# Copyright 2014 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

description     "Chromium OS device attestation service."
author          "chromium-os-dev@chromium.org"

start on started tpm_managerd and started boot-services
stop on stopping boot-services
respawn

# Where we store the attestation-based enterprise enrollment data. The
# daemon will check for this environment variable and read the file at
# startup before forking.
env ABE_DATA_FILE=/run/attestationd.abe_data

pre-start script
  # Ensure attestationd will have permissions for attestation.epb.
  chgrp preserve /mnt/stateful_partition/unencrypted/preserve
  chmod 775 /mnt/stateful_partition/unencrypted/preserve

  # Read the value of a VPD entry by key, trying all given keys
  # until finding a non-empty value. A default can be specified
  # by passing -d default as two consecutive arguments.
  read_vpd() {
    local default_value=
    local value=
    while [ -z "${value}" -a $# -gt 0 ]; do
      if [ "$1" = -d ]; then
        shift
        default_value="$1"
     else
       # It is important to use printf here because the value may
       # have a spurious newline at its end that will then be removed.
       value="$(printf '%s' "$(vpd_get_value "$1")")"
      fi
      shift
    done
    printf '%s' "${value:-${default_value}}"
  }

  # Compute alternate data for attestation-based enrollment.
  compute_alternate_abe_data() {
    read_vpd serial_number Product_S/N |
      openssl sha256 -hmac "$(read_vpd -d '----' rlz_brand_code)" |
      sed 's/^.*= //'
  }

  # Get attestation-based enrollment data from either the default or
  # alternate source.
  get_abe_data() {
    local abe_data="$(read_vpd stable_device_secret_DO_NOT_SHARE)"
    printf '%s' "${abe_data:-$(compute_alternate_abe_data)}"
  }

  # Obtain data for attestation-based enrollment.
  get_abe_data >"${ABE_DATA_FILE}"
end script

expect fork
exec /usr/sbin/attestationd
post-start exec rm -f "${ABE_DATA_FILE}"