From aa4f69d8919d94fa304d6fc20011a07f00c39c1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= Date: Thu, 27 Feb 2025 08:59:01 +0100 Subject: [PATCH] fix: we need to roll our own versions of tpm2-tools and tpm2-tss --- flake.nix | 2 + pkgs/kernel/default.nix | 4 +- pkgs/kernel/generic.config | 1 + pkgs/rootfs/default.nix | 2 + pkgs/rootfs/mkrootfs.sh | 6 ++- pkgs/tpm2-tools/default.nix | 48 +++++++++++++++++++ pkgs/tpm2-tss/default.nix | 86 +++++++++++++++++++++++++++++++++++ pkgs/tpm2-tss/no-shadow.patch | 16 +++++++ 8 files changed, 162 insertions(+), 3 deletions(-) create mode 100644 pkgs/tpm2-tools/default.nix create mode 100644 pkgs/tpm2-tss/default.nix create mode 100644 pkgs/tpm2-tss/no-shadow.patch diff --git a/flake.nix b/flake.nix index 32097ba..071ae56 100644 --- a/flake.nix +++ b/flake.nix @@ -37,6 +37,8 @@ kernel = pkgs.callPackage ./pkgs/kernel { }; glibc = pkgs.callPackage ./pkgs/glibc { }; kexec = pkgs.callPackage ./pkgs/kexec-tools { }; + tpm2-tools = pkgs.callPackage ./pkgs/tpm2-tools { inherit patosPkgs; }; + tpm2-tss = pkgs.callPackage ./pkgs/tpm2-tss { }; systemd = pkgs.callPackage ./pkgs/systemd { }; dbus-broker = pkgs.callPackage ./pkgs/dbus-broker { }; diff --git a/pkgs/kernel/default.nix b/pkgs/kernel/default.nix index e10d25b..73ecd1f 100644 --- a/pkgs/kernel/default.nix +++ b/pkgs/kernel/default.nix @@ -1,6 +1,6 @@ { pkgs, ... }: let - version = "6.13.2"; + version = "6.13.4"; in pkgs.linuxPackagesFor ( pkgs.linuxManualConfig { @@ -8,7 +8,7 @@ pkgs.linuxPackagesFor ( modDirVersion = version; src = pkgs.fetchurl { url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz"; - hash = "sha256-zfYpgZBru+lwGutzxPn8yAegmEbCiHMWY9YnF+0a5wU="; + hash = "sha256-uA4LyO+8MenOWoTRCE3Mz6QOAb6ozCWv0GZIuT1hM54="; }; configfile = ./generic.config; allowImportFromDerivation = true; diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config index 7e0325c..c717915 100644 --- a/pkgs/kernel/generic.config 
+++ b/pkgs/kernel/generic.config @@ -2213,6 +2213,7 @@ CONFIG_TCG_CRB=y CONFIG_TCG_TIS_CORE=y CONFIG_TCG_TIS=y CONFIG_TCG_TPM=y +CONFIG_TCG_TPM2_HMAC=y CONFIG_TCP_CONG_ADVANCED=y CONFIG_TCP_CONG_BBR=y CONFIG_TCP_CONG_CUBIC=y diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix index c6f6fa1..4d7768b 100644 --- a/pkgs/rootfs/default.nix +++ b/pkgs/rootfs/default.nix @@ -26,6 +26,8 @@ stdenvNoCC.mkDerivation (finalAttrs: { kmodBin = pkgs.kmod.out; libbpf = pkgs.libbpf.out; btrfs = pkgs.btrfs-progs.out; + tpm2Libs = patosPkgs.tpm2-tss.out; + tpm2Tools = patosPkgs.tpm2-tools.out; kexec = patosPkgs.kexec.out; builder = ./mkrootfs.sh; diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh index 078c011..7d94052 100644 --- a/pkgs/rootfs/mkrootfs.sh +++ b/pkgs/rootfs/mkrootfs.sh @@ -116,6 +116,10 @@ cp -Pr ${kexec}/sbin/kexec $out/usr/bin/ cp -Pr ${btrfs}/bin/* $out/usr/bin/ cp -Pr ${btrfs}/lib/* $out/usr/lib/ +### install tpm2 tools +cp -P ${tpm2Tools}/bin/* $out/usr/bin/ +cp -P ${tpm2Libs}/lib/*.so* $out/usr/lib/ + ### install lib kmod cp -P $kmodLibs/lib/* $out/usr/lib cp -P $kmodBin/bin/* $out/usr/bin @@ -189,7 +193,7 @@ EOF chmod 644 $out/etc/group ### Find and install all shared libs -find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | sort -u | xargs cp -t $out/usr/lib +find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | sort -u | xargs cp -t $out/usr/lib find $out -type f -executable -exec chmod 755 {} \; # FIXME: ELF patching. Is there a better way? diff --git a/pkgs/tpm2-tools/default.nix b/pkgs/tpm2-tools/default.nix new file mode 100644 index 0000000..f447fe6 --- /dev/null +++ b/pkgs/tpm2-tools/default.nix 
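Review bot: `CONFIG_TCG_TPM2_HMAC=y` protects the kernel↔TPM bus with HMAC/encrypted sessions, but on its own it only defeats a passive interposer: the kernel's tpm-security documentation says a substituted TPM or active interposer is only detected if userspace certifies the null key name the kernel publishes in `/sys/class/tpm/tpm0/null_name` against the EK certificate, and nothing in this series does that yet. Add a comment beside the option so the gap is recorded, e.g. `# TCG_TPM2_HMAC: HMAC-protected kernel<->TPM sessions; userspace must still verify null_name against the EK`, and track the verification step as rootfs follow-up work. The option also adds ECDH/HMAC work to every TPM command, which is noticeable on some firmware TPMs; I believe 6.12+ exposes a runtime opt-out, so check that before relying on it for 6.13.4.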
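Review bot: The tpm2 install copies only `${tpm2Tools}/bin/*` and `${tpm2Libs}/lib/*.so*`, so anything else the `--prefix=/` tpm2-tss tree carries is silently dropped — upstream that normally includes `etc/tpm2-tss/fapi-config.json`, `fapi-profiles/` and the `tpm-udev.rules` file unless FAPI/udev are disabled at configure time, which would leave the `tss2_*` FAPI tools failing at runtime and `/dev/tpm*` with whatever ownership the rest of the image happens to assign. Either copy them as well (`cp -Pr ${tpm2Libs}/etc/tpm2-tss $out/etc/` and the rules file into `$out/usr/lib/udev/rules.d/`) or build tpm2-tss without FAPI and state that in a comment above these lines. The `*.so*` glob also picks up the unversioned `.so` developer symlinks; harmless, but `*.so.*` keeps the image minimal if that is the goal.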
@@ -0,0 +1,48 @@ +{ + stdenv, + fetchurl, + lib, + pandoc, + pkg-config, + curl, + openssl, + patosPkgs, + libuuid, +}: + +stdenv.mkDerivation rec { + pname = "tpm2-tools"; + version = "5.7"; + + src = fetchurl { + url = "https://github.com/tpm2-software/${pname}/releases/download/${version}/${pname}-${version}.tar.gz"; + sha256 = "sha256-OBDTa1B5JW9PL3zlUuIiE9Q7EDHBMVON+KLbw8VwmDo="; + }; + + nativeBuildInputs = [ + pandoc + pkg-config + ]; + buildInputs = [ + curl + openssl + patosPkgs.tpm2-tss + libuuid + ]; + + # Unit tests disabled, as they rely on a dbus session + configureFlags = [ "--prefix=/" ]; + preInstall = '' + mkdir -p $out + export DESTDIR=$out + ''; + doCheck = false; + + meta = with lib; { + description = "Command line tools that provide access to a TPM 2.0 compatible device"; + homepage = "https://github.com/tpm2-software/tpm2-tools"; + license = licenses.bsd3; + platforms = platforms.linux; + maintainers = with maintainers; [ tomfitzhenry ]; + }; +} diff --git a/pkgs/tpm2-tss/default.nix b/pkgs/tpm2-tss/default.nix new file mode 100644 index 0000000..5e23100 --- /dev/null +++ b/pkgs/tpm2-tss/default.nix 
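Review bot: `configureFlags = [ "--prefix=/" ]` is passed in addition to the `--prefix=$out` that stdenv prepends automatically, so the build depends on autoconf's last-flag-wins to end up at `/`; add `dontAddPrefix = true;` so a single prefix is passed and the intent is explicit, and document the pattern above `configureFlags`, e.g. `# Install as a relocatable tree (prefix /, DESTDIR=$out) so mkrootfs.sh can copy bin/ and lib/ into the image as-is`. The `# Unit tests disabled, as they rely on a dbus session` comment sits above `configureFlags` instead of `doCheck = false`, where it belongs. `maintainers = with maintainers; [ tomfitzhenry ]` is the nixpkgs maintainer carried over from the expression this was copied from; replace it with this repo's owners or drop it so nobody is pinged for a package they do not maintain. `sha256 = "sha256-…"` works, but the SRI form is conventionally spelled `hash =`.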
@@ -0,0 +1,86 @@ +{ + stdenv, + lib, + fetchFromGitHub, + autoreconfHook, + autoconf-archive, + pkg-config, + doxygen, + perl, + openssl, + json_c, + curl, + libgcrypt, + uthash, + git, + libuuid, + libtpms, +}: + +stdenv.mkDerivation rec { + pname = "tpm2-tss"; + version = "4.1.3"; + + src = fetchFromGitHub { + owner = "tpm2-software"; + repo = pname; + rev = version; + hash = "sha256-BP28utEUI9g1VNv3lCXuiKrDtEImFQxxZfIjLiE3Wr8="; + }; + + patches = [ + ./no-shadow.patch + ]; + + postPatch = '' + substituteInPlace ./bootstrap \ + --replace-fail 'git describe --tags --always --dirty' 'echo "${version}"' + ''; + + outputs = [ + "out" + ]; + + nativeBuildInputs = [ + autoreconfHook + autoconf-archive + pkg-config + doxygen + perl + git + ]; + + buildInputs = [ + openssl + json_c + curl + libgcrypt + uthash + libuuid + libtpms + ]; + + strictDeps = true; + preAutoreconf = "./bootstrap"; + + enableParallelBuilding = true; + + configureFlags = [ + "--prefix=/" + ]; + + preInstall = '' + mkdir -p $out + export DESTDIR=$out + ''; + + doCheck = false; + + meta = with lib; { + description = "OSS implementation of the TCG TPM2 Software Stack (TSS2)"; + homepage = "https://github.com/tpm2-software/tpm2-tss"; + license = licenses.bsd2; + platforms = platforms.unix; + maintainers = with maintainers; [ baloo ]; + }; +} diff --git a/pkgs/tpm2-tss/no-shadow.patch b/pkgs/tpm2-tss/no-shadow.patch new file mode 100644 index 0000000..a42bf06 --- /dev/null +++ b/pkgs/tpm2-tss/no-shadow.patch 
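Review bot: `libtpms` and `curl` in `buildInputs` mean tpm2-tss 4.x builds the in-process software-TPM TCTI (`libtss2-tcti-libtpms`) and the curl-backed FAPI EK-certificate download by default, and both `.so`s then land in the image through the rootfs `lib/*.so*` copy; on an attestation-oriented image a software TPM reachable via a TCTI string (presumably `TPM2TOOLS_TCTI=libtpms:<statefile>`) is surface you probably do not want. Unless they are needed, pin the feature set explicitly with `configureFlags = [ "--prefix=/" "--disable-tcti-libtpms" "--disable-fapi" "--disable-doxygen-doc" ];` and drop `libtpms`, `curl`, `json_c` and `doxygen` accordingly. Because the prefix is `/`, the installed `lib/pkgconfig/tss2-*.pc` files advertise `-L/lib -I/include`; tpm2-tools still links only because Nix's cc-wrapper injects `${tpm2-tss}/lib` and its include dir for every buildInput, so a `# prefix=/ is deliberate: the tree is copied verbatim into the rootfs; the .pc paths are wrong outside that` comment would stop someone "fixing" it. `maintainers = with maintainers; [ baloo ]` is carried over from nixpkgs and should be this repo's owners.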
@@ -0,0 +1,16 @@
+diff --git a/configure.ac b/configure.ac
+index e2d579b8..0eac4ff3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -672,9 +672,9 @@ AS_IF([test "$HOSTOS" = "Linux" && test "x$systemd_sysusers" != "xyes"],
+ AC_CHECK_PROG(adduser, adduser, yes)
+ AC_CHECK_PROG(addgroup, addgroup, yes)
+ AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
+- [AC_MSG_ERROR([addgroup or groupadd are needed.])])
++ [AC_MSG_WARN([addgroup or groupadd are needed.])])
+ AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
+- [AC_MSG_ERROR([adduser or useradd are needed.])])])
++ [AC_MSG_WARN([adduser or useradd are needed.])])])
+
+ AC_SUBST([PATH])
+
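Review bot: Downgrading the `adduser`/`useradd` check to `AC_MSG_WARN` gets the configure step past the sandbox, but the `tss` user and group that tpm2-tss's udev rule (and tpm2-abrmd, if it is ever added) presumably expect are then created by nothing — mkrootfs.sh hand-writes `/etc/group`, so whether `tss` exists in the image is now an unrecorded decision. The surrounding `AS_IF` already skips this check entirely when `systemd_sysusers` is `yes`, and the image ships systemd (see flake.nix), so configuring tpm2-tss with its sysusers directory (`--with-sysusersdir=/usr/lib/sysusers.d`) and copying the fragment it installs into the rootfs would reach the same result without carrying a patch and would let systemd-sysusers create `tss` on first boot. At minimum, give `no-shadow.patch` a header paragraph explaining why the check is relaxed rather than satisfied, and what provides the `tss` account instead.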