tpm2-pkcs11: 1.9.0 -> 1.9.1 (f7ee78c6) · Commits · nix / nixpkgs

pkgs/by-name/tp/tpm2-pkcs11/graceful-fapi-fail.patch

deleted100644 → 0

+0 −51

Original line number	Diff line number	Diff line
		From 2e3e3c0b0f4e0c19e411fd46358930bf158ad3f5 Mon Sep 17 00:00:00 2001
		From: Jonathan McDowell <noodles@earth.li>
		Date: Wed, 1 Feb 2023 09:29:58 +0000
		Subject: [PATCH] Gracefully fail FAPI init when it's not compiled in

		Instead of emitting:

		WARNING: Getting tokens from fapi backend failed.

		errors when FAPI support is not compiled in gracefully fail the FAPI
		init and don't log any warnings. We'll still produce a message
		indicating this is what's happened in verbose mode, but normal operation
		no longer gets an unnecessary message.

		Fixes #792

		Signed-off-by: Jonathan McDowell <noodles@earth.li>
		---
		src/lib/backend.c \| 4 +++-
		src/lib/backend_fapi.c \| 3 ++-
		2 files changed, 5 insertions(+), 2 deletions(-)

		diff --git a/src/lib/backend.c b/src/lib/backend.c
		index ca5e2ccf..128f58b9 100644
		--- a/src/lib/backend.c
		+++ b/src/lib/backend.c
		@@ -53,7 +53,9 @@ CK_RV backend_init(void) {
		LOGE(msg);
		return rv;
		}
		- LOGW(msg);
		+ if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
		+ LOGW(msg);
		+ }
		} else {
		fapi_init = true;
		}
		diff --git a/src/lib/backend_fapi.c b/src/lib/backend_fapi.c
		index fe594f0e..3a203632 100644
		--- a/src/lib/backend_fapi.c
		+++ b/src/lib/backend_fapi.c
		@@ -977,7 +977,8 @@ CK_RV backend_fapi_token_changeauth(token *tok, bool user, twist toldpin, twist

		CK_RV backend_fapi_init(void) {

		- return CKR_OK;
		+ LOGV("FAPI not enabled, failing init");
		+ return CKR_FUNCTION_NOT_SUPPORTED;
		}

		CK_RV backend_fapi_destroy(void) {

pkgs/by-name/tp/tpm2-pkcs11/package.nix

+71 −42

Original line number	Diff line number	Diff line
		{
		stdenv,
		lib,
		fetchFromGitHub,
		pkg-config,
		autoreconfHook,
		autoconf-archive,
		autoreconfHook,
		clangStdenv,
		cmocka,
		fetchFromGitHub,
		glibc,
		lib,
		libyaml,
		makeWrapper,
		patchelf,
		tpm2-tss,
		tpm2-tools,
		opensc,
		openssl,
		sqlite,
		patchelf,
		pkg-config,
		python3,
		glibc,
		libyaml,
		abrmdSupport ? true,
		tpm2-abrmd ? null,
		stdenv,
		sqlite,
		tpm2-abrmd,
		tpm2-pkcs11, # for passthru abrmd tests
		tpm2-tools,
		tpm2-tss,
		abrmdSupport ? false,
		fapiSupport ? true,
		enableFuzzing ? false,
		}:

		stdenv.mkDerivation rec {
		let
		chosenStdenv = if enableFuzzing then clangStdenv else stdenv;
		in
		chosenStdenv.mkDerivation (finalAttrs: {
		pname = "tpm2-pkcs11";
		version = "1.9.0";
		version = "1.9.1";

		src = fetchFromGitHub {
		owner = "tpm2-software";
		repo = pname;
		rev = version;
		sha256 = "sha256-SoHtgZRIYNJg4/w1MIocZAM26mkrM+UOQ+RKCh6nwCk=";
		repo = "tpm2-pkcs11";
		tag = finalAttrs.version;
		hash = "sha256-W74ckrpK7ypny1L3Gn7nNbOVh8zbHavIk/TX3b8XbI8=";
		};

		patches = [
		./version.patch
		./graceful-fapi-fail.patch
		];

		# The preConfigure phase doesn't seem to be working here
		# ./bootstrap MUST be executed as the first step, before all
		# of the autoreconfHook stuff
		postPatch = ''
		echo ${version} > VERSION
		echo "$version" > VERSION

		# Don't run git in the bootstrap
		substituteInPlace bootstrap --replace-warn "git" "# git"

		# Don't run tests with dbus
		substituteInPlace Makefile.am --replace-fail "dbus-run-session" "env"

		patchShebangs test

		./bootstrap
		'';

		configureFlags = lib.optionals (!fapiSupport) [
		# Note: this will be renamed to with-fapi in next release.
		"--enable-fapi=no"
		];
		configureFlags =
		lib.singleton (lib.enableFeature finalAttrs.doCheck "unit")
		++ lib.optionals enableFuzzing [
		"--enable-fuzzing"
		"--disable-hardening"
		]
		++ lib.optional fapiSupport "--with-fapi";

		strictDeps = true;

		nativeBuildInputs = [
		pkg-config
		autoreconfHook
		autoconf-archive
		autoreconfHook
		makeWrapper
		patchelf
		];
		buildInputs = [
		tpm2-tss
		tpm2-tools
		opensc
		openssl
		sqlite
		libyaml
		pkg-config
		(python3.withPackages (
		ps: with ps; [
		packaging
		@@ -73,6 +81,20 @@ stdenv.mkDerivation rec {
		]
		))
		];
		buildInputs = [
		libyaml
		opensc
		openssl
		sqlite
		tpm2-tools
		tpm2-tss
		];
		checkInputs = [
		cmocka
		];

		enableParallelBuilding = true;
		hardeningDisable = lib.optional enableFuzzing "all";

		outputs = [
		"out"
		@@ -80,6 +102,7 @@ stdenv.mkDerivation rec {
		"dev"
		];

		doCheck = true;
		dontStrip = true;
		dontPatchELF = true;

		@@ -90,11 +113,11 @@ stdenv.mkDerivation rec {
		rpath = lib.makeLibraryPath (
		(lib.optional abrmdSupport tpm2-abrmd)
		++ [
		tpm2-tss
		sqlite
		openssl
		glibc
		libyaml
		openssl
		sqlite
		tpm2-tss
		]
		);
		in
		@@ -113,6 +136,12 @@ stdenv.mkDerivation rec {
		--prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
		'';

		passthru = {
		tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
		abrmdSupport = true;
		};
		};

		meta = with lib; {
		description = "PKCS#11 interface for TPM2 hardware";
		homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
		@@ -121,4 +150,4 @@ stdenv.mkDerivation rec {
		maintainers = [ ];
		mainProgram = "tpm2_ptool";
		};
		}
		})

pkgs/by-name/tp/tpm2-pkcs11/version.patch

deleted100644 → 0

+0 −10

Original line number	Diff line number	Diff line
		--- a/bootstrap
		+++ b/bootstrap
		@@ -4,7 +4,6 @@

		# Generate a VERSION file that is included in the dist tarball to avoid needed git
		# when calling autoreconf in a release tarball.
		-git describe --tags --always --dirty > VERSION

		# generate list of source files for use in Makefile.am
		# if you add new source files, you must run ./bootstrap again

Admin message