Changelog:

- Partially revert swtpm review
sebanc · Sep 13, 2024 · b0e36f6 · b0e36f6
1 parent e2c18b6
commit b0e36f6
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 3 deletions.
diff --git a/brunch-patches/20-swtpm.sh b/brunch-patches/20-swtpm.sh
@@ -16,7 +16,7 @@ end script
 expect fork
 
 script
-  swtpm chardev --daemon --vtpm-proxy --tpm2 --tpmstate dir=/mnt/stateful_partition/brunch/swtpm --ctrl type=tcp,port=10001 --flags not-need-init
+  swtpm chardev --daemon --vtpm-proxy --tpm2 --tpmstate dir=/mnt/stateful_partition/brunch/swtpm --ctrl type=tcp,port=10001 --flags startup-clear
   until [ -c /dev/tpm0 ]; do sleep 1; done
 end script
 

diff --git a/brunch-patches/40-disable_stateful_encryption.sh b/brunch-patches/40-disable_stateful_encryption.sh
@@ -0,0 +1,28 @@
+# This patch disables stateful partition encryption (which does not work without official TPM since r103)
+
+ret=0
+
+mv /roota/usr/sbin/mount-encrypted /roota/usr/sbin/mount-encrypted.real
+cat >/roota/usr/sbin/mount-encrypted <<'MOUNTS'
+#!/bin/bash
+#touch /test
+#echo "mount-encrypted called with args \"$@\"" >> /test
+if [ $# -eq 0 ]; then
+	/usr/sbin/mount-encrypted.real
+	umount /home/chronos
+	umount /var
+	umount /mnt/stateful_partition/encrypted
+	rm -f /mnt/stateful_partition/encrypted.*
+	mount --bind /mnt/stateful_partition/encrypted /mnt/stateful_partition/encrypted
+	mkdir -p  /mnt/stateful_partition/encrypted/chronos /mnt/stateful_partition/encrypted/var
+	mount --bind /mnt/stateful_partition/encrypted/var /var
+	chown chronos:chronos /mnt/stateful_partition/encrypted/chronos
+	mount --bind /mnt/stateful_partition/encrypted/chronos /home/chronos
+else
+	/usr/sbin/mount-encrypted.real "$@"
+fi
+MOUNTS
+chmod 0755 /roota/usr/sbin/mount-encrypted
+if [ ! "$?" -eq 0 ]; then ret=$((ret + (2 ** 0))); fi
+
+exit $ret
diff --git a/brunch-patches/80-unibuild.sh b/brunch-patches/80-unibuild.sh
@@ -45,6 +45,7 @@ if [ "$enable_updates" -eq 1 ]; then
 #!/bin/bash
 if [ "\$EUID" -eq 0 ] && [ "\$1" == "." ] && [ "\$2" == "/usr/bin/cros_installer" ]; then
 	rm -rf /var/lib/ureadahead
+	touch /mnt/stateful_partition/.install_completed
 	exit 0
 else
 	chroot.orig "\$@"

diff --git a/scripts/build-init b/scripts/build-init
@@ -188,8 +188,8 @@ rm -rf ./efibootmgr-pkg || { echo "Failed to make efibootmgr package"; exit 1; }
 git clone https://github.com/stefanberger/libtpms.git libtpms || { echo "Failed to make libtpms"; exit 1; }
 cd ./libtpms || { echo "Failed to make libtpms"; exit 1; }
 git checkout df1c3e98d697f3c1f09262d2ba161a7db784d6cc || { echo "Failed to make libtpms"; exit 1; }
-sed -i -z 's@if(!IS_ATTRIBUTE(attributes, TPMA_NV, PPREAD))\n\t\treturn TPM_RC_NV_AUTHORIZATION;@return TPM_RC_SUCCESS;@g' ./src/tpm2/NV_spt.c || { echo "Failed to make libtpms"; exit 1; }
-sed -i -z 's@if(!IS_ATTRIBUTE(attributes, TPMA_NV, PPWRITE))\n\t\treturn TPM_RC_NV_AUTHORIZATION;@return TPM_RC_SUCCESS;@g' ./src/tpm2/NV_spt.c || { echo "Failed to make libtpms"; exit 1; }
+#sed -i -z 's@if(!IS_ATTRIBUTE(attributes, TPMA_NV, PPREAD))\n\t\treturn TPM_RC_NV_AUTHORIZATION;@return TPM_RC_SUCCESS;@g' ./src/tpm2/NV_spt.c || { echo "Failed to make libtpms"; exit 1; }
+#sed -i -z 's@if(!IS_ATTRIBUTE(attributes, TPMA_NV, PPWRITE))\n\t\treturn TPM_RC_NV_AUTHORIZATION;@return TPM_RC_SUCCESS;@g' ./src/tpm2/NV_spt.c || { echo "Failed to make libtpms"; exit 1; }
 ./autogen.sh --prefix=/usr/local --libdir=/usr/local/lib64 --with-openssl --with-tpm2 --enable-debug || { echo "Failed to make libtpms"; exit 1; }
 make -j"$NTHREADS" || { echo "Failed to make libtpms"; exit 1; }
 make install || { echo "Failed to make libtpms"; exit 1; }