[yocto] [meta-security][PATCH] swtpm-wrappers: wrap more commands

Patrick Ohly patrick.ohly at intel.com
Fri Mar 24 02:12:22 PDT 2017


Soon it might be possible to let qemu start swtpm directly, without
requiring root privileges the way swtpm_cuse does. For that to work
we also need to wrap the swtpm binary. To be on the safe side, we now
also do it for everything else that ships as swtpm*.

Signed-off-by: Patrick Ohly <patrick.ohly at intel.com>
---
 recipes-tpm/swtpm/swtpm-wrappers.bb | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/recipes-tpm/swtpm/swtpm-wrappers.bb b/recipes-tpm/swtpm/swtpm-wrappers.bb
index 676c35e..0af1db6 100644
--- a/recipes-tpm/swtpm/swtpm-wrappers.bb
+++ b/recipes-tpm/swtpm/swtpm-wrappers.bb
@@ -9,7 +9,13 @@ inherit native
 RM_WORK_EXCLUDE += "${PN}"
 
 do_create_wrapper () {
-    cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
+    # Wrap (almost) all swtpm binaries. Some get special wrappers and some
+    # are not needed.
+    for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
+        exe=`basename $i`
+        case $exe in
+            swtpm_setup.sh)
+                cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
 #! /bin/sh
 #
 # Wrapper around swtpm_setup.sh which adds parameters required to
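Review bot: The new `for i in \`find ...\`` loop on the first added lines silently produces no wrappers when the find matches nothing, e.g. if the native sysroot is not yet populated with the swtpm binaries, and the task still succeeds. Consider tracking whether swtpm_setup.sh was seen and failing otherwise: `found=0` before the loop, `found=1` in the `swtpm_setup.sh)` arm, and `[ "$found" = 1 ] || bbfatal "no swtpm binaries found in the native sysroot"` after the loop. The unquoted backtick substitution and the unquoted `case $exe` also word-split on the found paths; `$(...)` with `"$i"` and `"$exe"` quoted is the safer idiom even though sysroot paths rarely contain whitespace. `-perm /+x` is GNU find syntax, which is acceptable for a native build host but deserves a one-line comment. do_create_wrapper continues past the end of this hunk.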
@@ -21,19 +27,25 @@ export PATH
 # tcsd only allows to be run as root or tss. Pretend to be root...
 exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
 EOF
-
-    cat >${WORKDIR}/swtpm_cuse_oe.sh <<EOF
+                ;;
+            swtpm_setup)
+                true
+                ;;
+            *)
+                cat >${WORKDIR}/${exe}_oe.sh <<EOF
 #! /bin/sh
 #
-# Wrapper around swtpm_cuse which makes it easier to invoke
-# the right binary. Has to be run as root with TPM_PATH set
-# to a directory initialized as virtual TPM by swtpm_setup_oe.sh.
+# Wrapper around $exe which makes it easier to invoke
+# the right binary.
 
 PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
 export PATH
 
-exec swtpm_cuse "\$@"
+exec ${exe} "\$@"
 EOF
+                ;;
+        esac
+    done
 
     chmod a+rx ${WORKDIR}/*.sh
 }
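Review bot: The generic `*)` wrapper drops the statement from the removed swtpm_cuse header that it has to be run as root with TPM_PATH set to a directory initialized by swtpm_setup_oe.sh, so that requirement is now undocumented for swtpm_cuse while it presumably still applies. Consider keeping it in the generated text, e.g. `# swtpm_cuse still has to be run as root with TPM_PATH set to a directory initialized by swtpm_setup_oe.sh.` on the line after `# the right binary.`, or as a recipe comment above the loop. The `*` arm also generates a wrapper for every swtpm* executable the find returns, not only the swtpm and swtpm_cuse named in the commit message and the removed header; a short comment stating which binaries it is expected to catch would make an unexpected sysroot match easier to spot later. do_create_wrapper starts before this hunk.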

base-commit: 8b38c93f2387793fb03d082e47723002cf667ae9
-- 
git-series 0.9.1


