#!/bin/bash
##########################################################################################
#
# DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited.
#
# This material is based upon work supported by the Assistant Secretary of Defense for
# Research and Engineering under Air Force Contract No. FA8721-05-C-0002 and/or
# FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in
# this material are those of the author(s) and do not necessarily reflect the views of the
# Assistant Secretary of Defense for Research and Engineering.
#
# Copyright 2017 Massachusetts Institute of Technology.
#
# The software/firmware is provided to you on an As-Is basis
#
# Delivered to the US Government with Unlimited Rights, as defined in DFARS Part
# 252.227-7013 or 7014 (Feb 2014). Notwithstanding any copyright notice, U.S. Government
# rights in this work are defined by DFARS 252.227-7013 or DFARS 252.227-7014 as detailed
# above. Use of this work other than as specifically authorized by the U.S. Government may
# violate any copyrights that exist in this work.
#
##########################################################################################
# Configure the installer here
#
# Both trees are fetched below with `git clone` over HTTPS and then
# `git checkout`-ed to the *_VER ref.  Only the TLS connection protects that
# download: this script verifies no tag or commit signature, and "master" is a
# moving branch, so two runs can install different code.  Pin *_VER to a
# release tag or full commit hash for a reproducible, auditable install.
KEYLIME_GIT=https://github.com/mit-ll/python-keylime.git
TPM4720_GIT=https://github.com/mit-ll/tpm4720-keylime.git
KEYLIME_VER="master"
TPM4720_VER="master"
# Minimum version requirements
#
# Each is compared with version_checker (sort -V ordering) against what is
# actually installed; an older install prompts via confirm_force_install
# before continuing.  These are floors only -- nothing below caps or pins the
# versions that pip and `go get` pull in.
MIN_PYTHON_VERSION="2.7.10"
MIN_PYSETUPTOOLS_VERSION="0.7"
MIN_PYTORNADO_VERSION="4.3"
MIN_PYM2CRYPTO_VERSION="0.21.1"
MIN_PYCRYPTODOMEX_VERSION="3.4.1"
MIN_GO_VERSION="1.6.3"
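# Check to ensure version is at least minversion
#
# version_checker MIN ACTUAL
#   Returns 0 when ACTUAL is equal to or newer than MIN (ordered with
#   `sort -V`), 1 otherwise.  An empty ACTUAL -- what the probes below yield
#   when an import fails -- sorts first and so counts as "too old".
version_checker () {
  local min=$1 actual=$2 newest
  # Fixed format string: both values come from external tools, so they must be
  # passed as printf *arguments*, never interpreted as the format itself.
  newest=$( printf '%s\n%s\n' "$min" "$actual" | sort -V | tail -n1 )
  [[ "$min" == "$actual" || "$min" != "$newest" ]]
}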
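# confirm_force_install MESSAGE
#   Prints MESSAGE on stdout, then asks the operator whether to continue past a
#   failed prerequisite check.  Returns 0 only on an explicit single "y"/"Y";
#   anything else (including an empty answer or EOF on stdin) returns 1 so the
#   caller can abort.  `read -p` shows the prompt only when stdin is a terminal.
confirm_force_install () {
  local resp
  # Fixed printf format so the message is neither word-split, glob-expanded
  # nor parsed for directives (echo $1 did all three).
  printf '%s\n' "$1"
  read -r -p "This may introduce security issues, instability or an incomplete install! Continue? [y/N] " resp
  case "$resp" in
    [yY]) return 0 ;;
    *) return 1 ;;
  esac
}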
# Which package management system are we using?
#
# Probe for yum, then apt-get, and record the package lists that the later
# install steps need for that distro family.  Any other system is unsupported
# and we stop here before touching anything.
yum_path=$(command -v yum)
apt_path=$(command -v apt-get)
if [[ -n "$yum_path" ]]; then
  PACKAGE_MGR=$yum_path
  PYTHON_PREIN="epel-release git"
  PYTHON_DEPS="python python-pip python-devel python-setuptools python-zmq gcc openssl-devel"
  PYTHON_PIPS="pycryptodomex m2crypto tornado"
  BUILD_TOOLS="openssl-devel libtool gcc automake"
elif [[ -n "$apt_path" ]]; then
  PACKAGE_MGR=$apt_path
  PYTHON_PREIN="git"
  PYTHON_DEPS="python python-pip python-dev python-setuptools python-m2crypto python-zmq"
  PYTHON_PIPS="pycryptodomex tornado"
  BUILD_TOOLS="build-essential libssl-dev libtool automake"
else
  printf '%s\n' "No recognized package manager found on this system!" >&2
  exit 1
fi
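# Command line params
#
# usage: print the option summary to stdout.
usage () {
  echo "Usage: $0 [option...]"
  echo "Options:"
  echo $'-k \t\t\t\t Download Keylime (stub installer mode)'
  echo $'-o \t\t\t\t Use OpenSSL instead of CFSSL'
  echo $'-t \t\t\t\t Create tarball with keylime_node'
  echo $'-s \t\t\t\t Install TPM 4720 in socket mode (vs. chardev)'
  echo $'-p PATH \t\t\t Use PATH as Keylime path'
  echo $'-h \t\t\t\t This help info'
}

# parse_args "$@"
#   Reset and then set the STUB / KEYLIME_DIR / OPENSSL / TARBALL / TPM_SOCKET
#   globals from the command line.  -h prints usage and exits 0.  An unknown
#   option, or -p without its PATH, prints usage on stderr and exits 2 instead
#   of being silently ignored.  "-r" is still accepted by the optstring for
#   compatibility but has no handler and therefore no effect.
parse_args () {
  local opt
  local OPTIND=1
  STUB=0
  KEYLIME_DIR=
  OPENSSL=0
  TARBALL=0
  TPM_SOCKET=0
  while getopts ":shortkp:" opt; do
    case "$opt" in
      k) STUB=1 ;;
      p)
        KEYLIME_DIR=$OPTARG
        # Ensure absolute path: a relative PATH is anchored to the current directory.
        if [[ "$KEYLIME_DIR" != "/"* ]] ; then
          KEYLIME_DIR="$(pwd)/$KEYLIME_DIR"
        fi
        ;;
      o) OPENSSL=1 ;;
      t) TARBALL=1 ;;
      s) TPM_SOCKET=1 ;;
      h)
        usage
        exit
        ;;
      :)
        echo "ERROR: option -$OPTARG requires an argument" 1>&2
        usage 1>&2
        exit 2
        ;;
      \?)
        echo "ERROR: unknown option -$OPTARG" 1>&2
        usage 1>&2
        exit 2
        ;;
    esac
  done
}
parse_args "$@"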
# Everything below installs packages and writes under /usr/local/bin and /etc,
# so refuse to go any further unless we are root.  (Option parsing has already
# run, so `-h` works without privileges.)
if (( EUID != 0 )); then
  printf '%s\n' "This script must be run as root in order to install keylime and its dependencies" >&2
  exit 1
fi
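# Keylime python-related dependencies
echo
echo "=================================================================================="
echo $'\t\t\tInstalling python & crypto libs'
echo "=================================================================================="
# The package lists are intentionally unquoted: they are space-separated.
$PACKAGE_MGR install -y $PYTHON_PREIN
$PACKAGE_MGR install -y $PYTHON_DEPS
# NOTE(security): this installs whatever PyPI currently serves for these names,
# unpinned and without hash verification, and does so as root.  For a
# reproducible or auditable install, replace it with a requirements file pinned
# to known versions and `pip install --require-hashes -r ...`.
pip install $PYTHON_PIPS

# require_min_version NAME MIN ACTUAL
#   Abort unless the operator explicitly forces through when ACTUAL is older
#   than MIN.  An empty ACTUAL (the probe failed) is treated as too old.
require_min_version () {
  local name=$1 min=$2 actual=$3
  if ! version_checker "$min" "$actual"; then
    confirm_force_install "ERROR: Minimum $name version is $min, but $actual is installed!" || exit 1
  fi
}

# Ensure Python installed is new enough for us
if ! command -v python >/dev/null 2>&1 ; then
  echo "ERROR: Python failed to install properly!"
  exit 1
fi
# The probes below use the Python 2 print statement, consistent with
# MIN_PYTHON_VERSION; they yield an empty string if the import fails.
py_ver=$(python -c 'import platform; print platform.python_version()')
require_min_version "Python" "$MIN_PYTHON_VERSION" "$py_ver"
pyset_ver=$(python -c 'import setuptools; print setuptools.__version__')
require_min_version "python-setuptools" "$MIN_PYSETUPTOOLS_VERSION" "$pyset_ver"
pynado_ver=$(python -c 'import tornado; print tornado.version')
require_min_version "python-tornado" "$MIN_PYTORNADO_VERSION" "$pynado_ver"
pym2_ver=$(python -c 'import M2Crypto; print M2Crypto.version')
require_min_version "python-M2Crypto" "$MIN_PYM2CRYPTO_VERSION" "$pym2_ver"
# Anchor the match so that only the pycryptodomex line itself is picked up,
# not some other package whose name merely contains the string.
pycdom_ver=$(pip freeze | grep -i '^pycryptodomex==' | cut -d"=" -f3)
# The error message now reports the pycryptodomex minimum (it used to print
# the M2Crypto one).
require_min_version "python-pycryptodomex" "$MIN_PYCRYPTODOMEX_VERSION" "$pycdom_ver"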
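# Download Keylime (if necessary)
if [[ "$STUB" -eq "1" ]] ; then
  if [[ -z "$KEYLIME_DIR" ]] ; then
    KEYLIME_DIR="$(pwd)/keylime"
    mkdir -p "$KEYLIME_DIR"
  fi
  echo
  echo "=================================================================================="
  echo $'\t\t\t\tDownloading Keylime'
  echo "=================================================================================="
  # NOTE(security): only TLS to the remote protects this download; no tag or
  # commit signature is checked and KEYLIME_VER defaults to a moving branch.
  # A failed clone is left non-fatal, as before, so an existing checkout at
  # this path is reused; the sanity check below catches a missing tree.
  git clone "$KEYLIME_GIT" "$KEYLIME_DIR"
  # Check out inside a subshell so that if the directory cannot be entered the
  # `git checkout` can never run against whatever repository we are standing in.
  ( cd "$KEYLIME_DIR" && git checkout "$KEYLIME_VER" )
fi
# If all else fails, assume they already have Keylime (we're in it!)
if [[ -z "$KEYLIME_DIR" ]] ; then
  KEYLIME_DIR=$(pwd)
fi
# Sanity check: both trees must exist before we patch, build and install from here.
if [[ ! -d "$KEYLIME_DIR/scripts" || ! -d "$KEYLIME_DIR/keylime" ]] ; then
  echo "ERROR: Invalid keylime directory at $KEYLIME_DIR"
  exit 1
fi
echo "INFO: Using Keylime directory: $KEYLIME_DIR"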
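# OpenSSL or cfssl?
if [[ "$OPENSSL" -eq "1" ]] ; then
  # Patch config file to use openssl
  echo
  echo "=================================================================================="
  echo $'\t\t\tSwitching config to OpenSSL'
  echo "=================================================================================="
  # `patch -p1` applies relative to the working directory, so the cd must
  # succeed first or the patch would be applied to the wrong tree.
  cd "$KEYLIME_DIR" || exit 1
  patch --forward --verbose -s -p1 < "$KEYLIME_DIR/patches/opensslconf-patch.txt" \
    && echo "INFO: Keylime config patched!"
else
  if [[ -z "$GOPATH" ]] ; then
    # Install golang (if not already)
    echo
    echo "=================================================================================="
    echo $'\t\t\tInstalling golang (for cfssl)'
    echo "=================================================================================="
    $PACKAGE_MGR install -y golang git
    mkdir -p "$HOME/.go"
    export GOPATH=$HOME/.go
    # GOROOT is not set by this script; its PATH entry only helps when the
    # environment already provides it.
    export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
    # Persisted in the invoking user's (i.e. root's) .bashrc so later shells
    # find the toolchain.  This appends unconditionally, so repeat runs that
    # reach this branch add duplicate lines.
    echo "export GOPATH=~/.go" >> "$HOME/.bashrc"
    echo "export PATH=\$PATH:\$GOROOT/bin:\$GOPATH/bin" >> "$HOME/.bashrc"
  fi
  # Ensure Go installed meets min requirements (an empty go_ver, e.g. no `go`
  # on PATH, fails the check and prompts).
  go_ver=$(go version | cut -d" " -f3 | sed "s/go//")
  if ! version_checker "$MIN_GO_VERSION" "$go_ver"; then
    confirm_force_install "ERROR: Minimum Go version is $MIN_GO_VERSION, but $go_ver is installed!" || exit 1
  fi
  if ! command -v cfssl >/dev/null 2>&1 ; then
    # Install cfssl (if not already)
    echo
    echo "=================================================================================="
    echo $'\t\t\t\tInstalling cfssl'
    echo "=================================================================================="
    # NOTE(security): `go get -u` fetches and builds the current tip of cfssl
    # and all of its dependencies straight from the network, as root, with
    # nothing pinned or verified, and the binary is then installed system-wide.
    # Go is stupid with ENV vars, so we have to spawn a child shell
    bash -c 'go get -v -u github.com/cloudflare/cfssl/cmd/cfssl'
    install -c "$GOPATH/bin/cfssl" /usr/local/bin/cfssl
  fi
fi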
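# Build tpm4720
echo
echo "=================================================================================="
echo $'\t\t\t\tBuild and install tpm4720'
echo "=================================================================================="
# Create temp dir for building tpm.  Deliberately not called TMPDIR: that is
# the standard override honoured by mktemp and other tools, and clobbering it
# would silently redirect every later temp file into our build tree.
TPM_BUILD_DIR=$(mktemp -d) || exit 1
# Remove the build tree on a clean exit; after a failure leave it in place so
# the partial build can be inspected.
trap 'rc=$?; if [[ $rc -eq 0 ]]; then rm -rf -- "$TPM_BUILD_DIR"; fi' EXIT
echo -n "INFO: Using temp tpm directory: "
echo "$TPM_BUILD_DIR"
# BUILD_TOOLS is a space-separated list and must stay unquoted.
$PACKAGE_MGR -y install $BUILD_TOOLS
mkdir -p "$TPM_BUILD_DIR/tpm4720"
cd "$TPM_BUILD_DIR/tpm4720" || exit 1
# NOTE(security): the emulator is fetched from a moving branch over HTTPS with
# no signature check, compiled, and installed system-wide.
git clone "$TPM4720_GIT" tpm4720-keylime || exit 1
cd "$TPM_BUILD_DIR/tpm4720/tpm4720-keylime" || exit 1
git checkout "$TPM4720_VER"
# Install tpm4720.  Every cd is checked: the build and install steps act on the
# working directory, and must not run somewhere unexpected if a step failed.
cd tpm || exit 1
make -f makefile-tpm || exit 1
install -c tpm_server /usr/local/bin/tpm_server
cd ../libtpm || exit 1
if [[ "$TPM_SOCKET" -eq "1" ]] ; then
  chmod +x comp-sockets.sh
  ./comp-sockets.sh
else
  chmod +x comp-chardev.sh
  ./comp-chardev.sh
fi
make install
if [[ "$TPM_SOCKET" -eq "1" ]] ; then
  cd ../scripts || exit 1
  # install(1) copies with an executable mode by default, so the working-copy
  # scripts do not need a chmod of their own.
  install -c tpm_serverd /usr/local/bin/tpm_serverd
  install -c init_tpm_server /usr/local/bin/init_tpm_server
  # clear TPM on first use -- run the copy just installed rather than whatever
  # `init_tpm_server` happens to resolve to on PATH.
  /usr/local/bin/init_tpm_server
  # Start tpm4720
  echo
  echo "=================================================================================="
  echo $'\t\t\t\tStart tpm4720'
  echo "=================================================================================="
  # starts emulator and IMA stub at boot
  cd "$KEYLIME_DIR/ima_stub_service" || exit 1
  ./installer.sh
fi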
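# Install keylime
echo
echo "=================================================================================="
echo $'\t\t\t\tInstall Keylime'
echo "=================================================================================="
# setup.py is run relative to the working directory, so the cd must succeed.
cd "$KEYLIME_DIR" || exit 1
python setup.py install
# Never overwrite a deployed config: if /etc/keylime.conf exists and differs
# from the shipped one, drop the new copy alongside it as keylime.conf.new and
# leave the existing file untouched.
if [ -f /etc/keylime.conf ] ; then
  if ! cmp -s /etc/keylime.conf keylime.conf ; then
    echo "Modified keylime.conf found in /etc/, creating /etc/keylime.conf.new instead"
    cp keylime.conf /etc/keylime.conf.new
  fi
else
  echo "Installing keylime.conf to /etc/"
  cp -n keylime.conf /etc/
fi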
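# Run node packager (tarball)
if [[ "$TARBALL" -eq "1" ]] ; then
  echo
  echo "=================================================================================="
  echo $'\t\t\t\tGenerate node tarball'
  echo "=================================================================================="
  # The bundler is invoked by relative path, so do not run it unless the cd
  # actually landed in the keylime tree.
  cd "$KEYLIME_DIR/keylime" || exit 1
  ./make_node_bundle_tarball.sh
fi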