author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2021-03-09 19:06:18 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2021-03-10 23:05:48 +0100
commit: c9c4899f4444d9586e541b5e72597a37f949433a
tree: 28c5dcc2c06b53c60cf69c01f7bd8bd733334d56
parent: 0361cee4284a64ef6cdfd4613d531fa64d36ddab
udev: add default group for sgx enclave access
Closes #18669.

This creates a "well known" for sgx_enclave ownership. By doing this here we avoid the risk that various projects making use of the device will provide similar-but-slightly-incompatible installation instructions, in particular using different group names.

ACLs are actually a better approach to grant access to users, but not in all cases, so we want to provide a standard group anyway.

Mode is 0o660, not 0o666 because this is very new code and distributions are likely to not want to give full access to all users. This might change in the future, but being conservative is a good default in the beginning.

Rules for /dev/sgx_provision will be provided by libsg-ae-pce: https://github.com/intel/linux-sgx/issues/678.
-rw-r--r-- rules.d/50-udev-default.rules.in 2
-rw-r--r-- sysusers.d/basic.conf.in 1
2 files changed, 3 insertions, 0 deletions
diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in
index 346c742c87..edfa8bb107 100644
--- a/rules.d/50-udev-default.rules.in
+++ b/rules.d/50-udev-default.rules.in
@@ -39,6 +39,8 @@ SUBSYSTEM=="cec", GROUP="video"
SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="@GROUP_RENDER_MODE@"
SUBSYSTEM=="kfd", GROUP="render", MODE="@GROUP_RENDER_MODE@"
+SUBSYSTEM=="misc", KERNEL=="sgx_enclave", GROUP="sgx", MODE="0660"
+
# When using static_node= with non-default permissions, also update
# tmpfiles.d/static-nodes-permissions.conf.in to keep permissions synchronized.
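Review bot: the added `sgx_enclave` rule hard-codes `MODE="0660"` and has no comment, while the two render rules directly above it take their mode from `@GROUP_RENDER_MODE@`. The commit message says the mode may be relaxed later and that distributions may want different defaults, so consider either a build-time substitution in the same style or a one-line comment above the rule stating that 0660 is deliberate; a packager reading only the rules file would then see that access is meant to be limited to members of `sgx`. The rule also depends on the `sgx` group existing, which comes from the sysusers.d change in this same commit, so the two changes need to stay together in any backport.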
diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index 8e358c02d6..4be0bd869e 100644
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@@ -31,6 +31,7 @@ g input - - -
g kvm - - -
g lp - - -
g render - - -
+g sgx - - -
g tape - - -
g video - - -
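Review bot: the new `g sgx - - -` line leaves the GID field as `-`, so the group ID is allocated per host, the same as the neighbouring `kvm` and `render` entries. That is consistent with the file, but the group is what gates access to the enclave device under the new `GROUP="sgx", MODE="0660"` rule, so it is worth documenting (in the commit or the man page that lists the basic groups) that membership in `sgx` grants enclave access and that the numeric GID is not stable across machines. Alphabetical placement between `render` and `tape` looks right.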