udev: add default group for sgx enclave access
Closes #18669.

This creates a "well known" group for sgx_enclave ownership. By doing this here we
avoid the risk that various projects making use of the device will provide
similar-but-slightly-incompatible installation instructions, in particular
using different group names.

ACLs are actually a better approach to grant access to users, but not in all
cases, so we want to provide a standard group anyway.

Mode is 0o660, not 0o666 because this is very new code and distributions are
likely to not want to give full access to all users. This might change in the
future, but being conservative is a good default in the beginning.

Rules for /dev/sgx_provision will be provided by libsg-ae-pce:
intel/linux-sgx#678.
keszybz committed Mar 10, 2021
1 parent 9813d83 commit 7f82f97
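The commit message above relies on a packaging invariant: a udev rule that assigns GROUP="sgx" only resolves on systems where some sysusers.d fragment actually declares that group, and the mode it sets decides whether the node is usable by every local user. The following script, added here as an example and not systemd's own code, cross-checks the udev rule lines against the sysusers.d entries from this diff. The sample inputs are constructed from the lines visible in the two hunks; the value substituted for the @GROUP_RENDER_MODE@ placeholder is an assumption (in systemd it is a meson option), and the placeholder handling is generalised so any @NAME@ in a MODE= value is resolved the same way.

```python
"""Cross-check udev GROUP=/MODE= assignments against sysusers.d declarations.

Added example, not systemd's own code. It models the packaging invariant the
commit relies on: a udev rule naming GROUP="sgx" only resolves if some
sysusers.d fragment declares that group. The sample inputs are constructed
from the lines visible in the diff; the value substituted for
@GROUP_RENDER_MODE@ is an assumption (it is a meson option in systemd).
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the new sgx_enclave rule plus its two neighbours.
UDEV_RULES = """\
SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="@GROUP_RENDER_MODE@"
SUBSYSTEM=="kfd", GROUP="render", MODE="@GROUP_RENDER_MODE@"
SUBSYSTEM=="misc", KERNEL=="sgx_enclave", GROUP="sgx", MODE="0660"
"""

# Constructed sample: the sysusers.d hunk from the same commit.
SYSUSERS_CONF = """\
g kvm - - -
g lp - - -
g render - - -
g sgx - - -
g tape - - -
"""

# Assumed build-time substitution; use whatever your meson options set.
SUBSTITUTIONS = {"GROUP_RENDER_MODE": "0666"}

# One KEY<op>"value" token, optionally followed by the separating comma.
# Only the operators used in 50-udev-default.rules are needed here.
_TOKEN = re.compile(r'\s*(\w+)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*,?')


def parse_udev_rules(text: str) -> List[Dict[str, str]]:
    """Return one {key: value} dict per non-comment rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule, pos = {}, 0
        while pos < len(line):
            m = _TOKEN.match(line, pos)
            if m is None:
                raise ValueError(f"unparsable udev token: {line[pos:]!r}")
            key, _op, value = m.groups()
            rule[key] = value
            pos = m.end()
        rules.append(rule)
    return rules


def parse_sysusers_groups(text: str) -> Set[str]:
    """Return the group names declared by 'g NAME ...' lines."""
    return {fields[1] for fields in (line.split() for line in text.splitlines())
            if len(fields) >= 2 and fields[0] == "g"}


def resolve_mode(mode: str, subs: Dict[str, str]) -> Optional[int]:
    """Expand @NAME@ placeholders and parse octal; None if a placeholder is unknown."""
    try:
        expanded = re.sub(r"@(\w+)@", lambda m: subs[m.group(1)], mode)
    except KeyError:
        return None
    return int(expanded, 8)


def audit(rules_text: str, sysusers_text: str,
          subs: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag undeclared groups, unresolved modes and world-writable device nodes."""
    declared = parse_sysusers_groups(sysusers_text)
    findings: Dict[str, List[str]] = {
        "undefined_group": [], "unresolved_mode": [], "world_writable": []}
    for rule in parse_udev_rules(rules_text):
        label = rule.get("KERNEL") or rule.get("SUBSYSTEM") or "?"
        group = rule.get("GROUP")
        if group is not None and group not in declared:
            findings["undefined_group"].append(f"{label}: GROUP={group!r} not declared")
        if "MODE" in rule:
            mode = resolve_mode(rule["MODE"], subs)
            if mode is None:
                findings["unresolved_mode"].append(f"{label}: MODE={rule['MODE']}")
            elif mode & 0o002:  # 'other' write bit: any local user may open the node
                findings["world_writable"].append(f"{label}: MODE={rule['MODE']}")
    return findings


if __name__ == "__main__":
    for kind, items in audit(UDEV_RULES, SYSUSERS_CONF, SUBSTITUTIONS).items():
        print(f"{kind}: {items or 'none'}")
```

Run against the diff's own lines the check reports no undeclared group and no world-writable node for sgx_enclave, while the two render rules are reported as world-writable under the assumed 0666 substitution, which is exactly the distinction the commit message draws between 0660 and 0666. Point it at the full rules.d and sysusers.d directories of a build tree to catch a rule that names a group no fragment declares.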
Showing 2 changed files with 3 additions and 0 deletions.
2 changes: 2 additions & 0 deletions rules.d/50-udev-default.rules.in
@@ -40,6 +40,8 @@ SUBSYSTEM=="cec", GROUP="video"
SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="@GROUP_RENDER_MODE@"
SUBSYSTEM=="kfd", GROUP="render", MODE="@GROUP_RENDER_MODE@"

SUBSYSTEM=="misc", KERNEL=="sgx_enclave", GROUP="sgx", MODE="0660"

# When using static_node= with non-default permissions, also update
# tmpfiles.d/static-nodes-permissions.conf.in to keep permissions synchronized.

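Review bot: the new sgx_enclave rule hard-codes MODE="0660" while the renderD*/kfd rules directly above it take their mode from the @GROUP_RENDER_MODE@ build-time substitution; since the commit message already expects the mode to be loosened later, consider a matching meson-controlled placeholder (a hypothetical @GROUP_SGX_MODE@, say) or at least a comment above the rule stating why 0660 is fixed, so distributions that want 0666 do not have to patch the rule in place. The same comment could record that /dev/sgx_provision is intentionally not covered by this file, as the commit message says, so nobody later "completes" the rule set here.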
1 change: 1 addition & 0 deletions sysusers.d/basic.conf.in
@@ -31,6 +31,7 @@ g input - - -
g kvm - - -
g lp - - -
g render - - -
g sgx - - -
g tape - - -
g video - - -

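Review bot: `g sgx - - -` allocates the GID dynamically, like kvm and render, so the GROUP="sgx" reference in 50-udev-default.rules only resolves on systems that actually process this sysusers.d fragment; a NEWS entry saying that systemd now provides the sgx system group would help packagers who ship the udev rules file but create system groups by other means. The alphabetical placement between render and tape matches the rest of the list.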