author | Vladimír Čunát <vcunat@gmail.com> | 2014-08-12 19:43:34 +0200 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2014-08-12 19:43:34 +0200 |
commit | bcdbbf3ea158b694192e12be9e719ec653b94fc2 (patch) | |
tree | 194a8ee9d61699f93df6d9e5ea94ef2d03d60ef0 /nixos | |
parent | 526edcaf15730fbe824335a25d20d98ab71b31c1 (diff) | |
parent | abd361173a9f50b55a15bf65593f78a5cf884703 (diff) | |
Merge #2129: add trusted computing components
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/misc/ids.nix | 1 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/rngd.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/hardware/tcsd.nix | 139 |
4 files changed, 143 insertions, 1 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 50903aadd53a..8a459ce5e889 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -254,6 +254,7 @@
 mopidy = 130;
 docker = 131;
 gdm = 132;
+ tss = 133;
 # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index a4c1896e09ec..d90c56f2412a 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -126,6 +126,7 @@
 ./services/hardware/pcscd.nix
 ./services/hardware/pommed.nix
 ./services/hardware/sane.nix
+ ./services/hardware/tcsd.nix
 ./services/hardware/thinkfan.nix
 ./services/hardware/udev.nix
 ./services/hardware/udisks2.nix
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index c31e57e6f6f8..4d8fabc7696e 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -30,7 +30,8 @@ with lib;
 description = "Hardware RNG Entropy Gatherer Daemon";
- serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f";
+ serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v"
+ + (if config.services.tcsd.enable then " --no-tpm=1" else "");
 restartTriggers = [ pkgs.rng_tools ];
 };
diff --git a/nixos/modules/services/hardware/tcsd.nix b/nixos/modules/services/hardware/tcsd.nix
new file mode 100644
index 000000000000..26b2c884b8f1
--- /dev/null
+++ b/nixos/modules/services/hardware/tcsd.nix
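Review bot: In the ids.nix hunk, `+ tss = 133;` is added only to the uids table; the gids table that begins right after the quoted comment gets no tss entry, although the new tcsd.nix module in this same commit creates a tss group and chowns its state directory to `tss:tss`. A matching `tss = 133;` line under gids keeps the user/group pair on one number and lets the module reference `config.ids.gids.tss` rather than borrowing another service's gid. The rest of the uids and gids tables lies outside the hunk.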
@@ -0,0 +1,139 @@
+# tcsd daemon.
+
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+let
+
+ cfg = config.services.tcsd;
+
+ tcsdConf = pkgs.writeText "tcsd.conf" ''
+ port = 30003
+ num_threads = 10
+ system_ps_file = ${cfg.stateDir}/system.data
+ # This is the log of each individual measurement done by the system.
+ # By re-calculating the PCR registers based on this information, even
+ # finer details about the measured environment can be inferred than
+ # what is available directly from the PCR registers.
+ firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
+ kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
+ #firmware_pcrs = 0,1,2,3,4,5,6,7
+ #kernel_pcrs = 10,11
+ platform_cred = ${cfg.platformCred}
+ conformance_cred = ${cfg.conformanceCred}
+ endorsement_cred = ${cfg.endorsementCred}
+ #remote_ops = create_key,random
+ #host_platform_class = server_12
+ #all_platform_classes = pc_11,pc_12,mobile_12
+ '';
+
+in
+{
+
+ ###### interface
+
+ options = {
+
+ services.tcsd = {
+
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Whether to enable tcsd, a Trusted Computing management service
+ that provides TCG Software Stack (TSS). The tcsd daemon is
+ the only portal to the Trusted Platform Module (TPM), a hardware
+ chip on the motherboard.
+ '';
+ };
+
+ user = mkOption {
+ default = "tss";
+ type = types.string;
+ description = "User account under which tcsd runs.";
+ };
+
+ group = mkOption {
+ default = "tss";
+ type = types.string;
+ description = "Group account under which tcsd runs.";
+ };
+
+ stateDir = mkOption {
+ default = "/var/lib/tpm";
+ type = types.path;
+ description = ''
+ The location of the system persistent storage file.
+ The system persistent storage file holds keys and data across
+ restarts of the TCSD and system reboots.
+ '';
+ };
+
+ platformCred = mkOption {
+ default = "${cfg.stateDir}/platform.cert";
+ type = types.path;
+ description = ''
+ Path to the platform credential for your TPM. Your TPM
+ manufacturer may have provided you with a set of credentials
+ (certificates) that should be used when creating identities
+ using your TPM. When a user of your TPM makes an identity,
+ this credential will be encrypted as part of that process.
+ See the 1.1b TPM Main specification section 9.3 for information
+ on this process. '';
+ };
+
+ conformanceCred = mkOption {
+ default = "${cfg.stateDir}/conformance.cert";
+ type = types.path;
+ description = ''
+ Path to the conformance credential for your TPM.
+ See also the platformCred option'';
+ };
+
+ endorsementCred = mkOption {
+ default = "${cfg.stateDir}/endorsement.cert";
+ type = types.path;
+ description = ''
+ Path to the endorsement credential for your TPM.
+ See also the platformCred option'';
+ };
+ };
+
+ };
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ environment.systemPackages = [ pkgs.trousers ];
+
+# system.activationScripts.tcsd =
+# ''
+# chown ${cfg.user}:${cfg.group} ${tcsdConf}
+# '';
+
+ systemd.services.tcsd = {
+ description = "TCSD";
+ after = [ "systemd-udev-settle.service" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.trousers ];
+ preStart =
+ ''
+ mkdir -m 0700 -p ${cfg.stateDir}
+ chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
+ '';
+ serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}";
+ };
+
+ users.extraUsers = optionalAttrs (cfg.user == "tss") (singleton
+ { name = "tss";
+ group = "tss";
+ uid = config.ids.uids.nginx;
+ });
+
+ users.extraGroups = optionalAttrs (cfg.group == "tss") (singleton
+ { name = "tss";
+ gid = config.ids.gids.nginx;
+ });
+ };
+}
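Review bot: The tss account created at the bottom of the hunk uses `uid = config.ids.uids.nginx;` and `gid = config.ids.gids.nginx;`, which makes tss the same identity as nginx: the 0700 state directory that preStart chowns to tss (system.data plus the platform, conformance and endorsement credential files) and the tcsd process itself become fully accessible to a network-facing service. These lines should read `uid = config.ids.uids.tss;` and `gid = config.ids.gids.tss;`, and since ids.nix in this commit adds tss only to the uids table, a matching `tss = 133;` entry is needed under gids as well. tcsd.conf also hard-codes `port = 30003` while leaving remote_ops commented out; trousers should then decline remote operations, but the TCP listener is still exposed, so a comment on the port line or a sentence in the enable description about firewalling it would help (I cannot see trousers' bind behaviour from here). The commented-out activationScripts block attempts to chown a Nix store path, which cannot succeed; either drop it or, if trousers enforces ownership and mode on its config file, copy tcsdConf into `${cfg.stateDir}` in preStart with the required owner and point `-c` at that copy.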