Merge pull request #2278 from deitch/tpm-tools

tpm tools

pkg/tss/Dockerfile

@@ -0,0 +1,64 @@
+FROM linuxkit/alpine:43c139f87122e94af5fac9a9d1d96f0292ca1c0b AS build
+
+ENV TROUSERS_COMMIT de57f069ef2297d6a6b3a0353e217a5a2f66e444
+ENV TPM_TOOLS_COMMIT bdf9f1bc8f63cd6fc370c2deb58d03ac55079e84
+
+RUN apk add --no-cache --initdb \
+    automake \
+    autoconf \
+    gettext \
+    gettext-dev \
+    git \
+    pkgconfig \
+    libtool \
+    libc-dev \
+    linux-headers \
+    gcc \
+    make \
+    openssl-dev \
+    util-linux \
+    && true
+
+RUN mkdir -p /usr/src
+COPY src/glibc_stubs/ /usr/src/glibc_stubs
+WORKDIR /usr/src/glibc_stubs
+RUN make && make install
+
+RUN git clone https://git.code.sf.net/p/trousers/trousers /usr/src/trousers-trousers && cd /usr/src/trousers-trousers && git checkout $TROUSERS_COMMIT
+RUN git clone https://git.code.sf.net/p/trousers/tpm-tools /usr/src/trousers-tpm-tools && cd /usr/src/trousers-tpm-tools && git checkout $TPM_TOOLS_COMMIT
+WORKDIR /usr/src/trousers-trousers
+RUN sh bootstrap.sh && \
+    ./configure --prefix=/ --sysconfdir=/etc LDFLAGS="-L/out/lib/ -lgetpwent_r" && \
+    make && \
+    make install prefix=/out
+WORKDIR /usr/src/trousers-tpm-tools
+
+RUN sh bootstrap.sh && \
+    ./configure --prefix=/out CFLAGS="-I/out/include" LDFLAGS="-L/out/lib/ -lgetpwent_r" && \
+    make && \
+    make install
+
+COPY src/savedeps/ /usr/src/savedeps
+RUN /usr/src/savedeps/savedeps.sh /out /out
+
+RUN mkdir -p /out/var/lib/tpm
+
+# we need busybox to run chmod, chown, touch, etc.
+RUN mkdir -p /out/bin && cp /bin/busybox /out/bin/busybox && ln -s /bin/busybox /out/bin/sh
+
+
+
+FROM scratch
+WORKDIR /
+COPY --from=build /out /
+COPY etc/ /etc
+# set up the appropriate groups and perms
+RUN busybox chmod 0644 /etc/passwd /etc/group && \
+    busybox chmod 0640 /etc/shadow && \
+    busybox touch /etc/tcsd.conf && \
+    busybox chmod 0600 /etc/tcsd.conf && \
+    busybox chown -R tss.tss /var/lib/tpm/ /etc/tcsd.conf && \
+    busybox rm /bin/busybox /bin/sh
+
+CMD ["/sbin/tcsd","-f"]
+LABEL org.mobyproject.config='{"pid": "host", "net":"host", "binds": ["/dev:/dev"], "capabilities": ["all"]}'

pkg/tss/Makefile

@@ -0,0 +1,6 @@
+IMAGE=tss
+NETWORK=1
+DEPS=$(wildcard upload/out/*) $(wildcard upload/out/etc/*) $(wildacrd upload/src/savedeps/*) $(wildcard upload/src/glibc_stubs/*)
+
+include ../package.mk
+

pkg/tss/README.md

@@ -0,0 +1,35 @@
+# LinuxKit tpm
+Image to provide a tcsd daemon and tpm tools to support tpm, based on [trousers and tpm-tools](https://sourceforge.net/projects/trousers/) .
+
+
+## Usage
+If you want to interact with a tpm chip, you need a `tcsd` daemon running to control it and provide a communication endpoint for all of your tpm commands.
+
+This image provides both a `tcsd` daemon to run in a container, and the command line `tpm-tools`.
+
+### Daemon
+To run a `tcsd` daemon - you **must** run exactly one on a tpm-enabled host to interact with the tpm - just start the container.
+
+#### LinuxKit
+In LinuxKit, add the following to your moby `.yml`:
+
+```
+services:
+  - name: tcsd
+    image: "secureapp/tss:<hash>"
+```
+
+The above will launch `tcsd` listening on localhost only.
+
+#### Docker
+In regular docker or other container environment, start the container in the background. Be sure to map `/dev:/dev` and expose port `30003`.
+
+```
+docker run -d -v /dev:/dev -p 30003:30003 secureapp/tcsd
+```
+### CLI Tools
+To run the CLI tools, just run them:
+
+```
+docker run -it --rm secureapp/tcsd tpm_nvread
+```

pkg/tss/etc/group

@@ -0,0 +1,6 @@
+root:x:0:root
+bin:x:1:root,bin,daemon
+daemon:x:2:root,bin,daemon
+sys:x:3:root,bin,adm
+adm:x:4:root,adm,daemon
+tss:x:116:

pkg/tss/etc/passwd

@@ -0,0 +1,5 @@
+root:x:0:0:root:/root:/bin/false
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+tss:x:107:116::/var/lib/tpm:/bin/false

pkg/tss/etc/shadow

@@ -0,0 +1,5 @@
+root:!::0:::::
+bin:!::0:::::
+daemon:!::0:::::
+adm:!::0:::::
+tss:*:16901:0:99999:7:::

pkg/tss/src/glibc_stubs/Makefile

@@ -0,0 +1,18 @@
+
+.PHONY: all clean install
+
+SOLIB = libgetpwent_r.so
+
+DEPS = getpwent_r.o
+
+all: $(SOLIB)
+
+%.o: %.c
+	gcc -c -Wall -Werror -fpic ${CFLAGS} $<
+
+$(SOLIB): $(DEPS)
+	gcc -shared -o $(SOLIB) $^
+
+install:
+	mkdir -p /out/lib
+	cp $(SOLIB) /out/lib

pkg/tss/src/glibc_stubs/getpwent_r.c

@@ -0,0 +1,38 @@
+/*
+ * getpwent_r stub
+ *
+ * This is not really reentrant... but then again, neither is getpwent_r
+ * because getpwent_r is a GNU extension, and not posix compliant,
+ * a program using getpwent_r() will fail on a system with POSIX-compliant libc,
+ *   e.g. musl libc on Alpine
+ *
+ * This library simply stubs it through
+ * It does nothing but:
+ * 1. populate the pwbuf with the data
+ * 2. populate pwbufp with the pointer to *pwbuf
+ * 3. return correct error codes
+ *
+ * It was created to get trousers libtspi to work with POSIX-compliant musl libc
+ * when that is fixed - https://sourceforge.net/p/trousers/bugs/211/ - this will
+ * be unnecessary
+ */
+
+#include <errno.h>
+#include <stddef.h>
+#include <pwd.h>
+#include <string.h>
+
+struct passwd *pwp;
+int getpwent_r(struct passwd *pwbuf, char *buf, size_t buflen, struct passwd **pwbufp)
+{
+         struct passwd *pw;
+         // if NULL, we had an error, return the appropriate error code
+         if ((pw = getpwent()) == NULL) {
+                  return ERANGE;
+         }
+         // so really we should memcpy mot just the (struct passwd), but everything it points to as well
+         // in practice, we just copy the (struct passwd) because this isn't really thread-safe anyways
+         memcpy(pwbuf, pw, sizeof(*pw));
+         *pwbufp = pwbuf;
+         return 0;
+}

pkg/tss/src/savedeps/savedeps.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+# find all of my dependencies under $1 and save them to $2
+OUTDIR=$1
+
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$OUTDIR/lib:$OUTDIR/usr/lib
+# find the direct dependencies
+DIRECTDEPS=$(for i in $(find $OUTDIR/*bin $OUTDIR/*lib -type f); do ldd $i 2>/dev/null; done | awk '{print $3}' | grep -v '^ldd$' | sort | uniq)
+# find the secondary dependencies
+SECONDDEPS=$(for i in $DIRECTDEPS; do ldd $i 2>/dev/null; done | awk '{print $3}' | grep -v '^ldd$' | sort | uniq)
+# merge together into single unique list, excluding any already in OUTDIR
+ALLDEPS=$(echo "$DIRECTDEPS $SECONDDEPS" | sort | uniq | grep -v "^$OUTDIR")
+
+
+# recursively follows links
+copyfile() {
+	local infile=${1#/}
+	tar cvf - $infile | (cd $OUTDIR ; tar xvf - )
+	# if it was a symlink, dereference and copy that
+	if [ -L $infile ]; then
+		copyfile $(readlink -f $infile)
+	fi
+}
+
+# we remove the leadink / and then do everything from /
+cd /
+# save to OUTDIR
+mkdir -p $OUTDIR
+for infile in $ALLDEPS; do
+	if [ ! -e $OUTDIR/$infile ]; then
+		# symlinks should be copied but also followed
+		copyfile $infile
+	fi
+done