[yocto] [meta-security][PATCH] swtpm-wrappers: wrap more commands
Patrick Ohly
patrick.ohly at intel.com
Fri Mar 24 02:12:22 PDT 2017
Soon it might be possible to let qemu start swtpm directly, without
requiring root privileges as for swtpm_cuse. For that to work
we also need to wrap the swtpm binary. Just in case we now also
do it for everything.
Signed-off-by: Patrick Ohly <patrick.ohly at intel.com>
---
recipes-tpm/swtpm/swtpm-wrappers.bb | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/recipes-tpm/swtpm/swtpm-wrappers.bb b/recipes-tpm/swtpm/swtpm-wrappers.bb
index 676c35e..0af1db6 100644
--- a/recipes-tpm/swtpm/swtpm-wrappers.bb
+++ b/recipes-tpm/swtpm/swtpm-wrappers.bb
@@ -9,7 +9,13 @@ inherit native
RM_WORK_EXCLUDE += "${PN}"
do_create_wrapper () {
- cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
+ # Wrap (almost) all swtpm binaries. Some get special wrappers and some
+ # are not needed.
+ for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
+ exe=`basename $i`
+ case $exe in
+ swtpm_setup.sh)
+ cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
#! /bin/sh
#
# Wrapper around swtpm_setup.sh which adds parameters required to
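Review bot: Creation of every wrapper now depends on what the `find` in the `for i in` line sees at task time, including swtpm_setup_oe.sh, which was written unconditionally before. A failing `find` (for example one of the four directories missing) goes unnoticed, because the exit status of a command substitution in a `for` list is discarded. Since the recipe sets `RM_WORK_EXCLUDE`, a wrapper left in `${WORKDIR}` by an earlier run could presumably keep being used in that case. I would add a check after the loop, such as `[ -e ${WORKDIR}/swtpm_setup_oe.sh ] || bbfatal "swtpm_setup.sh not found in the native sysroot"`. do_create_wrapper starts in this hunk; the loop body and its `done` are in the next one.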
@@ -21,19 +27,25 @@ export PATH
# tcsd only allows to be run as root or tss. Pretend to be root...
exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
EOF
-
- cat >${WORKDIR}/swtpm_cuse_oe.sh <<EOF
+ ;;
+ swtpm_setup)
+ true
+ ;;
+ *)
+ cat >${WORKDIR}/${exe}_oe.sh <<EOF
#! /bin/sh
#
-# Wrapper around swtpm_cuse which makes it easier to invoke
-# the right binary. Has to be run as root with TPM_PATH set
-# to a directory initialized as virtual TPM by swtpm_setup_oe.sh.
+# Wrapper around $exe which makes it easier to invoke
+# the right binary.
PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
export PATH
-exec swtpm_cuse "\$@"
+exec ${exe} "\$@"
EOF
+ ;;
+ esac
+ done
chmod a+rx ${WORKDIR}/*.sh
}
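Review bot: The generic wrapper's `exec ${exe} "\$@"` looks the binary up through PATH again at run time, although the loop already holds the path that `find` located in `$i`. Writing `exec $i "\$@"` would pin each wrapper to the file that was actually found, while the PATH line can stay for the helpers the tools call. `${exe}` also uses the same `${…}` form that BitBake expands, so it seems to reach the shell only because no BitBake variable named `exe` is defined; a comment saying so would help. The new header comment no longer states that swtpm_cuse has to be run as root with TPM_PATH set, which the commit message suggests is still true, so I would keep that sentence for the swtpm_cuse wrapper.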
base-commit: 8b38c93f2387793fb03d082e47723002cf667ae9
--
git-series 0.9.1