json
- cp $IN/company.description.json $TMP/company.description.json
-elif [ "${SER,,}" = "cbor" ]; then
+ cp "${input}/rtm.manifest.json" "${tmp}/rtm.manifest.json"
+ cp "${input}/os.manifest.json" "${tmp}/os.manifest.json"
+ cp "${input}/device.description.json" "${tmp}/device.description.json"
+ cp "${input}/device.config.json" "${tmp}/device.config.json"
+ cp "${input}/company.description.json" "${tmp}/company.description.json"
+elif [[ "${ser,,}" = "cbor" ]]; then
 echo "using cbor serialiation"
- cmc-converter -in $IN/rtm.manifest.json -out $TMP/rtm.manifest.cbor -outform cbor
- cmc-converter -in $IN/os.manifest.json -out $TMP/os.manifest.cbor -outform cbor
- cmc-converter -in $IN/device.description.json -out $TMP/device.description.cbor -outform cbor
- cmc-converter -in $IN/device.config.json -out
$TMP/device.config.cbor -outform cbor
- cmc-converter -in $IN/company.description.json -out $TMP/company.description.cbor -outform cbor
+ cmc-converter -in "${input}/rtm.manifest.json" -out "${tmp}/rtm.manifest.cbor" -outform cbor
+ cmc-converter -in "${input}/os.manifest.json" -out "${tmp}/os.manifest.cbor" -outform cbor
+ cmc-converter -in "${input}/device.description.json" -out "${tmp}/device.description.cbor" -outform cbor
+ cmc-converter -in "${input}/device.config.json" -out "${tmp}/device.config.cbor" -outform cbor
+ cmc-converter -in "${input}/company.description.json" -out "${tmp}/company.description.cbor" -outform cbor
 else
- echo "serialization format ${SER} is not supported"
+ echo "serialization format ${ser} is not supported"
 exit 1
 fi
-cmc-signing-tool -in $TMP/rtm.manifest."${SER}" -out $OUT/rtm.manifest."${SER}" -keys $KEY_DEV_A,$KEY_EVA_A,$KEY_CERT_A -x5cs $CHAIN_DEV_A:$CHAIN_EVA_A:$CHAIN_CERT_A
-cmc-signing-tool -in $TMP/os.manifest."${SER}" -out $OUT/os.manifest."${SER}" -keys $KEY_DEV_B,$KEY_EVA_A,$KEY_CERT_A -x5cs $CHAIN_DEV_B:$CHAIN_EVA_A:$CHAIN_CERT_A
-cmc-signing-tool -in $TMP/company.description."${SER}" -out $OUT/company.description."${SER}" -keys $KEY_OP_A,$KEY_EVA_B,$KEY_CERT_B -x5cs $CHAIN_OP_A:$CHAIN_EVA_B:$CHAIN_CERT_B
-cmc-signing-tool -in $TMP/device.description."${SER}" -out $OUT/device.description."${SER}" -keys $KEY_OP_A -x5cs $CHAIN_OP_A
-cmc-signing-tool -in $TMP/device.config."${SER}" -out $OUT/device.config."${SER}" -keys $KEY_OP_A -x5cs $CHAIN_OP_A
\ No newline at end of file
+cmc-signing-tool -in "${tmp}/rtm.manifest.${ser}" -out "${out}/rtm.manifest.${ser}" -keys "${key_dev_a},${key_eva_a},${key_cert_a}" -x5cs "${chain_dev_a}:${chain_eva_a}:${chain_cert_a}"
+cmc-signing-tool -in "${tmp}/os.manifest.${ser}" -out "${out}/os.manifest.${ser}" -keys "${key_dev_b},${key_eva_a},${key_cert_a}" -x5cs "${chain_dev_b}:${chain_eva_a}:${chain_cert_a}"
+cmc-signing-tool -in "${tmp}/company.description.${ser}" -out
"${out}/company.description.${ser}" -keys "${key_op_a},${key_eva_b},${key_cert_b}" -x5cs "${chain_op_a}:${chain_eva_b}:${chain_cert_b}"
+cmc-signing-tool -in "${tmp}/device.description.${ser}" -out "${out}/device.description.${ser}" -keys "${key_op_a}" -x5cs "${chain_op_a}"
+cmc-signing-tool -in "${tmp}/device.config.${ser}" -out "${out}/device.config.${ser}" -keys "${key_op_a}" -x5cs "${chain_op_a}"
\ No newline at end of file
diff --git a/example-setup/update-full-simple b/example-setup/update-full-simple
index 6b768c86..6c3785e2 100755
--- a/example-setup/update-full-simple
+++ b/example-setup/update-full-simple
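Review bot: The four-line read/delete/append/write sequence added for the RTM manifest is repeated verbatim for the OS manifest a few lines further down, and again in update-full-simple and the app-manifest script; each copy also pipes `echo "${json}"` into jq twice where a single jq program reading the file does the same work in one pass. A small helper gives one place to keep the quoting and the jq filter right and removes the intermediate `echo`. The signing section at the end of the file is unchanged in intent and is left as is.
```shell
# Replace the referenceValues array of manifest $1 with the JSON array in $2.
replace_reference_values() {
  local manifest=$1 values=$2 json
  json=$(jq --argjson ver "${values}" 'del(.referenceValues[]) | .referenceValues += $ver' "${manifest}")
  printf "%s\n" "${json}" > "${manifest}"
}

# Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json -e)
replace_reference_values "${input}/rtm.manifest.json" "${referenceValues}"

# Parse the values of the OS PCRs from the kernel's binary bios measurements as reference values
referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json -e)
replace_reference_values "${input}/os.manifest.json" "${referenceValues}"
# … unchanged: key/chain variables, tmp/out directories, conversion and signing …
```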
@@ -1,76 +1,82 @@
 #!/bin/bash
-set -e
+set -euo pipefail
-function abs_path() {
- if [ -d "$(dirname "$1")" ]
+trap '[ $? -eq 0 ] && exit 0; printf "%s failed\n" "$0"' EXIT
+export PATH=${PATH}:${HOME}/go/bin
+
+abs_path() {
+ if [[ -d "$(dirname "$1")" ]]
 then
- echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
+ echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" || true
 fi
 }
-if [ "$#" -ne 2 ]; then
+
+if [[ "$#" -ne 2 ]]; then
 echo "Usage: ./update-full-simple "
 exit 1
 fi
-DATA="$(abs_path $1)"
-SER="$2"
+data=$(set -e; abs_path "${1}")
+input="${data}/metadata-raw"
+tmp="${data}/metadata-tmp"
+out="${data}/metadata-signed"
+ser="${2}"
-if [ ! -d "$DATA" ]; then
- echo "Data directory $DATA does not exist. Did you run the setup-full-simple script? Abort.."
+if [[ ! -d "${data}" ]]; then
+ echo "Data directory ${1} does not exist. Did you run the setup-full-simple script? Abort.."
 exit 1
 fi
-echo "Using $DATA as directory for local data"
-
-export PATH=$PATH:$HOME/go/bin
+echo "Using ${data} as directory for local data"
 # Parse the values of the RTM PCRs from the kernel's binary bios measurements as reference values
-referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json)
+referenceValues=$(sudo parse-srtm-pcrs -p 0,1,2,3,4,5,6,7 -f json -e)
-# Delete existing reference values in the RTM Manifest
-jq 'del(.referenceValues[])' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
+# Replace existing reference values with new reference values in the RTM Manifest
+json=$(cat "${input}/rtm.manifest.json")
+json=$(echo "${json}" | jq 'del(.referenceValues[])')
+json=$(echo "${json}" | jq --argjson ver "${referenceValues}" '.referenceValues += $ver')
+printf "%s\n" "${json}" > "${input}/rtm.manifest.json"
-# Add new reference values
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/rtm.manifest.json | sponge $DATA/metadata-raw/rtm.manifest.json
+# Parse the values of the OS PCRs from the kernel's binary bios measurements as reference values
+referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json -e)
-# Do this for the OS manifest as well
-referenceValues=$(sudo parse-srtm-pcrs -p 8,9 -f json)
-jq 'del(.referenceValues[])' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
-jq --argjson ver "$referenceValues" '.referenceValues += $ver' $DATA/metadata-raw/os.manifest.json | sponge $DATA/metadata-raw/os.manifest.json
+# Replace existing reference values with new reference values in the RTM Manifest
+json=$(cat "${input}/os.manifest.json")
+json=$(echo "${json}" | jq 'del(.referenceValues[])')
+json=$(echo "${json}" | jq --argjson ver "${referenceValues}" '.referenceValues += $ver')
+printf "%s\n" "${json}" > "${input}/os.manifest.json"
 # Sign the metadata*
-IN=$DATA/metadata-raw
-TMP=$DATA/metadata-tmp
-OUT=$DATA/metadata-signed
-KEY=$DATA/pki/signing-cert-key.pem
-CHAIN=$DATA/pki/signing-cert.pem,$DATA/pki/ca.pem
+key="${data}/pki/signing-cert-key.pem"
+chain="${data}/pki/signing-cert.pem,${data}/pki/ca.pem"
-rm -rf $TMP
-rm -rf $OUT
+rm -rf "${tmp}"
+rm -rf "${out}"
-mkdir -p $TMP
-mkdir -p $OUT
+mkdir -p "${tmp}"
+mkdir -p "${out}"
-if [ "${SER,,}" = "json" ]; then
+if [[ "${ser,,}" = "json" ]]; then
 echo "using json serialization"
- cp $IN/rtm.manifest.json $TMP/rtm.manifest.json
- cp $IN/os.manifest.json $TMP/os.manifest.json
- cp $IN/device.description.json $TMP/device.description.json
- cp $IN/device.config.json $TMP/device.config.json
-elif [ "${SER,,}" = "cbor" ]; then
+ cp "${input}/rtm.manifest.json" "${tmp}/rtm.manifest.json"
+ cp "${input}/os.manifest.json" "${tmp}/os.manifest.json"
+ cp "${input}/device.description.json" "${tmp}/device.description.json"
+ cp "${input}/device.config.json" "${tmp}/device.config.json"
+elif [[ "${ser,,}" = "cbor" ]]; then
 echo "using cbor serialiation"
- cmc-converter -in $IN/rtm.manifest.json -out $TMP/rtm.manifest.cbor -outform cbor
- cmc-converter -in $IN/os.manifest.json -out $TMP/os.manifest.cbor -outform cbor
- cmc-converter -in $IN/device.description.json -out $TMP/device.description.cbor -outform cbor
- cmc-converter -in $IN/device.config.json -out $TMP/device.config.cbor -outform cbor
+ cmc-converter -in "${input}/rtm.manifest.json" -out "${tmp}/rtm.manifest.cbor" -outform cbor
+ cmc-converter -in "${input}/os.manifest.json" -out "${tmp}/os.manifest.cbor" -outform cbor
+ cmc-converter -in "${input}/device.description.json" -out "${tmp}/device.description.cbor" -outform cbor
+ cmc-converter -in "${input}/device.config.json" -out "${tmp}/device.config.cbor" -outform cbor
 else
- echo "serialization format ${SER} is not supported"
+ echo "serialization format ${ser} is not supported"
 exit 1
 fi
-cmc-signing-tool -in $TMP/rtm.manifest."${SER}" -out $OUT/rtm.manifest."${SER}" -keys $KEY -x5cs $CHAIN
-cmc-signing-tool -in $TMP/os.manifest."${SER}" -out $OUT/os.manifest."${SER}" -keys $KEY -x5cs $CHAIN
-cmc-signing-tool -in $TMP/device.description."${SER}" -out $OUT/device.description."${SER}" -keys $KEY -x5cs $CHAIN
-cmc-signing-tool -in $TMP/device.config."${SER}" -out $OUT/device.config."${SER}" -keys $KEY -x5cs $CHAIN
+cmc-signing-tool -in "${tmp}/rtm.manifest.${ser}" -out "${out}/rtm.manifest.${ser}" -keys "${key}" -x5cs "${chain}"
+cmc-signing-tool -in "${tmp}/os.manifest.${ser}" -out "${out}/os.manifest.${ser}" -keys "${key}" -x5cs "${chain}"
+cmc-signing-tool -in "${tmp}/device.description.${ser}" -out "${out}/device.description.${ser}" -keys "${key}" -x5cs "${chain}"
+cmc-signing-tool -in "${tmp}/device.config.${ser}" -out "${out}/device.config.${ser}" -keys "${key}" -x5cs "${chain}"
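Review bot: The comment introduced above the second manifest rewrite still reads `# Replace existing reference values with new reference values in the RTM Manifest` although that block reads and writes `os.manifest.json`; it should say `# Replace existing reference values with new reference values in the OS Manifest`, otherwise a reader checking which PCRs (8,9) end up in which manifest is misled. The new EXIT trap prints its diagnostic to stdout; `printf "%s failed\n" "$0" >&2` keeps the failure message separate from anything a caller captures from this script. The `|| true` appended to the `echo` in `abs_path` does not change behaviour (the `$(cd … && pwd)` substitution is an argument, so its failure never reaches `echo`'s status) and could be dropped to keep the intent clear; this is the only place where `set -e` is being worked around rather than relied on.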