Unverified Commit b01196a1 authored by Tristan Ross, committed by GitHub

tpm2-pkcs11: fix fapi configure option; init tpm2-pkcs11-{fapi,esapi} (#396751)

parents 9bb2f070 e7356914
+2 −0
@@ -351,6 +351,8 @@

- GOverlay has been updated to 1.2, please check the [upstream changelog](https://github.com/benjamimgois/goverlay/releases) for more details.

- `tpm2-pkcs11` now has the variant `tpm2-pkcs11-fapi`, which has been patched to default to the Feature API backend. It has also been split into `tpm2-pkcs11-esapi`, which _only_ supports the older Enhanced System API backend. Note the [differences](https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.1/docs/FAPI.md), and that `tpm2-pkcs11` itself still needs `TPM2_PKCS11_BACKEND=fapi` exported in order to use the Feature API, whereas `tpm2-pkcs11-fapi` does not, and `tpm2-pkcs11-esapi` just does not support fapi entirely.

- For matrix homeserver Synapse we are now following the upstream recommendation to enable jemalloc as the memory allocator by default.

- In `dovecot` package removed hard coding path to module directory.
+12 −0
{
  tpm2-pkcs11,
  ...
}@args:

tpm2-pkcs11.override (
  args
  // {
    fapiSupport = false;
    extraDescription = "Disables FAPI support, as if TPM2_PKCS11_BACKEND were always set to 'esysdb'.";
  }
)
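Review bot: `defaultToFapi` is left unpinned here, so `tpm2-pkcs11-esapi.override { defaultToFapi = true; }` is accepted and forwarded through `args`, which would request the fapi-default patch in a build that also passes `--with-fapi=no`; what that combination produces is not visible from this file, but at best it is a default backend that has been compiled out. Pin it next to the other flag: `fapiSupport = false;` / `defaultToFapi = false;`. A one-line comment above the attribute set, such as `# These flags define the variant and take precedence over anything passed via override.`, would also make the clobbering of caller-supplied values explicit.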
+13 −0
{
  tpm2-pkcs11,
  ...
}@args:

tpm2-pkcs11.override (
  args
  // {
    fapiSupport = true;
    defaultToFapi = true;
    extraDescription = "Enables fapi by default, as if TPM2_PKCS11_BACKEND defaulted to 'fapi'.";
  }
)
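Review bot: Because `args` is the left operand of `//`, a caller's `tpm2-pkcs11-fapi.override { fapiSupport = false; }` is silently discarded rather than rejected. That is presumably intended, since the variant is defined by these two flags, but nothing in the file says so. I would add `# Pinned: these two flags define the variant and override any caller-supplied value; override tpm2-pkcs11 directly to change them.` above `fapiSupport = true;`.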
+33 −0
From 648f0d08953152185e13feaca4feda02f8665341 Mon Sep 17 00:00:00 2001
From: Morgan Jones <me@numin.it>
Date: Wed, 9 Apr 2025 00:12:47 -0700
Subject: [PATCH] backend: default to fapi

---
 src/lib/backend.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib/backend.c b/src/lib/backend.c
index 128f58b..8404afe 100644
--- a/src/lib/backend.c
+++ b/src/lib/backend.c
@@ -15,12 +15,12 @@ static enum backend get_backend(void) {
 
     const char *env = getenv("TPM2_PKCS11_BACKEND");
 
-    if (!env || !strcasecmp(env, "esysdb")) {
-        return backend_esysdb;
+    if (!env || !strcasecmp(env, "fapi")) {
+        return backend_fapi;
     }
 
-    if (!strcasecmp(env, "fapi")) {
-        return backend_fapi;
+    if (!strcasecmp(env, "esysdb")) {
+        return backend_esysdb;
     }
 
     return backend_error;
-- 
2.47.0
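Review bot: The patch body between `Subject:` and `---` is empty, so nothing records whether this is nixpkgs-specific or submitted upstream, and nothing states the invariant the change relies on. I would add a short description there: nixpkgs-only; makes FAPI the default when `TPM2_PKCS11_BACKEND` is unset, `esysdb` still selects the ESAPI backend, and the patch must only be applied to builds configured with `--with-fapi=yes`. The C change itself keeps the original structure and error path (an unrecognised or empty value still falls through to `backend_error`), so explicitly set values behave as before; the rest of `get_backend` lies outside the hunk.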
+30 −7
@@ -26,14 +26,18 @@
  swtpm,
  tpm2-abrmd,
  tpm2-openssl,
  tpm2-pkcs11, # for passthru abrmd tests
  tpm2-pkcs11, # for passthru tests
  tpm2-pkcs11-esapi,
  tpm2-pkcs11-fapi,
  tpm2-tools,
  tpm2-tss,
  which,
  xxd,
  abrmdSupport ? false,
  fapiSupport ? true,
  defaultToFapi ? false,
  enableFuzzing ? false,
  extraDescription ? null,
}:

let
@@ -51,7 +55,9 @@ chosenStdenv.mkDerivation (finalAttrs: {
  };

  # Disable Java‐based tests because of missing dependencies
  patches = [ ./disable-java-integration.patch ];
  patches =
    lib.singleton ./disable-java-integration.patch
    ++ lib.optional defaultToFapi ./default-to-fapi.patch;

  postPatch = ''
    echo ${lib.escapeShellArg finalAttrs.version} >VERSION
@@ -80,12 +86,14 @@ chosenStdenv.mkDerivation (finalAttrs: {
    [
      (lib.enableFeature finalAttrs.doCheck "unit")
      (lib.enableFeature finalAttrs.doCheck "integration")

      # Strangely, it uses --with-fapi=yes|no instead of a normal configure flag.
      "--with-fapi=${if fapiSupport then "yes" else "no"}"
    ]
    ++ lib.optionals enableFuzzing [
      "--enable-fuzzing"
      "--disable-hardening"
    ]
    ++ lib.optional fapiSupport "--with-fapi";
    ];

  strictDeps = true;

@@ -178,6 +186,10 @@ chosenStdenv.mkDerivation (finalAttrs: {

      # Enable tests to load TPM2 OpenSSL module
      export OPENSSL_MODULES="${openssl-modules}/lib/ossl-modules"
    ''
    + lib.optionalString defaultToFapi ''
      # Need to change the default since the tests expect the other way.
      export TPM2_PKCS11_BACKEND=esysdb
    '';

  postInstall = ''
@@ -211,13 +223,24 @@ chosenStdenv.mkDerivation (finalAttrs: {
    '';

  passthru = {
    tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
    tests = {
      inherit tpm2-pkcs11-esapi tpm2-pkcs11-fapi;
      tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
        abrmdSupport = true;
      };
      tpm2-pkcs11-esapi-abrmd = tpm2-pkcs11-esapi.override {
        abrmdSupport = true;
      };
      tpm2-pkcs11-fapi-abrmd = tpm2-pkcs11-fapi.override {
        abrmdSupport = true;
      };
    };
  };

  meta = {
    description = "PKCS#11 interface for TPM2 hardware";
    description =
      "PKCS#11 interface for TPM2 hardware."
      + lib.optionalString (extraDescription != null) " ${extraDescription}";
    homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
    license = lib.licenses.bsd2;
    platforms = lib.platforms.linux;
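Review bot: Nothing rejects `defaultToFapi = true` together with `fapiSupport = false`: the `patches` hunk applies `./default-to-fapi.patch` on `defaultToFapi` alone, while the `configureFlags` hunk passes `--with-fapi=no`, so that combination configures a default backend that was compiled out. Add `assert lib.assertMsg (fapiSupport || !defaultToFapi) "tpm2-pkcs11: defaultToFapi requires fapiSupport";` directly after the argument set's `}:` so the misconfiguration fails at evaluation rather than at build or first use. Separately, the check-environment hunk exports `TPM2_PKCS11_BACKEND=esysdb` whenever `defaultToFapi` is set, so the test suite never exercises the patched default branch for the fapi variant; a comment such as `# NOTE: the fapi-default code path itself is therefore untested here.` would stop the next reader assuming the passthru tests cover it. These hunks sit inside `mkDerivation`'s attribute set, which begins and ends outside the section.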