nixpkgs/nixos/modules/services/misc/tee-supplicant/default.nix

{
  config,
  pkgs,
  lib,
  ...
}:
let
  inherit (lib)
    getExe'
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    types
    ;

  cfg = config.services.tee-supplicant;

  taDir = "optee_armtz";

  trustedApplications = pkgs.linkFarm "runtime-trusted-applications" (
    map (
      ta:
      let
        # This is safe since we are using it as the path value, so the context
        # will still ensure that this nix store path exists on the running
        # system.
        taFile = builtins.baseNameOf (builtins.unsafeDiscardStringContext ta);
      in
      {
        name = "lib/${taDir}/${taFile}";
        path = ta;
      }
    ) cfg.trustedApplications
  );
in
{
  options.services.tee-supplicant = {
    enable = mkEnableOption "OP-TEE userspace supplicant";

    package = mkPackageOption pkgs "optee-client" { };

    trustedApplications = mkOption {
      type = types.listOf types.path;
      default = [ ];
      description = ''
        A list of full paths to trusted applications that will be loaded at
        runtime by tee-supplicant.
      '';
    };

    pluginPath = mkOption {
      type = types.path;
      default = "/run/current-system/sw/lib/tee-supplicant/plugins";
      description = ''
        The directory where plugins will be loaded from on startup.
      '';
    };

    reeFsParentPath = mkOption {
      type = types.path;
      default = "/var/lib/tee";
      description = ''
        The directory where the secure filesystem will be stored in the rich
        execution environment (REE FS).
      '';
    };
  };

  config = mkIf cfg.enable {
    environment = mkIf (cfg.trustedApplications != [ ]) {
      systemPackages = [ trustedApplications ];
      pathsToLink = [ "/lib/${taDir}" ];
    };

    systemd.services.tee-supplicant = {
      description = "Userspace supplicant for OPTEE-OS";

      serviceConfig = {
        ExecStart = toString [
          (getExe' cfg.package "tee-supplicant")
          "--ta-dir ${taDir}"
          "--fs-parent-path ${cfg.reeFsParentPath}"
          "--plugin-path ${cfg.pluginPath}"
        ];
        Restart = "always";
      };

      after = [ "modprobe@optee.service" ];
      wants = [ "modprobe@optee.service" ];

      wantedBy = [ "multi-user.target" ];
    };
  };
}
nixos/tee-supplicant: add tee-supplicant module The tee-supplicant is a program that interacts with OP-TEE OS and allows loading trusted applications at runtime (among other things). There is an `optee` test included that uses the pkcs11 trusted application (in upstream OP-TEE OS), loads it during system startup via tee-supplicant, and uses `pkcs11-tool` to list available token slots. 2023-06-13 11:38:28 -07:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
			`}:`
			`let`
			`inherit (lib)`
			`getExe'`
			`mkEnableOption`
			`mkIf`
			`mkOption`
			`mkPackageOption`
			`types`
			`;`

			`cfg = config.services.tee-supplicant;`

			`taDir = "optee_armtz";`

			`trustedApplications = pkgs.linkFarm "runtime-trusted-applications" (`
			`map (`
			`ta:`
			`let`
			`# This is safe since we are using it as the path value, so the context`
			`# will still ensure that this nix store path exists on the running`
			`# system.`
			`taFile = builtins.baseNameOf (builtins.unsafeDiscardStringContext ta);`
			`in`
			`{`
			`name = "lib/${taDir}/${taFile}";`
			`path = ta;`
			`}`
			`) cfg.trustedApplications`
			`);`
			`in`
			`{`
			`options.services.tee-supplicant = {`
			`enable = mkEnableOption "OP-TEE userspace supplicant";`

			`package = mkPackageOption pkgs "optee-client" { };`

			`trustedApplications = mkOption {`
			`type = types.listOf types.path;`
			`default = [ ];`
			`description = ''`
			`A list of full paths to trusted applications that will be loaded at`
			`runtime by tee-supplicant.`
			`'';`
			`};`

			`pluginPath = mkOption {`
			`type = types.path;`
			`default = "/run/current-system/sw/lib/tee-supplicant/plugins";`
			`description = ''`
			`The directory where plugins will be loaded from on startup.`
			`'';`
			`};`

			`reeFsParentPath = mkOption {`
			`type = types.path;`
			`default = "/var/lib/tee";`
			`description = ''`
			`The directory where the secure filesystem will be stored in the rich`
			`execution environment (REE FS).`
			`'';`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`environment = mkIf (cfg.trustedApplications != [ ]) {`
			`systemPackages = [ trustedApplications ];`
			`pathsToLink = [ "/lib/${taDir}" ];`
			`};`

			`systemd.services.tee-supplicant = {`
			`description = "Userspace supplicant for OPTEE-OS";`

			`serviceConfig = {`
			`ExecStart = toString [`
			`(getExe' cfg.package "tee-supplicant")`
			`"--ta-dir ${taDir}"`
			`"--fs-parent-path ${cfg.reeFsParentPath}"`
			`"--plugin-path ${cfg.pluginPath}"`
			`];`
			`Restart = "always";`
			`};`

			`after = [ "modprobe@optee.service" ];`
			`wants = [ "modprobe@optee.service" ];`

			`wantedBy = [ "multi-user.target" ];`
			`};`
			`};`
			`}`