def add_vtpm(inputfile):
    """Create one vTPM inside an existing group and register it with the provider registrar.

    ``inputfile`` is a group description as written by ``main()``: a YAML
    mapping with the keys ``uuid``, ``pubekpem``, ``ekcert`` and ``aikpem``.
    The file is parsed with yaml's SafeLoader, so it cannot instantiate
    arbitrary Python objects.

    Flow: the vTPM manager allocates a vTPM UUID within the group; that UUID
    is registered with the provider registrar using the group's EK, EK
    certificate and AIK; the blob the registrar returns is activated in the
    hardware TPM to recover the ephemeral registrar key; and that key is sent
    back to the registrar to finish activation.

    Returns the UUID of the new vTPM.  Raises KeyError if the group file is
    missing one of the expected keys.
    """
    with open(inputfile, encoding="utf-8") as fh:
        group_desc = yaml.load(fh, Loader=SafeLoader)

    reg_port = config.get('registrar', 'provider_registrar_port')
    reg_ip = config.get('registrar', 'provider_registrar_ip')

    group_uuid = group_desc['uuid']

    # The manager hands out the identity for the new vTPM within this group.
    vtpm_uuid = vtpm_manager.add_vtpm_to_group(group_uuid)

    # Register under that identity with the group's key material; the
    # registrar answers with a blob that only the hardware TPM can open.
    challenge_blob = registrar_client.doRegisterAgent(
        reg_ip,
        reg_port,
        vtpm_uuid,
        group_desc['pubekpem'],
        group_desc['ekcert'],
        group_desc['aikpem'],
    )

    # Activating the blob in the hardware TPM yields the ephemeral registrar
    # key; presenting it back proves this host holds the group's TPM.
    activation_key = base64.b64encode(
        vtpm_manager.activate_group(group_uuid, challenge_blob)
    )
    registrar_client.doActivateAgent(reg_ip, reg_port, vtpm_uuid, activation_key)

    logger.info("Registered new vTPM with UUID: %s", vtpm_uuid)
    return vtpm_uuid
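def _print_usage():
    """Print the command-line help for this script to stdout."""
    print("usage: provider_platform_init.py pubek.pem tpm_ekcert.der")
    print("\tassociates a hypervisor host to its TPM and registers it")
    print()
    print(
        "\tYou must obtain the public EK and the EK certificate from outside of Xen"
    )
    print(
        "\ttake ownership first, then obtain pubek, and ekcert as follows")
    print("\t takeown -pwdo <owner_password>")
    print("\t getpubek -pwdo <owner-password>")
    print(
        "\t nv_readvalue -pwdo <owner-password> -in 1000f000 -cert -of tpm_ekcert.der"
    )


def _read_ek_material(pubek_path, ekcert_path):
    """Return ``(ek, ekcert)``: the public EK as PEM text and the EK certificate base64-encoded as text."""
    with open(pubek_path, 'r', encoding="utf-8") as f:
        ek = f.read()
    # The EK certificate is DER, i.e. binary, so it must be read as bytes:
    # a text-mode read returns str, which base64.b64encode() rejects on
    # Python 3 (the previous text-mode open made this script fail here).
    with open(ekcert_path, 'rb') as f:
        # Base64 output is pure ASCII, so decoding is lossless.  Keeping the
        # certificate as text matches what the pre-Python-3 version of this
        # script produced and what older group files therefore contain.
        # NOTE(review): confirm registrar_client.doRegisterAgent expects the
        # base64 certificate as text rather than bytes.
        ekcert = base64.b64encode(f.read()).decode('ascii')
    return ek, ekcert


def main(argv=sys.argv):
    """Create a vTPM group for this hypervisor host and activate it with the provider registrar.

    ``argv[1]`` is the path of the host TPM's public EK (PEM) and ``argv[2]``
    the path of its EK certificate (DER); see the usage text for how to
    obtain them.  With fewer than two arguments the usage is printed and the
    process exits via ``sys.exit(-1)``.

    A new group is created in the vTPM manager, registered with the provider
    registrar under the group UUID, and activated by opening the registrar's
    blob in the hardware TPM and sending the recovered key back.  The group
    description (UUID, AIK, public EK, base64 EK certificate) is dumped to
    ``group-<num>-<uuid>.tpm`` in the current directory for later use by
    ``add_vtpm()``.

    When the manager reports group number 0 the whole procedure is run once
    more (recursively) so that a further group exists; otherwise
    ``current_group.tpm`` is symlinked to the group just created.
    """
    if len(argv) < 3:
        _print_usage()
        sys.exit(-1)

    ek, ekcert = _read_ek_material(argv[1], argv[2])

    # fetch configuration parameters
    provider_reg_port = config.get('registrar', 'provider_registrar_port')
    provider_reg_ip = config.get('registrar', 'provider_registrar_ip')

    # Create the group exactly once.  Registration, the hardware-TPM
    # activation and doActivateAgent below must all refer to this same group
    # UUID; re-creating the group in between would send the activation key
    # for a UUID the registrar never saw and leave the registered group
    # unactivated.
    (group_uuid, group_aik, group_num, _) = vtpm_manager.add_vtpm_group()

    # Register the group with the provider registrar and get back a blob.
    keyblob = registrar_client.doRegisterAgent(
        provider_reg_ip, provider_reg_port, group_uuid, ek, ekcert, group_aik)

    # Recover the ephemeral registrar key by activating the blob in the
    # hardware TPM.
    key = base64.b64encode(vtpm_manager.activate_group(group_uuid, keyblob))

    # Tell the registrar we hold the key, completing activation.
    registrar_client.doActivateAgent(
        provider_reg_ip, provider_reg_port, group_uuid, key)

    output = {
        'uuid': group_uuid,
        'aikpem': group_aik,
        'pubekpem': ek,
        'ekcert': ekcert,
    }

    # Store the group description so add_vtpm() can create vTPMs in it later.
    group_file = "group-%d-%s.tpm" % (group_num, group_uuid)
    with open(group_file, 'w', encoding="utf-8") as f:
        yaml.dump(output, f, Dumper=SafeDumper)

    logger.info("Activated VTPM group %d, UUID %s", group_num, group_uuid)

    if group_num == 0:
        logger.info(
            "WARNING: Group 0 created, repeating activation again to create Group 1"
        )
        main(argv)
    else:
        # Point current_group.tpm at the most recently created group.
        symlink_force(group_file, "current_group.tpm")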