Add /dev/tpm* permissions to clevis user about clevis HOT 6 CLOSED

@martinezjavier Can you take care of this?

from clevis.

@npmccallum sure thing, I'll take care of it.

from clevis.

@npmccallum I think that this should be solved at the package level. The tpm2 tools already have a udev rule that sets the owner of /dev/tpm[0-9]* to the tss user and group. So I think we should add usermod -a -G tss %{name} to the clevis specfile %pre section.

There are some things that I need to also fix on the tpm2 packages though, since the current udev rule only takes into account /dev/tpm[0-9]*, while we are using in Clevis the character device that exposes the resource manager /dev/tpmrm[0-9]*. And also the permission bits only allow the tss user ad not member of the tss group to access the device. Finally, this udev rule is installed by the tpm2-abrmd (user-space daemon) instead of the tpm2-tss (the TPM2 library, which makes more sense).

Anyways, these are orthogonal issues so I'll change the clevis package and then go to fix the issues in the tpm2-* ones.

from clevis.

I've proposed the following a pull request to the Clevis package. I've found another problem, but I'll fill it as a separate issue.

from clevis.

Okay, since we can fix this in the package, I'll close this bug.

from clevis.

@npmccallum yes, FYI I've already proposed a PR to the tpm2-abrmd project fixing the issues I mentioned with the current tpm udev rule:

tpm2-software/tpm2-abrmd#335

I'll also update the Fedora tpm2-abrmd package to ship the udev rule with the fixes.

from clevis.