authorVincent Ambo <tazjin@tvl.su>2024-03-14T06·43+0300
committerclbot <clbot@tvl.fyi>2024-03-17T11·30+0000
commitfa8e706b9b66c1d5f0f64967939861fe00101a22 (patch)
tree876d7f4627189932d7af199c89f12ebab160fd07
parente220d807270e9967d7b76070b968981c2c3dda0c (diff)
fix(3p/overlays): upgrade tpm2-pkcs11, but add unmerged patch r/7718
Instead of pinning to an old version, move forward but with a fix for
the critical bug that's been preventing me from upgrading.

The project seems to be unmaintained upstream, but I took the fix from
the open pull requests.

Change-Id: I85c8f780b1e363bac4060dd89b1930a6e59ce2a3
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11145
Tested-by: BuildkiteCI
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
-rw-r--r--third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch29
-rw-r--r--third_party/overlays/patches/tpm2-pkcs11.nix105
-rw-r--r--third_party/overlays/tvl.nix12
3 files changed, 37 insertions, 109 deletions
diff --git a/third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch b/third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch
new file mode 100644
index 000000000000..f831c11a80bc
--- /dev/null
+++ b/third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch
@@ -0,0 +1,29 @@
+From 987323794148a6ff5ce3d02eef8cfeb46bee1761 Mon Sep 17 00:00:00 2001
+From: Anton <tracefinder@gmail.com>
+Date: Tue, 7 Nov 2023 12:02:15 +0300
+Subject: [PATCH] Skip null attribute during DB update
+
+Signed-off-by: Anton <tracefinder@gmail.com>
+---
+ src/lib/db.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/db.c b/src/lib/db.c
+index b4bbd1bf..74c5a7b4 100644
+--- a/src/lib/db.c
++++ b/src/lib/db.c
+@@ -2169,9 +2169,11 @@ static CK_RV dbup_handler_from_7_to_8(sqlite3 *updb) {
+ 
+         /* for each tobject */
+         CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(tobj->attrs, CKA_ALLOWED_MECHANISMS);
+-        CK_BYTE type = type_from_ptr(a->pValue, a->ulValueLen);
+-        if (type != TYPE_BYTE_INT_SEQ) {
+-            rv = _db_update_tobject_attrs(updb, tobj->id, tobj->attrs);
++        if (a) {
++            CK_BYTE type = type_from_ptr(a->pValue, a->ulValueLen);
++            if (type != TYPE_BYTE_INT_SEQ) {
++                rv = _db_update_tobject_attrs(updb, tobj->id, tobj->attrs);
++            }
+         }
+ 
+         tobject_free(tobj);
diff --git a/third_party/overlays/patches/tpm2-pkcs11.nix b/third_party/overlays/patches/tpm2-pkcs11.nix
deleted file mode 100644
index 2e7db7aca3bb..000000000000
--- a/third_party/overlays/patches/tpm2-pkcs11.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, substituteAll
-, pkg-config
-, autoreconfHook
-, autoconf-archive
-, makeWrapper
-, patchelf
-, tpm2-tss
-, tpm2-tools
-, opensc
-, openssl
-, sqlite
-, python3
-, glibc
-, libyaml
-, abrmdSupport ? true
-, tpm2-abrmd ? null
-}:
-
-stdenv.mkDerivation rec {
-  pname = "tpm2-pkcs11";
-  version = "1.8.0";
-
-  src = fetchFromGitHub {
-    owner = "tpm2-software";
-    repo = pname;
-    rev = version;
-    sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";
-  };
-
-  patches = lib.singleton (
-    substituteAll {
-      src = ./0001-configure-ac-version.patch;
-      VERSION = version;
-    });
-
-  # The preConfigure phase doesn't seem to be working here
-  # ./bootstrap MUST be executed as the first step, before all
-  # of the autoreconfHook stuff
-  postPatch = ''
-    ./bootstrap
-  '';
-
-  nativeBuildInputs = [
-    pkg-config
-    autoreconfHook
-    autoconf-archive
-    makeWrapper
-    patchelf
-  ];
-  buildInputs = [
-    tpm2-tss
-    tpm2-tools
-    opensc
-    openssl
-    sqlite
-    libyaml
-    (python3.withPackages (ps: with ps; [ packaging pyyaml cryptography pyasn1-modules tpm2-pytss ]))
-  ];
-
-  outputs = [ "out" "bin" "dev" ];
-
-  dontStrip = true;
-  dontPatchELF = true;
-
-  # To be able to use the userspace resource manager, the RUNPATH must
-  # explicitly include the tpm2-abrmd shared libraries.
-  preFixup =
-    let
-      rpath = lib.makeLibraryPath (
-        (lib.optional abrmdSupport tpm2-abrmd)
-        ++ [
-          tpm2-tss
-          sqlite
-          openssl
-          glibc
-          libyaml
-        ]
-      );
-    in
-    ''
-      patchelf \
-        --set-rpath ${rpath} \
-        ${lib.optionalString abrmdSupport "--add-needed ${lib.makeLibraryPath [tpm2-abrmd]}/libtss2-tcti-tabrmd.so"} \
-        --add-needed ${lib.makeLibraryPath [tpm2-tss]}/libtss2-tcti-device.so \
-        $out/lib/libtpm2_pkcs11.so.0.0.0
-    '';
-
-  postInstall = ''
-    mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
-    mv ./tools/* $bin/share/tpm2_pkcs11/
-    makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
-      --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
-  '';
-
-  meta = with lib; {
-    description = "A PKCS#11 interface for TPM2 hardware";
-    homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
-    license = licenses.bsd2;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ matthiasbeyer ];
-  };
-}
diff --git a/third_party/overlays/tvl.nix b/third_party/overlays/tvl.nix
index 9ebe21369ba9..c8a256fa3a83 100644
--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@@ -149,8 +149,12 @@ depot.nix.readTree.drvTargets {
     };
   };
 
-  # OpenVPN + TPM2 is broken on versions of this package somewhere
-  # after 1.8.0, but it is a critical dependency for tazjin. For this
-  # reason it is vendored from a specific nixpkgs commit.
-  tpm2-pkcs11 = self.callPackage ./patches/tpm2-pkcs11.nix { };
+  # Imports a patch that fixes usage of this package on versions
+  # >=1.9. The patch has been proposed upstream, but so far with no
+  # reactions from the maintainer:
+  #
+  # https://github.com/tpm2-software/tpm2-pkcs11/pull/849
+  tpm2-pkcs11 = super.tpm2-pkcs11.overrideAttrs (old: {
+    patches = (old.patches or [ ]) ++ [ ./patches/tpm2-pkcs11-190-dbupgrade.patch ];
+  });
 }
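Review bot: The `tpm2-pkcs11 = super.tpm2-pkcs11.overrideAttrs` override appends `./patches/tpm2-pkcs11-190-dbupgrade.patch` unconditionally, so the next nixpkgs bump that merges upstream PR 849 or otherwise reshapes `dbup_handler_from_7_to_8` in `src/lib/db.c` will fail at patch-apply time with no hint why, while a bump to an older or unaffected version would patch code that does not need it. Gate the patch on the version it was verified against, e.g. `patches = (old.patches or [ ]) ++ lib.optional (lib.versionOlder old.version "<FIRST_FIXED_VERSION>") ./patches/tpm2-pkcs11-190-dbupgrade.patch;`, or at minimum add an `assert` on `old.version` whose message names the upstream PR so the failure is self-explanatory; whether `lib` is in scope in this file is not visible from the hunk, and `self.lib` is available in an overlay if it is not. The replacement comment says the patch "fixes usage of this package on versions >=1.9" without saying what breaks; since the patch only touches the 7→8 database-schema upgrade (it skips token objects that lack a CKA_ALLOWED_MECHANISMS attribute instead of dereferencing a NULL pointer), I would say so, e.g. `# Without this, the 7->8 DB schema upgrade dereferences NULL for token objects with no CKA_ALLOWED_MECHANISMS attribute.`, so a future reader can tell when the patch can be dropped.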