Create attestation-based data if there is no stable device secret |
Issue description

Description: When there is no stable device secret on the device, use other characteristics of the device to generate the attestation-based data needed to compute enrollment identifiers.

Use case: This will allow Auto Re-Enrollment (Auto RE) to work for devices that do not have a stable device secret (e.g. samus and others).

Motivation: Allow every Chrome OS device to use Auto RE.

Existing workarounds: Remove the device write protection and generate a stable device secret. So, practically, nothing an admin would do for Auto RE.
May 24 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/4a25d627ce6310fefb40325eb42ba705d9323233

commit 4a25d627ce6310fefb40325eb42ba705d9323233
Author: Yves Arrouye <drcrash@google.com>
Date: Thu May 24 07:23:17 2018

cryptohome, attestation: Generate attestation-based data as needed.

If there is no device stable secret, use other data (SN and RLZ code) to generate attestation-based data.

Use get_vpd_value to read the VPD. Note that as a side effect of using get_vpd_value we now allow the device stable secret to be in the RW VPD, but that is okay. Also get_vpd_value adds a trailing newline that the vpd command does not have.

To test, deploy on devices with the following properties, before the device is owned:

1. A stable secret in the RO VPD, e.g. a device where:
   # vpd -g device_stable_secret_DO_NOT_SHARE
   returns a value (64 hex characters).
2. No stable secret (e.g. the command in 1 returns an empty string). On that device, write a secret in the RW VPD and reboot:
   # vpd -i RW_VPD -s device_stable_secret_DO_NOT_SHARE=$(openssl rand -hex 32) && reboot
3. No stable secret. Just do not generate one.

Test by enrolling each device with the PCA and requesting an enrollment certificate. Obtention of that certificate means that the secret was properly read. Because this is cryptohomed, you will need a device with a TPM 1.2 (e.g. a veyron_minnie or samus, not an eve or gru etc.).

Initialize:
# cryptohome --action=tpm_take_ownership
# cryptohome --action=tpm_clear_stored_password

Wait until there is no owner password shown when asking for status, e.g.:
# cryptohome --action=tpm_more_status
[cryptohome.GetTpmStatusReply.reply] {
  enabled: true
  owned: true
  initialized: true
  attestation_prepared: true
  attestation_enrolled: true
  dictionary_attack_counter: 0
  dictionary_attack_threshold: 10
  dictionary_attack_lockout_in_effect: false
  dictionary_attack_lockout_seconds_remaining: 0
  install_lockbox_finalized: false
  boot_lockbox_finalized: false
  verified_boot_measured: false
}
GetTpmStatus success.

Then enroll:
# cryptohome --action=tpm_attestation_start_enroll \
    --output=/tmp/enroll3552_request
# curl -s -H "Content-Type: application/octet-stream" \
    --data-binary @/tmp/enroll3552_request \
    -o /tmp/enroll3552_response https://chromeos-ca.gstatic.com/enroll
# cryptohome --action=tpm_attestation_finish_enroll \
    --input=/tmp/enroll3552_response --output=/tmp/enroll3552_result
# rm /tmp/enroll3552_*

Then request an enrollment certificate:
# cryptohome --action=tpm_attestation_start_cert_request \
    --profile=enrollment --output=/tmp/cert4990_request
# curl -s -H "Content-Type: application/octet-stream" \
    --data-binary @/tmp/cert4990_request \
    -o /tmp/cert4990_response https://chromeos-ca.gstatic.com/sign
# cryptohome --action=tpm_attestation_finish_cert_request \
    --name=attest-4990-enrollment --input=/tmp/cert4990_response \
    --output=/tmp/cert4990_result
# cat /tmp/cert4990_result && echo -----BEGIN CERTIFICATE-----

If the last cryptohome gives an error, this is not working.

BUG=chromium:835324
TEST=See detailed steps above.

Change-Id: If542268583dba12589bca361d953f12770711130
Reviewed-on: https://chromium-review.googlesource.com/1022078
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/4a25d627ce6310fefb40325eb42ba705d9323233/cryptohome/init/cryptohomed.conf
[modify] https://crrev.com/4a25d627ce6310fefb40325eb42ba705d9323233/attestation/server/attestationd.conf
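The commit message above describes two behaviours worth seeing side by side: the fallback from the device stable secret to SN-plus-RLZ-derived data, and the trailing newline that get_vpd_value emits and the vpd command does not. The script below is an added illustration of that logic, not cryptohome's code from the CL. It emulates the VPD with a constructed key=value file and a fake get_vpd_value, and the derivation (SHA-256 over a domain separator, the serial number and the RLZ brand code) is this example's own choice; the VPD key names serial_number and rlz_brand_code are assumed, only device_stable_secret_DO_NOT_SHARE comes from the page.

```shell
#!/bin/sh
# Added example (not cryptohome's implementation): pick the attestation-based
# data from a VPD source, preferring the device stable secret and falling back
# to a hash over the serial number and RLZ brand code when no secret exists.
# The VPD is emulated by a "key=value" file so this runs on any Linux host.

# Emulates get_vpd_value: prints the value of KEY ($2) from the constructed
# VPD file ($1) followed by a trailing newline, as the real helper does.
fake_get_vpd_value() {
  sed -n "s/^$2=//p" "$1"
}

# Reads KEY and strips the trailing newline that get_vpd_value adds and the
# vpd command does not, so callers see exactly the stored bytes.
read_vpd() {
  printf '%s' "$(fake_get_vpd_value "$1" "$2")"
}

# Prints 64 hex characters: the stored secret if present, otherwise SHA-256
# over the SN and RLZ code. The domain separator and field order are this
# example's (hypothetical) choices, not cryptohome's. Returns 1 when neither
# a secret nor the fallback inputs are available.
attestation_based_data() {
  vpd_file=$1
  secret=$(read_vpd "$vpd_file" device_stable_secret_DO_NOT_SHARE)
  if [ -n "$secret" ]; then
    printf '%s' "$secret"
    return 0
  fi
  sn=$(read_vpd "$vpd_file" serial_number)      # assumed VPD key name
  rlz=$(read_vpd "$vpd_file" rlz_brand_code)    # assumed VPD key name
  if [ -z "$sn" ] || [ -z "$rlz" ]; then
    echo "no stable secret and no SN/RLZ to derive from" >&2
    return 1
  fi
  digest=$(printf 'attestation-based-data|%s|%s' "$sn" "$rlz" | sha256sum | cut -c1-64)
  printf '%s' "$digest"
}

# Builds a constructed VPD file for the device states in the commit message:
# "secret" (a 64-hex secret is stored), "none" (only SN and RLZ present),
# "none_other" (a different SN) and "empty" (nothing to derive from).
make_vpd_fixture() {
  f=$(mktemp)
  case $1 in
    secret)
      printf 'serial_number=SN-CONSTRUCTED-0001\nrlz_brand_code=ZZCR\n' > "$f"
      printf 'device_stable_secret_DO_NOT_SHARE=%s\n' \
        00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff >> "$f" ;;
    none)
      printf 'serial_number=SN-CONSTRUCTED-0001\nrlz_brand_code=ZZCR\n' > "$f" ;;
    none_other)
      printf 'serial_number=SN-CONSTRUCTED-0002\nrlz_brand_code=ZZCR\n' > "$f" ;;
    empty)
      : > "$f" ;;
  esac
  printf '%s' "$f"
}

# Stand-alone demo: show the newline difference and the three outcomes.
if [ "${0##*/}" = "attestation_based_data.sh" ]; then
  v=$(make_vpd_fixture none)
  echo "get_vpd_value bytes: $(fake_get_vpd_value "$v" serial_number | wc -c)"
  echo "read_vpd bytes:      $(read_vpd "$v" serial_number | wc -c)"
  for state in secret none empty; do
    f=$(make_vpd_fixture "$state")
    echo "$state: $(attestation_based_data "$f" 2>/dev/null || echo '<error>')"
  done
fi
```

The SN and RLZ code are readable by anyone with the device, so the fallback value is a stable identifier rather than a secret; that is what Auto RE needs, but it is also why the script, like the CL, only uses it when the real device stable secret is absent.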
May 30 2018
May 31 2018
Jun 4 2018
Comment 1 by drcrash@chromium.org, May 7 2018