fix: we need to roll our own versions of tpm2-tools and tpm2-tss

flake.nix

@@ -37,6 +37,8 @@
           kernel = pkgs.callPackage ./pkgs/kernel { };
           glibc = pkgs.callPackage ./pkgs/glibc { };
           kexec = pkgs.callPackage ./pkgs/kexec-tools { };
+          tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; };
+          tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { };
           systemd = pkgs.callPackage ./pkgs/systemd { };
           dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { };
 

pkgs/kernel/default.nix

@@ -1,6 +1,6 @@
 { pkgs, ... }:
 let
-  version = "6.13.2";
+  version = "6.13.4";
 in
 pkgs.linuxPackagesFor (
   pkgs.linuxManualConfig {
@@ -8,7 +8,7 @@ pkgs.linuxPackagesFor (
     modDirVersion = version;
     src = pkgs.fetchurl {
       url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
-      hash = "sha256-zfYpgZBru+lwGutzxPn8yAegmEbCiHMWY9YnF+0a5wU=";
+      hash = "sha256-uA4LyO+8MenOWoTRCE3Mz6QOAb6ozCWv0GZIuT1hM54=";
     };
     configfile = ./generic.config;
     allowImportFromDerivation = true;

pkgs/kernel/generic.config

@@ -2213,6 +2213,7 @@ CONFIG_TCG_CRB=y
 CONFIG_TCG_TIS_CORE=y
 CONFIG_TCG_TIS=y
 CONFIG_TCG_TPM=y
+CONFIG_TCG_TPM2_HMAC=y
 CONFIG_TCP_CONG_ADVANCED=y
 CONFIG_TCP_CONG_BBR=y
 CONFIG_TCP_CONG_CUBIC=y

pkgs/rootfs/default.nix

@@ -26,6 +26,8 @@ stdenvNoCC.mkDerivation (finalAttrs: {
   kmodBin = pkgs.kmod.out;
   libbpf = pkgs.libbpf.out;
   btrfs = pkgs.btrfs-progs.out;
+  tpm2Libs = patosPkgs.tpm2-tss.out;
+  tpm2Tools = patosPkgs.tpm2-tools.out;
   kexec = patosPkgs.kexec.out;
 
   builder = ./mkrootfs.sh;

pkgs/rootfs/mkrootfs.sh

@@ -116,6 +116,10 @@ cp -Pr ${kexec}/sbin/kexec $out/usr/bin/
 cp -Pr ${btrfs}/bin/* $out/usr/bin/
 cp -Pr ${btrfs}/lib/* $out/usr/lib/
 
+### install tpm2 tools
+cp -P ${tpm2Tools}/bin/* $out/usr/bin/
+cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/
+
 ### install lib kmod
 cp -P $kmodLibs/lib/* $out/usr/lib
 cp -P $kmodBin/bin/* $out/usr/bin
@@ -189,7 +193,7 @@ EOF
 chmod 644 $out/etc/group
 
 ### Find and install all shared libs
-find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | sort -u | xargs cp -t $out/usr/lib
+find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | sort -u | xargs cp -t $out/usr/lib
 find $out -type f -executable -exec chmod 755 {} \;
 
 # FIXME: ELF patching. Is there a better way?

pkgs/tpm2-tools/default.nix

@@ -0,0 +1,48 @@
+{
+  stdenv,
+  fetchurl,
+  lib,
+  pandoc,
+  pkg-config,
+  curl,
+  openssl,
+  patosPkgs,
+  libuuid,
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tpm2-tools";
+  version = "5.7";
+
+  src = fetchurl {
+    url = "https://github.com/tpm2-software/${pname}/releases/download/${version}/${pname}-${version}.tar.gz";
+    sha256 = "sha256-OBDTa1B5JW9PL3zlUuIiE9Q7EDHBMVON+KLbw8VwmDo=";
+  };
+
+  nativeBuildInputs = [
+    pandoc
+    pkg-config
+  ];
+  buildInputs = [
+    curl
+    openssl
+    patosPkgs.tpm2-tss
+    libuuid
+  ];
+
+  # Unit tests disabled, as they rely on a dbus session
+  configureFlags = [ "--prefix=/" ];
+  preInstall = ''
+    mkdir -p $out
+    export DESTDIR=$out
+  '';
+  doCheck = false;
+
+  meta = with lib; {
+    description = "Command line tools that provide access to a TPM 2.0 compatible device";
+    homepage = "https://github.com/tpm2-software/tpm2-tools";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ tomfitzhenry ];
+  };
+}

pkgs/tpm2-tss/default.nix

@@ -0,0 +1,86 @@
+{
+  stdenv,
+  lib,
+  fetchFromGitHub,
+  autoreconfHook,
+  autoconf-archive,
+  pkg-config,
+  doxygen,
+  perl,
+  openssl,
+  json_c,
+  curl,
+  libgcrypt,
+  uthash,
+  git,
+  libuuid,
+  libtpms,
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tpm2-tss";
+  version = "4.1.3";
+
+  src = fetchFromGitHub {
+    owner = "tpm2-software";
+    repo = pname;
+    rev = version;
+    hash = "sha256-BP28utEUI9g1VNv3lCXuiKrDtEImFQxxZfIjLiE3Wr8=";
+  };
+
+  patches = [
+    ./no-shadow.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace ./bootstrap \
+      --replace-fail 'git describe --tags --always --dirty' 'echo "${version}"'
+  '';
+
+  outputs = [
+    "out"
+  ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    autoconf-archive
+    pkg-config
+    doxygen
+    perl
+    git
+  ];
+
+  buildInputs = [
+    openssl
+    json_c
+    curl
+    libgcrypt
+    uthash
+    libuuid
+    libtpms
+  ];
+
+  strictDeps = true;
+  preAutoreconf = "./bootstrap";
+
+  enableParallelBuilding = true;
+
+  configureFlags = [
+    "--prefix=/"
+  ];
+
+  preInstall = ''
+    mkdir -p $out
+    export DESTDIR=$out
+  '';
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "OSS implementation of the TCG TPM2 Software Stack (TSS2)";
+    homepage = "https://github.com/tpm2-software/tpm2-tss";
+    license = licenses.bsd2;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ baloo ];
+  };
+}

pkgs/tpm2-tss/no-shadow.patch

@@ -0,0 +1,16 @@
+diff --git a/configure.ac b/configure.ac
+index e2d579b8..0eac4ff3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -672,9 +672,9 @@ AS_IF([test "$HOSTOS" = "Linux" && test "x$systemd_sysusers" != "xyes"],
+       AC_CHECK_PROG(adduser, adduser, yes)
+       AC_CHECK_PROG(addgroup, addgroup, yes)
+       AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
+-         [AC_MSG_ERROR([addgroup or groupadd are needed.])])
++         [AC_MSG_WARN([addgroup or groupadd are needed.])])
+       AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
+-         [AC_MSG_ERROR([adduser or useradd are needed.])])])
++         [AC_MSG_WARN([adduser or useradd are needed.])])])
+ 
+ AC_SUBST([PATH])
+