From fa8e706b9b66c1d5f0f64967939861fe00101a22 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Thu, 14 Mar 2024 09:43:37 +0300
Subject: [PATCH] fix(3p/overlays): upgrade tpm2-pkcs11, but add unmerged patch

Instead of pinning to an old version, move forward but with a fix for the critical bug that's been preventing me from upgrading. The project seems to be unmaintained upstream, but I took the fix from the open pull requests.

Change-Id: I85c8f780b1e363bac4060dd89b1930a6e59ce2a3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11145
Tested-by: BuildkiteCI
Autosubmit: tazjin
Reviewed-by: flokli
---
 .../patches/tpm2-pkcs11-190-dbupgrade.patch | 29 +++++
 third_party/overlays/patches/tpm2-pkcs11.nix | 105 ------------------
 third_party/overlays/tvl.nix | 12 +-
 3 files changed, 37 insertions(+), 109 deletions(-)
 create mode 100644 third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch
 delete mode 100644 third_party/overlays/patches/tpm2-pkcs11.nix

diff --git a/third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch b/third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch
new file mode 100644
index 000000000..f831c11a8
--- /dev/null
+++ b/third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch
@@ -0,0 +1,29 @@
+From 987323794148a6ff5ce3d02eef8cfeb46bee1761 Mon Sep 17 00:00:00 2001
+From: Anton
+Date: Tue, 7 Nov 2023 12:02:15 +0300
+Subject: [PATCH] Skip null attribute during DB update
+
+Signed-off-by: Anton
+---
+ src/lib/db.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/db.c b/src/lib/db.c
+index b4bbd1bf..74c5a7b4 100644
+--- a/src/lib/db.c
++++ b/src/lib/db.c
+@@ -2169,9 +2169,11 @@ static CK_RV dbup_handler_from_7_to_8(sqlite3 *updb) {
+ 
+ /* for each tobject */
+ CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(tobj->attrs, CKA_ALLOWED_MECHANISMS);
+- CK_BYTE type = type_from_ptr(a->pValue, a->ulValueLen);
+- if (type != TYPE_BYTE_INT_SEQ) {
+- rv = _db_update_tobject_attrs(updb, tobj->id, tobj->attrs);
++ if (a) {
++ CK_BYTE type = type_from_ptr(a->pValue, a->ulValueLen);
++ if (type != TYPE_BYTE_INT_SEQ) {
++ rv = _db_update_tobject_attrs(updb, tobj->id, tobj->attrs);
++ }
+ }
+ 
+ tobject_free(tobj);
diff --git a/third_party/overlays/patches/tpm2-pkcs11.nix b/third_party/overlays/patches/tpm2-pkcs11.nix
deleted file mode 100644
index 2e7db7aca..000000000
--- a/third_party/overlays/patches/tpm2-pkcs11.nix
+++ /dev/null
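Review bot: The added `++ if (a) {` guard stops the NULL dereference when a tobject carries no CKA_ALLOWED_MECHANISMS attribute, but such a tobject now leaves the iteration without any update and without a trace, and `rv` keeps whatever value it held before that iteration — its initialisation is outside the hunk, so whether the upgrade still reports success for a skipped object cannot be confirmed here. `type_from_ptr(a->pValue, a->ulValueLen)` is also still called without looking at `a->pValue`, so the fix relies on `type_from_ptr` tolerating a NULL value pointer with a zero length, which is not visible in this hunk. A comment on the guard would record the intent, e.g. `if (a) { /* attribute may be absent on this tobject; presumably nothing to migrate then — confirm against schema 7 */`. The enclosing `dbup_handler_from_7_to_8` starts and ends outside the hunk.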
@@ -1,105 +0,0 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, substituteAll
-, pkg-config
-, autoreconfHook
-, autoconf-archive
-, makeWrapper
-, patchelf
-, tpm2-tss
-, tpm2-tools
-, opensc
-, openssl
-, sqlite
-, python3
-, glibc
-, libyaml
-, abrmdSupport ? true
-, tpm2-abrmd ? null
-}:
-
-stdenv.mkDerivation rec {
- pname = "tpm2-pkcs11";
- version = "1.8.0";
-
- src = fetchFromGitHub {
- owner = "tpm2-software";
- repo = pname;
- rev = version;
- sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";
- };
-
- patches = lib.singleton (
- substituteAll {
- src = ./0001-configure-ac-version.patch;
- VERSION = version;
- });
-
- # The preConfigure phase doesn't seem to be working here
- # ./bootstrap MUST be executed as the first step, before all
- # of the autoreconfHook stuff
- postPatch = ''
- ./bootstrap
- '';
-
- nativeBuildInputs = [
- pkg-config
- autoreconfHook
- autoconf-archive
- makeWrapper
- patchelf
- ];
- buildInputs = [
- tpm2-tss
- tpm2-tools
- opensc
- openssl
- sqlite
- libyaml
- (python3.withPackages (ps: with ps; [ packaging pyyaml cryptography pyasn1-modules tpm2-pytss ]))
- ];
-
- outputs = [ "out" "bin" "dev" ];
-
- dontStrip = true;
- dontPatchELF = true;
-
- # To be able to use the userspace resource manager, the RUNPATH must
- # explicitly include the tpm2-abrmd shared libraries.
- preFixup =
- let
- rpath = lib.makeLibraryPath (
- (lib.optional abrmdSupport tpm2-abrmd)
- ++ [
- tpm2-tss
- sqlite
- openssl
- glibc
- libyaml
- ]
- );
- in
- ''
- patchelf \
- --set-rpath ${rpath} \
- ${lib.optionalString abrmdSupport "--add-needed ${lib.makeLibraryPath [tpm2-abrmd]}/libtss2-tcti-tabrmd.so"} \
- --add-needed ${lib.makeLibraryPath [tpm2-tss]}/libtss2-tcti-device.so \
- $out/lib/libtpm2_pkcs11.so.0.0.0
- '';
-
- postInstall = ''
- mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
- mv ./tools/* $bin/share/tpm2_pkcs11/
- makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
- --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
- '';
-
- meta = with lib; {
- description = "A PKCS#11 interface for TPM2 hardware";
- homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
- license = licenses.bsd2;
- platforms = platforms.linux;
- maintainers = with maintainers; [ matthiasbeyer ];
- };
-}
diff --git a/third_party/overlays/tvl.nix b/third_party/overlays/tvl.nix
index 9ebe21369..c8a256fa3 100644
--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@@ -149,8 +149,12 @@ depot.nix.readTree.drvTargets {
 };
 };
 
- # OpenVPN + TPM2 is broken on versions of this package somewhere
- # after 1.8.0, but it is a critical dependency for tazjin. For this
- # reason it is vendored from a specific nixpkgs commit.
- tpm2-pkcs11 = self.callPackage ./patches/tpm2-pkcs11.nix { };
+ # Imports a patch that fixes usage of this package on versions
+ # >=1.9. The patch has been proposed upstream, but so far with no
+ # reactions from the maintainer:
+ #
+ # https://github.com/tpm2-software/tpm2-pkcs11/pull/849
+ tpm2-pkcs11 = super.tpm2-pkcs11.overrideAttrs (old: {
+ patches = (old.patches or [ ]) ++ [ ./patches/tpm2-pkcs11-190-dbupgrade.patch ];
+ });
 }
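Review bot: The `overrideAttrs` at the end of the tvl.nix hunk applies an out-of-tree patch to whatever `super.tpm2-pkcs11` nixpkgs currently ships, with no version check, so the next nixpkgs bump that merges PR 849 or reshapes `db.c` around the patched lines will fail at patch-apply time rather than anywhere the new comment prepares a reader for. That loud failure is the right outcome for a vendored fix to a library that fronts TPM-held keys, but the comment should say so and name the exit condition, e.g. `# Drop this override once PR 849 is merged upstream; a patch-apply failure on a nixpkgs bump is the cue to re-check.` The comment's ">=1.9" also sits next to a patch file named "190", and stating which upstream version the patch was verified against would spare a later reader from guessing which one is meant.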