utility/chromeos-tpm-recovery - platform/external/vboot_reference - Gitiles

 #!/bin/sh -u
 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
 # Run TPM diagnostics in recovery mode, and attempt to fix problems.  This is
 # specific to devices with chromeos firmware.
 #
 # Usage: chromeos-tpm-recovery <log file>
 #
 # Most of the diagnostics examine the TPM state and try to fix it.  This may
 # require clearing TPM ownership.

 tpmc=${USR_BIN:=/usr/bin}/tpmc
 nvtool=${USR_LOCAL_BIN:=/usr/local/bin}/tpm-nvtool
 tpm_takeownership=${USR_LOCAL_SBIN:=/usr/local/sbin}/tpm_takeownership
 tcsd=${USR_SBIN:=/usr/sbin}/tcsd
 dot_recovery=${DOT_RECOVERY:=/mnt/stateful_partition/.recovery}
 acpi=${ACPI_DIR:=/sys/devices/platform/chromeos_acpi}
 awk=/usr/bin/awk

 # At the time this script starts, we assume the following holds:
 #
 # - TPM may be owned, but not with the well-known password
 # - tcsd has not been started

 tpm_owned_with_well_known_password=0
 tpm_unowned=0
 tcsd_pid=0

 log() {
   echo "$(date): $*" >> $RECOVERY_LOG
 }

 quit() {
   log "ERROR: $*"
   log "exiting"
   exit 1
 }

 log_tryfix() {
   log "$*: attempting to fix"
 }

 # bit <n> <i> outputs bit i of number n, with bit 0 being the lsb.

 bit () {
   echo $(( ( $1 >> $2 ) & 1 ))
 }

 ensure_tcsd_is_running () {
   if [ $tcsd_pid = 0 ]; then
     $tcsd -f &
     tcsd_pid=$!
     sleep 2    # give tcsd time to initialize
   fi
 }

 ensure_tcsd_is_not_running () {
   if [ $tcsd_pid != 0 ]; then
     kill $tcsd_pid
     sleep 0.5
     kill $tcsd_pid > /dev/null 2>&1
     sleep 0.5
     wait $tcsd_pid > /dev/null 2>&1  # we trust that tcsd will agree to die
     tcsd_pid=0
   fi
 }

 tpm_clear_and_reenable () {
   ensure_tcsd_is_not_running
   $tpmc clear
   $tpmc enable
   $tpmc activate
   tpm_owned_with_well_known_password=0
   tpm_unowned=1
 }

 # We want the TPM owned with the well-known password.

 ensure_tpm_is_owned () {
   if [ $tpm_owned_with_well_known_password = 0 ]; then
     tpm_clear_and_reenable
     ensure_tcsd_is_running
     $tpm_takeownership -y -z || log "takeownership failed with status $?"
     tpm_owned_with_well_known_password=1
     tpm_unowned=0
   fi
 }

 ensure_tpm_is_unowned () {
   if [ $tpm_unowned = 0 ]; then
     tpm_clear_and_reenable
   fi
 }

 remove_space () {
   index=$1
   log "removing space $index"
   ensure_tpm_is_owned
   ensure_tcsd_is_running
   $nvtool --release --index "$index" --owner_password "" >> $RECOVERY_LOG 2>&1
   log "nvtool --release: status $?"
 }

 # Makes some room by removing a TPM space it doesn't recognize.  It would be
 # nice to let the user choose which space, but we may not have a UI.

 make_room () {

   # Check NVRAM spaces.
   AWK_PROGRAM=/tmp/tpm_recovery_$$.awk
   cat > $AWK_PROGRAM <<"EOF"
 /# NV Index 0xffffffff/ { next } # NV_INDEX_LOCK
 /# NV Index 0x00000000/ { next } # NV_INDEX0
 /# NV Index 0x00000001/ { next } # NV_INDEX_DIR
 /# NV Index 0x0000f.../ { next } # reserved for TPM use
 /# NV Index 0x0001..../ { next } # reserved for TCG WGs
 /# NV Index 0x00001007/ { next } # firmware space index
 /# NV Index 0x00001008/ { next } # kernel space index
 /# NV Index / { print $4 } #unexpected space
 EOF

   local index

   log "trying to make room by freeing one space"
   ensure_tcsd_is_running
   ensure_tpm_is_owned
   unexpected_spaces=$($nvtool --list | $awk -f $AWK_PROGRAM)

   status=1

   if [ "$unexpected_spaces" != "" ]; then
     log_tryfix "unexpected spaces: $unexpected_spaces"
     for index in $unexpected_spaces; do
       log "trying to remove space $index"
       if remove_space $(printf "0x%x" $(( $index )) ); then
         status=0
         break;
       fi
     done
   fi

   return $status
 }

 # define_space <index> <size> <permissions>

 define_space () {
   local index=$1
   local size=$2
   local permissions=$3
   # 0xf004 is for testing if there is enough room without side effects.
   local test_space=0xf004
   local perm_ppwrite=0x1
   local enough_room

   ensure_tpm_is_unowned
   while true; do
     log "checking for NVRAM room for space with size $size"
     if $tpmc definespace $test_space $size $perm_ppwrite; then
       log "there is enough room"
       enough_room=1
       break
     else
       log "definespace $test_space $size failed with status $?"
       if ! make_room; then
         enough_room=0
         break
       fi
     fi
   done

   if [ $enough_room -eq 0 ]; then
     log "not enough room to define space $index"
     return 1
   fi
   $tpmc definespace $index $size $permissions
 }

 fix_space () {
   local index=$1
   local permissions=$2
   local size=$3
   local bytes="$4"

   local space_exists=1

   ensure_tcsd_is_not_running
   observed_permissions=$($tpmc getp $index | $awk '{print $5;}')
   if [ $? -ne 0 ]; then
     space_exists=0
   fi

   # Check kernel space ID.
   if [ $space_exists -eq 1 -a $index = 0x1008 ]; then
     if ! $tpmc read 0x1008 0x5 | grep -q " 4c 57 52 47[ ]*$"; then
       log "bad kernel space id"
       remove_space $index
       space_exists=0
     fi
   fi

   # Check that space is large enough (we don't care if it's larger)
   if [ $space_exists -eq 1 ]; then
     if ! $tpmc read $index $size > /dev/null; then
       log "space $index read of size $size failed"
       remove_space $index
       space_exists=0
     fi
   fi

   # If space exists but permissions are bad, delete the space.
   if [ $space_exists -eq 1 -a $observed_permissions != $permissions ]; then
     log "space $index has unexpected permissions $permissions"
     remove_space $index
     space_exists=0
   fi

   # If space does not exist, reconstruct it.
   if [ $space_exists -eq 0 ]; then
     log_tryfix "space $index is gone"
     if ! define_space $index $size $permissions; then
       log "could not redefine space $index"
       return 1
     fi
     # do not quote "$bytes", as we mean to expand it here
     $tpmc write $index $bytes || log "writing to $index failed with code $?"
     log "space $index was recreated successfully"
   fi
 }


 # ------------
 # MAIN PROGRAM
 # ------------

 # Set up logging and announce ourselves.

 if [ $# = 1 ]; then
   RECOVERY_LOG="$1"
   /usr/bin/logger "$0 started, output in $RECOVERY_LOG"
   log "starting $0"
 else
   /usr/bin/logger "$0 usage error"
   echo "usage: $0 <log file>"
   exit 1
 fi

 # Sanity check: are we executing in a recovery image?

 if [ ! -e $dot_recovery ]; then
   quit "not a recovery image"
 fi

 # Mnemonic: "B, I, N, F, O, and BINFO was his name-o."
 # Except it's a zero (0), not an O.
 BINF0=$acpi/BINF.0
 CHSW=$acpi/CHSW

 # There is no point running unless this a ChromeOS device.

 if [ ! -e $BINF0 ]; then
   log "not a chromeos device, exiting"
   exit 0
 fi

 BOOT_REASON=$(cat $BINF0)
 log "boot reason is $BOOT_REASON"

 # Sanity check: did we boot in recovery mode?

 if ! echo $BOOT_REASON | grep -q "^[345678]$"; then
   quit "unexpected boot reason $BOOT_REASON"
 fi

 # Do we even have these tools in the image?

 if [ ! -e $tpmc -o ! -e $nvtool -o ! -e $tpm_takeownership ]; then
   quit "tpmc or nvtool or tpm_takeownership are missing"
 fi

 # Is the state of the PP enable flags correct?

 if ! ($tpmc getpf | grep -q "physicalPresenceLifetimeLock 1" &&
       $tpmc getpf | grep -q "physicalPresenceHWEnable 0" &&
       $tpmc getpf | grep -q "physicalPresenceCMDEnable 1"); then
   log_tryfix "bad state of physical presence enable flags"
   if $tpmc ppfin; then
     log "physical presence enable flags are now correctly set"
   else
     quit "could not set physical presence enable flags"
   fi
 fi

 # Is physical presence turned on?

 if $tpmc getvf | grep -q "physicalPresence 0"; then
   log_tryfix "physical presence is OFF, expected ON"
   # attempt to turn on physical presence
   if $tpmc ppon; then
     log "physical presence is now on"
   else
     quit "could not turn physical presence on"
   fi
 fi

 DEV_MODE_NOW=$(bit $(cat $CHSW) 4)
 DEV_MODE_AT_BOOT=$(bit $(cat $CHSW) 5)

 # Check that bGlobalLock is unset

 if [ $DEV_MODE_NOW != $DEV_MODE_AT_BOOT ]; then
   # this is either too weird or malicious, so we give up
   quit "dev mode is $DEV_MODE_NOW, but was $DEV_MODE_AT_BOOT at boot"
 fi

 BGLOBALLOCK=$($tpmc getvf | $awk '/bGlobalLock/ {print $2;}')

 if [ 0 -ne $BGLOBALLOCK ]; then
   # this indicates either TPM malfunction or firmware malfunction.
   log "bGlobalLock is $BGLOBALLOCK (dev mode is $DEV_MODE_NOW)."
 fi

 # Check firmware and kernel spaces
 fix_space 0x1007 0x8001 0xa "01 00    00 00 00 00    00 00 00 00" || \
   log "could not fix firmware space"
 fix_space 0x1008 0x1 0xd "01    4c 57 52 47    00 00 00 00    00 00 00 00" || \
   log "could not fix kernel space"

 # Cleanup: don't leave the tpm owned with the well-known password.
 if [ $tpm_owned_with_well_known_password -eq 1 ]; then
   tpm_clear_and_reenable
 fi

 ensure_tcsd_is_not_running
 log "tpm recovery has completed"
	#!/bin/sh -u
	# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.
	#
	# Run TPM diagnostics in recovery mode, and attempt to fix problems. This is
	# specific to devices with chromeos firmware.
	#
	# Usage: chromeos-tpm-recovery <log file>
	#
	# Most of the diagnostics examine the TPM state and try to fix it. This may
	# require clearing TPM ownership.

	tpmc=${USR_BIN:=/usr/bin}/tpmc
	nvtool=${USR_LOCAL_BIN:=/usr/local/bin}/tpm-nvtool
	tpm_takeownership=${USR_LOCAL_SBIN:=/usr/local/sbin}/tpm_takeownership
	tcsd=${USR_SBIN:=/usr/sbin}/tcsd
	dot_recovery=${DOT_RECOVERY:=/mnt/stateful_partition/.recovery}
	acpi=${ACPI_DIR:=/sys/devices/platform/chromeos_acpi}
	awk=/usr/bin/awk

	# At the time this script starts, we assume the following holds:
	#
	# - TPM may be owned, but not with the well-known password
	# - tcsd has not been started

	tpm_owned_with_well_known_password=0
	tpm_unowned=0
	tcsd_pid=0

	log() {
	echo "$(date): $*" >> $RECOVERY_LOG
	}

	quit() {
	log "ERROR: $*"
	log "exiting"
	exit 1
	}

	log_tryfix() {
	log "$*: attempting to fix"
	}

	# bit <n> <i> outputs bit i of number n, with bit 0 being the lsb.

	bit () {
	echo $(( ( $1 >> $2 ) & 1 ))
	}

	ensure_tcsd_is_running () {
	if [ $tcsd_pid = 0 ]; then
	$tcsd -f &
	tcsd_pid=$!
	sleep 2 # give tcsd time to initialize
	fi
	}

	ensure_tcsd_is_not_running () {
	if [ $tcsd_pid != 0 ]; then
	kill $tcsd_pid
	sleep 0.5
	kill $tcsd_pid > /dev/null 2>&1
	sleep 0.5
	wait $tcsd_pid > /dev/null 2>&1 # we trust that tcsd will agree to die
	tcsd_pid=0
	fi
	}

	tpm_clear_and_reenable () {
	ensure_tcsd_is_not_running
	$tpmc clear
	$tpmc enable
	$tpmc activate
	tpm_owned_with_well_known_password=0
	tpm_unowned=1
	}

	# We want the TPM owned with the well-known password.

	ensure_tpm_is_owned () {
	if [ $tpm_owned_with_well_known_password = 0 ]; then
	tpm_clear_and_reenable
	ensure_tcsd_is_running
	$tpm_takeownership -y -z \|\| log "takeownership failed with status $?"
	tpm_owned_with_well_known_password=1
	tpm_unowned=0
	fi
	}

	ensure_tpm_is_unowned () {
	if [ $tpm_unowned = 0 ]; then
	tpm_clear_and_reenable
	fi
	}

	remove_space () {
	index=$1
	log "removing space $index"
	ensure_tpm_is_owned
	ensure_tcsd_is_running
	$nvtool --release --index "$index" --owner_password "" >> $RECOVERY_LOG 2>&1
	log "nvtool --release: status $?"
	}

	# Makes some room by removing a TPM space it doesn't recognize. It would be
	# nice to let the user choose which space, but we may not have a UI.

	make_room () {

	# Check NVRAM spaces.
	AWK_PROGRAM=/tmp/tpm_recovery_$$.awk
	cat > $AWK_PROGRAM <<"EOF"
	/# NV Index 0xffffffff/ { next } # NV_INDEX_LOCK
	/# NV Index 0x00000000/ { next } # NV_INDEX0
	/# NV Index 0x00000001/ { next } # NV_INDEX_DIR
	/# NV Index 0x0000f.../ { next } # reserved for TPM use
	/# NV Index 0x0001..../ { next } # reserved for TCG WGs
	/# NV Index 0x00001007/ { next } # firmware space index
	/# NV Index 0x00001008/ { next } # kernel space index
	/# NV Index / { print $4 } #unexpected space
	EOF

	local index

	log "trying to make room by freeing one space"
	ensure_tcsd_is_running
	ensure_tpm_is_owned
	unexpected_spaces=$($nvtool --list \| $awk -f $AWK_PROGRAM)

	status=1

	if [ "$unexpected_spaces" != "" ]; then
	log_tryfix "unexpected spaces: $unexpected_spaces"
	for index in $unexpected_spaces; do
	log "trying to remove space $index"
	if remove_space $(printf "0x%x" $(( $index )) ); then
	status=0
	break;
	fi
	done
	fi

	return $status
	}

	# define_space <index> <size> <permissions>

	define_space () {
	local index=$1
	local size=$2
	local permissions=$3
	# 0xf004 is for testing if there is enough room without side effects.
	local test_space=0xf004
	local perm_ppwrite=0x1
	local enough_room

	ensure_tpm_is_unowned
	while true; do
	log "checking for NVRAM room for space with size $size"
	if $tpmc definespace $test_space $size $perm_ppwrite; then
	log "there is enough room"
	enough_room=1
	break
	else
	log "definespace $test_space $size failed with status $?"
	if ! make_room; then
	enough_room=0
	break
	fi
	fi
	done

	if [ $enough_room -eq 0 ]; then
	log "not enough room to define space $index"
	return 1
	fi
	$tpmc definespace $index $size $permissions
	}

	fix_space () {
	local index=$1
	local permissions=$2
	local size=$3
	local bytes="$4"

	local space_exists=1

	ensure_tcsd_is_not_running
	observed_permissions=$($tpmc getp $index \| $awk '{print $5;}')
	if [ $? -ne 0 ]; then
	space_exists=0
	fi

	# Check kernel space ID.
	if [ $space_exists -eq 1 -a $index = 0x1008 ]; then
	if ! $tpmc read 0x1008 0x5 \| grep -q " 4c 57 52 47[ ]*$"; then
	log "bad kernel space id"
	remove_space $index
	space_exists=0
	fi
	fi

	# Check that space is large enough (we don't care if it's larger)
	if [ $space_exists -eq 1 ]; then
	if ! $tpmc read $index $size > /dev/null; then
	log "space $index read of size $size failed"
	remove_space $index
	space_exists=0
	fi
	fi

	# If space exists but permissions are bad, delete the space.
	if [ $space_exists -eq 1 -a $observed_permissions != $permissions ]; then
	log "space $index has unexpected permissions $permissions"
	remove_space $index
	space_exists=0
	fi

	# If space does not exist, reconstruct it.
	if [ $space_exists -eq 0 ]; then
	log_tryfix "space $index is gone"
	if ! define_space $index $size $permissions; then
	log "could not redefine space $index"
	return 1
	fi
	# do not quote "$bytes", as we mean to expand it here
	$tpmc write $index $bytes \|\| log "writing to $index failed with code $?"
	log "space $index was recreated successfully"
	fi
	}


	# ------------
	# MAIN PROGRAM
	# ------------

	# Set up logging and announce ourselves.

	if [ $# = 1 ]; then
	RECOVERY_LOG="$1"
	/usr/bin/logger "$0 started, output in $RECOVERY_LOG"
	log "starting $0"
	else
	/usr/bin/logger "$0 usage error"
	echo "usage: $0 <log file>"
	exit 1
	fi

	# Sanity check: are we executing in a recovery image?

	if [ ! -e $dot_recovery ]; then
	quit "not a recovery image"
	fi

	# Mnemonic: "B, I, N, F, O, and BINFO was his name-o."
	# Except it's a zero (0), not an O.
	BINF0=$acpi/BINF.0
	CHSW=$acpi/CHSW

	# There is no point running unless this a ChromeOS device.

	if [ ! -e $BINF0 ]; then
	log "not a chromeos device, exiting"
	exit 0
	fi

	BOOT_REASON=$(cat $BINF0)
	log "boot reason is $BOOT_REASON"

	# Sanity check: did we boot in recovery mode?

	if ! echo $BOOT_REASON \| grep -q "^[345678]$"; then
	quit "unexpected boot reason $BOOT_REASON"
	fi

	# Do we even have these tools in the image?

	if [ ! -e $tpmc -o ! -e $nvtool -o ! -e $tpm_takeownership ]; then
	quit "tpmc or nvtool or tpm_takeownership are missing"
	fi

	# Is the state of the PP enable flags correct?

	if ! ($tpmc getpf \| grep -q "physicalPresenceLifetimeLock 1" &&
	$tpmc getpf \| grep -q "physicalPresenceHWEnable 0" &&
	$tpmc getpf \| grep -q "physicalPresenceCMDEnable 1"); then
	log_tryfix "bad state of physical presence enable flags"
	if $tpmc ppfin; then
	log "physical presence enable flags are now correctly set"
	else
	quit "could not set physical presence enable flags"
	fi
	fi

	# Is physical presence turned on?

	if $tpmc getvf \| grep -q "physicalPresence 0"; then
	log_tryfix "physical presence is OFF, expected ON"
	# attempt to turn on physical presence
	if $tpmc ppon; then
	log "physical presence is now on"
	else
	quit "could not turn physical presence on"
	fi
	fi

	DEV_MODE_NOW=$(bit $(cat $CHSW) 4)
	DEV_MODE_AT_BOOT=$(bit $(cat $CHSW) 5)

	# Check that bGlobalLock is unset

	if [ $DEV_MODE_NOW != $DEV_MODE_AT_BOOT ]; then
	# this is either too weird or malicious, so we give up
	quit "dev mode is $DEV_MODE_NOW, but was $DEV_MODE_AT_BOOT at boot"
	fi

	BGLOBALLOCK=$($tpmc getvf \| $awk '/bGlobalLock/ {print $2;}')

	if [ 0 -ne $BGLOBALLOCK ]; then
	# this indicates either TPM malfunction or firmware malfunction.
	log "bGlobalLock is $BGLOBALLOCK (dev mode is $DEV_MODE_NOW)."
	fi

	# Check firmware and kernel spaces
	fix_space 0x1007 0x8001 0xa "01 00 00 00 00 00 00 00 00 00" \|\| \
	log "could not fix firmware space"
	fix_space 0x1008 0x1 0xd "01 4c 57 52 47 00 00 00 00 00 00 00 00" \|\| \
	log "could not fix kernel space"

	# Cleanup: don't leave the tpm owned with the well-known password.
	if [ $tpm_owned_with_well_known_password -eq 1 ]; then
	tpm_clear_and_reenable
	fi

	ensure_tcsd_is_not_running
	log "tpm recovery has completed"