func outputPrincipal() { if path := *options.String["program"]; path != "" { subprin, err := makeProgramSubPrin(path) options.FailIf(err, "Can't create program principal") pt := auth.PrinTail{Ext: subprin} fmt.Println(pt) } if path := *options.String["container"]; path != "" { subprin, err := makeContainerSubPrin(path) options.FailIf(err, "Can't create container principal") pt := auth.PrinTail{Ext: subprin} fmt.Println(pt) } if *options.Bool["tpm"] { tpmPath, aikFile, pcrVals := getTPMConfig() prin := makeTPMPrin(tpmPath, aikFile, pcrVals) // In the domain template the host name is in quotes. We need to escape // quote strings in the Principal string so that domain_template.pb gets // parsed correctly. name := strings.Replace(prin.String(), "\"", "\\\"", -1) fmt.Println(name) } if lhpath := *options.String["soft"]; lhpath != "" { if !path.IsAbs(lhpath) { lhpath = path.Join(apps.TaoDomainPath(), lhpath) } k, err := tao.NewOnDiskPBEKeys(tao.Signing, nil, lhpath, nil) options.FailIf(err, "Can't create soft tao keys") fmt.Println(k.VerifyingKey.ToPrincipal()) } }
func hostPath() string { hostPath := *options.String["host"] if hostPath == "" { hostPath = "linux_tao_host" } if !path.IsAbs(hostPath) { hostPath = path.Join(apps.TaoDomainPath(), hostPath) } return hostPath }
func hostPath() string { hostPath := *options.String["host"] if hostPath == "" { // options.Usage("Must supply a -host path") hostPath = "linux_tao_host" } if !path.IsAbs(hostPath) { hostPath = path.Join(apps.TaoDomainPath(), hostPath) } return hostPath }
func Main() { flag.Usage = help verbose.Set(true) // Get options before the command verb flag.Parse() // Get command verb cmd := "help" if flag.NArg() > 0 { cmd = flag.Arg(0) } // Get options after the command verb if flag.NArg() > 1 { flag.CommandLine.Parse(flag.Args()[1:]) } // Load the domain. cpath := path.Join(apps.TaoDomainPath(), "tao.config") domain, err := tao.LoadDomain(cpath, nil) options.FailIf(err, "Can't load domain") // Set $TAO_DOMAIN so it will be inherited by hosted programs os.Unsetenv("TAO_DOMAIN") err = os.Setenv("TAO_DOMAIN", apps.TaoDomainPath()) options.FailIf(err, "Can't set $TAO_DOMAIN") switch cmd { case "help": help() case "init": initHost(domain) case "show": showHost(domain) case "start": startHost(domain) case "stop", "shutdown": stopHost(domain) default: options.Usage("Unrecognized command: %s", cmd) } }
func template() *tao.DomainTemplate { if savedTemplate == nil { configTemplate := *options.String["config_template"] if configTemplate == "" { configTemplate = path.Join(apps.TaoDomainPath(), "domain_template.pb") } savedTemplate = new(tao.DomainTemplate) pbtext, err := ioutil.ReadFile(configTemplate) options.FailIf(err, "Can't read config template. Try -config_template instead?") err = proto.UnmarshalText(string(pbtext), savedTemplate) options.FailIf(err, "Can't parse config template: %s", configTemplate) } return savedTemplate }
func loadHost(domain *tao.Domain, cfg *tao.LinuxHostConfig) (*tao.LinuxHost, error) { var tc tao.Config // Sanity check host type var stacked bool switch cfg.GetType() { case "root": stacked = false case "stacked": stacked = true case "": options.Usage("Must supply -root or -stacked flag") default: options.Usage("Invalid host type: %s", cfg.GetType()) } // Sanity check hosting type hosting := make(map[string]bool) for _, h := range cfg.GetHosting() { switch h { case "process", "docker", "kvm_coreos", "kvm_coreos_linuxhost": hosting[h] = true default: options.Usage("Invalid hosting type: %s", cfg.GetHosting()) } } if len(hosting) == 0 { options.Usage("Must supply -hosting flag") } // For stacked hosts, figure out the channel type: TPM, pipe, file, or unix if stacked { switch cfg.GetParentType() { case "TPM": tc.HostChannelType = "tpm" case "pipe": tc.HostChannelType = "pipe" case "file": tc.HostChannelType = "file" case "unix": tc.HostChannelType = "unix" case "": // leave channel type blank, tao may find it in env vars tc.HostChannelType = "" default: options.Usage("Invalid parent type: %s", cfg.GetParentType()) } // For stacked hosts, we may also have a parent spec from command line tc.HostSpec = cfg.GetParentSpec() // For stacked hosts on a TPM, we may also have tpm info from domain config if domain.Config.TpmInfo != nil { tc.TPMAIKPath = path.Join(apps.TaoDomainPath(), domain.Config.TpmInfo.GetAikPath()) tc.TPMPCRs = domain.Config.TpmInfo.GetPcrs() tc.TPMDevice = domain.Config.TpmInfo.GetTpmPath() } } rulesPath := "" if p := domain.RulesPath(); p != "" { rulesPath = path.Join(apps.TaoDomainPath(), p) } // Create the hosted program factory socketPath := hostPath() if subPath := cfg.GetSocketDir(); subPath != "" { if path.IsAbs(subPath) { socketPath = subPath } else { socketPath = path.Join(socketPath, subPath) } } // TODO(cjpatton) How do the NewLinuxDockerContainterFactory and the // NewLinuxKVMCoreOSHostFactory need to be modified to support the new // CachedGuard? They probably don't. childFactory := make(map[string]tao.HostedProgramFactory) if hosting["process"] { childFactory["process"] = tao.NewLinuxProcessFactory("pipe", socketPath) } if hosting["docker"] { childFactory["docker"] = tao.NewLinuxDockerContainerFactory(socketPath, rulesPath) } if hosting["kvm_coreos"] { // TODO(kwalsh) re-enable this code path in new kvm factory // sshFile := cfg.GetKvmCoreosSshAuthKeys() // if sshFile != "" { // if !path.IsAbs(sshFile) { // sshFile = path.Join(apps.TaoDomainPath(), sshFile) // } // sshKeysCfg, err := io.ReadFile(sshFile) // options.FailIf(err, "Can't read ssh authorized keys") coreOSImage := cfg.GetKvmCoreosImg() if coreOSImage == "" { options.Usage("Must specify -kvm_coreos_image for hosting QEMU/KVM CoreOS") } if !path.IsAbs(coreOSImage) { coreOSImage = path.Join(apps.TaoDomainPath(), coreOSImage) } // TODO(kwalsh) re-enable this code path in new kvm factory // vmMemory := cfg.GetKvmCoreosVmMemory() // if vmMemory == 0 { // vmMemory = 1024 // } var err error childFactory["kvm_coreos"], err = tao.NewKVMCoreOSFactory(coreOSImage, false) options.FailIf(err, "Can't create KVM CoreOS factory") } if hosting["kvm_coreos_linuxhost"] { sshFile := cfg.GetKvmCoreosSshAuthKeys() if sshFile == "" { options.Usage("Must specify -kvm_coreos_ssh_auth_keys for hosting QEMU/KVM CoreOS") } if !path.IsAbs(sshFile) { sshFile = path.Join(apps.TaoDomainPath(), sshFile) } sshKeysCfg, err := tao.CloudConfigFromSSHKeys(sshFile) options.FailIf(err, "Can't read ssh keys") coreOSImage := cfg.GetKvmCoreosImg() if coreOSImage == "" { options.Usage("Must specify -kvm_coreos_image for hosting QEMU/KVM CoreOS") } if !path.IsAbs(coreOSImage) { coreOSImage = path.Join(apps.TaoDomainPath(), coreOSImage) } vmMemory := cfg.GetKvmCoreosVmMemory() if vmMemory == 0 { vmMemory = 1024 } cfg := &tao.CoreOSLinuxhostConfig{ ImageFile: coreOSImage, Memory: int(vmMemory), RulesPath: rulesPath, SSHKeysCfg: sshKeysCfg, } childFactory["kvm_coreos_linuxhost"], err = tao.NewLinuxKVMCoreOSHostFactory(socketPath, cfg) options.FailIf(err, "Can't create KVM CoreOS LinuxHost factory") } if !stacked { pwd := options.Password("root host key password", "pass") return tao.NewRootLinuxHost(hostPath(), domain.Guard, pwd, childFactory) } else { parent := tao.ParentFromConfig(tc) if parent == nil { options.Usage("No host tao available, verify -parent_type (or $%s) and associated variables\n", tao.HostChannelTypeEnvVar) } return tao.NewStackedLinuxHost(hostPath(), domain.Guard, parent, childFactory) } }
func configPath() string { return path.Join(apps.TaoDomainPath(), "tao.config") }