fix(3p/overlays): upgrade tpm2-pkcs11, but add unmerged patch
Instead of pinning to an old version, move forward but with a fix for the critical bug that's been preventing me from upgrading. The project seems to be unmaintained upstream, but I took the fix from the open pull requests. Change-Id: I85c8f780b1e363bac4060dd89b1930a6e59ce2a3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/11145 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de>
This commit is contained in:
parent
e220d80727
commit
fa8e706b9b
3 changed files with 37 additions and 109 deletions
29
third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch
vendored
Normal file
29
third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch
vendored
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
From 987323794148a6ff5ce3d02eef8cfeb46bee1761 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anton <tracefinder@gmail.com>
|
||||||
|
Date: Tue, 7 Nov 2023 12:02:15 +0300
|
||||||
|
Subject: [PATCH] Skip null attribute during DB update
|
||||||
|
|
||||||
|
Signed-off-by: Anton <tracefinder@gmail.com>
|
||||||
|
---
|
||||||
|
src/lib/db.c | 8 +++++---
|
||||||
|
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/db.c b/src/lib/db.c
|
||||||
|
index b4bbd1bf..74c5a7b4 100644
|
||||||
|
--- a/src/lib/db.c
|
||||||
|
+++ b/src/lib/db.c
|
||||||
|
@@ -2169,9 +2169,11 @@ static CK_RV dbup_handler_from_7_to_8(sqlite3 *updb) {
|
||||||
|
|
||||||
|
/* for each tobject */
|
||||||
|
CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(tobj->attrs, CKA_ALLOWED_MECHANISMS);
|
||||||
|
- CK_BYTE type = type_from_ptr(a->pValue, a->ulValueLen);
|
||||||
|
- if (type != TYPE_BYTE_INT_SEQ) {
|
||||||
|
- rv = _db_update_tobject_attrs(updb, tobj->id, tobj->attrs);
|
||||||
|
+ if (a) {
|
||||||
|
+ CK_BYTE type = type_from_ptr(a->pValue, a->ulValueLen);
|
||||||
|
+ if (type != TYPE_BYTE_INT_SEQ) {
|
||||||
|
+ rv = _db_update_tobject_attrs(updb, tobj->id, tobj->attrs);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
tobject_free(tobj);
|
105
third_party/overlays/patches/tpm2-pkcs11.nix
vendored
105
third_party/overlays/patches/tpm2-pkcs11.nix
vendored
|
@ -1,105 +0,0 @@
|
||||||
{ stdenv
|
|
||||||
, lib
|
|
||||||
, fetchFromGitHub
|
|
||||||
, substituteAll
|
|
||||||
, pkg-config
|
|
||||||
, autoreconfHook
|
|
||||||
, autoconf-archive
|
|
||||||
, makeWrapper
|
|
||||||
, patchelf
|
|
||||||
, tpm2-tss
|
|
||||||
, tpm2-tools
|
|
||||||
, opensc
|
|
||||||
, openssl
|
|
||||||
, sqlite
|
|
||||||
, python3
|
|
||||||
, glibc
|
|
||||||
, libyaml
|
|
||||||
, abrmdSupport ? true
|
|
||||||
, tpm2-abrmd ? null
|
|
||||||
}:
|
|
||||||
|
|
||||||
stdenv.mkDerivation rec {
|
|
||||||
pname = "tpm2-pkcs11";
|
|
||||||
version = "1.8.0";
|
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "tpm2-software";
|
|
||||||
repo = pname;
|
|
||||||
rev = version;
|
|
||||||
sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";
|
|
||||||
};
|
|
||||||
|
|
||||||
patches = lib.singleton (
|
|
||||||
substituteAll {
|
|
||||||
src = ./0001-configure-ac-version.patch;
|
|
||||||
VERSION = version;
|
|
||||||
});
|
|
||||||
|
|
||||||
# The preConfigure phase doesn't seem to be working here
|
|
||||||
# ./bootstrap MUST be executed as the first step, before all
|
|
||||||
# of the autoreconfHook stuff
|
|
||||||
postPatch = ''
|
|
||||||
./bootstrap
|
|
||||||
'';
|
|
||||||
|
|
||||||
nativeBuildInputs = [
|
|
||||||
pkg-config
|
|
||||||
autoreconfHook
|
|
||||||
autoconf-archive
|
|
||||||
makeWrapper
|
|
||||||
patchelf
|
|
||||||
];
|
|
||||||
buildInputs = [
|
|
||||||
tpm2-tss
|
|
||||||
tpm2-tools
|
|
||||||
opensc
|
|
||||||
openssl
|
|
||||||
sqlite
|
|
||||||
libyaml
|
|
||||||
(python3.withPackages (ps: with ps; [ packaging pyyaml cryptography pyasn1-modules tpm2-pytss ]))
|
|
||||||
];
|
|
||||||
|
|
||||||
outputs = [ "out" "bin" "dev" ];
|
|
||||||
|
|
||||||
dontStrip = true;
|
|
||||||
dontPatchELF = true;
|
|
||||||
|
|
||||||
# To be able to use the userspace resource manager, the RUNPATH must
|
|
||||||
# explicitly include the tpm2-abrmd shared libraries.
|
|
||||||
preFixup =
|
|
||||||
let
|
|
||||||
rpath = lib.makeLibraryPath (
|
|
||||||
(lib.optional abrmdSupport tpm2-abrmd)
|
|
||||||
++ [
|
|
||||||
tpm2-tss
|
|
||||||
sqlite
|
|
||||||
openssl
|
|
||||||
glibc
|
|
||||||
libyaml
|
|
||||||
]
|
|
||||||
);
|
|
||||||
in
|
|
||||||
''
|
|
||||||
patchelf \
|
|
||||||
--set-rpath ${rpath} \
|
|
||||||
${lib.optionalString abrmdSupport "--add-needed ${lib.makeLibraryPath [tpm2-abrmd]}/libtss2-tcti-tabrmd.so"} \
|
|
||||||
--add-needed ${lib.makeLibraryPath [tpm2-tss]}/libtss2-tcti-device.so \
|
|
||||||
$out/lib/libtpm2_pkcs11.so.0.0.0
|
|
||||||
'';
|
|
||||||
|
|
||||||
postInstall = ''
|
|
||||||
mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
|
|
||||||
mv ./tools/* $bin/share/tpm2_pkcs11/
|
|
||||||
makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
|
|
||||||
--prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta = with lib; {
|
|
||||||
description = "A PKCS#11 interface for TPM2 hardware";
|
|
||||||
homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
|
|
||||||
license = licenses.bsd2;
|
|
||||||
platforms = platforms.linux;
|
|
||||||
maintainers = with maintainers; [ matthiasbeyer ];
|
|
||||||
};
|
|
||||||
}
|
|
12
third_party/overlays/tvl.nix
vendored
12
third_party/overlays/tvl.nix
vendored
|
@ -149,8 +149,12 @@ depot.nix.readTree.drvTargets {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# OpenVPN + TPM2 is broken on versions of this package somewhere
|
# Imports a patch that fixes usage of this package on versions
|
||||||
# after 1.8.0, but it is a critical dependency for tazjin. For this
|
# >=1.9. The patch has been proposed upstream, but so far with no
|
||||||
# reason it is vendored from a specific nixpkgs commit.
|
# reactions from the maintainer:
|
||||||
tpm2-pkcs11 = self.callPackage ./patches/tpm2-pkcs11.nix { };
|
#
|
||||||
|
# https://github.com/tpm2-software/tpm2-pkcs11/pull/849
|
||||||
|
tpm2-pkcs11 = super.tpm2-pkcs11.overrideAttrs (old: {
|
||||||
|
patches = (old.patches or [ ]) ++ [ ./patches/tpm2-pkcs11-190-dbupgrade.patch ];
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue