// Copyright 2014 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <sysexits.h>
#include <unistd.h>
#include <cstdlib>
#include <memory>
#include <string>
#include <attestation/proto_bindings/google_key.pb.h>
#include <base/command_line.h>
#include <base/files/file_path.h>
#include <base/files/file_util.h>
#include <base/optional.h>
#include <base/strings/string_number_conversions.h>
#include <brillo/cryptohome.h>
#include <brillo/daemons/dbus_daemon.h>
#include <brillo/dbus/async_event_sequencer.h>
#include <brillo/minijail/minijail.h>
#include <brillo/secure_blob.h>
#include <brillo/syslog_logging.h>
#include <brillo/userdb_utils.h>
#include <dbus/attestation/dbus-constants.h>
#include "attestation/server/attestation_service.h"
#include "attestation/server/dbus_service.h"
#include "attestation/server/google_keys.h"
#include <chromeos/libminijail.h>
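namespace {

// The daemon must be launched as uid 0: InitMinijailSandbox() needs root to
// drop to the unprivileged attestation user.
const uid_t kRootUID = 0;
const char kAttestationUser[] = "attestation";
const char kAttestationGroup[] = "attestation";
const char kAttestationSeccompPath[] =
    "/usr/share/policy/attestationd-seccomp.policy";
// Optional serialized DefaultGoogleRsaPublicKeySet that replaces the built-in
// Google keys. Whoever can write this path can choose the keys the daemon
// trusts, so its ownership/permissions are part of the security boundary.
constexpr char kGoogleKeysPath[] = "/run/attestation/google_keys.data";
// Exact decoded length, in bytes, of the attestation-based enrollment data.
constexpr size_t kAbeDataSize = 32;

namespace env {
// Environment variable naming the file that holds the hex-encoded
// attestation-based enrollment (ABE) data. Set by whatever launches the daemon.
static const char kAttestationBasedEnrollmentDataFile[] = "ABE_DATA_FILE";
}  // namespace env

// Returns the raw contents of the file named by $ABE_DATA_FILE, or an empty
// string when the variable is unset. If the variable is set but the file
// cannot be read the process aborts (LOG(FATAL)): a configured-but-missing
// secret is a deployment error, not something to silently run without.
//
// NOTE(review): the returned std::string is not scrubbed on destruction; the
// caller should convert it into a SecureBlob promptly.
std::string ReadAbeDataFileContents() {
  std::string contents;
  const char* path = std::getenv(env::kAttestationBasedEnrollmentDataFile);
  if (path == nullptr) {
    return contents;
  }
  const base::FilePath file_path(path);
  if (!base::ReadFileToString(file_path, &contents)) {
    LOG(FATAL) << "Could not read attestation-based enterprise enrollment data"
                  " in: "
               << file_path.value();
  }
  return contents;
}

// Loads an injected key set from kGoogleKeysPath. Returns an empty Optional
// when the file is absent/unreadable (the built-in keys are used) and also
// when it is present but does not parse; the latter is only a WARNING, so a
// corrupt injected file silently falls back to the defaults.
base::Optional<attestation::GoogleKeys> ReadGoogleKeysIfExists() {
  std::string serialized;
  if (!base::ReadFileToString(base::FilePath(kGoogleKeysPath), &serialized)) {
    return {};
  }
  LOG(INFO) << "Found key set to be injected.";
  attestation::DefaultGoogleRsaPublicKeySet key_set;
  if (!key_set.ParseFromString(serialized)) {
    LOG(WARNING) << "Failed to parse google keys to be injected.";
    return {};
  }
  return attestation::GoogleKeys(key_set);
}

// Decodes |abe_data_hex| into |abe_data|. An empty input is accepted and
// yields an empty blob (no ABE data configured) with a true result. Otherwise
// the input must be valid hex decoding to exactly kAbeDataSize bytes.
//
// On any failure |abe_data| is left empty and false is returned, so a caller
// that merely logs the failure never proceeds with a partially decoded or
// wrong-sized secret.
bool GetAttestationEnrollmentData(const std::string& abe_data_hex,
                                  brillo::SecureBlob* abe_data) {
  abe_data->clear();
  if (abe_data_hex.empty()) {
    return true;  // no data is ok.
  }
  if (!brillo::SecureBlob::HexStringToSecureBlob(abe_data_hex, abe_data) ||
      abe_data->size() != kAbeDataSize) {
    abe_data->clear();
    return false;
  }
  return true;
}

// Drops from root to the attestation user/group and installs the seccomp
// policy, aborting (CHECK) if any step leaves the process in an unexpected
// state. Must be called while still root, after every root-only step of
// startup has completed; nothing after this call can regain privileges.
void InitMinijailSandbox() {
  uid_t attestation_uid;
  gid_t attestation_gid;
  CHECK(brillo::userdb::GetUserInfo(kAttestationUser, &attestation_uid,
                                    &attestation_gid))
      << "Error getting attestation uid and gid.";
  CHECK_EQ(getuid(), kRootUID) << "AttestationDaemon not initialized as root.";

  brillo::Minijail* minijail = brillo::Minijail::GetInstance();
  struct minijail* jail = minijail->New();
  // Report syscalls rejected by the policy so that policy gaps are visible
  // in the logs rather than appearing as an unexplained death.
  minijail_log_seccomp_filter_failures(jail);
  minijail->DropRoot(jail, kAttestationUser, kAttestationGroup);
  // Apply the target user's supplementary groups from the user database.
  minijail_inherit_usergroups(jail);
  minijail->UseSeccompFilter(jail, kAttestationSeccompPath);
  minijail->Enter(jail);
  minijail->Destroy(jail);

  // Verify the drop on both the real and the effective ids: a partial drop
  // (real id changed, effective id still 0) would leave root reachable.
  CHECK_EQ(getuid(), attestation_uid)
      << "AttestationDaemon was not able to drop to attestation user.";
  CHECK_EQ(geteuid(), attestation_uid)
      << "AttestationDaemon was not able to drop effective uid to attestation user.";
  CHECK_EQ(getgid(), attestation_gid)
      << "AttestationDaemon was not able to drop to attestation group.";
  CHECK_EQ(getegid(), attestation_gid)
      << "AttestationDaemon was not able to drop effective gid to attestation group.";
}

}  // namespace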
using brillo::dbus_utils::AsyncEventSequencer;
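// D-Bus daemon wrapper around attestation::AttestationService.
class AttestationDaemon : public brillo::DBusServiceDaemon {
 public:
  // |abe_data| is the decoded attestation-based enrollment data (may be
  // empty); it is owned by this object and handed to the service by pointer.
  // |google_keys|, when present, replaces the service's built-in Google
  // public keys before the daemon runs.
  AttestationDaemon(brillo::SecureBlob abe_data,
                    base::Optional<attestation::GoogleKeys> google_keys)
      : brillo::DBusServiceDaemon(attestation::kAttestationServiceName),
        abe_data_(std::move(abe_data)),
        attestation_service_(&abe_data_) {
    if (google_keys) {
      attestation_service_.set_google_keys(*google_keys);
    }
  }
  AttestationDaemon(const AttestationDaemon&) = delete;
  AttestationDaemon& operator=(const AttestationDaemon&) = delete;

 protected:
  // Connects to D-Bus through the base class, then initializes the service.
  // Returns EX_OK, or the base-class code when the bus setup failed.
  //
  // NOTE(review): Initialize()'s result is ignored here; if it can fail, the
  // daemon would keep running with an uninitialized service -- confirm its
  // signature.
  int OnInit() override {
    const int result = brillo::DBusServiceDaemon::OnInit();
    if (result != EX_OK) {
      LOG(ERROR) << "Error starting attestation dbus daemon.";
      return result;
    }
    attestation_service_.Initialize();
    return EX_OK;
  }

  // Exports the attestation D-Bus object. The second GetHandler() argument
  // marks a registration failure as fatal.
  void RegisterDBusObjectsAsync(AsyncEventSequencer* sequencer) override {
    dbus_service_ = std::make_unique<attestation::DBusService>(
        bus_, &attestation_service_);
    dbus_service_->Register(sequencer->GetHandler("Register() failed.", true));
  }

 private:
  // Declaration order matters: |attestation_service_| stores a pointer to
  // |abe_data_|, so |abe_data_| must be constructed first and destroyed last.
  brillo::SecureBlob abe_data_;
  attestation::AttestationService attestation_service_;
  std::unique_ptr<attestation::DBusService> dbus_service_;
};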
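int main(int argc, char* argv[]) {
  base::CommandLine::Init(argc, argv);
  base::CommandLine* cl = base::CommandLine::ForCurrentProcess();
  int log_flags = brillo::kLogToSyslog;
  if (cl->HasSwitch("log_to_stderr")) {
    log_flags |= brillo::kLogToStderr;
  }
  brillo::InitLog(log_flags);

  // Everything up to InitMinijailSandbox() still runs as root and outside
  // the seccomp filter, so the files that need those privileges are read
  // here and not later.
  std::string abe_data_hex = ReadAbeDataFileContents();
  if (!brillo::cryptohome::home::EnsureSystemSaltIsLoaded()) {
    LOG(FATAL) << "Failed to ensure system salt to be loaded into memory.";
  }
  PLOG_IF(FATAL, daemon(0, 0) == -1) << "Failed to daemonize";

  brillo::SecureBlob abe_data;
  if (!GetAttestationEnrollmentData(abe_data_hex, &abe_data)) {
    // Malformed data is deliberately not fatal, but the service must never
    // see a partially decoded or wrong-sized blob: run without ABE data.
    LOG(ERROR) << "Invalid attestation-based enterprise enrollment data.";
    abe_data.clear();
  }
  // NOTE(review): |abe_data_hex| is a plain std::string and is not scrubbed
  // when it goes out of scope, so the hex form of the secret remains in
  // process memory for the daemon's lifetime.

  // ReadGoogleKeysIfExists() also runs as root at this point.
  AttestationDaemon attestation_daemon(std::move(abe_data),
                                       ReadGoogleKeysIfExists());
  LOG(INFO) << "Attestation Daemon Started.";
  // Drop root and enter the sandbox only now that all root-only setup is
  // done; D-Bus registration and Run() execute as the attestation user.
  InitMinijailSandbox();
  return attestation_daemon.Run();
}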