nixpkgs/nixos/modules/services/hardware/tcsd.nix

# tcsd daemon.

{ config, pkgs, lib, ... }:

with lib;
let

  cfg = config.services.tcsd;

  tcsdConf = pkgs.writeText "tcsd.conf" ''
    port = 30003
    num_threads = 10
    system_ps_file = ${cfg.stateDir}/system.data
    # This is the log of each individual measurement done by the system.
    # By re-calculating the PCR registers based on this information, even
    # finer details about the measured environment can be inferred than
    # what is available directly from the PCR registers.
    firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
    kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
    #firmware_pcrs = 0,1,2,3,4,5,6,7
    #kernel_pcrs = 10,11
    platform_cred = ${cfg.platformCred}
    conformance_cred = ${cfg.conformanceCred}
    endorsement_cred = ${cfg.endorsementCred}
    #remote_ops = create_key,random
    #host_platform_class = server_12
    #all_platform_classes = pc_11,pc_12,mobile_12
  '';

in
{

  ###### interface

  options = {

    services.tcsd = {

      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to enable tcsd, a Trusted Computing management service
          that provides TCG Software Stack (TSS).  The tcsd daemon is
          the only portal to the Trusted Platform Module (TPM), a hardware
          chip on the motherboard.
        '';
      };

      user = mkOption {
        default = "tss";
        type = types.string;
        description = "User account under which tcsd runs.";
      };

      group = mkOption {
        default = "tss";
        type = types.string;
        description = "Group account under which tcsd runs.";
      };

      stateDir = mkOption {
	default = "/var/lib/tpm";
        type = types.path;
	description = ''
          The location of the system persistent storage file.
          The system persistent storage file holds keys and data across
          restarts of the TCSD and system reboots. 
	'';
      };

      platformCred = mkOption {
        default = "${cfg.stateDir}/platform.cert";
        type = types.path;
        description = ''
	  Path to the platform credential for your TPM. Your TPM
          manufacturer may have provided you with a set of credentials
          (certificates) that should be used when creating identities
          using your TPM. When a user of your TPM makes an identity,
          this credential will be encrypted as part of that process.
          See the 1.1b TPM Main specification section 9.3 for information
          on this process. '';
      };

      conformanceCred = mkOption {
        default = "${cfg.stateDir}/conformance.cert";
        type = types.path;
        description = ''
          Path to the conformance credential for your TPM.
          See also the platformCred option'';
      };

      endorsementCred = mkOption {
        default = "${cfg.stateDir}/endorsement.cert";
        type = types.path;
        description = ''
          Path to the endorsement credential for your TPM.
          See also the platformCred option'';
      };
    };

  };

  ###### implementation

  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.trousers ];

#    system.activationScripts.tcsd =
#      ''
#        chown ${cfg.user}:${cfg.group} ${tcsdConf}
#      '';

    systemd.services.tcsd = {
      description = "TCSD";
      after = [ "systemd-udev-settle.service" ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.trousers ];
      preStart =
        ''
        mkdir -m 0700 -p ${cfg.stateDir}
        chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
        '';
      serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}";
    };

    users.extraUsers = optionalAttrs (cfg.user == "tss") (singleton
      { name = "tss";
        group = "tss";
        uid = config.ids.uids.nginx;
      });

    users.extraGroups = optionalAttrs (cfg.group == "tss") (singleton
      { name = "tss";
        gid = config.ids.gids.nginx;
      });
  };
}
Added TCSD (Trusted Computing Group Software Stack (TSS) daemon). Start tcsd after systemd-udev-settle and run it in foreground. 2013-08-21 17:44:29 +02:00			`# tcsd daemon.`

Some pkgs.lib -> lib fixes 2014-08-25 14:40:40 +02:00			`{ config, pkgs, lib, ... }:`
Added TCSD (Trusted Computing Group Software Stack (TSS) daemon). Start tcsd after systemd-udev-settle and run it in foreground. 2013-08-21 17:44:29 +02:00
Some pkgs.lib -> lib fixes 2014-08-25 14:40:40 +02:00			`with lib;`
Added TCSD (Trusted Computing Group Software Stack (TSS) daemon). Start tcsd after systemd-udev-settle and run it in foreground. 2013-08-21 17:44:29 +02:00			`let`

			`cfg = config.services.tcsd;`

			`tcsdConf = pkgs.writeText "tcsd.conf" ''`
			`port = 30003`
			`num_threads = 10`
			`system_ps_file = ${cfg.stateDir}/system.data`
			`# This is the log of each individual measurement done by the system.`
			`# By re-calculating the PCR registers based on this information, even`
			`# finer details about the measured environment can be inferred than`
			`# what is available directly from the PCR registers.`
			`firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements`
			`kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements`
			`#firmware_pcrs = 0,1,2,3,4,5,6,7`
			`#kernel_pcrs = 10,11`
			`platform_cred = ${cfg.platformCred}`
			`conformance_cred = ${cfg.conformanceCred}`
			`endorsement_cred = ${cfg.endorsementCred}`
			`#remote_ops = create_key,random`
			`#host_platform_class = server_12`
			`#all_platform_classes = pc_11,pc_12,mobile_12`
			`'';`

			`in`
			`{`

			`###### interface`

			`options = {`

			`services.tcsd = {`

			`enable = mkOption {`
			`default = false;`
Add types to tcsd config options. 2014-04-22 13:39:28 +02:00			`type = types.bool;`
Added TCSD (Trusted Computing Group Software Stack (TSS) daemon). Start tcsd after systemd-udev-settle and run it in foreground. 2013-08-21 17:44:29 +02:00			`description = ''`
			`Whether to enable tcsd, a Trusted Computing management service`
			`that provides TCG Software Stack (TSS). The tcsd daemon is`
			`the only portal to the Trusted Platform Module (TPM), a hardware`
			`chip on the motherboard.`
			`'';`
			`};`

			`user = mkOption {`
			`default = "tss";`
Add types to tcsd config options. 2014-04-22 13:39:28 +02:00			`type = types.string;`
Added TCSD (Trusted Computing Group Software Stack (TSS) daemon). Start tcsd after systemd-udev-settle and run it in foreground. 2013-08-21 17:44:29 +02:00			`description = "User account under which tcsd runs.";`
			`};`

			`group = mkOption {`
			`default = "tss";`
Add types to tcsd config options. 2014-04-22 13:39:28 +02:00			`type = types.string;`
Added TCSD (Trusted Computing Group Software Stack (TSS) daemon). Start tcsd after systemd-udev-settle and run it in foreground. 2013-08-21 17:44:29 +02:00			`description = "Group account under which tcsd runs.";`
			`};`

			`stateDir = mkOption {`
			`default = "/var/lib/tpm";`
Add types to tcsd config options. 2014-04-22 13:39:28 +02:00			`type = types.path;`
Added TCSD (Trusted Computing Group Software Stack (TSS) daemon). Start tcsd after systemd-udev-settle and run it in foreground. 2013-08-21 17:44:29 +02:00			`description = ''`
			`The location of the system persistent storage file.`
			`The system persistent storage file holds keys and data across`
			`restarts of the TCSD and system reboots.`
			`'';`
			`};`

			`platformCred = mkOption {`
			`default = "${cfg.stateDir}/platform.cert";`
Add types to tcsd config options. 2014-04-22 13:39:28 +02:00			`type = types.path;`
Added TCSD (Trusted Computing Group Software Stack (TSS) daemon). Start tcsd after systemd-udev-settle and run it in foreground. 2013-08-21 17:44:29 +02:00			`description = ''`
			`Path to the platform credential for your TPM. Your TPM`
			`manufacturer may have provided you with a set of credentials`
			`(certificates) that should be used when creating identities`
			`using your TPM. When a user of your TPM makes an identity,`
			`this credential will be encrypted as part of that process.`
			`See the 1.1b TPM Main specification section 9.3 for information`
			`on this process. '';`
			`};`

			`conformanceCred = mkOption {`
			`default = "${cfg.stateDir}/conformance.cert";`
Add types to tcsd config options. 2014-04-22 13:39:28 +02:00			`type = types.path;`
Added TCSD (Trusted Computing Group Software Stack (TSS) daemon). Start tcsd after systemd-udev-settle and run it in foreground. 2013-08-21 17:44:29 +02:00			`description = ''`
			`Path to the conformance credential for your TPM.`
			`See also the platformCred option'';`
			`};`

			`endorsementCred = mkOption {`
			`default = "${cfg.stateDir}/endorsement.cert";`
Add types to tcsd config options. 2014-04-22 13:39:28 +02:00			`type = types.path;`
Added TCSD (Trusted Computing Group Software Stack (TSS) daemon). Start tcsd after systemd-udev-settle and run it in foreground. 2013-08-21 17:44:29 +02:00			`description = ''`
			`Path to the endorsement credential for your TPM.`
			`See also the platformCred option'';`
			`};`
			`};`

			`};`

			`###### implementation`

			`config = mkIf cfg.enable {`

			`environment.systemPackages = [ pkgs.trousers ];`

			`# system.activationScripts.tcsd =`
			`# ''`
			`# chown ${cfg.user}:${cfg.group} ${tcsdConf}`
			`# '';`

			`systemd.services.tcsd = {`
			`description = "TCSD";`
			`after = [ "systemd-udev-settle.service" ];`
			`wantedBy = [ "multi-user.target" ];`
			`path = [ pkgs.trousers ];`
			`preStart =`
			`''`
			`mkdir -m 0700 -p ${cfg.stateDir}`
			`chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}`
			`'';`
			`serviceConfig.ExecStart = "${pkgs.trousers}/sbin/tcsd -f -c ${tcsdConf}";`
			`};`

			`users.extraUsers = optionalAttrs (cfg.user == "tss") (singleton`
			`{ name = "tss";`
			`group = "tss";`
			`uid = config.ids.uids.nginx;`
			`});`

			`users.extraGroups = optionalAttrs (cfg.group == "tss") (singleton`
			`{ name = "tss";`
			`gid = config.ids.gids.nginx;`
			`});`
			`};`
			`}`