tee-supplicant: add udev rule and systemd service file

tee-supplicant startup with systemd init based is non-trivial. Add needed udev rule and systemd service files here so that distros can co-operate maintaining them. Files are from meta-arm https://git.yoctoproject.org/meta-arm at commit 7cce43e632daa8650f683ac726f9124681b302a4 with license MIT and authors: Peter Griffin <[email protected]> Joshua Watt <[email protected]> Javier Tia <[email protected]> Mikko Rapeli <[email protected]> The udev rule starts tee-supplicant once optee has been detected via /dev/teepriv[0-9]* device file. The startup expects to find teeclnt system group on the running host. systemd service starts before tpm2.target (new in systemd 256) which starts in initramfs too. This covers firmware TPM TA usecases, and possibly others which are started before main rootfs is mounted. For stopping tee-supplicant, the ftpm kernel modules are removed and only then the main process stopped to avoid fTPM breakage. These workarounds may be removed once RPMB kernel and optee patches without tee-supplicant are merged. Cc: Peter Griffin <[email protected]> Cc: Joshua Watt <[email protected]> Cc: Javier Tia <[email protected]> Signed-off-by: Mikko Rapeli <[email protected]>
OP-TEE · Oct 3, 2024 · 44e6a63 · 44e6a63
1 parent 49e646d
commit 44e6a63
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt
@@ -113,3 +113,6 @@ endif()
 # Install targets
 ################################################################################
 install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
+install(FILES optee-udev.rules DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/udev/rules.d)
+configure_file([email protected] [email protected] @ONLY)
+install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/[email protected] DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system)
diff --git a/tee-supplicant/optee-udev.rules b/tee-supplicant/optee-udev.rules
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: MIT
+KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd"
+
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
+    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
diff --git a/tee-supplicant/[email protected] b/tee-supplicant/[email protected]
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: MIT
+[Unit]
+Description=TEE Supplicant on %i
+DefaultDependencies=no
+After=dev-%i.device
+Wants=dev-%i.device
+Conflicts=shutdown.target
+Before=tpm2.target sysinit.target shutdown.target
+
+[Service]
+Type=notify
+EnvironmentFile=-@CMAKE_INSTALL_SYSCONFDIR@/default/tee-supplicant
+ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_SBINDIR@/tee-supplicant $OPTARGS
+ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"