fix(3p/overlays): upgrade tpm2-pkcs11, but add unmerged patch
Instead of pinning to an old version, move forward but with a fix for the critical bug that's been preventing me from upgrading. The project seems to be unmaintained upstream, but I took the fix from the open pull requests. Change-Id: I85c8f780b1e363bac4060dd89b1930a6e59ce2a3 Reviewed-on: https://cl.tvl.fyi/c/depot/+/11145 Tested-by: BuildkiteCI Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de>
This commit is contained in:
		
							parent
							
								
									e220d80727
								
							
						
					
					
						commit
						fa8e706b9b
					
				
					 3 changed files with 37 additions and 109 deletions
				
			
		
							
								
								
									
										29
									
								
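--- /dev/null
+++ b/third_party/overlays/patches/tpm2-pkcs11-190-dbupgrade.patch
@@ -0,0 +1,29 @@
+From 987323794148a6ff5ce3d02eef8cfeb46bee1761 Mon Sep 17 00:00:00 2001
+From: Anton <tracefinder@gmail.com>
+Date: Tue, 7 Nov 2023 12:02:15 +0300
+Subject: [PATCH] Skip null attribute during DB update
+
+Signed-off-by: Anton <tracefinder@gmail.com>
+---
+ src/lib/db.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/db.c b/src/lib/db.c
+index b4bbd1bf..74c5a7b4 100644
+--- a/src/lib/db.c
++++ b/src/lib/db.c
+@@ -2169,9 +2169,11 @@ static CK_RV dbup_handler_from_7_to_8(sqlite3 *updb) {
+ 
+         /* for each tobject */
+         CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(tobj->attrs, CKA_ALLOWED_MECHANISMS);
+-        CK_BYTE type = type_from_ptr(a->pValue, a->ulValueLen);
+-        if (type != TYPE_BYTE_INT_SEQ) {
+-            rv = _db_update_tobject_attrs(updb, tobj->id, tobj->attrs);
++        if (a) {
++            CK_BYTE type = type_from_ptr(a->pValue, a->ulValueLen);
++            if (type != TYPE_BYTE_INT_SEQ) {
++                rv = _db_update_tobject_attrs(updb, tobj->id, tobj->attrs);
++            }
+         }
+ 
+         tobject_free(tobj);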
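Review bot: When `a` is NULL the new `if (a)` branch leaves `rv` untouched for that object, so what the loop reports for it depends on whatever `rv` held before this iteration; that initialization is outside the hunk, so confirm it is a clean success value rather than a stale result from the previous object. The guard also checks only the attribute pointer: an object carrying a zero-length CKA_ALLOWED_MECHANISMS (`pValue == NULL`) still reaches `type_from_ptr`, and whether that helper tolerates it cannot be seen from here. A short comment on the new branch would help the next reader, e.g. `/* no CKA_ALLOWED_MECHANISMS on this object: nothing to convert, skip it */`. dbup_handler_from_7_to_8 begins and ends outside the hunk.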
							
								
								
									
										105
									
								
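--- a/third_party/overlays/patches/tpm2-pkcs11.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, substituteAll
-, pkg-config
-, autoreconfHook
-, autoconf-archive
-, makeWrapper
-, patchelf
-, tpm2-tss
-, tpm2-tools
-, opensc
-, openssl
-, sqlite
-, python3
-, glibc
-, libyaml
-, abrmdSupport ? true
-, tpm2-abrmd ? null
-}:
-
-stdenv.mkDerivation rec {
-  pname = "tpm2-pkcs11";
-  version = "1.8.0";
-
-  src = fetchFromGitHub {
-    owner = "tpm2-software";
-    repo = pname;
-    rev = version;
-    sha256 = "sha256-f5wi0nIM071yaQCwPkY1agKc7OEQa/IxHJc4V2i0Q9I=";
-  };
-
-  patches = lib.singleton (
-    substituteAll {
-      src = ./0001-configure-ac-version.patch;
-      VERSION = version;
-    });
-
-  # The preConfigure phase doesn't seem to be working here
-  # ./bootstrap MUST be executed as the first step, before all
-  # of the autoreconfHook stuff
-  postPatch = ''
-    ./bootstrap
-  '';
-
-  nativeBuildInputs = [
-    pkg-config
-    autoreconfHook
-    autoconf-archive
-    makeWrapper
-    patchelf
-  ];
-  buildInputs = [
-    tpm2-tss
-    tpm2-tools
-    opensc
-    openssl
-    sqlite
-    libyaml
-    (python3.withPackages (ps: with ps; [ packaging pyyaml cryptography pyasn1-modules tpm2-pytss ]))
-  ];
-
-  outputs = [ "out" "bin" "dev" ];
-
-  dontStrip = true;
-  dontPatchELF = true;
-
-  # To be able to use the userspace resource manager, the RUNPATH must
-  # explicitly include the tpm2-abrmd shared libraries.
-  preFixup =
-    let
-      rpath = lib.makeLibraryPath (
-        (lib.optional abrmdSupport tpm2-abrmd)
-        ++ [
-          tpm2-tss
-          sqlite
-          openssl
-          glibc
-          libyaml
-        ]
-      );
-    in
-    ''
-      patchelf \
-        --set-rpath ${rpath} \
-        ${lib.optionalString abrmdSupport "--add-needed ${lib.makeLibraryPath [tpm2-abrmd]}/libtss2-tcti-tabrmd.so"} \
-        --add-needed ${lib.makeLibraryPath [tpm2-tss]}/libtss2-tcti-device.so \
-        $out/lib/libtpm2_pkcs11.so.0.0.0
-    '';
-
-  postInstall = ''
-    mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
-    mv ./tools/* $bin/share/tpm2_pkcs11/
-    makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
-      --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
-  '';
-
-  meta = with lib; {
-    description = "A PKCS#11 interface for TPM2 hardware";
-    homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
-    license = licenses.bsd2;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ matthiasbeyer ];
-  };
-}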
							
								
								
									
										12
									
								
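--- a/third_party/overlays/tvl.nix
+++ b/third_party/overlays/tvl.nix
@@ -149,8 +149,12 @@ depot.nix.readTree.drvTargets {
     };
   };
 
-  # OpenVPN + TPM2 is broken on versions of this package somewhere
-  # after 1.8.0, but it is a critical dependency for tazjin. For this
-  # reason it is vendored from a specific nixpkgs commit.
-  tpm2-pkcs11 = self.callPackage ./patches/tpm2-pkcs11.nix { };
+  # Imports a patch that fixes usage of this package on versions
+  # >=1.9. The patch has been proposed upstream, but so far with no
+  # reactions from the maintainer:
+  #
+  # https://github.com/tpm2-software/tpm2-pkcs11/pull/849
+  tpm2-pkcs11 = super.tpm2-pkcs11.overrideAttrs (old: {
+    patches = (old.patches or [ ]) ++ [ ./patches/tpm2-pkcs11-190-dbupgrade.patch ];
+  });
 }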
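Review bot: The override appends the db.c patch to whatever tpm2-pkcs11 version nixpkgs currently ships, with no version bound, so the first nixpkgs bump that already carries upstream PR 849 (or reshuffles that region of db.c) will fail at patch-application time with no hint in this file about why. The comment above the override should say that the patch is to be dropped once the upstream PR lands and name the release it was last verified against, e.g. `# Verified against tpm2-pkcs11 <version-checked-placeholder>; remove once PR 849 is merged upstream.`. If a version guard is wanted, `lib.optional (lib.versionOlder old.version "<first-fixed-version-placeholder>") ./patches/tpm2-pkcs11-190-dbupgrade.patch` would express it, assuming `lib` is reachable in this overlay (not visible in the hunk).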