# tcsd daemon.
#
# NixOS module for trousers' tcsd, the TCG Software Stack daemon that
# mediates access to the TPM.  It writes a tcsd.conf, grants the service
# account the TPM device nodes via udev, and runs tcsd as a systemd unit.

{ config, options, pkgs, lib, ... }:

let
  inherit (lib) mkOption mkIf optionalAttrs literalExpression types;

  cfg = config.services.tcsd;
  opt = options.services.tcsd;

  # The configuration file handed to tcsd with -c.  tcsd binds TCP port
  # 30003; which TCS operations remote clients may invoke is governed by
  # remote_ops, which is left commented out below.
  # NOTE(review): trousers documents the remote_ops default as "no remote
  # operations"; confirm against tcsd.conf(5) of the packaged version before
  # relying on that, and consider a host firewall rule for the port regardless.
  # The firmware_log_file path, like the systemd dependency further down, is
  # hard-wired to tpm0.
  configFile = pkgs.writeText "tcsd.conf" ''
    port = 30003
    num_threads = 10
    system_ps_file = ${cfg.stateDir}/system.data
    # This is the log of each individual measurement done by the system.
    # By re-calculating the PCR registers based on this information, even
    # finer details about the measured environment can be inferred than
    # what is available directly from the PCR registers.
    firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
    kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
    firmware_pcrs = ${cfg.firmwarePCRs}
    kernel_pcrs = ${cfg.kernelPCRs}
    platform_cred = ${cfg.platformCred}
    conformance_cred = ${cfg.conformanceCred}
    endorsement_cred = ${cfg.endorsementCred}
    #remote_ops = create_key,random
    #host_platform_class = server_12
    #all_platform_classes = pc_11,pc_12,mobile_12
  '';

in
{

  ###### interface

  options.services.tcsd = {

    enable = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to enable tcsd, a Trusted Computing management service
        that provides TCG Software Stack (TSS). The tcsd daemon is
        the only portal to the Trusted Platform Module (TPM), a hardware
        chip on the motherboard.
      '';
    };

    # The service account.  When left at the default "tss", the module
    # creates the user and group itself (see the implementation section).
    user = mkOption {
      type = types.str;
      default = "tss";
      description = lib.mdDoc "User account under which tcsd runs.";
    };

    group = mkOption {
      type = types.str;
      default = "tss";
      description = lib.mdDoc "Group account under which tcsd runs.";
    };

    # Directory holding system.data, tcsd's persistent store; it is created
    # group-accessible (0770) by the tmpfiles rule below.
    stateDir = mkOption {
      type = types.path;
      default = "/var/lib/tpm";
      description = lib.mdDoc ''
        The location of the system persistent storage file.
        The system persistent storage file holds keys and data across
        restarts of the TCSD and system reboots.
      '';
    };

    # PCR index lists are passed verbatim into tcsd.conf, so they are plain
    # comma-separated strings rather than lists of ints.
    firmwarePCRs = mkOption {
      type = types.str;
      default = "0,1,2,3,4,5,6,7";
      description = lib.mdDoc "PCR indices used in the TPM for firmware measurements.";
    };

    kernelPCRs = mkOption {
      type = types.str;
      default = "8,9,10,11,12";
      description = lib.mdDoc "PCR indices used in the TPM for kernel measurements.";
    };

    # The three credential paths default to files inside stateDir; the
    # defaultText spells that out for the generated option documentation.
    platformCred = mkOption {
      type = types.path;
      default = "${cfg.stateDir}/platform.cert";
      defaultText = literalExpression ''"''${config.${opt.stateDir}}/platform.cert"'';
      description = lib.mdDoc ''
        Path to the platform credential for your TPM. Your TPM
        manufacturer may have provided you with a set of credentials
        (certificates) that should be used when creating identities
        using your TPM. When a user of your TPM makes an identity,
        this credential will be encrypted as part of that process.
        See the 1.1b TPM Main specification section 9.3 for information
        on this process. '';
    };

    conformanceCred = mkOption {
      type = types.path;
      default = "${cfg.stateDir}/conformance.cert";
      defaultText = literalExpression ''"''${config.${opt.stateDir}}/conformance.cert"'';
      description = lib.mdDoc ''
        Path to the conformance credential for your TPM.
        See also the platformCred option'';
    };

    endorsementCred = mkOption {
      type = types.path;
      default = "${cfg.stateDir}/endorsement.cert";
      defaultText = literalExpression ''"''${config.${opt.stateDir}}/endorsement.cert"'';
      description = lib.mdDoc ''
        Path to the endorsement credential for your TPM.
        See also the platformCred option'';
    };

  };

  ###### implementation

  config = mkIf cfg.enable {

    # Only provision the tss account and group when the defaults are in use;
    # a custom user/group is expected to be declared elsewhere by the admin.
    users.users = optionalAttrs (cfg.user == "tss") {
      tss = {
        isSystemUser = true;
        group = "tss";
      };
    };

    users.groups = optionalAttrs (cfg.group == "tss") { tss = {}; };

    environment.systemPackages = [ pkgs.trousers ];

    # MODE 0660 with OWNER/GROUP set to the tcsd account means every member
    # of cfg.group -- not only the daemon -- can open the raw TPM character
    # device and bypass tcsd's mediation; keep membership of that group
    # minimal.  The rule matches any tpm[0-9]* node.
    services.udev.extraRules = ''
      # Give tcsd ownership of all TPM devices
      KERNEL=="tpm[0-9]*", MODE="0660", OWNER="${cfg.user}", GROUP="${cfg.group}"
      # Tag TPM devices to create a .device unit for tcsd to depend on
      ACTION=="add", KERNEL=="tpm[0-9]*", TAG+="systemd"
    '';

    # The state directory is group-writable, so the same group boundary as
    # for the device node applies to the persistent store kept in it.
    systemd.tmpfiles.rules = [
      # Initialise the state directory
      "d ${cfg.stateDir} 0770 ${cfg.user} ${cfg.group} - -"
    ];

    systemd.services.tcsd = {
      description = "Manager for Trusted Computing resources";
      documentation = [ "man:tcsd(8)" ];
      wantedBy = [ "multi-user.target" ];

      # Hard-wired to tpm0 even though the udev rule tags every tpm[0-9]*
      # node; a machine whose only TPM enumerates under another index would
      # not satisfy this dependency.
      requires = [ "dev-tpm0.device" ];
      after = [ "dev-tpm0.device" ];

      # -f keeps tcsd in the foreground for systemd, -c points it at the
      # generated configuration file.
      # NOTE(review): no systemd sandboxing directives (e.g. ProtectSystem,
      # PrivateTmp) are applied; tcsd needs cfg.stateDir and the TPM device
      # node, so any hardening added later must still allow those.
      serviceConfig = {
        ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${configFile}";
        User = cfg.user;
        Group = cfg.group;
      };
    };
  };
}