func outputPrincipal() {
if path := *options.String["program"]; path != "" {
subprin, err := makeProgramSubPrin(path)
options.FailIf(err, "Can't create program principal")
pt := auth.PrinTail{Ext: subprin}
fmt.Println(pt)
}
if path := *options.String["container"]; path != "" {
subprin, err := makeContainerSubPrin(path)
options.FailIf(err, "Can't create container principal")
pt := auth.PrinTail{Ext: subprin}
fmt.Println(pt)
}
if *options.Bool["tpm"] {
tpmPath, aikFile, pcrVals := getTPMConfig()
prin := makeTPMPrin(tpmPath, aikFile, pcrVals)
// In the domain template the host name is in quotes. We need to escape
// quote strings in the Principal string so that domain_template.pb gets
// parsed correctly.
name := strings.Replace(prin.String(), "\"", "\\\"", -1)
fmt.Println(name)
}
if lhpath := *options.String["soft"]; lhpath != "" {
if !path.IsAbs(lhpath) {
lhpath = path.Join(apps.TaoDomainPath(), lhpath)
}
k, err := tao.NewOnDiskPBEKeys(tao.Signing, nil, lhpath, nil)
options.FailIf(err, "Can't create soft tao keys")
fmt.Println(k.VerifyingKey.ToPrincipal())
}
}
func hostPath() string {
hostPath := *options.String["host"]
if hostPath == "" {
hostPath = "linux_tao_host"
}
if !path.IsAbs(hostPath) {
hostPath = path.Join(apps.TaoDomainPath(), hostPath)
}
return hostPath
}
func hostPath() string {
hostPath := *options.String["host"]
if hostPath == "" {
// options.Usage("Must supply a -host path")
hostPath = "linux_tao_host"
}
if !path.IsAbs(hostPath) {
hostPath = path.Join(apps.TaoDomainPath(), hostPath)
}
return hostPath
}
func Main() {
flag.Usage = help
verbose.Set(true)
// Get options before the command verb
flag.Parse()
// Get command verb
cmd := "help"
if flag.NArg() > 0 {
cmd = flag.Arg(0)
}
// Get options after the command verb
if flag.NArg() > 1 {
flag.CommandLine.Parse(flag.Args()[1:])
}
// Load the domain.
cpath := path.Join(apps.TaoDomainPath(), "tao.config")
domain, err := tao.LoadDomain(cpath, nil)
options.FailIf(err, "Can't load domain")
// Set $TAO_DOMAIN so it will be inherited by hosted programs
os.Unsetenv("TAO_DOMAIN")
err = os.Setenv("TAO_DOMAIN", apps.TaoDomainPath())
options.FailIf(err, "Can't set $TAO_DOMAIN")
switch cmd {
case "help":
help()
case "init":
initHost(domain)
case "show":
showHost(domain)
case "start":
startHost(domain)
case "stop", "shutdown":
stopHost(domain)
default:
options.Usage("Unrecognized command: %s", cmd)
}
}
func template() *tao.DomainTemplate {
if savedTemplate == nil {
configTemplate := *options.String["config_template"]
if configTemplate == "" {
configTemplate = path.Join(apps.TaoDomainPath(), "domain_template.pb")
}
savedTemplate = new(tao.DomainTemplate)
pbtext, err := ioutil.ReadFile(configTemplate)
options.FailIf(err, "Can't read config template. Try -config_template instead?")
err = proto.UnmarshalText(string(pbtext), savedTemplate)
options.FailIf(err, "Can't parse config template: %s", configTemplate)
}
return savedTemplate
}
func loadHost(domain *tao.Domain, cfg *tao.LinuxHostConfig) (*tao.LinuxHost, error) {
var tc tao.Config
// Sanity check host type
var stacked bool
switch cfg.GetType() {
case "root":
stacked = false
case "stacked":
stacked = true
case "":
options.Usage("Must supply -root or -stacked flag")
default:
options.Usage("Invalid host type: %s", cfg.GetType())
}
// Sanity check hosting type
hosting := make(map[string]bool)
for _, h := range cfg.GetHosting() {
switch h {
case "process", "docker", "kvm_coreos", "kvm_coreos_linuxhost":
hosting[h] = true
default:
options.Usage("Invalid hosting type: %s", cfg.GetHosting())
}
}
if len(hosting) == 0 {
options.Usage("Must supply -hosting flag")
}
// For stacked hosts, figure out the channel type: TPM, pipe, file, or unix
if stacked {
switch cfg.GetParentType() {
case "TPM":
tc.HostChannelType = "tpm"
case "pipe":
tc.HostChannelType = "pipe"
case "file":
tc.HostChannelType = "file"
case "unix":
tc.HostChannelType = "unix"
case "":
// leave channel type blank, tao may find it in env vars
tc.HostChannelType = ""
default:
options.Usage("Invalid parent type: %s", cfg.GetParentType())
}
// For stacked hosts, we may also have a parent spec from command line
tc.HostSpec = cfg.GetParentSpec()
// For stacked hosts on a TPM, we may also have tpm info from domain config
if domain.Config.TpmInfo != nil {
tc.TPMAIKPath = path.Join(apps.TaoDomainPath(), domain.Config.TpmInfo.GetAikPath())
tc.TPMPCRs = domain.Config.TpmInfo.GetPcrs()
tc.TPMDevice = domain.Config.TpmInfo.GetTpmPath()
}
}
rulesPath := ""
if p := domain.RulesPath(); p != "" {
rulesPath = path.Join(apps.TaoDomainPath(), p)
}
// Create the hosted program factory
socketPath := hostPath()
if subPath := cfg.GetSocketDir(); subPath != "" {
if path.IsAbs(subPath) {
socketPath = subPath
} else {
socketPath = path.Join(socketPath, subPath)
}
}
// TODO(cjpatton) How do the NewLinuxDockerContainterFactory and the
// NewLinuxKVMCoreOSHostFactory need to be modified to support the new
// CachedGuard? They probably don't.
childFactory := make(map[string]tao.HostedProgramFactory)
if hosting["process"] {
childFactory["process"] = tao.NewLinuxProcessFactory("pipe", socketPath)
}
if hosting["docker"] {
childFactory["docker"] = tao.NewLinuxDockerContainerFactory(socketPath, rulesPath)
}
if hosting["kvm_coreos"] {
// TODO(kwalsh) re-enable this code path in new kvm factory
// sshFile := cfg.GetKvmCoreosSshAuthKeys()
// if sshFile != "" {
// if !path.IsAbs(sshFile) {
// sshFile = path.Join(apps.TaoDomainPath(), sshFile)
// }
// sshKeysCfg, err := io.ReadFile(sshFile)
// options.FailIf(err, "Can't read ssh authorized keys")
coreOSImage := cfg.GetKvmCoreosImg()
if coreOSImage == "" {
options.Usage("Must specify -kvm_coreos_image for hosting QEMU/KVM CoreOS")
}
if !path.IsAbs(coreOSImage) {
coreOSImage = path.Join(apps.TaoDomainPath(), coreOSImage)
}
// TODO(kwalsh) re-enable this code path in new kvm factory
// vmMemory := cfg.GetKvmCoreosVmMemory()
// if vmMemory == 0 {
// vmMemory = 1024
// }
var err error
childFactory["kvm_coreos"], err = tao.NewKVMCoreOSFactory(coreOSImage, false)
options.FailIf(err, "Can't create KVM CoreOS factory")
}
if hosting["kvm_coreos_linuxhost"] {
sshFile := cfg.GetKvmCoreosSshAuthKeys()
if sshFile == "" {
options.Usage("Must specify -kvm_coreos_ssh_auth_keys for hosting QEMU/KVM CoreOS")
}
if !path.IsAbs(sshFile) {
sshFile = path.Join(apps.TaoDomainPath(), sshFile)
}
sshKeysCfg, err := tao.CloudConfigFromSSHKeys(sshFile)
options.FailIf(err, "Can't read ssh keys")
coreOSImage := cfg.GetKvmCoreosImg()
if coreOSImage == "" {
options.Usage("Must specify -kvm_coreos_image for hosting QEMU/KVM CoreOS")
}
if !path.IsAbs(coreOSImage) {
coreOSImage = path.Join(apps.TaoDomainPath(), coreOSImage)
}
vmMemory := cfg.GetKvmCoreosVmMemory()
if vmMemory == 0 {
vmMemory = 1024
}
cfg := &tao.CoreOSLinuxhostConfig{
ImageFile: coreOSImage,
Memory: int(vmMemory),
RulesPath: rulesPath,
SSHKeysCfg: sshKeysCfg,
}
childFactory["kvm_coreos_linuxhost"], err = tao.NewLinuxKVMCoreOSHostFactory(socketPath, cfg)
options.FailIf(err, "Can't create KVM CoreOS LinuxHost factory")
}
if !stacked {
pwd := options.Password("root host key password", "pass")
return tao.NewRootLinuxHost(hostPath(), domain.Guard, pwd, childFactory)
} else {
parent := tao.ParentFromConfig(tc)
if parent == nil {
options.Usage("No host tao available, verify -parent_type (or $%s) and associated variables\n", tao.HostChannelTypeEnvVar)
}
return tao.NewStackedLinuxHost(hostPath(), domain.Guard, parent, childFactory)
}
}
func configPath() string {
return path.Join(apps.TaoDomainPath(), "tao.config")
}