我正在尝试使用像Anti-Evil-Maid这样的自编写版本来保护工作站的启动过程,但是我无法让TPM守护程序运行。问题似乎是,一旦连接客户端触发.getaddrinfo()调用,TCSD就会失败。这意味着,程序启动,但一旦使用就会退出。
到目前为止,我已经尝试通过strace确定TCSD的先决条件,并将相关的文件和库复制到initrd中,但截至目前我还没有超越这一点。不幸的是我无法将init进程中的日志复制到这篇文章中,因为一旦root被更改,所有文件都会消失,但我可以告诉你,到目前为止我尝试了什么。我假设,问题通常与glibc或bootprocess相关联,但我不知道,我如何进一步调试它。
让我们从我复制到initramfs中的文件开始。 hook-script看起来如下:
#!/bin/sh
# trousers TPM software
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
# Here it begins
copy_exec /home/dev/build/aem/tpm_pcr_extend /bin
copy_exec /usr/bin/shasum /bin
copy_exec /usr/sbin/adduser /sbin
copy_exec /usr/bin/strace /bin
copy_exec /usr/bin/getent /bin
copy_exec /usr/sbin/tcsd /sbin
copy_exec /usr/bin/tpm_unsealdata /bin
copy_exec /usr/bin/tpm_sealdata /bin
copy_exec /usr/sbin/tpm_nvinfo /sbin
copy_exec /usr/sbin/tpm_nvread /sbin
copy_exec /usr/sbin/tpm_resetdalock /sbin
copy_exec /usr/sbin/tpm_selftest /sbin
copy_exec /usr/sbin/tpm_version /sbin
# copy_exec /etc/tcsd.conf /etc
copy_exec /usr/src/initrd/etc/passwd /etc
copy_exec /usr/src/initrd/etc/shadow /etc
copy_exec /usr/src/initrd/etc/group /etc
copy_exec /usr/src/initrd/etc/hosts /etc
copy_exec /usr/src/initrd/etc/hostname /etc
copy_exec /etc/host.conf /etc
copy_exec /etc/hosts /etc
copy_exec /etc/nsswitch.conf /etc
copy_exec /etc/services /etc
copy_modules_dir kernel/drivers/char/tpm
copy_exec /usr/lib/libopencryptoki.so.0 /lib
copy_exec /usr/lib/opencryptoki/stdll/* /lib/opencryptoki
copy_exec /usr/lib/x86_64-linux-gnu/libcrypto.a /lib
copy_exec /usr/lib/x86_64-linux-gnu/libcrypto.so /lib
copy_exec /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 /lib
copy_exec /usr/lib/x86_64-linux-gnu/libtspi.so /lib
copy_exec /usr/lib/x86_64-linux-gnu/libtpm_unseal.so /lib
copy_exec /lib/x86_64-linux-gnu/libdl-2.19.so /lib
copy_exec /lib/x86_64-linux-gnu/libdl.so.2 /lib
copy_exec /lib/x86_64-linux-gnu/libc.so.6 /lib
copy_exec /usr/lib/libdns.so.100 /lib
copy_exec /usr/lib/libbind9.so.90 /lib
copy_exec /lib/x86_64-linux-gnu/libresolv.so.2 /lib
copy_exec /usr/lib/x86_64-linux-gnu/libnss3.so /lib
copy_exec /usr/lib/x86_64-linux-gnu/libnss_compat.so /lib
copy_exec /usr/lib/x86_64-linux-gnu/libnss_dns.so /lib
copy_exec /usr/lib/x86_64-linux-gnu/libnss_files.so /lib
copy_exec /usr/lib/x86_64-linux-gnu/libnss_hesiod.so /lib
copy_exec /usr/lib/x86_64-linux-gnu/libnss_nis.so /lib
copy_exec /usr/lib/x86_64-linux-gnu/libnss_nisplus.so /lib
copy_exec /usr/lib/x86_64-linux-gnu/libnssutil3.so /lib
copy_exec /usr/lib/x86_64-linux-gnu/libssl.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 /lib/
copy_exec /usr/lib/x86_64-linux-gnu/libssl3.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/lib4758cca.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libaep.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libatalla.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libcapi.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libchil.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libcswift.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgmp.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libnuron.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpadlock.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libsureware.so /lib/
copy_exec /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libubsec.so /lib/
接下来,有一个缩短版本的脚本,我想运行:
的/ etc / initramfs的工具/脚本/本地顶/裤子
#!/bin/sh
PREREQ="lvm2"
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /scripts/functions
# Begin real processing below this line
UNSEALED_SECRET="/tmp/aem/unsealed_secret"
SEALED_SECRET="/mnt/sealed_secret"
TCSD_EXE="/sbin/tcsd"
TCSD_PATH="/var/lib/tpm"
BOOT_PARTITION="/dev/mapper/linux-boot"
TPM_UNSEAL="/bin/tpm_unsealdata"
# Necessary to get the lvm files in /dev/mapper/
udevadm trigger
udevadm settle
vgchange -a y
# test, whether the relevant stuff is there
if [ ! -x $TCSD_EXE ]; then
echo "TCSD executable not found"
fi
if [ ! -e $BOOT_PARTITION ]; then
echo "Boot Partition not found"
fi
if [ ! -x $TPM_UNSEAL ]; then
echo "TPM Unseal not found"
fi
mkdir -p /tmp/aem
touch $UNSEALED_SECRET
if [ ! -e $UNSEALED_SECRET ]; then
echo "Unsealed Secret File could not be written"
fi
# mount boot volume into /mnt
mkdir /mnt
mount $BOOT_PARTITION /mnt
if [ ! -e $SEALED_SECRET ]; then
echo "Sealed Secret File not found"
fi
echo "Starting TCSD"
# /etc/passwd is overwritten by mkinitramfs, but TCSD needs the user tss
echo "tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin" >> /etc/passwd
# basic network configuration. I'm not sure, if it's allright
echo "domain localhost" > /etc/resolv.conf
echo "127.0.0.1 localhost" > /etc/hosts
echo "multi on" > /etc/host.conf
echo "order hosts" >> /etc/hosts.conf
# make sure, the libs are in the searchpath
PATS=$PATH:/lib
PATH=$PATH:/usr/lib
PATH=$PATH:/usr/lib/x86_64-linux-gnu
PATH=$PATH:/usr/lib/opencryptoki
PATH=$PATH:/lib/x86_64-linux-gnu
PATH=$PATH:/lib64
# fixes an old bug in dynamically linked binaries, but is probably useless nowadays
export LD_LIBRARY_PATH="/lib64:/usr/lib:/usr/lib/x86_64-linux-gnu:/usr/lib/opencryptoki:/lib/x86_64-linux-gnu"
# import TPM modules
modprobe tpm
modprobe tpm_tis interrupt=0 force=1
modprobe tpm_i2c_stm_st33
# set up loopback network
ip link set dev lo up
ip route add 127.0.0.1 dev lo
# create /var/lib/tpm which TCSD wants
mkdir -p $TCSD_PATH
chmod 700 $TCSD_PATH
chown tss:tss $TCSD_PATH
# start tcsd with the default settings.
tcsd || panic "TCSD failed"
# try to decrypt a sealed file:
echo "Unsealing Secret"
echo "Starting Unseal"
mkdir -p /tmp/aem
chmod ugo=rwx /tmp/aem
# Here it fails:
tpm_unsealdata -i $SEALED_SECRET -o $UNSEALED_SECRET
echo ""
echo "-----------"
echo "File: $UNSEALED_SECRET"
cat $UNSEALED_SECRET
echo "-----------"
echo ""
echo "starting shell"
sh
echo "Cleaning up"
killall tcsd
rm -f /tmp/aem
umount /mnt
因此。而已。当tpm_unsealdata尝试连接到TCSD时,TCSD会调用getaddrinfo(),失败并退出。对于trousers / tpm-tools包中的所有其他工具也是如此。
老实说,我对启动过程的这个早期阶段并不太了解,所以我可能没有看到任何东西,而无法进一步调试。一些帮助将不胜感激。