fix(3p/overlays): pin specific version of tpm2-pkcs11

Newer versions broke compatibility with who knows which part of the
stack is required for correct TPM + OpenVPN interaction, but I need
this to work.

This was previously picked from stable, but we've bumped stable and it
has advanced to a version where this is also broken.

I believe this is a known issue, but right now I don't have the time
to look into it.

Change-Id: I1060f3ecfd7b43ebe5e1860f59f7574ca094570a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10743
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Vincent Ambo 2024-02-04 20:32:19 +03:00 committed by clbot
parent 0d55a6dcc8
commit c397aaceef
5 changed files with 124 additions and 3 deletions


@ -52,9 +52,6 @@ let
stableOverlay = _unstableSelf: unstableSuper: { stableOverlay = _unstableSelf: unstableSuper: {
# weird memory access issues in SBCL on AMD; 2024-02-01 # weird memory access issues in SBCL on AMD; 2024-02-01
sbcl = stableNixpkgs.sbcl; sbcl = stableNixpkgs.sbcl;
# TPM authentication seems broken on unstable; 2023-11-29
tpm2-pkcs11 = stableNixpkgs.tpm2-pkcs11;
}; };
# Overlay to expose the nixpkgs commits we are using to other Nix code. # Overlay to expose the nixpkgs commits we are using to other Nix code.


@ -0,0 +1 @@
No readTree-compatible files.


@ -0,0 +1,13 @@
diff --git a/configure.ac b/configure.ac
index e861e42..018c19c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,7 +26,7 @@
#;**********************************************************************;
AC_INIT([tpm2-pkcs11],
- [m4_esyscmd_s([git describe --tags --always --dirty])],
+ [git-@VERSION@],
[https://github.com/tpm2-software/tpm2-pkcs11/issues],
[],
[https://github.com/tpm2-software/tpm2-pkcs11])


@ -0,0 +1,105 @@
{ stdenv
, lib
, fetchFromGitHub
, substituteAll
, pkg-config
, autoreconfHook
, autoconf-archive
, makeWrapper
, patchelf
, tpm2-tss
, tpm2-tools
, opensc
, openssl
, sqlite
, python3
, glibc
, libyaml
, abrmdSupport ? true
, tpm2-abrmd ? null
}:
stdenv.mkDerivation rec {
pname = "tpm2-pkcs11";
version = "1.8.0";
src = fetchFromGitHub {
owner = "tpm2-software";
repo = pname;
rev = version;
sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";
};
patches = lib.singleton (
substituteAll {
src = ./0001-configure-ac-version.patch;
VERSION = version;
});
# The preConfigure phase doesn't seem to be working here
# ./bootstrap MUST be executed as the first step, before all
# of the autoreconfHook stuff
postPatch = ''
./bootstrap
'';
nativeBuildInputs = [
pkg-config
autoreconfHook
autoconf-archive
makeWrapper
patchelf
];
buildInputs = [
tpm2-tss
tpm2-tools
opensc
openssl
sqlite
libyaml
(python3.withPackages (ps: with ps; [ packaging pyyaml cryptography pyasn1-modules tpm2-pytss ]))
];
outputs = [ "out" "bin" "dev" ];
dontStrip = true;
dontPatchELF = true;
# To be able to use the userspace resource manager, the RUNPATH must
# explicitly include the tpm2-abrmd shared libraries.
preFixup =
let
rpath = lib.makeLibraryPath (
(lib.optional abrmdSupport tpm2-abrmd)
++ [
tpm2-tss
sqlite
openssl
glibc
libyaml
]
);
in
''
patchelf \
--set-rpath ${rpath} \
${lib.optionalString abrmdSupport "--add-needed ${lib.makeLibraryPath [tpm2-abrmd]}/libtss2-tcti-tabrmd.so"} \
--add-needed ${lib.makeLibraryPath [tpm2-tss]}/libtss2-tcti-device.so \
$out/lib/libtpm2_pkcs11.so.0.0.0
'';
postInstall = ''
mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
mv ./tools/* $bin/share/tpm2_pkcs11/
makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
--prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
'';
meta = with lib; {
description = "A PKCS#11 interface for TPM2 hardware";
homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
license = licenses.bsd2;
platforms = platforms.linux;
maintainers = with maintainers; [ matthiasbeyer ];
};
}


@ -132,4 +132,9 @@ depot.nix.readTree.drvTargets {
license = licenses.asl20; license = licenses.asl20;
}; };
}; };
# OpenVPN + TPM2 is broken on versions of this package somewhere
# after 1.8.0, but it is a critical dependency for tazjin. For this
# reason it is vendored from a specific nixpkgs commit.
tpm2-pkcs11 = self.callPackage ./patches/tpm2-pkcs11.nix { };
} }
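Review bot: The comment above the new tpm2-pkcs11 attribute says the package is vendored from a specific nixpkgs commit, but neither the comment nor the vendored expression under ./patches records which commit, so nobody can later diff the pin against nixpkgs or confirm exactly what was copied. Pinning a TPM-backed PKCS#11 module at 1.8.0 also means it stops receiving whatever fixes land in nixpkgs after that version, so the condition for removing the pin belongs next to it rather than only in the commit message. I would extend the comment with `# Vendored from nixpkgs commit <NIXPKGS-REV> (tpm2-pkcs11 1.8.0, ./patches/tpm2-pkcs11.nix);` and `# drop this override once the upstream breakage (<ISSUE-URL>, if known) is resolved.` The enclosing drvTargets attribute set starts before this hunk.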