[v7,2/4] arm/optee-client: fix systemd service dependencies

Message ID	20240926154739.2379609-3-jon.mason@arm.com
State	New
Headers	show Return-Path: <jdmason@kudzu.us> ip: 209.85.222.170, mailfrom: jdmason@kudzu.us) From: Jon Mason <jdmason@kudzu.us> To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli <mikko.rapeli@linaro.org> Subject: [PATCH v7 2/4] arm/optee-client: fix systemd service dependencies Date: Thu, 26 Sep 2024 11:47:37 -0400 Message-Id: <20240926154739.2379609-3-jon.mason@arm.com> In-Reply-To: <20240926154739.2379609-1-jon.mason@arm.com> References: <20240926154739.2379609-1-jon.mason@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	UEFI secureboot \| expand [v7,0/4] UEFI secureboot [v7,1/4] arm/optee: Add optee udev rules [v7,2/4] arm/optee-client: fix systemd service dependencies [v7,3/4] arm: Enable Secure Boot in all required recipes [v7,4/4] arm/qemuarm64-secureboot: Enable UEFI Secure Boot

Message ID

20240926154739.2379609-3-jon.mason@arm.com

State

New

Headers

From: Jon Mason <jdmason@kudzu.us>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>
Subject: [PATCH v7 2/4] arm/optee-client: fix systemd service dependencies
Date: Thu, 26 Sep 2024 11:47:37 -0400
Message-Id: <20240926154739.2379609-3-jon.mason@arm.com>
In-Reply-To: <20240926154739.2379609-1-jon.mason@arm.com>
References: <20240926154739.2379609-1-jon.mason@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

UEFI secureboot | expand

Commit Message

Jon Mason Sept. 26, 2024, 3:47 p.m. UTC

From: Mikko Rapeli <mikko.rapeli@linaro.org>

udev starts tee-supplicant once optee has been found.
Fix dependencies in systemd service so that starting it in
initrd is possible. Stopping requires that ftpm
kernel module is disabled or any TPM related actions will fail until
the next reboot so working around these in the service file. These
are limitations of current kernel optee and ftpm drivers.

tpm2.target requires systemd 256 or newer. With older system version
there is no simple way to queue in service before TPM device is
available.

https://www.freedesktop.org/software/systemd/man/devel/systemd.special.html#tpm2.target

Note that
https://www.freedesktop.org/software/systemd/man/devel/systemd-tpm2-generator.html
detects TPM support from either existing kernel driver (built in or
loaded really early in initrd and rootfs boot) or ACPI table entry for
TPM device. If firmware used a TPM device but doesn't provide ACPI table
entry for it, then a kernel patch has been proposed to expose this to
userspace:

https://lore.kernel.org/lkml/20240422112711.362779-1-mikko.rapeli@linaro.org/

and matching change proposal for systemd:

https://github.com/systemd/systemd/pull/32400

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
---
 .../optee/optee-client/tee-supplicant@.service         | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
index 72c0b9aa57ec..8325b6be5174 100644
--- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
+++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
@@ -1,10 +1,12 @@ 
 [Unit]
 Description=TEE Supplicant on %i
+DefaultDependencies=no
+After=dev-%i.device
+Wants=dev-%i.device
+Conflicts=shutdown.target
+Before=tpm2.target sysinit.target shutdown.target
 
 [Service]
-User=root
 EnvironmentFile=-@sysconfdir@/default/tee-supplicant
 ExecStart=@sbindir@/tee-supplicant $OPTARGS
-
-[Install]
-WantedBy=basic.target
+ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"

[v7,2/4] arm/optee-client: fix systemd service dependencies

Commit Message

Patch