udev: add default group for sgx enclave access

Closes #18669.

This creates a "well known" for sgx_enclave ownership. By doing this here we
avoid the risk that various projects making use of the device will provide
similar-but-slightly-incompatible installation instructions, in particular
using different group names.

ACLs are actually a better approach to grant access to users, but not in all
cases, so we want to provide a standard group anyway.

Mode is 0o660, not 0o666 because this is very new code and distributions are
likely to not want to give full access to all users. This might change in the
future, but being conservative is a good default in the beginning.

Rules for /dev/sgx_provision will be provided by libsg-ae-pce:
https://github.com/intel/linux-sgx/issues/678.

diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in
index 346c742c87f7884e31cf4d8f4dc3458eccd37f36..edfa8bb107e5d5a3c5a75afd616f0eb56c3319e5 100644 (file)
--- a/rules.d/50-udev-default.rules.in
+++ b/rules.d/50-udev-default.rules.in
@@ -39,6 +39,8 @@ SUBSYSTEM=="cec", GROUP="video"
 SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="@GROUP_RENDER_MODE@"
 SUBSYSTEM=="kfd", GROUP="render", MODE="@GROUP_RENDER_MODE@"
 
+SUBSYSTEM=="misc", KERNEL=="sgx_enclave", GROUP="sgx", MODE="0660"
+
 # When using static_node= with non-default permissions, also update
 # tmpfiles.d/static-nodes-permissions.conf.in to keep permissions synchronized.
 

diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index 8e358c02d65e27480952cdfeda5afc04674c4092..4be0bd869e7fff6f7016403ca86f4dab38778417 100644 (file)
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@@ -31,6 +31,7 @@ g input   -     -            -
 g kvm     -     -            -
 g lp      -     -            -
 g render  -     -            -
+g sgx     -     -            -
 g tape    -     -            -
 g video   -     -            -