On 2025-04-16 12:12, Andrea Cocito wrote:
Addenda: As the whole /dev/tpm0 has no known use outside the security/tpm2-* stuff (nothing uses it besides these ports), it might be actually reasonable to just hardcode 0:601/0660 in the driver, but before proposing a change in the kernel driver I would really like to hear other opinions. Thanks for any suggestion,
OK, I've got a few ideas off the top of my head on how I might approach this. But I'll simply suggest looking at how the video drivers in the ports tree handle this, specifically the DRM modules. As to "editing" /etc/devfs.conf: can't you simply use ${CAT}? i.e.:
${CAT} >> /path/to/target.file <<EOF
something here
something else
something # with a comment
EOF
or perhaps even easier:
${CAT} /path/to/input/file >> /path/to/target/file
Just a couple thoughts.
A.

On 16 Apr 2025, at 15:50, Andrea Cocito <[email protected]> wrote:

Hello,

I am fixing a few things in the security/tpm2-* ports; among other problems, security/tpm2-abrmd does not seem to handle properly the permissions of /dev/tpm0.

At boot /dev/tpm0 is owned by root:wheel and mode 0600; the port tpm2-abrmd needs it to be at worst root:_tss and mode 0660. It tries to handle this by installing a dedicated /usr/local/etc/devd/tpm2-abrmd-devd.conf; besides the fact that the rules in the provided tpm2-abrmd-devd.conf are broken, this cannot work even in principle: the tpm0 device is not loaded dynamically (it's not a USB pen!) and devd does not receive any notification, because when the device is loaded (at kernel boot time) devd isn't even running yet.

The only options I see are:

1. Change the owner and permissions in the driver itself; but, while changing the permissions is fine, hardcoding a non-system gid (_tss=601) in a kernel driver does not look like a great idea to me.
2. Have the port change /etc/devfs.conf when installed; but I do not know of a "clean" way to do it.
3. Change the port so that user _tss is also a member of wheel, and change the driver so that the device is root:wheel mode 0660; but I see this as a security issue.

So my questions are:

A: Does anyone see any other option besides the ones listed above?
B: What is the clean way to edit /etc/devfs.conf when installing a port?

About question "B", it could be easily done in the "post-install" target (or maybe done with "@postexec" and cleaned up with "@preunexec" in the plist?), but the Porter's Handbook strongly discourages using this target for anything besides changing files that the port itself installed; I have googled and dug into the documentation and could not find any clue.

Looking at existing ports, almost all of them end up with a note to the user in the post-installation messages: "Please add the following lines to /etc/devfs.conf"; as it is not a change subject to the administrator's discretion, and all the tpm2-* stuff simply does not work without this change, I do not think this is the best option.

Any suggestion? Thanks,

A.
-- 
Be a measuring stick of quality. Not everyone is used to an environment where excellence is expected.
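As an added example (not code from the thread or from the tpm2-abrmd port), here is a POSIX sh sketch of the "edit /etc/devfs.conf on install" approach from question B, done the way the ${CAT} suggestion implies but made idempotent and reversible: the rules land once inside a marked block, and the deinstall step removes exactly that block. The group _tss (from the thread), the marker text and the FILE argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: keep a marked block of
# devfs.conf(5) rules for /dev/tpm0 so a port's post-install step can add it
# once and its deinstall step can remove exactly what was added.
# Rule lines use the plain "action device value" form that /etc/rc.d/devfs
# reads at boot; the markers sit on their own comment lines so they are never
# parsed as part of a rule. Nothing here touches the live /dev tree.
# Assumptions (hypothetical): group _tss as in the thread, the marker text,
# and a FILE argument so the functions can be run on a scratch copy rather
# than the real /etc/devfs.conf.

TPM_GROUP="${TPM_GROUP:-_tss}"
BEGIN_MARK="# BEGIN tpm2-abrmd managed rules"   # no regex metacharacters
END_MARK="# END tpm2-abrmd managed rules"

# add_tpm_devfs_rules FILE -- append the block unless it is already there
add_tpm_devfs_rules() {
    f="$1"
    [ -e "$f" ] || : > "$f" || return 1
    if grep -q -x -F "$BEGIN_MARK" "$f"; then
        return 0                       # idempotent: a second run changes nothing
    fi
    cat >> "$f" <<EOF
$BEGIN_MARK
own tpm0 root:$TPM_GROUP
perm tpm0 0660
$END_MARK
EOF
}

# remove_tpm_devfs_rules FILE -- delete only the marked block (for @preunexec)
remove_tpm_devfs_rules() {
    f="$1"
    tmp="$f.tmp.$$"
    sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$f" > "$tmp" && mv "$tmp" "$f"
}

# count_tpm_devfs_rules FILE -- print how many own/perm rules for tpm0 exist
count_tpm_devfs_rules() {
    [ -e "$1" ] || { echo 0; return 0; }
    grep -c -E '^(own|perm)[[:space:]]+tpm0[[:space:]]' "$1" || true
}
```

The file is only read at boot by the devfs rc script, so after editing it on a running system the rules still have to be applied to the current /dev.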
