many: add tee-supplicant on arm64/armhf systems#340
many: add tee-supplicant on arm64/armhf systems#340alexclewontin wants to merge 1 commit intocanonical:mainfrom
Conversation
Signed-off-by: Alex Lewontin <alex.lewontin@canonical.com>
| # Adapted from https://github.com/OP-TEE/optee_client/blob/6486773583b5983af8250a47cf07eca938e0e422/tee-supplicant/tee-supplicant%40.service.in | ||
| [Unit] | ||
| DefaultDependencies=no | ||
| BindsTo=dev-teepriv0.device var-lib-optee\x2dclient-data-tee.mount |
There was a problem hiding this comment.
Does it really BindsTo the mount rather than Requires?
Would RequireMountsFor=/var/lib/optee-client/data/tee not work?
| Type=notify | ||
| ExecStartPre=-/usr/sbin/modprobe -v -r tpm_ftpm_tee | ||
| ExecStartPost=-/usr/sbin/modprobe -v tpm_ftpm_tee | ||
| ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID" |
| After=dev-teepriv0.device var-lib-optee\x2dclient-data-tee.mount | ||
|
|
||
| [Service] | ||
| Type=notify |
There was a problem hiding this comment.
I am not sure you should override this one. This is a drop-in. And the original looks like having that set.
There was a problem hiding this comment.
Oh, I see... it comes from the package.
There was a problem hiding this comment.
I would really drop all the configuration that comes from the Debian package. And just take upstream configuration including udev. I do not think the debian package configuration makes much sense.
There was a problem hiding this comment.
Eventually, we should maybe build it ourselves. That is a universe package anyway.
| ExecStartPre=-/usr/sbin/modprobe -v -r tpm_ftpm_tee | ||
| ExecStartPost=-/usr/sbin/modprobe -v tpm_ftpm_tee |
There was a problem hiding this comment.
Not sure why we need that. So you want to remove tpm_ftpm_tee before starting. Then once tee-supplicant has started and sent READY=1, reload the module.
| KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="root", TAG+="systemd" | ||
| KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="root", TAG+="systemd" |
There was a problem hiding this comment.
If group is root, maybe 0600 makes more sense.
| @@ -0,0 +1 @@ | |||
| ../var-lib-optee\x2dclient-data-tee.mount No newline at end of file | |||
|
|
||
| case "$(dpkg --print-architecture)" in | ||
| arm64|armhf) | ||
| PACKAGES+=(tee-supplicant) |
There was a problem hiding this comment.
Maybe one day, we should make a list of all packages that are from universe rather than main.
2 participants
This includes tee-supplicant as a service on arm64/armhf systems. tee-supplicant is primarily responsible for providing Secure Storage to OP-TEE Trusted Applications, and in the context of Ubuntu Core, specifically the https://github.com/OP-TEE/optee_ftpm TA.
It needs to be implemented as a service in the Core snap instead of as a snap app because, in the fTPM case, it needs to be available when snapd seals the encrypted partitions in install mode and our testing has shown that gadget services do not run early enough to guarantee availability. We also played with the concept of systemd's Root Storage Daemons but unfortunately while we can cause the service to survive the initial switchroot killing spree, the second instance of systemd kills it on deserialization as the unit file is no longer there.
This PR adds about 24KB to the compressed size of the arm64 core snap (potentially less with the chiseling done in #225, I also have slice yaml files available for these packages!). It will not affect architectures other than arm64/armhf.
It is architected so as to not change the running behavior of systems that do not explicitly enable it by passing a data directory from the initrd mounted at /run/mnt/tee-data (see canonical/snapd#15296 for corresponding changes to the core-initrd tooling).