Message ID | 20220829140432.3169225-1-jerome.forissier@linaro.org |
---|---|
State | New |
Series | [meta-security,resend] Parsec-service: add parsec user to teeclnt group when optee is present |
On Mon, Aug 29, 2022 at 4:05 PM Jerome Forissier <jerome.forissier@linaro.org> wrote:

> The optee-client package provides a PKCS#11 interface that may be used by
> Parsec with the below configuration. For this to work, the parsec user
> needs to be a member of the teeclnt group. Therefore, add it when 'optee'
> is present in MACHINE_FEATURES.
>
> # Provider configuration in /etc/parsec/config.toml
> [[provider]]
> name = "pkcs11-optee"
> provider_type = "Pkcs11"
> key_info_manager = "sqlite-manager"
> library_path = "/usr/lib/libckteec.so.0"
>
> Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
> ---
> .../recipes-parsec/parsec-service/parsec-service_1.0.0.bb | 1 +
> 1 file changed, 1 insertion(+)
>
> This is a resend because a few hours after my initial post I still can't
> find it at https://lists.yoctoproject.org/g/yocto/messages. I am now
> subscribed to the list so hopefully it will help (although
> https://git.yoctoproject.org/meta-security/tree/README doesn't mention
> subscription).

Subscription is not required, but then you end up in the moderation queue. I can see your message in the moderation queue; I will delete the original message.

> > diff --git a/meta-parsec/recipes-parsec/parsec-service/ > parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/ > parsec-service_1.0.0.bb > index ad7e560..ea2b0c9 100644 > --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb > +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
> @@ -68,6 +68,7 @@ USERADD_PACKAGES = "${PN}" > USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d > ${localstatedir}/lib/parsec parsec" > GROUPADD_PARAM:${PN} = "-r parsec" > GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', > 'tpm-provider', '-a parsec -g tss', '', d)}" > +GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('MACHINE_FEATURES', > 'optee', '-a parsec -g teeclnt', '', d)}" > > FILES:${PN} += " \ > ${sysconfdir}/parsec/config.toml \ > -- > 2.34.1
The latest version of the parsec-service recipe adds parsec into the teeclnt group if Parsec is built with the TS provider:
https://git.yoctoproject.org/meta-security/tree/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb#n75

In this case the teeclnt group is created by the libts recipe (it will be merged into meta-arm later this week). With your change it's not clear what recipe will create the group. Could you point me to this recipe?

Anton
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb index ad7e560..ea2b0c9 100644 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb @@ -68,6 +68,7 @@ USERADD_PACKAGES = "${PN}" USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec" GROUPADD_PARAM:${PN} = "-r parsec" GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}" +GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('MACHINE_FEATURES', 'optee', '-a parsec -g teeclnt', '', d)}" FILES:${PN} += " \ ${sysconfdir}/parsec/config.toml \
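Review bot: The added `GROUPMEMS_PARAM:${PN} =` line reassigns the variable that the line directly above it has just set, so the tpm-provider result ('-a parsec -g tss') is discarded. With both 'tpm-provider' and 'optee' enabled, parsec ends up only in teeclnt, and with 'optee' absent the value becomes empty even when 'tpm-provider' is set, silently dropping the tss membership the TPM provider relies on. Append to the existing value instead of assigning a second time, so the two memberships are evaluated independently. Separately, `GROUPADD_PARAM:${PN}` in this hunk creates only the parsec group, so nothing visible here guarantees that teeclnt exists when the membership is added. The recipe should depend on whichever recipe creates that group when 'optee' is in MACHINE_FEATURES, and the commit message should name it.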
The optee-client package provides a PKCS#11 interface that may be used by Parsec with the below configuration. For this to work, the parsec user needs to be a member of the teeclnt group. Therefore, add it when 'optee' is present in MACHINE_FEATURES.

# Provider configuration in /etc/parsec/config.toml
[[provider]]
name = "pkcs11-optee"
provider_type = "Pkcs11"
key_info_manager = "sqlite-manager"
library_path = "/usr/lib/libckteec.so.0"

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
---
.../recipes-parsec/parsec-service/parsec-service_1.0.0.bb | 1 +
1 file changed, 1 insertion(+)

This is a resend because a few hours after my initial post I still can't find it at https://lists.yoctoproject.org/g/yocto/messages. I am now subscribed to the list so hopefully it will help (although https://git.yoctoproject.org/meta-security/tree/README doesn't mention subscription).