fix(3p/overlays): pin specific version of tpm2-pkcs11
Newer versions broke compatibility with who knows whatever part of the stack is required for correct TVM + OpenVPN interaction, but I need this to work. This was previously picked from stable, but we've bumped stable and it has advanced to a version where this is also broken. I believe this is a known issue, but right now I don't have the time to look into it. Change-Id: I1060f3ecfd7b43ebe5e1860f59f7574ca094570a Reviewed-on: https://cl.tvl.fyi/c/depot/+/10743 Reviewed-by: tazjin <tazjin@tvl.su> Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
This commit is contained in:
parent
0d55a6dcc8
commit
c397aaceef
5 changed files with 124 additions and 3 deletions
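--- a/third_party/nixpkgs/default.nix
+++ b/third_party/nixpkgs/default.nix
@@ -52,9 +52,6 @@ let
 stableOverlay = _unstableSelf: unstableSuper: {
 # weird memory access issues in SBCL on AMD; 2024-02-01
 sbcl = stableNixpkgs.sbcl;
-
-# TPM authentication seems broken on unstable; 2023-11-29
-tpm2-pkcs11 = stableNixpkgs.tpm2-pkcs11;
 };
 
 # Overlay to expose the nixpkgs commits we are using to other Nix code.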
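--- /dev/null
+++ b/third_party/overlays/patches/.skip-tree
@@ -0,0 +1 @@
+No readTree-compatible files.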
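--- /dev/null
+++ b/third_party/overlays/patches/0001-configure-ac-version.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index e861e42..018c19c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -26,7 +26,7 @@
+#;**********************************************************************;
+
+AC_INIT([tpm2-pkcs11],
+- [m4_esyscmd_s([git describe --tags --always --dirty])],
++ [git-@VERSION@],
+[https://github.com/tpm2-software/tpm2-pkcs11/issues],
+[],
+[https://github.com/tpm2-software/tpm2-pkcs11])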
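--- /dev/null
+++ b/third_party/overlays/patches/tpm2-pkcs11.nix
@@ -0,0 +1,105 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, substituteAll
+, pkg-config
+, autoreconfHook
+, autoconf-archive
+, makeWrapper
+, patchelf
+, tpm2-tss
+, tpm2-tools
+, opensc
+, openssl
+, sqlite
+, python3
+, glibc
+, libyaml
+, abrmdSupport ? true
+, tpm2-abrmd ? null
+}:
+
+stdenv.mkDerivation rec {
+pname = "tpm2-pkcs11";
+version = "1.8.0";
+
+src = fetchFromGitHub {
+owner = "tpm2-software";
+repo = pname;
+rev = version;
+sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";
+};
+
+patches = lib.singleton (
+substituteAll {
+src = ./0001-configure-ac-version.patch;
+VERSION = version;
+});
+
+# The preConfigure phase doesn't seem to be working here
+# ./bootstrap MUST be executed as the first step, before all
+# of the autoreconfHook stuff
+postPatch = ''
+./bootstrap
+'';
+
+nativeBuildInputs = [
+pkg-config
+autoreconfHook
+autoconf-archive
+makeWrapper
+patchelf
+];
+buildInputs = [
+tpm2-tss
+tpm2-tools
+opensc
+openssl
+sqlite
+libyaml
+(python3.withPackages (ps: with ps; [ packaging pyyaml cryptography pyasn1-modules tpm2-pytss ]))
+];
+
+outputs = [ "out" "bin" "dev" ];
+
+dontStrip = true;
+dontPatchELF = true;
+
+# To be able to use the userspace resource manager, the RUNPATH must
+# explicitly include the tpm2-abrmd shared libraries.
+preFixup =
+let
+rpath = lib.makeLibraryPath (
+(lib.optional abrmdSupport tpm2-abrmd)
+++ [
+tpm2-tss
+sqlite
+openssl
+glibc
+libyaml
+]
+);
+in
+''
+patchelf \
+--set-rpath ${rpath} \
+${lib.optionalString abrmdSupport "--add-needed ${lib.makeLibraryPath [tpm2-abrmd]}/libtss2-tcti-tabrmd.so"} \
+--add-needed ${lib.makeLibraryPath [tpm2-tss]}/libtss2-tcti-device.so \
+$out/lib/libtpm2_pkcs11.so.0.0.0
+'';
+
+postInstall = ''
+mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
+mv ./tools/* $bin/share/tpm2_pkcs11/
+makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
+--prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
+'';
+
+meta = with lib; {
+description = "A PKCS#11 interface for TPM2 hardware";
+homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
+license = licenses.bsd2;
+platforms = platforms.linux;
+maintainers = with maintainers; [ matthiasbeyer ];
+};
+}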
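Review bot: `abrmdSupport ? true` is paired with `tpm2-abrmd ? null`, and nothing in the derivation checks that the two agree, so a call that leaves abrmdSupport on without supplying tpm2-abrmd presumably fails deep inside `lib.makeLibraryPath` in `preFixup` (where `lib.optional abrmdSupport tpm2-abrmd` yields `[ null ]`) with an opaque null-value error instead of a readable one; an `assert abrmdSupport -> tpm2-abrmd != null;` line before `stdenv.mkDerivation rec {` makes the requirement explicit. The file is also a copy of an upstream nixpkgs expression with no record of where it was taken from, which matters because it freezes the module that fronts TPM-resident keys at 1.8.0 and will not pick up later upstream fixes on its own; a header comment such as `# Copied from nixpkgs at <NIXPKGS-REV-PLACEHOLDER>; pinned at 1.8.0 because later releases break the OpenVPN + TPM2 setup` would let whoever revisits the pin diff it against upstream.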
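--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@@ -132,4 +132,9 @@ depot.nix.readTree.drvTargets {
 license = licenses.asl20;
 };
 };
+
+# OpenVPN + TPM2 is broken on versions of this package somewhere
+# after 1.8.0, but it is a critical dependency for tazjin. For this
+# reason it is vendored from a specific nixpkgs commit.
+tpm2-pkcs11 = self.callPackage ./patches/tpm2-pkcs11.nix { };
 }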
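Review bot: The new comment above `tpm2-pkcs11 = self.callPackage ./patches/tpm2-pkcs11.nix { };` explains why the package is pinned but names neither the nixpkgs revision it was vendored from nor a date, although the sibling workaround entries in stableOverlay in third_party/nixpkgs/default.nix each carry one (`; 2024-02-01`, `; 2023-11-29`) so they can be revisited. Since this pin holds a PKCS#11 module for TPM-backed keys at an old release, it will miss later upstream fixes until someone deliberately re-checks it, so the revisit marker matters more here than for a typical overlay entry; suggest replacing the last comment line with `# reason it is vendored from nixpkgs <NIXPKGS-REV-PLACEHOLDER>; revisit after <DATE-PLACEHOLDER>.`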