diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 50903aadd53..8a459ce5e88 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -254,6 +254,7 @@
 mopidy = 130;
 docker = 131;
 gdm = 132;
+ tss = 133;
 # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index a4c1896e09e..d90c56f2412 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -126,6 +126,7 @@
 ./services/hardware/pcscd.nix
 ./services/hardware/pommed.nix
 ./services/hardware/sane.nix
+ ./services/hardware/tcsd.nix
 ./services/hardware/thinkfan.nix
 ./services/hardware/udev.nix
 ./services/hardware/udisks2.nix
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index c31e57e6f6f..4d8fabc7696 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -30,7 +30,8 @@ with lib;
 description = "Hardware RNG Entropy Gatherer Daemon";
- serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f";
+ serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" +
+ (if config.services.tcsd.enable then " --no-tpm=1" else "");
 restartTriggers = [ pkgs.rng_tools ];
 };
diff --git a/nixos/modules/services/hardware/tcsd.nix b/nixos/modules/services/hardware/tcsd.nix
new file mode 100644
index 00000000000..26b2c884b8f
--- /dev/null
+++ b/nixos/modules/services/hardware/tcsd.nix
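Review bot: The new `tss = 133;` lands only in the table whose trailing comment says "When adding a gid", so this diff reserves a gid for tss but no uid, and the tcsd module elsewhere in this commit falls back to `config.ids.uids.nginx` for the account. Add the matching `tss = 133;` to the uids table as well so the module can reference `ids.uids.tss` and `ids.gids.tss`; giving both tables the same number is also the simplest way to honour the comment's rule that a gid must not collide with an existing uid. The enclosing attribute set starts and ends outside the hunk.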
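Review bot: Appending an `if … then … else ""` to the ExecStart string is what `optionalString` is for, and `with lib;` is already in scope per the hunk header, so `+ optionalString config.services.tcsd.enable " --no-tpm=1"` reads more clearly than the parenthesised conditional. Separately, `-v` turns on verbose rngd logging, which is unrelated to handing the TPM over to tcsd and will add journal noise on every host that enables rngd; if it is meant to stay, a comment such as `# -v: log which entropy sources rngd actually opened` would justify it. Disabling rngd's TPM source while tcsd is enabled looks right, since both would otherwise want the same device, and a one-line comment saying so (`# tcsd needs exclusive use of the TPM device`) would spare the next reader the guess. The systemd unit definition continues outside the hunk.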
@@ -0,0 +1,139 @@
+# tcsd daemon.
+
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+let
+
+ cfg = config.services.tcsd;
+
+ tcsdConf = pkgs.writeText "tcsd.conf" ''
+ port = 30003
+ num_threads = 10
+ system_ps_file = ${cfg.stateDir}/system.data
+ # This is the log of each individual measurement done by the system.
+ # By re-calculating the PCR registers based on this information, even
+ # finer details about the measured environment can be inferred than
+ # what is available directly from the PCR registers.
+ firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
+ kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
+ #firmware_pcrs = 0,1,2,3,4,5,6,7
+ #kernel_pcrs = 10,11
+ platform_cred = ${cfg.platformCred}
+ conformance_cred = ${cfg.conformanceCred}
+ endorsement_cred = ${cfg.endorsementCred}
+ #remote_ops = create_key,random
+ #host_platform_class = server_12
+ #all_platform_classes = pc_11,pc_12,mobile_12
+ '';
+
+in
+{
+
+ ###### interface
+
+ options = {
+
+ services.tcsd = {
+
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Whether to enable tcsd, a Trusted Computing management service
+ that provides TCG Software Stack (TSS). The tcsd daemon is
+ the only portal to the Trusted Platform Module (TPM), a hardware
+ chip on the motherboard.
+ '';
+ };
+
+ user = mkOption {
+ default = "tss";
+ type = types.string;
+ description = "User account under which tcsd runs.";
+ };
+
+ group = mkOption {
+ default = "tss";
+ type = types.string;
+ description = "Group account under which tcsd runs.";
+ };
+
+ stateDir = mkOption {
+ default = "/var/lib/tpm";
+ type = types.path;
+ description = ''
+ The location of the system persistent storage file.
+ The system persistent storage file holds keys and data across
+ restarts of the TCSD and system reboots.
+ '';
+ };
+
+ platformCred = mkOption {
+ default = "${cfg.stateDir}/platform.cert";
+ type = types.path;
+ description = ''
+ Path to the platform credential for your TPM. Your TPM
+ manufacturer may have provided you with a set of credentials
+ (certificates) that should be used when creating identities
+ using your TPM. When a user of your TPM makes an identity,
+ this credential will be encrypted as part of that process.
+ See the 1.1b TPM Main specification section 9.3 for information
+ on this process. '';
+ };
+
+ conformanceCred = mkOption {
+ default = "${cfg.stateDir}/conformance.cert";
+ type = types.path;
+ description = ''
+ Path to the conformance credential for your TPM.
+ See also the platformCred option'';
+ };
+
+ endorsementCred = mkOption {
+ default = "${cfg.stateDir}/endorsement.cert";
+ type = types.path;
+ description = ''
+ Path to the endorsement credential for your TPM.
+ See also the platformCred option'';
+ };
+ };
+
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ environment.systemPackages = [ pkgs.trousers ];
+
+# system.activationScripts.tcsd =
+# ''
+# chown ${cfg.user}:${cfg.group} ${tcsdConf}
+# '';
+
+ systemd.services.tcsd = {
+ description = "TCSD";
+ after = [ "systemd-udev-settle.service" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.trousers ];
+ preStart =
+ ''
+ mkdir -m 0700 -p ${cfg.stateDir}
+ chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
+ '';
+ serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}";
+ };
+
+ users.extraUsers = optionalAttrs (cfg.user == "tss") (singleton
+ { name = "tss";
+ group = "tss";
+ uid = config.ids.uids.nginx;
+ });
+
+ users.extraGroups = optionalAttrs (cfg.group == "tss") (singleton
+ { name = "tss";
+ gid = config.ids.gids.nginx;
+ });
+ };
+}
diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix
new file mode 100644
index 00000000000..86c4d96e97d
--- /dev/null
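Review bot: The `tss` user and group are created with `uid = config.ids.uids.nginx` and `gid = config.ids.gids.nginx`, so the TPM daemon's account shares its numeric ids with nginx, and anything running as nginx can read and write `stateDir`, which `preStart` chowns to tss and which holds the persistent storage file the option text describes as carrying keys; use ids reserved for tss instead, `uid = config.ids.uids.tss;` and `gid = config.ids.gids.tss;` (the uid-table entry still needs adding in ids.nix, this commit only adds a gid). `mkdir -m 0700 -p` does not tighten a directory that already exists, so add `chmod 0700 ${cfg.stateDir}` after the mkdir in `preStart`. The `user`/`group` options are used only for file ownership here and `serviceConfig` sets no `User=`; if tcsd itself switches to a hard-coded `tss` account, the descriptions ("User account under which tcsd runs") overstate what the options control and should say so, since a non-default value would leave the files owned by an account the daemon does not run as. The commented-out `system.activationScripts.tcsd` block would chown a store path, which cannot work, and should be deleted rather than kept as a hint.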
+++ b/pkgs/tools/security/tboot/default.nix
@@ -0,0 +1,33 @@
+{ stdenv, fetchurl, trousers, openssl, zlib }:
+
+stdenv.mkDerivation rec {
+ name = "tboot-1.8.0";
+
+ src = fetchurl {
+ url = "mirror://sourceforge/tboot/${name}.tar.gz";
+ sha256 = "04z1maryqnr714f3rcynqrpmlx76lxr6bb543xwj5rdl1yvdw2xr";
+ };
+
+ buildInputs = [ trousers openssl zlib ];
+
+ patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ];
+
+ configurePhase = ''
+ for a in lcptools utils tb_polgen; do
+ substituteInPlace $a/Makefile --replace /usr/sbin /sbin
+ done
+ substituteInPlace docs/Makefile --replace /usr/share /share
+ '';
+ installFlags = "DESTDIR=$(out)";
+
+ meta = with stdenv.lib; {
+ description = ''Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses
+ Intel(R) Trusted Execution Technology (Intel(R) TXT) to perform a measured
+ and verified launch of an OS kernel/VMM.'';
+ homepage = http://sourceforge.net/projects/tboot/;
+ license = licenses.bsd3;
+ maintainers = [ maintainers.ak ];
+ platforms = platforms.linux;
+ };
+}
+
diff --git a/pkgs/tools/security/tboot/tboot-add-well-known-secret-option-to-lcp_writepol.patch b/pkgs/tools/security/tboot/tboot-add-well-known-secret-option-to-lcp_writepol.patch
new file mode 100644
index 00000000000..a16ba9f4fba
--- /dev/null
+++ b/pkgs/tools/security/tboot/tboot-add-well-known-secret-option-to-lcp_writepol.patch
@@ -0,0 +1,50 @@
+diff -urp tboot-1.8.0.orig/lcptools/writepol.c tboot-1.8.0/lcptools/writepol.c
+--- tboot-1.8.0.orig/lcptools/writepol.c 2014-01-30 10:34:57.000000000 +0100
++++ tboot-1.8.0/lcptools/writepol.c 2014-02-12 01:48:51.523581057 +0100
+@@ -40,6 +40,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #define PRINT printf
+ #include "../include/uuid.h"
+@@ -51,14 +52,15 @@ static uint32_t index_value = 0;
+ static char *file_arg=NULL;
+ static uint32_t fLeng;
+ static unsigned char *policy_data = NULL;
+-static char *password = NULL;
++static const char *password = NULL;
+ static uint32_t passwd_length = 0;
++static const char well_known_secret[] = TSS_WELL_KNOWN_SECRET;
+ static int help_input = 0;
+ static unsigned char empty_pol_data[] = {0};
+
+-static const char *short_option = "ehi:f:p:";
++static const char *short_option = "ehi:f:p:Z";
+ static const char *usage_string = "lcp_writepol -i index_value "
+- "[-f policy_file] [-e] [-p passwd] [-h]";
++ "[-f policy_file] [-e] [-p passwd|-Z] [-h]";
+
+ static const char *option_strings[] = {
+ "-i index value: uint32/string.\n"
+@@ -67,6 +69,7 @@ static const char *option_strings[] = {
+ "\tINDEX_AUX:0x50000002 or \"aux\"\n",
+ "-f file_name: string. File name of the policy data is stored. \n",
+ "-p password: string. \n",
++ "-Z use well known secret as password. \n",
+ "-e write 0 length data to the index.\n"
+ "\tIt will be used for some special index.\n"
+ "\tFor example, the index with permission WRITEDEFINE.\n",
+@@ -119,6 +122,11 @@ parse_cmdline(int argc, const char * arg
+ fLeng = 0;
+ break;
+
++ case 'Z':
++ password = well_known_secret;
++ passwd_length = sizeof(well_known_secret);
++ break;
++
+ case 'h':
+ help_input = 1;
+ break;
diff --git a/pkgs/tools/security/tpm-quote-tools/default.nix b/pkgs/tools/security/tpm-quote-tools/default.nix
new file mode 100644
index 00000000000..c178d401154
--- /dev/null
+++ b/pkgs/tools/security/tpm-quote-tools/default.nix
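Review bot: `-Z` points `password` at the raw byte array built from `TSS_WELL_KNOWN_SECRET` and sets `passwd_length` to its `sizeof`, but the code that installs that buffer on the policy is outside the hunk; if lcp_writepol hands `-p` values to TrouSerS with `TSS_SECRET_MODE_PLAIN` (so the library SHA-1s them), the same path will hash the well-known secret again and the auth will not match what the TPM holds, whereas the well-known secret is conventionally supplied pre-hashed with `TSS_SECRET_MODE_SHA1`. Please check the policy-secret call (presumably `Tspi_Policy_SetSecret`) and select SHA1 mode when `password == well_known_secret`, or carry a separate flag that chooses the mode. The added `#include` line, like the three context includes, has lost its header name in this rendering, so the patch as shown is not applicable as-is; confirm the committed file names the TrouSerS defines header that provides `TSS_WELL_KNOWN_SECRET`. parse_cmdline starts and ends outside the hunk.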
@@ -0,0 +1,22 @@
+{ stdenv, fetchurl, trousers, openssl }:
+
+stdenv.mkDerivation {
+ name = "tpm-quote-tools-1.0.2";
+
+ src = fetchurl {
+ url = "mirror://sourceforge/project/tpmquotetools/1.0.2/tpm-quote-tools-1.0.2.tar.gz";
+ sha256 = "17bf9d1hiiaybx6rgl0sqcb0prjz6d2mv8fwp4bj1c0rsfw5dbk8";
+ };
+
+ buildInputs = [ trousers openssl ];
+
+ meta = with stdenv.lib; {
+ description = ''The TPM Quote Tools is a collection of programs that provide support
+ for TPM based attestation using the TPM quote mechanism. The manual
+ page for tpm_quote_tools provides a usage overview.'';
+ homepage = http://tpmquotetools.sourceforge.net/;
+ license = licenses.bsd3;
+ maintainers = [ maintainers.ak ];
+ platforms = platforms.linux;
+ };
+}
diff --git a/pkgs/tools/security/tpm-tools/default.nix b/pkgs/tools/security/tpm-tools/default.nix
new file mode 100644
index 00000000000..95b3b6b51f7
--- /dev/null
+++ b/pkgs/tools/security/tpm-tools/default.nix
@@ -0,0 +1,26 @@
+{ stdenv, fetchurl, trousers, openssl }:
+
+let
+ version = "1.3.8";
+in
+stdenv.mkDerivation rec {
+ name = "tpm-tools-${version}";
+
+ src = fetchurl {
+ url = "mirror://sourceforge/trousers/tpm-tools/${version}/${name}.tar.gz";
+ sha256 = "10za1gi89vi9m2lmm7jfzs281h55x1sbbm2bdgdh692ljpq4zsv6";
+ };
+
+ buildInputs = [ trousers openssl ];
+
+ meta = with stdenv.lib; {
+ description = ''tpm-tools is an open-source package designed to enable user and application
+ enablement of Trusted Computing using a Trusted Platform Module (TPM),
+ similar to a smart card environment.'';
+ homepage = http://sourceforge.net/projects/trousers/files/tpm-tools/;
+ license = licenses.cpl10;
+ maintainers = [ maintainers.ak ];
+ platforms = platforms.unix;
+ };
+}
+
diff --git a/pkgs/tools/security/trousers/allow-non-tss-config-file-owner.patch b/pkgs/tools/security/trousers/allow-non-tss-config-file-owner.patch
new file mode 100644
index 00000000000..774a14f72ba
--- /dev/null
+++ b/pkgs/tools/security/trousers/allow-non-tss-config-file-owner.patch
@@ -0,0 +1,19 @@
+diff -ur trousers-0.3.11.2.orig/src/tcsd/tcsd_conf.c trousers-0.3.11.2/src/tcsd/tcsd_conf.c
+--- trousers-0.3.11.2.orig/src/tcsd/tcsd_conf.c 2013-07-12 18:27:37.000000000 +0200
++++ trousers-0.3.11.2/src/tcsd/tcsd_conf.c 2013-08-21 14:29:42.917231648 +0200
+@@ -763,6 +763,7 @@
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+
++#ifndef ALLOW_NON_TSS_CONFIG_FILE
+ /* make sure user/group TSS owns the conf file */
+ if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
+ LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
+@@ -775,6 +776,7 @@
+ LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
++#endif
+ #endif /* SOLARIS */
+
+ if ((f = fopen(tcsd_config_file, "r")) == NULL) {
diff --git a/pkgs/tools/security/trousers/default.nix b/pkgs/tools/security/trousers/default.nix
new file mode 100644
index 00000000000..4c2af359b96
--- /dev/null
+++ b/pkgs/tools/security/trousers/default.nix
@@ -0,0 +1,33 @@
+{ stdenv, fetchurl, openssl }:
+
+let
+ ver_maj = "0.3.11";
+ ver_min = "2";
+in
+stdenv.mkDerivation rec {
+ name = "trousers-${ver_maj}.${ver_min}";
+
+ src = fetchurl {
+ url = "mirror://sourceforge/trousers/trousers/${ver_maj}/${name}.tar.gz";
+ sha256 = "1m9qi4452jr5yy4y9zyfi5ndwam5krq7ny8z2q3f91v1hcjgk5la";
+ };
+
+ buildInputs = [ openssl ];
+
+ patches = [ # ./double-installed-man-page.patch
+ ./disable-install-rule.patch
+ ./allow-non-tss-config-file-owner.patch
+ ];
+
+ NIX_CFLAGS_COMPILE = "-DALLOW_NON_TSS_CONFIG_FILE";
+ NIX_LDFLAGS = "-lgcc_s";
+
+ meta = with stdenv.lib; {
+ description = "TrouSerS is an CPL (Common Public License) licensed Trusted Computing Software Stack.";
+ homepage = http://trousers.sourceforge.net/;
+ license = licenses.cpl10;
+ maintainers = [ maintainers.ak ];
+ platforms = platforms.unix;
+ };
+}
+
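Review bot: The new `#ifndef` removes both the tss:tss ownership test and the 0600 mode test and puts nothing weaker in their place, so a build with `ALLOW_NON_TSS_CONFIG_FILE` defined will accept a config file any local user could have written (`tcsd -c /tmp/x.conf`), and that file is what sets `system_ps_file`, the credential paths and `remote_ops`. The motivating case is a config that lives in a root-owned, read-only location, so keep a reduced check under the macro instead of none: owner root or the tss account, and no group/world write bit. The `#endif /* SOLARIS */` context line shows this sits inside a pre-existing `#ifndef SOLARIS` block, and the enclosing function starts and ends outside the hunk; `S_IWGRP`/`S_IWOTH` presumably come from the `sys/stat.h` the file already needs for `stat_buf`.

```c
#ifdef ALLOW_NON_TSS_CONFIG_FILE
	/* The config may live in a read-only, root-owned location, so the
	 * strict tss:tss/0600 rule is relaxed; still refuse a file that
	 * another account could have edited. */
	if (stat_buf.st_uid != 0 && stat_buf.st_uid != pw->pw_uid) {
		LogError("TCSD config file (%s) must be owned by root or %s",
			 tcsd_config_file, pw->pw_name);
		return TCSERR(TSS_E_INTERNAL_ERROR);
	}
	if (stat_buf.st_mode & (S_IWGRP | S_IWOTH)) {
		LogError("TCSD config file (%s) must not be group/world writable",
			 tcsd_config_file);
		return TCSERR(TSS_E_INTERNAL_ERROR);
	}
#else
	/* … unchanged: original tss:tss owner check and 0600 mode check … */
#endif
```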
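Review bot: `double-installed-man-page.patch` is added by this commit but its only reference in `patches` is commented out, so the file is dead weight that will drift from the source it targets; either apply it or drop it from the tree. `NIX_CFLAGS_COMPILE = "-DALLOW_NON_TSS_CONFIG_FILE"` disables the config-file ownership check for every consumer of `pkgs.trousers`, not only the NixOS module that generates its config into the store, and that trade-off deserves a comment next to it, for example `# tcsd.conf is generated into the read-only store, so tcsd cannot demand tss:tss/0600 ownership`. `NIX_LDFLAGS = "-lgcc_s"` has no explanation either; if it works around a link failure, say which so the next maintainer can drop it when it is no longer needed.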
diff --git a/pkgs/tools/security/trousers/disable-install-rule.patch b/pkgs/tools/security/trousers/disable-install-rule.patch
new file mode 100644
index 00000000000..698beac9ffd
--- /dev/null
+++ b/pkgs/tools/security/trousers/disable-install-rule.patch
@@ -0,0 +1,27 @@
+--- trousers-0.3.11/dist/Makefile.in 2013-08-14 06:49:37.597558787 +0200
++++ trousers-0.3.11/dist/Makefile.in 2013-08-14 06:50:07.134510774 +0200
+@@ -363,16 +363,16 @@
+ uninstall uninstall-am uninstall-hook
+
+ install: install-exec-hook
+- if test ! -e ${DESTDIR}/@sysconfdir@/tcsd.conf; then mkdir -p ${DESTDIR}/@sysconfdir@ && cp tcsd.conf ${DESTDIR}/@sysconfdir@; fi
+- /bin/chown tss:tss ${DESTDIR}/@sysconfdir@/tcsd.conf || true
+- /bin/chmod 0600 ${DESTDIR}/@sysconfdir@/tcsd.conf
++# echo if test ! -e ${DESTDIR}/@sysconfdir@/tcsd.conf; then mkdir -p ${DESTDIR}/@sysconfdir@ && cp tcsd.conf ${DESTDIR}/@sysconfdir@; fi
++ echo /bin/chown tss:tss ${DESTDIR}/@sysconfdir@/tcsd.conf || true
++ echo /bin/chmod 0600 ${DESTDIR}/@sysconfdir@/tcsd.conf
+
+ install-exec-hook:
+- /usr/sbin/groupadd tss || true
+- /usr/sbin/useradd -r tss -g tss || true
+- /bin/sh -c 'if [ ! -e ${DESTDIR}/@localstatedir@/lib/tpm ];then mkdir -p ${DESTDIR}/@localstatedir@/lib/tpm; fi'
+- /bin/chown tss:tss ${DESTDIR}/@localstatedir@/lib/tpm || true
+- /bin/chmod 0700 ${DESTDIR}/@localstatedir@/lib/tpm
++ echo /usr/sbin/groupadd tss || true
++ echo /usr/sbin/useradd -r tss -g tss || true
++ echo /bin/sh -c 'if [ ! -e ${DESTDIR}/@localstatedir@/lib/tpm ];then mkdir -p ${DESTDIR}/@localstatedir@/lib/tpm; fi'
++ echo /bin/chown tss:tss ${DESTDIR}/@localstatedir@/lib/tpm || true
++ echo /bin/chmod 0700 ${DESTDIR}/@localstatedir@/lib/tpm
+
+ uninstall-hook:
+ /usr/sbin/userdel tss || true
diff --git a/pkgs/tools/security/trousers/double-installed-man-page.patch b/pkgs/tools/security/trousers/double-installed-man-page.patch
new file mode 100644
index 00000000000..6b40716120e
--- /dev/null
+++ b/pkgs/tools/security/trousers/double-installed-man-page.patch
@@ -0,0 +1,32 @@
+--- trousers-0.3.11/man/man3/Makefile.am 2013-08-14 04:57:47.018494495 +0200
++++ trousers-0.3.11/man/man3/Makefile.am 2013-08-14 04:58:10.353453471 +0200
+@@ -75,7 +75,6 @@
+ Tspi_TPM_TakeOwnership.3 \
+ Tspi_TPM_GetAuditDigest.3 \
+ Tspi_TPM_OwnerGetSRKPubKey.3 \
+- Tspi_TPM_Quote.3 \
+ Tspi_TPM_CMKSetRestrictions.3
+ if TSS_BUILD_DAA
+ man3_MANS += Tspi_DAA_IssueCredential.3 \
+--- trousers-0.3.11/man/man3/Makefile.in 2013-08-14 05:06:25.029490899 +0200
++++ trousers-0.3.11/man/man3/Makefile.in 2013-08-14 05:06:43.153457942 +0200
+@@ -243,7 +243,7 @@
+ Tspi_TPM_PcrExtend.3 Tspi_TPM_Quote.3 Tspi_TPM_SelfTestFull.3 \
+ Tspi_TPM_SetStatus.3 Tspi_TPM_StirRandom.3 \
+ Tspi_TPM_TakeOwnership.3 Tspi_TPM_GetAuditDigest.3 \
+- Tspi_TPM_OwnerGetSRKPubKey.3 Tspi_TPM_Quote.3 \
++ Tspi_TPM_OwnerGetSRKPubKey.3 \
+ Tspi_TPM_CMKSetRestrictions.3 $(am__append_1)
+ EXTRA_DIST = $(man3_MANS)
+ all: all-am
+--- trousers-0.3.11/man/man3/Makefile 2013-08-14 05:07:05.686414845 +0200
++++ trousers-0.3.11/man/man3/Makefile 2013-08-14 05:07:23.233381327 +0200
+@@ -243,7 +243,7 @@
+ Tspi_TPM_PcrExtend.3 Tspi_TPM_Quote.3 Tspi_TPM_SelfTestFull.3 \
+ Tspi_TPM_SetStatus.3 Tspi_TPM_StirRandom.3 \
+ Tspi_TPM_TakeOwnership.3 Tspi_TPM_GetAuditDigest.3 \
+- Tspi_TPM_OwnerGetSRKPubKey.3 Tspi_TPM_Quote.3 \
++ Tspi_TPM_OwnerGetSRKPubKey.3 \
+ Tspi_TPM_CMKSetRestrictions.3 $(am__append_1)
+ EXTRA_DIST = $(man3_MANS)
+ all: all-am
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e445e140707..c88c136200e 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -2166,6 +2166,8 @@ let
 tcpcrypt = callPackage ../tools/security/tcpcrypt { };
+ tboot = callPackage ../tools/security/tboot { };
+
 tcpdump = callPackage ../tools/networking/tcpdump { };
 tcpflow = callPackage ../tools/networking/tcpflow { };
@@ -2205,8 +2207,14 @@ let
 torsocks = callPackage ../tools/security/tor/torsocks.nix { };
+ tpm-quote-tools = callPackage ../tools/security/tpm-quote-tools { };
+
+ tpm-tools = callPackage ../tools/security/tpm-tools { };
+
 trickle = callPackage ../tools/networking/trickle {};
+ trousers = callPackage ../tools/security/trousers { };
+
 ttf2pt1 = callPackage ../tools/misc/ttf2pt1 { };
 ttysnoop = callPackage ../os-specific/linux/ttysnoop {};