From 6037b4dfcf67d28147edf5f7554131ef24313f2c Mon Sep 17 00:00:00 2001
From: Gary Guo
Date: Fri, 10 Nov 2023 01:30:46 +0000
Subject: [PATCH 1/2] tpm2-pkcs11: 1.8.0 -> 1.9.0
---
 .../tpm2-pkcs11/0001-configure-ac-version.patch | 13 -------------
 pkgs/misc/tpm2-pkcs11/default.nix | 11 ++++-------
 pkgs/misc/tpm2-pkcs11/version.patch | 10 ++++++++++
 3 files changed, 14 insertions(+), 20 deletions(-)
 delete mode 100644 pkgs/misc/tpm2-pkcs11/0001-configure-ac-version.patch
 create mode 100644 pkgs/misc/tpm2-pkcs11/version.patch
diff --git a/pkgs/misc/tpm2-pkcs11/0001-configure-ac-version.patch b/pkgs/misc/tpm2-pkcs11/0001-configure-ac-version.patch
deleted file mode 100644
index fa2575cb938a..000000000000
--- a/pkgs/misc/tpm2-pkcs11/0001-configure-ac-version.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index e861e42..018c19c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -26,7 +26,7 @@
- #;**********************************************************************;
- 
- AC_INIT([tpm2-pkcs11],
-- [m4_esyscmd_s([git describe --tags --always --dirty])],
-+ [git-@VERSION@],
- [https://github.com/tpm2-software/tpm2-pkcs11/issues],
- [],
- [https://github.com/tpm2-software/tpm2-pkcs11])
diff --git a/pkgs/misc/tpm2-pkcs11/default.nix b/pkgs/misc/tpm2-pkcs11/default.nix
index dd0cf011b158..faf2bdd5570c 100644
--- a/pkgs/misc/tpm2-pkcs11/default.nix
+++ b/pkgs/misc/tpm2-pkcs11/default.nix
@@ -6,25 +6,22 @@
 stdenv.mkDerivation rec {
 pname = "tpm2-pkcs11";
- version = "1.8.0";
+ version = "1.9.0";
 src = fetchFromGitHub {
 owner = "tpm2-software";
 repo = pname;
 rev = version;
- sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";
+ sha256 = "sha256-SoHtgZRIYNJg4/w1MIocZAM26mkrM+UOQ+RKCh6nwCk=";
 };
- patches = lib.singleton (
- substituteAll {
- src = ./0001-configure-ac-version.patch;
- VERSION = version;
- });
+ patches = [ ./version.patch ];
 # The preConfigure phase doesn't seem to be working here
 # ./bootstrap MUST be executed as the first step, before all
 # of the autoreconfHook stuff
 postPatch = ''
+ echo ${version} > VERSION
 ./bootstrap
 '';
diff --git a/pkgs/misc/tpm2-pkcs11/version.patch b/pkgs/misc/tpm2-pkcs11/version.patch
new file mode 100644
index 000000000000..297a7bd53736
--- /dev/null
+++ b/pkgs/misc/tpm2-pkcs11/version.patch
@@ -0,0 +1,10 @@
+--- a/bootstrap
++++ b/bootstrap
+@@ -4,7 +4,6 @@
+ 
+ # Generate a VERSION file that is included in the dist tarball to avoid needed git
+ # when calling autoreconf in a release tarball.
+-git describe --tags --always --dirty > VERSION
+ 
+ # generate list of source files for use in Makefile.am
+ # if you add new source files, you must run ./bootstrap again
From 9aa795690a4c6d572beb94e70cfbbcde06474c9b Mon Sep 17 00:00:00 2001
From: Gary Guo
Date: Fri, 10 Nov 2023 02:10:43 +0000
Subject: [PATCH 2/2] tpm2-pkcs11: allow fapi support to be disabled
---
 pkgs/misc/tpm2-pkcs11/default.nix | 11 +++-
 .../misc/tpm2-pkcs11/graceful-fapi-fail.patch | 51 +++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/misc/tpm2-pkcs11/graceful-fapi-fail.patch
diff --git a/pkgs/misc/tpm2-pkcs11/default.nix b/pkgs/misc/tpm2-pkcs11/default.nix
index faf2bdd5570c..91b7c31eb323 100644
--- a/pkgs/misc/tpm2-pkcs11/default.nix
+++ b/pkgs/misc/tpm2-pkcs11/default.nix
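Review bot: Nothing in the derivation records that `./version.patch` and the new `echo ${version} > VERSION` line in postPatch only work as a pair: the patch deletes the `git describe ... > VERSION` step from ./bootstrap, and the echo is what now produces the file that the build presumably reads for its version string (the bootstrap comment kept in version.patch says the file exists so autoreconf does not need git). A comment above `patches = [ ./version.patch ];` such as `# version.patch stops ./bootstrap from running git describe; postPatch writes the pinned version to VERSION instead` would make the coupling explicit, and the same sentence could head version.patch, since text before its `---` line is ignored when the patch is applied. The removed `substituteAll` call was the only visible use of that input; if it is still listed in the argument set on the first line of the file (outside this hunk), it is now unused and can be dropped. Deriving the version string from the pinned tag rather than from `git describe --dirty` is also the more reproducible choice, so that part of the change is sound.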
@@ -2,6 +2,7 @@
 , pkg-config, autoreconfHook, autoconf-archive, makeWrapper, patchelf
 , tpm2-tss, tpm2-tools, opensc, openssl, sqlite, python3, glibc, libyaml
 , abrmdSupport ? true, tpm2-abrmd ? null
+, fapiSupport ? true
 }:
 stdenv.mkDerivation rec {
@@ -15,7 +16,10 @@ stdenv.mkDerivation rec {
 sha256 = "sha256-SoHtgZRIYNJg4/w1MIocZAM26mkrM+UOQ+RKCh6nwCk=";
 };
- patches = [ ./version.patch ];
+ patches = [
+ ./version.patch
+ ./graceful-fapi-fail.patch
+ ];
 # The preConfigure phase doesn't seem to be working here
 # ./bootstrap MUST be executed as the first step, before all
@@ -25,6 +29,11 @@ stdenv.mkDerivation rec {
 ./bootstrap
 '';
+ configureFlags = lib.optionals (!fapiSupport) [
+ # Note: this will be renamed to with-fapi in next release.
+ "--enable-fapi=no"
+ ];
+
 nativeBuildInputs = [
 pkg-config autoreconfHook autoconf-archive makeWrapper patchelf
 ];
diff --git a/pkgs/misc/tpm2-pkcs11/graceful-fapi-fail.patch b/pkgs/misc/tpm2-pkcs11/graceful-fapi-fail.patch
new file mode 100644
index 000000000000..26712e9830c7
--- /dev/null
+++ b/pkgs/misc/tpm2-pkcs11/graceful-fapi-fail.patch
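Review bot: The new `fapiSupport` argument in the first hunk carries no comment saying what it toggles, and the only hint of its effect is the `--enable-fapi=no` flag in the third hunk; someone setting `fapiSupport = false` should be told that the FAPI token backend is compiled out and that, with graceful-fapi-fail.patch applied, tokens from that backend simply stop being found, with the condition reported only at verbose log level instead of as a warning. A comment next to the argument such as `# fapiSupport: build the tpm2-tss FAPI token backend; when false, tokens held by FAPI are not available and the library only mentions this in verbose logging` would document that trade-off for operators who rely on the log to notice a misbuilt module. The `Note: this will be renamed to with-fapi in next release.` comment should name the upstream version or change it refers to, otherwise the next bump cannot verify or retire it. With a single element, `configureFlags = lib.optional (!fapiSupport) "--enable-fapi=no";` would be the more conventional form, though the list is acceptable if the inline comment is kept.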
@@ -0,0 +1,51 @@
+From 2e3e3c0b0f4e0c19e411fd46358930bf158ad3f5 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell
+Date: Wed, 1 Feb 2023 09:29:58 +0000
+Subject: [PATCH] Gracefully fail FAPI init when it's not compiled in
+
+Instead of emitting:
+
+ WARNING: Getting tokens from fapi backend failed.
+
+errors when FAPI support is not compiled in gracefully fail the FAPI
+init and don't log any warnings. We'll still produce a message
+indicating this is what's happened in verbose mode, but normal operation
+no longer gets an unnecessary message.
+
+Fixes #792
+
+Signed-off-by: Jonathan McDowell
+---
+ src/lib/backend.c | 4 +++-
+ src/lib/backend_fapi.c | 3 ++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/backend.c b/src/lib/backend.c
+index ca5e2ccf..128f58b9 100644
+--- a/src/lib/backend.c
++++ b/src/lib/backend.c
+@@ -53,7 +53,9 @@ CK_RV backend_init(void) {
+ LOGE(msg);
+ return rv;
+ }
+- LOGW(msg);
++ if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
++ LOGW(msg);
++ }
+ } else {
+ fapi_init = true;
+ }
+diff --git a/src/lib/backend_fapi.c b/src/lib/backend_fapi.c
+index fe594f0e..3a203632 100644
+--- a/src/lib/backend_fapi.c
++++ b/src/lib/backend_fapi.c
+@@ -977,7 +977,8 @@ CK_RV backend_fapi_token_changeauth(token *tok, bool user, twist toldpin, twist
+ 
+ CK_RV backend_fapi_init(void) {
+ 
+- return CKR_OK;
++ LOGV("FAPI not enabled, failing init");
++ return CKR_FUNCTION_NOT_SUPPORTED;
+ }
+ 
+ CK_RV backend_fapi_destroy(void) {