mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-07-14 14:10:33 +03:00
b8937303ce
The tee-supplicant is a program that interacts with OP-TEE OS and allows loading trusted applications at runtime (among other things). There is an `optee` test included that uses the pkcs11 trusted application (in upstream OP-TEE OS), loads it during system startup via tee-supplicant, and uses `pkcs11-tool` to list available token slots.
95 lines
2.2 KiB
Nix
95 lines
2.2 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib)
|
|
getExe'
|
|
mkEnableOption
|
|
mkIf
|
|
mkOption
|
|
mkPackageOption
|
|
types
|
|
;
|
|
|
|
cfg = config.services.tee-supplicant;
|
|
|
|
taDir = "optee_armtz";
|
|
|
|
trustedApplications = pkgs.linkFarm "runtime-trusted-applications" (
|
|
map (
|
|
ta:
|
|
let
|
|
# This is safe since we are using it as the path value, so the context
|
|
# will still ensure that this nix store path exists on the running
|
|
# system.
|
|
taFile = builtins.baseNameOf (builtins.unsafeDiscardStringContext ta);
|
|
in
|
|
{
|
|
name = "lib/${taDir}/${taFile}";
|
|
path = ta;
|
|
}
|
|
) cfg.trustedApplications
|
|
);
|
|
in
|
|
{
|
|
options.services.tee-supplicant = {
|
|
enable = mkEnableOption "OP-TEE userspace supplicant";
|
|
|
|
package = mkPackageOption pkgs "optee-client" { };
|
|
|
|
trustedApplications = mkOption {
|
|
type = types.listOf types.path;
|
|
default = [ ];
|
|
description = ''
|
|
A list of full paths to trusted applications that will be loaded at
|
|
runtime by tee-supplicant.
|
|
'';
|
|
};
|
|
|
|
pluginPath = mkOption {
|
|
type = types.path;
|
|
default = "/run/current-system/sw/lib/tee-supplicant/plugins";
|
|
description = ''
|
|
The directory where plugins will be loaded from on startup.
|
|
'';
|
|
};
|
|
|
|
reeFsParentPath = mkOption {
|
|
type = types.path;
|
|
default = "/var/lib/tee";
|
|
description = ''
|
|
The directory where the secure filesystem will be stored in the rich
|
|
execution environment (REE FS).
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
environment = mkIf (cfg.trustedApplications != [ ]) {
|
|
systemPackages = [ trustedApplications ];
|
|
pathsToLink = [ "/lib/${taDir}" ];
|
|
};
|
|
|
|
systemd.services.tee-supplicant = {
|
|
description = "Userspace supplicant for OPTEE-OS";
|
|
|
|
serviceConfig = {
|
|
ExecStart = toString [
|
|
(getExe' cfg.package "tee-supplicant")
|
|
"--ta-dir ${taDir}"
|
|
"--fs-parent-path ${cfg.reeFsParentPath}"
|
|
"--plugin-path ${cfg.pluginPath}"
|
|
];
|
|
Restart = "always";
|
|
};
|
|
|
|
after = [ "modprobe@optee.service" ];
|
|
wants = [ "modprobe@optee.service" ];
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
};
|
|
};
|
|
}
|