tee-supplicant: add udev rule and systemd service file

tee-supplicant startup with a systemd-based init
is non-trivial. Add sample udev rule and systemd
service files here so that distros can co-operate in
maintaining them.

Files are from meta-arm https://git.yoctoproject.org/meta-arm
at commit 7cce43e632daa8650f683ac726f9124681b302a4 with license
MIT and authors:

Peter Griffin <peter.griffin@linaro.org>
Joshua Watt <JPEWhacker@gmail.com>
Javier Tia <javier.tia@linaro.org>
Mikko Rapeli <mikko.rapeli@linaro.org>

With permission from the authors, the files can be relicensed to
BSD-2-Clause like the rest of the optee client repo.

The config files expect to find tee and teepriv system groups
and a teesuppl user and group (part of the teepriv group) for running
tee-supplicant. Additionally, the state directory /var/lib/tee
must be owned by the teesuppl user and group with no rights
for other users. The groups and user can be changed via
CMake variables:

CFG_TEE_GROUP
CFG_TEEPRIV_GROUP
CFG_TEE_SUPPL_USER
CFG_TEE_SUPPL_GROUP

Change the storage path from /data to /var/lib and
also use standard CMake variables for constructing install
paths, which can be overridden to change the defaults:

CMAKE_INSTALL_PREFIX, e.g. /
CMAKE_INSTALL_LIBDIR, e.g. /usr/lib
CMAKE_INSTALL_LOCALSTATEDIR, e.g. /var

Once these are set up, udev will start tee-supplicant in the initramfs
or rootfs as the teesuppl user and group when the /dev/teepriv
device appears. The systemd service starts before tpm2.target
(new in systemd 256), which starts early in the initramfs and in the main rootfs.
This covers firmware TPM TA use cases for main rootfs encryption. When
stopping tee-supplicant, the fTPM kernel modules are removed first and only
then is the main process stopped, to avoid fTPM breakage. These workarounds
may be removed once the RPMB kernel and optee patches without tee-supplicant
are merged (Linux kernel >= 6.12-rc1, optee_os latest master or >= 4.4).

Tested on a yocto meta-arm setup which runs fTPM and optee-test/xtest
under qemuarm64:

$ git clone https://git.yoctoproject.org/meta-arm
$ cd meta-arm
$ SSTATE_DIR=$HOME/sstate DL_DIR=$HOME/download kas build \
ci/qemuarm64-secureboot.yml:ci/poky-altcfg.yml:ci/testimage.yml

The compiled image can be started manually on the qemu serial console with:

$ SSTATE_DIR=$HOME/sstate DL_DIR=$HOME/download kas shell \
ci/qemuarm64-secureboot.yml:ci/poky-altcfg.yml:ci/testimage.yml
$ runqemu slirp nographic

meta-arm maintainers run these tests as part of their CI.

Note that if the tee-supplicant state directory /var/lib/tee
cannot be accessed due to permissions or other problems, then
tee-supplicant startup with systemd still works. Only optee-test/xtest
will fail, and the fTPM kernel drivers will fail to load with error
messages.

Cc: Peter Griffin <peter.griffin@linaro.org>
Cc: Joshua Watt <JPEWhacker@gmail.com>
Cc: Javier Tia <javier.tia@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
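The commit message above lists what the shipped udev rule and systemd unit expect from the host: the tee and teepriv system groups, a teesuppl user that is a member of teepriv, and a /var/lib/tee state directory owned by teesuppl:teesuppl with no permission bits for others. The script below is an added example, not code from this commit, from optee_client or from meta-arm: it checks those preconditions on a host (and can create them as root) so that a failure to start tee-supplicant as teesuppl, or an xtest/fTPM failure caused by a wrongly owned state directory, is caught before boot-time debugging. It assumes GNU coreutils stat(1)/install(1) and shadow-utils groupadd/useradd; the account names default to the CMake defaults quoted in the commit message and are overridable through the environment variables shown (those are this script's own names, not the CMake variables). Save it as tee-check.sh to run the report; the functions can also be sourced individually.

```shell
#!/bin/sh
# Added example, not part of the optee_client commit or of meta-arm.
# Verifies the accounts and state-directory permissions that the
# udev rule and systemd unit described in the commit expect.
# Assumes GNU coreutils stat(1)/install(1) and shadow-utils.

TEE_GROUP="${TEE_GROUP:-tee}"              # CFG_TEE_GROUP default
TEEPRIV_GROUP="${TEEPRIV_GROUP:-teepriv}"  # CFG_TEEPRIV_GROUP default
TEE_SUPPL_USER="${TEE_SUPPL_USER:-teesuppl}"    # CFG_TEE_SUPPL_USER default
TEE_SUPPL_GROUP="${TEE_SUPPL_GROUP:-teesuppl}"  # CFG_TEE_SUPPL_GROUP default
TEE_STATE_DIR="${TEE_STATE_DIR:-/var/lib/tee}"  # CMAKE_INSTALL_LOCALSTATEDIR/lib/tee

# mode_denies_others MODE
# MODE is the octal string printed by 'stat -c %a' (e.g. 700, 1770).
# Succeeds only when the "other" class has no permission bits at all,
# which is what "no rights for other users" in the commit means.
mode_denies_others() {
    case "$1" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# check_state_dir DIR OWNER GROUP
# OWNER and GROUP may be names or numeric ids. Succeeds when DIR is a
# directory owned by OWNER:GROUP that grants nothing to others.
check_state_dir() {
    dir=$1 want_user=$2 want_group=$3
    [ -d "$dir" ] || return 1
    uid=$(stat -c '%u' "$dir") || return 1
    gid=$(stat -c '%g' "$dir") || return 1
    owner=$(stat -c '%U' "$dir") || return 1
    group=$(stat -c '%G' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$want_user" ] || [ "$uid" = "$want_user" ] || return 1
    [ "$group" = "$want_group" ] || [ "$gid" = "$want_group" ] || return 1
    mode_denies_others "$mode"
}

# check_accounts
# Succeeds when both system groups exist and the supplicant user exists
# and is a member of the privileged group (udev starts tee-supplicant
# as that user, so it needs the teepriv group to reach /dev/teepriv).
check_accounts() {
    getent group "$TEE_GROUP" >/dev/null 2>&1 || return 1
    getent group "$TEEPRIV_GROUP" >/dev/null 2>&1 || return 1
    getent passwd "$TEE_SUPPL_USER" >/dev/null 2>&1 || return 1
    id -nG "$TEE_SUPPL_USER" 2>/dev/null | tr ' ' '\n' | grep -qx "$TEEPRIV_GROUP"
}

# create_accounts
# Root-only helper that creates exactly what the two checks verify:
# system groups, a locked-down system user in the teepriv group, and
# the state directory owned by that user with mode 0700.
create_accounts() {
    groupadd -r "$TEE_GROUP" 2>/dev/null || true
    groupadd -r "$TEEPRIV_GROUP" 2>/dev/null || true
    groupadd -r "$TEE_SUPPL_GROUP" 2>/dev/null || true
    getent passwd "$TEE_SUPPL_USER" >/dev/null 2>&1 ||
        useradd -r -g "$TEE_SUPPL_GROUP" -G "$TEEPRIV_GROUP" \
            -d "$TEE_STATE_DIR" -s /usr/sbin/nologin "$TEE_SUPPL_USER"
    install -d -o "$TEE_SUPPL_USER" -g "$TEE_SUPPL_GROUP" -m 0700 "$TEE_STATE_DIR"
}

# main: print a short report and exit non-zero if any expectation is unmet
main() {
    rc=0
    if check_accounts; then
        echo "accounts: ok"
    else
        echo "accounts: $TEE_GROUP/$TEEPRIV_GROUP/$TEE_SUPPL_USER missing or not in $TEEPRIV_GROUP"
        rc=1
    fi
    if check_state_dir "$TEE_STATE_DIR" "$TEE_SUPPL_USER" "$TEE_SUPPL_GROUP"; then
        echo "$TEE_STATE_DIR: ok"
    else
        echo "$TEE_STATE_DIR: expected owner $TEE_SUPPL_USER:$TEE_SUPPL_GROUP, mode 0700"
        rc=1
    fi
    return $rc
}

# Run the report only when executed as tee-check.sh, so the file can
# also be sourced for its functions.
case "$0" in
    */tee-check.sh|tee-check.sh) main "$@" ;;
esac
```

A non-zero exit from the report points at the same two failure modes the commit message describes: a missing or mis-grouped teesuppl account means udev cannot start the supplicant as intended, while a wrongly owned /var/lib/tee leaves the supplicant running but breaks xtest and the fTPM driver load.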
5 files changed
tree: 7b1429f3ecc602931420cf91fe5edd120995d03f
README.md

OP-TEE Client API

This git repository contains the source code for the non-secure side implementation of the OP-TEE project, making up the client library and tee-supplicant.

All official OP-TEE documentation has moved to http://optee.readthedocs.io. The information that used to be here in this git repository can be found under optee_client.

// OP-TEE core maintainers