Merge pull request #266568 from nbdd0121/tpm2

tpm2-pkcs11: 1.8.0 -> 1.9.0

pkgs/misc/tpm2-pkcs11/0001-configure-ac-version.patch

@@ -1,13 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index e861e42..018c19c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -26,7 +26,7 @@
- #;**********************************************************************;
- 
- AC_INIT([tpm2-pkcs11],
--  [m4_esyscmd_s([git describe --tags --always --dirty])],
-+  [git-@VERSION@],
-   [https://github.com/tpm2-software/tpm2-pkcs11/issues],
-   [],
-   [https://github.com/tpm2-software/tpm2-pkcs11])

pkgs/misc/tpm2-pkcs11/default.nix

@@ -2,32 +2,38 @@
 , pkg-config, autoreconfHook, autoconf-archive, makeWrapper, patchelf
 , tpm2-tss, tpm2-tools, opensc, openssl, sqlite, python3, glibc, libyaml
 , abrmdSupport ? true, tpm2-abrmd ? null
+, fapiSupport ? true
 }:
 
 stdenv.mkDerivation rec {
   pname = "tpm2-pkcs11";
-  version = "1.8.0";
+  version = "1.9.0";
 
   src = fetchFromGitHub {
     owner = "tpm2-software";
     repo = pname;
     rev = version;
-    sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";
+    sha256 = "sha256-SoHtgZRIYNJg4/w1MIocZAM26mkrM+UOQ+RKCh6nwCk=";
   };
 
-  patches = lib.singleton (
+  patches = [
-    substituteAll {
+    ./version.patch
-      src = ./0001-configure-ac-version.patch;
+    ./graceful-fapi-fail.patch
-      VERSION = version;
+  ];
-    });
 
   # The preConfigure phase doesn't seem to be working here
   # ./bootstrap MUST be executed as the first step, before all
   # of the autoreconfHook stuff
   postPatch = ''
+    echo ${version} > VERSION
     ./bootstrap
   '';
 
+  configureFlags = lib.optionals (!fapiSupport) [
+    # Note: this will be renamed to with-fapi in next release.
+    "--enable-fapi=no"
+  ];
+
   nativeBuildInputs = [
     pkg-config autoreconfHook autoconf-archive makeWrapper patchelf
   ];

pkgs/misc/tpm2-pkcs11/graceful-fapi-fail.patch

@@ -0,0 +1,51 @@
+From 2e3e3c0b0f4e0c19e411fd46358930bf158ad3f5 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@earth.li>
+Date: Wed, 1 Feb 2023 09:29:58 +0000
+Subject: [PATCH] Gracefully fail FAPI init when it's not compiled in
+
+Instead of emitting:
+
+   WARNING: Getting tokens from fapi backend failed.
+
+errors when FAPI support is not compiled in gracefully fail the FAPI
+init and don't log any warnings. We'll still produce a message
+indicating this is what's happened in verbose mode, but normal operation
+no longer gets an unnecessary message.
+
+Fixes #792
+
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+---
+ src/lib/backend.c      | 4 +++-
+ src/lib/backend_fapi.c | 3 ++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/backend.c b/src/lib/backend.c
+index ca5e2ccf..128f58b9 100644
+--- a/src/lib/backend.c
++++ b/src/lib/backend.c
+@@ -53,7 +53,9 @@ CK_RV backend_init(void) {
+             LOGE(msg);
+             return rv;
+         }
+-        LOGW(msg);
++        if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
++            LOGW(msg);
++        }
+     } else {
+         fapi_init = true;
+     }
+diff --git a/src/lib/backend_fapi.c b/src/lib/backend_fapi.c
+index fe594f0e..3a203632 100644
+--- a/src/lib/backend_fapi.c
++++ b/src/lib/backend_fapi.c
+@@ -977,7 +977,8 @@ CK_RV backend_fapi_token_changeauth(token *tok, bool user, twist toldpin, twist
+ 
+ CK_RV backend_fapi_init(void) {
+ 
+-	return CKR_OK;
++	LOGV("FAPI not enabled, failing init");
++	return CKR_FUNCTION_NOT_SUPPORTED;
+ }
+ 
+ CK_RV backend_fapi_destroy(void) {

pkgs/misc/tpm2-pkcs11/version.patch

@@ -0,0 +1,10 @@
+--- a/bootstrap
++++ b/bootstrap
+@@ -4,7 +4,6 @@
+ 
+ # Generate a VERSION file that is included in the dist tarball to avoid needed git
+ # when calling autoreconf in a release tarball.
+-git describe --tags --always --dirty > VERSION
+ 
+ # generate list of source files for use in Makefile.am
+ # if you add new source files, you must run ./bootstrap again