tpm_clear_own.sh
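#!/bin/bash
# tpm_clear_own.sh — TPM provisioning helper for the BBB with the CryptoCape.
# Depending on the flags read from sysfs (see "main" at the bottom) it either
# asserts physical presence and clears/enables/activates the TPM (part1) or
# creates an EK and takes ownership (part2). It talks to sysfs, tcsd and the
# tpm-tools userland, so it must run as root.
#
# NOTE: `set -e` is deliberately not used: the flow inspects the exit status of
# tools (grep, tpm_getpubek, tpm_takeownership) that legitimately fail.
if (( EUID != 0 )); then
  # Diagnostics go to stderr so they are not mistaken for status output.
  echo "You must be root to run this script" >&2
  exit 1
fi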
# The TPM sysfs class moved out of /sys/class/misc; prefer the new location and
# fall back to the old one when tpm0 is not found there.
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=313d21eeab9282e01fdcecd40e9ca87e0953627f
sys_tpm="/sys/class/tpm"
[[ -d "${sys_tpm}/tpm0/" ]] || sys_tpm="/sys/class/misc"
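#######################################
# Check whether the CryptoCape overlay was loaded at boot by looking for its
# dtbo load message in the kernel log.
# Outputs:  nothing (only the exit status is meaningful to callers)
# Returns:  0 if the message is present, 1 otherwise
# Caveat:   dmesg is a ring buffer; on a long-running system the boot message
#           may already have been overwritten, giving a false negative.
#######################################
crypto_cape_attached_p(){
  # -F: the overlay name contains '.', which grep would otherwise treat as a
  # wildcard; -q: do not echo the matching line.
  dmesg | grep -qF -- "dtbo 'BB-BONE-CRYPTO-00A0.dtbo' loaded"
}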
#######################################
# Read the TPM "active" flag from sysfs into the global TPM_ACTIVE.
# Globals: sys_tpm (read), TPM_ACTIVE (written)
#######################################
tpm_active(){
  # $(< file) is the builtin equivalent of $(cat file).
  TPM_ACTIVE=$(< "${sys_tpm}/tpm0/device/active")
}
#######################################
# Read the TPM "enabled" flag from sysfs into the global TPM_ENABLED.
# Globals: sys_tpm (read), TPM_ENABLED (written)
#######################################
tpm_enabled(){
  # $(< file) is the builtin equivalent of $(cat file).
  TPM_ENABLED=$(< "${sys_tpm}/tpm0/device/enabled")
}
#######################################
# Read the TPM "owned" flag from sysfs into the global TPM_OWNED.
# Globals: sys_tpm (read), TPM_OWNED (written)
#######################################
tpm_owned(){
  # $(< file) is the builtin equivalent of $(cat file).
  TPM_OWNED=$(< "${sys_tpm}/tpm0/device/owned")
}
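# Refuse to continue unless the CryptoCape overlay was loaded at boot.
# The previous form, `[[ crypto_cape_attached_p -ne 0 ]]`, never called the
# function: inside [[ ]] the bare word is an arithmetic operand (an unset
# variable, i.e. 0), so the comparison was always false and this guard could
# not fire.
if ! crypto_cape_attached_p >/dev/null; then
  echo "You must boot with the CryptoCape attached" >&2
  exit 1
fi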
#######################################
# Install the packages the rest of the script relies on: trousers (tcsd),
# tpm-tools, the TSS library, and a C toolchain to build tpm_assertpp.
# Returns: apt-get's exit status
#######################################
prelude(){
  local -a pkgs=(git trousers tpm-tools libtspi1 libtspi-dev build-essential)
  apt-get install -y "${pkgs[@]}"
}
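#######################################
# Phase 1: reset the TPM. Builds and runs tpm_assertpp to assert physical
# presence, clears the TPM, re-enables and activates it, then halts the board
# (the user is told to pull power, presumably because the new TPM state is only
# picked up after a full power cycle — not verified here).
# Outputs:      progress messages on stdout, failures on stderr
# Side effects: installs packages, stops/starts tcsd, clears the TPM (all
#               owner data and keys are lost), halts the machine.
# Returns:      does not return; exits 1 on failure, halts on success
#######################################
part1(){
  # Stop before touching the TPM if the toolchain/userland is missing.
  if ! prelude; then
    echo "Installing required packages failed. We can't continue." >&2
    exit 1
  fi
  # tpm_assertpp is built from a path relative to the current directory, so the
  # script has to be run from the repository root.
  if ! gcc tpm_assert/tpm_assertpp.c -o tpm_assertpp; then
    echo "Building tpm_assertpp failed. We can't continue." >&2
    exit 1
  fi
  echo "Killing tcsd"
  # tcsd is stopped before tpm_assertpp runs — presumably so the helper can
  # open the TPM device directly; confirm against tpm_assertpp.c.
  pkill tcsd
  echo "Setting PP"
  if ! ./tpm_assertpp; then
    echo "Setting PP failed. We can't continue."
    rm -f -- tpm_assertpp
    exit 1
  fi
  echo "Restarting tcsd"
  tcsd
  echo "Clearing the TPM"
  # -f uses the physical-presence authorisation asserted above (TPM 1.2
  # ForceClear); no owner password is needed, which is why PP must be set.
  tpm_clear -f
  echo "Enabling the TPM"
  tpm_setenable -e -f
  tpm_setactive -a
  rm -f -- tpm_assertpp
  echo "Halting the BBB. Pull power and re-connect to continue."
  halt
}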
#######################################
# Refresh TPM_ACTIVE/TPM_ENABLED/TPM_OWNED from sysfs and print them.
# Globals: TPM_ACTIVE, TPM_ENABLED, TPM_OWNED (written via the helpers)
# Outputs: three "TPM <flag>: <value>" lines on stdout
#######################################
print_tpm_status(){
  tpm_active
  tpm_enabled
  tpm_owned
  printf 'TPM Active: %s\n' "$TPM_ACTIVE"
  printf 'TPM Enabled: %s\n' "$TPM_ENABLED"
  printf 'TPM Owned: %s\n' "$TPM_OWNED"
}
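#######################################
# Test whether the TPM still carries the compliance (test) endorsement key,
# recognised by the fixed leading bytes of its public modulus. main treats a
# match as "TPM must be cleared" (part1): a compliance EK is a shared test key,
# so nothing attested under it should be trusted.
# Globals: sys_tpm (read)
# Outputs: nothing (only the exit status is meaningful to callers)
# Returns: 0 if the pubek starts with the compliance prefix, 1 otherwise
#          (also 1/2 if the sysfs file cannot be read)
#######################################
is_compliance_vector_loaded(){
  local -r C_PUBEK_START="AB 56 7C 0E 60 8C 5C 18 9E 90 2C 37 32 CF E3 FE"
  # -- guards against the pattern being parsed as an option; -q drops the echo
  # of the matching line.
  grep -q -- "^${C_PUBEK_START}" "${sys_tpm}/tpm0/device/pubek"
}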
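#######################################
# Ask the TPM for its public EK and decide whether one must be created.
# Globals: IS_EK (written: tpm_getpubek's combined stdout/stderr)
# Outputs: nothing (only the exit status is meaningful to callers)
# Returns: 0 if tpm_getpubek reported "No EK", 1 otherwise
#######################################
need_EK(){
  IS_EK=$(tpm_getpubek 2>&1)
  # Here-string instead of echo|grep; -q drops the echo of the matching line.
  grep -q -- "No EK" <<<"$IS_EK"
}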
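#######################################
# Phase 2: provision a cleared TPM. Creates an endorsement key if the TPM
# reports none, then takes ownership. `tpm_takeownership -z` sets the SRK
# secret to the well-known (all-zero) value, so anyone who can reach tcsd can
# load keys under the SRK; only the owner password typed at the prompt is
# secret.
# Globals:      OWN_RESULT (written: tpm_takeownership's combined output)
# Outputs:      progress messages on stdout, tool output on stderr on failure
# Side effects: may create an EK, take ownership, or halt the board
# Returns:      0 on success, 1 if EK creation fails
#######################################
part2(){
  if need_EK; then
    echo "Creating a new EK"
    if ! tpm_createek; then
      echo "Creating the EK failed. We can't continue." >&2
      return 1
    fi
  fi
  echo "***************************************************************"
  echo "***************************************************************"
  echo "About to take ownership. Using the well-known password for the SRK."
  echo "This command will take a few seconds, please be patient."
  echo "***************************************************************"
  echo "***************************************************************"
  echo "Enter a new owner password"
  # The tool's output is captured, so the echo above stands in for its prompt.
  # TODO confirm tpm_takeownership still reads the password from the terminal
  # when its stdout/stderr are redirected.
  if ! OWN_RESULT=$(tpm_takeownership -z 2>&1); then
    echo "Command failed."
    # Show the tool's own diagnostics; previously only the grep match was shown.
    printf '%s\n' "$OWN_RESULT" >&2
    if grep -q -- "Internal software error" <<<"$OWN_RESULT"; then
      echo "Internal Software Error: halting. Remove and re-apply power and try again."
      halt
    fi
  else
    echo "Congrats! Your TPM is now ready to use."
  fi
}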
## main
# Choose the phase from the current TPM flags:
#   active + enabled + unowned, compliance EK present -> part1 (clear)
#   active + enabled + unowned, otherwise               -> part2 (take ownership)
#   anything else (inactive, disabled, or already owned) -> part1 (clear)
# Note that an already-owned TPM is cleared without confirmation, which
# destroys its owner data and keys.
print_tpm_status
if [[ "$TPM_ACTIVE" == "1" && "$TPM_ENABLED" == "1" && "$TPM_OWNED" == "0" ]]; then
  if is_compliance_vector_loaded; then
    part1
  else
    part2
  fi
else
  part1
fi