Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 1 | // Copyright 2021 The Chromium OS Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | #include <string> |
| 6 | #include <utility> |
| 7 | |
| 8 | #include <base/callback.h> |
Qijiang Fan | 713061e | 2021-03-08 15:45:12 +0900 | [diff] [blame] | 9 | #include <base/check.h> |
| 10 | #include <base/check_op.h> |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 11 | #include <base/files/file_util.h> |
| 12 | #include <base/files/file.h> |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 13 | #include <base/logging.h> |
| 14 | #include <base/posix/eintr_wrapper.h> |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 15 | #include <fcntl.h> |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 16 | #include <libminijail.h> |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 17 | #include <linux/vtpm_proxy.h> |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 18 | #include <scoped_minijail.h> |
| 19 | #include <signal.h> |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 20 | #include <sys/ioctl.h> |
| 21 | #include <sys/stat.h> |
| 22 | #include <sys/types.h> |
| 23 | #include <sysexits.h> |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 24 | #include <unistd.h> |
| 25 | |
| 26 | #include "tpm2-simulator/simulator.h" |
| 27 | |
| 28 | namespace { |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 29 | constexpr char kSimulatorUser[] = "tpm2-simulator"; |
| 30 | constexpr char kSimulatorGroup[] = "tpm2-simulator"; |
| 31 | constexpr char kSimulatorSeccompPath[] = |
| 32 | "/usr/share/policy/tpm2-simulator.policy"; |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 33 | constexpr char kVtpmxPath[] = "/dev/vtpmx"; |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 34 | constexpr char kDevTpmPathPrefix[] = "/dev/tpm"; |
Yi Chou | f964bab | 2020-12-10 11:50:28 +0800 | [diff] [blame] | 35 | constexpr size_t kMaxCommandSize = 4096; |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 36 | constexpr size_t kHeaderSize = 10; |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 37 | |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 38 | base::ScopedFD RegisterVTPM(base::FilePath* tpm_path) { |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 39 | struct vtpm_proxy_new_dev new_dev = {}; |
| 40 | new_dev.flags = VTPM_PROXY_FLAG_TPM2; |
| 41 | base::ScopedFD vtpmx_fd(HANDLE_EINTR(open(kVtpmxPath, O_RDWR | O_CLOEXEC))); |
| 42 | if (!vtpmx_fd.is_valid()) { |
| 43 | return vtpmx_fd; |
| 44 | } |
| 45 | if (ioctl(vtpmx_fd.get(), VTPM_PROXY_IOC_NEW_DEV, &new_dev) < 0) { |
| 46 | PLOG(ERROR) << "Create vTPM failed."; |
| 47 | // return an invalid FD. |
| 48 | return {}; |
| 49 | } |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 50 | *tpm_path = |
| 51 | base::FilePath(kDevTpmPathPrefix + std::to_string(new_dev.tpm_num)); |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 52 | LOG(INFO) << "Create TPM at: /dev/tpm" << new_dev.tpm_num; |
| 53 | return base::ScopedFD(new_dev.fd); |
| 54 | } |
| 55 | |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 56 | void InitMinijailSandbox() { |
| 57 | ScopedMinijail j(minijail_new()); |
| 58 | minijail_no_new_privs(j.get()); |
| 59 | minijail_log_seccomp_filter_failures(j.get()); |
| 60 | minijail_parse_seccomp_filters(j.get(), kSimulatorSeccompPath); |
| 61 | minijail_use_seccomp_filter(j.get()); |
| 62 | minijail_change_user(j.get(), kSimulatorUser); |
| 63 | minijail_change_group(j.get(), kSimulatorGroup); |
| 64 | minijail_inherit_usergroups(j.get()); |
| 65 | minijail_enter(j.get()); |
| 66 | } |
| 67 | |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 68 | } // namespace |
| 69 | |
| 70 | namespace tpm2_simulator { |
| 71 | |
Yi Chou | f964bab | 2020-12-10 11:50:28 +0800 | [diff] [blame] | 72 | SimulatorDaemon::SimulatorDaemon(TpmExecutor* tpm_executor) |
| 73 | : tpm_executor_(tpm_executor) {} |
| 74 | |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 75 | int SimulatorDaemon::OnInit() { |
Yi Chou | f964bab | 2020-12-10 11:50:28 +0800 | [diff] [blame] | 76 | CHECK(tpm_executor_); |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 77 | int exit_code = Daemon::OnInit(); |
| 78 | if (exit_code != EX_OK) |
| 79 | return exit_code; |
Yi Chou | f964bab | 2020-12-10 11:50:28 +0800 | [diff] [blame] | 80 | tpm_executor_->InitializeVTPM(); |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 81 | base::FilePath tpm_path; |
| 82 | command_fd_ = RegisterVTPM(&tpm_path); |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 83 | if (!command_fd_.is_valid()) { |
| 84 | LOG(ERROR) << "Failed to register vTPM"; |
| 85 | return EX_OSERR; |
| 86 | } |
| 87 | command_fd_watcher_ = base::FileDescriptorWatcher::WatchReadable( |
| 88 | command_fd_.get(), |
| 89 | base::BindRepeating(&SimulatorDaemon::OnCommand, base::Unretained(this))); |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 90 | tpm_watcher_.reset(new base::FilePathWatcher); |
| 91 | tpm_watcher_->Watch( |
hscham | 3fbc898 | 2021-02-26 16:25:41 +0900 | [diff] [blame] | 92 | tpm_path, base::FilePathWatcher::Type::kNonRecursive, |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 93 | base::Bind(&SimulatorDaemon::OnTpmPathChange, base::Unretained(this))); |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 94 | return EX_OK; |
| 95 | } |
| 96 | |
| 97 | void SimulatorDaemon::OnCommand() { |
Yi Chou | f964bab | 2020-12-10 11:50:28 +0800 | [diff] [blame] | 98 | CHECK(tpm_executor_); |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 99 | char buffer[kMaxCommandSize]; |
| 100 | do { |
| 101 | std::string request; |
| 102 | remain_request_.swap(request); |
| 103 | |
| 104 | // Read request header. |
| 105 | while (kHeaderSize > request.size()) { |
| 106 | ssize_t size = |
| 107 | HANDLE_EINTR(read(command_fd_.get(), buffer, kMaxCommandSize)); |
| 108 | CHECK_GE(size, 0); |
| 109 | request.append(buffer, size); |
| 110 | } |
| 111 | |
Yi Chou | f964bab | 2020-12-10 11:50:28 +0800 | [diff] [blame] | 112 | const uint32_t command_size = tpm_executor_->GetCommandSize(request); |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 113 | |
| 114 | // Read request body. |
| 115 | while (command_size > request.size()) { |
| 116 | ssize_t size = |
| 117 | HANDLE_EINTR(read(command_fd_.get(), buffer, kMaxCommandSize)); |
| 118 | CHECK_GE(size, 0); |
| 119 | request.append(buffer, size); |
| 120 | } |
| 121 | |
| 122 | // Trim request. |
| 123 | if (command_size < request.size()) { |
| 124 | remain_request_ = request.substr(command_size); |
| 125 | request.resize(command_size); |
| 126 | } |
| 127 | |
| 128 | // Run command. |
Yi Chou | f964bab | 2020-12-10 11:50:28 +0800 | [diff] [blame] | 129 | std::string response = tpm_executor_->RunCommand(request); |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 130 | |
| 131 | // Write response. |
| 132 | if (!base::WriteFileDescriptor(command_fd_.get(), response.c_str(), |
| 133 | response.size())) { |
| 134 | PLOG(ERROR) << "WriteFileDescriptor failed."; |
| 135 | } |
| 136 | } while (!remain_request_.empty()); |
| 137 | } |
| 138 | |
Yi Chou | dee22a5 | 2020-12-07 15:06:22 +0800 | [diff] [blame] | 139 | void SimulatorDaemon::OnTpmPathChange(const base::FilePath& path, bool error) { |
| 140 | if (error) { |
| 141 | LOG(ERROR) << "Got error while hearing about change to " << path.value(); |
| 142 | return; |
| 143 | } |
| 144 | if (!initialized_ && base::PathExists(path)) { |
| 145 | LOG(INFO) << "vTPM initialized: " << path.value(); |
| 146 | tpm_watcher_.reset(); |
| 147 | initialized_ = true; |
| 148 | if (sigstop_on_initialized_) { |
| 149 | // Raise the SIGSTOP, so upstart would know the initialization process had |
| 150 | // been finished. |
| 151 | raise(SIGSTOP); |
| 152 | } |
| 153 | // Initialize the minijail. |
| 154 | InitMinijailSandbox(); |
| 155 | } |
| 156 | } |
| 157 | |
Yi Chou | 9d24b46 | 2020-12-04 01:12:57 +0800 | [diff] [blame] | 158 | } // namespace tpm2_simulator |