Merge branch 'opiproject:main' into nm-dbus
bhoopesh369 authored Jul 3, 2024
2 parents 4d2eadb + aa2f320 commit 9f1d25f
Showing 27 changed files with 261 additions and 92 deletions.
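--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,26 @@
+<!-- Thanks for sending a pull request! -->
+
+## Proposed changes
+
+Summarize your changes here to communicate with the maintainers and make sure to put the link of that issue
+
+## Types of changes
+
+What types of changes does your code introduce to the repo? Put an `x` in the boxes that apply
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Bugfix (non-breaking change which fixes an issue)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Documentation Update (if none of the other choices applies)
+
+## Checklist
+
+Put an `x` in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.
+- [ ] I have signed the commit for DCO to be passed.
+- [ ] Lint and unit tests pass locally with my changes
+- [ ] I have added tests that prove my fix is effective or that my feature works (if appropriate)
+- [ ] I have added necessary documentation (if appropriate)
+
+## Dependency
+- Please add the links to the dependent PR need to be merged before this (if any).
+
+## Special notes for your reviewer: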
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
133 changes: 132 additions & 1 deletion doc/qemu_tpm_setup.md
Expand Up @@ -99,7 +99,11 @@ qemu-system-x86_64 -smp 2 -cdrom init.iso -m 1G \
--nographic
```

Login using fedora/fedora and run few tests
Login using `fedora/fedora` and run few tests

### Testing TPM device

Sanity checks

```bash
[fedora@fed38 ~]$ dmesg | grep -i tpm
Expand All @@ -113,4 +117,131 @@ crw-rw----. 1 root tss 253, 65536 Jun 18 23:17 /dev/tpmrm0

[fedora@fed38 ~]$ sudo tpm2_clear
[fedora@fed38 ~]$ sudo tpm2_selftest

[fedora@fed38 ~]$ sudo tpm2_getcap algorithms | grep -A 9 'sha384'
sha384:
value: 0xC
asymmetric: 0
symmetric: 0
hash: 1
object: 0
reserved: 0x0
signing: 0
encrypting: 0
method: 0
```

Working with Keys, from <https://github.com/tpm2-software/tpm2-openssl/blob/master/docs/keys.md>

```bash
[fedora@fed38 ~]$ sudo tpm2_createek -G rsa -c ek_rsa.ctx
[fedora@fed38 ~]$ sudo tpm2_createak -C ek_rsa.ctx -G rsa -g sha256 -s rsassa --ak-context ak_rsa.ctx
loaded-key:
name: 000b42319d115beaaa57c3f2b385d8cb1e2e6834b65e5da97be1e8339a74a053d7ff
qualified name: 000b1f2b91b573baeb8d3e37b9ce48eafb0542bde0ff2fac9366f31bf178680440e6
[fedora@fed38 ~]$ sudo tpm2_evictcontrol --object-context=ak_rsa.ctx 0x81000000
persistent-handle: 0x81000000
action: persisted

[fedora@fed38 ~]$ sudo tpm2_getcap handles-persistent
- 0x81000000

[fedora@fed38 ~]$ sudo tpm2_evictcontrol --hierarchy=o --object-context=0x81000000
persistent-handle: 0x81000000
action: evicted
[fedora@fed38 ~]$ sudo tpm2_getcap handles-persistent
[fedora@fed38 ~]$

# Primary key generation

[fedora@fed38 ~]$ sudo tpm2_createprimary --hierarchy=o --hash-algorithm=sha256 --key-algorithm=ecc256:aes128cfb --key-context=tpm_primary_key.ctx --attributes="decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted" -V
name-alg:
value: sha256
raw: 0xb
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt
raw: 0x30472
type:
value: ecc
raw: 0x23
curve-id:
value: NIST p256
raw: 0x3
kdfa-alg:
value: null
raw: 0x10
kdfa-halg:
value: (null)
raw: 0x0
scheme:
value: null
raw: 0x10
scheme-halg:
value: (null)
raw: 0x0
sym-alg:
value: aes
raw: 0x6
sym-mode:
value: cfb
raw: 0x43
sym-keybits: 128
x: 50ae5635be637d617fb1d9499fda0b618b63e8f27cc750ec65bcb9d9655e08e2
y: 531a72b1039f2441bfb59f9086119b0c50d3fa7acd86d432325dd8726b4b22e6
[fedora@fed38 ~]$ sudo tpm2_evictcontrol --hierarchy=o 0x81020004 --object-context=tpm_primary_key.ctx -V
persistent-handle: 0x81020004
action: persisted
[fedora@fed38 ~]$ sudo tpm2_getcap handles-persistent
- 0x81000000
- 0x81020004

# TPM ECDSA key generation (Device attestation key)

[fedora@fed38 ~]$ sudo tpm2_create --parent-context=0x81020004 --hash-algorithm=sha256 --key-algorithm=ecc256:ecdsa-sha256 --public=tpm_ecdsa_pub.key --private=tpm_ecdsa_priv.key --attributes="sign|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda"
name-alg:
value: sha256
raw: 0xb
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|sign
raw: 0x40472
type:
value: ecc
raw: 0x23
curve-id:
value: NIST p256
raw: 0x3
kdfa-alg:
value: null
raw: 0x10
kdfa-halg:
value: (null)
raw: 0x0
scheme:
value: ecdsa
raw: 0x18
scheme-halg:
value: sha256
raw: 0xb
sym-alg:
value: null
raw: 0x10
sym-mode:
value: (null)
raw: 0x0
sym-keybits: 0
x: 66d3f05041cd5b39ee5bb191ea1b1b61dfdb1d31040a3742c47db1395eb997e9
y: 6a70ed0b486dd094a4bf37a2ef8051cc71c81c6e760025086f8bd44751bb690f

[fedora@fed38 ~]$ sudo tpm2_load --public=tpm_ecdsa_pub.key --private=tpm_ecdsa_priv.key --key-context tpm_ecdsa_key.ctx --parent-context=0x81020004
name: 000b47b51aa53335f1521b45382f194d4ca9291daee4ba3d4f9191bbdf56e789c61f

[fedora@fed38 ~]$ sudo tpm2_evictcontrol --hierarchy=o 0x81000002 --object-context=tpm_ecdsa_key.ctx -V
persistent-handle: 0x81000002
action: persisted

# Flushing memory

[fedora@fed38 ~]$ sudo tpm2_flushcontext --transient-object -V
INFO on line: "44" in file: "lib/tpm2_capability.c": GetCapability: capability: 0x1, property: 0x80000000

```
8 changes: 4 additions & 4 deletions docker-compose.yml
Expand Up @@ -13,8 +13,8 @@ services:
volumes:
- server-certs:/certs
- ./images:/media
- ./sztp-server/config:/mnt
- ./sztp-server/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
- ./config:/mnt
- ./scripts/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
entrypoint: /usr/local/bin/docker-entrypoint.sh
environment:
SZTPD_INIT_PORT: 6080
Expand All @@ -40,8 +40,8 @@ services:
condition: service_completed_successfully
volumes:
- server-certs:/certs
- ./sztp-server/config/sztpd.redirect.json.template:/mnt/sztpd.redirect.json.template
- ./sztp-server/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
- ./config/sztpd.redirect.json.template:/mnt/sztpd.redirect.json.template
- ./scripts/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
entrypoint: /usr/local/bin/docker-entrypoint.sh
environment:
SZTPD_INIT_PORT: 6080
File renamed without changes.
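--- a/sztp-agent/cmd/cli.go
+++ b/sztp-agent/cmd/cli.go
@@ -0,0 +1,33 @@
+package cmd
+
+import (
+"log"
+"os"
+
+"github.com/TwiN/go-color"
+"github.com/spf13/cobra"
+)
+
+// commands hold a slice of all cobra commands for cli tool
+var commands []*cobra.Command
+
+// RootCmd is the main entrypoint for the cli
+func RootCmd() *cobra.Command {
+c := &cobra.Command{
+Use: "opi-sztp-agent",
+Short: "opi-sztp-agent is the agent command line interface to work with the sztp workflow",
+Run: func(cmd *cobra.Command, _ []string) {
+err := cmd.Help()
+if err != nil {
+log.Fatalf(color.InRed("[ERROR]")+"%s", err.Error())
+}
+os.Exit(1)
+},
+}
+
+for _, cmd := range commands {
+c.AddCommand(cmd)
+}
+
+return c
+}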
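Review bot: `commands` holds shared *cobra.Command singletons built once in each file's init(), so calling RootCmd() more than once (several tests, or a re-entrant main) attaches the same child objects to a second parent, and flag values parsed on the first root presumably survive into the second — worth confirming against cobra's AddCommand. Registering constructors instead keeps every root independent: `var commands []func() *cobra.Command`, `for _, mk := range commands { c.AddCommand(mk()) }`, and in daemon.go, disable.go and enable.go `commands = append(commands, Daemon)` (respectively Disable, Enable) rather than the call result. Separately, the format string `color.InRed("[ERROR]")+"%s"` is non-constant, which defeats vet's printf check; `log.Fatalf("%s%s", color.InRed("[ERROR]"), err)` prints the same text and is checkable.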
13 changes: 8 additions & 5 deletions sztp-agent/cmd/daemon.go
Expand Up @@ -17,8 +17,13 @@ import (
"github.com/spf13/cobra"
)

// NewDaemonCommand returns the daemon command
func NewDaemonCommand() *cobra.Command {
//nolint:gochecknoinits
func init() {
commands = append(commands, Daemon())
}

// Daemon returns the daemon command
func Daemon() *cobra.Command {
var (
bootstrapURL string
serialNumber string
Expand All @@ -32,7 +37,7 @@ func NewDaemonCommand() *cobra.Command {
cmd := &cobra.Command{
Use: "daemon",
Short: "Run the daemon command",
RunE: func(c *cobra.Command, _ []string) error {
RunE: func(_ *cobra.Command, _ []string) error {
arrayChecker := []string{devicePrivateKey, deviceEndEntityCert, bootstrapTrustAnchorCert}
if bootstrapURL != "" && dhcpLeaseFile != "" {
return fmt.Errorf("'--bootstrap-url' and '--dhcp-lease-file' are mutualy exclusive")
Expand All @@ -54,8 +59,6 @@ func NewDaemonCommand() *cobra.Command {
return fmt.Errorf("must not be folder: %q", filePath)
}
}
err := c.Help()
cobra.CheckErr(err)
a := secureagent.NewAgent(bootstrapURL, serialNumber, dhcpLeaseFile, devicePassword, devicePrivateKey, deviceEndEntityCert, bootstrapTrustAnchorCert)
return a.RunCommandDaemon()
},
12 changes: 5 additions & 7 deletions sztp-agent/cmd/daemon_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,28 +11,26 @@ import (
"github.com/spf13/cobra"
)

func TestNewDaemonCommand(t *testing.T) {
func TestDaemonCommand(t *testing.T) {
tests := []struct {
name string
want *cobra.Command
}{
{
name: "TestNewDaemonCommand",
name: "TestDaemonCommand",
want: &cobra.Command{
Use: "daemon",
Short: "Run the daemon command",
RunE: func(c *cobra.Command, _ []string) error {
err := c.Help()
cobra.CheckErr(err)
RunE: func(_ *cobra.Command, _ []string) error {
return nil
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := NewDaemonCommand(); !reflect.DeepEqual(got.Commands(), tt.want.Commands()) {
t.Errorf("NewDaemonCommand() = %v, want %v", got, tt.want)
if got := Daemon(); !reflect.DeepEqual(got.Commands(), tt.want.Commands()) {
t.Errorf("Daemon() = %v, want %v", got, tt.want)
}
})
}
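Review bot: The assertion on the changed line `if got := Daemon(); !reflect.DeepEqual(got.Commands(), tt.want.Commands())` compares two subcommand lists that are both empty — tt.want declares none and, unless Daemon() adds subcommands outside the visible hunks, neither does got — so the test passes for any *cobra.Command and never checks what Daemon() builds. Comparing the fields the table actually populates would give it teeth: `if got := Daemon(); got.Use != tt.want.Use || got.Short != tt.want.Short {`. Leaving RunE out of the comparison is right, since function values cannot be compared with DeepEqual. The same vacuous comparison is on the `Disable()` line in disable_test.go.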
13 changes: 8 additions & 5 deletions sztp-agent/cmd/disable.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,13 @@ import (
"github.com/spf13/cobra"
)

// NewDisableCommand returns the disable command
func NewDisableCommand() *cobra.Command {
//nolint:gochecknoinits
func init() {
commands = append(commands, Disable())
}

// Disable returns the disable command
func Disable() *cobra.Command {
var (
bootstrapURL string
serialNumber string
Expand All @@ -28,9 +33,7 @@ func NewDisableCommand() *cobra.Command {
cmd := &cobra.Command{
Use: "disable",
Short: "Run the disable command",
RunE: func(c *cobra.Command, _ []string) error {
err := c.Help()
cobra.CheckErr(err)
RunE: func(_ *cobra.Command, _ []string) error {
a := secureagent.NewAgent(bootstrapURL, serialNumber, dhcpLeaseFile, devicePassword, devicePrivateKey, deviceEndEntityCert, bootstrapTrustAnchorCert)
return a.RunCommandDisable()
},
12 changes: 5 additions & 7 deletions sztp-agent/cmd/disable_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,28 +11,26 @@ import (
"github.com/spf13/cobra"
)

func TestNewDisableCommand(t *testing.T) {
func TestDisableCommand(t *testing.T) {
tests := []struct {
name string
want *cobra.Command
}{
{
name: "TestNewDisableCommand",
name: "TestDisableCommand",
want: &cobra.Command{
Use: "disable",
Short: "Run the disable command",
RunE: func(c *cobra.Command, _ []string) error {
err := c.Help()
cobra.CheckErr(err)
RunE: func(_ *cobra.Command, _ []string) error {
return nil
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := NewDisableCommand(); !reflect.DeepEqual(got.Commands(), tt.want.Commands()) {
t.Errorf("NewDisableCommand() = %v, want %v", got, tt.want)
if got := Disable(); !reflect.DeepEqual(got.Commands(), tt.want.Commands()) {
t.Errorf("Disable() = %v, want %v", got, tt.want)
}
})
}
13 changes: 8 additions & 5 deletions sztp-agent/cmd/enable.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,13 @@ import (
"github.com/spf13/cobra"
)

// NewEnableCommand returns the enable command
func NewEnableCommand() *cobra.Command {
//nolint:gochecknoinits
func init() {
commands = append(commands, Enable())
}

// Enable returns the enable command
func Enable() *cobra.Command {
var (
bootstrapURL string
serialNumber string
Expand All @@ -28,9 +33,7 @@ func NewEnableCommand() *cobra.Command {
cmd := &cobra.Command{
Use: "enable",
Short: "Run the enable command",
RunE: func(c *cobra.Command, _ []string) error {
err := c.Help()
cobra.CheckErr(err)
RunE: func(_ *cobra.Command, _ []string) error {
a := secureagent.NewAgent(bootstrapURL, serialNumber, dhcpLeaseFile, devicePassword, devicePrivateKey, deviceEndEntityCert, bootstrapTrustAnchorCert)
return a.RunCommandEnable()
},
