authorVincent Ambo <tazjin@tvl.su>2024-02-04T17·32+0300
committerclbot <clbot@tvl.fyi>2024-02-05T21·10+0000
commitc397aaceef4ab72a9437eeb6fb97d534dce1b663 (patch)
tree67d2e6f4f536c60f8ca746302659dc4286bacfd3 /third_party
parent0d55a6dcc86b4f7f3f0f26fb8a5db5fc2e72a08e (diff)
fix(3p/overlays): pin specific version of tpm2-pkcs11 r/7476
Newer versions broke compatibility with who knows which part of the
stack is required for correct TPM + OpenVPN interaction, but I need
this to work.

This was previously picked from stable, but we've bumped stable and it
has advanced to a version where this is also broken.

I believe this is a known issue, but right now I don't have the time
to look into it.

Change-Id: I1060f3ecfd7b43ebe5e1860f59f7574ca094570a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/10743
Reviewed-by: tazjin <tazjin@tvl.su>
Autosubmit: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Diffstat (limited to 'third_party')
-rw-r--r--third_party/nixpkgs/default.nix3
-rw-r--r--third_party/overlays/patches/.skip-tree1
-rw-r--r--third_party/overlays/patches/0001-configure-ac-version.patch13
-rw-r--r--third_party/overlays/patches/tpm2-pkcs11.nix105
-rw-r--r--third_party/overlays/tvl.nix5
5 files changed, 124 insertions, 3 deletions
diff --git a/third_party/nixpkgs/default.nix b/third_party/nixpkgs/default.nix
index 08ec6f8524..747cf5a114 100644
--- a/third_party/nixpkgs/default.nix
+++ b/third_party/nixpkgs/default.nix
@@ -52,9 +52,6 @@ let
   stableOverlay = _unstableSelf: unstableSuper: {
     # weird memory access issues in SBCL on AMD; 2024-02-01
     sbcl = stableNixpkgs.sbcl;
-
-    # TPM authentication seems broken on unstable; 2023-11-29
-    tpm2-pkcs11 = stableNixpkgs.tpm2-pkcs11;
   };
 
   # Overlay to expose the nixpkgs commits we are using to other Nix code.
diff --git a/third_party/overlays/patches/.skip-tree b/third_party/overlays/patches/.skip-tree
new file mode 100644
index 0000000000..86eae51a6d
--- /dev/null
+++ b/third_party/overlays/patches/.skip-tree
@@ -0,0 +1 @@
+No readTree-compatible files.
diff --git a/third_party/overlays/patches/0001-configure-ac-version.patch b/third_party/overlays/patches/0001-configure-ac-version.patch
new file mode 100644
index 0000000000..fa2575cb93
--- /dev/null
+++ b/third_party/overlays/patches/0001-configure-ac-version.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index e861e42..018c19c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -26,7 +26,7 @@
+ #;**********************************************************************;
+ 
+ AC_INIT([tpm2-pkcs11],
+-  [m4_esyscmd_s([git describe --tags --always --dirty])],
++  [git-@VERSION@],
+   [https://github.com/tpm2-software/tpm2-pkcs11/issues],
+   [],
+   [https://github.com/tpm2-software/tpm2-pkcs11])
diff --git a/third_party/overlays/patches/tpm2-pkcs11.nix b/third_party/overlays/patches/tpm2-pkcs11.nix
new file mode 100644
index 0000000000..2e7db7aca3
--- /dev/null
+++ b/third_party/overlays/patches/tpm2-pkcs11.nix
@@ -0,0 +1,105 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, substituteAll
+, pkg-config
+, autoreconfHook
+, autoconf-archive
+, makeWrapper
+, patchelf
+, tpm2-tss
+, tpm2-tools
+, opensc
+, openssl
+, sqlite
+, python3
+, glibc
+, libyaml
+, abrmdSupport ? true
+, tpm2-abrmd ? null
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tpm2-pkcs11";
+  version = "1.8.0";
+
+  src = fetchFromGitHub {
+    owner = "tpm2-software";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";
+  };
+
+  patches = lib.singleton (
+    substituteAll {
+      src = ./0001-configure-ac-version.patch;
+      VERSION = version;
+    });
+
+  # The preConfigure phase doesn't seem to be working here
+  # ./bootstrap MUST be executed as the first step, before all
+  # of the autoreconfHook stuff
+  postPatch = ''
+    ./bootstrap
+  '';
+
+  nativeBuildInputs = [
+    pkg-config
+    autoreconfHook
+    autoconf-archive
+    makeWrapper
+    patchelf
+  ];
+  buildInputs = [
+    tpm2-tss
+    tpm2-tools
+    opensc
+    openssl
+    sqlite
+    libyaml
+    (python3.withPackages (ps: with ps; [ packaging pyyaml cryptography pyasn1-modules tpm2-pytss ]))
+  ];
+
+  outputs = [ "out" "bin" "dev" ];
+
+  dontStrip = true;
+  dontPatchELF = true;
+
+  # To be able to use the userspace resource manager, the RUNPATH must
+  # explicitly include the tpm2-abrmd shared libraries.
+  preFixup =
+    let
+      rpath = lib.makeLibraryPath (
+        (lib.optional abrmdSupport tpm2-abrmd)
+        ++ [
+          tpm2-tss
+          sqlite
+          openssl
+          glibc
+          libyaml
+        ]
+      );
+    in
+    ''
+      patchelf \
+        --set-rpath ${rpath} \
+        ${lib.optionalString abrmdSupport "--add-needed ${lib.makeLibraryPath [tpm2-abrmd]}/libtss2-tcti-tabrmd.so"} \
+        --add-needed ${lib.makeLibraryPath [tpm2-tss]}/libtss2-tcti-device.so \
+        $out/lib/libtpm2_pkcs11.so.0.0.0
+    '';
+
+  postInstall = ''
+    mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
+    mv ./tools/* $bin/share/tpm2_pkcs11/
+    makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
+      --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
+  '';
+
+  meta = with lib; {
+    description = "A PKCS#11 interface for TPM2 hardware";
+    homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
+    license = licenses.bsd2;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ matthiasbeyer ];
+  };
+}
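Review bot: The new file is a vendored copy of a nixpkgs derivation, but nothing in it records which nixpkgs revision or file it was copied from, so it silently leaves nixpkgs' update and security-fix stream with no way to diff it against upstream later; the tvl.nix hunk has the same gap, its comment saying "a specific nixpkgs commit" without naming it. I'd put a header above `{ stdenv` such as `# Vendored from nixpkgs <REVISION - fill in> (tpm2-pkcs11 derivation), pinned at 1.8.0; compare with upstream before bumping.` A smaller point: `tpm2-abrmd ? null` together with `abrmdSupport ? true` means a direct call that leaves tpm2-abrmd unset does not fail; as far as I can tell makeLibraryPath drops the null, so the `--add-needed` argument degrades to a bogus `/libtss2-tcti-tabrmd.so` at build time instead of raising an error. `assert abrmdSupport -> tpm2-abrmd != null;` before `stdenv.mkDerivation rec {` would surface that early (callPackage in tvl.nix presumably supplies the package, so this only bites direct callers).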
diff --git a/third_party/overlays/tvl.nix b/third_party/overlays/tvl.nix
index a070320c73..6614709143 100644
--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@@ -132,4 +132,9 @@ depot.nix.readTree.drvTargets {
       license = licenses.asl20;
     };
   };
+
+  # OpenVPN + TPM2 is broken on versions of this package somewhere
+  # after 1.8.0, but it is a critical dependency for tazjin. For this
+  # reason it is vendored from a specific nixpkgs commit.
+  tpm2-pkcs11 = self.callPackage ./patches/tpm2-pkcs11.nix { };
 }