tpm_manager/server/tpm_managerd.conf - third_party/platform2 - Git at Google

 # Copyright 2015 The ChromiumOS Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description     "Chromium OS device tpm_manager service."
 author          "chromium-os-dev@chromium.org"

 start on started boot-services and started tcsd
 stop on hwsec-stop-tpm_manager-signal
 respawn

 oom score -100

 tmpfiles /usr/lib/tmpfiles.d/tpm_manager.conf

 # KEY_EVICTION value is set from the ebuild file if the USE flag is enabled.
 env KEY_EVICTION=""

 env TPM_MANAGER_FREEZER_CGROUP_DIR=/sys/fs/cgroup/freezer/tpm_manager

 pre-start script
   # Migration errors are non-fatal for the daemon startup.
   local_data_migration || true
   check_tpm_preinit_condition || true
   # Reinvoke tmpfiles so that the files created by pre-start script are
   # properly configured
   /usr/bin/systemd-tmpfiles --create --remove --clean \
       /usr/lib/tmpfiles.d/tpm_manager.conf
 end script

 expect fork
 script
   # TODO(b/259005156): refactor this section for minijail mount setup. We can
   # export those as a separate upstart event so we don't have to do it for
   # every single miniajil setup, and can be shared with all other daemons.
   # Some bind mount arguments should be set conditionally.
   set --
   # TPM1.2 devices need to read /run/tcsd/tcsd.socket.
   if [ -d "/run/tcsd" ]; then
     set -- "$@" -b /run/tcsd
   fi
   # Files in /sys/class/tpm/tpm0 need to be readable for TPM_DYNAMIC case. Note
   # that some flex devices may not have tpm, so we bind mount it conditionally.
   # And mount the point with writable, so we can control TPM PPI.
   if [ -d "/sys/class/tpm/tpm0" ]; then
     set -- "$@" -b /sys/class/tpm/tpm0,,1
   fi
   # Same for /sys/class/dmi/id files.
   if [ -d "/sys/class/dmi/id" ]; then
     set -- "$@" -b /sys/class/dmi/id,,1
   fi

   exec minijail0 --config /usr/share/minijail/tpm_managerd.conf              \
   "$@"                                                                       \
   -u tpm_manager -G -g tpm_manager                                           \
   -S /usr/share/policy/tpm_managerd-seccomp.policy                           \
   -- /usr/sbin/tpm_managerd
 end script

 post-start script
   if [ "${KEY_EVICTION}" = true ]; then
   /usr/bin/systemd-tmpfiles --create --remove --clean \
      /usr/lib/tmpfiles.d/tpm_manager_freezer.conf
     echo $(status | cut -f 4 -d ' ') > \
       "${TPM_MANAGER_FREEZER_CGROUP_DIR}/cgroup.procs"
   fi

   # Wait for daemon to claim its D-Bus name.
   exec minijail0 -u tpm_manager -G \
     /usr/bin/gdbus wait --system --timeout 15 org.chromium.TpmManager
 end script
	# Copyright 2015 The ChromiumOS Authors
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Chromium OS device tpm_manager service."
	author "chromium-os-dev@chromium.org"

	start on started boot-services and started tcsd
	stop on hwsec-stop-tpm_manager-signal
	respawn

	oom score -100

	tmpfiles /usr/lib/tmpfiles.d/tpm_manager.conf

	# KEY_EVICTION value is set from the ebuild file if the USE flag is enabled.
	env KEY_EVICTION=""

	env TPM_MANAGER_FREEZER_CGROUP_DIR=/sys/fs/cgroup/freezer/tpm_manager

	pre-start script
	# Migration errors are non-fatal for the daemon startup.
	local_data_migration \|\| true
	check_tpm_preinit_condition \|\| true
	# Reinvoke tmpfiles so that the files created by pre-start script are
	# properly configured
	/usr/bin/systemd-tmpfiles --create --remove --clean \
	/usr/lib/tmpfiles.d/tpm_manager.conf
	end script

	expect fork
	script
	# TODO(b/259005156): refactor this section for minijail mount setup. We can
	# export those as a separate upstart event so we don't have to do it for
	# every single miniajil setup, and can be shared with all other daemons.
	# Some bind mount arguments should be set conditionally.
	set --
	# TPM1.2 devices need to read /run/tcsd/tcsd.socket.
	if [ -d "/run/tcsd" ]; then
	set -- "$@" -b /run/tcsd
	fi
	# Files in /sys/class/tpm/tpm0 need to be readable for TPM_DYNAMIC case. Note
	# that some flex devices may not have tpm, so we bind mount it conditionally.
	# And mount the point with writable, so we can control TPM PPI.
	if [ -d "/sys/class/tpm/tpm0" ]; then
	set -- "$@" -b /sys/class/tpm/tpm0,,1
	fi
	# Same for /sys/class/dmi/id files.
	if [ -d "/sys/class/dmi/id" ]; then
	set -- "$@" -b /sys/class/dmi/id,,1
	fi

	exec minijail0 --config /usr/share/minijail/tpm_managerd.conf \
	"$@" \
	-u tpm_manager -G -g tpm_manager \
	-S /usr/share/policy/tpm_managerd-seccomp.policy \
	-- /usr/sbin/tpm_managerd
	end script

	post-start script
	if [ "${KEY_EVICTION}" = true ]; then
	/usr/bin/systemd-tmpfiles --create --remove --clean \
	/usr/lib/tmpfiles.d/tpm_manager_freezer.conf
	echo $(status \| cut -f 4 -d ' ') > \
	"${TPM_MANAGER_FREEZER_CGROUP_DIR}/cgroup.procs"
	fi

	# Wait for daemon to claim its D-Bus name.
	exec minijail0 -u tpm_manager -G \
	/usr/bin/gdbus wait --system --timeout 15 org.chromium.TpmManager
	end script