Record container data to the TPM event log at startup

We can store certain pieces of container configuration in the TPM event log for later audit purposes. For now let's stash the hash of the root FS, the manifest and the arguments passed to stage 1.
mjg59 · Nov 21, 2015 · 73ab334 · 73ab334
1 parent 61ce4d8
commit 73ab334
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 12 deletions.
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/Godeps/_workspace/src/github.com/coreos/go-tspi/attestation/attestation.go b/Godeps/_workspace/src/github.com/coreos/go-tspi/attestation/attestation.go
diff --git a/Godeps/_workspace/src/github.com/coreos/go-tspi/tpmclient/tpmclient.go b/Godeps/_workspace/src/github.com/coreos/go-tspi/tpmclient/tpmclient.go
diff --git a/Godeps/_workspace/src/github.com/coreos/go-tspi/tspi/tpm.go b/Godeps/_workspace/src/github.com/coreos/go-tspi/tspi/tpm.go
diff --git a/pkg/tpm/tpm.go b/pkg/tpm/tpm.go
@@ -0,0 +1,26 @@
+// Copyright 2015 CoreOS, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// +build tpm
+
+package tpm
+
+import (
+	"github.com/coreos/rkt/Godeps/_workspace/src/github.com/coreos/go-tspi/tpmclient"
+)
+
+func Extend(desription string) error {
+	connection := tpmclient.New("localhost:12041")
+	err := connection.Extend(15, 0x1000, nil, description)
+	return err
+}
diff --git a/pkg/tpm/tpm_stub.go b/pkg/tpm/tpm_stub.go
@@ -0,0 +1,21 @@
+// Copyright 2015 CoreOS, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !tpm
+
+package tpm
+
+func Extend(description string) error {
+	return nil
+}
diff --git a/stage0/run.go b/stage0/run.go
@@ -45,6 +45,7 @@ import (
 	"github.com/coreos/rkt/pkg/fileutil"
 	"github.com/coreos/rkt/pkg/label"
 	"github.com/coreos/rkt/pkg/sys"
+	"github.com/coreos/rkt/pkg/tpm"
 	"github.com/coreos/rkt/pkg/uid"
 	"github.com/coreos/rkt/store"
 	"github.com/coreos/rkt/version"
@@ -92,6 +93,8 @@ type CommonConfig struct {
 	Store        *store.Store // store containing all of the configured application images
 	Stage1Image  types.Hash   // stage1 image containing usable /init and /enter entrypoints
 	UUID         *types.UUID  // UUID of the pod
+	RootHash     string       // Hash of the root filesystem
+	ManifestData string       // The pod manifest data
 	Debug        bool
 	MountLabel   string // selinux label to use for fs
 	ProcessLabel string // selinux label to use for process
@@ -308,6 +311,8 @@ func Prepare(cfg PrepareConfig, dir string, uuid *types.UUID) error {
 		return err
 	}
 
+	cfg.CommonConfig.ManifestData = string(pmb)
+
 	debug("Writing pod manifest")
 	fn := common.PodManifestPath(dir)
 	if err := ioutil.WriteFile(fn, pmb, defaultRegularFilePerm); err != nil {
@@ -452,6 +457,8 @@ func Run(cfg RunConfig, dir string, dataDir string) {
 		log.Fatalf("error clearing FD_CLOEXEC on lock fd")
 	}
 
+	tpmevent := fmt.Sprintf("rkt: Rootfs: %s Manifest: %s Stage 1 args: %s", cfg.CommonConfig.RootHash, cfg.CommonConfig.ManifestData, strings.Join(args, " "))
+	tpm.Extend(tpmevent)
 	if err := syscall.Exec(args[0], args, os.Environ()); err != nil {
 		log.Fatalf("error execing init: %v", err)
 	}
@@ -492,14 +499,18 @@ func prepareAppImage(cfg PrepareConfig, appName types.ACName, img types.Hash, cd
 		if err != nil {
 			return fmt.Errorf("error rendering tree image: %v", err)
 		}
-		if _, err := cfg.Store.CheckTreeStore(treeStoreID); err != nil {
+		hash, err := cfg.Store.CheckTreeStore(treeStoreID)
+		if err != nil {
 			log.Printf("Warning: tree cache is in a bad state: %v. Rebuilding...", err)
 			var err error
-			if treeStoreID, _, err = cfg.Store.RenderTreeStore(img.String(), true); err != nil {
+			treeStoreID, hash, err = cfg.Store.RenderTreeStore(img.String(), true)
+			if err != nil {
 				return fmt.Errorf("error rendering tree image: %v", err)
 			}
 		}
 
+		cfg.CommonConfig.RootHash = hash
+
 		if err := ioutil.WriteFile(common.AppTreeStoreIDPath(cdir, appName), []byte(treeStoreID), defaultRegularFilePerm); err != nil {
 			return fmt.Errorf("error writing app treeStoreID: %v", err)
 		}
@@ -567,14 +578,18 @@ func prepareStage1Image(cfg PrepareConfig, img types.Hash, cdir string, useOverl
 	if err != nil {
 		return fmt.Errorf("error rendering tree image: %v", err)
 	}
-	if _, err := cfg.Store.CheckTreeStore(treeStoreID); err != nil {
+	hash, err := cfg.Store.CheckTreeStore(treeStoreID)
+	if err != nil {
 		log.Printf("Warning: tree cache is in a bad state: %v. Rebuilding...", err)
 		var err error
-		if treeStoreID, _, err = cfg.Store.RenderTreeStore(img.String(), true); err != nil {
+		treeStoreID, hash, err = cfg.Store.RenderTreeStore(img.String(), true)
+		if err != nil {
 			return fmt.Errorf("error rendering tree image: %v", err)
 		}
 	}
 
+	cfg.CommonConfig.RootHash = hash
+
 	if err := writeManifest(*cfg.CommonConfig, img, s1); err != nil {
 		return fmt.Errorf("error writing manifest: %v", err)
 	}