From e3a9d7b41843e2fb4395115dc3f3c675b6d073d2 Mon Sep 17 00:00:00 2001
From: Alex Lewontin
Date: Wed, 28 May 2025 15:04:22 +0000
Subject: [PATCH] many: add tee-supplicant on arm64/armhf systems

Signed-off-by: Alex Lewontin
---
hooks/001-extra-packages.chroot | 6 ++++++
hooks/020-extra-files.chroot | 7 +++++++
static/usr/lib/core/remount-core-fs | 1 +
.../usr/lib/systemd/system/core.start-snapd.service | 4 ++--
.../tee-supplicant.service.d/core-override.conf | 12 ++++++++++++
.../var-lib-optee\\x2dclient-data-tee.mount" | 1 +
.../system/var-lib-optee\\x2dclient-data-tee.mount" | 9 +++++++++
static/usr/lib/udev/rules.d/99-optee.rules | 5 +++++
8 files changed, 43 insertions(+), 2 deletions(-)
create mode 100644 static/usr/lib/systemd/system/tee-supplicant.service.d/core-override.conf
create mode 120000 "static/usr/lib/systemd/system/tee-supplicant.service.requires/var-lib-optee\\x2dclient-data-tee.mount"
create mode 100644 "static/usr/lib/systemd/system/var-lib-optee\\x2dclient-data-tee.mount"
create mode 100644 static/usr/lib/udev/rules.d/99-optee.rules

diff --git a/hooks/001-extra-packages.chroot b/hooks/001-extra-packages.chroot
index 358d6317..b01875f6 100755
--- a/hooks/001-extra-packages.chroot
+++ b/hooks/001-extra-packages.chroot
@@ -244,6 +244,12 @@ case "$(dpkg --print-architecture)" in
 ;;
 esac
 
+case "$(dpkg --print-architecture)" in
+arm64|armhf)
+PACKAGES+=(tee-supplicant)
+;;
+esac
+
 if [[ ${SNAP_FIPS_BUILD+x} ]]; then
 # Ensure vital crypt packages are refreshed / downgraded and downloaded
 # from the FIPS ppa. This should also contain openssh-server, but we already
diff --git a/hooks/020-extra-files.chroot b/hooks/020-extra-files.chroot
index 0f599efb..1eed449a 100755
--- a/hooks/020-extra-files.chroot
+++ b/hooks/020-extra-files.chroot
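Review bot: The new `case "$(dpkg --print-architecture)"` block sits directly after an existing `case` on the same expression, so the architecture is queried twice and two switch blocks now have to be kept in sync; an `arm64|armhf)` arm in the preceding `case` (its other arms are outside the hunk) or a single `arch=$(dpkg --print-architecture)` captured once would read better. A one-line why-comment would also help a later reader, e.g. `# tee-supplicant is the normal-world half of OP-TEE; only the ARM targets carry a TEE`. Note that the systemd units and udev rule this series adds under static/ appear to be installed on every architecture, so only the package itself is gated here.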
@@ -40,6 +40,13 @@ mkdir -p /var/lib/waagent
 
 echo "console-conf directories"
 mkdir -p /var/lib/console-conf
 
+case "$(dpkg --print-architecture)" in
+arm64|armhf)
+echo "op-tee secure storage dir"
+mkdir -p /var/lib/optee-client/data/tee
+;;
+esac
+
 echo "ensure snapctl is available"
 ln -s ../lib/snapd/snapctl /usr/bin/snapctl
diff --git a/static/usr/lib/core/remount-core-fs b/static/usr/lib/core/remount-core-fs
index ac5ac4aa..db022fbc 100755
--- a/static/usr/lib/core/remount-core-fs
+++ b/static/usr/lib/core/remount-core-fs
@@ -10,6 +10,7 @@ FILESYSTEMS=(
 /run/mnt/ubuntu-save
 /run/mnt/ubuntu-seed
 /writable
+/run/mnt/tee-data
 )
 
 for fs in "${FILESYSTEMS[@]}"; do
diff --git a/static/usr/lib/systemd/system/core.start-snapd.service b/static/usr/lib/systemd/system/core.start-snapd.service
index b94aa4f7..d00a4bf4 100644
--- a/static/usr/lib/systemd/system/core.start-snapd.service
+++ b/static/usr/lib/systemd/system/core.start-snapd.service
@@ -1,8 +1,8 @@
 [Unit]
 Description=Start the snapd services from the snapd snap
 RequiresMountsFor=/run
-Wants=secureboot-db.service
-After=secureboot-db.service
+Wants=secureboot-db.service tee-supplicant.service
+After=secureboot-db.service tee-supplicant.service
 
 [Service]
 ExecStart=/usr/lib/core/run-snapd-from-snap start
diff --git a/static/usr/lib/systemd/system/tee-supplicant.service.d/core-override.conf b/static/usr/lib/systemd/system/tee-supplicant.service.d/core-override.conf
new file mode 100644
index 00000000..d6aaf9bd
--- /dev/null
+++ b/static/usr/lib/systemd/system/tee-supplicant.service.d/core-override.conf
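Review bot: `mkdir -p /var/lib/optee-client/data/tee` leaves the secure-storage mount point with umask-derived permissions; the directory is presumably where OP-TEE REE-FS objects land (encrypted by the TEE, but still nothing that should be world-listable), so `mkdir -p -m 0700 /var/lib/optee-client/data/tee` is the safer default and costs nothing. The new mount unit bind-mounts /run/mnt/tee-data over this path, so the mode only governs what is visible underneath when that mount is absent. The enclosing script continues outside the hunk.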
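Review bot: `/run/mnt/tee-data` is the only entry in FILESYSTEMS that is optional — the new var-lib-optee\x2dclient-data-tee.mount unit guards it with ConditionPathIsMountPoint= — and the `for fs in "${FILESYSTEMS[@]}"` loop that consumes the list has its body outside the hunk. If that loop remounts each path unconditionally, images without a tee-data partition will log a failure for this entry; either skip absent entries with `mountpoint -q -- "$fs" || continue` at the top of the loop, or at least mark the entry, e.g. `/run/mnt/tee-data # optional: only present on images with a TEE data partition`.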
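Review bot: The new `Wants=`/`After=` on tee-supplicant.service carries no comment, and the unit it names only exists on arm64/armhf images (the package is gated in hooks/001-extra-packages.chroot while this file ships under static/ for every architecture). systemd tolerates a `Wants=` on a unit that does not exist, but the intent deserves a line, e.g. `# tee-supplicant is arm64/armhf-only (absent elsewhere, which Wants= tolerates); its ExecStartPost loads tpm_ftpm_tee, presumably so snapd sees the fTPM before it starts`. The fTPM motivation is inferred from the modprobe lines in the supplicant drop-in and should be confirmed before it goes into the comment.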
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: BSD-2-Clause
+# Adapted from https://github.com/OP-TEE/optee_client/blob/6486773583b5983af8250a47cf07eca938e0e422/tee-supplicant/tee-supplicant%40.service.in
+[Unit]
+DefaultDependencies=no
+BindsTo=dev-teepriv0.device var-lib-optee\x2dclient-data-tee.mount
+After=dev-teepriv0.device var-lib-optee\x2dclient-data-tee.mount
+
+[Service]
+Type=notify
+ExecStartPre=-/usr/sbin/modprobe -v -r tpm_ftpm_tee
+ExecStartPost=-/usr/sbin/modprobe -v tpm_ftpm_tee
+ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"
diff --git "a/static/usr/lib/systemd/system/tee-supplicant.service.requires/var-lib-optee\\x2dclient-data-tee.mount" "b/static/usr/lib/systemd/system/tee-supplicant.service.requires/var-lib-optee\\x2dclient-data-tee.mount"
new file mode 120000
index 00000000..918fae2f
--- /dev/null
+++ "b/static/usr/lib/systemd/system/tee-supplicant.service.requires/var-lib-optee\\x2dclient-data-tee.mount"
@@ -0,0 +1 @@
+../var-lib-optee\x2dclient-data-tee.mount
\ No newline at end of file
diff --git "a/static/usr/lib/systemd/system/var-lib-optee\\x2dclient-data-tee.mount" "b/static/usr/lib/systemd/system/var-lib-optee\\x2dclient-data-tee.mount"
new file mode 100644
index 00000000..a3b2642d
--- /dev/null
+++ "b/static/usr/lib/systemd/system/var-lib-optee\\x2dclient-data-tee.mount"
@@ -0,0 +1,9 @@
+[Unit]
+ConditionPathIsMountPoint=/run/mnt/tee-data
+DefaultDependencies=no
+
+[Mount]
+What=/run/mnt/tee-data
+Where=/var/lib/optee-client/data/tee
+Options=bind
+Type=none
diff --git a/static/usr/lib/udev/rules.d/99-optee.rules b/static/usr/lib/udev/rules.d/99-optee.rules
new file mode 100644
index 00000000..8d1d10a7
--- /dev/null
+++ b/static/usr/lib/udev/rules.d/99-optee.rules
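Review bot: `ExecStartPre=`, `ExecStartPost=` and `ExecStop=` are list settings, so in a drop-in they append to whatever the packaged tee-supplicant.service already defines instead of replacing it; if that unit (not visible here) carries its own Exec* lines, both sets will run. If replacement is the intent, reset each list first, e.g. an empty `ExecStop=` on its own line immediately before the new `ExecStop=-/bin/sh -c …`. Separately, the ExecStop command calls `/sbin/modprobe` while the two lines above use `/usr/sbin/modprobe`; on a merged-/usr image both resolve, but `/usr/sbin/modprobe` in all three avoids depending on the compat symlink. `Type=notify` also assumes the packaged tee-supplicant binary was built with sd_notify support — otherwise the unit waits for READY=1 until the start timeout and is killed — which is worth checking against the Ubuntu package rather than the upstream template the header cites.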
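Review bot: The mount unit relies on `ConditionPathIsMountPoint=/run/mnt/tee-data` together with the `BindsTo=`+`After=` pair in the supplicant drop-in to keep tee-supplicant down when there is no dedicated partition (per systemd.unit(5), a BindsTo+After dependent is stopped when the bound unit is skipped by a failed condition), but nothing in the file says so; a comment would spare the next reader that lookup, e.g. `# No tee-data partition: the condition skips this mount and, via BindsTo=+After= in tee-supplicant.service.d/core-override.conf, the supplicant never runs against the bare rootfs directory.` Who mounts /run/mnt/tee-data is outside this patch; if it is a systemd mount unit rather than the initrd, add `RequiresMountsFor=/run/mnt/tee-data` under [Unit] so the condition is not evaluated before the partition appears. Consider `Options=bind,nosuid,nodev,noexec` as well, unless the source mount already carries those flags.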
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: BSD-2-Clause
+# Adapted from https://github.com/OP-TEE/optee_client/blob/6486773583b5983af8250a47cf07eca938e0e422/tee-supplicant/optee-udev.rules.in
+KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="root", TAG+="systemd"
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="root", TAG+="systemd"
+
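Review bot: Both rules make /dev/tee* and /dev/teepriv* root:root 0660, which is tighter than the upstream template they cite (that file parametrizes GROUP= so unprivileged TEE clients can be granted /dev/tee* via a group, as I recall), and nothing says whether root-only is deliberate or a placeholder. If it is intended — reasonable on Core, where the supplicant runs as root — document it, and while there explain the `TAG+="systemd"` that the drop-in's `BindsTo=dev-teepriv0.device` depends on, e.g. `# root-only by design: no tee/teepriv groups on Core. TAG+="systemd" exposes dev-teepriv0.device for tee-supplicant.service.d/core-override.conf.` If unprivileged TEE clients are ever expected, only the tee* rule should gain a group; teepriv* is the supplicant side and must stay root-only.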