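# tcsd daemon.

{ config, pkgs, lib, ... }:

with lib;
let

  cfg = config.services.tcsd;

  # The generated tcsd.conf lives in the Nix store (world-readable). It
  # carries only paths and PCR selections, no key material. remote_ops is
  # deliberately left commented out, so this module does not turn on any
  # remote TSS operations.
  tcsdConf = pkgs.writeText "tcsd.conf" ''
    port = 30003
    num_threads = 10
    system_ps_file = ${cfg.stateDir}/system.data
    # This is the log of each individual measurement done by the system.
    # By re-calculating the PCR registers based on this information, even
    # finer details about the measured environment can be inferred than
    # what is available directly from the PCR registers.
    firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
    kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
    firmware_pcrs = ${cfg.firmwarePCRs}
    kernel_pcrs = ${cfg.kernelPCRs}
    platform_cred = ${cfg.platformCred}
    conformance_cred = ${cfg.conformanceCred}
    endorsement_cred = ${cfg.endorsementCred}
    #remote_ops = create_key,random
    #host_platform_class = server_12
    #all_platform_classes = pc_11,pc_12,mobile_12
  '';

in
{

  ###### interface

  options = {

    services.tcsd = {

      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to enable tcsd, a Trusted Computing management service
          that provides TCG Software Stack (TSS). The tcsd daemon is
          the only portal to the Trusted Platform Module (TPM), a hardware
          chip on the motherboard.
        '';
      };

      # types.str (not the deprecated types.string) so that two conflicting
      # definitions of a security-relevant value are reported as an error
      # instead of being silently concatenated.
      user = mkOption {
        default = "tss";
        type = types.str;
        description = "User account under which tcsd runs.";
      };

      group = mkOption {
        default = "tss";
        type = types.str;
        description = "Group account under which tcsd runs.";
      };

      stateDir = mkOption {
        default = "/var/lib/tpm";
        type = types.path;
        description = ''
          The location of the system persistent storage file.
          The system persistent storage file holds keys and data across
          restarts of the TCSD and system reboots.
        '';
      };

      # PCR index lists are passed verbatim into tcsd.conf; a concatenating
      # merge of two definitions would yield a malformed list, hence types.str.
      firmwarePCRs = mkOption {
        default = "0,1,2,3,4,5,6,7";
        type = types.str;
        description = "PCR indices used in the TPM for firmware measurements.";
      };

      kernelPCRs = mkOption {
        default = "8,9,10,11,12";
        type = types.str;
        description = "PCR indices used in the TPM for kernel measurements.";
      };

      platformCred = mkOption {
        default = "${cfg.stateDir}/platform.cert";
        type = types.path;
        description = ''
          Path to the platform credential for your TPM. Your TPM
          manufacturer may have provided you with a set of credentials
          (certificates) that should be used when creating identities
          using your TPM. When a user of your TPM makes an identity,
          this credential will be encrypted as part of that process.
          See the 1.1b TPM Main specification section 9.3 for information
          on this process. '';
      };

      conformanceCred = mkOption {
        default = "${cfg.stateDir}/conformance.cert";
        type = types.path;
        description = ''
          Path to the conformance credential for your TPM.
          See also the platformCred option'';
      };

      endorsementCred = mkOption {
        default = "${cfg.stateDir}/endorsement.cert";
        type = types.path;
        description = ''
          Path to the endorsement credential for your TPM.
          See also the platformCred option'';
      };
    };

  };

  ###### implementation

  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.trousers ];

#    system.activationScripts.tcsd =
#      ''
#        chown ${cfg.user}:${cfg.group} ${tcsdConf}
#      '';

    systemd.services.tcsd = {
      description = "TCSD";
      after = [ "systemd-udev-settle.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.trousers ];
      # Runs as root before the daemon starts. The state directory holds
      # system.data (TPM keys), so its mode is enforced on every start:
      # `mkdir -m` only applies the mode when the directory is first created.
      preStart =
        ''
          mkdir -m 0700 -p ${cfg.stateDir}
          chmod 0700 ${cfg.stateDir}
          chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
        '';
      serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}";
    };

    # users.extraUsers / extraGroups are lists here (the entries carry a
    # `name` attribute). `optional` yields [] when the condition is false;
    # the previous `optionalAttrs` yielded {} in that case, a type error
    # whenever a non-default user or group is configured.
    users.extraUsers = optional (cfg.user == "tss")
      { name = "tss";
        group = "tss";
        uid = config.ids.uids.tss;
      };

    users.extraGroups = optional (cfg.group == "tss")
      { name = "tss";
        gid = config.ids.gids.tss;
      };
  };
}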