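# NixOS module for the OP-TEE userspace supplicant (tee-supplicant): the daemon
# in the rich execution environment that serves trusted-application loading and
# secure-storage requests coming from OP-TEE OS through the kernel TEE driver.
{
  config,
  pkgs,
  lib,
  ...
}:
let
  inherit (lib)
    escapeShellArg
    getExe'
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    types
    ;

  cfg = config.services.tee-supplicant;

  # Sub-directory in which the supplicant looks for trusted applications;
  # passed verbatim as --ta-dir and used for the system-profile link path.
  taDir = "optee_armtz";

  # Gather every configured TA into one derivation laid out as
  # lib/<taDir>/<basename>, so the whole set can be linked into the system
  # profile in one step.
  trustedApplications = pkgs.linkFarm "runtime-trusted-applications" (
    map (
      ta:
      let
        # This is safe since we are using it as the path value, so the context
        # will still ensure that this nix store path exists on the running
        # system.
        taFile = builtins.baseNameOf (builtins.unsafeDiscardStringContext ta);
      in
      {
        # NOTE(review): two TAs with the same basename map to the same link
        # name here — confirm the configured file names are distinct.
        name = "lib/${taDir}/${taFile}";
        path = ta;
      }
    ) cfg.trustedApplications
  );
in
{
  options.services.tee-supplicant = {
    enable = mkEnableOption "OP-TEE userspace supplicant";

    package = mkPackageOption pkgs "optee-client" { };

    trustedApplications = mkOption {
      type = types.listOf types.path;
      default = [ ];
      description = ''
        A list of full paths to trusted applications that will be loaded at
        runtime by tee-supplicant.
      '';
    };

    pluginPath = mkOption {
      type = types.path;
      default = "/run/current-system/sw/lib/tee-supplicant/plugins";
      description = ''
        The directory where plugins will be loaded from on startup.
      '';
    };

    reeFsParentPath = mkOption {
      type = types.path;
      default = "/var/lib/tee";
      description = ''
        The directory where the secure filesystem will be stored in the rich
        execution environment (REE FS).
      '';
    };
  };

  config = mkIf cfg.enable {
    # Only touch the system profile when there is at least one TA to expose;
    # pathsToLink makes lib/<taDir> appear under the merged profile.
    environment = mkIf (cfg.trustedApplications != [ ]) {
      systemPackages = [ trustedApplications ];
      pathsToLink = [ "/lib/${taDir}" ];
    };

    systemd.services.tee-supplicant = {
      description = "Userspace supplicant for OPTEE-OS";

      serviceConfig = {
        # systemd word-splits ExecStart on whitespace, and types.path accepts
        # paths containing spaces, so the user-supplied directories are quoted
        # (systemd honours the single-quote form escapeShellArg emits). taDir
        # is a fixed literal and needs no quoting.
        ExecStart = toString [
          (getExe' cfg.package "tee-supplicant")
          "--ta-dir ${taDir}"
          "--fs-parent-path ${escapeShellArg cfg.reeFsParentPath}"
          "--plugin-path ${escapeShellArg cfg.pluginPath}"
        ];
        # The supplicant must be present for the secure world to service
        # storage/TA requests, so bring it back after any exit.
        Restart = "always";
      };

      # The TEE character devices come from the optee kernel module; order
      # the daemon after it is loaded.
      after = [ "modprobe@optee.service" ];
      wants = [ "modprobe@optee.service" ];

      wantedBy = [ "multi-user.target" ];
    };
  };
}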