* [meta-security][PATCH resend] Parsec-service: add parsec user to teeclnt group when optee is present
@ 2022-08-29 14:04 Jerome Forissier
From: Jerome Forissier @ 2022-08-29 14:04 UTC (permalink / raw)
To: yocto; +Cc: Jerome Forissier
The optee-client package provides a PKCS#11 interface that may be used by
Parsec with the below configuration. For this to work, the parsec user
needs to be a member of the teeclnt group. Therefore, add it when 'optee'
is present in MACHINE_FEATURES.
# Provider configuration in /etc/parsec/config.toml
[[provider]]
name = "pkcs11-optee"
provider_type = "Pkcs11"
key_info_manager = "sqlite-manager"
library_path = "/usr/lib/libckteec.so.0"
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
---
.../recipes-parsec/parsec-service/parsec-service_1.0.0.bb | 1 +
1 file changed, 1 insertion(+)
This is a resend because a few hours after my initial post I still can't
find it at https://lists.yoctoproject.org/g/yocto/messages. I am now
subscribed to the list so hopefully it will help (although
https://git.yoctoproject.org/meta-security/tree/README doesn't mention
subscription).
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
index ad7e560..ea2b0c9 100644
--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
+++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
@@ -68,6 +68,7 @@ USERADD_PACKAGES = "${PN}"
USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec"
GROUPADD_PARAM:${PN} = "-r parsec"
GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}"
+GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('MACHINE_FEATURES', 'optee', '-a parsec -g teeclnt', '', d)}"
FILES:${PN} += " \
${sysconfdir}/parsec/config.toml \
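Review bot: The added `GROUPMEMS_PARAM:${PN} =` line reassigns the variable that the tpm-provider line directly above it has just set, so the second `=` replaces the first value instead of adding to it. With 'optee' in MACHINE_FEATURES the `-a parsec -g tss` entry is lost, and without 'optee' the variable ends up empty even when tpm-provider is enabled. Build a single value that carries both conditional entries (useradd.bbclass takes several groupmems entries separated by `;`) so that the tss and teeclnt memberships can coexist.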
--
2.34.1
* Re: [yocto] [meta-security][PATCH resend] Parsec-service: add parsec user to teeclnt group when optee is present
From: Nicolas Dechesne @ 2022-08-29 16:35 UTC (permalink / raw)
To: Jerome Forissier; +Cc: yocto
On Mon, Aug 29, 2022 at 4:05 PM Jerome Forissier <jerome.forissier@linaro.org> wrote:
> The optee-client package provides a PKCS#11 interface that may be used by
> Parsec with the below configuration. For this to work, the parsec user
> needs to be a member of the teeclnt group. Therefore, add it when 'optee'
> is present in MACHINE_FEATURES.
>
> # Provider configuration in /etc/parsec/config.toml
> [[provider]]
> name = "pkcs11-optee"
> provider_type = "Pkcs11"
> key_info_manager = "sqlite-manager"
> library_path = "/usr/lib/libckteec.so.0"
>
> Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
> ---
> .../recipes-parsec/parsec-service/parsec-service_1.0.0.bb | 1 +
> 1 file changed, 1 insertion(+)
>
> This is a resend because a few hours after my initial post I still can't
> find it at https://lists.yoctoproject.org/g/yocto/messages. I am now
> subscribed to the list so hopefully it will help (although
> https://git.yoctoproject.org/meta-security/tree/README doesn't mention
> subscription).
>
Subscription is not required, but then you end up in the moderation queue.
I can see your message in the moderation queue; I will delete the original
message.
>
> diff --git a/meta-parsec/recipes-parsec/parsec-service/
> parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/
> parsec-service_1.0.0.bb
> index ad7e560..ea2b0c9 100644
> --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
> +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
> @@ -68,6 +68,7 @@ USERADD_PACKAGES = "${PN}"
> USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d
> ${localstatedir}/lib/parsec parsec"
> GROUPADD_PARAM:${PN} = "-r parsec"
> GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS',
> 'tpm-provider', '-a parsec -g tss', '', d)}"
> +GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('MACHINE_FEATURES',
> 'optee', '-a parsec -g teeclnt', '', d)}"
>
> FILES:${PN} += " \
> ${sysconfdir}/parsec/config.toml \
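Review bot: The `-a parsec -g teeclnt` entry on the added line assumes the teeclnt group already exists when this recipe's user setup runs, but the visible GROUPADD_PARAM only creates parsec and nothing in the hunk depends on a recipe that creates teeclnt. Name the recipe that provides the group and add a dependency on it under the same 'optee' condition, so the membership step cannot run before the group exists.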
> --
> 2.34.1
* Re: [meta-security][PATCH resend] Parsec-service: add parsec user to teeclnt group when optee is present
From: Anton Antonov @ 2022-08-30 15:51 UTC (permalink / raw)
To: yocto
The latest version of the parsec-service recipe adds parsec to the teeclnt group if Parsec is built with the TS provider:
https://git.yoctoproject.org/meta-security/tree/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb#n75
In this case the teeclnt group is created by the libts recipe (it will be merged into meta-arm later this week).
With your change it's not clear what recipe will create the group. Could you point me to this recipe?
Anton