6 changes: 6 additions & 0 deletions hooks/001-extra-packages.chroot
@@ -244,6 +244,12 @@ case "$(dpkg --print-architecture)" in
;;
esac

case "$(dpkg --print-architecture)" in
arm64|armhf)
PACKAGES+=(tee-supplicant)
Contributor

Maybe one day, we should make a list of all packages that are from universe rather than main.

;;
esac

if [[ ${SNAP_FIPS_BUILD+x} ]]; then
# Ensure vital crypt packages are refreshed / downgraded and downloaded
# from the FIPS ppa. This should also contain openssh-server, but we already
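Review bot: the new `case "$(dpkg --print-architecture)" in` at the top of the added lines immediately follows the `;;` / `esac` that close a case on the very same expression (the one named in the hunk header at line 244), so the `arm64|armhf)` branch that appends `tee-supplicant` could be folded into the existing case statement instead of running `dpkg --print-architecture` a second time. If the two blocks are kept separate, a one-line comment saying why the package is Arm-only (OP-TEE targets Arm TrustZone) would help the next reader; and since the thread notes it is a universe package, it is worth confirming that the FIPS refresh block below does not try to source it from the FIPS ppa.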
7 changes: 7 additions & 0 deletions hooks/020-extra-files.chroot
@@ -40,6 +40,13 @@ mkdir -p /var/lib/waagent
echo "console-conf directories"
mkdir -p /var/lib/console-conf

case "$(dpkg --print-architecture)" in
arm64|armhf)
echo "op-tee secure storage dir"
mkdir -p /var/lib/optee-client/data/tee
;;
esac

echo "ensure snapctl is available"
ln -s ../lib/snapd/snapctl /usr/bin/snapctl

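Review bot: the directory created by `mkdir -p /var/lib/optee-client/data/tee` is the `Where=` mount point of the bind mount unit elsewhere in this PR, so its own permissions are hidden once `/run/mnt/tee-data` is mounted over it; until that happens, or on any boot where the mount unit's `ConditionPathIsMountPoint=` is not met, the path is a plain directory on the root filesystem created with the default umask. Consider `mkdir -p -m 0700` so secure-storage files can never land in a world-readable directory, and add a short comment above the `case` noting that this is the mount point, not the storage itself, so nobody later "fixes" the bind mount away.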
1 change: 1 addition & 0 deletions static/usr/lib/core/remount-core-fs
@@ -10,6 +10,7 @@ FILESYSTEMS=(
/run/mnt/ubuntu-save
/run/mnt/ubuntu-seed
/writable
/run/mnt/tee-data
)

for fs in "${FILESYSTEMS[@]}"; do
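Review bot: `/run/mnt/tee-data` only exists on images that carry a TEE data partition (the bind mount unit in this PR guards it with `ConditionPathIsMountPoint=/run/mnt/tee-data`), so check that the `for fs in "${FILESYSTEMS[@]}"` loop tolerates an entry that is not mounted instead of aborting the remount of every filesystem after it in the array; if it does not, skip the entry with a `mountpoint -q "$fs"` check before remounting, mirroring the condition used by the mount unit.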
4 changes: 2 additions & 2 deletions static/usr/lib/systemd/system/core.start-snapd.service
@@ -1,8 +1,8 @@
[Unit]
Description=Start the snapd services from the snapd snap
RequiresMountsFor=/run
Wants=secureboot-db.service
After=secureboot-db.service
Wants=secureboot-db.service tee-supplicant.service
After=secureboot-db.service tee-supplicant.service

[Service]
ExecStart=/usr/lib/core/run-snapd-from-snap start
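Review bot: adding `tee-supplicant.service` to `After=` means snapd startup now waits for that unit's start job to finish wherever the unit file exists; because the drop-in in this PR makes the supplicant `BindsTo=`/`After=` `dev-teepriv0.device`, a board whose kernel never creates `/dev/teepriv0` will hold this unit back until the device job times out (systemd's default device timeout is 90 s) before snapd starts. Keeping `Wants=` rather than `Requires=`, as done here, is right so that a failed supplicant does not block snapd, but the possible boot delay should be documented or avoided by only installing the unit where the device is expected.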
@@ -0,0 +1,12 @@
# SPDX-License-Identifier: BSD-2-Clause
# Adapted from https://github.com/OP-TEE/optee_client/blob/6486773583b5983af8250a47cf07eca938e0e422/tee-supplicant/tee-supplicant%40.service.in
[Unit]
DefaultDependencies=no
BindsTo=dev-teepriv0.device var-lib-optee\x2dclient-data-tee.mount
Contributor

Does it really BindsTo the mount rather than Requires?

Would RequiresMountsFor=/var/lib/optee-client/data/tee not work?

After=dev-teepriv0.device var-lib-optee\x2dclient-data-tee.mount

[Service]
Type=notify
Contributor

I am not sure you should override this one. This is a drop-in, and the original looks like it already has that set.

Contributor

Oh, I see... it comes from the package.

Contributor

I would really drop all the configuration that comes from the Debian package and just take the upstream configuration, including udev. I do not think the Debian package configuration makes much sense.

Contributor

Eventually, we should maybe build it ourselves. That is a universe package anyway.

ExecStartPre=-/usr/sbin/modprobe -v -r tpm_ftpm_tee
ExecStartPost=-/usr/sbin/modprobe -v tpm_ftpm_tee
Comment on lines +10 to +11
Contributor

Not sure why we need that. So you want to remove tpm_ftpm_tee before starting. Then once tee-supplicant has started and sent READY=1, reload the module.

ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"
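Review bot: `BindsTo=` together with `After=` on `var-lib-optee\x2dclient-data-tee.mount` (lines 5 and 6) is stronger than `Requires=`: systemd keeps this service inactive whenever the bound mount is not active, and since that mount unit carries `ConditionPathIsMountPoint=/run/mnt/tee-data`, tee-supplicant will quietly never start on a boot where the tee-data partition is missing or was not mounted under `/run/mnt`. If that is the intent (no persistent secure storage, no supplicant) state it in a comment next to `BindsTo=`, because it answers the question raised in the thread; if the supplicant should still come up without the partition, `RequiresMountsFor=` is the looser form. The `-` prefix on the three modprobe lines already makes a kernel without `tpm_ftpm_tee` as a module harmless apart from log noise, which is worth a comment too, since the lines otherwise look like they must succeed.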
Contributor

/usr/sbin/modprobe?

@@ -0,0 +1,9 @@
[Unit]
ConditionPathIsMountPoint=/run/mnt/tee-data
DefaultDependencies=no

[Mount]
What=/run/mnt/tee-data
Where=/var/lib/optee-client/data/tee
Options=bind
Type=none
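Review bot: the file header for this hunk did not survive extraction, so the unit's file name cannot be checked here; it has to be exactly `var-lib-optee\x2dclient-data-tee.mount` (the `systemd-escape --path` form of `Where=`) or the `BindsTo=`/`After=` references in the tee-supplicant drop-in will not resolve. Two smaller points: `Description=` is missing, and since this path holds nothing but secure-storage data, `Options=bind,nosuid,nodev,noexec` narrows what a compromised process could do with a writable directory there at no cost to the supplicant.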
5 changes: 5 additions & 0 deletions static/usr/lib/udev/rules.d/99-optee.rules
@@ -0,0 +1,5 @@
# SPDX-License-Identifier: BSD-2-Clause
# Adapted from https://github.com/OP-TEE/optee_client/blob/6486773583b5983af8250a47cf07eca938e0e422/tee-supplicant/optee-udev.rules.in
KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="root", TAG+="systemd"
KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="root", TAG+="systemd"
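Review bot: with `OWNER="root", GROUP="root"` the group bits in `MODE="0660"` grant nothing beyond what root already has, so either tighten to `0600` as the thread suggests, or, if the plan is to let a non-root service talk to the TEE later, give the `tee[0-9]*` nodes a dedicated group and keep `teepriv[0-9]*` root-only, since the privileged node is the supplicant's channel and must stay out of reach of unprivileged code. Either way the access policy should be chosen per node rather than by copying one line for both. The `TAG+="systemd"` is required and should stay: it is what exposes `dev-teepriv0.device` for the `BindsTo=` in the service drop-in.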
Comment on lines +3 to +4
Contributor

If group is root, maybe 0600 makes more sense.