From 9ba076a9af6c7120094ec26bc42e07f76e088cb8 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 24 Mar 2016 12:54:01 -0700 Subject: [PATCH 1/4] Install tpmown We need the tpmown app available in order to permit admins to configure the TPM correctly and take ownership. --- .../go-tspi/{go-tspi-0.1-r3.ebuild => go-tspi-0.1-r4.ebuild} | 0 .../coreos-overlay/app-crypt/go-tspi/go-tspi-9999.ebuild | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/{go-tspi-0.1-r3.ebuild => go-tspi-0.1-r4.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-0.1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-0.1-r4.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-0.1-r3.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-0.1-r4.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-9999.ebuild index e86b5ae454..beb1c97a78 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-9999.ebuild @@ -21,10 +21,10 @@ DEPEND="${RDEPEND}" src_compile() { go_build "${COREOS_GO_PACKAGE}/tpmd" + go_build "${COREOS_GO_PACKAGE}/tpmown" } src_install() { dobin ${GOBIN}/* systemd_dounit "${FILESDIR}"/tpmd.service - systemd_enable_service multi-user.target tpmd.service } From 1a03a35c330a62a9607e7e21f01f23cd7ed51cef Mon Sep 17 00:00:00 2001 
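Review bot: The `src_install()` hunk also removes `systemd_enable_service multi-user.target tpmd.service`, which the commit message (it only talks about installing tpmown) does not mention, so tpmd appears to stop being enabled by default for anyone picking up this revision. Not enabling a remote TPM access daemon by default is a sensible posture, but the intent is inferred here rather than stated. A comment above `systemd_dounit` would record it, e.g. `# tpmd.service is installed but intentionally not enabled; admins enable it after taking ownership with tpmown`. The description should mention the behaviour change as well.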
From: Matthew Garrett Date: Thu, 24 Mar 2016 12:54:41 -0700 Subject: [PATCH 2/4] Fix up tpmd service This has to run as root (in order to be able to read the kernel event logs) and be given a port to bind to. --- .../coreos-overlay/app-crypt/go-tspi/files/tpmd.service | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/files/tpmd.service b/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/files/tpmd.service index 20c3a7356e..7af811da6f 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/files/tpmd.service +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/files/tpmd.service @@ -3,8 +3,7 @@ Description=TPM remote access daemon Requires=tcsd.service [Service] -User=tss -ExecStart=/bin/tpmd +ExecStart=/bin/tpmd 23179 [Install] WantedBy=multi-user.target From 69fb2322b02e4cae7be8ae5d35f7a4e411a73a97 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 24 Mar 2016 13:16:51 -0700 Subject: [PATCH 3/4] Update to current HEAD --- .../coreos-overlay/app-crypt/go-tspi/go-tspi-9999.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-9999.ebuild index beb1c97a78..27888c2b06 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/go-tspi-9999.ebuild @@ -7,7 +7,7 @@ EGIT_REPO_URI="git://github.com/coreos/go-tspi.git" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm64" else - EGIT_COMMIT="1708d740a1fec08db39d9c15960ed6cc3a7e974a" + EGIT_COMMIT="27182e3e7b1dfcfb398b5408a619abc4f652a38b" KEYWORDS="amd64 arm64" fi From ddbbbc80a529e01ec74bb413a23d989b9432918a Mon Sep 17 00:00:00 2001 
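Review bot: Removing `User=tss` from `[Service]` in tpmd.service leaves a network-facing daemon (ExecStart now passes port 23179) running as unrestricted root, with nothing in the unit to confine it. If root is needed only to read the kernel event log, as the description says, the rest of its privileges can still be narrowed with `NoNewPrivileges=yes`, `ProtectSystem=full` and `ProtectHome=yes`, assuming tpmd does not write to those locations and the shipped systemd supports the directives. The hunk does not show which address tpmd binds to; if it listens on all interfaces, reachability of the port has to be limited elsewhere, for example by the host firewall. A comment next to `ExecStart=` such as `# runs as root: needs read access to the kernel TPM event log` would keep the reason visible in the unit itself.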
From: Matthew Garrett Date: Thu, 24 Mar 2016 13:19:31 -0700 Subject: [PATCH 4/4] Restart tpmd on failure This is a critical component - make sure it restarts on any failures --- .../coreos-overlay/app-crypt/go-tspi/files/tpmd.service | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/files/tpmd.service b/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/files/tpmd.service index 7af811da6f..edf5c70aed 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/files/tpmd.service +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/go-tspi/files/tpmd.service @@ -4,6 +4,8 @@ Requires=tcsd.service [Service] ExecStart=/bin/tpmd 23179 +Restart=always +RestartSec=0 [Install] WantedBy=multi-user.target
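Review bot: `Restart=always` together with `RestartSec=0` restarts tpmd in a tight loop on persistent failure. With systemd's default start rate limit (five starts in ten seconds, unless the system configuration changes it) the unit is then marked failed and no longer restarted, which defeats the purpose stated in the commit message. A delay such as `RestartSec=5` keeps repeated failures below that limit. The unit also declares `Requires=tcsd.service` but, as far as these hunks show, no ordering on it, so tpmd may start before tcsd is ready and fail straight away; `After=tcsd.service` in `[Unit]` would cover that.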