Yi Chou9d24b462020-12-04 01:12:57 +08001// Copyright 2021 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include <string>
6#include <utility>
7
8#include <base/callback.h>
Qijiang Fan713061e2021-03-08 15:45:12 +09009#include <base/check.h>
10#include <base/check_op.h>
Yi Chou9d24b462020-12-04 01:12:57 +080011#include <base/files/file_util.h>
12#include <base/files/file.h>
Yi Chou9d24b462020-12-04 01:12:57 +080013#include <base/logging.h>
14#include <base/posix/eintr_wrapper.h>
Yi Chou9d24b462020-12-04 01:12:57 +080015#include <fcntl.h>
Yi Choudee22a52020-12-07 15:06:22 +080016#include <libminijail.h>
Yi Chou9d24b462020-12-04 01:12:57 +080017#include <linux/vtpm_proxy.h>
Yi Choudee22a52020-12-07 15:06:22 +080018#include <scoped_minijail.h>
19#include <signal.h>
Yi Chou9d24b462020-12-04 01:12:57 +080020#include <sys/ioctl.h>
21#include <sys/stat.h>
22#include <sys/types.h>
23#include <sysexits.h>
Yi Chou9d24b462020-12-04 01:12:57 +080024#include <unistd.h>
25
26#include "tpm2-simulator/simulator.h"
27
28namespace {
// Account the daemon switches to when InitMinijailSandbox() drops privileges.
constexpr char kSimulatorUser[] = "tpm2-simulator";
constexpr char kSimulatorGroup[] = "tpm2-simulator";
// Seccomp policy file handed to minijail_parse_seccomp_filters().
constexpr char kSimulatorSeccompPath[] =
    "/usr/share/policy/tpm2-simulator.policy";
// Control node opened by RegisterVTPM() to request a new vTPM proxy device.
constexpr char kVtpmxPath[] = "/dev/vtpmx";
// The device number reported by the ioctl is appended to this prefix.
constexpr char kDevTpmPathPrefix[] = "/dev/tpm";
// Size of the stack buffer used for each read() in OnCommand().
constexpr size_t kMaxCommandSize = 4096;
// Bytes that must be buffered before the executor is asked for the command
// size.
constexpr size_t kHeaderSize = 10;
Yi Chou9d24b462020-12-04 01:12:57 +080037
// Asks the vTPM proxy driver behind kVtpmxPath for a new TPM 2.0 proxy device.
//
// On success, stores kDevTpmPathPrefix followed by the device number reported
// by the ioctl in |*tpm_path| and returns the descriptor the ioctl handed back
// in vtpm_proxy_new_dev::fd, wrapped so that it is closed when the owner goes
// away. On failure returns an invalid ScopedFD and leaves |*tpm_path|
// untouched. The control descriptor opened here is closed on every return
// path.
base::ScopedFD RegisterVTPM(base::FilePath* tpm_path) {
  base::ScopedFD control_fd(
      HANDLE_EINTR(open(kVtpmxPath, O_RDWR | O_CLOEXEC)));
  if (!control_fd.is_valid()) {
    // Nothing is logged for this case here; the caller sees the invalid FD.
    return control_fd;
  }

  struct vtpm_proxy_new_dev request = {};
  request.flags = VTPM_PROXY_FLAG_TPM2;
  const int rc = ioctl(control_fd.get(), VTPM_PROXY_IOC_NEW_DEV, &request);
  if (rc < 0) {
    PLOG(ERROR) << "Create vTPM failed.";
    return base::ScopedFD();
  }

  const std::string device_number = std::to_string(request.tpm_num);
  *tpm_path = base::FilePath(kDevTpmPathPrefix + device_number);
  LOG(INFO) << "Create TPM at: /dev/tpm" << request.tpm_num;
  return base::ScopedFD(request.fd);
}
55
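// Confines the current process: sets no_new_privs, installs the seccomp policy
// from kSimulatorSeccompPath and switches to kSimulatorUser/kSimulatorGroup.
//
// The user and group switch must fail closed. minijail_change_user() and
// minijail_change_group() report lookup failures through their return value;
// if that value is ignored, minijail_enter() is reached without a uid/gid
// change configured and the daemon keeps the identity it was started with.
// Every step that can report failure is therefore CHECKed, so a missing
// account aborts the daemon instead of leaving it running unconfined.
void InitMinijailSandbox() {
  ScopedMinijail j(minijail_new());
  CHECK(j.get()) << "minijail_new() failed";
  minijail_no_new_privs(j.get());
  minijail_log_seccomp_filter_failures(j.get());
  minijail_parse_seccomp_filters(j.get(), kSimulatorSeccompPath);
  minijail_use_seccomp_filter(j.get());
  CHECK_EQ(0, minijail_change_user(j.get(), kSimulatorUser))
      << "Cannot switch to user " << kSimulatorUser;
  CHECK_EQ(0, minijail_change_group(j.get(), kSimulatorGroup))
      << "Cannot switch to group " << kSimulatorGroup;
  minijail_inherit_usergroups(j.get());
  minijail_enter(j.get());
}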
67
Yi Chou9d24b462020-12-04 01:12:57 +080068} // namespace
69
70namespace tpm2_simulator {
71
// Stores |tpm_executor| without taking any further action. OnInit() and
// OnCommand() CHECK that the stored pointer is non-null before using it.
SimulatorDaemon::SimulatorDaemon(TpmExecutor* tpm_executor)
    : tpm_executor_{tpm_executor} {
}
74
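// Initializes the executor, registers the vTPM proxy device and installs the
// two watchers the daemon depends on.
//
// Returns EX_OK on success, the base class's exit code if Daemon::OnInit()
// fails, and EX_OSERR if the vTPM cannot be registered or the device path
// cannot be watched.
//
// The sandbox is not entered here: InitMinijailSandbox() runs from
// OnTpmPathChange(), which only fires through |tpm_watcher_|. A watcher that
// failed to install would therefore leave the daemon serving commands with its
// start-up privileges indefinitely, so that failure is treated as fatal.
int SimulatorDaemon::OnInit() {
  CHECK(tpm_executor_);
  const int exit_code = Daemon::OnInit();
  if (exit_code != EX_OK)
    return exit_code;
  tpm_executor_->InitializeVTPM();

  base::FilePath tpm_path;
  command_fd_ = RegisterVTPM(&tpm_path);
  if (!command_fd_.is_valid()) {
    LOG(ERROR) << "Failed to register vTPM";
    return EX_OSERR;
  }
  // base::Unretained is used for both callbacks; the watchers are members of
  // this object.
  command_fd_watcher_ = base::FileDescriptorWatcher::WatchReadable(
      command_fd_.get(),
      base::BindRepeating(&SimulatorDaemon::OnCommand, base::Unretained(this)));

  tpm_watcher_.reset(new base::FilePathWatcher);
  const bool watching = tpm_watcher_->Watch(
      tpm_path, base::FilePathWatcher::Type::kNonRecursive,
      base::Bind(&SimulatorDaemon::OnTpmPathChange, base::Unretained(this)));
  if (!watching) {
    LOG(ERROR) << "Failed to watch " << tpm_path.value();
    return EX_OSERR;
  }
  return EX_OK;
}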
96
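// Runs when |command_fd_| becomes readable: reads one or more complete
// commands, passes each to the executor and writes the response back to the
// same descriptor. Bytes read past the end of a command are kept in
// |remain_request_| and processed in the next loop iteration.
//
// The size taken from the request header is data supplied by the peer and is
// validated before it drives any loop:
//  - a size of 0 would move the whole buffer back into |remain_request_| and
//    repeat forever;
//  - a size far above kMaxCommandSize would keep this function reading and
//    growing |request| until that many bytes had arrived.
// A read() that returns 0 is treated like a read error, because appending
// nothing would otherwise spin in the read loops.
void SimulatorDaemon::OnCommand() {
  CHECK(tpm_executor_);
  char buffer[kMaxCommandSize];

  // Appends the result of a single read() to |request|. Aborts on error or
  // end-of-file, matching the existing crash-on-read-failure behaviour.
  const auto read_more = [this, &buffer](std::string* request) {
    const ssize_t size =
        HANDLE_EINTR(read(command_fd_.get(), buffer, kMaxCommandSize));
    CHECK_GT(size, 0) << "Reading from the vTPM command fd failed or hit EOF";
    request->append(buffer, size);
  };

  do {
    std::string request;
    remain_request_.swap(request);

    // Read request header.
    while (request.size() < kHeaderSize)
      read_more(&request);

    const uint32_t command_size = tpm_executor_->GetCommandSize(request);
    // NOTE(review): kMaxCommandSize is used as the upper bound on a command;
    // confirm it matches the executor's own limit.
    if (command_size < kHeaderSize || command_size > kMaxCommandSize) {
      // The stream cannot be re-framed after a bad header, so the buffered
      // bytes are dropped (|remain_request_| is already empty after the swap).
      // No response is written for the rejected request.
      LOG(ERROR) << "Dropping request with invalid command size "
                 << command_size;
      return;
    }

    // Read request body.
    while (request.size() < command_size)
      read_more(&request);

    // Trim request: keep the bytes that belong to the next command.
    if (command_size < request.size()) {
      remain_request_ = request.substr(command_size);
      request.resize(command_size);
    }

    // Run command.
    const std::string response = tpm_executor_->RunCommand(request);

    // Write response. A failed write is logged and the loop continues.
    if (!base::WriteFileDescriptor(command_fd_.get(), response.c_str(),
                                   response.size())) {
      PLOG(ERROR) << "WriteFileDescriptor failed.";
    }
  } while (!remain_request_.empty());
}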
138
// FilePathWatcher callback for the vTPM device node. The first time |path| is
// seen to exist, the watcher is dropped, the daemon is marked initialized,
// SIGSTOP is raised if requested, and the process enters the minijail sandbox.
//
// Everything the daemon does before this point runs with the privileges it was
// started with; the sandbox is only entered from here.
// NOTE(review): on |error| the function returns without entering the sandbox
// and nothing here stops the daemon, so it would stay unconfined - confirm
// whether that case should terminate the process instead.
void SimulatorDaemon::OnTpmPathChange(const base::FilePath& path, bool error) {
  if (error) {
    LOG(ERROR) << "Got error while hearing about change to " << path.value();
    return;
  }

  // Act only once, and only when the device node is actually present.
  if (initialized_ || !base::PathExists(path))
    return;

  LOG(INFO) << "vTPM initialized: " << path.value();
  tpm_watcher_.reset();
  initialized_ = true;

  // Raising SIGSTOP tells upstart that initialization has finished.
  if (sigstop_on_initialized_)
    raise(SIGSTOP);

  // Drop privileges now that the device node exists.
  InitMinijailSandbox();
}
157
Yi Chou9d24b462020-12-04 01:12:57 +0800158} // namespace tpm2_simulator