Diffstat (limited to 'third_party/overlays')
-rw-r--r-- | third_party/overlays/patches/.skip-tree | 1 | ||||
-rw-r--r-- | third_party/overlays/patches/0001-configure-ac-version.patch | 13 | ||||
-rw-r--r-- | third_party/overlays/patches/tpm2-pkcs11.nix | 105 | ||||
-rw-r--r-- | third_party/overlays/tvl.nix | 5 |
4 files changed, 124 insertions, 0 deletions
diff --git a/third_party/overlays/patches/.skip-tree b/third_party/overlays/patches/.skip-tree
new file mode 100644
index 000000000000..86eae51a6d62
--- /dev/null
+++ b/third_party/overlays/patches/.skip-tree
@@ -0,0 +1 @@
+No readTree-compatible files.
diff --git a/third_party/overlays/patches/0001-configure-ac-version.patch b/third_party/overlays/patches/0001-configure-ac-version.patch
new file mode 100644
index 000000000000..fa2575cb938a
--- /dev/null
+++ b/third_party/overlays/patches/0001-configure-ac-version.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index e861e42..018c19c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -26,7 +26,7 @@
+ #;**********************************************************************;
+ 
+ AC_INIT([tpm2-pkcs11],
+- [m4_esyscmd_s([git describe --tags --always --dirty])],
++ [git-@VERSION@],
+ [https://github.com/tpm2-software/tpm2-pkcs11/issues],
+ [],
+ [https://github.com/tpm2-software/tpm2-pkcs11])
diff --git a/third_party/overlays/patches/tpm2-pkcs11.nix b/third_party/overlays/patches/tpm2-pkcs11.nix
new file mode 100644
index 000000000000..2e7db7aca3bb
--- /dev/null
+++ b/third_party/overlays/patches/tpm2-pkcs11.nix
@@ -0,0 +1,105 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, substituteAll
+, pkg-config
+, autoreconfHook
+, autoconf-archive
+, makeWrapper
+, patchelf
+, tpm2-tss
+, tpm2-tools
+, opensc
+, openssl
+, sqlite
+, python3
+, glibc
+, libyaml
+, abrmdSupport ? true
+, tpm2-abrmd ? null
+}:
+
+stdenv.mkDerivation rec {
+ pname = "tpm2-pkcs11";
+ version = "1.8.0";
+
+ src = fetchFromGitHub {
+ owner = "tpm2-software";
+ repo = pname;
+ rev = version;
+ sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";
+ };
+
+ patches = lib.singleton (
+ substituteAll {
+ src = ./0001-configure-ac-version.patch;
+ VERSION = version;
+ });
+
+ # The preConfigure phase doesn't seem to be working here
+ # ./bootstrap MUST be executed as the first step, before all
+ # of the autoreconfHook stuff
+ postPatch = ''
+ ./bootstrap
+ '';
+
+ nativeBuildInputs = [
+ pkg-config
+ autoreconfHook
+ autoconf-archive
+ makeWrapper
+ patchelf
+ ];
+ buildInputs = [
+ tpm2-tss
+ tpm2-tools
+ opensc
+ openssl
+ sqlite
+ libyaml
+ (python3.withPackages (ps: with ps; [ packaging pyyaml cryptography pyasn1-modules tpm2-pytss ]))
+ ];
+
+ outputs = [ "out" "bin" "dev" ];
+
+ dontStrip = true;
+ dontPatchELF = true;
+
+ # To be able to use the userspace resource manager, the RUNPATH must
+ # explicitly include the tpm2-abrmd shared libraries.
+ preFixup =
+ let
+ rpath = lib.makeLibraryPath (
+ (lib.optional abrmdSupport tpm2-abrmd)
+ ++ [
+ tpm2-tss
+ sqlite
+ openssl
+ glibc
+ libyaml
+ ]
+ );
+ in
+ ''
+ patchelf \
+ --set-rpath ${rpath} \
+ ${lib.optionalString abrmdSupport "--add-needed ${lib.makeLibraryPath [tpm2-abrmd]}/libtss2-tcti-tabrmd.so"} \
+ --add-needed ${lib.makeLibraryPath [tpm2-tss]}/libtss2-tcti-device.so \
+ $out/lib/libtpm2_pkcs11.so.0.0.0
+ '';
+
+ postInstall = ''
+ mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
+ mv ./tools/* $bin/share/tpm2_pkcs11/
+ makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
+ --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
+ '';
+
+ meta = with lib; {
+ description = "A PKCS#11 interface for TPM2 hardware";
+ homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
+ license = licenses.bsd2;
+ platforms = platforms.linux;
+ maintainers = with maintainers; [ matthiasbeyer ];
+ };
+}
diff --git a/third_party/overlays/tvl.nix b/third_party/overlays/tvl.nix
index a070320c73f6..661470914351 100644
--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@@ -132,4 +132,9 @@ depot.nix.readTree.drvTargets {
 license = licenses.asl20;
 };
 };
+
+ # OpenVPN + TPM2 is broken on versions of this package somewhere
+ # after 1.8.0, but it is a critical dependency for tazjin. For this
+ # reason it is vendored from a specific nixpkgs commit.
+ tpm2-pkcs11 = self.callPackage ./patches/tpm2-pkcs11.nix { };
 }
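Review bot: The default pair `abrmdSupport ? true` and `tpm2-abrmd ? null` is inconsistent: when the caller does not supply tpm2-abrmd, `lib.optional abrmdSupport tpm2-abrmd` puts `null` into the RUNPATH list and `lib.makeLibraryPath [tpm2-abrmd]` in preFixup then fails with an unrelated-looking evaluation error instead of a clear message. Adding `assert abrmdSupport -> tpm2-abrmd != null;` directly before `stdenv.mkDerivation rec {` makes the contract explicit and fails early at the call site. Since `--set-rpath` replaces whatever RUNPATH the linker wrote and `dontPatchELF = true` disables the stdenv shrink step, a comment on the rpath list stating that it must enumerate every runtime dependency of libtpm2_pkcs11.so would help the next person who adds a library; the current comment only explains the tpm2-abrmd entry. The `python3.withPackages` set in buildInputs is presumably what `tpm2_ptool.py` runs under after shebang patching, but the wrapper only adjusts PATH, so that assumption is worth stating in a comment next to the makeWrapper call.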
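Review bot: The new comment says the package "is vendored from a specific nixpkgs commit" but records neither that commit nor which upstream version broke, so the pin cannot be audited against its origin or re-synced later without re-doing the bisection. Record the provenance in the comment, e.g. `# reason it is vendored (as 1.8.0) from nixpkgs commit <nixpkgs-commit-id>, with the` and a following line naming the breaking upstream version if known, where `<nixpkgs-commit-id>` is a placeholder for the actual commit hash. The attribute also shadows the nixpkgs `tpm2-pkcs11` for everything in the overlay, not only the OpenVPN use case; a sentence noting that this is intentional would save a reader from wondering whether other consumers were considered.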