Message ID | 20240925090147.66618-4-mikko.rapeli@linaro.org |
---|---|
State | New |
Series | optee 4.3 update and systemd service changes |
Hi,

On Wed, Sep 25, 2024 at 12:01:46PM +0300, Mikko Rapeli wrote:
> udev starts tee-supplicant once optee has been found.
> Fix dependencies in systemd service so that starting it in
> initrd is possible. Stopping requires that ftpm
> kernel module is disabled or any TPM-related actions will fail until
> the next reboot so working around these in the service file. These
> are limitations of current kernel optee and ftpm drivers.
>
> tpm2.target requires systemd 256 or newer. With older systemd versions
> there is no simple way to queue in service before TPM device is
> available.
>
> https://www.freedesktop.org/software/systemd/man/devel/systemd.special.html#tpm2.target
>
> Note that
> https://www.freedesktop.org/software/systemd/man/devel/systemd-tpm2-generator.html
> detects TPM support from either existing kernel driver (built in or
> loaded really early in initrd and rootfs boot) or ACPI table entry for
> TPM device. If firmware used a TPM device but doesn't provide ACPI table
> entry for it, then a kernel patch has been proposed to expose this to
> userspace:
>
> https://lore.kernel.org/lkml/20240422112711.362779-1-mikko.rapeli@linaro.org/
>
> and matching change proposal for systemd:
>
> https://github.com/systemd/systemd/pull/32400
>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
>  .../optee/optee-client/tee-supplicant@.service | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
> index 72c0b9aa..8325b6be 100644
> --- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
> +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
> @@ -1,10 +1,12 @@
>  [Unit]
>  Description=TEE Supplicant on %i
> +DefaultDependencies=no
> +After=dev-%i.device
> +Wants=dev-%i.device
> +Conflicts=shutdown.target
> +Before=tpm2.target sysinit.target shutdown.target
>
>  [Service]

Sorry, needs here:

Type=notify

Will add this in v2.

Cheers,

-Mikko

> -User=root
>  EnvironmentFile=-@sysconfdir@/default/tee-supplicant
>  ExecStart=@sbindir@/tee-supplicant $OPTARGS
> -
> -[Install]
> -WantedBy=basic.target
> +ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"
> --
> 2.34.1
>
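Review bot: The Before=tpm2.target sysinit.target ordering in this hunk only does something once the unit has a readiness signal; with no Type= line the service is Type=simple and counts as active the moment ExecStart has been forked, so tpm2.target can be reached while tee-supplicant is still attaching to the TEE driver. The Type=notify line the reply adds for v2 closes that gap, with one caveat worth stating in the commit message: it only works if tee-supplicant actually sends READY=1 over $NOTIFY_SOCKET, otherwise the start blocks until TimeoutStartSec= expires and the unit fails.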
diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service index 72c0b9aa..8325b6be 100644 --- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service @@ -1,10 +1,12 @@ [Unit] Description=TEE Supplicant on %i +DefaultDependencies=no +After=dev-%i.device +Wants=dev-%i.device +Conflicts=shutdown.target +Before=tpm2.target sysinit.target shutdown.target [Service] -User=root EnvironmentFile=-@sysconfdir@/default/tee-supplicant ExecStart=@sbindir@/tee-supplicant $OPTARGS - -[Install] -WantedBy=basic.target +ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"
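Review bot: ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID" hides exactly the failure the commit message warns about: the leading - makes a non-zero exit from modprobe -r irrelevant to the unit's result, and the ; runs kill regardless, so when the module cannot be unloaded the supplicant is still killed, TPM access is broken until reboot, and systemctl status shows nothing. Dropping the - and joining the two commands with && at least leaves the unit in a visible failed state; note that the explicit /bin/kill $MAINPID is redundant either way, because systemd sends KillSignal= to the remaining processes once ExecStop= has run. Style: /sbin/modprobe and /bin/kill are hard-coded while ExecStart uses @sbindir@; on a merged-/usr image both should come from the same configure substitution, or be left to PATH since sh -c resolves them anyway. Removing [Install] also means systemctl enable no longer works for this template, which is fine given udev pulls the instance in but deserves a one-line comment in the unit.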
udev starts tee-supplicant once optee has been found. Fix dependencies in systemd service so that starting it in initrd is possible. Stopping requires that ftpm kernel module is disabled or any TPM-related actions will fail until the next reboot so working around these in the service file. These are limitations of current kernel optee and ftpm drivers.

tpm2.target requires systemd 256 or newer. With older systemd versions there is no simple way to queue in service before TPM device is available.

https://www.freedesktop.org/software/systemd/man/devel/systemd.special.html#tpm2.target

Note that https://www.freedesktop.org/software/systemd/man/devel/systemd-tpm2-generator.html detects TPM support from either existing kernel driver (built in or loaded really early in initrd and rootfs boot) or ACPI table entry for TPM device. If firmware used a TPM device but doesn't provide ACPI table entry for it, then a kernel patch has been proposed to expose this to userspace:

https://lore.kernel.org/lkml/20240422112711.362779-1-mikko.rapeli@linaro.org/

and matching change proposal for systemd:

https://github.com/systemd/systemd/pull/32400

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 .../optee/optee-client/tee-supplicant@.service | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)