New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/tpm2: init #72029
nixos/tpm2: init #72029
Conversation
d1c64a0
to
2936834
Compare
2936834
to
291689b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know much about TPM, but I'm wondering whether it's worth having some of these options. In particular I can't see a use case for changing tssUser
and tssGroup
, a fixed value will probably work fine, same for abrmd.user
. applyUdevRules
seems also like it could be an unconfigurable true
, would anybody want to turn that off? Same for setEnvironmentVariables
. What do you think?
@infinisil Regarding your comments on the different (configurable) options:
I thereby conclude, that unfortunately the complexity of this module cannot be reduced significantly without trade offs. |
|
Extending my points above:
|
Alright I see, you convinced me :) Looks ready to merge then after the adjustments above |
291689b
to
41dfe2e
Compare
Okay, so this has been a long time coming. I've finally addressed your concerns @infinisil and used this module in a working production setup, polishing one or the other thing. The behaviour now comes as close to "working out of the box" and "confirming to the TPM2 TSS desired setup" as I can think of. The default configuration now leads to the following device ownership:
This works for most use cases (where the "device" TCTI is used), however breaks the userspace resource manager, which must run as non-root, but still have access to the TPM device and ships only with D-Bus rules for "tss". Therefore, when using the userspace resource manager, the device is instead owned by "tss", which is then automatically set as the device owner per udev rule. If you want to, you can still override most things. Quite confusing, but should cause the least troubles. However, this module is now dependent on #72374 which should be ready too. |
41dfe2e
to
a6f1bf6
Compare
5caf86a
to
390ea69
Compare
Now that #72374 is done, this one should be ready again. Could you remove the "blocked" label, @infinisil? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still some things to improve, I hope you don't mind!
There's always room for improvement - I'm willing to invest more time. Unfortunately, I got sick, hence the delay. |
I saw some interest for this PR on IRC by @danderson, so here I am with a ping :) |
390ea69
to
e5be86e
Compare
Glad to know there's interest. It'll be a big step if NixOS will support TPM2 modules without much hassle and manual setup. There's great potential, as long as the TPM is not an Intel fTPM. I've tried to address all your change requests and they did improve the module quite a lot. Maybe this will be the last iteration? :) Feel free to "resolve" the conversations if you feel I've sufficiently addressed the underlying issues. When this is merged I can finally write my blog post on how to do TPM-based SSH using the PKCS#11 module. |
e5be86e
to
505bc37
Compare
Ready for another review round I guess. |
This commit adds udev rules, the userspace resource manager and PKCS#11 module support.
505bc37
to
156b879
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good!
Motivation for this change
The TPM2 device files should be owned by a specific user. In addition to that, the TPM2 kernel resource manager (
/dev/tpmrm*
) should be owned by a specific group, such that an unprivileged user is able to access this device.Furthermore, this commit adds a systemd service for the
tpm2-abrmd
userspace resource manager (merged in #72018), on which many applications still rely.Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nix-review --run "nix-review wip"
./result/bin/
)nix path-info -S
before and after)@Lassulus