Addenda: As the whole /dev/tpm0 has no known use outside the security/tpm2-* stuff (nothing uses it besides these ports) ports it might be actually reasonable to just hardcode 0:601/0660 in the driver, but before proposing a change in the kernel driver I would really like to hear other opinions.
Thanks for any suggestion, A. > On 16 Apr 2025, at 15:50, Andrea Cocito <[email protected]> wrote: > > Hello, > > I am fixing a few things in the security/tpm2-* ports, among other problems > security/tpm2-abrmd does not seem to handle properly the permissions of > /dev/tpm0. > > At boot /dev/tpm0 is owned by root:weel and mode 0600; the port tpm2-abrmd > needs it to be at worst root:_tss and mode 0660, it tries to handle this by > installing a dedicated /usr/local/etc/devd/tpm2-abrmd-devd.conf; besides the > fact that the rules in the provided tpm2-abrmd-devd.conf are broken, this > cannot work even in principle: tpm0 device is not loaded dynamically (it’s > not an USB pen!) and devd does not receive any notification, because when the > device is loaded (at kernel boot time) devd isn’t even running yet. > > The only options I see are: > 1. Change the owner and permissions in the driver itself; but, while changing > the permissions is fine, hardcoding a non-system gid (_tss=601) in a kernel > driver does not look like a great idea to me. > 2. Have the port change /etc/devfs.conf when installed; but I do not know of > a “clean” way to do it > 3. Change the port so that user _tss is also member of wheel, and change the > driver so that the device is root:wheel mode 0660; but I see this as a > security issue > > So my questions are: > A: Does anyone see any other option besides the ones listed above? > B: What is the clean way to edit /etc/devfs.conf when installing a port ? > > About question “B”, it could be easily done in the "post-install” target (or > maybe done with “@postexec” and cleaned up with “@preunexec” in the plist?), > but the Porter's Handbook strongly discourages using this target for anything > besides changing files that the port itself installed; I have googled and > dinged into the documentation and could not find any clue. > > Looking at existing ports almost all of them end up with a note to the user > in post-installation messages: “Please add the following lines to > /etc/devfs.conf”; as it is not a change subject to administrator’s > discretion, and all tpm2-* stuff simply does not work without this change, I > do not think this is the best option. > > Any suggestion? > > Thanks, > > A. > >
