Hi,
I'm running in circles and failing to start optee userspace daemon tee-supplicant
correctly with systemd in initrd.
In certain firmware/HW configurations with optee and firmware TPM trusted application,
the setup needs tee-supplicant to start in initrd userspace before the fTPM kernel
module gets enumerated, but I'm failing to express this in the systemd
service dependencies.
TPM usage in firmware is being detected correctly and tpm2.target is queued correctly,
but the dev-tpmrm0.device is not found since tee-supplicant@teepriv0.service is not
getting started before it.
optee kernel driver is loaded and working. /dev/teepriv0 is generated by udev but not
before dev-tpmrm0.device.
tee-supplicant@.service:
[Unit]
Description=TEE Supplicant on %i
[Service]
User=root
EnvironmentFile=-@sysconfdir@/default/tee-supplicant
ExecStart=@sbindir@/tee-supplicant $OPTARGS
[Install]
WantedBy=basic.target
udev rule is:
KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd"
# If a /dev/teepriv[0-9]* device is detected, start an instance of
# tee-supplicant.service with the device name as parameter
KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
So basically dev-tpmrm0.device depends on tee-supplicant@teepriv0.service started
on dev-teepriv0.device by udev. How to express this dependency?
I tried to queue tee-supplicant@.service with "Wants: tpm2.target" but that did not work
and seems wrong. The dependency is earlier to the kernel /dev/tpmrm0 device node.
Then I tried to amend the teepriv udev rule to
ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service tpm2.target" and
ENV{SYSTEMD_BEFORE}+="tpm2.target" but this did not work either. I must be doing this
somehow wrong. Any ideas what would work?
Example serial log from a rockpi4b board where fTPM is failing to be detected in
initramfs since tee-supplicant wasn't started:
https://ledge.validation.linaro.org/scheduler/job/87532
Cheers,
-Mikko
tee-supplicant initrd startup before tpm2.target and dev-tpmrm0.device
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: tee-supplicant initrd startup before tpm2.target and dev-tpmrm0.device
- From: Mikko Rapeli <mikko.rapeli@xxxxxxxxxx>
- Date: Thu, 23 May 2024 10:54:17 +0300
- Follow-Ups:
- Re: tee-supplicant initrd startup before tpm2.target and dev-tpmrm0.device
- From: Lennart Poettering
- Re: tee-supplicant initrd startup before tpm2.target and dev-tpmrm0.device
- Prev by Date: Re: Question about propagation of INVOCATION_ID and JOURNAL_STREAM env variables in Desktop Environments
- Next by Date: Re: tee-supplicant initrd startup before tpm2.target and dev-tpmrm0.device
- Previous by thread: systemd prerelease 256-rc3
- Next by thread: Re: tee-supplicant initrd startup before tpm2.target and dev-tpmrm0.device
- Index(es):
 |