| #!/bin/sh |
| # Copyright 2021 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| if [ -z "${LOCKBOX_CACHE_DIR}" ]; then |
| echo "LOCKBOX_CACHE_DIR is unset"; |
| exit 1 |
| fi |
| |
| if [ -z "${LOCKBOX_NVRAM_FILE}" ]; then |
| echo "LOCKBOX_NVRAM_FILE is unset"; |
| exit 1 |
| fi |
| |
| if [ -z "${INSTALL_ATTRS_CACHE}" ]; then |
| echo "INSTALL_ATTRS_CACHE is unset"; |
| exit 1 |
| fi |
| |
| if [ -z "${INSTALL_ATTRS_FILE}" ]; then |
| echo "INSTALL_ATTRS_FILE is unset"; |
| exit 1 |
| fi |
| |
| umask 022 |
| mkdir -p -m 0711 "${LOCKBOX_CACHE_DIR}" |
| |
| if [ "$(tpm_version_client)" -eq 2 ]; then |
| LOCKBOX_INDEX=0x9da5b0 |
| else |
| LOCKBOX_INDEX=0x20000004 |
| fi |
| |
| # Use tpm_manager to read the NV space. |
| /usr/bin/gdbus wait --system -t 15 org.chromium.TpmManager |
| tpm_manager_client read_space --index="${LOCKBOX_INDEX}" \ |
| --file="${LOCKBOX_NVRAM_FILE}" |
| |
| # If the nvram file is not empty. |
| if [ -s "${LOCKBOX_NVRAM_FILE}" ]; then |
| lockbox-cache --cache="${INSTALL_ATTRS_CACHE}" \ |
| --nvram="${LOCKBOX_NVRAM_FILE}" \ |
| --lockbox="${INSTALL_ATTRS_FILE}" |
| else |
| # For TPM-less devices and legacy CR1 devices, |
| # pretend like lockbox is supported. |
| cp "${INSTALL_ATTRS_FILE}" "${INSTALL_ATTRS_CACHE}" |
| fi |
| |
| # There are no other consumers; remove the nvram data. |
| rm "${LOCKBOX_NVRAM_FILE}" |
