cryptohome/init/cryptohomed.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description     "Start the cryptohome daemon"
 author          "chromium-os-dev@chromium.org"

 # Starts the cryptohome daemon, which handles mounting and
 # unmounting users' encrypted home directories.  Also supports
 # offline login checks.
 start on started boot-services and started tcsd and started chapsd
 stop on stopping boot-services
 respawn

 # Where we store the attestation-based enterprise enrollment data. The
 # daemon will check for this environment variable and read the file at
 # startup before forking.
 env ABE_DATA_FILE=/run/cryptohomed.abe_data

 env OLD_ATTESTATION_PATH="/mnt/stateful_partition/home/.shadow/attestation.epb"
 env NEW_ATTESTATION_PATH="/mnt/stateful_partition/unencrypted/preserve/attestation.epb"

 # Set in the ebuild.
 env DIRENCRYPTION_FLAG=""
 env DISTRIBUTED_MODE_FLAG=""

 # Directory to store ephemeral cryptohome underlying sparse file.
 env CRYPTOHOME_EPHEMERAL_PATH="/run/cryptohome"

 # File for passing user data auth flag from pre-start to actual script block.
 env USERDATAAUTH_FLAG_STORAGE_FILE="/run/cryptohome/cryptohomed.upstart_userdataauth_flag"

 # If attestation.epb still exists in its old location, move it to the new
 # location where cryptohome will look for it.
 pre-start script
   # Paths under the stateful partition cannot be trusted. Only operate
   # on them after verifying that they don't contain symlinks pointing
   # elsewhere.
   has_symlink() {
     local path="$1"
     [ "$(realpath "${path}")" != "${path}" ]
   }

   if [ -f "${OLD_ATTESTATION_PATH}" ] &&
      ! has_symlink "${OLD_ATTESTATION_PATH}" &&
      ! has_symlink "${NEW_ATTESTATION_PATH}"; then
     mv "${OLD_ATTESTATION_PATH}" "${NEW_ATTESTATION_PATH}"
   fi

   # Read the value of a VPD entry by key, trying all given keys
   # until finding a non-empty value. A default can be specified
   # by passing -d default as two consecutive arguments.
   read_vpd() {
     local default_value=
     local value=
     while [ -z "${value}" -a $# -gt 0 ]; do
       if [ "$1" = -d ]; then
         shift
         default_value="$1"
      else
        # Don't create a VPD cache in this case if the cache file doesn't exist.
        # This prevents a VM from keeping trying and failing to read vendor data
        # from flashrom.
        #
        # It is important to use printf here because the value may
        # have a spurious newline at its end that will then be removed.
        value="$(printf '%s' "$(VPD_NEVER_CREATE_CACHE=1 vpd_get_value "$1")")"
       fi
       shift
     done
     printf '%s' "${value:-${default_value}}"
   }

   # Compute alternate data for attestation-based enrollment.
   compute_alternate_abe_data() {
     read_vpd serial_number Product_S/N |
       openssl sha256 -hmac "$(read_vpd -d '----' rlz_brand_code)" |
       sed 's/^.*= //'
   }

   # Get attestation-based enrollment data from either the default or
   # alternate source.
   get_abe_data() {
     local abe_data="$(read_vpd stable_device_secret_DO_NOT_SHARE)"
     printf '%s' "${abe_data:-$(compute_alternate_abe_data)}"
   }

   # Obtain data for attestation-based enrollment.
   get_abe_data >"${ABE_DATA_FILE}"

   # Create dir for ephemeral mounts while running as root.
   if [ ! -d "${CRYPTOHOME_EPHEMERAL_PATH}" ]; then
     mkdir -m 0700 "${CRYPTOHOME_EPHEMERAL_PATH}"
   fi

   if /usr/libexec/cryptohome/shall-use-userdataauth.sh; then
     # Yes, we are using the new UserDataAuth interface.
     touch "${USERDATAAUTH_FLAG_STORAGE_FILE}"
   else
     rm -rf "${USERDATAAUTH_FLAG_STORAGE_FILE}"
   fi
 end script

 expect fork

 script
   # Note that cat is not used here to prevent confusing upstart's fork
   # tracking.
   set -- "$@" --noclose ${DIRENCRYPTION_FLAG} ${DISTRIBUTED_MODE_FLAG}
   [ -f "${USERDATAAUTH_FLAG_STORAGE_FILE}" ] &&
     set -- "$@" --user_data_auth_interface
   exec cryptohomed "$@"
 end script

 post-start exec rm -f "${ABE_DATA_FILE}" "${USERDATAAUTH_FLAG_STORAGE_FILE}"
	# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Start the cryptohome daemon"
	author "chromium-os-dev@chromium.org"

	# Starts the cryptohome daemon, which handles mounting and
	# unmounting users' encrypted home directories. Also supports
	# offline login checks.
	start on started boot-services and started tcsd and started chapsd
	stop on stopping boot-services
	respawn

	# Where we store the attestation-based enterprise enrollment data. The
	# daemon will check for this environment variable and read the file at
	# startup before forking.
	env ABE_DATA_FILE=/run/cryptohomed.abe_data

	env OLD_ATTESTATION_PATH="/mnt/stateful_partition/home/.shadow/attestation.epb"
	env NEW_ATTESTATION_PATH="/mnt/stateful_partition/unencrypted/preserve/attestation.epb"

	# Set in the ebuild.
	env DIRENCRYPTION_FLAG=""
	env DISTRIBUTED_MODE_FLAG=""

	# Directory to store ephemeral cryptohome underlying sparse file.
	env CRYPTOHOME_EPHEMERAL_PATH="/run/cryptohome"

	# File for passing user data auth flag from pre-start to actual script block.
	env USERDATAAUTH_FLAG_STORAGE_FILE="/run/cryptohome/cryptohomed.upstart_userdataauth_flag"

	# If attestation.epb still exists in its old location, move it to the new
	# location where cryptohome will look for it.
	pre-start script
	# Paths under the stateful partition cannot be trusted. Only operate
	# on them after verifying that they don't contain symlinks pointing
	# elsewhere.
	has_symlink() {
	local path="$1"
	[ "$(realpath "${path}")" != "${path}" ]
	}

	if [ -f "${OLD_ATTESTATION_PATH}" ] &&
	! has_symlink "${OLD_ATTESTATION_PATH}" &&
	! has_symlink "${NEW_ATTESTATION_PATH}"; then
	mv "${OLD_ATTESTATION_PATH}" "${NEW_ATTESTATION_PATH}"
	fi

	# Read the value of a VPD entry by key, trying all given keys
	# until finding a non-empty value. A default can be specified
	# by passing -d default as two consecutive arguments.
	read_vpd() {
	local default_value=
	local value=
	while [ -z "${value}" -a $# -gt 0 ]; do
	if [ "$1" = -d ]; then
	shift
	default_value="$1"
	else
	# Don't create a VPD cache in this case if the cache file doesn't exist.
	# This prevents a VM from keeping trying and failing to read vendor data
	# from flashrom.
	#
	# It is important to use printf here because the value may
	# have a spurious newline at its end that will then be removed.
	value="$(printf '%s' "$(VPD_NEVER_CREATE_CACHE=1 vpd_get_value "$1")")"
	fi
	shift
	done
	printf '%s' "${value:-${default_value}}"
	}

	# Compute alternate data for attestation-based enrollment.
	compute_alternate_abe_data() {
	read_vpd serial_number Product_S/N \|
	openssl sha256 -hmac "$(read_vpd -d '----' rlz_brand_code)" \|
	sed 's/^.*= //'
	}

	# Get attestation-based enrollment data from either the default or
	# alternate source.
	get_abe_data() {
	local abe_data="$(read_vpd stable_device_secret_DO_NOT_SHARE)"
	printf '%s' "${abe_data:-$(compute_alternate_abe_data)}"
	}

	# Obtain data for attestation-based enrollment.
	get_abe_data >"${ABE_DATA_FILE}"

	# Create dir for ephemeral mounts while running as root.
	if [ ! -d "${CRYPTOHOME_EPHEMERAL_PATH}" ]; then
	mkdir -m 0700 "${CRYPTOHOME_EPHEMERAL_PATH}"
	fi

	if /usr/libexec/cryptohome/shall-use-userdataauth.sh; then
	# Yes, we are using the new UserDataAuth interface.
	touch "${USERDATAAUTH_FLAG_STORAGE_FILE}"
	else
	rm -rf "${USERDATAAUTH_FLAG_STORAGE_FILE}"
	fi
	end script

	expect fork

	script
	# Note that cat is not used here to prevent confusing upstart's fork
	# tracking.
	set -- "$@" --noclose ${DIRENCRYPTION_FLAG} ${DISTRIBUTED_MODE_FLAG}
	[ -f "${USERDATAAUTH_FLAG_STORAGE_FILE}" ] &&
	set -- "$@" --user_data_auth_interface
	exec cryptohomed "$@"
	end script

	post-start exec rm -f "${ABE_DATA_FILE}" "${USERDATAAUTH_FLAG_STORAGE_FILE}"