# Copyright 2014 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Upstart job definition for the attestation daemon.
description "Chromium OS device attestation service."
author "chromium-os-dev@chromium.org"
# Start only once both tpm_managerd and boot-services have started;
# stop as soon as boot-services begins stopping.
start on started tpm_managerd and started boot-services
stop on stopping boot-services
# Restart the daemon if it exits unexpectedly.
respawn
# Where we store the attestation-based enterprise enrollment data. The
# daemon will check for this environment variable and read the file at
# startup before forking.
env ABE_DATA_FILE=/run/attestationd.abe_data
# Former and current locations of attestation.epb; the pre-start script
# below moves the file from the first to the second. Both are on the
# stateful partition, which that script treats as untrusted.
env OLD_ATTESTATION_PATH="/mnt/stateful_partition/home/.shadow/attestation.epb"
env NEW_ATTESTATION_PATH=\
"/mnt/stateful_partition/unencrypted/preserve/attestation.epb"
# Preparation that runs before the daemon itself is started.
pre-start script
# Paths under the stateful partition cannot be trusted. Only operate
# on them after verifying that they don't contain symlinks pointing
# elsewhere.
# Report whether a path is anything other than its own canonical form.
# Arguments: $1 - absolute path to check.
# Returns:   0 (true) when realpath resolves $1 to a different string.
#            That covers a symlink in any component, but also "..", a
#            trailing slash, or realpath failing (empty output).
#            1 when the path is already canonical.
# The check is a snapshot: callers act on the path afterwards, so it only
# helps while nothing can replace a path component in between.
has_symlink() {
  local candidate="$1"
  local resolved
  # The "|| true" keeps a realpath failure from counting as a script
  # error; the empty result then compares unequal, i.e. fails closed.
  resolved="$(realpath "${candidate}")" || true
  if [ "${resolved}" = "${candidate}" ]; then
    return 1
  fi
  return 0
}
# Migrate attestation.epb from its old location to the one attestation
# reads now. The move only happens when the old file exists and neither
# path resolves through a symlink.
if [ -f "${OLD_ATTESTATION_PATH}" ]; then
  if ! has_symlink "${OLD_ATTESTATION_PATH}" &&
     ! has_symlink "${NEW_ATTESTATION_PATH}"; then
    mv "${OLD_ATTESTATION_PATH}" "${NEW_ATTESTATION_PATH}"
  fi
fi
# Ensure attestationd will have permissions for attestation.epb: hand the
# directory to group "preserve" and make it group-writable (rwxrwxr-x).
# NOTE(review): unlike the move above, these two commands are not gated
# by has_symlink, and chgrp/chmod act on a symlink's target when given
# one. Confirm this directory is created and verified earlier in boot.
preserve_dir=/mnt/stateful_partition/unencrypted/preserve
chgrp preserve "${preserve_dir}"
chmod 775 "${preserve_dir}"
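# Read the value of a VPD entry by key, trying all given keys in order
# until one yields a non-empty value.
# Arguments: keys to try; "-d VALUE" (two consecutive arguments) sets the
#            fallback printed when no key yields a value.
# Outputs:   the first non-empty value, else the default (possibly
#            empty), on stdout with no trailing newline.
read_vpd() {
  local default_value=
  local value=
  # Two separate tests instead of the obsolescent "-a": the VPD value is
  # external data and must not be able to affect how the test parses.
  while [ -z "${value}" ] && [ $# -gt 0 ]; do
    if [ "$1" = -d ]; then
      shift
      default_value="${1-}"
      # A trailing "-d" with no value: nothing is left to consume, so
      # stop here rather than let the shift below fail.
      [ $# -gt 0 ] || break
    else
      # vpd_get_value runs in the inner substitution, which drops any
      # trailing newline from the value. Because printf is the command
      # whose status the assignment sees, a non-zero exit from
      # vpd_get_value is not propagated.
      value="$(printf '%s' "$(vpd_get_value "$1")")"
    fi
    shift
  done
  printf '%s' "${value:-${default_value}}"
}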
# Compute alternate data for attestation-based enrollment: the serial
# number (first non-empty of serial_number, Product_S/N) is fed on stdin
# to an HMAC-SHA256 keyed with rlz_brand_code (or '----' when that entry
# is empty), and sed strips everything up to the last "= " of openssl's
# output line.
# The HMAC key is passed as a command-line argument, so it is visible in
# the process list while openssl runs. NOTE(review): neither input is
# named as a secret on this page; confirm consumers do not treat the
# result as one.
# The function's status is that of sed, the last pipeline stage, so an
# openssl failure would not surface as a non-zero status here.
compute_alternate_abe_data() {
read_vpd serial_number Product_S/N |
openssl sha256 -hmac "$(read_vpd -d '----' rlz_brand_code)" |
sed 's/^.*= //'
}
# Print the attestation-based enrollment data on stdout: the VPD entry
# stable_device_secret_DO_NOT_SHARE when it is non-empty, otherwise the
# value derived by compute_alternate_abe_data.
get_abe_data() {
  local device_secret
  # The lookup's exit status is deliberately ignored; only whether it
  # produced a value matters.
  device_secret="$(read_vpd stable_device_secret_DO_NOT_SHARE)" || true
  if [ -n "${device_secret}" ]; then
    printf '%s' "${device_secret}"
  else
    printf '%s' "$(compute_alternate_abe_data)"
  fi
}
# Obtain data for attestation-based enrollment and hand it to the daemon
# through ABE_DATA_FILE. When the VPD provides one, this is the stable
# device secret, and the file gets whatever mode the job's umask allows.
# NOTE(review): consider a restrictive umask for this write, but confirm
# first that attestationd reads the file as the same user that runs this
# script.
get_abe_data >"${ABE_DATA_FILE}"
end script
# The daemon forks once; Upstart tracks the child as the main process.
expect fork
exec /usr/sbin/attestationd
# Remove the enrollment data file once the daemon has been started, so
# the value does not linger in /run. NOTE(review): presumably this is not
# reached if startup fails earlier, leaving the file behind. Confirm.
post-start exec rm -f "${ABE_DATA_FILE}"