├── .gitignore ├── LICENSE ├── README.md ├── debian ├── changelog ├── chaps.default ├── chaps.init ├── chaps.install ├── chaps.postinst ├── chaps.postrm ├── compat ├── control ├── copyright ├── libchaps0.install ├── rules └── source │ └── format ├── extrasrc ├── Makefile ├── Sconstruct.libchrome ├── Sconstruct.libchromeos ├── build_config.h ├── gtest_prod.h └── scoped_tss_type.h ├── makefile ├── man ├── chaps_client.8 └── chapsd.8 └── patches └── platform2 └── 0001-Update-Makefile-for-moved-code.patch /.gitignore: -------------------------------------------------------------------------------- 1 | deb 2 | chaps-* 3 | chaps_*_amd64.deb 4 | chaps_*_amd64.changes 5 | libchaps0_*_amd64.deb 6 | libchaps0_*_amd64.changes 7 | chaps_*.orig.tar.gz 8 | chaps_*.debian.tar.gz 9 | chaps_*.dsc 10 | chaps_*_source.changes 11 | build.out 12 | test.out 13 | package.out 14 | results.out 15 | README.html -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2014, Google Inc. All rights reserved. 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are 5 | met: 6 | 7 | * Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 9 | * Redistributions in binary form must reproduce the above 10 | copyright notice, this list of conditions and the following disclaimer 11 | in the documentation and/or other materials provided with the 12 | distribution. 13 | * Neither the name of Google Inc. nor the names of its 14 | contributors may be used to endorse or promote products derived from 15 | this software without specific prior written permission. 16 | 17 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 18 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 20 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 21 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 22 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 23 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Chaps: A PKCS #11 Implementation For Linux 2 | ========================================== 3 | 4 | **NOTE: As of ~May 2017 this repository is unmaintained and does not build** 5 | 6 | This repository is a framework for building and packaging the Chaps 7 | [PKCS #11](http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-11-cryptographic-token-interface-standard.htm) 8 | implementation from 9 | [ChromiumOS](http://www.chromium.org/developers/design-documents/chaps-technical-design) 10 | on Linux. Chaps provides an alternative to [OpenCryptoKi](http://sourceforge.net/projects/opencryptoki/) 11 | that has been [designed](http://www.chromium.org/developers/design-documents/chaps-technical-design#TOC-Rationale) 12 | to be faster and more maintainable. 13 | 14 | This repo does **not** hold the source code for Chaps; instead, the build files here retrieve the 15 | source code from the 16 | [ChromiumOS open source project](https://chromium.googlesource.com/chromiumos/platform2/), 17 | together with the other required source code from the 18 | [Chromium open source project](https://chromium.googlesource.com/chromium/src/base.git). 19 | 20 | The Linux build of Chaps is still under development, and should be considered to be **alpha status**. 21 | 22 | This is NOT an official Google product. 23 | 24 | 25 | Installing Chaps 26 | ---------------- 27 | 28 | To build and install Chaps on a Debian-based Linux system: 29 | 30 | - Build the Chaps packages: 31 | - Install the prerequisites: `sudo apt-get install debhelper scons protobuf-compiler libdbus-1-dev libdbus-c++-dev 32 | libprotobuf-dev libsnappy-dev libleveldb-dev libglib2.0-dev libctemplate-dev libssl-dev libtspi-dev libpam0g-dev` 33 | - Ensure that the TPM is initialized and accessible (see below). 34 | - Build a source tree (under `chaps-`) with `make src_generate` 35 | - Build the packages with `make package` 36 | - Install the Chaps packages: 37 | - Install the packages with `sudo dpkg -i chaps_*_amd64.deb libchaps0_*_amd64.deb` 38 | - This needs some pre-requisite packages to be installed, notably [TrouSerS](http://trousers.sourceforge.net/) 39 | (the key library that allows software access to the hardware TPM). 40 | - Log out and in again, so that Chaps can create a per-user token. 41 | 42 | 43 | Package Configuration 44 | --------------------- 45 | 46 | The behavior of the Chaps package is influenced by two configuration values: 47 | 48 | - If the `CHAPS_SYSTEM_TOKEN` variable in `/etc/default/chaps` is set (the default), the 49 | Chaps daemon will load a system-wide token on startup. 50 | - If the Chaps PAM module is enabled (via `pam-auth-update`) then per-user tokens will be 51 | created when a user logs in. 52 | 53 | 54 | PKCS#11 and TPMs 55 | ---------------- 56 | 57 | [PKCS #11](http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-11-cryptographic-token-interface-standard.htm) 58 | is a standard C API for accessing cryptographic hardware. The API allows encryption/decryption with both symmetric and 59 | asymmetric keys, together with signature generation/verification and random number generation. 60 | 61 | In Chaps, the majority of these cryptographic operations are performed in software (using the OpenSSL libraries); however, the 62 | presence of a *trusted platform module* (TPM) on the system allows for a few key operations to be performed in hardware: 63 | 64 | - Random number generation. 65 | - Generation of RSA public/private keypairs. 66 | - Wrapping/unwrapping of other keys (i.e. encrypting/decrypting them). 67 | 68 | This enables a key use case for PKCS#11: storing cryptographic material so that it can only be used on the local 69 | machine. A key can be stored in encrypted form, where decrypting the key (eventually) requires the use of a private 70 | key that is held in the TPM, and which cannot be extracted from the TPM. This means that an attacker with that gets 71 | full access to the local machine's disk still can't access the key. (If a TPM is not available, this protection is 72 | obviously not available, but Chaps will continue to work.) 73 | 74 | 75 | PKCS#11 Slots and Users 76 | ----------------------- 77 | 78 | In the PKCS#11 API, an item of cryptographic hardware is known as a *token*, and tokens are accessed via a particular 79 | *slot*. 80 | 81 | ``` 82 | % pkcs11-tool --module /usr/lib/libchaps.so.0 --list-slots 83 | Available slots: 84 | Slot 0 (0x0): TPM Slot 85 | token label : System TPM Token 86 | token manufacturer : Chromium OS 87 | token model : 88 | token flags : rng, PIN initialized, PIN pad present, token initialized 89 | hardware version : 1.0 90 | firmware version : 1.0 91 | serial num : Not Available 92 | ``` 93 | 94 | The PKCS#11 API also includes authentication to allow token contents to be secured, where the API user needs to log-in to 95 | access *private* objects on the token. However, there is only a single user PIN/password for the whole API; the PKCS#11 96 | API has no mechanism to allow different users to store cryptographic material and be isolated from each other. 97 | (The API does include another role with a distinct PIN/password, the *security officer*, but this role is intended for 98 | administrative operations – such as resetting the token or the user's PIN – rather than cryptographic operations.) 99 | 100 | Therefore, to allow multi-user use, Chaps does not make use of the PKCS#11 login mechanism (`C_Login`). Instead, Chaps 101 | creates a token (held under `/var/lib/chaps/tokens//`) for each user when it first sees that user log in to the 102 | system, together with a blob of authentication data that is only visible to that user (in 103 | `/var/lib/chaps/isolates/`). When that user subsequently makes PKCS#11 API calls, only their own slot/token 104 | contents are visible to them. 105 | (To ease compatibility with other PKCS#11 implementations, Chaps will accept a `C_Login` operation with a PIN of 106 | '111111', although this is a no-op; Chaps does not allow `C_Login` for the security office role.) 107 | 108 | The contents of the per-user token are encrypted using a hash of the user's password, which means that the user's 109 | token is only available when they are properly logged in (i.e. `su ` as `root` does not give access). However, 110 | this does impose a requirement for the user to re-login after installation (and after anything that restarts the Chaps 111 | system daemon). 112 | 113 | Chaps also optionally provides a system token, which is visible to users that do not have their own per-user token, 114 | because no PAM login event has occurred for them (e.g. for privileged users like `root`, or because PAM notifications 115 | are administratively disabled on the system). This option is configured via `CHAPS_SYSTEM_TOKEN` variable in 116 | `/etc/default/chaps`, which controls the `--auto_load_system_token` option for the `chapsd` system daemon. 117 | 118 | 119 | TPM Initialization and Configuration 120 | ------------------------------------ 121 | 122 | A system with a hardware TPM may need configuration and initialization before the TPM is available for use by Chaps. 123 | Working upwards from the hardware, the things to configure and check are as follows; **note that re-initializing the TPM 124 | will make any pre-existing TPM-backed cryptographic material inaccessible**: 125 | 126 | - Check the TPM is visible to the system with the `tpm_version` command (from the 127 | [`tpm-tools` package](https://packages.debian.org/wheezy/tpm-tools)). If not: 128 | - Confirm that the TPM is enabled. This is usually a BIOS setup option, although note that accessing all of 129 | the relevant BIOS TPM options may require a [cold boot](http://support.lenovo.com/us/en/documents/ht003928). 130 | - If the TPM has been configured previously and the owner password is not known, it will need to be cleared via 131 | the cold-boot BIOS options or `tpm_clear --force`. Obviously **this will destroy any previous cryptographic 132 | material**. 133 | - The TPM needs to be *enabled* and *ownable*. 134 | - Confirm that the local kernel has been configured with TPM support 135 | - either compiled-in to the kernel: `grep -i tpm /boot/config-$(uname -r)` 136 | - or available as a module: `lsmod | grep -i tpm` 137 | - Confirm that [Trousers](https://packages.debian.org/wheezy/trousers) is installed and running (`ps -ef | grep tcsd`). 138 | - The system also needs to have *taken ownership* of the TPM, which generates the *storage root key* (SRK) that will 139 | encrypt sensitive material. This operation also involves setting two passwords: 140 | - The *SRK password* governs use of the storage root key, and so is needed for most TPM operations. 141 | - The *owner password* governs authentication of the TPM itself; in particular, it is needed to change the SRK 142 | password. 143 | - The `tpm_takeownership` command performs the take-ownership operation, if required. To use the TPM with Chaps, 144 | specify an empty SRK password, and whatever you like for the owner password. (Note that an empty password is 145 | **different** than the `--well-known` option to this tool, which uses a 20-bytes-of-zero password.) 146 | - If the SRK already has a non-empty password, Chaps can be configured to use this password with the 147 | `--srk_password` or `--srk_zeros` options to `chapsd`. However, these options are not currently exposed 148 | externally (i.e. they cannot be configured in `/etc/default/chaps`), and a non-empty SRK password would 149 | prevent current Debian versions of OpenCryptoKi from using the TPM. 150 | 151 | 152 | Troubleshooting 153 | --------------- 154 | 155 | Chaps emits log messages to the system log (e.g. `/var/log/syslog`); the verbosity of these logs can be altered 156 | with `chaps_client --set_log_level=`. 157 | 158 | - If any operation fails with a "No EK" error, ensure that the TPM has generated an *endorsement key* (EK) that 159 | identifies the TPM (which is normally only created once at first use of the TPM). The `tpm_getpubek` command displays 160 | this (and requires the owner password); if no EK is available, generate one with `tpm_createek`. 161 | - Check for the following errors from `chapsd` in the system log: 162 | - `TPM_E_NOSRK` indicates that the TPM has not been taken ownership of. Use `tpm_takeownership` to take ownership, 163 | which generates an SRK and setting the owner and SRK passwords. 164 | - `TPM_E_AUTHFAIL` indicates that the Chaps and the TPM have different ideas of what the SRK password is. Use 165 | `tpm_changeownerauth` (which requires the TPM owner password) to set an empty SRK password. 166 | - `TPM_E_DEFEND_LOCK_RUNNING` indicates that the TPM is defending against dictionary attacks after multiple failed 167 | password attempts. Wait for the timer to expire, or use `tpm_resetdalock` (which requires the TPM owner 168 | password) to reset the lock. 169 | - If no slots are visible (with `pkcs11-tool --module /usr/lib/libchaps.so.0 --list-slots`): 170 | - Try logging out and in again. 171 | - Check that PAM authentication is enabled. 172 | - For users that never log in, check whether the system token option is enabled. 173 | 174 | 175 | Detailed Build Instructions 176 | --------------------------- 177 | 178 | First ensure the prerequisites are available. The master list is given in the `Build-Depends` section of the 179 | `debian/control` file, but specifically includes: 180 | 181 | - The `` header file, available in the `liblevedb-dev` Debian package. 182 | - The SCons build tool (typically from the `scons` Debian package). 183 | - Development headers for GLib 2.0 (`libglib2.0-dev` package). 184 | - Development headers for the DBus C++ library (`libdbus-c++-dev` package). 185 | - Development headers for protocol buffers (`libprotobuf-dev` package). 186 | - Development headers for OpenSSL (`libssl-dev` package). 187 | - Development headers for PAM modules (`libpam0g-dev` package). 188 | - Development headers for TSS (`libtspi-dev` package). 189 | 190 | At the top level of this repository, run `make`. This will: 191 | 192 | - Create a source tree under `chaps-/` via the `src_generate` target: 193 | - Download the relevant ChromiumOS and Chromium code under `chaps-/`. 194 | - Copy additional files needed for the Linux build. 195 | - Build the library code that Chaps needs: 196 | - `chaps-/libchrome-$(BASE_VER).a`: Chromium utility code 197 | - `chaps-/libchromeos-$(BASE_VER).a`: ChromiumOS utility code 198 | - Build the Chaps code into binaries in `chaps-/out/`. 199 | 200 | To build Debian packages, run `make package`. This will generate two packages: 201 | 202 | - `chaps__.deb`: Chaps system daemon 203 | - `libchaps0__.deb`: PKCS#11 client library 204 | 205 | A corresponding source package can be generated with `make src-package`. 206 | 207 | Repository Layout 208 | ----------------- 209 | 210 | This small repo contains the following: 211 | 212 | - `README.md`: this file 213 | - `makefile`: master makefile 214 | - `extrasrc/`: additional source files needed for the Linux build 215 | - `patches/`: source code changes needed for the Linux build 216 | - `debian/`: Debian packaging files 217 | - `man/`: vestigial man pages 218 | 219 | 220 | Source Code Layout 221 | ------------------ 222 | 223 | Executing the `src_generate` target of the master `makefile` will retrieve 224 | additional source code from various upstream locations, and will place it 225 | under `chaps-/`. 226 | 227 | - `chaps-/base`: Chromium base library code from 228 | [https://chromium.googlesource.com/chromium/src/base](https://chromium.googlesource.com/chromium/src/base) 229 | - `chaps-/platform2`: ChromiumOS core code, including Chaps and utility libraries required by Chaps, from 230 | [https://chromium.googlesource.com/chromiumos/platform2](https://chromium.googlesource.com/chromiumos/platform2) 231 | - `chaps-/googletest-release-`: GoogleMock and GoogleTest code 232 | - `chaps-/include`: Local include files 233 | - `chaps-/debian`: Local Debian packaging files 234 | - `chaps-/man`: man pages 235 | 236 | 237 | Versioning 238 | ---------- 239 | 240 | The Chaps source code tree is primarily built from two upstream repositories, 241 | ChromiumOS's [platform2](https://chromium.googlesource.com/chromiumos/platform2) 242 | repo together with the 243 | [base](https://chromium.googlesource.com/chromium/src/base) repo from Chromium. 244 | 245 | The platform2 code has branches named like `release-R42-6812.B` that correspond 246 | to CrOS releases, and the equivalent Debian package for Chaps will have version 247 | 0.42-6812-. 248 | 249 | To update Chaps so that it corresponds to a new CrOS release: 250 | - Change the `CROS_VERSION` variable in `Makefile` to match the numeric part of 251 | the CrOS release ID; for example, release-R42-6812.B gives 252 | `CROS_VERSION=42-6812` 253 | - Find the value of `BASE_VER` in `platform2/chaps/Makefile` (as of the 254 | relevant CrOS branch for the release, e.g. `origin/release-R42-6812.B`). 255 | This indicates the revision of the Chromium base repo that is expected. 256 | - Update the `CHROMEBASE_VER` value in `Makefile` to match that value. 257 | - Follow the instructions in `Makefile` to determine a commit ID for 258 | the Chromium [base](https://chromium.googlesource.com/chromium/src/base) repo 259 | that matches that `BASE_VER` revision. 260 | - Update the `CHROMEBASE_COMMIT` value in `Makefile` to hold that commit ID. 261 | - Update the `debian/changelog` file to include a stanza for the new version, 262 | and describe the changes therein. 263 | - Reset the `DEB_REVISION` value in `Makefile` to 1. 264 | - Force a re-generation of the source tree with `make distclean`. 265 | 266 | If the upstream source remains the same, but there are local packaging changes 267 | or patches, then just the `DEB_REVISION` value in `Makefile` needs to be incremented. 268 | -------------------------------------------------------------------------------- /debian/changelog: -------------------------------------------------------------------------------- 1 | chaps (0.49-7834-1) unstable; urgency=low 2 | 3 | * Update for current Chrome[OS] code. 4 | 5 | -- David Drysdale Wed, 10 Feb 2016 17:12:10 +0000 6 | 7 | 8 | chaps (0.42-6812-1) unstable; urgency=low 9 | 10 | * Initial public release, with upstream code as of 11 | R42-6812 (closes: Bug#772818) 12 | 13 | -- David Drysdale Thu, 11 Dec 2014 11:03:47 +0000 14 | -------------------------------------------------------------------------------- /debian/chaps.default: -------------------------------------------------------------------------------- 1 | # If the CHAPS_SYSTEM_TOKEN variable is set, then the init script for 2 | # the chapsd daemon will load a system token at daemon startup. 3 | # 4 | CHAPS_SYSTEM_TOKEN=true 5 | -------------------------------------------------------------------------------- /debian/chaps.init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | ### BEGIN INIT INFO 3 | # Provides: chaps 4 | # Required-Start: $network $local_fs $remote_fs trousers dbus 5 | # Required-Stop: $remote_fs 6 | # Default-Start: 2 3 4 5 7 | # Default-Stop: 0 1 6 8 | # Short-Description: PKCS #11 implementation for TPM backed services. 9 | # Description: Chaps is a PKCS #11 implementation that provides trusted 10 | # platform module (TPM) backed cryptographic services. It 11 | # aims to improve speed and reliability of cryptographic 12 | # token operations as well as to provide a simpler and more 13 | # flexible codebase for future enhancements. Chaps works 14 | # with a TCG Software Stack (TSS). Typically the TrouSerS 15 | # TSS implementation is used, but Chaps is not limited to 16 | # working with TrouSerS. 17 | ### END INIT INFO 18 | 19 | # PATH should only include /usr/* if it runs after the mountnfs.sh script 20 | PATH=/sbin:/usr/sbin:/bin:/usr/bin 21 | NAME=chapsd 22 | DESC="Chaps daemon" 23 | DAEMON=/usr/sbin/chapsd 24 | DAEMON_ARGS="" 25 | PIDFILE=/var/run/$NAME.pid 26 | SCRIPTNAME=/etc/init.d/$NAME 27 | 28 | # Exit if the package is not installed 29 | [ -x $DAEMON ] || exit 0 30 | 31 | . /lib/lsb/init-functions 32 | 33 | # Include chaps defaults if available 34 | test -r /etc/default/chaps && . /etc/default/chaps 35 | 36 | if [ "$CHAPS_SYSTEM_TOKEN" != "" ] ; then 37 | DAEMON_ARGS="--auto_load_system_token" 38 | fi 39 | 40 | # 41 | # Function that starts the daemon/service 42 | # 43 | do_start() 44 | { 45 | # Return 46 | # 0 if daemon has been started 47 | # 1 if daemon was already running 48 | # 2 if daemon could not be started 49 | start-stop-daemon --start --background --make-pidfile --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ 50 | || return 1 51 | start-stop-daemon --start --background --make-pidfile --quiet --pidfile $PIDFILE --exec $DAEMON -- \ 52 | $DAEMON_ARGS \ 53 | || return 2 54 | } 55 | 56 | # 57 | # Function that stops the daemon/service 58 | # 59 | do_stop() 60 | { 61 | # Return 62 | # 0 if daemon has been stopped 63 | # 1 if daemon was already stopped 64 | # 2 if daemon could not be stopped 65 | # other if a failure occurred 66 | start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME 67 | RETVAL="$?" 68 | [ "$RETVAL" = 2 ] && return 2 69 | # Wait for children to finish too if this is a daemon that forks 70 | # and if the daemon is only ever run from this initscript. 71 | # If the above conditions are not satisfied then add some other code 72 | # that waits for the process to drop all resources that could be 73 | # needed by services started subsequently. A last resort is to 74 | # sleep for some time. 75 | start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON 76 | [ "$?" = 2 ] && return 2 77 | # Many daemons don't delete their pidfiles when they exit. 78 | rm -f $PIDFILE 79 | return "$RETVAL" 80 | } 81 | 82 | case "$1" in 83 | start) 84 | [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME" 85 | do_start 86 | case "$?" in 87 | 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 88 | 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; 89 | esac 90 | ;; 91 | stop) 92 | [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" 93 | do_stop 94 | case "$?" in 95 | 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 96 | 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; 97 | esac 98 | ;; 99 | status) 100 | status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? 101 | ;; 102 | restart|force-reload) 103 | # 104 | # If the "reload" option is implemented then remove the 105 | # 'force-reload' alias 106 | # 107 | log_daemon_msg "Restarting $DESC" "$NAME" 108 | do_stop 109 | case "$?" in 110 | 0|1) 111 | do_start 112 | case "$?" in 113 | 0) log_end_msg 0 ;; 114 | 1) log_end_msg 1 ;; # Old process is still running 115 | *) log_end_msg 1 ;; # Failed to start 116 | esac 117 | ;; 118 | *) 119 | # Failed to stop 120 | log_end_msg 1 121 | ;; 122 | esac 123 | ;; 124 | *) 125 | echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 126 | exit 3 127 | ;; 128 | esac 129 | 130 | : 131 | -------------------------------------------------------------------------------- /debian/chaps.install: -------------------------------------------------------------------------------- 1 | /etc/dbus-1/system.d/org.chromium.Chaps.conf 2 | /usr/share/pam-configs/chaps 3 | /usr/share/man/man8/chaps_client.8 4 | /usr/share/man/man8/chapsd.8 5 | /usr/share/dbus-1/system-services/org.chromium.Chaps.service 6 | /usr/bin/chaps_client 7 | /usr/sbin/chapsd 8 | /lib/security/pam_chaps.so 9 | -------------------------------------------------------------------------------- /debian/chaps.postinst: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # postinst script for chaps 3 | # 4 | # see: dh_installdeb(1) 5 | 6 | set -e 7 | 8 | # summary of how this script can be called: 9 | # * `configure' 10 | # * `abort-upgrade' 11 | # * `abort-remove' `in-favour' 12 | # 13 | # * `abort-remove' 14 | # * `abort-deconfigure' `in-favour' 15 | # `removing' 16 | # 17 | # for details, see http://www.debian.org/doc/debian-policy/ or 18 | # the debian-policy package 19 | 20 | 21 | case "$1" in 22 | configure|abort-upgrade|abort-remove|abort-deconfigure) 23 | install -m 700 -d /var/lib/chaps/tokens/ 24 | install -m 755 -d /var/lib/chaps/isolates/ 25 | pam-auth-update --package 26 | ;; 27 | 28 | *) 29 | echo "postinst called with unknown argument \`$1'" >&2 30 | exit 1 31 | ;; 32 | esac 33 | 34 | if [ -x "/etc/init.d/chaps" ]; then 35 | if [ ! -e "/etc/init/chaps.conf" ]; then 36 | # Manually force a later start than trousers 37 | update-rc.d chaps defaults 40 60 >/dev/null 38 | fi 39 | invoke-rc.d chaps start || exit $? 40 | fi 41 | 42 | exit 0 43 | -------------------------------------------------------------------------------- /debian/chaps.postrm: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # postrm script for chaps 3 | # 4 | # see: dh_installdeb(1) 5 | 6 | set -e 7 | 8 | # summary of how this script can be called: 9 | # * `remove' 10 | # * `purge' 11 | # * `upgrade' 12 | # * `failed-upgrade' 13 | # * `abort-install' 14 | # * `abort-install' 15 | # * `abort-upgrade' 16 | # * `disappear' 17 | # 18 | # for details, see http://www.debian.org/doc/debian-policy/ or 19 | # the debian-policy package 20 | 21 | 22 | case "$1" in 23 | purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) 24 | pam-auth-update --package 25 | ;; 26 | 27 | *) 28 | echo "postrm called with unknown argument \`$1'" >&2 29 | exit 1 30 | ;; 31 | esac 32 | 33 | # dh_installdeb will replace this with shell code automatically 34 | # generated by other debhelper scripts. 35 | 36 | #DEBHELPER# 37 | 38 | exit 0 39 | -------------------------------------------------------------------------------- /debian/compat: -------------------------------------------------------------------------------- 1 | 9 2 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | Source: chaps 2 | Section: admin 3 | Priority: extra 4 | Maintainer: David Drysdale 5 | Build-Depends: debhelper (>= 8.0.0), 6 | scons (>= 2.1.0), 7 | protobuf-compiler (>= 2.4.1), 8 | libdbus-1-dev (>= 1.4.18), 9 | libdbus-c++-dev (>= 0.9.0), 10 | libprotobuf-dev (>= 2.4.1), 11 | libsnappy-dev, 12 | libleveldb-dev (>= 1.12.0), 13 | libglib2.0-dev (>= 2.32.1), 14 | libctemplate-dev, 15 | libssl-dev (>= 1.0.1), 16 | libtspi-dev (>= 0.3.7), 17 | libpam0g-dev 18 | Standards-Version: 3.9.3 19 | Vcs-Git: git://github.org/google/chaps-linux.git 20 | Vcs-Browser: https://github.org/google/chaps-linux 21 | 22 | Package: chaps 23 | Architecture: any 24 | Depends: trousers (>= 0.3.7), ${shlibs:Depends}, ${misc:Depends} 25 | Description: PKCS #11 implementation for TPM backed services 26 | Chaps is a PKCS #11 implementation that provides trusted platform module (TPM) 27 | backed cryptographic services. It aims to improve speed and reliability of 28 | cryptographic token operations as well as to provide a simpler and more 29 | flexible codebase for future enhancements. Chaps works with a TCG Software 30 | Stack (TSS). Typically the TrouSerS TSS implementation is used, but Chaps 31 | is not limited to working with TrouSerS. The name "Chaps" has no real 32 | significance other than its fitness as a name for a layer above TrouSerS. 33 | . 34 | This package includes the daemon and a PAM module which, if enabled, 35 | generates a PKCS #11 token for each user that logs into the system. 36 | . 37 | To generate a PKCS #11 token, the installing user should log out and in again 38 | to get access to their token. 39 | 40 | Package: libchaps0 41 | Architecture: any 42 | Depends: chaps (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} 43 | Description: PKCS #11 implementation library 44 | Chaps is a PKCS #11 implementation that provides trusted platform module (TPM) 45 | backed cryptographic services. It aims to improve speed and reliability of 46 | cryptographic token operations as well as to provide a simpler and more 47 | flexible codebase for future enhancements. Chaps works with a TCG Software 48 | Stack (TSS). Typically the TrouSerS TSS implementation is used, but Chaps 49 | is not limited to working with TrouSerS. The name "Chaps" has no real 50 | significance other than its fitness as a name for a layer above TrouSerS. 51 | . 52 | This package includes the shared library that provides application 53 | access to the PKCS #11 API. 54 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ 2 | Upstream-Name: Chaps 3 | Source: https://chromium.googlesource.com/chromiumos/platform2 4 | 5 | Files: * 6 | Copyright: 2011-2014 The Chromium OS Authors. 7 | License: 8 | Copyright (c) 2011-2014 The Chromium OS Authors. All rights reserved. 9 | 10 | Redistribution and use in source and binary forms, with or without 11 | modification, are permitted provided that the following conditions are 12 | met: 13 | 14 | * Redistributions of source code must retain the above copyright 15 | notice, this list of conditions and the following disclaimer. 16 | * Redistributions in binary form must reproduce the above 17 | copyright notice, this list of conditions and the following disclaimer 18 | in the documentation and/or other materials provided with the 19 | distribution. 20 | * Neither the name of Google Inc. nor the names of its 21 | contributors may be used to endorse or promote products derived from 22 | this software without specific prior written permission. 23 | 24 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 25 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 26 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 27 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 28 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 29 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 30 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 34 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 | 36 | -------------------------------------------------------------------------------- /debian/libchaps0.install: -------------------------------------------------------------------------------- 1 | /usr/lib/libchaps.so.* 2 | -------------------------------------------------------------------------------- /debian/rules: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | # -*- makefile -*- 3 | # Sample debian/rules that uses debhelper. 4 | # This file was originally written by Joey Hess and Craig Small. 5 | # As a special exception, when this file is copied by dh-make into a 6 | # dh-make output file, you may use that output file without restriction. 7 | # This special exception was added by Craig Small in version 0.37 of dh-make. 8 | 9 | # Uncomment this to turn on verbose mode. 10 | export DH_VERBOSE=1 11 | 12 | %: 13 | dh $@ 14 | 15 | -------------------------------------------------------------------------------- /debian/source/format: -------------------------------------------------------------------------------- 1 | 3.0 (quilt) 2 | -------------------------------------------------------------------------------- /extrasrc/Makefile: -------------------------------------------------------------------------------- 1 | # Top-level Makefile for Chaps standalone Linux build. 2 | BASE_VER ?= @BASE_VER@ 3 | GMOCK_VER ?= @GMOCK_VER@ 4 | CHAPS_VERSION_MAJOR ?= @CHAPS_VERSION_MAJOR@ 5 | CHAPS_VERSION_MINOR ?= @CHAPS_VERSION_MINOR@ 6 | CHAPS_VERSION=$(CHAPS_VERSION_MAJOR).$(CHAPS_VERSION_MINOR) 7 | 8 | SRCDIR=$(CURDIR) 9 | OUTDIR=$(SRCDIR)/out 10 | GMOCK_DIR=$(SRCDIR)/googletest-release-$(GMOCK_VER)/googlemock 11 | GTEST_DIR=$(SRCDIR)/googletest-release-$(GMOCK_VER)/googletest 12 | 13 | INCLUDES="-I$(SRCDIR)/include -I$(SRCDIR)/libchromeos -isystem $(GTEST_DIR)/include -I$(GMOCK_DIR)/include -I$(SRCDIR)/leveldb/include" 14 | 15 | # To build Chaps, defer to platform2/chaps/Makefile 16 | all: libchrome-$(BASE_VER).a libbrillo-$(BASE_VER).a pb_files | out 17 | cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) CXXFLAGS=$(INCLUDES) OUT=$(OUTDIR) CHAPS_VERSION_MAJOR=$(CHAPS_VERSION_MAJOR) CHAPS_VERSION_MINOR=$(CHAPS_VERSION_MINOR) $(MAKE) 18 | 19 | # To build required Chromium components, defer to scons file. 20 | libchrome-$(BASE_VER).a: 21 | BASE_VER=$(BASE_VER) GTEST_DIR=$(GTEST_DIR) scons -f Sconstruct.libchrome 22 | 23 | # To build required Brillo/ChromiumOS components, defer to scons file. 24 | libbrillo-$(BASE_VER).a: 25 | BASE_VER=$(BASE_VER) scons -f Sconstruct.libchromeos 26 | 27 | # Build generated files from .proto file 28 | pb_files: out/chaps/proto_bindings/ck_structs.pb.h 29 | out/chaps/proto_bindings/ck_structs.pb.h: system_api/dbus/chaps/ck_structs.proto | out/chaps/proto_bindings 30 | cd system_api/dbus/chaps && protoc --cpp_out=../../../out/chaps/proto_bindings ck_structs.proto 31 | 32 | out: 33 | mkdir -p $@ 34 | out/chaps/proto_bindings: | out 35 | mkdir -p $@ 36 | 37 | 38 | out/gtest-all.o: | out 39 | $(CXX) -isystem $(GTEST_DIR)/include -I$(GTEST_DIR) -pthread -c $(GTEST_DIR)/src/gtest-all.cc -o $@ 40 | out/libgtest.a: out/gtest-all.o 41 | ar -rv $@ $< 42 | out/gmock-all.o: | out 43 | $(CXX) -isystem $(GTEST_DIR)/include -I$(GTEST_DIR) -isystem $(GMOCK_DIR)/include -I$(GMOCK_DIR) -pthread -std=gnu++11 -c $(GMOCK_DIR)/src/gmock-all.cc -o $@ 44 | out/libgmock.a: out/gmock-all.o 45 | ar -rv $@ $< 46 | 47 | test: out/libgtest.a out/libgmock.a libchrome-$(BASE_VER).a libbrillo-$(BASE_VER).a | out 48 | cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) CXXFLAGS=$(INCLUDES) LDLIBS="-L$(OUTDIR)" OUT=$(OUTDIR) $(MAKE) tests 49 | 50 | clean: clean_chaps clean_chromeos clean_chromebase clean_gmock clean_debian 51 | clean_gmock: 52 | rm -rf $(OUTDIR)/gtest-all.out $(OUTDIR)/libgtest.a 53 | rm -rf $(OUTDIR)/gmock-all.out $(OUTDIR)/libgmock.a 54 | clean_chromebase: 55 | -BASE_VER=$(BASE_VER) scons -f Sconstruct.libchrome -c 56 | clean_chromeos: 57 | -BASE_VER=$(BASE_VER) scons -f Sconstruct.libchromeos -c 58 | clean_chaps: 59 | -cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) $(MAKE) clean 60 | rm -rf out 61 | clean_debian: 62 | dh_clean 63 | 64 | 65 | distclean: clean 66 | rm -f .sconsign.dblite 67 | 68 | INSTALL ?= install 69 | MANDIR=$(DESTDIR)/usr/share/man 70 | install_man: 71 | $(INSTALL) -m 0644 -D man/chapsd.8 $(MANDIR)/man8/chapsd.8 72 | $(INSTALL) -m 0644 -D man/chaps_client.8 $(MANDIR)/man8/chaps_client.8 73 | install: install_man 74 | cd platform2/chaps && BASE_VER=$(BASE_VER) LINUX_BUILD=1 PKG_CONFIG_PATH=$(SRCDIR) CXXFLAGS=$(INCLUDES) OUT=$(OUTDIR) CHAPS_VERSION_MAJOR=$(CHAPS_VERSION_MAJOR) CHAPS_VERSION_MINOR=$(CHAPS_VERSION_MINOR) $(MAKE) install_files 75 | -------------------------------------------------------------------------------- /extrasrc/Sconstruct.libchrome: -------------------------------------------------------------------------------- 1 | # -*- python -*- 2 | 3 | # Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 4 | # Use of this source code is governed by a BSD-style license that can be 5 | # found in the LICENSE file. 6 | 7 | import os 8 | 9 | # This block will most likely need updating whenever libchrome gets updated. 10 | # The order of the libs below doesn't matter (as scons will take care of 11 | # building things in the required order). 12 | base_name = 'base' 13 | base_lib = { 14 | 'sources' : """ 15 | base/at_exit.cc 16 | base/base_switches.cc 17 | base/callback_internal.cc 18 | base/command_line.cc 19 | base/debug/alias.cc 20 | base/debug/debugger.cc 21 | base/debug/debugger_posix.cc 22 | base/debug/stack_trace.cc 23 | base/debug/stack_trace_posix.cc 24 | base/environment.cc 25 | base/files/file.cc 26 | base/files/file_enumerator.cc 27 | base/files/file_enumerator_posix.cc 28 | base/files/file_path.cc 29 | base/files/file_path_constants.cc 30 | base/files/file_posix.cc 31 | base/files/file_tracing.cc 32 | base/files/file_util.cc 33 | base/files/file_util_posix.cc 34 | base/files/scoped_file.cc 35 | base/files/scoped_temp_dir.cc 36 | base/json/json_parser.cc 37 | base/json/json_reader.cc 38 | base/json/json_string_value_serializer.cc 39 | base/json/json_writer.cc 40 | base/json/string_escape.cc 41 | base/lazy_instance.cc 42 | base/location.cc 43 | base/logging.cc 44 | base/md5.cc 45 | base/memory/ref_counted.cc 46 | base/memory/ref_counted_memory.cc 47 | base/memory/singleton.cc 48 | base/memory/weak_ptr.cc 49 | base/message_loop/message_pump.cc 50 | base/message_loop/message_pump_default.cc 51 | base/metrics/bucket_ranges.cc 52 | base/metrics/histogram_base.cc 53 | base/metrics/histogram_samples.cc 54 | base/metrics/histogram.cc 55 | base/metrics/metrics_hashes.cc 56 | base/metrics/sample_map.cc 57 | base/metrics/sample_vector.cc 58 | base/metrics/sparse_histogram.cc 59 | base/metrics/statistics_recorder.cc 60 | base/pickle.cc 61 | base/posix/safe_strerror.cc 62 | base/process/process_handle_posix.cc 63 | base/profiler/alternate_timer.cc 64 | base/profiler/tracked_time.cc 65 | base/rand_util.cc 66 | base/rand_util_posix.cc 67 | base/strings/string16.cc 68 | base/strings/string_piece.cc 69 | base/strings/stringprintf.cc 70 | base/strings/string_util.cc 71 | base/strings/string_util_constants.cc 72 | base/strings/string_split.cc 73 | base/strings/string_number_conversions.cc 74 | base/strings/sys_string_conversions_posix.cc 75 | base/strings/utf_string_conversions.cc 76 | base/strings/utf_string_conversion_utils.cc 77 | base/synchronization/condition_variable_posix.cc 78 | base/synchronization/lock.cc 79 | base/synchronization/lock_impl_posix.cc 80 | base/synchronization/waitable_event_posix.cc 81 | base/sys_info_posix.cc 82 | base/test/test_file_util.cc 83 | base/test/test_file_util_linux.cc 84 | base/test/test_file_util_posix.cc 85 | base/test/test_switches.cc 86 | base/test/test_timeouts.cc 87 | base/third_party/dmg_fp/dtoa.cc 88 | base/third_party/dmg_fp/g_fmt.cc 89 | base/third_party/dynamic_annotations/dynamic_annotations.c 90 | base/third_party/icu/icu_utf.cc 91 | base/third_party/nspr/prtime.cc 92 | base/threading/non_thread_safe_impl.cc 93 | base/threading/platform_thread_linux.cc 94 | base/threading/platform_thread_internal_posix.cc 95 | base/threading/platform_thread_posix.cc 96 | base/threading/thread_id_name_manager.cc 97 | base/threading/thread_checker_impl.cc 98 | base/threading/thread_collision_warner.cc 99 | base/threading/thread_local_posix.cc 100 | base/threading/thread_local_storage.cc 101 | base/threading/thread_local_storage_posix.cc 102 | base/threading/thread_restrictions.cc 103 | base/time/time.cc 104 | base/time/time_posix.cc 105 | base/timer/elapsed_timer.cc 106 | base/tracked_objects.cc 107 | base/strings/utf_string_conversions.cc 108 | base/values.cc 109 | base/vlog.cc 110 | """, 111 | 'libs' : 'pthread rt', 112 | 'pc_libs' : 'glib-2.0', 113 | } 114 | 115 | env = Environment() 116 | 117 | BASE_VER = os.environ.get('BASE_VER', '0') 118 | GTEST_DIR = os.environ.get('GTEST_DIR', '0') 119 | PKG_CONFIG = os.environ.get('PKG_CONFIG', 'pkg-config') 120 | PWD = Dir('.').srcnode().abspath 121 | 122 | env.Append( 123 | CCFLAGS=['-g'] 124 | ) 125 | for key in Split('CC CXX AR RANLIB LD NM CFLAGS CCFLAGS'): 126 | value = os.environ.get(key) 127 | if value: 128 | env[key] = Split(value) 129 | 130 | env['CCFLAGS'] += ['-fPIC', 131 | '-O2', 132 | '-Wall', 133 | '-Werror', 134 | '-Wno-unused-local-typedefs', 135 | '-DOS_LINUX=1', 136 | '-DMIN_LIBBASE=1', 137 | '-DTOOLKIT_VIEWS=1', 138 | '-DUSE_AURA=1', 139 | '-DUSE_SYSTEM_LIBEVENT=1', 140 | '-DBASE_VER=%s' % BASE_VER, 141 | '-isystem', '%s/include' % GTEST_DIR, 142 | '-Iinclude', 143 | '-I.'] 144 | env['CXXFLAGS'] += ['-std=gnu++11'] 145 | 146 | # Fix issue with scons not passing some vars through the environment. 147 | for key in Split('PKG_CONFIG SYSROOT'): 148 | if os.environ.has_key(key): 149 | env['ENV'][key] = os.environ[key] 150 | 151 | # Build the library. 152 | e = env.Clone() 153 | e.Append( 154 | LIBS = Split(base_lib['libs']), 155 | LIBPATH = ['.'], 156 | LINKFLAGS = ['-Wl,-z,defs'], 157 | ) 158 | if base_lib['pc_libs']: 159 | e.ParseConfig(PKG_CONFIG + ' --cflags --libs %s' % base_lib['pc_libs']) 160 | 161 | e.StaticLibrary('libchrome-%s' % BASE_VER, Split(base_lib['sources'])) 162 | 163 | # Build the pkg-config text file. 164 | 165 | def lib_list(libs): 166 | return ' '.join(['-l' + l for l in libs]) 167 | 168 | subst_dict = { 169 | '@PWD@' : PWD, 170 | '@BSLOT@' : BASE_VER, 171 | '@PRIVATE_PC@' : base_lib['pc_libs'], 172 | '@LIBS@' : lib_list(Split(base_lib['libs'])), 173 | } 174 | env = Environment(tools = ['textfile'], SUBST_DICT = subst_dict) 175 | 176 | env.Substfile('libchrome-%s.pc' % BASE_VER, 177 | [Value(""" 178 | pkg_dir=@PWD@ 179 | bslot=@BSLOT@ 180 | 181 | Name: libchrome 182 | Description: Chrome base library 183 | Version: ${bslot} 184 | Requires: @PRIVATE_PC@ 185 | Libs: -L${pkg_dir} -lchrome-${bslot} @LIBS@ 186 | Cflags: -I${pkg_dir} 187 | """)]) 188 | -------------------------------------------------------------------------------- /extrasrc/Sconstruct.libchromeos: -------------------------------------------------------------------------------- 1 | # -*- python -*- 2 | 3 | # Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 4 | # Use of this source code is governed by a BSD-style license that can be 5 | # found in the LICENSE file. 6 | 7 | import os 8 | 9 | # This block will most likely need updating whenever libchromeos gets updated. 10 | # The order of the libs below doesn't matter (as scons will take care of 11 | # building things in the required order). 12 | base_lib = { 13 | 'sources' : """ 14 | libchromeos/brillo/secure_blob.cc 15 | libchromeos/brillo/syslog_logging.cc 16 | """, 17 | 'libs' : '', 18 | 'pc_libs' : 'dbus-c++-1', 19 | } 20 | 21 | env = Environment() 22 | 23 | PKG_CONFIG = os.environ.get('PKG_CONFIG', 'pkg-config') 24 | BASE_VER = os.environ.get('BASE_VER', '0') 25 | PWD = Dir('.').srcnode().abspath 26 | 27 | env.Append( 28 | CPPPATH=['.'], 29 | CCFLAGS=['-g'] 30 | ) 31 | for key in Split('CC CXX AR RANLIB LD NM CFLAGS CCFLAGS'): 32 | value = os.environ.get(key) 33 | if value: 34 | env[key] = Split(value) 35 | 36 | env['CCFLAGS'] += ['-fPIC', 37 | '-fno-exceptions', 38 | '-std=gnu++11', 39 | '-Wall', 40 | '-Werror', 41 | '-DOS_LINUX=1', 42 | '-DTOOLKIT_VIEWS=1', 43 | '-DUSE_AURA=1', 44 | '-DUSE_SYSTEM_LIBEVENT=1', 45 | '-DBASE_VER=%s' % BASE_VER, 46 | '-Iinclude', 47 | '-Ilibchromeos'] 48 | 49 | # Fix issue with scons not passing some vars through the environment. 50 | for key in Split('PKG_CONFIG SYSROOT'): 51 | if os.environ.has_key(key): 52 | env['ENV'][key] = os.environ[key] 53 | 54 | # Build the library. 55 | e = env.Clone() 56 | e.Append( 57 | LIBS = Split(base_lib['libs']), 58 | LIBPATH = ['.'], 59 | LINKFLAGS = ['-Wl,-z,defs'], 60 | ) 61 | if base_lib['pc_libs']: 62 | e.ParseConfig(PKG_CONFIG + ' --cflags --libs %s' % base_lib['pc_libs']) 63 | 64 | e.StaticLibrary("libbrillo-%s" % BASE_VER, Split(base_lib['sources'])) 65 | 66 | # Build the pkg-config text file. 67 | 68 | def lib_list(libs): 69 | return ' '.join(['-l' + l for l in libs]) 70 | 71 | subst_dict = { 72 | '@PWD@' : PWD, 73 | '@BSLOT@' : BASE_VER, 74 | '@PRIVATE_PC@' : base_lib['pc_libs'], 75 | } 76 | 77 | env = Environment(tools = ['textfile'], SUBST_DICT = subst_dict) 78 | 79 | env.Substfile('libbrillo-%s.pc' % BASE_VER, 80 | [Value(""" 81 | pkg_dir=@PWD@ 82 | bslot=@BSLOT@ 83 | 84 | Name: libbrillo 85 | Description: chromeos base library 86 | Version: ${bslot} 87 | Requires: libchrome-${bslot} @PRIVATE_PC@ 88 | Libs: -L${pkg_dir} -lbrillo-${bslot} 89 | Cflags: -I${pkg_dir} 90 | """)]) 91 | -------------------------------------------------------------------------------- /extrasrc/build_config.h: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | // This file adds defines about the platform we're currently building on. 6 | // Operating System: 7 | // OS_WIN / OS_MACOSX / OS_LINUX / OS_POSIX (MACOSX or LINUX) 8 | // Compiler: 9 | // COMPILER_MSVC / COMPILER_GCC 10 | // Processor: 11 | // ARCH_CPU_X86 / ARCH_CPU_X86_64 / ARCH_CPU_X86_FAMILY (X86 or X86_64) 12 | // ARCH_CPU_32_BITS / ARCH_CPU_64_BITS 13 | 14 | #ifndef BUILD_BUILD_CONFIG_H_ 15 | #define BUILD_BUILD_CONFIG_H_ 16 | 17 | #if defined(__APPLE__) 18 | #include <TargetConditionals.h> 19 | #endif 20 | 21 | // A set of macros to use for platform detection. 22 | #if defined(__APPLE__) 23 | #define OS_MACOSX 1 24 | #if defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE 25 | #define OS_IOS 1 26 | #endif // defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE 27 | #elif defined(ANDROID) 28 | #define OS_ANDROID 1 29 | #elif defined(__native_client__) 30 | #define OS_NACL 1 31 | #elif defined(__linux__) 32 | #define OS_LINUX 1 33 | // Use TOOLKIT_GTK on linux if TOOLKIT_VIEWS isn't defined. 34 | #if !defined(TOOLKIT_VIEWS) 35 | #define TOOLKIT_GTK 36 | #endif 37 | #elif defined(_WIN32) 38 | #define OS_WIN 1 39 | #define TOOLKIT_VIEWS 1 40 | #elif defined(__FreeBSD__) 41 | #define OS_FREEBSD 1 42 | #define TOOLKIT_GTK 43 | #elif defined(__OpenBSD__) 44 | #define OS_OPENBSD 1 45 | #define TOOLKIT_GTK 46 | #elif defined(__sun) 47 | #define OS_SOLARIS 1 48 | #define TOOLKIT_GTK 49 | #else 50 | #error Please add support for your platform in build/build_config.h 51 | #endif 52 | 53 | #if defined(USE_OPENSSL) && defined(USE_NSS) 54 | #error Cannot use both OpenSSL and NSS 55 | #endif 56 | 57 | // For access to standard BSD features, use OS_BSD instead of a 58 | // more specific macro. 59 | #if defined(OS_FREEBSD) || defined(OS_OPENBSD) 60 | #define OS_BSD 1 61 | #endif 62 | 63 | // For access to standard POSIXish features, use OS_POSIX instead of a 64 | // more specific macro. 65 | #if defined(OS_MACOSX) || defined(OS_LINUX) || defined(OS_FREEBSD) || \ 66 | defined(OS_OPENBSD) || defined(OS_SOLARIS) || defined(OS_ANDROID) || \ 67 | defined(OS_NACL) 68 | #define OS_POSIX 1 69 | #endif 70 | 71 | #if defined(OS_POSIX) && !defined(OS_MACOSX) && !defined(OS_ANDROID) && \ 72 | !defined(OS_NACL) 73 | #define USE_X11 1 // Use X for graphics. 74 | #endif 75 | 76 | // Use tcmalloc 77 | #if (defined(OS_WIN) || defined(OS_LINUX)) && !defined(NO_TCMALLOC) 78 | #define USE_TCMALLOC 1 79 | #endif 80 | 81 | // Compiler detection. 82 | #if defined(__GNUC__) 83 | #define COMPILER_GCC 1 84 | #elif defined(_MSC_VER) 85 | #define COMPILER_MSVC 1 86 | #else 87 | #error Please add support for your compiler in build/build_config.h 88 | #endif 89 | 90 | // Processor architecture detection. For more info on what's defined, see: 91 | // http://msdn.microsoft.com/en-us/library/b0084kay.aspx 92 | // http://www.agner.org/optimize/calling_conventions.pdf 93 | // or with gcc, run: "echo | gcc -E -dM -" 94 | #if defined(_M_X64) || defined(__x86_64__) 95 | #define ARCH_CPU_X86_FAMILY 1 96 | #define ARCH_CPU_X86_64 1 97 | #define ARCH_CPU_64_BITS 1 98 | #define ARCH_CPU_LITTLE_ENDIAN 1 99 | #elif defined(_M_IX86) || defined(__i386__) 100 | #define ARCH_CPU_X86_FAMILY 1 101 | #define ARCH_CPU_X86 1 102 | #define ARCH_CPU_32_BITS 1 103 | #define ARCH_CPU_LITTLE_ENDIAN 1 104 | #elif defined(__ARMEL__) 105 | #define ARCH_CPU_ARM_FAMILY 1 106 | #define ARCH_CPU_ARMEL 1 107 | #define ARCH_CPU_32_BITS 1 108 | #define ARCH_CPU_LITTLE_ENDIAN 1 109 | #elif defined(__pnacl__) 110 | #define ARCH_CPU_32_BITS 1 111 | #elif defined(__MIPSEL__) 112 | #define ARCH_CPU_MIPS_FAMILY 1 113 | #define ARCH_CPU_MIPSEL 1 114 | #define ARCH_CPU_32_BITS 1 115 | #define ARCH_CPU_LITTLE_ENDIAN 1 116 | #else 117 | #error Please add support for your architecture in build/build_config.h 118 | #endif 119 | 120 | // Type detection for wchar_t. 121 | #if defined(OS_WIN) 122 | #define WCHAR_T_IS_UTF16 123 | #elif defined(OS_POSIX) && defined(COMPILER_GCC) && \ 124 | defined(__WCHAR_MAX__) && \ 125 | (__WCHAR_MAX__ == 0x7fffffff || __WCHAR_MAX__ == 0xffffffff) 126 | #define WCHAR_T_IS_UTF32 127 | #elif defined(OS_POSIX) && defined(COMPILER_GCC) && \ 128 | defined(__WCHAR_MAX__) && \ 129 | (__WCHAR_MAX__ == 0x7fff || __WCHAR_MAX__ == 0xffff) 130 | // On Posix, we'll detect short wchar_t, but projects aren't guaranteed to 131 | // compile in this mode (in particular, Chrome doesn't). This is intended for 132 | // other projects using base who manage their own dependencies and make sure 133 | // short wchar works for them. 134 | #define WCHAR_T_IS_UTF16 135 | #else 136 | #error Please add support for your compiler in build/build_config.h 137 | #endif 138 | 139 | #if defined(__ARMEL__) && !defined(OS_IOS) 140 | #define WCHAR_T_IS_UNSIGNED 1 141 | #elif defined(__MIPSEL__) 142 | #define WCHAR_T_IS_UNSIGNED 0 143 | #endif 144 | 145 | #if defined(OS_ANDROID) 146 | // The compiler thinks std::string::const_iterator and "const char*" are 147 | // equivalent types. 148 | #define STD_STRING_ITERATOR_IS_CHAR_POINTER 149 | // The compiler thinks base::string16::const_iterator and "char16*" are 150 | // equivalent types. 151 | #define BASE_STRING16_ITERATOR_IS_CHAR16_POINTER 152 | #endif 153 | 154 | #endif // BUILD_BUILD_CONFIG_H_ 155 | -------------------------------------------------------------------------------- /extrasrc/gtest_prod.h: -------------------------------------------------------------------------------- 1 | #include 2 | -------------------------------------------------------------------------------- /extrasrc/scoped_tss_type.h: -------------------------------------------------------------------------------- 1 | // Copyright (c) 2011 The Chromium OS Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | // Implements a simple framework for scoping TSS values. 6 | // Based on chrome's base/memory/scoped_ptr_malloc implementation. 7 | // 8 | // Example usage: 9 | // ScopedTssContext context_handle; 10 | // TSS_RESULT result; 11 | // if (!OpenAndConnectTpm(context_handle.ptr(), &result)) 12 | // ... 13 | // ScopedTssKey srk(context_handle); 14 | // if (!LoadSrk(context_handle, srk_handle.ptr(), &result)) 15 | // ... 16 | // 17 | // See the bottom of this file for common typedefs. 18 | #ifndef TROUSERS_SCOPED_TSS_TYPE_H_ 19 | #define TROUSERS_SCOPED_TSS_TYPE_H_ 20 | 21 | #ifdef __cplusplus 22 | 23 | #include 24 | 25 | #include 26 | #include 27 | #include 28 | 29 | namespace trousers { 30 | 31 | class ScopedTssContextRelease { 32 | public: 33 | inline void operator()(TSS_HCONTEXT unused, TSS_HCONTEXT context) const { 34 | // Usually, only |context| is used, but if the ScopedTssContext is 35 | // used slightly differently, it may end up with a context in |unused|. 36 | // For now, treat that as a bug. 37 | assert(unused == 0); 38 | if (context) 39 | Tspi_Context_Close(context); 40 | } 41 | }; 42 | 43 | class ScopedTssMemoryRelease { 44 | public: 45 | inline void operator()(TSS_HCONTEXT context, BYTE* memory) const { 46 | // TODO(wad) make the test code friendly for assert()ing context/memory != 0 47 | if (context && memory) 48 | Tspi_Context_FreeMemory(context, memory); 49 | } 50 | }; 51 | 52 | class ScopedTssObjectRelease { 53 | public: 54 | inline void operator()(TSS_HCONTEXT context, TSS_HOBJECT handle) const { 55 | // TODO(wad) make the test code friendly for assert() context/handle != 0 56 | if (context && handle) 57 | Tspi_Context_CloseObject(context, handle); 58 | } 59 | }; 60 | 61 | // Provide a basic scoped container for TSS managed objects. 62 | template 63 | class ScopedTssType { 64 | public: 65 | explicit ScopedTssType(TSS_HCONTEXT c = 0, TssType t = 0) : 66 | context_(c), 67 | type_(t) {} 68 | virtual ~ScopedTssType() { 69 | release_(context_, type_); 70 | } 71 | 72 | // Provide a means to access the value without conversion. 73 | virtual TssType value() { 74 | return type_; 75 | } 76 | 77 | // Allow direct referencing of the wrapped value. 78 | virtual TssType* ptr() { 79 | return &type_; 80 | } 81 | 82 | // Returns the assigned context. 83 | virtual TSS_HCONTEXT context() { 84 | return context_; 85 | } 86 | 87 | virtual TssType release() __attribute__((warn_unused_result)) { 88 | TssType tmp = type_; 89 | type_ = 0; 90 | context_ = 0; 91 | return tmp; 92 | } 93 | 94 | virtual void reset(TSS_HCONTEXT c = 0, TssType t = 0) { 95 | release_(context_, type_); 96 | context_ = c; 97 | type_ = t; 98 | } 99 | 100 | private: 101 | static ReleaseProc const release_; 102 | TSS_HCONTEXT context_; 103 | TssType type_; 104 | }; 105 | 106 | // Wrap ScopedTssObject to allow implicit conversion only when safe. 107 | template 109 | class ScopedTssObject : public ScopedTssType { 110 | public: 111 | // Enforce a context for scoped objects. 112 | explicit ScopedTssObject(TSS_HCONTEXT c, TssType t = 0) {} 113 | virtual ~ScopedTssObject() {} 114 | 115 | // Allow implicit conversion to anything TSS_HOBJECT based. 116 | virtual operator TssType() { 117 | return this->value(); 118 | } 119 | }; 120 | 121 | class ScopedTssContext 122 | : public ScopedTssObject { 123 | public: 124 | // Enforce a context for scoped objects. 125 | explicit ScopedTssContext(TSS_HCONTEXT t = 0) 126 | : ScopedTssObject(0, t) {} 127 | virtual ~ScopedTssContext() {} 128 | }; 129 | 130 | // Provide clear-cut typedefs for the common cases. 131 | typedef ScopedTssType ScopedTssMemory; 132 | 133 | typedef ScopedTssObject ScopedTssKey; 134 | typedef ScopedTssObject ScopedTssPolicy; 135 | typedef ScopedTssObject ScopedTssPcrs; 136 | typedef ScopedTssObject ScopedTssNvStore; 137 | 138 | } // namespace trousers 139 | 140 | #endif // __cplusplus 141 | #endif // TROUSERS_SCOPED_TSS_TYPE_H_ 142 | -------------------------------------------------------------------------------- /makefile: -------------------------------------------------------------------------------- 1 | # Version information 2 | CROS_VERSION=49-7834 3 | CROS_BRANCH=origin/master 4 | CHAPS_VERSION_MAJOR=0 5 | CHAPS_VERSION_MINOR=$(CROS_VERSION) 6 | CHAPS_VERSION=$(CHAPS_VERSION_MAJOR).$(CHAPS_VERSION_MINOR) 7 | DEB_REVISION=1 8 | DEB_VERSION=$(CHAPS_VERSION)-$(DEB_REVISION) 9 | 10 | # The following should match platform2/common-mk/BASE_VER 11 | CHROMEBASE_VER=369476 12 | GMOCK_VERSION=1.8.0 13 | 14 | # Absolute location of the source tree 15 | SRCDIR_REL=chaps-$(CHAPS_VERSION) 16 | SRCDIR=$(CURDIR)/$(SRCDIR_REL) 17 | # Output from Chaps build. 18 | OUTDIR=$(SRCDIR)/out 19 | 20 | # Package signing options 21 | DPKGSIGN ?= --force-sign 22 | 23 | all: version-check build 24 | 25 | version-check: src_generate 26 | @awk '/BASE_VER \?= / {if ($$3 != $(CHROMEBASE_VER)) {exit 1;}}' $(SRCDIR)/platform2/common-mk/common.mk 27 | 28 | ###################################### 29 | # Generate a source tree 30 | src_generate: src_includes src_makefiles src_gmock src_chromebase src_libchromeos src_systemapi src_platform2 src_man src_debian 31 | $(SRCDIR): 32 | mkdir -p $@ 33 | 34 | # Copy across some include files from the build directory 35 | src_includes: $(SRCDIR)/include/build/build_config.h $(SRCDIR)/include/trousers/scoped_tss_type.h $(SRCDIR)/include/testing/gtest/include/gtest/gtest_prod.h $(SRCDIR)/include/leveldb/memenv.h 36 | $(SRCDIR)/include: | $(SRCDIR) 37 | mkdir -p $@ 38 | $(SRCDIR)/include/build: | $(SRCDIR)/include 39 | mkdir -p $@ 40 | $(SRCDIR)/include/trousers: | $(SRCDIR)/include 41 | mkdir -p $@ 42 | $(SRCDIR)/include/leveldb: | $(SRCDIR)/include 43 | mkdir -p $@ 44 | $(SRCDIR)/include/testing/gtest/include/gtest: | $(SRCDIR)/include 45 | mkdir -p $@ 46 | 47 | # Build configuration file for Chromium source code build. 48 | $(SRCDIR)/include/build/build_config.h: extrasrc/build_config.h | $(SRCDIR)/include/build 49 | cp $< $@ 50 | # ChromiumOS's version of Trousers has an additional utility class to allow RAII use 51 | # of TSS types. Include a local copy of this, as Chaps uses it. 52 | $(SRCDIR)/include/trousers/scoped_tss_type.h: extrasrc/scoped_tss_type.h | $(SRCDIR)/include/trousers 53 | cp $< $@ 54 | # Chromium includes . This requires an install of libleveldb-dev that has 55 | # memenv support included; move this into a local leveldb/ subdirectory 56 | $(SRCDIR)/include/leveldb/memenv.h: /usr/include/leveldb/helpers/memenv.h | $(SRCDIR)/include/leveldb 57 | cp $< $@ 58 | # Chromium includes , so have a local copy. 59 | $(SRCDIR)/include/testing/gtest/include/gtest/gtest_prod.h: extrasrc/gtest_prod.h | $(SRCDIR)/include/testing/gtest/include/gtest 60 | cp $< $@ 61 | 62 | 63 | # Copy across some build files from the build directory into source directory. 64 | BUILDFILES=Makefile Sconstruct.libchrome Sconstruct.libchromeos 65 | SRC_BUILDFILES=$(addprefix $(SRCDIR_REL)/, $(BUILDFILES)) 66 | src_makefiles: $(SRC_BUILDFILES) 67 | $(SRCDIR_REL)/Makefile: extrasrc/Makefile | $(SRCDIR) 68 | sed 's/@BASE_VER@/$(CHROMEBASE_VER)/' $< | sed 's/@GMOCK_VER@/$(GMOCK_VERSION)/' |\ 69 | sed 's/@CHAPS_VERSION_MAJOR@/$(CHAPS_VERSION_MAJOR)/' | sed s'/@CHAPS_VERSION_MINOR@/$(CHAPS_VERSION_MINOR)/' >$@ 70 | $(SRCDIR_REL)/Sconstruct.libchrome: extrasrc/Sconstruct.libchrome | $(SRCDIR) 71 | cp $< $@ 72 | $(SRCDIR_REL)/Sconstruct.libchromeos: extrasrc/Sconstruct.libchromeos | $(SRCDIR) 73 | cp $< $@ 74 | 75 | 76 | # Various parts of Chromium include gTest files. To ensure consistency, get a local 77 | # copy of gMock and gTest (rather than picking up whatever version is installed). 78 | GMOCK_URL=https://github.com/google/googletest/archive/release-$(GMOCK_VERSION).zip 79 | GMOCK_DIR=$(SRCDIR)/googletest-release-$(GMOCK_VERSION)/googlemock 80 | GTEST_DIR=$(SRCDIR)/googletest-release-$(GMOCK_VERSION)/googletest 81 | src_gmock: $(GMOCK_DIR)/LICENSE 82 | $(GMOCK_DIR)/LICENSE: | $(SRCDIR) 83 | cd $(SRCDIR) && wget $(GMOCK_URL) 84 | cd $(SRCDIR) && unzip -q release-$(GMOCK_VERSION).zip 85 | rm $(SRCDIR)/release-$(GMOCK_VERSION).zip 86 | touch $@ 87 | 88 | 89 | # Chaps relies on utility code from Chromium base libraries, at: 90 | CHROMEBASE_GIT=https://chromium.googlesource.com/chromium/src/base.git 91 | # The particular version of the Chromium base library required by platforms2/chaps 92 | # is indicated by the BASE_VER value in platform2/common-mk/BASE_VER 93 | # - http://crrev.com/$BASE_VER returns a 302-redirect to the corresponding Git commit 94 | # in the Chromium source code at https://chromium.googlesource.com/chromium/src. 95 | # Call this SHA_A 96 | # - However, this is a commit-ID in the master src.git repository, which is huge. 97 | # We're only interested in code under base/, which gets pulled into a separate 98 | # (smaller) Git repo base.git. 99 | # - Running `git log -n 1 $SHA_A base/` in the full src.git repo gives the SHA1 100 | # for the last commit in src.git that affected base/ and so should also be present 101 | # (as a copy) in base.git. Call this SHA_B. 102 | # - Under base.git, running `git log --grep $SHA_B origin/master` gives the 103 | # corresponding commit in the base.git tree. Call this SHA_C. 104 | # - This $SHA_C hash value from base.git is used here. 105 | CHROMEBASE_COMMIT=e428d62b50cf091c19750cd742c5cead7b1f55c7 106 | src_chromebase: $(SRCDIR)/base/base64.h 107 | $(SRCDIR)/base: | $(SRCDIR) 108 | mkdir -p $@ 109 | $(SRCDIR)/base/base64.h: | $(SRCDIR)/base 110 | git clone $(CHROMEBASE_GIT) $(SRCDIR)/base 111 | cd $(SRCDIR)/base && git checkout $(CHROMEBASE_COMMIT) 112 | 113 | # Chaps relies on utility code from libchromeos, at: 114 | LIBCHROMEOS_GIT=https://android.googlesource.com/platform/external/libchromeos 115 | # TODO(drysdale): figure out which commit/branch/tag of libchromeos goes with current code. 116 | LIBCHROMEOS_COMMIT=origin/master 117 | src_libchromeos: $(SRCDIR)/libchromeos/brillo/secure_blob.cc 118 | $(SRCDIR)/libchromeos: | $(SRCDIR) 119 | mkdir -p $@ 120 | $(SRCDIR)/libchromeos/brillo/secure_blob.cc: | $(SRCDIR)/libchromeos 121 | git clone $(LIBCHROMEOS_GIT) $(SRCDIR)/libchromeos 122 | cd $(SRCDIR)/libchromeos && git checkout $(LIBCHROMEOS_COMMIT) 123 | 124 | # Chaps relies on .proto files from the Chromium/ChromiumOS system API at: 125 | SYSTEMAPI_GIT=https://chromium.googlesource.com/chromiumos/platform/system_api.git 126 | SYSTEMAPI_COMMIT=master 127 | src_systemapi: $(SRCDIR)/system_api/dbus/chaps/ck_structs.proto 128 | $(SRCDIR)/system_api: | $(SRCDIR) 129 | mkdir -p $@ 130 | $(SRCDIR)/system_api/dbus/chaps/ck_structs.proto: | $(SRCDIR)/system_api 131 | git clone $(SYSTEMAPI_GIT) $(SRCDIR)/system_api 132 | cd $(SRCDIR)/system_api && git checkout $(SYSTEMAPI_COMMIT) 133 | 134 | # We only need the chaps/, dbus/ and common-mk/ subdirectories from the platform2 repository from ChromiumOS. 135 | src_platform2: $(SRCDIR)/platform2/chaps/Makefile 136 | $(SRCDIR)/platform2: 137 | mkdir -p $@ 138 | PLATFORM2_GIT=https://chromium.googlesource.com/chromiumos/platform2 139 | PATCHES=$(wildcard $(CURDIR)/patches/platform2/*.patch) 140 | $(SRCDIR)/platform2/chaps/Makefile: | $(SRCDIR)/platform2 141 | cd $(SRCDIR)/platform2 && git init . && git remote add -f origin $(PLATFORM2_GIT) 142 | cd $(SRCDIR)/platform2 && git config core.sparsecheckout true 143 | cd $(SRCDIR)/platform2 && echo "chaps" > .git/info/sparse-checkout 144 | cd $(SRCDIR)/platform2 && echo "common-mk" >> .git/info/sparse-checkout 145 | cd $(SRCDIR)/platform2 && git pull origin master 146 | cd $(SRCDIR)/platform2 && git checkout $(CROS_BRANCH) 147 | cd $(SRCDIR)/platform2 && if [ ! -z "$(PATCHES)" ]; then git am $(PATCHES); fi 148 | 149 | 150 | # Copy man pages 151 | src_man: $(SRCDIR)/man/chapsd.8 $(SRCDIR)/man/chaps_client.8 152 | $(SRCDIR)/man: 153 | mkdir -p $@ 154 | $(SRCDIR)/man/%: man/% | $(SRCDIR)/man 155 | cp $< $@ 156 | 157 | 158 | # Copy Debian packaging files 159 | DEBIAN_MASTER_FILES=$(wildcard debian/* debian/source/*) 160 | DEBIAN_FILES=$(addprefix $(SRCDIR)/,$(DEBIAN_MASTER_FILES)) 161 | src_debian: $(DEBIAN_FILES) 162 | $(SRCDIR)/debian: 163 | mkdir -p $@ 164 | $(SRCDIR)/debian/%: debian/% | $(SRCDIR)/debian 165 | cp $< $@ 166 | $(SRCDIR)/debian/source: 167 | mkdir -p $@ 168 | $(SRCDIR)/debian/source/%: debian/source/% | $(SRCDIR)/debian/source 169 | cp $< $@ 170 | 171 | 172 | ###################################### 173 | # Build/Clean/Test - defer to chaps-/Makefile 174 | build: src_generate 175 | cd $(SRCDIR) && $(MAKE) 176 | clean: src_generate 177 | cd $(SRCDIR) && $(MAKE) clean 178 | test: src_generate 179 | cd $(SRCDIR) && $(MAKE) test 180 | 181 | 182 | ###################################### 183 | # Source tarball 184 | SRC_TARBALL=chaps-$(CHAPS_VERSION).tar.gz 185 | dist: $(SRC_TARBALL) 186 | 187 | $(SRC_TARBALL): src_generate clean 188 | tar --exclude-vcs -czf $@ $(SRCDIR_REL)/base $(SRCDIR_REL)/platform2/chaps $(SRCDIR_REL)/platform2/libchromeos/chromeos $(SRCDIR_REL)/platform2/common-mk $(SRCDIR_REL)/include $(SRCDIR_REL)/gmock-$(GMOCK_VERSION) $(SRC_BUILDFILES) $(SRCDIR_REL)/man 189 | clean_dist: 190 | rm -f $(SRC_TARBALL) 191 | 192 | 193 | ###################################### 194 | # Debian source package: an .orig.tar.gz, a .dsc and a .debian.gz. 195 | src-package: chaps_$(CHAPS_VERSION).orig.tar.gz 196 | cd $(SRCDIR) && dpkg-buildpackage $(DPKGSIGN) -S 197 | src_package: src-package 198 | chaps_$(CHAPS_VERSION).orig.tar.gz: $(SRC_TARBALL) 199 | cp -f $< $@ 200 | 201 | 202 | ###################################### 203 | # Debian binary packages 204 | package: chaps_$(DEB_VERSION)_amd64.deb 205 | chaps_$(DEB_VERSION)_amd64.deb: src_generate 206 | cd $(SRCDIR) && dpkg-buildpackage $(DPKGSIGN) -b 207 | clean_package: 208 | rm -f chaps_$(DEB_VERSION)_amd64.deb libchaps0_$(DEB_VERSION)_amd64.deb 209 | 210 | 211 | ###################################### 212 | # Distclean: remove source and packages 213 | distclean: 214 | rm -rf $(SRCDIR) 215 | rm -f chaps_$(DEB_VERSION)_amd64.deb chaps_$(DEB_VERSION)_amd64.changes 216 | rm -f libchaps$(CHAPS_VERSION_MAJOR)_$(DEB_VERSION)_amd64.deb libchaps$(CHAPS_VERSION_MAJOR)_$(DEB_VERSION)_amd64.changes 217 | rm -f chaps_$(CHAPS_VERSION).orig.tar.gz chaps_$(DEB_VERSION).debian.tar.gz chaps_$(DEB_VERSION)_source.changes chaps_$(DEB_VERSION).dsc 218 | rm -f $(SRC_TARBALL) 219 | -------------------------------------------------------------------------------- /man/chaps_client.8: -------------------------------------------------------------------------------- 1 | .TH CHAPS_CLIENT 8 2014-09-16 "Linux" "Linux Programmer's Manual" 2 | .SH NAME 3 | chaps_client \- controller for Chaps PKCS#11 service daemon 4 | .SH DESCRIPTION 5 | This program allows the administrator to control and configure the Chaps daemon. 6 | .SH OPTIONS 7 | .TP 8 | .B \-\-ping 9 | Check that the Chaps daemon is available. 10 | .TP 11 | .B \-\-list 12 | List all loaded token paths. 13 | .TP 14 | .B \-\-load \-\-path=PATH \-\-auth=AUTH [\-\-label=LABEL] 15 | Loads the token at the given path into the Chaps daemon. 16 | .TP 17 | .B \-\-unload \-\-path=PATH 18 | Unloads the token at the given path from the Chaps daemon. 19 | .TP 20 | .B \-\-change_auth \-\-path=PATH \-\-auth=AUTH \-\-new_auth=NEWAUTH 21 | Changes the authorization data for the token at the given path. 22 | .TP 23 | .B \-\-set_log_level=LEVEL 24 | Set the logging level for the Chaps daemon. The levels are: 25 | .RS 4 26 | .IP 2 4 27 | Errors only. 28 | .IP 1 4 29 | Warnings and errors. 30 | .IP 0 4 31 | Normal. 32 | .IP \-1 4 33 | Verbose (logs PKCS#11 calls). 34 | .IP \-2 4 35 | More verbose (logs PKCS#11 calls and arguments). 36 | .RE 37 | .SH SEE ALSO 38 | .BR chapsd (8) 39 | -------------------------------------------------------------------------------- /man/chapsd.8: -------------------------------------------------------------------------------- 1 | .TH CHAPSD 8 2014-09-16 "Linux" "Linux Programmer's Manual" 2 | .SH NAME 3 | chapsd \- Chaps PKCS#11 service daemon 4 | .SH DESCRIPTION 5 | Chapsd is a daemon that provides core functionality for the Chaps implementation of the PKCS#11 API. 6 | .SH OPTIONS 7 | .TP 8 | .B \-\-auto_load_system_token 9 | Automatically load a system wide PKCS#11 token. 10 | .TP 11 | .B \-\-srk_password=PASSWORD 12 | Use PASSWORD as the password for the TPM's storage root key (SRK). 13 | .TP 14 | .B \-\-srk_zeros=COUNT 15 | Use a sequence of COUNT zeroes as the password for the TPM's storage root key (SRK). 16 | .SH SEE ALSO 17 | .BR chaps_client (8) 18 | -------------------------------------------------------------------------------- /patches/platform2/0001-Update-Makefile-for-moved-code.patch: -------------------------------------------------------------------------------- 1 | From 0f6cf6a8ef654d2968822c21019ec97b44fe7507 Mon Sep 17 00:00:00 2001 2 | From: David Drysdale 3 | Date: Tue, 16 May 2017 13:09:52 +0100 4 | Subject: [PATCH] Update Makefile for moved code 5 | 6 | --- 7 | chaps/Makefile | 24 ++++++++++++++---------- 8 | 1 file changed, 14 insertions(+), 10 deletions(-) 9 | 10 | diff --git a/chaps/Makefile b/chaps/Makefile 11 | index 494c52122c9e..6477fba9c1b9 100644 12 | --- a/chaps/Makefile 13 | +++ b/chaps/Makefile 14 | @@ -58,25 +58,25 @@ DBUS_ADAPTORS_DIR = $(OUT)/chaps/dbus_adaptors 15 | DBUS_PROXIES_DIR = $(OUT)/chaps/dbus_proxies 16 | 17 | # Rules for Generated Code 18 | -$(DBUS_PROXIES_DIR)/chaps_interface.h: $(SRC)/chaps_interface.xml 19 | +$(DBUS_PROXIES_DIR)/org.chromium.Chaps.h: $(SRC)/dbus_bindings/org.chromium.Chaps.xml 20 | mkdir -p $(DBUS_PROXIES_DIR) 21 | $(DBUSXX_XML2CPP) $< --proxy=$@ 22 | -clean: CLEAN($(DBUS_PROXIES_DIR)/chaps_interface.h) 23 | +clean: CLEAN($(DBUS_PROXIES_DIR)/org.chromium.Chaps.h) 24 | 25 | chaps_client.o.depends \ 26 | chaps_proxy.o.depends \ 27 | chapsd_test.o.depends \ 28 | chaps.o.depends \ 29 | chaps_event_generator.o.depends \ 30 | -token_manager_client.o.depends: $(DBUS_PROXIES_DIR)/chaps_interface.h 31 | +token_manager_client.o.depends: $(DBUS_PROXIES_DIR)/org.chromium.Chaps.h 32 | 33 | -$(DBUS_ADAPTORS_DIR)/chaps_interface.h: $(SRC)/chaps_interface.xml 34 | +$(DBUS_ADAPTORS_DIR)/org.chromium.Chaps.h: $(SRC)/dbus_bindings/org.chromium.Chaps.xml 35 | mkdir -p $(DBUS_ADAPTORS_DIR) 36 | $(DBUSXX_XML2CPP) $< --adaptor=$@ 37 | -clean: CLEAN($(DBUS_ADAPTORS_DIR)/chaps_interface.h) 38 | +clean: CLEAN($(DBUS_ADAPTORS_DIR)/org.chromium.Chaps.h) 39 | 40 | chaps_adaptor.o.depends \ 41 | -chapsd.o.depends : $(DBUS_ADAPTORS_DIR)/chaps_interface.h 42 | +chapsd.o.depends : $(DBUS_ADAPTORS_DIR)/org.chromium.Chaps.h 43 | 44 | PROTO_DIR = $(OUT)/chaps/proto_bindings 45 | 46 | @@ -91,8 +91,11 @@ object_pool_impl.o.depends \ 47 | object_pool_test.o.depends \ 48 | attributes.o.depends: $(PROTO_DIR)/attributes.pb.h 49 | 50 | +$(eval $(call add_object_rules,$(PROTO_DIR)/ck_structs.pb.o,CXX,cc,CXXFLAGS)) 51 | + 52 | + 53 | # Common Files 54 | -COMMON_OBJS = chaps_utility.o $(PROTO_DIR)/attributes.pb.o attributes.o 55 | +COMMON_OBJS = chaps_utility.o $(PROTO_DIR)/attributes.pb.o attributes.o $(PROTO_DIR)/ck_structs.pb.o 56 | 57 | # Chaps Daemon 58 | chapsd_OBJS = $(COMMON_OBJS) \ 59 | @@ -113,6 +116,7 @@ chapsd_OBJS = $(COMMON_OBJS) \ 60 | object_policy_secret_key.o \ 61 | object_pool_impl.o \ 62 | platform_globals_$(PLATFORM).o \ 63 | + proto_conversion.o \ 64 | tpm_utility_impl.o \ 65 | chaps_factory_impl.o \ 66 | object_store_impl.o \ 67 | @@ -144,7 +148,7 @@ clean: CLEAN($(OUT)/org.chromium.Chaps.conf) 68 | 69 | # Chaps Client Library 70 | libchaps_OBJS = $(COMMON_OBJS) chaps.o chaps_proxy.o token_manager_client.o \ 71 | - isolate_$(PLATFORM).o 72 | + isolate_$(PLATFORM).o proto_conversion.o 73 | CXX_LIBRARY(libchaps.so): $(libchaps_OBJS) 74 | clean: CLEAN(libchaps.so) 75 | all: CXX_LIBRARY(libchaps.so) 76 | @@ -168,7 +172,7 @@ clean: CLEAN(chaps_client) 77 | all: CXX_BINARY(chaps_client) 78 | 79 | # PKCS #11 Replay Utility 80 | -p11_replay_OBJS = p11_replay.o 81 | +p11_replay_OBJS = p11_replay.o $(PROTO_DIR)/ck_structs.pb.o 82 | CXX_BINARY(p11_replay): $(p11_replay_OBJS) CXX_LIBRARY(libchaps.so) 83 | clean: CLEAN(p11_replay) 84 | all: CXX_BINARY(p11_replay) 85 | @@ -260,7 +264,7 @@ tests: TEST(CXX_BINARY(chaps_test)) 86 | 87 | chaps_service_test_OBJS = $(COMMON_OBJS) $(MOCK_OBJS) \ 88 | chaps_service_test.o chaps_service.o \ 89 | - isolate_$(PLATFORM).o 90 | + isolate_$(PLATFORM).o proto_conversion.o 91 | chaps_service_test_LIBS = $(GMOCK_LIBS) 92 | CXX_BINARY(chaps_service_test): $(chaps_service_test_OBJS) 93 | CXX_BINARY(chaps_service_test): LDLIBS += $(chaps_service_test_LIBS) 94 | -- 95 | 2.13.0.303.g4ebf302169-goog 96 | 97 | --------------------------------------------------------------------------------