| # Copyright 2014 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Chromium OS device attestation service." |
| author "chromium-os-dev@chromium.org" |
| |
| start on started tpm_managerd and started boot-services |
| stop on stopping boot-services |
| respawn |
| |
| # Where we store the attestation-based enterprise enrollment data. The |
| # daemon will check for this environment variable and read the file at |
| # startup before forking. |
| env ABE_DATA_FILE=/run/attestationd.abe_data |
| |
| env OLD_ATTESTATION_PATH="/mnt/stateful_partition/home/.shadow/attestation.epb" |
| env NEW_ATTESTATION_PATH=\ |
| "/mnt/stateful_partition/unencrypted/preserve/attestation.epb" |
| |
| pre-start script |
| # Paths under the stateful partition cannot be trusted. Only operate |
| # on them after verifying that they don't contain symlinks pointing |
| # elsewhere. |
| has_symlink() { |
| local path="$1" |
| [ "$(realpath "${path}")" != "${path}" ] |
| } |
| |
| # If attestation.epb still exists in its old location, move it to the new |
| # location where attestation will look for it. |
| if [ -f "${OLD_ATTESTATION_PATH}" ] && |
| ! has_symlink "${OLD_ATTESTATION_PATH}" && |
| ! has_symlink "${NEW_ATTESTATION_PATH}"; then |
| mv "${OLD_ATTESTATION_PATH}" "${NEW_ATTESTATION_PATH}" |
| fi |
| |
| # Ensure attestationd will have permissions for attestation.epb. |
| chgrp preserve /mnt/stateful_partition/unencrypted/preserve |
| chmod 775 /mnt/stateful_partition/unencrypted/preserve |
| |
| # Read the value of a VPD entry by key, trying all given keys |
| # until finding a non-empty value. A default can be specified |
| # by passing -d default as two consecutive arguments. |
| read_vpd() { |
| local default_value= |
| local value= |
| while [ -z "${value}" -a $# -gt 0 ]; do |
| if [ "$1" = -d ]; then |
| shift |
| default_value="$1" |
| else |
| # It is important to use printf here because the value may |
| # have a spurious newline at its end that will then be removed. |
| value="$(printf '%s' "$(vpd_get_value "$1")")" |
| fi |
| shift |
| done |
| printf '%s' "${value:-${default_value}}" |
| } |
| |
| # Compute alternate data for attestation-based enrollment. |
| compute_alternate_abe_data() { |
| read_vpd serial_number Product_S/N | |
| openssl sha256 -hmac "$(read_vpd -d '----' rlz_brand_code)" | |
| sed 's/^.*= //' |
| } |
| |
| # Get attestation-based enrollment data from either the default or |
| # alternate source. |
| get_abe_data() { |
| local abe_data="$(read_vpd stable_device_secret_DO_NOT_SHARE)" |
| printf '%s' "${abe_data:-$(compute_alternate_abe_data)}" |
| } |
| |
| # Obtain data for attestation-based enrollment. |
| get_abe_data >"${ABE_DATA_FILE}" |
| end script |
| |
| expect fork |
| exec /usr/sbin/attestationd |
| post-start exec rm -f "${ABE_DATA_FILE}" |