[meta-security][PATCH resend] Parsec-service: add parsec user to teeclnt group when optee is present

[meta-security][PATCH resend] Parsec-service: add parsec user to teeclnt group when optee is present

[Jerome Forissier]

The optee-client package provides a PKCS#11 interface that may be used by
Parsec with the below configuration. For this to work, the parsec user
needs to be a member of the teeclnt group. Therefore, add it when 'optee'
is present in MACHINE_FEATURES.

 # Provider configuration in /etc/parsec/config.toml
 [[provider]]
 name = "pkcs11-optee"
 provider_type = "Pkcs11"
 key_info_manager = "sqlite-manager"
 library_path = "/usr/lib/libckteec.so.0"

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
---
 .../recipes-parsec/parsec-service/parsec-service_1.0.0.bb        | 1 +
 1 file changed, 1 insertion(+)

This is a resend because a few hours after my initial post I still can't
find it at https://lists.yoctoproject.org/g/yocto/messages. I am now
subscribed to the list so hopefully it will help (although
https://git.yoctoproject.org/meta-security/tree/README doesn't mention
subscription).

diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
index ad7e560..ea2b0c9 100644
--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
+++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
@@ -68,6 +68,7 @@ USERADD_PACKAGES = "${PN}"
 USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec"
 GROUPADD_PARAM:${PN} = "-r parsec"
 GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}"
+GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('MACHINE_FEATURES', 'optee', '-a parsec -g teeclnt', '', d)}"
 
 FILES:${PN} += " \
     ${sysconfdir}/parsec/config.toml \
-- 
2.34.1

Re: [yocto] [meta-security][PATCH resend] Parsec-service: add parsec user to teeclnt group when optee is present

[Nicolas Dechesne]

[-- Attachment #1: Type: text/plain, Size: 2442 bytes --]

On Mon, Aug 29, 2022 at 4:05 PM Jerome Forissier <
jerome.forissier@linaro.org> wrote:

> The optee-client package provides a PKCS#11 interface that may be used by
> Parsec with the below configuration. For this to work, the parsec user
> needs to be a member of the teeclnt group. Therefore, add it when 'optee'
> is present in MACHINE_FEATURES.
>
>  # Provider configuration in /etc/parsec/config.toml
>  [[provider]]
>  name = "pkcs11-optee"
>  provider_type = "Pkcs11"
>  key_info_manager = "sqlite-manager"
>  library_path = "/usr/lib/libckteec.so.0"
>
> Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
> ---
>  .../recipes-parsec/parsec-service/parsec-service_1.0.0.bb        | 1 +
>  1 file changed, 1 insertion(+)
>
> This is a resend because a few hours after my initial post I still can't
> find it at https://lists.yoctoproject.org/g/yocto/messages. I am now
> subscribed to the list so hopefully it will help (although
> https://git.yoctoproject.org/meta-security/tree/README doesn't mention
> subscription).
>

Subscription is not required, but then you end up in the moderation queue.
I can see your message in the moderation queue, I will delete the original
message.


>
> diff --git a/meta-parsec/recipes-parsec/parsec-service/
> parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/
> parsec-service_1.0.0.bb
> index ad7e560..ea2b0c9 100644
> --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
> +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
> @@ -68,6 +68,7 @@ USERADD_PACKAGES = "${PN}"
>  USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d
> ${localstatedir}/lib/parsec parsec"
>  GROUPADD_PARAM:${PN} = "-r parsec"
>  GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS',
> 'tpm-provider', '-a parsec -g tss', '', d)}"
> +GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('MACHINE_FEATURES',
> 'optee', '-a parsec -g teeclnt', '', d)}"
>
>  FILES:${PN} += " \
>      ${sysconfdir}/parsec/config.toml \
> --
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#57934):
> https://lists.yoctoproject.org/g/yocto/message/57934
> Mute This Topic: https://lists.yoctoproject.org/mt/93326818/1279857
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [
> nicolas.dechesne@linaro.org]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

[-- Attachment #2: Type: text/html, Size: 4336 bytes --]

Re: [meta-security][PATCH resend] Parsec-service: add parsec user to teeclnt group when optee is present

[Anton Antonov]

[-- Attachment #1: Type: text/plain, Size: 456 bytes --]

The latest version of parsec-service recipe adds parsec into teeclnt group if Parsec is built with TS provider:

https://git.yoctoproject.org/meta-security/tree/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb#n75

In this case teeclnt group is created by libts recipe (it will be merged into meat-arm later this week).

With your change it's not clear what recipe will create the group. Could you point me to this recipe.

Anton

[-- Attachment #2: Type: text/html, Size: 655 bytes --]